diff options
Diffstat (limited to 'external/poky/meta/recipes-connectivity/openssl/openssl')
5 files changed, 42 insertions, 295 deletions
diff --git a/external/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/external/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch index 80b62ab1..949c7883 100644 --- a/external/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch +++ b/external/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch @@ -20,6 +20,11 @@ https://patchwork.openembedded.org/patch/147229/ Upstream-Status: Inappropriate [OE specific] Signed-off-by: Martin Hundebøll <martin@geanix.com> + + +Update to fix buildpaths qa issue for '-fmacro-prefix-map'. + +Signed-off-by: Kai Kang <kai.kang@windriver.com> --- Configurations/unix-Makefile.tmpl | 10 +++++++++- crypto/build.info | 2 +- @@ -29,7 +34,7 @@ diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tm index 16af4d2087..54c162784c 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl -@@ -317,13 +317,21 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), +@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) @@ -43,6 +48,7 @@ index 16af4d2087..54c162784c 100644 +CFLAGS_Q={- for (@{$config{CFLAGS}}) { + s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; ++ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; + } + join(' ', @{$config{CFLAGS}}) -} + diff --git a/external/poky/meta/recipes-connectivity/openssl/openssl/CVE-2019-1543.patch b/external/poky/meta/recipes-connectivity/openssl/openssl/CVE-2019-1543.patch deleted file mode 100644 index 900ef97f..00000000 --- a/external/poky/meta/recipes-connectivity/openssl/openssl/CVE-2019-1543.patch +++ /dev/null @@ -1,69 +0,0 @@ -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/f426625b6ae9a7831010750490a5f0ad689c5ba3] -Signed-off-by: Ross Burton <ross.burton@intel.com> - -From f426625b6ae9a7831010750490a5f0ad689c5ba3 Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Tue, 5 Mar 2019 14:39:15 +0000 -Subject: [PATCH] Prevent over long nonces in ChaCha20-Poly1305 - -ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for -every encryption operation. RFC 7539 specifies that the nonce value (IV) -should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and -front pads the nonce with 0 bytes if it is less than 12 bytes. However it -also incorrectly allows a nonce to be set of up to 16 bytes. In this case -only the last 12 bytes are significant and any additional leading bytes are -ignored. - -It is a requirement of using this cipher that nonce values are unique. -Messages encrypted using a reused nonce value are susceptible to serious -confidentiality and integrity attacks. If an application changes the -default nonce length to be longer than 12 bytes and then makes a change to -the leading bytes of the nonce expecting the new value to be a new unique -nonce then such an application could inadvertently encrypt messages with a -reused nonce. - -Additionally the ignored bytes in a long nonce are not covered by the -integrity guarantee of this cipher. Any application that relies on the -integrity of these ignored leading bytes of a long nonce may be further -affected. - -Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe -because no such use sets such a long nonce value. However user -applications that use this cipher directly and set a non-default nonce -length to be longer than 12 bytes may be vulnerable. - -CVE: CVE-2019-1543 - -Fixes #8345 - -Reviewed-by: Paul Dale <paul.dale@oracle.com> -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/8406) - -(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6) ---- - crypto/evp/e_chacha20_poly1305.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c -index c1917bb86a6..d3e2c622a1b 100644 ---- a/crypto/evp/e_chacha20_poly1305.c -+++ b/crypto/evp/e_chacha20_poly1305.c -@@ -30,6 +30,8 @@ typedef struct { - - #define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data) - -+#define CHACHA20_POLY1305_MAX_IVLEN 12 -+ - static int chacha_init_key(EVP_CIPHER_CTX *ctx, - const unsigned char user_key[CHACHA_KEY_SIZE], - const unsigned char iv[CHACHA_CTR_SIZE], int enc) -@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, - return 1; - - case EVP_CTRL_AEAD_SET_IVLEN: -- if (arg <= 0 || arg > CHACHA_CTR_SIZE) -+ if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN) - return 0; - actx->nonce_len = arg; - return 1; diff --git a/external/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch b/external/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch index 7c4b084f..b7c0e969 100644 --- a/external/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch +++ b/external/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch @@ -18,14 +18,14 @@ index 3baa8ce..9ef52ed 100755 - ($mi2) = $mi2 =~ /(\d+)/; - my $ver = $ma*10000 + $mi1*100 + $mi2; - if ($ver < $minver) { -- $disabled{afalgeng} = "too-old-kernel"; +- disable('too-old-kernel', 'afalgeng'); - } else { - push @{$config{engdirs}}, "afalg"; - } - } else { -- $disabled{afalgeng} = "cross-compiling"; +- disable('cross-compiling', 'afalgeng'); - } + push @{$config{engdirs}}, "afalg"; } else { - $disabled{afalgeng} = "not-linux"; + disable('not-linux', 'afalgeng'); } diff --git a/external/poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/external/poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh deleted file mode 100644 index 6620fdcb..00000000 --- a/external/poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh +++ /dev/null @@ -1,222 +0,0 @@ -#!