reset upstream subtrees to HEAD
Reset the following subtrees on HEAD:
poky: 8217b477a1(master)
meta-xilinx: 64aa3d35ae(master)
meta-openembedded: 0435c9e193(master)
meta-raspberrypi: 490a4441ac(master)
meta-security: cb6d1c85ee(master)
Squashed patches:
meta-phosphor: drop systemd 239 patches
meta-phosphor: mrw-api: use correct install path
Change-Id: I268e2646d9174ad305630c6bbd3fbc1a6105f43d
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index 80b62ab..949c788 100644
--- a/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -20,6 +20,11 @@
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Martin Hundebøll <martin@geanix.com>
+
+
+Update to fix buildpaths qa issue for '-fmacro-prefix-map'.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
Configurations/unix-Makefile.tmpl | 10 +++++++++-
crypto/build.info | 2 +-
@@ -29,7 +34,7 @@
index 16af4d2087..54c162784c 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
-@@ -317,13 +317,21 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
'$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
@@ -43,6 +48,7 @@
+CFLAGS_Q={- for (@{$config{CFLAGS}}) {
+ s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
++ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
+ }
+ join(' ', @{$config{CFLAGS}}) -}
+
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2019-1543.patch b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2019-1543.patch
new file mode 100644
index 0000000..900ef97
--- /dev/null
+++ b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2019-1543.patch
@@ -0,0 +1,69 @@
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/f426625b6ae9a7831010750490a5f0ad689c5ba3]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From f426625b6ae9a7831010750490a5f0ad689c5ba3 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 5 Mar 2019 14:39:15 +0000
+Subject: [PATCH] Prevent over long nonces in ChaCha20-Poly1305
+
+ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
+every encryption operation. RFC 7539 specifies that the nonce value (IV)
+should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
+front pads the nonce with 0 bytes if it is less than 12 bytes. However it
+also incorrectly allows a nonce to be set of up to 16 bytes. In this case
+only the last 12 bytes are significant and any additional leading bytes are
+ignored.
+
+It is a requirement of using this cipher that nonce values are unique.
+Messages encrypted using a reused nonce value are susceptible to serious
+confidentiality and integrity attacks. If an application changes the
+default nonce length to be longer than 12 bytes and then makes a change to
+the leading bytes of the nonce expecting the new value to be a new unique
+nonce then such an application could inadvertently encrypt messages with a
+reused nonce.
+
+Additionally the ignored bytes in a long nonce are not covered by the
+integrity guarantee of this cipher. Any application that relies on the
+integrity of these ignored leading bytes of a long nonce may be further
+affected.
+
+Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
+because no such use sets such a long nonce value. However user
+applications that use this cipher directly and set a non-default nonce
+length to be longer than 12 bytes may be vulnerable.
+
+CVE: CVE-2019-1543
+
+Fixes #8345
+
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/8406)
+
+(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)
+---
+ crypto/evp/e_chacha20_poly1305.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
+index c1917bb86a6..d3e2c622a1b 100644
+--- a/crypto/evp/e_chacha20_poly1305.c
++++ b/crypto/evp/e_chacha20_poly1305.c
+@@ -30,6 +30,8 @@ typedef struct {
+
+ #define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
+
++#define CHACHA20_POLY1305_MAX_IVLEN 12
++
+ static int chacha_init_key(EVP_CIPHER_CTX *ctx,
+ const unsigned char user_key[CHACHA_KEY_SIZE],
+ const unsigned char iv[CHACHA_CTR_SIZE], int enc)
+@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
+ return 1;
+
+ case EVP_CTRL_AEAD_SET_IVLEN:
+- if (arg <= 0 || arg > CHACHA_CTR_SIZE)
++ if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
+ return 0;
+ actx->nonce_len = arg;
+ return 1;
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch b/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch
new file mode 100644
index 0000000..7c4b084
--- /dev/null
+++ b/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch
@@ -0,0 +1,31 @@
+Don't refuse to build afalgeng if cross-compiling or the host kernel is too old.
+
+Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/Configure b/Configure
+index 3baa8ce..9ef52ed 100755
+--- a/Configure
++++ b/Configure
+@@ -1550,20 +1550,7 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+ unless ($disabled{afalgeng}) {
+ $config{afalgeng}="";
+ if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+- my $minver = 4*10000 + 1*100 + 0;
+- if ($config{CROSS_COMPILE} eq "") {
+- my $verstr = `uname -r`;
+- my ($ma, $mi1, $mi2) = split("\\.", $verstr);
+- ($mi2) = $mi2 =~ /(\d+)/;
+- my $ver = $ma*10000 + $mi1*100 + $mi2;
+- if ($ver < $minver) {
+- $disabled{afalgeng} = "too-old-kernel";
+- } else {
+- push @{$config{engdirs}}, "afalg";
+- }
+- } else {
+- $disabled{afalgeng} = "cross-compiling";
+- }
++ push @{$config{engdirs}}, "afalg";
+ } else {
+ $disabled{afalgeng} = "not-linux";
+ }
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
deleted file mode 100644
index 6620fdc..0000000
--- a/poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
+++ /dev/null
@@ -1,222 +0,0 @@
-#!/bin/sh
-#
-# Ben Secrest <blsecres@gmail.com>
-#
-# sh c_rehash script, scan all files in a directory
-# and add symbolic links to their hash values.
