Commit Graph

368 Commits

Author SHA1 Message Date
Yi Zhao
756d8ab246 openssl: add fips support
* Add PACKAGECONFIG[fips] to enable fips build.
* Split a new package openssl-ossl-module-fips for fips.so.
* Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the
  config file fipsmodule.cnf is created on target. This is because we
  should not use the same fipsmodule.cnf on different machines.
  The 'openssl fipsinstall' commandline in pkg_postinst_ontarget will do
  the following things:
  1. Run the FIPS module self tests on target.
  2. Generate config file fipsmodule.conf containing information about
     the FIPS module such as the calculated MAC of the module.

(From OE-Core rev: 29979937e2d40885e7e91bb9a7e7dca6763e3d52)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-15 10:55:26 +01:00
Changqing Li
8dcd0f73eb buildtools-tarball: Make buildtools respect host CA certificates
To adapt to the user's network environment, buildtools should first try to use
the user-configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/...; if these
envs are not set, then use the auto-detected CA file and CA path, and
finally use the CA certificates in buildtools.

nativesdk-openssl sets OPENSSLDIR to "/not/builtin", so SSL_CERT_FILE/SSL_CERT_DIR need to be set for it to work

nativesdk-curl doesn't set a default CA file, so it needs
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work

nativesdk-git actually uses libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also work

nativesdk-python3-requests will use cacert.pem under the python module certifi by
default, so REQUESTS_CA_BUNDLE needs to be set

(From OE-Core rev: 8a7ec52e9b35654bee48cd948c6c34c63db3e265)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-24 11:27:06 +01:00
Changqing Li
2a1eb07755 buildtools-tarball: move setting of envvars to respective envfile
* make git, curl and python3-requests align with openssl: move the setting of
  envvars into the respective envfile
* for environment.d-openssl.sh, also check if ca-certificates.crt exists
  before exporting envvars

(From OE-Core rev: 9d8ebfcd55ad274e79cb81f162397c8f39f4287b)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-11 11:49:59 +01:00
Peter Marko
92c32a6de9 openssl: upgrade 3.4.1 -> 3.5.0
This is a new openssl LTS release.

Release information:
* https://openssl-library.org/post/2025-02-20-openssl-3.5-lts/
* https://openssl-library.org/post/2025-04-08-openssl-35-final-release/
* https://github.com/openssl/openssl/releases/tag/openssl-3.5.0
* https://github.com/openssl/openssl/blob/openssl-3.5.0/NEWS.md#openssl-35

The packages-split directory does not show any changes relevant to
packaging.

There are new config options but they don't seem to be significant
enough to need explicit packageconfig options.

(From OE-Core rev: 6ff6e86a06ba081eb9afd83e62c128f987cce0ef)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-10 11:05:34 +01:00
Dan McGregor
f0a765624b openssl-native(sdk): poison built in paths
Long ago, in the OpenSSL 1.1 days changing CFLAGS worked to override
hard-coded paths in the OpenSSL libraries. Even as far back as
kirkstone this was no longer working.

Override make variables instead to poison the paths that get built
into the native (and nativesdk) libraries so they become relocatable
again.

While here, remove the -isystem<foo> compiler argument from the compiler
command line stored in the library, just like we already remove the
prefix-map and sysroot arguments.

(From OE-Core rev: d1b29222ad6243c15275a04f9de5989cf158cb2e)

Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-03-06 11:16:46 +00:00
Rasmus Villemoes
77c10c60a4 openssl: honour calling environment's values in wrapper script
When using openssl with some pkcs#11 plugin module, one (usually)
needs to set the OPENSSL_CONF environment variable
appropriately, and e.g. invoke openssl as

  openssl dgst -engine pkcs11 -keyform engine ...

However, when putting that logic in a bitbake recipe and depending on
openssl-native (and the recipe providing the pkcs#11 engine and the
associated configuration file), the value of OPENSSL_CONF is
unconditionally overridden by the wrapper script.

If openssl was invoked directly in the task function, I could probably
call "openssl.real" instead, but then I miss the proper settings of
the other four variables, which I'd then also have to repeat in my
recipe. Moreover, sometimes openssl is only called via some helper
script (for example rpi-eeprom-digest for signing bootloader images
for RPi), and it's not reasonable to patch every such script to call
openssl.real.

So rewrite the wrapper such that if a variable is already set in the
environment before openssl is invoked, preserve its value.