/bin/sh -# -# Ben Secrest <blsecres@gmail.com> -# -# sh c_rehash script, scan all files in a directory -# and add symbolic links to their hash values. -# -# based on the c_rehash perl script distributed with openssl -# -# LICENSE: See OpenSSL license -# ^^acceptable?^^ -# - -# default certificate location -DIR=/etc/openssl - -# for filetype bitfield -IS_CERT=$(( 1 << 0 )) -IS_CRL=$(( 1 << 1 )) - - -# check to see if a file is a certificate file or a CRL file -# arguments: -# 1. the filename to be scanned -# returns: -# bitfield of file type; uses ${IS_CERT} and ${IS_CRL} -# -check_file() -{ - local IS_TYPE=0 - - # make IFS a newline so we can process grep output line by line - local OLDIFS=${IFS} - IFS=$( printf "\n" ) - - # XXX: could be more efficient to have two 'grep -m' but is -m portable? - for LINE in $( grep '^-----BEGIN .*-----' ${1} ) - do - if echo ${LINE} \ - | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} )) - - if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ] - then - break - fi - elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} )) - - if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ] - then - break - fi - fi - done - - # restore IFS - IFS=${OLDIFS} - - return ${IS_TYPE} -} - - -# -# use openssl to fingerprint a file -# arguments: -# 1. the filename to fingerprint -# 2. the method to use (x509, crl) -# returns: -# none -# assumptions: -# user will capture output from last stage of pipeline -# -fingerprint() -{ - ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':' -} - - -# -# link_hash - create links to certificate files -# arguments: -# 1. the filename to create a link for -# 2. the type of certificate being linked (x509, crl) -# returns: -# 0 on success, 1 otherwise -# -link_hash() -{ - local FINGERPRINT=$( fingerprint ${1} ${2} ) - local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} ) - local SUFFIX=0 - local LINKFILE='' - local TAG='' - - if [ ${2} = "crl" ] - then - TAG='r' - fi - - LINKFILE=${HASH}.${TAG}${SUFFIX} - - while [ -f ${LINKFILE} ] - do - if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ] - then - echo "NOTE: Skipping duplicate file ${1}" >&2 - return 1 - fi - - SUFFIX=$(( ${SUFFIX} + 1 )) - LINKFILE=${HASH}.${TAG}${SUFFIX} - done - - echo "${3} => ${LINKFILE}" - - # assume any system with a POSIX shell will either support symlinks or - # do something to handle this gracefully - ln -s ${3} ${LINKFILE} - - return 0 -} - - -# hash_dir create hash links in a given directory -hash_dir() -{ - echo "Doing ${1}" - - cd ${1} - - ls -1 * 2>/dev/null | while read FILE - do - if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \ - && [ -h "${FILE}" ] - then - rm ${FILE} - fi - done - - ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE - do - REAL_FILE=${FILE} - # if we run on build host then get to the real files in rootfs - if [ -n "${SYSROOT}" -a -h ${FILE} ] - then - FILE=$( readlink ${FILE} ) - # check the symlink is absolute (or dangling in other word) - if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ] - then - REAL_FILE=${SYSROOT}/${FILE} - fi - fi - - check_file ${REAL_FILE} - local FILE_TYPE=${?} - local TYPE_STR='' - - if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ] - then - TYPE_STR='x509' - elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ] - then - TYPE_STR='crl' - else - echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2 - continue - fi - - link_hash ${REAL_FILE} ${TYPE_STR} ${FILE} - done -} - - -# choose the name of an ssl application -if [ -n "${OPENSSL}" ] -then - SSL_CMD=$(which ${OPENSSL} 2>/dev/null) -else - SSL_CMD=/usr/bin/openssl - OPENSSL=${SSL_CMD} - export OPENSSL -fi - -# fix paths -PATH=${PATH}:${DIR}/bin -export PATH - -# confirm existance/executability of ssl command -if ! [ -x ${SSL_CMD} ] -then - echo "${0}: rehashing skipped ('openssl' program not available)" >&2 - exit 0 -fi - -# determine which directories to process -old_IFS=$IFS -if [ ${#} -gt 0 ] -then - IFS=':' - DIRLIST=${*} -elif [ -n "${SSL_CERT_DIR}" ] -then - DIRLIST=$SSL_CERT_DIR -else - DIRLIST=${DIR}/certs -fi - -IFS=':' - -# process directories -for CERT_DIR in ${DIRLIST} -do - if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ] - then - IFS=$old_IFS - hash_dir ${CERT_DIR} - IFS=':' - fi -done diff --git a/external/poky/meta/recipes-connectivity/openssl/openssl/reproducible.patch b/external/poky/meta/recipes-connectivity/openssl/openssl/reproducible.patch new file mode 100644 index 00000000..a24260c9 --- /dev/null +++ b/external/poky/meta/recipes-connectivity/openssl/openssl/reproducible.patch @@ -0,0 +1,32 @@ +The value for perl_archname can vary depending on the host, e.g. +x86_64-linux-gnu-thread-multi or x86_64-linux-thread-multi which +makes the ptest package non-reproducible. Its unused other than +these references so drop it. + +RP 2020/2/6 + +Upstream-Status: Pending +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> + +Index: openssl-1.1.1d/Configure +=================================================================== +--- openssl-1.1.1d.orig/Configure ++++ openssl-1.1.1d/Configure +@@ -286,7 +286,7 @@ if (defined env($local_config_envname)) + # Save away perl command information + $config{perl_cmd} = $^X; + $config{perl_version} = $Config{version}; +-$config{perl_archname} = $Config{archname}; ++#$config{perl_archname} = $Config{archname}; + + $config{prefix}=""; + $config{openssldir}=""; +@@ -2517,7 +2517,7 @@ _____ + @{$config{perlargv}}), "\n"; + print "\nPerl information:\n\n"; + print ' ',$config{perl_cmd},"\n"; +- print ' ',$config{perl_version},' for ',$config{perl_archname},"\n"; ++ print ' ',$config{perl_version},"\n"; + } + if ($dump || $options) { + my $longest = 0; |