subtree updates
meta-raspberrypi: 9240ea91ca..8e07f0d328:
DOLE Olivier (1):
rpi-config: U-Boot requires "enable_uart=1" to operate correctly.
Florin Sarbu (1):
udev-rules-rpi: Use 99-com.rules directly from upstream
meta-openembedded: 829dcb63f0..def4759e95:
Alex Kiernan (1):
ostree: Add soup3 PACKAGECONFIG, rename soup to soup2
Alexander Mohr (1):
dlt-daemon: apply rename of genivi to covesa
Armin Kuster (1):
wireshark: Update to a supported version 4.0.x
Bartosz Golaszewski (97):
python3-snagboot: new recipe
libgpiod: add myself as maintainer
python3-pyparted: add missing run-time dependencies
python3-send2trash: add missing run-time dependencies
python3-mock: cleanup RDEPENDS
python3-mock: add missing run-time dependencies
python3-cson: fix run-time dependencies
python3-ldap: don't use PYTHON_PN
python3-ldap: add missing run-time dependencies
python3-pyrad: add missing run-time dependencies
python3-html2text: add missing run-time dependencies
python3-parse: don't use PYTHON_PN and improve coding style
python3-parse: add missing run-time dependencies
python3-meld3: add missing run-time dependencies
python3-pyiface: add missing run-time dependencies
python3-mpmath: add missing run-time dependencies
python3-uswid: add missing run-time dependencies
python3-xmlrunner: add missing run-time dependencies
python3-editor: add missing run-time dependencies
python3-pykwalify: don't use PYTHON_PN and improve coding style
python3-pykwalify: add missing run-time dependencies
python3-iperf: add missing run-time dependencies
python3-sdnotify: add missing run-time dependencies
python3-service-identity: add missing run-time dependencies
python3-sqlsoup: add missing run-time dependencies
python3-sqlalchemy: don't use PYTHON_PN and improve coding style
python3-sqlalchemy: add missing run-time dependencies
python3-pure-eval: add missing run-time dependencies
python3-stack-data: fix coding style
python3-stack-data: add missing run-time dependencies
python3-sympy: add missing run-time dependencies
python3-thrift: don't use PYTHON_PN and improve coding style
python3-thrift: add missing run-time dependencies
python3-tomlkit: add missing run-time dependencies
python3-tornado: drop ${PN} from RDEPENDS
python3-tornado: fix coding style
python3-tornado: remove the testing submodule from FILES:${PN}-test
python3-tornado: add missing run-time dependencies
python3-trustme: add missing run-time dependencies
python3-twofish: add missing run-time dependencies
python3-txws: add missing run-time dependencies
python3-web3: add missing run-time dependencies
python3-uefi-firmware: add missing run-time dependencies
python3-websockets: fix coding style
python3-websockets: add missing run-time dependencies
python3-xlrd: fix coding style
python3-xlrd: add missing run-time dependencies
python3-versiontools: add missing run-time dependencies
python3-typeguard: add missing run-time dependencies
python3-process-tests: add missing run-time dependencies
python3-pyatspi: add missing run-time dependencies
python3-pydantic: don't use PYTHON_PN and improve coding style
python3-pydantic: add missing run-time dependencies
python3-python-vlc: add missing run-time dependencies
python3-redis: fix coding style
python3-redis: add missing run-time dependencies
python3-raven: add missing run-time dependencies
python3-pypng: new package
python3-qrcode: add missing run-time dependencies
python3-pyusb: fix run-time dependencies
python3-pytest-mock: add missing run-time dependencies
python3-pyroute2: fix coding style
python3-fcntl: add missing run-time dependencies
python3-pyproject-metadata: add missing run-time dependencies
python3-pyproj: don't use PYTHON_PN
python3-pyproj: drop unnecessary run-time dependency
python3-pyproj: add missing run-time dependencies
python3-classes: new package
python3-pylyrics: add missing run-time dependencies
python3-pyjwt: stop using PYTHON_PN
python3-pyjwt: add missing run-time dependencies
python3-javaobj-py3: add missing run-time dependencies
python3-pyjks: stop using PYTHON_PN
python3-pyjks: fix run-time dependencies
python3-pyexpect: add missing run-time dependencies
python3-pynetlinux: fix relative imports
python3-pynetlinux: add missing run-time dependencies
python3-pickleshare: add missing run-time dependencies
python3-petact: add missing run-time dependencies
python3-pefile: add missing run-time dependencies
python3-jsonpath-rw: add missing run-time dependencies
python3-jsonrpcclient: add missing run-time dependencies
python3-jstyleson: add missing run-time dependencies
python3-kconfiglib: add missing run-time dependencies
python3-libevdev: add missing run-time dependencies
python3-linux-procfs: add missing run-time dependencies
python3-lockfile: add missing run-time dependencies
python3-msm: fix coding style
python3-lazy: new recipe
python3-msm: add missing run-time dependencies
python3-netaddr: stop using PYTHON_PN
python3-netaddr: add missing run-time dependencies
python3-ninja-syntax: new package
python3-ninja: add missing run-time dependencies
python3-nmap: add missing run-time dependencies
python3-oslash: add missing run-time dependencies
python3-padaos: add missing run-time dependencies
Christophe Vu-Brugier (1):
switchtec-user: add new recipe
Geoff Parker (1):
python3-platformdirs: add nativesdk to BBCLASSEXTEND
Ivan Maidanski (1):
bdwgc: upgrade 8.2.2 -> 8.2.4
Johannes Kauffmann (2):
open62541: update to v1.3.6
open62541: build optimized binary
Khem Raj (21):
ipvsadm: Pass build environment cflags to compiler
orrery: Pass OE provided cflags
libleak: Upgrade to 0.3.6
zeroconf: Pass cflags from environment
lshw: Pass OE cflags via RPM_OPT_FLAGS
ruli: Pass cflags to makefile
gnome-online-accounts: Replace filename with basename
rdma-core: Use target path for systemctl
monkey: Remove buildpaths from generated mk_env.h
minio: Ignore from world builds
libcppkafka: Remove RECIPE_SYSROOT from packageconfig .pc file
doxygen: Do not generate #line directive with flex/bison
gattlib: Upgrade to latest tip of trunk
ettercap: Do not generate #line directives with bison/flex
zfs: Add a patch to fix aarch64 build with gcc13
zfs: Upgrade to 2.1.11
zfs: Fix build with aarch64
zfs: Fix build on musl
ctapi-common: Use archives.fedoraproject.org to fetch srpm
Revert "libgpiod: modify test 'gpioset: toggle (continuous)'"
meta-python-ptest-fast-image: Do not run python3-pytest-mock ptests
Lei Maohui (1):
dovecot: Fix install conflict when enable multilib.
Marek Vasut (1):
v4l-utils: Update 1.23.0+9431e4b2 -> 1.24.1
Markus Volk (4):
iwd: update 2.4 -> 2.5
gnome-control-center: upgrade 44.1 -> 44.2
mutter: upgrade 44.1 -> 44.2
gnome-shell: upgrade 44.1 -> 44.2
Martin Jansa (1):
switchtec-user: fix installed-vs-shipped with multilib
Niko Mauno (2):
contrib: oe-stylize: Fix ambiguous variable names
contrib: oe-stylize: Use Python3 explicitly
Peter Marko (1):
nss: ignore CVE-2022-3479
Petr Gotthard (4):
blueman: fix REQUIRED_DISTRO_FEATURES gobject-introspection-data
firewalld: fix REQUIRED_DISTRO_FEATURES gobject-introspection-data
system-config-printer: fix REQUIRED_DISTRO_FEATURES gobject-introspection-data
firewalld: upgrade 1.2.0 -> 1.3.2
Wang Mingyu (40):
ctags: upgrade 6.0.20230521.0 -> 6.0.20230528.0
eog: upgrade 44.1 -> 44.2
nautilus: upgrade 44.1 -> 44.2
evolution-data-server: upgrade 3.48.1 -> 3.48.2
flatbuffers: upgrade 23.1.4 -> 23.3.56
python3-asgiref: upgrade 3.7.1 -> 3.7.2
python3-cachetools: upgrade 5.3.0 -> 5.3.1
python3-coverage: upgrade 7.2.6 -> 7.2.7
python3-croniter: upgrade 1.3.14 -> 1.3.15
python3-deprecated: upgrade 1.2.13 -> 1.2.14
python3-google-api-python-client: upgrade 2.86.0 -> 2.87.0
python3-google-auth: upgrade 2.18.1 -> 2.19.0
python3-imageio: upgrade 2.29.0 -> 2.30.0
python3-license-expression: upgrade 30.1.0 -> 30.1.1
python3-lru-dict: upgrade 1.1.8 -> 1.2.0
python3-paramiko: upgrade 3.1.0 -> 3.2.0
python3-pint: upgrade 0.21 -> 0.22
python3-protobuf: upgrade 4.23.1 -> 4.23.2
python3-xlsxwriter: upgrade 3.1.1 -> 3.1.2
xterm: upgrade 380 -> 381
python3-zeroconf: upgrade 0.62.0 -> 0.63.0
dnf-plugin-tui: modify suffix of spdx file.