-#
-# based on the c_rehash perl script distributed with openssl
-#
-# LICENSE: See OpenSSL license
-# ^^acceptable?^^
-#
-
-# default certificate location
-DIR=/etc/openssl
-
-# for filetype bitfield
-IS_CERT=$(( 1 << 0 ))
-IS_CRL=$(( 1 << 1 ))
-
-
-# check to see if a file is a certificate file or a CRL file
-# arguments:
-# 1. the filename to be scanned
-# returns:
-# bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
-#
-check_file()
-{
- local IS_TYPE=0
-
- # make IFS a newline so we can process grep output line by line
- local OLDIFS=${IFS}
- IFS=$( printf "\n" )
-
- # XXX: could be more efficient to have two 'grep -m' but is -m portable?
- for LINE in $( grep '^-----BEGIN .*-----' ${1} )
- do
- if echo ${LINE} \
- | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
- then
- IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))
-
- if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
- then
- break
- fi
- elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
- then
- IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))
-
- if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
- then
- break
- fi
- fi
- done
-
- # restore IFS
- IFS=${OLDIFS}
-
- return ${IS_TYPE}
-}
-
-
-#
-# use openssl to fingerprint a file
-# arguments:
-# 1. the filename to fingerprint
-# 2. the method to use (x509, crl)
-# returns:
-# none
-# assumptions:
-# user will capture output from last stage of pipeline
-#
-fingerprint()
-{
- ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
-}
-
-
-#
-# link_hash - create links to certificate files
-# arguments:
-# 1. the filename to create a link for
-# 2. the type of certificate being linked (x509, crl)
-# returns:
-# 0 on success, 1 otherwise
-#
-link_hash()
-{
- local FINGERPRINT=$( fingerprint ${1} ${2} )
- local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
- local SUFFIX=0
- local LINKFILE=''
- local TAG=''
-
- if [ ${2} = "crl" ]
- then
- TAG='r'
- fi
-
- LINKFILE=${HASH}.${TAG}${SUFFIX}
-
- while [ -f ${LINKFILE} ]
- do
- if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
- then
- echo "NOTE: Skipping duplicate file ${1}" >&2
- return 1
- fi
-
- SUFFIX=$(( ${SUFFIX} + 1 ))
- LINKFILE=${HASH}.${TAG}${SUFFIX}
- done
-
- echo "${3} => ${LINKFILE}"
-
- # assume any system with a POSIX shell will either support symlinks or
- # do something to handle this gracefully
- ln -s ${3} ${LINKFILE}
-
- return 0
-}
-
-
-# hash_dir create hash links in a given directory
-hash_dir()
-{
- echo "Doing ${1}"
-
- cd ${1}
-
- ls -1 * 2>/dev/null | while read FILE
- do
- if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
- && [ -h "${FILE}" ]
- then
- rm ${FILE}
- fi
- done
-
- ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE
- do
- REAL_FILE=${FILE}
- # if we run on build host then get to the real files in rootfs
- if [ -n "${SYSROOT}" -a -h ${FILE} ]
- then
- FILE=$( readlink ${FILE} )
- # check the symlink is absolute (or dangling in other word)
- if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ]
- then
- REAL_FILE=${SYSROOT}/${FILE}
- fi
- fi
-
- check_file ${REAL_FILE}
- local FILE_TYPE=${?}
- local TYPE_STR=''
-
- if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
- then
- TYPE_STR='x509'
- elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
- then
- TYPE_STR='crl'
- else
- echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2
- continue
- fi
-
- link_hash ${REAL_FILE} ${TYPE_STR} ${FILE}
- done
-}
-
-
-# choose the name of an ssl application
-if [ -n "${OPENSSL}" ]
-then
- SSL_CMD=$(which ${OPENSSL} 2>/dev/null)
-else
- SSL_CMD=/usr/bin/openssl
- OPENSSL=${SSL_CMD}
- export OPENSSL
-fi
-
-# fix paths
-PATH=${PATH}:${DIR}/bin
-export PATH
-
-# confirm existance/executability of ssl command
-if ! [ -x ${SSL_CMD} ]
-then
- echo "${0}: rehashing skipped ('openssl' program not available)" >&2
- exit 0
-fi
-
-# determine which directories to process
-old_IFS=$IFS
-if [ ${#} -gt 0 ]
-then
- IFS=':'
- DIRLIST=${*}
-elif [ -n "${SSL_CERT_DIR}" ]
-then
- DIRLIST=$SSL_CERT_DIR
-else
- DIRLIST=${DIR}/certs
-fi
-
-IFS=':'
-
-# process directories
-for CERT_DIR in ${DIRLIST}
-do
- if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
- then
- IFS=$old_IFS
- hash_dir ${CERT_DIR}
- IFS=':'
- fi
-done
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/run-ptest b/poky/meta/recipes-connectivity/openssl/openssl/run-ptest
