| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545]
(From OE-Core rev: 20ae485ef65bef2ddbffe05fd29cc7d411c38448)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix an issue introduced in the new openssl version where an assembler file
isn't generated in a reproducible way by seeding the perl random number
generator consistently. It has no crypto impact, it is just used to
avoid function name clashes.
(From OE-Core rev: 448df3e1c02fe224d62f59a236fdcd47ea7e695f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
>From the NEWS.md file:
### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023]
* SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
* Performance enhancements and new platform support including new
assembler code algorithm implementations.
* Deprecated LHASH statistics functions.
* FIPS 140-3 compliance changes.
Drop the upstreamed afalg.patch:
c425e365f4 Configure: don't try to be clever when configuring afalgeng
(From OE-Core rev: 71c763ed4fbbea22a6a0b145e4e29436c7e59625)
Signed-off-by: Randy MacLeod <randy.macleod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL 3.0.8 fixes 1 HIGH level security vulnerability and 7 MODERATE level security vulnerability [1].
Upgrade the recipe to point to 3.0.8.
CVE-2022-3996 is reported fixed in 3.0.8, so drop the patch for that as
well.
[1] https://www.openssl.org/news/vulnerabilities.html
CVEs Fixed:
https://www.openssl.org/news/secadv/20230207.txt
(From OE-Core rev: 8461466f63200a0b1c9c247b70fdf5819651544c)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: c20b7b864dc6726a2ed4a40cf5a30661ad28c6e0)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL 3.0.5 includes a HIGH level security vulnerability [1].
Upgrade the recipe to point to 3.0.7.
CVE-2022-3358 is reported fixed in 3.0.6, so drop the patch for that as
well.
[1] https://www.openssl.org/news/vulnerabilities.html
Fixes CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
(From OE-Core rev: a69ea1f7db96ec8b853573bd581438edd42ad6e0)
Signed-off-by: Ed Tanous <edtanous@google.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In OE-Core d6b15d1e70b99185cf245d829ada5b6fb99ec1af,
"openssl: export necessary env vars in SDK", the value added for
SSL_CERT_FILE was in conflict with the value used elsewhere, such as
in buildtools. This makes them match and fixes buildtools testsdk
failures.
(From OE-Core rev: 7d383a7fc6da666c80f2fc037af5f49a3388eb2b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
encryption
Upstream-Status: Backport from https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b]
Description:
CVE-2022-3358 openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption.
Affects "openssl < 3.0.6"
(From OE-Core rev: f98b2273c6f03f8f6029a7a409600ce290817e27)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In current SDK, when running the following command in python
shell, we get an error.
$ python3
>>> from cryptography.hazmat.backends import openssl
The error message is as below:
cryptography.exceptions.InternalError: Unknown OpenSSL error.
We could set OPENSSL_MODULES explicitly in nativesdk-openssl package
so that when SDK is set up, it's in environment and we can
get rid of the above error.
Also, there are other env vars that need to be exported. And we export
all of them to keep sync with openssl-native.bbclass.
(From OE-Core rev: d6b15d1e70b99185cf245d829ada5b6fb99ec1af)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When building with the previous a number of atomic functions come back as
undefined. Switching to linux-latomic fixes this.
(From OE-Core rev: 88d5bf78ffb1d120df48139b1ed3c2e3fa8310d0)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
CVEs fixed:
https://www.openssl.org/news/secadv/20220705.txt
(From OE-Core rev: 84204dea7dec05e053cce5be0071cd9c1fb4ff6f)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
| |
Includes a fix for CVE-2022-2068.
(From OE-Core rev: f034faebd45e63385849078e6ee4b51257763e99)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
ptests in in openssl have started failing as one of the test certificates has
expired. Backport a fix for this from upstream, replacing the test
certificate to allow the ptests to pass again.
(From OE-Core rev: f26f0b34f12bbca2beed153da402a3594d127374)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This minor version include fixes for several CVEs
CVE: CVE-2022-1292
CVE: CVE-2022-1343
CVE: CVE-2022-1434
CVE: CVE-2022-1473
(From OE-Core rev: d63ddc0874da32940be2b802ab31f49286e49f63)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This module contains legacy cipher suites from libcrypto.