evolution-data-server: upgrade 3.48.2 -> 3.48.3
samba: upgrade 4.18.2 -> 4.18.3
ctags: upgrade 6.0.20230528.0 -> 6.0.20230604.0
tree: upgrade 2.1.0 -> 2.1.1
xrdb: upgrade 1.2.1 -> 1.2.2
xterm: upgrade 381 -> 382
xwd: upgrade 1.0.8 -> 1.0.9
libnet-dns-perl: upgrade 1.38 -> 1.39
pamela: upgrade 1.0.0 -> 1.1.0
python3-cachecontrol: upgrade 0.12.12 -> 0.13.0
python3-google-api-python-client: upgrade 2.87.0 -> 2.88.0
python3-google-auth: upgrade 2.19.0 -> 2.19.1
python3-nocaselist: upgrade 1.1.1 -> 2.0.0
python3-pymodbus: upgrade 3.2.2 -> 3.3.0
python3-regex: upgrade 2023.5.5 -> 2023.6.3
python3-rich: upgrade 13.3.5 -> 13.4.1
python3-sentry-sdk: upgrade 1.24.0 -> 1.25.0
ntp: upgrade 4.2.8p15 -> 4.2.8p16
poky: 76494f2b66..00f3d58064:
Alex Kiernan (1):
rust: Upgrade 1.69.0 -> 1.70.0
Alexander Kanavin (5):
maintaines.inc: unassign Richard Weinberger from erofs-utils entry
maintainers.inc: unassign Andreas Müller from itstool entry
maintainers.inc: unassign Pascal Bach from cmake entry
maintainers.inc: correct unassigned entries (> was missing)
maintainers.inc: correct Carlos Rafael Giani's email address
Andrej Valek (1):
busybox: 1.36.0 -> 1.36.1
Anuj Mittal (3):
gstreamer1.0: upgrade 1.22.2 -> 1.22.3
stress-ng: upgrade 0.15.07 -> 0.15.08
glib-networking: upgrade 2.74.0 -> 2.76.0
Bruce Ashfield (10):
linux-yocto/6.1: update to v6.1.26
linux-yocto/6.1: update to v6.1.27
linux-yocto-dev: bump to v6.4+
kernel: don't force PAHOLE=false
linux-yocto: move build / debug dependencies to .inc
linux-yocto/6.1: update to v6.1.28
linux-yocto/6.1: update to v6.1.29
linux-yocto/6.1: update to v6.1.30
linux-yocto/6.1: update to v6.1.31
linux-yocto/6.1: update to v6.1.32
Chen Qi (4):
libsdl2: disable SDL's own ccache
cmake.bbclass: do not search host paths for find_program()
Revert "libsdl2: disable SDL's own ccache"
qemurunner.py: fix error message about qmp
Daniel Ammann (1):
overview-manual: concepts.rst: Fix a typo
Denys Dmytriyenko (1):
bitbake.conf: Add SRCPV to BB_HASH_CODEPARSER_VALS
Dmitry Baryshkov (1):
openssl: fix building on riscv32
Frieder Paape (1):
image_types: Fix reproducible builds for initramfs and UKI img
Jialing Zhang (1):
linuxloader/initramfs: Add support for loongarch64
Joshua Watt (7):
bitbake: server: Fix crash when checking lock file
bitbake: runqueue: Pass hashfn in taskdep data
classes/create-spdx-2.2: Use hashfn from BB_TASKDEPDATA instead of MACHINE
classes/create-spdx-2.2: Respect PKG for providers
classes/create-spdx-2.2: Fix build time dependency calculations
classes/create-spdx-2.2: Fix runtime dependency calculations
classes/create-spdx-2.2: Make license errors fatal
Khem Raj (2):
gcc: Upgrade to 13.1.1
perf: Make built-in libtraceevent plugins cohabit with external libtraceevent
Lee Chee Yang (4):
release-notes-4.2: update known issues and Repositories/Downloads
migration-guides: add release-notes for 4.1.4
migration-guides: add release notes for 4.0.10
migration-guides: add release notes for 4.2.1
Louis Rannou (1):
spdx: Fix license parsing
Marc Ferland (1):
connman: fix warning by specifying runstatedir at configure time
Markus Volk (4):
ell: upgrade 0.56 -> 0.57
python3: add libxcrypt-native dependency
ruby: add libxcrypt-native dependency
shadow: add libxcrypt-native dependency
Martin Jansa (2):
connman: backport a fix for build with pppd-2.5.0
selftest: wic.py respect IMAGE_LINK_NAME
Mauro Queiros (1):
pybootchartgui: show elapsed time for each task
Michael Halstead (2):
uninative: Upgrade to 3.10 to support gcc 13
uninative: Upgrade to 4.0 to include latest gcc 13.1.1
Michael Opdenacker (19):
migration-guides: release-notes-4.2: add doc improvement highlights
migration-guides: release-notes-4.3: add stub section for documentation changes
releases.svg: update according to latest release
ref-manual: improve description of kernel-fitimage variables
ref-manual: document uboot-sign class and variables
ref-manual: improve documentation for kernel-devicetree class
migration-guides: update 4.3 release notes
releases.svg: fix and explain duration of Hardknott 3.3
conf.py: add macro for Mitre CVE links
migration-guides: use new cve_mitre macro
migration-guides: release-notes-4.0.4.rst: fix typo
alsa-lib: upgrade 1.2.8 -> 1.2.9
alsa-ucm-conf: upgrade 1.2.8 -> 1.2.9
psplash: enable fullscreen and disable startup-msg
alsa-utils: upgrade 1.2.8 -> 1.2.9
ref-manual: document SPLASH variable
manuals: document SPLASH_IMAGES variable
bitbake: bitbake-user-manual: update releases.rst
bitbake: bitbake-user-manual: document "network" task flag
Ming Liu (1):
kernel.bbclass: introduce KERNEL_LOCALVERSION
Natasha Bailey (1):
tiff: backport a fix for CVE-2023-2731
Peter Kjellerstedt (1):
manuals: kernel-dev: Use protocol=https in a SRC_URI example
Petr Kubizňák (1):
ref-manual: document devicetree class variables
Richard Purdie (18):
glib: Fix ptest race issue
Revert "python3/ruby/shadow: Revert add libxcrypt-native dependency"
Revert "sqlite3: Whitelist CVE-2022-21227"
glib-2.0: Update ptest fix to upstream backport
meta-world-pkgdata: Fix for create-spdx
selftest/license: Exclude from world
create-spdx-2-2: Fix packagedata usage to work with SDK packages
create-spdx-2.2: Add missing variable exclusions
layer.conf: Add missing dependency exclusion
selftest/incompatible_lic: Ensure create_sdpx isn't used with the tests
oeqa/selftest/sstatetests: Add easier debug option
oeqa/selftest/wic: Fix host contamination issue
v86d: Improve kernel dependency
sstatesig: Drop SPDX special casing
packagegroup: Handle SPDX signature issues
poky: Enable spdx manifests by default
build-appliance-image: Update to master head revision
selftest/reproducible: Allow native/cross reuse in test
Riyaz Khan (1):
openssh: Remove BSD-4-clause contents completely from codebase
Robert Joslyn (1):
curl: Update from 8.1.0 to 8.1.1
Ross Burton (11):
avahi: remove redundant gobject-introspection DEPENDS
base: add ability to provide further details when using LICENSE_FLAGS
ninja: ignore CVE-2021-4336, wrong ninja
vulkan-samples: fix build on 32-bit platforms
gtk+3: upgrade 3.24.37 -> 3.24.38
piglit: upgrade to latest revision
pkgconf: upgrade 1.9.4 -> 1.9.5
ghostscript: upgrade to 10.01.1
git: upgrade to 2.39.3
binutils: fix CVE-2023-1972
cve-extra-exclusions: add more linux-yocto CVE ignores
Sanjay Chitroda (1):
sqlite3: Whitelist CVE-2022-21227
Sudip Mukherjee (1):
apt: Upgrade to v2.6.1
Tim Orling (1):
openssl: upgrade 3.1.0 -> 3.1.1
Tom Isaacson (1):
sdk-manual: fix Makefile example
Trevor Gamblin (6):
bind: upgrade 9.18.13 -> 9.18.14
pciutils: upgrade 3.9.0 -> 3.10.0
vim: upgrade 9.0.1527 -> 9.0.1592
python_hatchling: remove empty python sysroot dirs
python3-webcolors: upgrade 1.12 -> 1.13
python3-poetry-core: upgrade 1.5.2 -> 1.6.1
Ulrich Ölmann (1):
ref-manual: classes.rst: fix typo
Victor Kamensky (1):
systemtap: upgrade 4.8 -> 4.9
Wang Mingyu (34):
babeltrace2: upgrade 2.0.4 -> 2.0.5
curl: upgrade 8.1.1 -> 8.1.2
dos2unix: upgrade 7.4.4 -> 7.5.0
enchant2: upgrade 2.3.4 -> 2.5.0
fribidi: upgrade 1.0.12 -> 1.0.13
libdnf: upgrade 0.70.0 -> 0.70.1
libmicrohttpd: upgrade 0.9.76 -> 0.9.77
libxft: upgrade 2.3.7 -> 2.3.8
libxpm: upgrade 3.5.15 -> 3.5.16
mobile-broadband-provider-info: upgrade 20221107 -> 20230416
bind: upgrade 9.18.14 -> 9.18.15
ccache: upgrade 4.8 -> 4.8.1
libcap: upgrade 2.68 -> 2.69
libuv: upgrade 1.44.2 -> 1.45.0
python3-pip: upgrade 23.0.1 -> 23.1.2
python3-psutil: upgrade 5.9.4 -> 5.9.5
python3-ruamel-yaml: upgrade 0.17.21 -> 0.17.31
python3-sphinx: upgrade 6.1.3 -> 7.0.1
orc: upgrade 0.4.33 -> 0.4.34
python3-cython: upgrade 0.29.34 -> 0.29.35
python3-dbusmock: upgrade 0.28.7 -> 0.29.0
python3-hatch-fancy-pypi-readme: upgrade 22.8.0 -> 23.1.0
python3-hypothesis: upgrade 6.71.0 -> 6.75.7
python3-numpy: upgrade 1.24.2 -> 1.24.3
python3-pycryptodome: upgrade 3.17 -> 3.18.0
python3-pycryptodomex: upgrade 3.17 -> 3.18.0
python3-requests: upgrade 2.30.0 -> 2.31.0
python3-setuptools-rust: upgrade 1.5.2 -> 1.6.0
