blob: 54af100f90d1e1fae420ac667060a6594f1eb670 [file] [log] [blame]
SUMMARY = "Secure Socket Layer"
DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
HOMEPAGE = "http://www.openssl.org/"
BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
SECTION = "libs/network"
# "openssl | SSLeay" dual license
LICENSE = "openssl"
LIC_FILES_CHKSUM = "file://LICENSE;md5=f475368924827d06d4b416111c8bdb77"
DEPENDS = "hostperl-runtime-native"
DEPENDS_append_class-target = " openssl-native"
SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://run-ptest \
file://openssl-c_rehash.sh \
file://configure-targets.patch \
file://shared-libs.patch \
file://oe-ldflags.patch \
file://engines-install-in-libdir-ssl.patch \
file://debian1.0.2/block_diginotar.patch \
file://debian1.0.2/block_digicert_malaysia.patch \
file://debian/c_rehash-compat.patch \
file://debian/debian-targets.patch \
file://debian/man-dir.patch \
file://debian/man-section.patch \
file://debian/no-rpath.patch \
file://debian/no-symbolic.patch \
file://debian/pic.patch \
file://debian1.0.2/version-script.patch \
file://debian1.0.2/soname.patch \
file://openssl_fix_for_x32.patch \
file://openssl-fix-des.pod-error.patch \
file://Makefiles-ptest.patch \
file://ptest-deps.patch \
file://ptest_makefile_deps.patch \
file://configure-musl-target.patch \
file://parallel.patch \
file://Use-SHA256-not-MD5-as-default-digest.patch \
file://0001-Fix-build-with-clang-using-external-assembler.patch \
file://0001-openssl-force-soft-link-to-avoid-rare-race.patch \
file://0001-allow-manpages-to-be-disabled.patch \
file://0001-Fix-BN_LLONG-breakage.patch \
file://0001-Fix-DES_LONG-breakage.patch \
"
SRC_URI_append_class-target = " \
file://reproducible-cflags.patch \
file://reproducible-mkbuildinf.patch \
"
SRC_URI_append_class-nativesdk = " \
file://environment.d-openssl.sh \
"
SRC_URI[md5sum] = "7563e1ce046cb21948eeb6ba1a0eb71c"
SRC_URI[sha256sum] = "5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684"
S = "${WORKDIR}/openssl-${PV}"
UPSTREAM_CHECK_REGEX = "openssl-(?P<pver>1\.0.+)\.tar"
inherit pkgconfig siteinfo multilib_header ptest manpages
PACKAGECONFIG ?= "cryptodev-linux"
PACKAGECONFIG_class-native = ""
PACKAGECONFIG_class-nativesdk = ""
PACKAGECONFIG[cryptodev-linux] = "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS,,cryptodev-linux"
PACKAGECONFIG[manpages] = ",,,"
PACKAGECONFIG[perl] = ",,,"
# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
# vulnerability
EXTRA_OECONF = "no-ssl3"
EXTRA_OEMAKE = "${@bb.utils.contains('PACKAGECONFIG', 'manpages', '', 'OE_DISABLE_MANPAGES=1', d)}"
export OE_LDFLAGS = "${LDFLAGS}"
# openssl fails with ccache: https://bugzilla.yoctoproject.org/show_bug.cgi?id=12810
CCACHE = ""
TERMIO ?= "-DTERMIO"
TERMIO_libc-musl = "-DTERMIOS"
EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm"
CFLAG = "${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \
${TERMIO} ${CFLAGS} -Wall"
# Avoid binaries being marked as requiring an executable stack since they don't
# (and it causes issues with SELinux)
CFLAG += "-Wa,--noexecstack"
CFLAG_append_class-native = " -fPIC"
do_configure () {
# The crypto_use_bigint patch means that perl's bignum module needs to be
# installed, but some distributions (for example Fedora 23) don't ship it by
# default. As the resulting error is very misleading check for bignum before
# building.
if ! perl -Mbigint -e true; then
bbfatal "The perl module 'bignum' was not found but this is required to build openssl. Please install this module (often packaged as perl-bignum) and re-run bitbake."