We should not need to include base package because we want
to use this part of libcrypto.
(From OE-Core rev: 1537ebc3f6ae2aec9a3864b03704ab4dbc0e971b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
* Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
for non-prime moduli ([CVE-2022-0778])
(From OE-Core rev: 30f054a1e0afaa26d16a411df2a6310104342e63)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
| |
(From OE-Core rev: aa52af4518604b5bf13f3c5e885113bf868d6c81)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Loading the POSIX module after loading others in perl causes errors to get hidden. The
resulting build failures are obtuse and hard to debug. We see this quite often when
we upgrade glibc but not uninative and there are symbol mismatches.
Add a quick test to the start of configure which tests perl operates correct and shows
a much more obvious error if it isn't since the POSIX module doesn't have to reload.
An example of the new error is:
| Can't load 'XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/x86_64-linux/auto/POSIX/POSIX.so' for module POSIX:
| XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/sysroots-uninative/x86_64-linux/lib/libm.so.6: version `GLIBC_2.35' not found
| (required by XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/x86_64-linux/auto/POSIX/POSIX.so) at
| XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/XSLoader.pm line 111.
| at XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/x86_64-linux/POSIX.pm line 24.
which clearly shows the glibc symbol issue.
(From OE-Core rev: 684b656c5e6bf8cb10467c8d0fff1a9eeaf4256f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
OpenSSL 3 added the concept of provider modules which are loaded from
disk. The load path is hard-coded into the library and needs to be
relocated when running natively, so add OPENSSL_MODULES to the wrapper.
(From OE-Core rev: 160ac2f136cb8df829c803848c7c47d707a908ff)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
When the date rolled from one year to another, it highlighted a reproducibility
issue in openssl. Patch a workaround for this to avoid autobuilder failures. Help
submitting upstream welcome.
(From OE-Core rev: f8281e290737dba16a46d7ae937c66b3266e0fe8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes in 3.0.1:
* Fixed invalid handling of X509_verify_cert() internal errors in libssl
([CVE-2021-4044])
* Allow fetching an operation from the provider that owns an unexportable key
as a fallback if that is still allowed by the property query.
Drop patches which were backported.
Add sed to openssl-ptest as the tests use 'sed -u', which isn't supported
by busybox.
Ensure that we package the dummy async engine, needed by the test suite.
(From OE-Core rev: 5cd40648b0ba88cd9905800e748ae98f08c10ac7)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some atomic ops for 32-bit ARC processors are implemented in GCC's libatomic.
For example those dealing with 64-bit data (e.g. __atomic_load_8()) as well as
some others. That said it's required to add "-latomic" for successful linkage.
Otherwise error messages like this happen on OpenSSL building for ARC:
------------------------------->8------------------------------
| ...ld: libcrypto.a(libcrypto-lib-threads_pthread.o): in function `CRYPTO_atomic_or':
| .../openssl-3.0.0/crypto/threads_pthread.c:219: undefined reference to `__atomic_is_lock_free'
| ...ld: .../openssl-3.0.0/crypto/threads_pthread.c:219: undefined reference to `__atomic_is_lock_free'
| ...ld: .../openssl-3.0.0/crypto/threads_pthread.c:220: undefined reference to `__atomic_fetch_or_8'
------------------------------->8------------------------------
Fix that by using a special target, which does exactly what's needed.
See [1] and [2] for more details on the matter.
[1] https://github.com/openssl/openssl/commit/cdf2986a70d92668d882eb29737225f1aaafd0f1
[2] https://github.com/openssl/openssl/pull/15640
(From OE-Core rev: f48227a192022c604f8c2ea4fe973c6664861101)
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Backport a patch from upstream. Specifically, this fixes signature
validation in trusted-firmware-a with OpenSSL 3.
(From OE-Core rev: ac670fd4f543f439efdea26e813a4b5121161289)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
ARMv8 doesn't imply Aarch64, so correct a check that was making that
assumption. This fixes the build on 32-bit ARMv8 targets such as
Cortex-A32.
(From OE-Core rev: 78ae8b02bfbf0d98ae481682179439845d30c797)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
| |
These patches are already available in 3.0
(From OE-Core rev: 063d085534b7b3659c5721228bb58f4e8115b5ee)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop 0001-skip-test_symbol_presence.patch - testing revealed
no need for it, and I couldn't quite understand what it does.