python3-sphinx-rtd-theme: upgrade 1.2.0 -> 1.2.1
python3-trove-classifiers: upgrade 2023.5.2 -> 2023.5.24
python3-typing-extensions: upgrade 4.5.0 -> 4.6.2
repo: upgrade 2.32 -> 2.34.1
sysklogd: upgrade 2.4.4 -> 2.5.0
xdpyinfo: upgrade 1.3.3 -> 1.3.4
Xiangyu Chen (1):
sysstat: Fix CVE-2023-33204
schitrod=cisco.com@lists.openembedded.org (1):
Revert "sqlite3: update CVE_PRODUCT"
meta-arm: 5cbe3041be..3fcafa3a94:
Adam Johnston (1):
CI: Platform specific Trusted Services config
Anton Antonov (1):
arm/oeqa: Make ts-service-test config match selected SPs
Claus Stovgaard (1):
arm-toolchain/gcc: Workaround for missing libcrypt
Emekcan Aras (1):
arm-bsp/u-boot: corstone1000: enable PSCI reset
Gyorgy Szing (11):
arm/trusted-services: update TS version
optee-os: remove v3.18 pin of OP-TEE on qemuarm64-secureboot
optee-os: Add support for TOS_FW_CONFIG on qemu
arm/trusted-firmware-a: Add TOS_FW_CONFIG handling for quemu
optee-test: backport SWd ABI compatibility changes
optee-os: enable SPMC test
arm/oeqa: enable OP-TEE SPMC tests
trusted-services: update documentation
arm/trusted-services: disable psa-iat on qemuarm64-secureboot
arm/trusted-services: fix nanopb build error
optee-os: unblock NWd interrupts
Jon Mason (9):
CI: move FVP license auto-accept to fvp.yml
CI/corstone: remove debug-tweaks usage
arm/qemuarm-secureboot: add musl testing
arm/linux-yocto: remove 5.15 bbappend
Revert "arm-bsp/tc1: re-enable signed kernel image"
arm/linux-yocto: remove unused 5.15 patches and inc file
arm-bsp/optee: Remove unreferenced patches
CI: add debug yml file for ease of use
arm/linux-yocto: add gcc 13 gimple backport patch
Mikko Rapeli (1):
scp-firmware: remove -fcanon-prefix-map
Ross Burton (3):
kas: remove obsolete armcompiler LICENSE_FLAGS_ACCEPTED
arm/fvp: add LICENSE_FLAGS_DETAILS
arm/trusted-firmware-a: look for LTS releases when looking for releases
Rui Miguel Silva (3):
arm-bsp/trusted-services:corstone1000: remove already merged patches
arm-bsp/trusted-services: remove merged patches for corstone1000
arm-bps/corstone1000: setup trusted service proxy configuration
meta-security: 5c2379f4bc..180dac9aec:
Andrew Geissler (1):
ibmswtpm2: update to 164-2020-192.1
Mikko Rapeli (4):
linux-yocto: support tpm and tpm2 on all architectures
linux-yocto: remove tpm_x86.cfg
parsec-service: fix build error
parsec-tool: fix build error
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I7e7960123b241d099e5ace7c36bb5836bdac6aad
diff --git a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 8649140..1764997 100644
--- a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -35,7 +35,7 @@
# Issue only affects Debian/SUSE, not us
CVE_CHECK_IGNORE += "CVE-2021-26720"
-DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native gobject-introspection"
+DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
# For gtk related PACKAGECONFIGs: gtk, gtk3
AVAHI_GTK ?= ""
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-avoid-start-failure-with-bind-user.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.15/0001-avoid-start-failure-with-bind-user.patch
similarity index 100%
rename from poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-avoid-start-failure-with-bind-user.patch
rename to poky/meta/recipes-connectivity/bind/bind-9.18.15/0001-avoid-start-failure-with-bind-user.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch
similarity index 100%
rename from poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-named-lwresd-V-and-start-log-hide-build-options.patch
rename to poky/meta/recipes-connectivity/bind/bind-9.18.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/bind-ensure-searching-for-json-headers-searches-sysr.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.15/bind-ensure-searching-for-json-headers-searches-sysr.patch
similarity index 100%
rename from poky/meta/recipes-connectivity/bind/bind-9.18.13/bind-ensure-searching-for-json-headers-searches-sysr.patch
rename to poky/meta/recipes-connectivity/bind/bind-9.18.15/bind-ensure-searching-for-json-headers-searches-sysr.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/bind9 b/poky/meta/recipes-connectivity/bind/bind-9.18.15/bind9
similarity index 100%
rename from poky/meta/recipes-connectivity/bind/bind-9.18.13/bind9
rename to poky/meta/recipes-connectivity/bind/bind-9.18.15/bind9
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/conf.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.15/conf.patch
similarity index 100%
rename from poky/meta/recipes-connectivity/bind/bind-9.18.13/conf.patch
rename to poky/meta/recipes-connectivity/bind/bind-9.18.15/conf.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/generate-rndc-key.sh b/poky/meta/recipes-connectivity/bind/bind-9.18.15/generate-rndc-key.sh
similarity index 100%
rename from poky/meta/recipes-connectivity/bind/bind-9.18.13/generate-rndc-key.sh
rename to poky/meta/recipes-connectivity/bind/bind-9.18.15/generate-rndc-key.sh
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/init.d-add-support-for-read-only-rootfs.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.15/init.d-add-support-for-read-only-rootfs.patch
similarity index 100%
rename from poky/meta/recipes-connectivity/bind/bind-9.18.13/init.d-add-support-for-read-only-rootfs.patch
rename to poky/meta/recipes-connectivity/bind/bind-9.18.15/init.d-add-support-for-read-only-rootfs.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/make-etc-initd-bind-stop-work.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.15/make-etc-initd-bind-stop-work.patch
similarity index 100%
rename from poky/meta/recipes-connectivity/bind/bind-9.18.13/make-etc-initd-bind-stop-work.patch
rename to poky/meta/recipes-connectivity/bind/bind-9.18.15/make-etc-initd-bind-stop-work.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/named.service b/poky/meta/recipes-connectivity/bind/bind-9.18.15/named.service
similarity index 100%
rename from poky/meta/recipes-connectivity/bind/bind-9.18.13/named.service
rename to poky/meta/recipes-connectivity/bind/bind-9.18.15/named.service
diff --git a/poky/meta/recipes-connectivity/bind/bind_9.18.13.bb b/poky/meta/recipes-connectivity/bind/bind_9.18.15.bb
similarity index 97%
rename from poky/meta/recipes-connectivity/bind/bind_9.18.13.bb
rename to poky/meta/recipes-connectivity/bind/bind_9.18.15.bb
index 8617137..80164aa 100644
--- a/poky/meta/recipes-connectivity/bind/bind_9.18.13.bb
+++ b/poky/meta/recipes-connectivity/bind/bind_9.18.15.bb
@@ -20,7 +20,7 @@
file://0001-avoid-start-failure-with-bind-user.patch \
"
-SRC_URI[sha256sum] = "3b06b6390c1012dd3956b1479c73b2097c0b22207817e2e8aae352fd20e578c7"
+SRC_URI[sha256sum] = "28ae8db14862801bc2bd4fd820db00667d3f1ff9ae9cc2d06a0ef7810fed7a4e"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# follow the ESV versions divisible by 2
diff --git a/poky/meta/recipes-connectivity/connman/connman.inc b/poky/meta/recipes-connectivity/connman/connman.inc
index d7af94f..7487ca0 100644
--- a/poky/meta/recipes-connectivity/connman/connman.inc
+++ b/poky/meta/recipes-connectivity/connman/connman.inc
@@ -27,6 +27,7 @@
--enable-ethernet \
--enable-tools \
--disable-polkit \
+ --runstatedir=/run \
"
# For smooth operation it would be best to start only one wireless daemon at a time.
# If wpa-supplicant is running, connman will use it preferentially.
diff --git a/poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch b/poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch
new file mode 100644
index 0000000..83343fd
--- /dev/null
+++ b/poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch
@@ -0,0 +1,274 @@
+From 5f373f373f5baccc282dce257b7b16c8bb4a82c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Eivind=20N=C3=A6ss?= <eivnaes@yahoo.com>
+Date: Sat, 25 Mar 2023 20:51:52 +0000
+Subject: [PATCH] vpn: Adding support for latest pppd 2.5.0 release
+
+The API has gone through a significant overhaul, and this change fixes any compile issues.