fi
ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/
os=${HOST_OS}
case $os in
linux-gnueabi |\
linux-gnuspe |\
linux-musleabi |\
linux-muslspe |\
linux-musl )
os=linux
;;
*)
;;
esac
target="$os-${HOST_ARCH}"
case $target in
linux-arm)
target=linux-armv4
;;
linux-armeb)
target=linux-elf-armeb
;;
linux-aarch64*)
target=linux-aarch64
;;
linux-sh3)
target=debian-sh3
;;
linux-sh4)
target=debian-sh4
;;
linux-i486)
target=debian-i386-i486
;;
linux-i586 | linux-viac3)
target=debian-i386-i586
;;
linux-i686)
target=debian-i386-i686/cmov
;;
linux-gnux32-x86_64 | linux-muslx32-x86_64 )
target=linux-x32
;;
linux-gnu64-x86_64)
target=linux-x86_64
;;
linux-gnun32-mips*el)
target=debian-mipsn32el
;;
linux-gnun32-mips*)
target=debian-mipsn32
;;
linux-mips*64*el)
target=debian-mips64el
;;
linux-mips*64*)
target=debian-mips64
;;
linux-mips*el)
target=debian-mipsel
;;
linux-mips*)
target=debian-mips
;;
linux-microblaze* | linux-nios2* | linux-gnu*ilp32** | linux-arc*)
target=linux-generic32
;;
linux-powerpc)
target=linux-ppc
;;
linux-powerpc64)
target=linux-ppc64
;;
linux-riscv32)
target=linux-generic32
;;
linux-riscv64)
target=linux-generic64
;;
linux-sparc | linux-supersparc)
target=linux-sparcv8
;;
esac
# inject machine-specific flags
sed -i -e "s|^\(\"$target\",\s*\"[^:]\+\):\([^:]\+\)|\1:${CFLAG}|g" Configure
useprefix=${prefix}
if [ "x$useprefix" = "x" ]; then
useprefix=/
fi
libdirleaf="$( echo "${libdir}" | sed "s:^$useprefix/*::" )"
perl ./Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} shared --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=$libdirleaf $target
}
do_compile () {
oe_runmake depend
oe_runmake
}
do_compile_class-target () {
sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile
oe_runmake depend
cc_sanitized=$(echo "${CC} ${CFLAG}" | sed -e 's,--sysroot=${STAGING_DIR_TARGET},,g' -e 's|${DEBUG_PREFIX_MAP}||g' -e 's/[ \t]\+/ /g')
oe_runmake CC_INFO="$cc_sanitized"