index 0a620de..3fb2247 100644
--- a/poky/meta/recipes-connectivity/openssl/openssl/run-ptest
+++ b/poky/meta/recipes-connectivity/openssl/openssl/run-ptest
@@ -9,4 +9,4 @@
# OPENSSL_ENGINES is relative from the test binaries
export OPENSSL_ENGINES=../engines
-perl ./test/run_tests.pl $*
+perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;'
diff --git a/poky/meta/recipes-connectivity/openssl/openssl10_1.0.2q.bb b/poky/meta/recipes-connectivity/openssl/openssl10_1.0.2r.bb
similarity index 97%
rename from poky/meta/recipes-connectivity/openssl/openssl10_1.0.2q.bb
rename to poky/meta/recipes-connectivity/openssl/openssl10_1.0.2r.bb
index 54af100..87df4f5 100644
--- a/poky/meta/recipes-connectivity/openssl/openssl10_1.0.2q.bb
+++ b/poky/meta/recipes-connectivity/openssl/openssl10_1.0.2r.bb
@@ -53,8 +53,8 @@
file://environment.d-openssl.sh \
"
-SRC_URI[md5sum] = "7563e1ce046cb21948eeb6ba1a0eb71c"
-SRC_URI[sha256sum] = "5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684"
+SRC_URI[md5sum] = "0d2baaf04c56d542f6cc757b9c2a2aac"
+SRC_URI[sha256sum] = "ae51d08bba8a83958e894946f15303ff894d75c2b8bbd44a852b64e3fe11d0d6"
S = "${WORKDIR}/openssl-${PV}"
@@ -78,9 +78,6 @@
export OE_LDFLAGS = "${LDFLAGS}"
-# openssl fails with ccache: https://bugzilla.yoctoproject.org/show_bug.cgi?id=12810
-CCACHE = ""
-
TERMIO ?= "-DTERMIO"
TERMIO_libc-musl = "-DTERMIOS"
EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm"
diff --git a/poky/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb b/poky/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb
similarity index 89%
rename from poky/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
rename to poky/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb
index e9e9fac..d3404d2 100644
--- a/poky/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
+++ b/poky/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb
@@ -7,26 +7,33 @@
# "openssl" here actually means both OpenSSL and SSLeay licenses apply
# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped)
LICENSE = "openssl"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=d57d511030c9d66ef5f5966bee5a7eff"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8"
DEPENDS = "hostperl-runtime-native"
SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://run-ptest \
- file://openssl-c_rehash.sh \
file://0001-skip-test_symbol_presence.patch \
file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
+ file://afalg.patch \
+ file://CVE-2019-1543.patch \
"
SRC_URI_append_class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[md5sum] = "963deb2272d6be7d4c2458afd2517b73"
-SRC_URI[sha256sum] = "fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41"
+SRC_URI[md5sum] = "4532712e7bcc9414f5bce995e4e13930"
+SRC_URI[sha256sum] = "5c557b023230413dfb0756f3137a13e6d726838ccd1430888ad15bfb2b43ea4b"
inherit lib_package multilib_header ptest
+PACKAGECONFIG ?= ""
+PACKAGECONFIG_class-native = ""
+PACKAGECONFIG_class-nativesdk = ""
+
+PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux"
+
B = "${WORKDIR}/build"
do_configure[cleandirs] = "${B}"
@@ -113,6 +120,7 @@
# environment variables set by bitbake. Adjust the environment variables instead.
PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
+ perl ${B}/configdata.pm --dump
}
do_install () {
@@ -141,12 +149,6 @@
SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
-
- # Install a custom version of c_rehash that can handle sysroots properly.
- # This version is used for example when installing ca-certificates during
- # image creation.
- install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
- sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
}
do_install_append_class-nativesdk () {
@@ -195,16 +197,10 @@
CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
RRECOMMENDS_libcrypto += "openssl-conf"
-RDEPENDS_${PN}-bin = "perl"
-RDEPENDS_${PN}-misc = "perl"
-RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash python"
+RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash"
RPROVIDES_openssl-conf = "openssl10-conf"
RREPLACES_openssl-conf = "openssl10-conf"
RCONFLICTS_openssl-conf = "openssl10-conf"
BBCLASSEXTEND = "native nativesdk"
-
-inherit multilib_script
-
-MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"