+1) Fixes to configure.ac itself
+2) Cleanup in pppd plugin itself
+
+Adding a libppp-compat.h file to mask for any differences in the version.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a48864a2e5d2a725dfc6eef567108bc13b43857f]
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ configure.ac | 42 ++++++++-----
+ scripts/libppp-compat.h | 127 ++++++++++++++++++++++++++++++++++++++++
+ scripts/libppp-plugin.c | 15 +++--
+ 3 files changed, 161 insertions(+), 23 deletions(-)
+ create mode 100644 scripts/libppp-compat.h
+
+diff --git a/configure.ac b/configure.ac
+index a573cef..f34bb38 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -135,14 +135,6 @@ AC_ARG_ENABLE(l2tp,
+ AC_HELP_STRING([--enable-l2tp], [enable l2tp support]),
+ [enable_l2tp=${enableval}], [enable_l2tp="no"])
+ if (test "${enable_l2tp}" != "no"); then
+- if (test -z "${path_pppd}"); then
+- AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin)
+- else
+- PPPD="${path_pppd}"
+- AC_SUBST(PPPD)
+- fi
+- AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes,
+- AC_MSG_ERROR(ppp header files are required))
+ if (test -z "${path_l2tp}"); then
+ AC_PATH_PROG(L2TP, [xl2tpd], [/usr/sbin/xl2tpd], $PATH:/sbin:/usr/sbin)
+ else
+@@ -160,6 +152,18 @@ AC_ARG_ENABLE(pptp,
+ AC_HELP_STRING([--enable-pptp], [enable pptp support]),
+ [enable_pptp=${enableval}], [enable_pptp="no"])
+ if (test "${enable_pptp}" != "no"); then
++ if (test -z "${path_pptp}"); then
++ AC_PATH_PROG(PPTP, [pptp], [/usr/sbin/pptp], $PATH:/sbin:/usr/sbin)
++ else
++ PPTP="${path_pptp}"
++ AC_SUBST(PPTP)
++ fi
++fi
++AM_CONDITIONAL(PPTP, test "${enable_pptp}" != "no")
++AM_CONDITIONAL(PPTP_BUILTIN, test "${enable_pptp}" = "builtin")
++
++if (test "${enable_pptp}" != "no" || test "${enable_l2tp}" != "no"); then
++
+ if (test -z "${path_pppd}"); then
+ AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin)
+ else
+@@ -168,15 +172,23 @@ if (test "${enable_pptp}" != "no"); then
+ fi
+ AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes,
+ AC_MSG_ERROR(ppp header files are required))
+- if (test -z "${path_pptp}"); then
+- AC_PATH_PROG(PPTP, [pptp], [/usr/sbin/pptp], $PATH:/sbin:/usr/sbin)
+- else
+- PPTP="${path_pptp}"
+- AC_SUBST(PPTP)
++ AC_CHECK_HEADERS([pppd/chap.h pppd/chap-new.h pppd/chap_ms.h])
++
++ PKG_CHECK_EXISTS([pppd],
++ [AS_VAR_SET([pppd_pkgconfig_support],[yes])])
++
++ PPPD_VERSION=2.4.9
++ if test x"$pppd_pkgconfig_support" = xyes; then
++ PPPD_VERSION=`$PKG_CONFIG --modversion pppd`
+ fi
++
++ AC_DEFINE_UNQUOTED([PPP_VERSION(x,y,z)],
++ [((x & 0xFF) << 16 | (y & 0xFF) << 8 | (z & 0xFF) << 0)],
++ [Macro to help determine the particular version of pppd])
++ PPP_VERSION=$(echo $PPPD_VERSION | sed -e "s/\./\,/g")
++ AC_DEFINE_UNQUOTED(WITH_PPP_VERSION, PPP_VERSION($PPP_VERSION),
++ [The real version of pppd represented as an int])
+ fi
+-AM_CONDITIONAL(PPTP, test "${enable_pptp}" != "no")
+-AM_CONDITIONAL(PPTP_BUILTIN, test "${enable_pptp}" = "builtin")
+
+ AC_CHECK_HEADERS(resolv.h, dummy=yes,
+ AC_MSG_ERROR(resolver header files are required))
+diff --git a/scripts/libppp-compat.h b/scripts/libppp-compat.h
+new file mode 100644
+index 0000000..eee1d09
+--- /dev/null
++++ b/scripts/libppp-compat.h
+@@ -0,0 +1,127 @@
++/* Copyright (C) Eivind Naess, eivnaes@yahoo.com */
++/* SPDX-License-Identifier: GPL-2.0-or-later */
++
++#ifndef __LIBPPP_COMPAT_H__
++#define __LIBPPP_COMPAT_H__
++
++/* Define USE_EAPTLS compile with EAP TLS support against older pppd headers,
++ * pppd >= 2.5.0 use PPP_WITH_EAPTLS and is defined in pppdconf.h */
++#define USE_EAPTLS 1
++
++/* Define INET6 to compile with IPv6 support against older pppd headers,
++ * pppd >= 2.5.0 use PPP_WITH_IPV6CP and is defined in pppdconf.h */
++#define INET6 1
++
++/* PPP < 2.5.0 defines and exports VERSION which overlaps with current package VERSION define.
++ * this silly macro magic is to work around that. */
++#undef VERSION
++#include <pppd/pppd.h>
++
++#ifndef PPPD_VERSION
++#define PPPD_VERSION VERSION
++#endif
++
++#include <pppd/fsm.h>
++#include <pppd/ccp.h>
++#include <pppd/eui64.h>
++#include <pppd/ipcp.h>
++#include <pppd/ipv6cp.h>
++#include <pppd/eap.h>
++#include <pppd/upap.h>
++
++#ifdef HAVE_PPPD_CHAP_H
++#include <pppd/chap.h>
++#endif
++
++#ifdef HAVE_PPPD_CHAP_NEW_H
++#include <pppd/chap-new.h>
++#endif
++
++#ifdef HAVE_PPPD_CHAP_MS_H
++#include <pppd/chap_ms.h>
++#endif
++
++#ifndef PPP_PROTO_CHAP
++#define PPP_PROTO_CHAP 0xc223
++#endif
++
++#ifndef PPP_PROTO_EAP
++#define PPP_PROTO_EAP 0xc227
++#endif
++
++
++#if WITH_PPP_VERSION < PPP_VERSION(2,5,0)
++
++static inline bool
++debug_on (void)
++{
++ return debug;
++}
++
++static inline const char
++*ppp_ipparam (void)
++{
++ return ipparam;
++}
++
++static inline int
++ppp_ifunit (void)
++{
++ return ifunit;
++}
++
++static inline const char *
++ppp_ifname (void)
++{
++ return ifname;
++}
++
++static inline int
++ppp_get_mtu (int idx)
++{
++ return netif_get_mtu(idx);
++}
++
++typedef enum ppp_notify
++{
++ NF_PID_CHANGE,
++ NF_PHASE_CHANGE,
++ NF_EXIT,
++ NF_SIGNALED,
++ NF_IP_UP,
++ NF_IP_DOWN,
++ NF_IPV6_UP,
++ NF_IPV6_DOWN,
++ NF_AUTH_UP,
++ NF_LINK_DOWN,
++ NF_FORK,
++ NF_MAX_NOTIFY
++} ppp_notify_t;
++
++typedef void (ppp_notify_fn) (void *ctx, int arg);
++
++static inline void
++ppp_add_notify (ppp_notify_t type, ppp_notify_fn *func, void *ctx)
++{
++ struct notifier **list[NF_MAX_NOTIFY] = {
++ [NF_PID_CHANGE ] = &pidchange,
++ [NF_PHASE_CHANGE] = &phasechange,
++ [NF_EXIT ] = &exitnotify,
++ [NF_SIGNALED ] = &sigreceived,
++ [NF_IP_UP ] = &ip_up_notifier,
++ [NF_IP_DOWN ] = &ip_down_notifier,
++ [NF_IPV6_UP ] = &ipv6_up_notifier,
++ [NF_IPV6_DOWN ] = &ipv6_down_notifier,
++ [NF_AUTH_UP ] = &auth_up_notifier,
++ [NF_LINK_DOWN ] = &link_down_notifier,
++ [NF_FORK ] = &fork_notifier,
++ };
++
++ struct notifier **notify = list[type];
++ if (notify) {
++ add_notifier(notify, func, ctx);
++ }
++}
++
++#endif /* #if WITH_PPP_VERSION < PPP_VERSION(2,5,0) */
++#endif /* #if__LIBPPP_COMPAT_H__ */
+diff --git a/scripts/libppp-plugin.c b/scripts/libppp-plugin.c
+index 0dd8b47..61641b5 100644
+--- a/scripts/libppp-plugin.c
++++ b/scripts/libppp-plugin.c
+@@ -29,14 +29,13 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+-#include <pppd/pppd.h>
+-#include <pppd/fsm.h>
+-#include <pppd/ipcp.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+
+ #include <dbus/dbus.h>
+
++#include "libppp-compat.h"
++
+ #define INET_ADDRES_LEN (INET_ADDRSTRLEN + 5)
+ #define INET_DNS_LEN (2*INET_ADDRSTRLEN + 9)
+
+@@ -47,7 +46,7 @@ static char *path;
+ static DBusConnection *connection;
+ static int prev_phase;
+
+-char pppd_version[] = VERSION;
++char pppd_version[] = PPPD_VERSION;
+
+ int plugin_init(void);
+
+@@ -170,7 +169,7 @@ static void ppp_up(void *data, int arg)
+ DBUS_TYPE_STRING_AS_STRING DBUS_TYPE_STRING_AS_STRING
+ DBUS_DICT_ENTRY_END_CHAR_AS_STRING, &dict);
+
+- append(&dict, "INTERNAL_IFNAME", ifname);
++ append(&dict, "INTERNAL_IFNAME", ppp_ifname());
+
+ inet_ntop(AF_INET, &ipcp_gotoptions[0].ouraddr, buf, INET_ADDRSTRLEN);
+ append(&dict, "INTERNAL_IP4_ADDRESS", buf);
+@@ -309,9 +308,9 @@ int plugin_init(void)
+ chap_check_hook = ppp_have_secret;
+ pap_check_hook = ppp_have_secret;
+
+- add_notifier(&ip_up_notifier, ppp_up, NULL);
+- add_notifier(&phasechange, ppp_phase_change, NULL);
+- add_notifier(&exitnotify, ppp_exit, connection);
++ ppp_add_notify(NF_IP_UP, ppp_up, NULL);
++ ppp_add_notify(NF_PHASE_CHANGE, ppp_phase_change, NULL);
++ ppp_add_notify(NF_EXIT, ppp_exit, connection);
+
+ return 0;
+ }
diff --git a/poky/meta/recipes-connectivity/connman/connman_1.41.bb b/poky/meta/recipes-connectivity/connman/connman_1.41.bb
index 3f2e298..d8ac1f5 100644
--- a/poky/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/poky/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -9,6 +9,7 @@
file://CVE-2022-32293_p2.patch \
file://CVE-2022-32292.patch \
file://0001-gdhcp-Verify-and-sanitize-packet-length-first.patch \
+ file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \
"
SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
diff --git a/poky/meta/recipes-connectivity/libuv/libuv_1.44.2.bb b/poky/meta/recipes-connectivity/libuv/libuv_1.45.0.bb
similarity index 74%
rename from poky/meta/recipes-connectivity/libuv/libuv_1.44.2.bb
rename to poky/meta/recipes-connectivity/libuv/libuv_1.45.0.bb
index 27e7927..45b3a96 100644
--- a/poky/meta/recipes-connectivity/libuv/libuv_1.44.2.bb
+++ b/poky/meta/recipes-connectivity/libuv/libuv_1.45.0.bb
@@ -3,10 +3,10 @@
DESCRIPTION = "libuv is a multi-platform support library with a focus on asynchronous I/O. It was primarily developed for use by Node.js, but it's also used by Luvit, Julia, pyuv, and others."