(From OE-Core rev: 5582ec9d3a21c546b799d2f6d4928f5e1d19eb0a)

Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-02-27 10:55:16 +00:00
Rasmus Villemoes
de80844aa2 openssl: fold result of sed invocation into environment file
A long time ago, the environment.d-openssl.sh file was shared between
openssl 1.0 and openssl 1.1 recipes, and sed was used to make the path
right for the 1.1 version. Nowadays, with only a single recipe, this
is a bit roundabout, so just use the proper path in the file directly.

(From OE-Core rev: 291fe7db623b0974e7831e908e91b1f1259e0506)

Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-02-27 10:55:16 +00:00
Peter Marko
36c3bfa64b openssl: upgrade 3.4.0 -> 3.4.1
Release information:
https://github.com/openssl/openssl/blob/openssl-3.4/NEWS.md#major-changes-between-openssl-340-and-openssl-341-11-feb-2025

Handles CVE-2024-12797 and CVE-2024-13176.

Remove two patches included in the new version.

(From OE-Core rev: d7ac886d91ccf6b91f67fb0c843fc1765d9dafb1)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-02-18 11:56:03 +00:00
Ross Burton
fca4f4f712 openssl: fix register trampling on aarch64
Backport a patch from upstream to fix register trampling on aarch64.

(From OE-Core rev: 9005321e37030d916f4f26e7201e2f86c85ebdbd)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-02-10 13:03:57 +00:00
Peter Marko
23e695407e openssl: remove obsolete CVE version suffix
Since 3.0.0 openssl no longer uses characters in the version suffix.

(From OE-Core rev: 80151340b0b20610030f3026e9fc71ef5970c2c5)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-01-20 13:38:59 +00:00
Khem Raj
8689c066e8 openssl: Fix build on riscv64/musl
__NR_riscv_hwprobe is not exported in musl's hwprobe.h, so
this fails to build with newer kernels.

Fixes
| :85:20: error: use of undeclared identifier '__NR_riscv_hwprobe'; did you mean 'riscv_hwprobe'?
|    85 |     return syscall(__NR_riscv_hwprobe, pairs, pair_count, cpu_count, cpus, flags);
|       |                    ^~~~~~~~~~~~~~~~~~

(From OE-Core rev: 5271f24643c303d0e6d3d9c12c722f5d818252fe)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-12-09 15:23:28 +00:00
Peter Marko
5c35805fd4 openssl: upgrade 3.3.1 -> 3.4.0
Release information:
https://github.com/openssl/openssl/blob/openssl-3.4/NEWS.md#major-changes-between-openssl-33-and-openssl-340-22-oct-2024

Handles CVE-2024-9143

Refreshed patches.

(From OE-Core rev: 45c6b85ccc8157f0dd31eb3d5138832ced7966d5)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-11-29 22:13:25 +00:00
Richard Purdie
ce71947065 openssl: Fix SDK environment script to avoid unbound variable
Avoid errors like:

buildtools/sysroots/x86_64-pokysdk-linux/environment-setup.d/openssl.sh: line 6: BB_ENV_PASSTHROUGH_ADDITIONS: unbound variable

by setting an explicit empty default value.

(From OE-Core rev: 5a2a4910a22668f25679a47deaa9e2ed28665efa)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-11-01 11:53:26 +00:00
Ross Burton
7621286640 openssl: rewrite ptest installation
Rewrite (again) the openssl test suite installation.

Depend on and reuse already installed libraries and modules instead of
installing them twice.

Be more selective when installing from the build tree so we don't install
intermediate .c .d .o files.

This further reduces the size of openssl-dbg from ~120MB to ~18MB.

(From OE-Core rev: 8baa0ce7eae65026cb3a784adaf3a4fc724ce9c9)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-07-19 17:51:00 +01:00
Ross Burton
45c7150b91 openssl: strip the test suite
The test suite is huge because every test binary is statically linked to
libssl and/or libcrypto. This bloats the size of the -dbg package hugely,
so strip the test suite before packaging.

This reduces the size of openssl-dbg by 90% from ~1.2GB to ~120MB, and
reduces the size of the build tree from ~1.9GB to ~800MB.

(From OE-Core rev: 92f09a4269e45e09643a7e7aafd2811cfd47cb68)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-07-19 17:51:00 +01:00
Ross Burton
d237e9af27 openssl: disable tests unless ptest is enabled
The upstream Makefile always builds the tests unless they're explicitly
disabled. Whilst this doesn't make a difference to the final package and
sysroot output, disabling the tests for openssl-native reduces the size
of the build tree from 659M to 78M and reduces the CPU time used by 30%.