}
do_compile_ptest () {
oe_runmake buildtest
}
do_install () {
# Create ${D}/${prefix} to fix parallel issues
mkdir -p ${D}/${prefix}/
oe_runmake INSTALL_PREFIX="${D}" MANDIR="${mandir}" install
oe_libinstall -so libcrypto ${D}${libdir}
oe_libinstall -so libssl ${D}${libdir}
install -d ${D}${includedir}
cp --dereference -R include/openssl ${D}${includedir}
oe_multilib_header openssl/opensslconf.h
install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
if [ "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}" ]; then
sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl
sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/tsget
else
rm -f ${D}${libdir}/ssl/misc/CA.pl ${D}${libdir}/ssl/misc/tsget
fi
# Create SSL structure for packages such as ca-certificates which
# contain hard-coded paths to /etc/ssl. Debian does the same.
install -d ${D}${sysconfdir}/ssl
mv ${D}${libdir}/ssl/certs \
${D}${libdir}/ssl/private \
${D}${libdir}/ssl/openssl.cnf \
${D}${sysconfdir}/ssl/
# Although absolute symlinks would be OK for the target, they become
# invalid if native or nativesdk are relocated from sstate.
ln -sf ${@oe.path.relative('${libdir}/ssl', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl/certs
ln -sf ${@oe.path.relative('${libdir}/ssl', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl/private
ln -sf ${@oe.path.relative('${libdir}/ssl', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl/openssl.cnf
# Rename man pages to prefix openssl10-*
for f in `find ${D}${mandir} -type f`; do
mv $f $(dirname $f)/openssl10-$(basename $f)
done
for f in `find ${D}${mandir} -type l`; do
ln_f=`readlink $f`
rm -f $f
ln -s openssl10-$ln_f $(dirname $f)/openssl10-$(basename $f)
done
}
do_install_append_class-native () {
create_wrapper ${D}${bindir}/openssl \
OPENSSL_CONF=${libdir}/ssl/openssl.cnf \
SSL_CERT_DIR=${libdir}/ssl/certs \
SSL_CERT_FILE=${libdir}/ssl/cert.pem \
OPENSSL_ENGINES=${libdir}/ssl/engines
}
do_install_append_class-nativesdk () {
mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
}
do_install_ptest () {
cp -r -L Makefile.org Makefile test ${D}${PTEST_PATH}
# Replace the path to native perl with the path to target perl
sed -i 's,^PERL=.*,PERL=${bindir}/perl,' ${D}${PTEST_PATH}/Makefile
cp Configure config e_os.h ${D}${PTEST_PATH}
cp -r -L include ${D}${PTEST_PATH}
ln -sf ${libdir}/libcrypto.a ${D}${PTEST_PATH}
ln -sf ${libdir}/libssl.a ${D}${PTEST_PATH}
mkdir -p ${D}${PTEST_PATH}/crypto
cp crypto/constant_time_locl.h ${D}${PTEST_PATH}/crypto
cp -r certs ${D}${PTEST_PATH}
mkdir -p ${D}${PTEST_PATH}/apps
ln -sf ${libdir}/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps
ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps
ln -sf ${bindir}/openssl ${D}${PTEST_PATH}/apps
cp apps/server.pem ${D}${PTEST_PATH}/apps
cp apps/server2.pem ${D}${PTEST_PATH}/apps
mkdir -p ${D}${PTEST_PATH}/util
install util/opensslwrap.sh ${D}${PTEST_PATH}/util
install util/shlib_wrap.sh ${D}${PTEST_PATH}/util
# Time stamps are relevant for "make alltests", otherwise
# make may try to recompile binaries. Not only must the
# binary files be newer than the sources, they also must
# be more recent than the header files in /usr/include.
#
# Using "cp -a" is not sufficient, because do_install
# does not preserve the original time stamps.
#
# So instead of using the original file stamps, we set
# the current time for all files. Binaries will get
# modified again later when stripping them, but that's okay.
touch ${D}${PTEST_PATH}
find ${D}${PTEST_PATH} -type f -print0 | xargs --verbose -0 touch -r ${D}${PTEST_PATH}
# exclude binary files or the package won't install
for d in ssltest_old v3ext x509aux; do
rm -rf ${D}${libdir}/${BPN}/ptest/test/$d
done
# Remove build host references
sed -i \
-e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
-e 's|${DEBUG_PREFIX_MAP}||g' \
${D}${PTEST_PATH}/Makefile ${D}${PTEST_PATH}/Configure
}
# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
# package RRECOMMENDS on this package. This will enable the configuration
# file to be installed for both the base openssl package and the libcrypto
# package since the base openssl package depends on the libcrypto package.
PACKAGES =+ "libcrypto10 libssl10 openssl10-conf ${PN}-engines ${PN}-misc"
FILES_libcrypto10 = "${libdir}/libcrypto${SOLIBS}"
FILES_libssl10 = "${libdir}/libssl${SOLIBS}"
FILES_openssl10-conf = "${sysconfdir}/ssl/openssl.cnf"
FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
FILES_${PN}-misc = "${libdir}/ssl/misc"
FILES_${PN} =+ "${libdir}/ssl/*"
FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
CONFFILES_openssl10-conf = "${sysconfdir}/ssl/openssl.cnf"
RRECOMMENDS_libcrypto10 += "openssl10-conf"
RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
BBCLASSEXTEND = "native nativesdk"
PACKAGE_PREPROCESS_FUNCS += "openssl_package_preprocess"
# openssl 1.0 development files and executable binaries clash with openssl 1.1
# files when installed into target rootfs. So we don't put them into
# packages, but they continue to be provided via target sysroot for
# cross-compilation on the host, if some software still depends on openssl 1.0.
openssl_package_preprocess () {
for file in `find ${PKGD} -name *.h -o -name *.pc -o -name *.so`; do
rm $file
done
rm ${PKGD}${bindir}/openssl
rm ${PKGD}${bindir}/c_rehash
rmdir ${PKGD}${bindir}
}