BUGTRACKER = "https://github.com/libuv/libuv/issues"
LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=ad93ca1fffe931537fcf64f6fcce084d"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=74b6f2f7818a4e3a80d03556f71b129b"
-SRCREV = "0c1fa696aa502eb749c2c4735005f41ba00a27b8"
-SRC_URI = "git://github.com/libuv/libuv.git;branch=v1.x;protocol=https"
+SRCREV = "96e05543f53b19d9642b4b0dd73b86ad3cea313e"
+SRC_URI = "git://github.com/libuv/libuv.git;branch=master;protocol=https"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
S = "${WORKDIR}/git"
diff --git a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
index e802bce..a4030b7 100644
--- a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -5,8 +5,8 @@
LICENSE = "PD"
LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "22a5de3ef637990ce03141f786fbdb327e9c5a3f"
-PV = "20221107"
+SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe"
+PV = "20230416"
PE = "1"
SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main"
diff --git a/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch b/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch
new file mode 100644
index 0000000..4c8aa08
--- /dev/null
+++ b/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch
@@ -0,0 +1,994 @@
+From 7280401bdd77ca54be6867a154cc01e0d72612e0 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 24 Mar 2023 13:56:25 +1100
+Subject: [PATCH] remove support for old libcrypto
+
+OpenSSH now requires LibreSSL 3.1.0 or greater or
+OpenSSL 1.1.1 or greater
+
+with/ok dtucker@
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7280401bdd77ca54be6867a154cc01e0d72612e0]
+Comment: Hunks are refreshed.
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+---
+ .github/workflows/c-cpp.yml | 7 -
+ INSTALL | 8 +-
+ cipher-aes.c | 2 +-
+ configure.ac | 96 ++---
+ openbsd-compat/libressl-api-compat.c | 556 +--------------------------
+ openbsd-compat/openssl-compat.h | 151 +-------
+ 6 files changed, 40 insertions(+), 780 deletions(-)
+
+diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
+index 3d9aa22dba5..d299a32468d 100644
+--- a/.github/workflows/c-cpp.yml
++++ b/.github/workflows/c-cpp.yml
+@@ -47,9 +47,6 @@ jobs:
+ - { target: ubuntu-20.04, config: tcmalloc }
+ - { target: ubuntu-20.04, config: musl }
+ - { target: ubuntu-latest, config: libressl-master }
+- - { target: ubuntu-latest, config: libressl-2.2.9 }
+- - { target: ubuntu-latest, config: libressl-2.8.3 }
+- - { target: ubuntu-latest, config: libressl-3.0.2 }
+ - { target: ubuntu-latest, config: libressl-3.2.6 }
+ - { target: ubuntu-latest, config: libressl-3.3.6 }
+ - { target: ubuntu-latest, config: libressl-3.4.3 }
+@@ -58,10 +55,6 @@ jobs:
+ - { target: ubuntu-latest, config: libressl-3.7.0 }
+ - { target: ubuntu-latest, config: openssl-master }
+ - { target: ubuntu-latest, config: openssl-noec }
+- - { target: ubuntu-latest, config: openssl-1.0.1 }
+- - { target: ubuntu-latest, config: openssl-1.0.1u }
+- - { target: ubuntu-latest, config: openssl-1.0.2u }
+- - { target: ubuntu-latest, config: openssl-1.1.0h }
+ - { target: ubuntu-latest, config: openssl-1.1.1 }
+ - { target: ubuntu-latest, config: openssl-1.1.1k }
+ - { target: ubuntu-latest, config: openssl-1.1.1n }
+diff --git a/INSTALL b/INSTALL
+index 68b15e13190..f99d1e2a809 100644
+--- a/INSTALL
++++ b/INSTALL
+@@ -21,12 +21,8 @@ https://zlib.net/
+
+ libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto
+ is supported but severely restricts the available ciphers and algorithms.
+- - LibreSSL (https://www.libressl.org/)
+- - OpenSSL (https://www.openssl.org) with any of the following versions:
+- - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
+-
+-Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to
+-1.1.0g can't be used.
++ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater
++ - OpenSSL (https://www.openssl.org) 1.1.1 or greater
+
+ LibreSSL/OpenSSL should be compiled as a position-independent library
+ (i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC"
+diff --git a/cipher-aes.c b/cipher-aes.c
+index 8b101727284..87c763353d8 100644
+--- a/cipher-aes.c
++++ b/cipher-aes.c
+@@ -69,7 +69,7 @@ ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
+
+ static int
+ ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+- LIBCRYPTO_EVP_INL_TYPE len)
++ size_t len)
+ {
+ struct ssh_rijndael_ctx *c;
+ u_char buf[RIJNDAEL_BLOCKSIZE];
+diff --git a/configure.ac b/configure.ac
+index 22fee70f604..1c0ccdf19c5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2802,42 +2802,40 @@ if test "x$openssl" = "xyes" ; then
+ #include <openssl/crypto.h>
+ #define DATA "conftest.ssllibver"
+ ]], [[
+- FILE *fd;
+- int rc;
++ FILE *f;
+
+- fd = fopen(DATA,"w");
+- if(fd == NULL)
++ if ((f = fopen(DATA, "w")) == NULL)
+ exit(1);
+-#ifndef OPENSSL_VERSION
+-# define OPENSSL_VERSION SSLEAY_VERSION
+-#endif
+-#ifndef HAVE_OPENSSL_VERSION
+-# define OpenSSL_version SSLeay_version
+-#endif
+-#ifndef HAVE_OPENSSL_VERSION_NUM
+-# define OpenSSL_version_num SSLeay
+-#endif
+- if ((rc = fprintf(fd, "%08lx (%s)\n",
++ if (fprintf(f, "%08lx (%s)",
+ (unsigned long)OpenSSL_version_num(),
+- OpenSSL_version(OPENSSL_VERSION))) < 0)
++ OpenSSL_version(OPENSSL_VERSION)) < 0)
++ exit(1);
++#ifdef LIBRESSL_VERSION_NUMBER
++ if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0)
++ exit(1);
++#endif
++ if (fputc('\n', f) == EOF || fclose(f) == EOF)
+ exit(1);
+-
+ exit(0);
+ ]])],
+ [
+- ssl_library_ver=`cat conftest.ssllibver`
++ sslver=`cat conftest.ssllibver`
++ ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'`
+ # Check version is supported.
+- case "$ssl_library_ver" in
+- 10000*|0*)
+- AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
+- ;;
+- 100*) ;; # 1.0.x
+- 101000[[0123456]]*)
+- # https://github.com/openssl/openssl/pull/4613
+- AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
++ case "$sslver" in
++ 100*|10100*) # 1.0.x, 1.1.0x
++ AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")])
+ ;;
+ 101*) ;; # 1.1.x
+- 200*) ;; # LibreSSL
++ 200*) # LibreSSL
++ lver=`echo "$sslver" | sed 's/.*libressl-//'`
++ case "$lver" in
++ 2*|300*) # 2.x, 3.0.0
++ AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")])
++ ;;
++ *) ;; # Assume all other versions are good.
++ esac
++ ;;
+ 300*)
+ # OpenSSL 3; we use the 1.1x API
+ CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
+@@ -2847,10 +2845,10 @@ if test "x$openssl" = "xyes" ; then
+ CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
+ ;;
+ *)
+- AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
++ AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")])
+ ;;
+ esac
+- AC_MSG_RESULT([$ssl_library_ver])
++ AC_MSG_RESULT([$ssl_showver])
+ ],
+ [
+ AC_MSG_RESULT([not found])
+@@ -2863,7 +2861,7 @@ if test "x$openssl" = "xyes" ; then
+
+ case "$host" in
+ x86_64-*)
+- case "$ssl_library_ver" in
++ case "$sslver" in
+ 3000004*)
+ AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
+ ;;
+@@ -2879,9 +2877,6 @@ if test "x$openssl" = "xyes" ; then
+ #include <openssl/opensslv.h>
+ #include <openssl/crypto.h>
+ ]], [[
+-#ifndef HAVE_OPENSSL_VERSION_NUM
+-# define OpenSSL_version_num SSLeay
+-#endif
+ exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
+ ]])],
+ [
+@@ -2955,44 +2950,13 @@ if test "x$openssl" = "xyes" ; then
+ )
+ )
+
+- # LibreSSL/OpenSSL 1.1x API
++ # LibreSSL/OpenSSL API differences
+ AC_CHECK_FUNCS([ \
+- OPENSSL_init_crypto \
+- DH_get0_key \
+- DH_get0_pqg \
+- DH_set0_key \
+- DH_set_length \
+- DH_set0_pqg \
+- DSA_get0_key \
+- DSA_get0_pqg \
+- DSA_set0_key \
+- DSA_set0_pqg \
+- DSA_SIG_get0 \
+- DSA_SIG_set0 \
+- ECDSA_SIG_get0 \
+- ECDSA_SIG_set0 \
+ EVP_CIPHER_CTX_iv \
+ EVP_CIPHER_CTX_iv_noconst \
+ EVP_CIPHER_CTX_get_iv \
+ EVP_CIPHER_CTX_get_updated_iv \
+ EVP_CIPHER_CTX_set_iv \
+- RSA_get0_crt_params \
+- RSA_get0_factors \
+- RSA_get0_key \
+- RSA_set0_crt_params \
+- RSA_set0_factors \
+- RSA_set0_key \
+- RSA_meth_free \
+- RSA_meth_dup \
+- RSA_meth_set1_name \
+- RSA_meth_get_finish \
+- RSA_meth_set_priv_enc \
+- RSA_meth_set_priv_dec \
+- RSA_meth_set_finish \
+- EVP_PKEY_get0_RSA \
+- EVP_MD_CTX_new \
+- EVP_MD_CTX_free \
+- EVP_chacha20 \
+ ])
+
+ if test "x$openssl_engine" = "xyes" ; then
+@@ -3050,8 +3014,8 @@ if test "x$openssl" = "xyes" ; then
+ ]
+ )
+
+- # Check for SHA256, SHA384 and SHA512 support in OpenSSL
+- AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
++ # Check for various EVP support in OpenSSL
++ AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20])
+
+ # Check complete ECC support in OpenSSL
+ AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
+diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c
+index 498180dc894..59be17397c5 100644
+--- a/openbsd-compat/libressl-api-compat.c
++++ b/openbsd-compat/libressl-api-compat.c
+@@ -1,129 +1,5 @@
+-/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */
+-/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */
+-/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */
+-/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */
+-/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */
+-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
+-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+- * All rights reserved.
+- *
+- * This package is an SSL implementation written
+- * by Eric Young (eay@cryptsoft.com).
+- * The implementation was written so as to conform with Netscapes SSL.