(From OE-Core rev: dfaf1cba9f30c6b07836fe217e1ebc83bc6aec8a)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-07-18 17:21:39 +01:00
Clément Péron
684ab3c776 openssl: Remove patch already upstreamed
Since the bump to OpenSSL 3.3.1, riscv32 doesn't build anymore due to
the following error:
crypto/riscv32cpuid.s:77: Error: symbol `riscv_vlen_asm' is already
defined

This is due to the patch being already applied upstream:
Commit: 8702320db98d1346c230aff1282ade3ecdca681a

(From OE-Core rev: 06c4168c7bd6a32cb7de3e003793c8e232714fad)

Signed-off-by: Clément Péron <peron.clem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-06-25 11:50:58 +01:00
Peter Marko
bddb08f20b openssl: Upgrade 3.3.0 -> 3.3.1
Handles CVE-2024-4741

Removed included backports.

Release information:
https://github.com/openssl/openssl/blob/openssl-3.3/NEWS.md#major-changes-between-openssl-330-and-openssl-331-4-jun-2024

(From OE-Core rev: 3c7f8f87741702d50e29a5858802f74c5f4aab49)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-06-06 11:56:03 +01:00
Richard Purdie
06cba9abc4 openssl: Add passthrough variables to work with bitbake
Now that bitbake uses websockets over SSL as hashserv and is correctly
limiting hash equivalence only to things in the original SDK, bitbake builds
from buildtools can fail due to broken SSL from buildtools.

The issue is that the relocation variables are being removed from the
environment. This could be fixed within bitbake or it could be fixed
within the SDK environment. This patch does the latter for now. We
really need to improve openssl relocation within the SDK in general.

Fixing this has become more urgent to fix failing builds in automated
testing.

(From OE-Core rev: 6a20667c166fa3d7e2b6e8e8b442dec0fc75f349)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-06-04 21:37:13 +01:00
Khem Raj
a1d4f0b105 openssl: Fix build on riscv
GCC-14 unearths this bug which is already fixed upstream so backport it

(From OE-Core rev: 0d5c61a1f5099639acf58b33288f466ce47847b5)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-05-23 11:26:39 +01:00
Peter Marko
962d8eebb7 openssl: patch CVE-2024-4603
Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46

(From OE-Core rev: f136006676750ac653cd7804396614210d1e5120)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-05-22 10:21:26 +01:00
Ross Burton
2b963cb51e openssl: fix pkgconfig path problems
OpenSSL 3.3.0 introduced new pkgconfig generators which interact badly
with our incorrect setting of --libdir, which is documented as being
the name of the directory _under $prefix_, not an absolute path. This
resulted in the pkgconfig files having libdir=/usr, which mostly works as
the actual library directory is on the search path, but can break other
recipes (such as tpm2-openssl).

Pass the correct value for --libdir, and also remove the odd handling of
an empty ${prefix} which is very historical[1] and can't happen anymore
as all build variations have a prefix.

[1] Added in oe-classic f725a81c, 2009

(From OE-Core rev: f5e931c5e5932e35113d13ba053419283f472f43)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-05-09 09:48:58 +01:00
Richard Purdie
0ea63b6a43 recipes: Update WORKDIR references to UNPACKDIR
Since we want to be able to stop unpacking to WORKDIR, correct the WORKDIR
references in recipe do_compile/do_install tasks to use UNPACKDIR in the
appropriate places instead.

(From OE-Core rev: d73595df69667fe9d12ecd407b77a0b8dae2109c)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-05-02 15:15:51 +01:00
Wang Mingyu
e336fee6e5 openssl: upgrade 3.2.1 -> 3.3.0
CVE-2024-2511.patch
removed since it's included in 3.3.0

Changelog:
 https://github.com/openssl/openssl/blob/openssl-3.3.0/NEWS.md

(From OE-Core rev: 1d6cb1592d6883cc504ff0776810312f732664ae)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-04-25 10:06:02 +01:00
Peter Marko
fd794ce87c openssl: patch CVE-2024-2511
Patch: e9d7083e24
News: b7acb6731a

(From OE-Core rev: b439d1c9e5a115bbb5193a2df25e84291cc07bec)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-04-16 07:33:19 +01:00
Ross Burton
4a8b005afc openssl: fix crash on aarch64 if BTI is enabled but no Crypto instructions
On aarch64, if the processor doesn't have the Crypto instructions then
OpenSSL will fall back onto the "bit-sliced" assembler routines. When
branch protection (BTI) was enabled in OpenSSL these routines were
missed, so if BTI is available libssl will immediately abort when it
enters this assembler.

Backport a patch submitted upstream to add the required call target
annotations so that BTI doesn't believe the code is being exploited.

