Diffstat (limited to 'meta/recipes-connectivity/openssl')
-rw-r--r--meta/recipes-connectivity/openssl/files/environment.d-openssl.sh25
-rw-r--r--meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch367
-rw-r--r--meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch13
-rw-r--r--meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch18
-rw-r--r--meta/recipes-connectivity/openssl/openssl/afalg.patch31
-rw-r--r--meta/recipes-connectivity/openssl/openssl/run-ptest19
-rw-r--r--meta/recipes-connectivity/openssl/openssl_3.5.0.bb (renamed from meta/recipes-connectivity/openssl/openssl_3.0.0.bb)165
7 files changed, 525 insertions, 113 deletions
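--- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1 +1,24 @@
-export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
+export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/openssl.cnf"
+export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
+export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES"
+
+# Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools
+# CAFILE/CAPATH is auto-deteced when source buildtools
+if [ -z "$SSL_CERT_FILE" ]; then
+ if [ -n "$CAFILE" ];then
+ export SSL_CERT_FILE="$CAFILE"
+ elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt"
+ fi
+fi
+
+if [ -z "$SSL_CERT_DIR" ]; then
+ if [ -n "$CAPATH" ];then
+ export SSL_CERT_DIR="$CAPATH"
+ elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs"
+ fi
+fi
+
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} SSL_CERT_DIR SSL_CERT_FILE"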
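Review bot: Both fallback branches test for `${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt` but export paths under `$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs`, so the existence check does not cover the file or directory that is actually handed to OpenSSL. Whether the two locations are linked inside the SDK is not visible from this file; if they are not, SSL_CERT_FILE and SSL_CERT_DIR point at nothing and every certificate verification in the buildtools environment fails, which tends to get worked around by switching verification off. Either probe the exported path, e.g. `elif [ -e "$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt" ];then`, or add a comment explaining why the `/etc/ssl/certs` copy is the one probed.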
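--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -0,0 +1,367 @@
+From 5ba65051fea0513db0d997f0ab7cafb9826ed74a Mon Sep 17 00:00:00 2001
+From: William Lyu <William.Lyu@windriver.com>
+Date: Fri, 20 Oct 2023 16:22:37 -0400
+Subject: [PATCH] Added handshake history reporting when test fails
+
+Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
+
+Signed-off-by: William Lyu <William.Lyu@windriver.com>
+---
+ test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++----------
+ test/helpers/handshake.h | 70 +++++++++++++++++++-
+ test/ssl_test.c | 44 +++++++++++++
+ 3 files changed, 217 insertions(+), 34 deletions(-)
+
+diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
+index f611b3a..5703b48 100644
+--- a/test/helpers/handshake.c
++++ b/test/helpers/handshake.c
+@@ -25,6 +25,102 @@
+ #include <netinet/sctp.h>
+ #endif
+
++/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
++/* Maps string names to various enumeration type */
++typedef struct {
++ const char *name;
++ int value;
++} enum_name_map;
++
++static const enum_name_map connect_phase_names[] = {
++ {"Handshake", HANDSHAKE},
++ {"RenegAppData", RENEG_APPLICATION_DATA},
++ {"RenegSetup", RENEG_SETUP},
++ {"RenegHandshake", RENEG_HANDSHAKE},
++ {"AppData", APPLICATION_DATA},
++ {"Shutdown", SHUTDOWN},
++ {"ConnectionDone", CONNECTION_DONE}
++};
++
++static const enum_name_map peer_status_names[] = {
++ {"PeerSuccess", PEER_SUCCESS},
++ {"PeerRetry", PEER_RETRY},
++ {"PeerError", PEER_ERROR},
++ {"PeerWaiting", PEER_WAITING},
++ {"PeerTestFail", PEER_TEST_FAILURE}
++};
++
++static const enum_name_map handshake_status_names[] = {
++ {"HandshakeSuccess", HANDSHAKE_SUCCESS},
++ {"ClientError", CLIENT_ERROR},
++ {"ServerError", SERVER_ERROR},
++ {"InternalError", INTERNAL_ERROR},
++ {"HandshakeRetry", HANDSHAKE_RETRY}
++};
++
++/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
++static const char *enum_name(const enum_name_map *enums, size_t num_enums,
++ int value)
++{
++ size_t i;
++ for (i = 0; i < num_enums; i++) {
++ if (enums[i].value == value) {
++ return enums[i].name;
++ }
++ }
++ return "InvalidValue";
++}
++
++const char *handshake_connect_phase_name(connect_phase_t phase)
++{
++ return enum_name(connect_phase_names, OSSL_NELEM(connect_phase_names),
++ (int)phase);
++}
++
++const char *handshake_status_name(handshake_status_t handshake_status)
++{
++ return enum_name(handshake_status_names, OSSL_NELEM(handshake_status_names),
++ (int)handshake_status);
++}
++
++const char *handshake_peer_status_name(peer_status_t peer_status)
++{
++ return enum_name(peer_status_names, OSSL_NELEM(peer_status_names),
++ (int)peer_status);
++}
++
++static void save_loop_history(HANDSHAKE_HISTORY *history,
++ connect_phase_t phase,
++ handshake_status_t handshake_status,
++ peer_status_t server_status,
++ peer_status_t client_status,
++ int client_turn_count,
++ int is_client_turn)
++{
++ HANDSHAKE_HISTORY_ENTRY *new_entry = NULL;
++
++ /*
++ * Create a new history entry for a handshake loop with statuses given in
++ * the arguments. Potentially evicting the oldest entry when the
++ * ring buffer is full.
++ */
++ ++(history->last_idx);
++ history->last_idx &= MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
++
++ new_entry = &((history->entries)[history->last_idx]);
++ new_entry->phase = phase;
++ new_entry->handshake_status = handshake_status;
++ new_entry->server_status = server_status;
++ new_entry->client_status = client_status;
++ new_entry->client_turn_count = client_turn_count;
++ new_entry->is_client_turn = is_client_turn;
++
++ /* Evict the oldest handshake loop entry when the ring buffer is full. */
++ if (history->entry_count < MAX_HANDSHAKE_HISTORY_ENTRY) {
++ ++(history->entry_count);
++ }
++}
++
+ HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
+ {
+ HANDSHAKE_RESULT *ret;
+@@ -726,15 +822,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
+ SSL_set_post_handshake_auth(client, 1);
+ }
+
+-/* The status for each connection phase. */
+-typedef enum {
+- PEER_SUCCESS,
+- PEER_RETRY,
+- PEER_ERROR,
+- PEER_WAITING,
+- PEER_TEST_FAILURE
+-} peer_status_t;
+-
+ /* An SSL object and associated read-write buffers. */
+ typedef struct peer_st {
+ SSL *ssl;
+@@ -1081,17 +1168,6 @@ static void do_shutdown_step(PEER *peer)
+ }
+ }
+
+-typedef enum {
+- HANDSHAKE,
+- RENEG_APPLICATION_DATA,
+- RENEG_SETUP,
+- RENEG_HANDSHAKE,
+- APPLICATION_DATA,
+- SHUTDOWN,
+- CONNECTION_DONE
+-} connect_phase_t;
+-
+-
+ static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
+ {
+ switch (test_ctx->handshake_mode) {
+@@ -1169,19 +1245,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
+ }
+ }
+
+-typedef enum {
+- /* Both parties succeeded. */
+- HANDSHAKE_SUCCESS,
+- /* Client errored. */
+- CLIENT_ERROR,
+- /* Server errored. */
+- SERVER_ERROR,
+- /* Peers are in inconsistent state. */
+- INTERNAL_ERROR,
+- /* One or both peers not done. */
+- HANDSHAKE_RETRY
+-} handshake_status_t;
+-
+ /*
+ * Determine the handshake outcome.
+ * last_status: the status of the peer to have acted last.
+@@ -1546,6 +1609,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+
+ start = time(NULL);
+
++ save_loop_history(&(ret->history),
++ phase, status, server.status, client.status,
++ client_turn_count, client_turn);
++
+ /*
+ * Half-duplex handshake loop.
+ * Client and server speak to each other synchronously in the same process.
+@@ -1567,6 +1634,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+ 0 /* server went last */);
+ }
+
++ save_loop_history(&(ret->history),
++ phase, status, server.status, client.status,
++ client_turn_count, client_turn);
++
+ switch (status) {
+ case HANDSHAKE_SUCCESS:
+ client_turn_count = 0;
+diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
+index 78b03f9..b9967c2 100644
+--- a/test/helpers/handshake.h
++++ b/test/helpers/handshake.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -12,6 +12,11 @@
+
+ #include "ssl_test_ctx.h"
+
++#define MAX_HANDSHAKE_HISTORY_ENTRY_BIT 4
++#define MAX_HANDSHAKE_HISTORY_ENTRY (1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT)
++#define MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK \
++ ((1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT) - 1)
++
+ typedef struct ctx_data_st {
+ unsigned char *npn_protocols;
+ size_t npn_protocols_len;
+@@ -22,6 +27,63 @@ typedef struct ctx_data_st {
+ char *session_ticket_app_data;
+ } CTX_DATA;
+
++typedef enum {
++ HANDSHAKE,
++ RENEG_APPLICATION_DATA,
++ RENEG_SETUP,
++ RENEG_HANDSHAKE,
++ APPLICATION_DATA,
++ SHUTDOWN,
++ CONNECTION_DONE
++} connect_phase_t;
++
++/* The status for each connection phase. */
++typedef enum {
++ PEER_SUCCESS,
++ PEER_RETRY,
++ PEER_ERROR,
++ PEER_WAITING,
++ PEER_TEST_FAILURE
++} peer_status_t;
++
++typedef enum {
++ /* Both parties succeeded. */
++ HANDSHAKE_SUCCESS,
++ /* Client errored. */
++ CLIENT_ERROR,
++ /* Server errored. */
++ SERVER_ERROR,
++ /* Peers are in inconsistent state. */
++ INTERNAL_ERROR,
++ /* One or both peers not done. */
++ HANDSHAKE_RETRY
++} handshake_status_t;
++
++/* Stores the various status information in a handshake loop. */
++typedef struct handshake_history_entry_st {
++ connect_phase_t phase;
++ handshake_status_t handshake_status;
++ peer_status_t server_status;
++ peer_status_t client_status;
++ int client_turn_count;
++ int is_client_turn;
++} HANDSHAKE_HISTORY_ENTRY;
++
++typedef struct handshake_history_st {
++ /* Implemented using ring buffer. */
++ /*
++ * The valid entries are |entries[last_idx]|, |entries[last_idx-1]|,
++ * ..., etc., going up to |entry_count| number of entries. Note that when
++ * the index into the array |entries| becomes < 0, we wrap around to
++ * the end of |entries|.
++ */
++ HANDSHAKE_HISTORY_ENTRY entries[MAX_HANDSHAKE_HISTORY_ENTRY];
++ /* The number of valid entries in |entries| array. */
++ size_t entry_count;
++ /* The index of the last valid entry in the |entries| array. */
++ size_t last_idx;
++} HANDSHAKE_HISTORY;
++
+ typedef struct handshake_result {
+ ssl_test_result_t result;
+ /* These alerts are in the 2-byte format returned by the info_callback. */
+@@ -77,6 +139,8 @@ typedef struct handshake_result {
+ char *cipher;
+ /* session ticket application data */
+ char *result_session_ticket_app_data;
++ /* handshake loop history */
++ HANDSHAKE_HISTORY history;
+ } HANDSHAKE_RESULT;
+
+ HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
+@@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
+ CTX_DATA *server2_ctx_data,
+ CTX_DATA *client_ctx_data);
+
++const char *handshake_connect_phase_name(connect_phase_t phase);
++const char *handshake_status_name(handshake_status_t handshake_status);
++const char *handshake_peer_status_name(peer_status_t peer_status);
++
+ #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */
+diff --git a/test/ssl_test.c b/test/ssl_test.c
+index ea60851..9d6b093 100644
+--- a/test/ssl_test.c
++++ b/test/ssl_test.c
+@@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
+ /* Currently the section names are of the form test-<number>, e.g. test-15. */
+ #define MAX_TESTCASE_NAME_LENGTH 100
+
++static void print_handshake_history(const HANDSHAKE_HISTORY *history)
++{
++ size_t first_idx;
++ size_t i;
++ size_t cur_idx;
++ const HANDSHAKE_HISTORY_ENTRY *cur_entry;
++ const char header_template[] = "|%14s|%16s|%16s|%16s|%17s|%14s|";
++ const char body_template[] = "|%14s|%16s|%16s|%16s|%17d|%14s|";
++
++ TEST_info("The following is the server/client state "
++ "in the most recent %d handshake loops.",
++ MAX_HANDSHAKE_HISTORY_ENTRY);
++
++ TEST_note("=================================================="
++ "==================================================");
++ TEST_note(header_template,
++ "phase", "handshake status", "server status",
++ "client status", "client turn count", "is client turn");
++ TEST_note("+--------------+----------------+----------------"
++ "+----------------+-----------------+--------------+");
++
++ first_idx = (history->last_idx - history->entry_count + 1) &
++ MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
++ for (i = 0; i < history->entry_count; ++i) {
++ cur_idx = (first_idx + i) & MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
++ cur_entry = &(history->entries)[cur_idx];
++ TEST_note(body_template,
++ handshake_connect_phase_name(cur_entry->phase),
++ handshake_status_name(cur_entry->handshake_status),
++ handshake_peer_status_name(cur_entry->server_status),
++ handshake_peer_status_name(cur_entry->client_status),
++ cur_entry->client_turn_count,
++ cur_entry->is_client_turn ? "true" : "false");
++ }
++ TEST_note("=================================================="
++ "==================================================");
++}
++
+ static const char *print_alert(int alert)
+ {
+ return alert ? SSL_alert_desc_string_long(alert) : "no alert";
+@@ -388,6 +426,12 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+ ret &= check_client_sign_type(result, test_ctx);
+ ret &= check_client_ca_names(result, test_ctx);
+ }
++
++ /* Print handshake loop history if any check fails. */
++ if (!ret) {
++ print_handshake_history(&(result->history));
++ }
++
+ return ret;
+ }
+
+--
+2.25.1
+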
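Review bot: The comment `/* Evict the oldest handshake loop entry when the ring buffer is full. */` in save_loop_history sits above code that only increments `entry_count` until it reaches MAX_HANDSHAKE_HISTORY_ENTRY; the overwrite already happened when `last_idx` was advanced and masked, so it should read something like `/* entry_count saturates at the buffer size; older entries were overwritten above. */`. Both save_loop_history and print_handshake_history also assume `last_idx` and `entry_count` start at zero, which depends on how HANDSHAKE_RESULT_new allocates the result; only its first lines are visible here, so that should be confirmed or stated in a comment on HANDSHAKE_HISTORY. The masked indexing is correct only while MAX_HANDSHAKE_HISTORY_ENTRY stays a power of two, which the `_BIT` definition guarantees and which deserves a one-line comment next to the macros.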
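--- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -1,6 +1,6 @@
-From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001
+From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex@linutronix.de>
-Date: Tue, 14 Sep 2021 12:18:25 +0200
+Date: Tue, 30 May 2023 09:11:27 -0700
 Subject: [PATCH] Configure: do not tweak mips cflags
 
 This conflicts with mips machine definitons from yocto,
@@ -9,20 +9,23 @@ e.g.
 
 Upstream-Status: Inappropriate [oe-core specific]
 Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+
+Refreshed for openssl-3.1.1
+Signed-off-by: Tim Orling <tim.orling@konsulko.com>
 ---
  Configure | 10 ----------
  1 file changed, 10 deletions(-)
 
 diff --git a/Configure b/Configure
-index 821e680..0387a74 100755
+index fff97bd..5ee54c1 100755
 --- a/Configure
 +++ b/Configure
-@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+@@ -1551,16 +1551,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
  push @{$config{shared_ldflag}}, "-mno-cygwin";
  }
 
 -if ($target =~ /linux.*-mips/ && !$disabled{asm}
-- && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
 - # minimally required architecture flags for assembly modules
 - my $value;
 - $value = '-mips2' if ($target =~ /mips32/);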
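--- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -30,23 +30,26 @@ Update to fix buildpaths qa issue for '-ffile-prefix-map'.
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 
 ---
- Configurations/unix-Makefile.tmpl | 12 +++++++++++-
+ Configurations/unix-Makefile.tmpl | 16 +++++++++++++++-
  crypto/build.info | 2 +-
- 2 files changed, 12 insertions(+), 2 deletions(-)
+ 2 files changed, 16 insertions(+), 2 deletions(-)
 
 diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index f88a70f..528cdef 100644
+index 09303c4..011bda1 100644
 --- a/Configurations/unix-Makefile.tmpl
 +++ b/Configurations/unix-Makefile.tmpl
-@@ -471,13 +471,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+@@ -502,13 +502,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
  '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
  BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
 
 -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h
 +# *_Q variables are used for one thing only: to build up buildinf.h
  CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g;
++ $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g;
  $cppflags2 =~ s|([\\"])|\\$1|g;
++ $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g;
  $lib_cppflags =~ s|([\\"])|\\$1|g;
++ $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g;
  join(' ', $lib_cppflags || (), $cppflags2 || (),
  $cppflags1 || ()) -}
 
@@ -54,6 +57,7 @@ index f88a70f..528cdef 100644
 + s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
 + s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
 + s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
++ s|-isystem/[^ ]+/usr/include ||g;
 + }
 + join(' ', @{$config{CFLAGS}}) -}
 +
@@ -64,15 +68,15 @@ index f88a70f..528cdef 100644
 
  # For x86 assembler: Set PROCESSOR to 386 if you want to support
 diff --git a/crypto/build.info b/crypto/build.info
-index efca6cc..eda433e 100644
+index aee5c46..95c9577 100644
 --- a/crypto/build.info
 +++ b/crypto/build.info
-@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
+@@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
 
  DEPEND[info.o]=buildinf.h
  DEPEND[cversion.o]=buildinf.h
 -GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
 +GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)"
 
- GENERATE[uplink-x86.s]=../ms/uplink-x86.pl
+ GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
  GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl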
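Review bot: The new CFLAGS_Q substitution `s|-isystem/[^ ]+/usr/include ||g` requires a trailing space, while the three CPPFLAGS_Q ones use `s|-isystem/[^ ]+/usr/include||g` without it, so an `-isystem` option with nothing after it is left in place on the CFLAGS side. The loop header around the CFLAGS_Q substitutions is outside the hunk; if they run once per CFLAGS element, an element would rarely end in a space and the pattern may never match at all. Since the point of this patch is keeping build-host paths out of buildinf.h and therefore out of the shipped library, use the same pattern in both places, `s|-isystem/[^ ]+/usr/include||g`, and add a comment saying that only the joined `-isystem/path` spelling is covered.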
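--- a/meta/recipes-connectivity/openssl/openssl/afalg.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Don't refuse to build afalgeng if cross-compiling or the host kernel is too old.
-
-Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688]
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/Configure b/Configure
-index 3baa8ce..9ef52ed 100755
---- a/Configure
-+++ b/Configure
-@@ -1550,20 +1550,7 @@ unless ($disabled{"crypto-mdebug-backtrace"})
- unless ($disabled{afalgeng}) {
- $config{afalgeng}="";
- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
-- my $minver = 4*10000 + 1*100 + 0;
-- if ($config{CROSS_COMPILE} eq "") {
-- my $verstr = `uname -r`;
-- my ($ma, $mi1, $mi2) = split("\\.", $verstr);
-- ($mi2) = $mi2 =~ /(\d+)/;
-- my $ver = $ma*10000 + $mi1*100 + $mi2;
-- if ($ver < $minver) {
-- disable('too-old-kernel', 'afalgeng');
-- } else {
-- push @{$config{engdirs}}, "afalg";
-- }
-- } else {
-- disable('cross-compiling', 'afalgeng');
-- }
-+ push @{$config{engdirs}}, "afalg";
- } else {
- disable('not-linux', 'afalgeng');
- }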
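--- a/meta/recipes-connectivity/openssl/openssl/run-ptest
+++ b/meta/recipes-connectivity/openssl/openssl/run-ptest
@@ -1,12 +1,19 @@
 #!/bin/sh
 
-set -e
+set -eu
 
-# Optional arguments are 'list' to lists all tests, or the test name (base name
-# ie test_evp, not 03_test_evp.t).
+# Optional arguments are 'list' to lists the tests, or the test name (base name
+# ie test_evp, not 03_test_evp.t). Without any arguments we run all tests.
+
+if test $# -gt 0; then
+ TESTS=$*
+else
+ # Skip test_symbol_presence as this is for developers
+ TESTS="alltests -test_symbol_presence"
+fi
 
 export TOP=.
-# OPENSSL_ENGINES is relative from the test binaries
-export OPENSSL_ENGINES=../engines
+# Run four jobs in parallel
+export HARNESS_JOBS=4
 
-perl ./test/run_tests.pl $* | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g'
+{ perl ./test/run_tests.pl $TESTS || echo "FAIL: openssl" ; } | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g'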
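Review bot: The exit status of the final pipeline is that of `sed`, so the script returns 0 even when `run_tests.pl` fails, and the appended `FAIL: openssl` line is the only failure signal for a crypto test suite. That deserves a comment above the pipeline, e.g. `# Exit status is sed's; failures are reported only through FAIL: lines.`, because whether the ptest runner ever looks at the exit code is not visible here. Separately, `export HARNESS_JOBS=4` fixes the parallelism regardless of the target; `export HARNESS_JOBS="${HARNESS_JOBS:-4}"` keeps the default, lets a small board override it, and stays valid under `set -u`.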
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
index 67343bedcc..0f5c28dafa 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
@@ -10,17 +10,17 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
10SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ 10SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
11 file://run-ptest \ 11 file://run-ptest \
12 file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ 12 file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
13 file://afalg.patch \
14 file://0001-Configure-do-not-tweak-mips-cflags.patch \ 13 file://0001-Configure-do-not-tweak-mips-cflags.patch \
14 file://0001-Added-handshake-history-reporting-when-test-fails.patch \
15 " 15 "
16 16
17SRC_URI:append:class-nativesdk = " \ 17SRC_URI:append:class-nativesdk = " \
18 file://environment.d-openssl.sh \ 18 file://environment.d-openssl.sh \
19 " 19 "
20 20
21SRC_URI[sha256sum] = "59eedfcb46c25214c9bd37ed6078297b4df01d012267fe9e9eee31f61bc70536" 21SRC_URI[sha256sum] = "344d0a79f1a9b08029b0744e2cc401a43f9c90acd1044d09a530b4885a8e9fc0"
22 22
23inherit lib_package multilib_header multilib_script ptest perlnative 23inherit lib_package multilib_header multilib_script ptest perlnative manpages
24MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" 24MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
25 25
26PACKAGECONFIG ?= "" 26PACKAGECONFIG ?= ""
@@ -30,10 +30,14 @@ PACKAGECONFIG:class-nativesdk = ""
30PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" 30PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
31PACKAGECONFIG[no-tls1] = "no-tls1" 31PACKAGECONFIG[no-tls1] = "no-tls1"
32PACKAGECONFIG[no-tls1_1] = "no-tls1_1" 32PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
33PACKAGECONFIG[manpages] = ""
34PACKAGECONFIG[fips] = "enable-fips"
33 35
34B = "${WORKDIR}/build" 36B = "${WORKDIR}/build"
35do_configure[cleandirs] = "${B}" 37do_configure[cleandirs] = "${B}"
36 38
39EXTRA_OECONF = "${@bb.utils.contains('PTEST_ENABLED', '1', '', 'no-tests', d)}"
40
37#| ./libcrypto.so: undefined reference to `getcontext' 41#| ./libcrypto.so: undefined reference to `getcontext'
38#| ./libcrypto.so: undefined reference to `setcontext' 42#| ./libcrypto.so: undefined reference to `setcontext'
39#| ./libcrypto.so: undefined reference to `makecontext' 43#| ./libcrypto.so: undefined reference to `makecontext'
@@ -42,18 +46,30 @@ EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
42 46
43# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions 47# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
44# (native versions can be built with newer glibc, but then relocated onto a system with older glibc) 48# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
45EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom" 49EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom"
46EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom" 50EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom"
47 51
48# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. 52# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
49CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" 53EXTRA_OEMAKE:append:task-compile:class-native = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
50CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" 54EXTRA_OEMAKE:append:task-compile:class-nativesdk = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
55
56#| threads_pthread.c:(.text+0x372): undefined reference to `__atomic_is_lock_free'
57EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"
51 58
52# This allows disabling deprecated or undesirable crypto algorithms. 59# This allows disabling deprecated or undesirable crypto algorithms.
53# The default is to trust upstream choices. 60# The default is to trust upstream choices.
54DEPRECATED_CRYPTO_FLAGS ?= "" 61DEPRECATED_CRYPTO_FLAGS ?= ""
55 62
56do_configure () { 63do_configure () {
64 # When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
65 # the issue really clear that perl isn't functional due to symbol mismatch issues.
66 cat <<- EOF > ${WORKDIR}/perltest
67 #!/usr/bin/env perl
68 use POSIX;
69 EOF
70 chmod a+x ${WORKDIR}/perltest
71 ${WORKDIR}/perltest
72
57 os=${HOST_OS} 73 os=${HOST_OS}
58 case $os in 74 case $os in
59 linux-gnueabi |\ 75 linux-gnueabi |\
@@ -68,6 +84,9 @@ do_configure () {
68 esac 84 esac
69 target="$os-${HOST_ARCH}" 85 target="$os-${HOST_ARCH}"
70 case $target in 86 case $target in
87 linux-arc | linux-microblaze*)
88 target=linux-latomic
89 ;;
71 linux-arm*) 90 linux-arm*)
72 target=linux-armv4 91 target=linux-armv4
73 ;; 92 ;;
@@ -83,6 +102,9 @@ do_configure () {
83 linux-gnu64-x86_64) 102 linux-gnu64-x86_64)
84 target=linux-x86_64 103 target=linux-x86_64
85 ;; 104 ;;
105 linux-loongarch64)
106 target=linux64-loongarch64
107 ;;
86 linux-mips | linux-mipsel) 108 linux-mips | linux-mipsel)
87 # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags 109 # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
88 target="linux-mips32 ${TARGET_CC_ARCH}" 110 target="linux-mips32 ${TARGET_CC_ARCH}"
@@ -93,7 +115,7 @@ do_configure () {
93 linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el) 115 linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
94 target=linux64-mips64 116 target=linux64-mips64
95 ;; 117 ;;
96 linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) 118 linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
97 target=linux-generic32 119 target=linux-generic32
98 ;; 120 ;;
99 linux-powerpc) 121 linux-powerpc)
@@ -106,10 +128,10 @@ do_configure () {
106 target=linux-ppc64le 128 target=linux-ppc64le
107 ;; 129 ;;
108 linux-riscv32) 130 linux-riscv32)
109 target=linux-generic32 131 target=linux32-riscv32
110 ;; 132 ;;
111 linux-riscv64) 133 linux-riscv64)
112 target=linux-generic64 134 target=linux64-riscv64
113 ;; 135 ;;
114 linux-sparc | linux-supersparc) 136 linux-sparc | linux-supersparc)
115 target=linux-sparcv9 137 target=linux-sparcv9
@@ -119,19 +141,26 @@ do_configure () {
119 ;; 141 ;;
120 esac 142 esac
121 143
122 useprefix=${prefix}
123 if [ "x$useprefix" = "x" ]; then
124 useprefix=/
125 fi
126 # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the 144 # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
127 # environment variables set by bitbake. Adjust the environment variables instead. 145 # environment variables set by bitbake. Adjust the environment variables instead.
128 HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ 146 PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
129 perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target 147 test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
148 HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
149 perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target
130 perl ${B}/configdata.pm --dump 150 perl ${B}/configdata.pm --dump
131} 151}
132 152
153do_compile:append () {
154 # The test suite binaries are large and we don't need the debugging in them
155 if test -d ${B}/test; then
156 find ${B}/test -type f -executable -exec ${STRIP} {} \;
157 fi
158}
159
133do_install () { 160do_install () {
134 oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install 161 oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \
162 ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \
163 ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)}
135 164
136 oe_multilib_header openssl/opensslconf.h 165 oe_multilib_header openssl/opensslconf.h
137 oe_multilib_header openssl/configuration.h 166 oe_multilib_header openssl/configuration.h
@@ -149,61 +178,72 @@ do_install () {
149 ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs 178 ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
150 ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private 179 ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
151 ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf 180 ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
181
182 # Generate fipsmodule.cnf in pkg_postinst_ontarget
183 if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
184 rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
185 fi
152} 186}
153 187
154do_install:append:class-native () { 188do_install:append:class-native () {
155 create_wrapper ${D}${bindir}/openssl \ 189 create_wrapper ${D}${bindir}/openssl \
156 OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \ 190 OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
157 SSL_CERT_DIR=${libdir}/ssl-3/certs \ 191 SSL_CERT_DIR=\${SSL_CERT_DIR:-${libdir}/ssl-3/certs} \
158 SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \ 192 SSL_CERT_FILE=\${SSL_CERT_FILE:-${libdir}/ssl-3/cert.pem} \
159 OPENSSL_ENGINES=${libdir}/engines-3 193 OPENSSL_ENGINES=\${OPENSSL_ENGINES:-${libdir}/engines-3} \
194 OPENSSL_MODULES=\${OPENSSL_MODULES:-${libdir}/ossl-modules}
160} 195}
161 196
162do_install:append:class-nativesdk () { 197do_install:append:class-nativesdk () {
163 mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d 198 mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
164 install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh 199 install -m 644 ${UNPACKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
165 sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
166} 200}
167 201
168PTEST_BUILD_HOST_FILES += "configdata.pm" 202PTEST_BUILD_HOST_FILES += "configdata.pm"
169PTEST_BUILD_HOST_PATTERN = "perl_version =" 203PTEST_BUILD_HOST_PATTERN = "perl_version ="
170do_install_ptest () { 204do_install_ptest() {
171 install -d ${D}${PTEST_PATH}/test 205 install -m644 ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
172 install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test 206 cp -rf ${S}/Configurations ${S}/external ${D}${PTEST_PATH}/
173 install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
174
175 # Prune the build tree
176 rm -f ${B}/fuzz/*.* ${B}/test/*.*
177
178 cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
179 sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm
180 cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
181
182 # For test_shlibload
183 ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
184 ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
185 207
186 install -d ${D}${PTEST_PATH}/apps 208 install -d ${D}${PTEST_PATH}/apps
187 ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps 209 ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
188 install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
189 install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
190
191 install -d ${D}${PTEST_PATH}/engines
192 install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
193 install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
194
195 install -d ${D}${PTEST_PATH}/providers
196 install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
197
198 install -d ${D}${PTEST_PATH}/Configurations
199 cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
200 210
201 # seems to be needed with perl 5.32.1 211 cd ${S}
202 install -d ${D}${PTEST_PATH}/util/perl/recipes 212 find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
203 cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/ 213 find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
214 find apps test -name \*.der -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
215 find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
216 find util -name \*.p[lm] -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
217
218 cd ${B}
219 # Everything but .? (.o and .d)
220 find test -type f -name \*[^.]? -exec install -m755 -D {} ${D}${PTEST_PATH}/{} \;
221 find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
222 find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
223 find apps test -name \*.srl -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
224 install -m755 ${B}/util/*wrap.* ${D}${PTEST_PATH}/util/
225
226 install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps/
227 install -m755 ${S}/test/*.pl ${D}${PTEST_PATH}/test/
228 install -m755 ${S}/test/shibboleth.pfx ${D}${PTEST_PATH}/test/
229 install -m755 ${S}/test/*.bin ${D}${PTEST_PATH}/test/
230 install -m755 ${S}/test/dane*.in ${D}${PTEST_PATH}/test/
231 install -m755 ${S}/test/smcont*.txt ${D}${PTEST_PATH}/test/
232 install -m755 ${S}/test/ssl_test.tmpl ${D}${PTEST_PATH}/test/
233
234 sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm ${D}${PTEST_PATH}/util/wrap.pl
204 235
205 sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl 236 install -d ${D}${PTEST_PATH}/engines
237 install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines/
238 install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines/
239 ln -s ${libdir}/engines-3/loader_attic.so ${D}${PTEST_PATH}/engines/
240 ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers
241}
206 242
243pkg_postinst_ontarget:${PN}-ossl-module-fips () {
244 if test -f ${libdir}/ossl-modules/fips.so; then
245 ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
246 fi
207} 247}
208 248
209# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto 249# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
@@ -211,7 +251,7 @@ do_install_ptest () {
211# file to be installed for both the openssl-bin package and the libcrypto 251# file to be installed for both the openssl-bin package and the libcrypto
212# package since the openssl-bin package depends on the libcrypto package. 252# package since the openssl-bin package depends on the libcrypto package.
213 253
214PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" 254PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
215 255
216FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}" 256FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
217FILES:libssl = "${libdir}/libssl${SOLIBS}" 257FILES:libssl = "${libdir}/libssl${SOLIBS}"
@@ -222,23 +262,22 @@ FILES:${PN}-engines = "${libdir}/engines-3"
222# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP) 262# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
223FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3" 263FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
224FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash" 264FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
265FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
266FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so"
225FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/" 267FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
226FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" 268FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
227 269
228CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf" 270CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
229 271
230RRECOMMENDS:libcrypto += "openssl-conf" 272RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
231RDEPENDS:${PN}-misc = "perl" 273RDEPENDS:${PN}-misc = "perl"
232RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash" 274RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines openssl-ossl-module-legacy"
233 275
234RDEPENDS:${PN}-bin += "openssl-conf" 276RDEPENDS:${PN}-bin += "openssl-conf"
235 277
278# The test suite is installed stripped
279INSANE_SKIP:${PN} = "already-stripped"
280
236BBCLASSEXTEND = "native nativesdk" 281BBCLASSEXTEND = "native nativesdk"
237 282
238CVE_PRODUCT = "openssl:openssl" 283CVE_PRODUCT = "openssl:openssl"
239
240CVE_VERSION_SUFFIX = "alphabetical"
241
242# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
243# Apache in meta-webserver is already recent enough
244CVE_CHECK_WHITELIST += "CVE-2019-0190"