+- *
+- * This library is free for commercial and non-commercial use as long as
+- * the following conditions are aheared to. The following conditions
+- * apply to all code found in this distribution, be it the RC4, RSA,
+- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+- * included with this distribution is covered by the same copyright terms
+- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+- *
+- * Copyright remains Eric Young's, and as such any Copyright notices in
+- * the code are not to be removed.
+- * If this package is used in a product, Eric Young should be given attribution
+- * as the author of the parts of the library used.
+- * This can be in the form of a textual message at program startup or
+- * in documentation (online or textual) provided with the package.
+- *
+- * Redistribution and use in source and binary forms, with or without
+- * modification, are permitted provided that the following conditions
+- * are met:
+- * 1. Redistributions of source code must retain the copyright
+- * notice, this list of conditions and the following disclaimer.
+- * 2. Redistributions in binary form must reproduce the above copyright
+- * notice, this list of conditions and the following disclaimer in the
+- * documentation and/or other materials provided with the distribution.
+- * 3. All advertising materials mentioning features or use of this software
+- * must display the following acknowledgement:
+- * "This product includes cryptographic software written by
+- * Eric Young (eay@cryptsoft.com)"
+- * The word 'cryptographic' can be left out if the rouines from the library
+- * being used are not cryptographic related :-).
+- * 4. If you include any Windows specific code (or a derivative thereof) from
+- * the apps directory (application code) you must include an acknowledgement:
+- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+- *
+- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+- * SUCH DAMAGE.
+- *
+- * The licence and distribution terms for any publically available version or
+- * derivative of this code cannot be changed. i.e. this code cannot simply be
+- * copied and put under another distribution licence
+- * [including the GNU Public Licence.]
+- */
+-
+-/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */
+-/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */
+-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
+-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+- * project 2000.
+- */
+-/* ====================================================================
+- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
+- *
+- * Redistribution and use in source and binary forms, with or without
+- * modification, are permitted provided that the following conditions
+- * are met:
+- *
+- * 1. Redistributions of source code must retain the above copyright
+- * notice, this list of conditions and the following disclaimer.
+- *
+- * 2. Redistributions in binary form must reproduce the above copyright
+- * notice, this list of conditions and the following disclaimer in
+- * the documentation and/or other materials provided with the
+- * distribution.
+- *
+- * 3. All advertising materials mentioning features or use of this
+- * software must display the following acknowledgment:
+- * "This product includes software developed by the OpenSSL Project
+- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+- *
+- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+- * endorse or promote products derived from this software without
+- * prior written permission. For written permission, please contact
+- * licensing@OpenSSL.org.
+- *
+- * 5. Products derived from this software may not be called "OpenSSL"
+- * nor may "OpenSSL" appear in their names without prior written
+- * permission of the OpenSSL Project.
+- *
+- * 6. Redistributions of any form whatsoever must retain the following
+- * acknowledgment:
+- * "This product includes software developed by the OpenSSL Project
+- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+- *
+- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+- * OF THE POSSIBILITY OF SUCH DAMAGE.
+- * ====================================================================
+- *
+- * This product includes cryptographic software written by Eric Young
+- * (eay@cryptsoft.com). This product includes software written by Tim
+- * Hudson (tjh@cryptsoft.com).
+- *
+- */
+-
+-/* $OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $ */
+ /*
+- * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
++ * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -147,192 +23,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+
+-#include <openssl/err.h>
+-#include <openssl/bn.h>
+-#include <openssl/dsa.h>
+-#include <openssl/rsa.h>
+ #include <openssl/evp.h>
+-#ifdef OPENSSL_HAS_ECC
+-#include <openssl/ecdsa.h>
+-#endif
+-#include <openssl/dh.h>
+-
+-#ifndef HAVE_DSA_GET0_PQG
+-void
+-DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+-{
+- if (p != NULL)
+- *p = d->p;
+- if (q != NULL)
+- *q = d->q;
+- if (g != NULL)
+- *g = d->g;
+-}
+-#endif /* HAVE_DSA_GET0_PQG */
+-
+-#ifndef HAVE_DSA_SET0_PQG
+-int
+-DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+-{
+- if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) ||
+- (d->g == NULL && g == NULL))
+- return 0;
+-
+- if (p != NULL) {
+- BN_free(d->p);
+- d->p = p;
+- }
+- if (q != NULL) {
+- BN_free(d->q);
+- d->q = q;
+- }
+- if (g != NULL) {
+- BN_free(d->g);
+- d->g = g;
+- }
+-
+- return 1;
+-}
+-#endif /* HAVE_DSA_SET0_PQG */
+-
+-#ifndef HAVE_DSA_GET0_KEY
+-void
+-DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key)
+-{
+- if (pub_key != NULL)
+- *pub_key = d->pub_key;
+- if (priv_key != NULL)
+- *priv_key = d->priv_key;
+-}
+-#endif /* HAVE_DSA_GET0_KEY */
+-
+-#ifndef HAVE_DSA_SET0_KEY
+-int
+-DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
+-{
+- if (d->pub_key == NULL && pub_key == NULL)
+- return 0;
+-
+- if (pub_key != NULL) {
+- BN_free(d->pub_key);
+- d->pub_key = pub_key;
+- }
+- if (priv_key != NULL) {
+- BN_free(d->priv_key);
+- d->priv_key = priv_key;
+- }
+-
+- return 1;
+-}
+-#endif /* HAVE_DSA_SET0_KEY */
+-
+-#ifndef HAVE_RSA_GET0_KEY
+-void
+-RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
+-{
+- if (n != NULL)
+- *n = r->n;
+- if (e != NULL)
+- *e = r->e;
+- if (d != NULL)
+- *d = r->d;
+-}
+-#endif /* HAVE_RSA_GET0_KEY */
+-
+-#ifndef HAVE_RSA_SET0_KEY
+-int
+-RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
+-{
+- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
+- return 0;
+-
+- if (n != NULL) {
+- BN_free(r->n);
+- r->n = n;
+- }
+- if (e != NULL) {
+- BN_free(r->e);
+- r->e = e;
+- }
+- if (d != NULL) {
+- BN_free(r->d);
+- r->d = d;
+- }
+-
+- return 1;
+-}
+-#endif /* HAVE_RSA_SET0_KEY */
+-
+-#ifndef HAVE_RSA_GET0_CRT_PARAMS
+-void
+-RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
+- const BIGNUM **iqmp)
+-{
+- if (dmp1 != NULL)
+- *dmp1 = r->dmp1;
+- if (dmq1 != NULL)
+- *dmq1 = r->dmq1;
+- if (iqmp != NULL)
+- *iqmp = r->iqmp;
+-}
+-#endif /* HAVE_RSA_GET0_CRT_PARAMS */
+-
+-#ifndef HAVE_RSA_SET0_CRT_PARAMS
+-int
+-RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
+-{
+- if ((r->dmp1 == NULL && dmp1 == NULL) ||
+- (r->dmq1 == NULL && dmq1 == NULL) ||
+- (r->iqmp == NULL && iqmp == NULL))
+- return 0;
+-
+- if (dmp1 != NULL) {
+- BN_free(r->dmp1);
+- r->dmp1 = dmp1;
+- }
+- if (dmq1 != NULL) {
+- BN_free(r->dmq1);
+- r->dmq1 = dmq1;
+- }
+- if (iqmp != NULL) {
+- BN_free(r->iqmp);
+- r->iqmp = iqmp;
+- }
+-
+- return 1;
+-}
+-#endif /* HAVE_RSA_SET0_CRT_PARAMS */
+-
+-#ifndef HAVE_RSA_GET0_FACTORS
+-void
+-RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
+-{
+- if (p != NULL)
+- *p = r->p;
+- if (q != NULL)
+- *q = r->q;
+-}
+-#endif /* HAVE_RSA_GET0_FACTORS */
+-
+-#ifndef HAVE_RSA_SET0_FACTORS
+-int
+-RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
+-{
+- if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL))
+- return 0;
+-
+- if (p != NULL) {
+- BN_free(r->p);
+- r->p = p;
+- }
+- if (q != NULL) {
+- BN_free(r->q);
+- r->q = q;
+- }
+-
+- return 1;
+-}
+-#endif /* HAVE_RSA_SET0_FACTORS */
+
+ #ifndef HAVE_EVP_CIPHER_CTX_GET_IV
+ int
+@@ -392,249 +83,4 @@ EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len)
+ }
+ #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
+
+-#ifndef HAVE_DSA_SIG_GET0
+-void
+-DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
+-{
+- if (pr != NULL)
+- *pr = sig->r;
+- if (ps != NULL)
+- *ps = sig->s;
+-}
+-#endif /* HAVE_DSA_SIG_GET0 */
+-
+-#ifndef HAVE_DSA_SIG_SET0
+-int
+-DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+-{
+- if (r == NULL || s == NULL)
+- return 0;
+-
+- BN_clear_free(sig->r);
+- sig->r = r;
+- BN_clear_free(sig->s);
+- sig->s = s;
+-
+- return 1;
+-}
+-#endif /* HAVE_DSA_SIG_SET0 */
+-
+-#ifdef OPENSSL_HAS_ECC
+-#ifndef HAVE_ECDSA_SIG_GET0
+-void
+-ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
+-{
+- if (pr != NULL)
+- *pr = sig->r;
+- if (ps != NULL)
+- *ps = sig->s;
+-}
+-#endif /* HAVE_ECDSA_SIG_GET0 */
+-
+-#ifndef HAVE_ECDSA_SIG_SET0
+-int
+-ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+-{
+- if (r == NULL || s == NULL)
+- return 0;
+-
+- BN_clear_free(sig->r);
+- BN_clear_free(sig->s);
+- sig->r = r;
+- sig->s = s;
+- return 1;
+-}
+-#endif /* HAVE_ECDSA_SIG_SET0 */
+-#endif /* OPENSSL_HAS_ECC */
+-
+-#ifndef HAVE_DH_GET0_PQG
+-void
+-DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+-{
+- if (p != NULL)
+- *p = dh->p;
+- if (q != NULL)
+- *q = dh->q;
+- if (g != NULL)
+- *g = dh->g;
+-}
+-#endif /* HAVE_DH_GET0_PQG */
+-
+-#ifndef HAVE_DH_SET0_PQG
+-int