(From OE-Core rev: 438a390e8e1811bc2d3820c1cd2b8e099e70064a)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-03-30 22:22:19 +00:00
Xiaotian Wu
7b4d8e6b7f openssl: Match target name for loongarch64
This is updated in openssl [1] since openssl 3.2.0-alpha1 onwards

[1] b625e21e67

(From OE-Core rev: 1e5b30d92da2e51e6a4ba75e2cc1e9ccebc8efe7)

Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-27 11:35:43 +00:00
Simone Weiß
5e21c5d64e meta: Remove some not needed CVE_STATUS
CVE_STATUS was set for those components, but meanwhile databases are updated
with corrected information, so setting the CVE_STATUS is not needed anymore.

(From OE-Core rev: 5ec6057cfa66ceeb33bec013e320f8e3fa7d7ecf)

Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-24 16:10:23 +00:00
Peter Marko
670bc40b69 openssl: Upgrade 3.2.0 -> 3.2.1
Fixes CVE-2024-0727 and CVE-2023-6237

Removed included patch backports.

New module was implemented in tests and needs to be installed
to successfully pass 04-test_provider.t test.

Release information:
https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md#major-changes-between-openssl-320-and-openssl-321-30-jan-2024

(From OE-Core rev: b50f1c4ccac12e9dbdeb5a6fec0413c9cd901d88)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-05 14:06:09 +00:00
Ross Burton
e5604d346c openssl: backport fix for CVE-2023-6129
(From OE-Core rev: 7fa10f29b31f8aae572026a00a6354aec539d044)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-02 11:06:17 +00:00
Khem Raj
101580d72f openssl: Fix build on riscv
Backport a typo fix RISCV_HAS_ZKND_ZKNE -> RISCV_HAS_ZKND_AND_ZKNE

(From OE-Core rev: 2b2bf78c7250a23a476f168d3f1789496c1c27e9)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-01-19 12:21:22 +00:00
Ross Burton
92fd81b7de openssl: mark assembler sections as call targets for PAC/BTI support on aarch64
The assembler sections in OpenSSL were not marked as valid call targets,
so branch protection could not be enabled for libcrypto.so.

(From OE-Core rev: 4bf06bc5487da05e6b4a4895e5ca2da65cdc25d8)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-12-21 10:38:30 +00:00
Lee Chee Yang
5369e2f5c5 openssl: upgrade to 3.2.0
The upgrade includes the fix for CVE-2023-5678.

Changes in 3.2.0
https://www.openssl.org/news/cl32.txt

drop upstreamed 0001-Link-libatomic-on-riscv32.patch.
drop fix_random_labels.patch as fixed by
0fbc50ef0c

(From OE-Core rev: 5a40f27051a1d40af41e7260b9f693a3c27c321f)

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-12-04 11:23:37 +00:00
William Lyu
02d38393d1 openssl: improve handshake test error reporting
Fixes [YOCTO #15225]

Yocto Bug #15255 is not reproducible. To obtain more useful information
for debugging, the OpenSSL test code is improved so that more detailed
state information in the handshake loop is printed when an error occurs.

(From OE-Core rev: 5bf9a70f580357badd01f39822998985654b0bfc)

Signed-off-by: William Lyu <William.Lyu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-11-05 11:28:31 +00:00
Peter Marko
17571e6afc openssl: Upgrade 3.1.3 -> 3.1.4
https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-313-and-openssl-314-24-oct-2023

Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363)

(From OE-Core rev: 104ba16de434a08b0c8ba4208be187f0ad1a2cf8)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-10-26 15:29:35 +01:00
Khem Raj
1221529a69 openssl: Inherit riscv32 config from latomic config on linux
We still need this option for riscv32; the patch is also submitted
upstream.

(From OE-Core rev: 2e923a5a67e51463dcf938079c4a199873ccba85)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-10-25 10:20:39 +01:00
Khem Raj
088207034b openssl: Match target name for riscv64/riscv32
This is updated in openssl [1] [2] since openssl 3.2 onwards

[1] 42ee6e7be4
[2] c29554245a

(From OE-Core rev: ed280618b40e5c67d475f74569183a11619b52c2)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-10-23 10:49:19 +01:00
Peter Marko
3a5b23a5c3 openssl: Upgrade 3.1.2 -> 3.1.3
https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-312-and-openssl-313-19-sep-2023
Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023]
* Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807)

(From OE-Core rev: eb65fdd971aa30d3fd09a8bc1b33ad2a1197f364)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-09-22 07:45:17 +01:00
Alexander Kanavin
df0f70d1b0 openssl: ensure all ptest fails are caught
Piping results through sed may mask failures that sed isn't catching.

(From OE-Core rev: 2b1b0e9e4d5011e7c2fd1b59fc277a7cfdc41194)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-09-18 08:53:10 +01:00
Alexander Kanavin
befe84272b openssl: parallelize tests
This brings them from 15 minutes to just over 4.