Drop reproducible.patch - upstream has removed the non-reproducible
bit.
Process lines in run-ptest with sed one by one rather than with
perl after the test completes, avoiding ptest-runner timeout errors.
License-Update: openssl relicense to apache 2.0. Goodbye awkward
gpl exceptions in consumers.
DEPRECATED_CRYPTO_FLAGS is now empty by default but available
by anyone who wants to set it. Trying to come up with a working
set was not a good idea as shown in the deleted comment.
(From OE-Core rev: f028a55383588d68c052f19f16d0f3f4d0560c57)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Includes fixes for:
CVE: CVE-2021-3711
CVE: CVE-2021-3712
as described by:
https://www.openssl.org/news/secadv/20210824.txt
Ptest results on qemux86-64 with kvm:
All tests successful.
Files=158, Tests=2532, 137 wallclock secs \
( 2.59 usr 0.33 sys + 104.71 cusr 44.19 csys = 151.82 CPU)
Result: PASS
DURATION: 137
(From OE-Core rev: fdb6d8c0604e7170ad0c361d54ce9a19253afe36)
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: 1829fa0bda9a9388c3134866c471f26ec5658c36)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Only security issues fixed in this release according to
https://www.openssl.org/news/cl111.txt
(From OE-Core rev: 557d956743ecf5e1d002ae0b2135b1307736b7c8)
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: 22691df60abe22bafb83f391549ee9e5026cabef)
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
For some reason the new perl no longer has . in list of
directories searched in 'require', and so the file
needs to be copied where perl can find it.
(From OE-Core rev: 2ae879ddb72bd316e49a8200e99887dadb02b3dc)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: a67635ca2c7a016efcf450e4011f2032883e995d)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* it breaks KDE's qca and dependencies
* it is not deprecated. Openssl 3.0 (currently alpha) will deprecate whirlpool
[1] https://www.openssl.org/news/changelog.html#openssl-30
(From OE-Core rev: bc02baadeee477b10eceae62985af4f4c323506e)
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: 17df664a32a74f17baaef8c31ac23adec2d6255f)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
This is still needed by libest in meta-security
(From OE-Core rev: 1242b04e97fbef3d926bcf706ac99a580109e58b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Cc: Shachar Menashe <shachar@vdoo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
| |
TLS 1.3 implementation in qt5 uses psk so retain it for now
(From OE-Core rev: ab2cc33331ee931e65a63a02cf034c1b8ee695ac)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
They are still needed by several packages in meta-openembedded
(From OE-Core rev: 52af41387f1c843e7677c0bb632b2b96f9793ebd)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Shachar Menashe <shachar@vdoo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
1. Drop support for many deprecated algorithms by default
2. Allow dropping support for TLS 1.0/1.1 via PACKAGECONFIG
(From OE-Core rev: 304417a97db89d9ea4a41aa7c92b5a052896d63b)
Signed-off-by: Shachar Menashe <shachar@vdoo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Engines are installed in a slightly different path, and
the host type doesn't precisely match in x86_64
Co-authored-by: Paul Eggleton <paul.eggleton@microsoft.com>
Co-authored-by: Deepak Rawat <derawa@microsoft.com>
(From OE-Core rev: 166bb89f6d97495b6522786182b4f9623acd7ff4)
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
update version to 1.1.1i
openssl 1.1.1i Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
updates include fix for CVE:
CVE-2020-1971
(From OE-Core rev: ebbb732d7707d3e755dd9760fc292f86253f86b4)
Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following changes since commit f075071761172c69f8ae2be5868d51ef9ef646e7:
conf: update for release 3.2 (2020-11-09 13:16:13 +0000)
are available in the Git repository at:
git://push.yoctoproject.org/poky-contrib fedepell/bug14083
Federico Pellegrin (1):
openssl: Add c_rehash to misc package and add perl runtime dependency
c_rehash implemented in perl is back (in history was moved to shell for
some time), so handle it inside the -misc package so just that one will
carry the heavy runtime dependency on perl and not the whole openssl
package. Note: in misc there were already before a few perl files
(tsget.pl and CA.pl) so the added perl dependency will fix those too.