+-DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+-{
+- if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL))
+- return 0;
+-
+- if (p != NULL) {
+- BN_free(dh->p);
+- dh->p = p;
+- }
+- if (q != NULL) {
+- BN_free(dh->q);
+- dh->q = q;
+- }
+- if (g != NULL) {
+- BN_free(dh->g);
+- dh->g = g;
+- }
+-
+- return 1;
+-}
+-#endif /* HAVE_DH_SET0_PQG */
+-
+-#ifndef HAVE_DH_GET0_KEY
+-void
+-DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
+-{
+- if (pub_key != NULL)
+- *pub_key = dh->pub_key;
+- if (priv_key != NULL)
+- *priv_key = dh->priv_key;
+-}
+-#endif /* HAVE_DH_GET0_KEY */
+-
+-#ifndef HAVE_DH_SET0_KEY
+-int
+-DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
+-{
+- if (pub_key != NULL) {
+- BN_free(dh->pub_key);
+- dh->pub_key = pub_key;
+- }
+- if (priv_key != NULL) {
+- BN_free(dh->priv_key);
+- dh->priv_key = priv_key;
+- }
+-
+- return 1;
+-}
+-#endif /* HAVE_DH_SET0_KEY */
+-
+-#ifndef HAVE_DH_SET_LENGTH
+-int
+-DH_set_length(DH *dh, long length)
+-{
+- if (length < 0 || length > INT_MAX)
+- return 0;
+-
+- dh->length = length;
+- return 1;
+-}
+-#endif /* HAVE_DH_SET_LENGTH */
+-
+-#ifndef HAVE_RSA_METH_FREE
+-void
+-RSA_meth_free(RSA_METHOD *meth)
+-{
+- if (meth != NULL) {
+- free((char *)meth->name);
+- free(meth);
+- }
+-}
+-#endif /* HAVE_RSA_METH_FREE */
+-
+-#ifndef HAVE_RSA_METH_DUP
+-RSA_METHOD *
+-RSA_meth_dup(const RSA_METHOD *meth)
+-{
+- RSA_METHOD *copy;
+-
+- if ((copy = calloc(1, sizeof(*copy))) == NULL)
+- return NULL;
+- memcpy(copy, meth, sizeof(*copy));
+- if ((copy->name = strdup(meth->name)) == NULL) {
+- free(copy);
+- return NULL;
+- }
+-
+- return copy;
+-}
+-#endif /* HAVE_RSA_METH_DUP */
+-
+-#ifndef HAVE_RSA_METH_SET1_NAME
+-int
+-RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
+-{
+- char *copy;
+-
+- if ((copy = strdup(name)) == NULL)
+- return 0;
+- free((char *)meth->name);
+- meth->name = copy;
+- return 1;
+-}
+-#endif /* HAVE_RSA_METH_SET1_NAME */
+-
+-#ifndef HAVE_RSA_METH_GET_FINISH
+-int
+-(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa)
+-{
+- return meth->finish;
+-}
+-#endif /* HAVE_RSA_METH_GET_FINISH */
+-
+-#ifndef HAVE_RSA_METH_SET_PRIV_ENC
+-int
+-RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
+- const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
+-{
+- meth->rsa_priv_enc = priv_enc;
+- return 1;
+-}
+-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
+-
+-#ifndef HAVE_RSA_METH_SET_PRIV_DEC
+-int
+-RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
+- const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
+-{
+- meth->rsa_priv_dec = priv_dec;
+- return 1;
+-}
+-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
+-
+-#ifndef HAVE_RSA_METH_SET_FINISH
+-int
+-RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
+-{
+- meth->finish = finish;
+- return 1;
+-}
+-#endif /* HAVE_RSA_METH_SET_FINISH */
+-
+-#ifndef HAVE_EVP_PKEY_GET0_RSA
+-RSA *
+-EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+-{
+- if (pkey->type != EVP_PKEY_RSA) {
+- /* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */
+- return NULL;
+- }
+- return pkey->pkey.rsa;
+-}
+-#endif /* HAVE_EVP_PKEY_GET0_RSA */
+-
+-#ifndef HAVE_EVP_MD_CTX_NEW
+-EVP_MD_CTX *
+-EVP_MD_CTX_new(void)
+-{
+- return calloc(1, sizeof(EVP_MD_CTX));
+-}
+-#endif /* HAVE_EVP_MD_CTX_NEW */
+-
+-#ifndef HAVE_EVP_MD_CTX_FREE
+-void
+-EVP_MD_CTX_free(EVP_MD_CTX *ctx)
+-{
+- if (ctx == NULL)
+- return;
+-
+- EVP_MD_CTX_cleanup(ctx);
+-
+- free(ctx);
+-}
+-#endif /* HAVE_EVP_MD_CTX_FREE */
+-
+ #endif /* WITH_OPENSSL */
+diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
+index 61a69dd56eb..d0dd2c3450d 100644
+--- a/openbsd-compat/openssl-compat.h
++++ b/openbsd-compat/openssl-compat.h
+@@ -33,26 +33,13 @@
+ int ssh_compatible_openssl(long, long);
+ void ssh_libcrypto_init(void);
+
+-#if (OPENSSL_VERSION_NUMBER < 0x1000100fL)
+-# error OpenSSL 1.0.1 or greater is required
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
++# error OpenSSL 1.1.0 or greater is required
+ #endif
+-
+-#ifndef OPENSSL_VERSION
+-# define OPENSSL_VERSION SSLEAY_VERSION
+-#endif
+-
+-#ifndef HAVE_OPENSSL_VERSION
+-# define OpenSSL_version(x) SSLeay_version(x)
+-#endif
+-
+-#ifndef HAVE_OPENSSL_VERSION_NUM
+-# define OpenSSL_version_num SSLeay
+-#endif
+-
+-#if OPENSSL_VERSION_NUMBER < 0x10000001L
+-# define LIBCRYPTO_EVP_INL_TYPE unsigned int
+-#else
+-# define LIBCRYPTO_EVP_INL_TYPE size_t
++#ifdef LIBRESSL_VERSION_NUMBER
++# if LIBRESSL_VERSION_NUMBER < 0x3010000fL
++# error LibreSSL 3.1.0 or greater is required
++# endif
+ #endif
+
+ #ifndef OPENSSL_RSA_MAX_MODULUS_BITS
+@@ -68,25 +55,6 @@ void ssh_libcrypto_init(void);
+ # endif
+ #endif
+
+-/* LibreSSL/OpenSSL 1.1x API compat */
+-#ifndef HAVE_DSA_GET0_PQG
+-void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
+- const BIGNUM **g);
+-#endif /* HAVE_DSA_GET0_PQG */
+-
+-#ifndef HAVE_DSA_SET0_PQG
+-int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+-#endif /* HAVE_DSA_SET0_PQG */
+-
+-#ifndef HAVE_DSA_GET0_KEY
+-void DSA_get0_key(const DSA *d, const BIGNUM **pub_key,
+- const BIGNUM **priv_key);
+-#endif /* HAVE_DSA_GET0_KEY */
+-
+-#ifndef HAVE_DSA_SET0_KEY
+-int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
+-#endif /* HAVE_DSA_SET0_KEY */
+-
+ #ifndef HAVE_EVP_CIPHER_CTX_GET_IV
+ # ifdef HAVE_EVP_CIPHER_CTX_GET_UPDATED_IV
+ # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv
+@@ -101,112 +69,5 @@ int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx,
+ const unsigned char *iv, size_t len);
+ #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
+
+-#ifndef HAVE_RSA_GET0_KEY
+-void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
+- const BIGNUM **d);
+-#endif /* HAVE_RSA_GET0_KEY */
+-
+-#ifndef HAVE_RSA_SET0_KEY
+-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
+-#endif /* HAVE_RSA_SET0_KEY */
+-
+-#ifndef HAVE_RSA_GET0_CRT_PARAMS
+-void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
+- const BIGNUM **iqmp);
+-#endif /* HAVE_RSA_GET0_CRT_PARAMS */
+-
+-#ifndef HAVE_RSA_SET0_CRT_PARAMS
+-int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
+-#endif /* HAVE_RSA_SET0_CRT_PARAMS */
+-
+-#ifndef HAVE_RSA_GET0_FACTORS
+-void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
+-#endif /* HAVE_RSA_GET0_FACTORS */
+-
+-#ifndef HAVE_RSA_SET0_FACTORS
+-int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
+-#endif /* HAVE_RSA_SET0_FACTORS */
+-
+-#ifndef DSA_SIG_GET0
+-void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
+-#endif /* DSA_SIG_GET0 */
+-
+-#ifndef DSA_SIG_SET0
+-int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+-#endif /* DSA_SIG_SET0 */
+-
+-#ifdef OPENSSL_HAS_ECC
+-#ifndef HAVE_ECDSA_SIG_GET0
+-void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
+-#endif /* HAVE_ECDSA_SIG_GET0 */
+-
+-#ifndef HAVE_ECDSA_SIG_SET0
+-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+-#endif /* HAVE_ECDSA_SIG_SET0 */
+-#endif /* OPENSSL_HAS_ECC */
+-
+-#ifndef HAVE_DH_GET0_PQG
+-void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
+- const BIGNUM **g);
+-#endif /* HAVE_DH_GET0_PQG */
+-
+-#ifndef HAVE_DH_SET0_PQG
+-int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+-#endif /* HAVE_DH_SET0_PQG */
+-
+-#ifndef HAVE_DH_GET0_KEY
+-void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
+-#endif /* HAVE_DH_GET0_KEY */
+-
+-#ifndef HAVE_DH_SET0_KEY
+-int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
+-#endif /* HAVE_DH_SET0_KEY */
+-
+-#ifndef HAVE_DH_SET_LENGTH
+-int DH_set_length(DH *dh, long length);
+-#endif /* HAVE_DH_SET_LENGTH */
+-
+-#ifndef HAVE_RSA_METH_FREE
+-void RSA_meth_free(RSA_METHOD *meth);
+-#endif /* HAVE_RSA_METH_FREE */
+-
+-#ifndef HAVE_RSA_METH_DUP
+-RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
+-#endif /* HAVE_RSA_METH_DUP */
+-
+-#ifndef HAVE_RSA_METH_SET1_NAME
+-int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
+-#endif /* HAVE_RSA_METH_SET1_NAME */
+-
+-#ifndef HAVE_RSA_METH_GET_FINISH
+-int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa);
+-#endif /* HAVE_RSA_METH_GET_FINISH */
+-
+-#ifndef HAVE_RSA_METH_SET_PRIV_ENC
+-int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
+- const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
+-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
+-
+-#ifndef HAVE_RSA_METH_SET_PRIV_DEC
+-int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
+- const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
+-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
+-
+-#ifndef HAVE_RSA_METH_SET_FINISH
+-int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa));
+-#endif /* HAVE_RSA_METH_SET_FINISH */
+-
+-#ifndef HAVE_EVP_PKEY_GET0_RSA
+-RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
+-#endif /* HAVE_EVP_PKEY_GET0_RSA */
+-
+-#ifndef HAVE_EVP_MD_CTX_new
+-EVP_MD_CTX *EVP_MD_CTX_new(void);
+-#endif /* HAVE_EVP_MD_CTX_new */
+-
+-#ifndef HAVE_EVP_MD_CTX_free
+-void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
+-#endif /* HAVE_EVP_MD_CTX_free */
+-
+ #endif /* WITH_OPENSSL */
+ #endif /* _OPENSSL_COMPAT_H */
diff --git a/poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index d3dedd1..42ce814 100644
--- a/poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -24,6 +24,7 @@
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
+ file://7280401bdd77ca54be6867a154cc01e0d72612e0.patch \
"
SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
index 0b7abc3..502a7aa 100644
--- a/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
+++ b/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -1,6 +1,6 @@
-From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001
+From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex@linutronix.de>