(From OE-Core rev: 9eeee78aa94aaa441da012aeb904a0f1cbcd4d91)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-09-18 08:53:10 +01:00
Alexander Kanavin
1584613ca8 openssl: build and install manpages only if they are enabled
This significantly speeds up the build by default.

(From OE-Core rev: 2b5ee583c62dbe381cd429da14ecbba5ea32d506)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-09-07 14:36:30 +01:00
Peter Marko
71193e58b0 openssl: Upgrade 3.1.1 -> 3.1.2
https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-311-and-openssl-312-1-aug-2023
Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023]
* Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
* Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)
* Do not ignore empty associated data entries with AES-SIV (CVE-2023-2975)
* When building with the enable-fips option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret and the Hash and HMAC DRBGs will not operate with truncated digests.

(From OE-Core rev: e65802383b02df6f502af859a927309d881bbb27)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-08-16 07:54:38 +01:00
Andrej Valek
c15e506a46 cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
- Try to convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
  version

(From OE-Core rev: 1634ed4048cf56788cd5c2c1bdc979b70afcdcd7)

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-07-21 11:52:26 +01:00
Jose Quaresma
a48de87ca7 openssl: use a glob on the PERLEXTERNAL to track updates on the path
The Text-Template was updated from 1.46 to 1.56

| ERROR: openssl-native-3.1.1-r0 do_configure: PERLEXTERNAL '/build/tmp/work/x86_64-linux/openssl-native/3.1.1-r0/openssl-3.1.1/external/perl/Text-Template-1.46/lib' not found!

(From OE-Core rev: b9a7739b01e31d0cc8358d99255e3e1b02a0a1a8)

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-07-14 17:31:06 +01:00
Jose Quaresma
84c75c9660 openssl: add PERLEXTERNAL path to test its existence
When upstream changes, it is better to fail, or to remove the PERL5LIB
if it is not needed anymore.

(From OE-Core rev: 337ac1159644678508990927923ef8af30f34cd7)

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-07-14 17:31:06 +01:00
Dmitry Baryshkov
e16d16ffa6 openssl: fix building on riscv32
On riscv32 configurations OpenSSL fails to build with "undefined
reference to `__atomic_foo'" kind of errors. Change OpenSSL recipe to
use linux-latomic configuration instead of linux-generic32.

(From OE-Core rev: e8ce80fc6d6579554bca2eba057e65d4b12c0793)

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-06-06 23:41:13 +01:00
Tim Orling
9d01c892b4 openssl: upgrade 3.1.0 -> 3.1.1
* Drop CVE-2023-0464.patch (merged upstream).
* Refresh 0001-Configure-do-not-tweak-mips-cflags.patch

https://github.com/openssl/openssl/blob/openssl-3.1.1/NEWS.md

Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023]

* Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree (CVE-2023-0464)

Security Advisory:
https://www.openssl.org/news/secadv/20230530.txt

CVE: CVE-2023-2650
CVE: CVE-2023-1255
CVE: CVE-2023-0466
CVE: CVE-2023-0465
CVE: CVE-2023-0464

(From OE-Core rev: 26ce9a5fd31c27812ce8784a398b600cc0e9aa80)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-06-01 08:05:11 +01:00
Siddharth Doshi
97e3d44472 OpenSSL: Security fix for CVE-2023-0464
Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545]
(From OE-Core rev: 20ae485ef65bef2ddbffe05fd29cc7d411c38448)

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-26 18:50:17 +01:00
Richard Purdie
4e18b5ebb0 openssl: Fix reproducibility issue
Fix an issue introduced in the new openssl version where an assembler file
isn't generated in a reproducible way by seeding the perl random number
generator consistently. It has no crypto impact, it is just used to
avoid function name clashes.

(From OE-Core rev: 448df3e1c02fe224d62f59a236fdcd47ea7e695f)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-16 17:49:38 +00:00
Randy MacLeod
1fd13ab7e1 openssl: update from 3.0.8 to 3.1.0
From the NEWS.md file:

  ### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023]

  * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
  * Performance enhancements and new platform support including new
    assembler code algorithm implementations.
  * Deprecated LHASH statistics functions.
  * FIPS 140-3 compliance changes.

Drop the upstreamed afalg.patch:
   c425e365f4 Configure: don't try to be clever when configuring afalgeng

(From OE-Core rev: 71c763ed4fbbea22a6a0b145e4e29436c7e59625)

Signed-off-by: Randy MacLeod <randy.macleod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-16 17:49:38 +00:00