[YOCTO #14083]
(From OE-Core rev: 70da1f956bfbb627691c47eba7451182aca758e3)
Signed-off-by: Federico Pellegrin <fede@evolware.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: 37d19b346894c751184ec1e5e97fbdee244f47a0)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fixed:
$ dnf install openssl-bin
$ openssl req -new -x509 -keyout lighttpd.pem -out lighttpd.pem -days 365 -nodes -batch
Can't open /usr/lib/ssl-1.1/openssl.cnf for reading, No such file or directory
(From OE-Core rev: e93cd3b83a255294c9ab728adc7e237eb1321dab)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some openssl command line operations like creating an X.509 CSR require
the file /usr/lib/ssl-1.1/openssl.cnf to exist and fail if it doesn't
root@qemux86-64:~# openssl req -out my.csr -new -newkey rsa:2048 -nodes -keyout my.key
Can't open /usr/lib/ssl-1.1/openssl.cnf for reading, No such file or directory
140289168594176:error:02001002:system library:fopen:No such file or directory:../openssl-1.1.1g/crypto/bio/bss_file.c:69:fopen('/usr/lib/ssl-1.1/openssl.cnf','r')
140289168594176:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1g/crypto/bio/bss_file.c:76:
which is the case e.g. in core-image-minimal with just the
package openssl-bin added to the image by declaring
IMAGE_INSTALL_append = " openssl-bin"
e.g. in local.conf.
The file did not exist in the aforementioned image / configuration
because it was packaged to the main openssl package
FILES_${PN} =+ "${libdir}/ssl-1.1/*"
(there is no other FILES specification that would match the file either)
and
path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-1.1.1g-r0.core2_64.rpm
[...]
/usr/lib/ssl-1.1/openssl.cnf
[...]
Hence move /usr/lib/ssl-1.1/openssl.cnf (and openssl.cnf.dist as it
seems closely related) to the ${PN}-conf package to have it installed
with ${PN}-bin, which already (indirectly) depends on ${PN}-conf.
Note that the openssl recipe has the comment
Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
package RRECOMMENDS on this package. This will enable the configuration
file to be installed for both the openssl-bin package and the libcrypto
package since the openssl-bin package depends on the libcrypto package.
but openssl-conf only contained /etc/ssl/openssl.cnf
path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-conf-1.1.1g-r0.core2_64.rpm
/etc
/etc/ssl
/etc/ssl/openssl.cnf
/usr/lib/ssl-1.1/openssl.cnf is actually only a symlink that points to
../../../etc/ssl/openssl.cnf.
Other files and directories in /usr/lib/ssl-1.1/ were considered as well
because they seem to be configuration files and / or related to
(symlinks pointing to) /etc. They were not moved though, because based
on our use case and testing moving the openssl.cnf symlink is sufficient
for fixing the immediate problem and we lack knowledge about the other
files in order to make a decision to change their packaging.
(From OE-Core rev: c1632d7041fe0c18ec61abfa79a9c025af43c033)
Signed-off-by: Hannu Lounento <hannu.lounento@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
| |
This also fixes CVE-2020-1967.
(From OE-Core rev: 8e0283e70b9977c9ac14cdab77907301405c3cee)
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
This also un-breaks python3 ptest which got broken
with 1.1.1e update.
(From OE-Core rev: b4ddf5b9d8cd769b7026663f93c8bc69b55d8cbf)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
| |
Backported patch removed.
(From OE-Core rev: 710bc0f8544f54750c8fb7b8affa243932927a24)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* passing PERL=perl breaks c_rehash calls from dash (works fine with bash)
dash doesn't like
#!perl
shebang
PERL="/usr/bin/env perl"
unfortunately just passing PERL like this doesn't pass do_configure:
Creating Makefile
sh: 1: /usr/bin/env perl: not found
WARNING: exit code 1 from a shell command.
But passing it as:
HASHBANGPERL="/usr/bin/env perl" PERL=perl
seems to work.
(From OE-Core rev: 79350826396a882d115caafd88b0a49c91a4fa6c)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: 57fcf9b517fe95e871122946cb99fe7fa9fd2e26)
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