-Date: Tue, 14 Sep 2021 12:18:25 +0200
+Date: Tue, 30 May 2023 09:11:27 -0700
Subject: [PATCH] Configure: do not tweak mips cflags
This conflicts with mips machine definitons from yocto,
@@ -9,20 +9,23 @@
Upstream-Status: Inappropriate [oe-core specific]
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+
+Refreshed for openssl-3.1.1
+Signed-off-by: Tim Orling <tim.orling@konsulko.com>
---
Configure | 10 ----------
1 file changed, 10 deletions(-)
-Index: openssl-3.0.4/Configure
-===================================================================
---- openssl-3.0.4.orig/Configure
-+++ openssl-3.0.4/Configure
-@@ -1423,16 +1423,6 @@ if ($target =~ /^mingw/ && `$config{CC}
+diff --git a/Configure b/Configure
+index 4569952..adf019b 100755
+--- a/Configure
++++ b/Configure
+@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
push @{$config{shared_ldflag}}, "-mno-cygwin";
}
-if ($target =~ /linux.*-mips/ && !$disabled{asm}
-- && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
- # minimally required architecture flags for assembly modules
- my $value;
- $value = '-mips2' if ($target =~ /mips32/);
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
deleted file mode 100644
index 33b0bb6..0000000
--- a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
+++ /dev/null
@@ -1,226 +0,0 @@
-From 2017771e2db3e2b96f89bbe8766c3209f6a99545 Mon Sep 17 00:00:00 2001
-From: Pauli <pauli@openssl.org>
-Date: Wed, 8 Mar 2023 15:28:20 +1100
-Subject: [PATCH] x509: excessive resource use verifying policy constraints
-
-A security vulnerability has been identified in all supported versions
-of OpenSSL related to the verification of X.509 certificate chains
-that include policy constraints. Attackers may be able to exploit this
-vulnerability by creating a malicious certificate chain that triggers
-exponential use of computational resources, leading to a denial-of-service
-(DoS) attack on affected systems.
-
-Fixes CVE-2023-0464
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-(Merged from https://github.com/openssl/openssl/pull/20570)
-
-Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545]
-CVE: CVE-2023-0464
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
-
----
- crypto/x509/pcy_local.h | 8 +++++++-
- crypto/x509/pcy_node.c | 12 +++++++++---
- crypto/x509/pcy_tree.c | 36 ++++++++++++++++++++++++++----------
- 3 files changed, 42 insertions(+), 14 deletions(-)
-
-diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
-index 18b53cc..cba107c 100644
---- a/crypto/x509/pcy_local.h
-+++ b/crypto/x509/pcy_local.h
-@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
- };
-
- struct X509_POLICY_TREE_st {
-+ /* The number of nodes in the tree */
-+ size_t node_count;
-+ /* The maximum number of nodes in the tree */
-+ size_t node_maximum;
-+
- /* This is the tree 'level' data */
- X509_POLICY_LEVEL *levels;
- int nlevel;
-@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
- X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
- X509_POLICY_DATA *data,
- X509_POLICY_NODE *parent,
-- X509_POLICY_TREE *tree);
-+ X509_POLICY_TREE *tree,
-+ int extra_data);
- void ossl_policy_node_free(X509_POLICY_NODE *node);
- int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
- const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
-diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
-index 9d9a7ea..450f95a 100644
---- a/crypto/x509/pcy_node.c
-+++ b/crypto/x509/pcy_node.c
-@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
- X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
- X509_POLICY_DATA *data,
- X509_POLICY_NODE *parent,
-- X509_POLICY_TREE *tree)
-+ X509_POLICY_TREE *tree,
-+ int extra_data)
- {
- X509_POLICY_NODE *node;
-
-+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
-+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
-+ return NULL;
-+
- node = OPENSSL_zalloc(sizeof(*node));
- if (node == NULL) {
- ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
-@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
- }
- node->data = data;
- node->parent = parent;
-- if (level) {
-+ if (level != NULL) {
- if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
- if (level->anyPolicy)
- goto node_error;
-@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
- }
- }
-
-- if (tree) {
-+ if (extra_data) {
- if (tree->extra_data == NULL)
- tree->extra_data = sk_X509_POLICY_DATA_new_null();
- if (tree->extra_data == NULL){
-@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
- }
- }
-
-+ tree->node_count++;
- if (parent)
- parent->nchild++;
-
-diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
-index fa45da5..f953a05 100644
---- a/crypto/x509/pcy_tree.c
-+++ b/crypto/x509/pcy_tree.c
-@@ -14,6 +14,17 @@
-
- #include "pcy_local.h"
-
-+/*
-+ * If the maximum number of nodes in the policy tree isn't defined, set it to
-+ * a generous default of 1000 nodes.
-+ *
-+ * Defining this to be zero means unlimited policy tree growth which opens the
-+ * door on CVE-2023-0464.
-+ */
-+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
-+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
-+#endif
-+
- static void expected_print(BIO *channel,
- X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
- int indent)
-@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
- return X509_PCY_TREE_INTERNAL;
- }
-
-+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */
-+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
-+
- /*
- * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
- *
-@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
- if ((data = ossl_policy_data_new(NULL,
- OBJ_nid2obj(NID_any_policy), 0)) == NULL)
- goto bad_tree;
-- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
-+ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
- ossl_policy_data_free(data);
- goto bad_tree;
- }
-@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
- * Return value: 1 on success, 0 otherwise
- */
- static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-- X509_POLICY_DATA *data)
-+ X509_POLICY_DATA *data,
-+ X509_POLICY_TREE *tree)
- {
- X509_POLICY_LEVEL *last = curr - 1;
- int i, matched = 0;
-@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
- X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
-
- if (ossl_policy_node_match(last, node, data->valid_policy)) {
-- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
-+ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
- return 0;
- matched = 1;
- }
- }
- if (!matched && last->anyPolicy) {
-- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
-+ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
- return 0;
- }
- return 1;
-@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
- * Return value: 1 on success, 0 otherwise.
- */
- static int tree_link_nodes(X509_POLICY_LEVEL *curr,
-- const X509_POLICY_CACHE *cache)
-+ const X509_POLICY_CACHE *cache,
-+ X509_POLICY_TREE *tree)
- {
- int i;
-
-@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
- X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
-
- /* Look for matching nodes in previous level */
-- if (!tree_link_matching_nodes(curr, data))
-+ if (!tree_link_matching_nodes(curr, data, tree))
- return 0;
- }
- return 1;
-@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
- /* Curr may not have anyPolicy */
- data->qualifier_set = cache->anyPolicy->qualifier_set;
- data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
-- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
-+ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
- ossl_policy_data_free(data);
- return 0;
- }
-@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
- /* Finally add link to anyPolicy */
- if (last->anyPolicy &&
- ossl_policy_level_add_node(curr, cache->anyPolicy,
-- last->anyPolicy, NULL) == NULL)
-+ last->anyPolicy, tree, 0) == NULL)
- return 0;
- return 1;
- }
-@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
- extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
- | POLICY_DATA_FLAG_EXTRA_NODE;
- node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
-- tree);
-+ tree, 1);
- }
- if (!tree->user_policies) {
- tree->user_policies = sk_X509_POLICY_NODE_new_null();
-@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
-
- for (i = 1; i < tree->nlevel; i++, curr++) {
- cache = ossl_policy_cache_set(curr->cert);
-- if (!tree_link_nodes(curr, cache))
-+ if (!tree_link_nodes(curr, cache, tree))
- return X509_PCY_TREE_INTERNAL;
-
- if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
---
-2.25.1
-
diff --git a/poky/meta/recipes-connectivity/openssl/openssl_3.1.0.bb b/poky/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
similarity index 97%
rename from poky/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
rename to poky/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
index b319c66..f5f3f32 100644
--- a/poky/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
+++ b/poky/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -12,14 +12,13 @@
file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
file://0001-Configure-do-not-tweak-mips-cflags.patch \
file://fix_random_labels.patch \
- file://CVE-2023-0464.patch \
"
SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "aaa925ad9828745c4cad9d9efeb273deca820f2cdcf2c3ac7d7c1212b7c497b4"
+SRC_URI[sha256sum] = "b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
inherit lib_package multilib_header multilib_script ptest perlnative
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -119,7 +118,7 @@
target=linux-ppc64le
;;
linux-riscv32)
- target=linux-generic32
+ target=linux-latomic
;;
linux-riscv64)
target=linux-generic64