Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 1 | SUMMARY = "Secure Socket Layer" |
| 2 | DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." |
| 3 | HOMEPAGE = "http://www.openssl.org/" |
| 4 | BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" |
| 5 | SECTION = "libs/network" |
| 6 | |
| 7 | # "openssl | SSLeay" dual license |
| 8 | LICENSE = "openssl" |
| 9 | LIC_FILES_CHKSUM = "file://LICENSE;md5=f475368924827d06d4b416111c8bdb77" |
| 10 | |
| 11 | DEPENDS = "hostperl-runtime-native" |
| 12 | DEPENDS_append_class-target = " openssl-native" |
| 13 | |
| 14 | SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ |
| 15 | file://run-ptest \ |
| 16 | file://openssl-c_rehash.sh \ |
| 17 | file://configure-targets.patch \ |
| 18 | file://shared-libs.patch \ |
| 19 | file://oe-ldflags.patch \ |
| 20 | file://engines-install-in-libdir-ssl.patch \ |
| 21 | file://debian1.0.2/block_diginotar.patch \ |
| 22 | file://debian1.0.2/block_digicert_malaysia.patch \ |
| 23 | file://debian/c_rehash-compat.patch \ |
| 24 | file://debian/debian-targets.patch \ |
| 25 | file://debian/man-dir.patch \ |
| 26 | file://debian/man-section.patch \ |
| 27 | file://debian/no-rpath.patch \ |
| 28 | file://debian/no-symbolic.patch \ |
| 29 | file://debian/pic.patch \ |
| 30 | file://debian1.0.2/version-script.patch \ |
| 31 | file://debian1.0.2/soname.patch \ |
| 32 | file://openssl_fix_for_x32.patch \ |
| 33 | file://openssl-fix-des.pod-error.patch \ |
| 34 | file://Makefiles-ptest.patch \ |
| 35 | file://ptest-deps.patch \ |
| 36 | file://ptest_makefile_deps.patch \ |
| 37 | file://configure-musl-target.patch \ |
| 38 | file://parallel.patch \ |
| 39 | file://Use-SHA256-not-MD5-as-default-digest.patch \ |
| 40 | file://0001-Fix-build-with-clang-using-external-assembler.patch \ |
| 41 | file://0001-openssl-force-soft-link-to-avoid-rare-race.patch \ |
| 42 | file://0001-allow-manpages-to-be-disabled.patch \ |
| 43 | file://0001-fix-CVE-2018-0734.patch \ |
| 44 | " |
| 45 | |
| 46 | SRC_URI_append_class-target = " \ |
| 47 | file://reproducible-cflags.patch \ |
| 48 | file://reproducible-mkbuildinf.patch \ |
| 49 | " |
| 50 | |
| 51 | SRC_URI_append_class-nativesdk = " \ |
| 52 | file://environment.d-openssl.sh \ |
| 53 | " |
| 54 | |
| 55 | SRC_URI[md5sum] = "ac5eb30bf5798aa14b1ae6d0e7da58df" |
| 56 | SRC_URI[sha256sum] = "50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00" |
| 57 | |
| 58 | S = "${WORKDIR}/openssl-${PV}" |
| 59 | |
| 60 | UPSTREAM_CHECK_REGEX = "openssl-(?P<pver>1\.0.+)\.tar" |
| 61 | |
| 62 | inherit pkgconfig siteinfo multilib_header ptest manpages |
| 63 | |
| 64 | PACKAGECONFIG ?= "cryptodev-linux" |
| 65 | PACKAGECONFIG_class-native = "" |
| 66 | PACKAGECONFIG_class-nativesdk = "" |
| 67 | |
| 68 | PACKAGECONFIG[cryptodev-linux] = "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS,,cryptodev-linux" |
| 69 | PACKAGECONFIG[manpages] = ",,," |
| 70 | PACKAGECONFIG[perl] = ",,," |
| 71 | |
| 72 | # Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE |
| 73 | # vulnerability |
| 74 | EXTRA_OECONF = "no-ssl3" |
| 75 | |
| 76 | EXTRA_OEMAKE = "${@bb.utils.contains('PACKAGECONFIG', 'manpages', '', 'OE_DISABLE_MANPAGES=1', d)}" |
| 77 | |
| 78 | export OE_LDFLAGS = "${LDFLAGS}" |
| 79 | |
| 80 | # openssl fails with ccache: https://bugzilla.yoctoproject.org/show_bug.cgi?id=12810 |
| 81 | CCACHE = "" |
| 82 | |
| 83 | TERMIO ?= "-DTERMIO" |
| 84 | TERMIO_libc-musl = "-DTERMIOS" |
| 85 | |
| 86 | CFLAG = "${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \ |
| 87 | ${TERMIO} ${CFLAGS} -Wall" |
| 88 | |
| 89 | # Avoid binaries being marked as requiring an executable stack since they don't |
| 90 | # (and it causes issues with SELinux) |
| 91 | CFLAG += "-Wa,--noexecstack" |
| 92 | |
| 93 | CFLAG_append_class-native = " -fPIC" |
| 94 | |
| 95 | do_configure () { |
| 96 | # The crypto_use_bigint patch means that perl's bignum module needs to be |
| 97 | # installed, but some distributions (for example Fedora 23) don't ship it by |
| 98 | # default. As the resulting error is very misleading check for bignum before |
| 99 | # building. |
| 100 | if ! perl -Mbigint -e true; then |
| 101 | bbfatal "The perl module 'bignum' was not found but this is required to build openssl. Please install this module (often packaged as perl-bignum) and re-run bitbake." |
| 102 | fi |
| 103 | |
| 104 | ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/ |
| 105 | |
| 106 | os=${HOST_OS} |
| 107 | case $os in |
| 108 | linux-gnueabi |\ |
| 109 | linux-gnuspe |\ |
| 110 | linux-musleabi |\ |
| 111 | linux-muslspe |\ |
| 112 | linux-musl ) |
| 113 | os=linux |
| 114 | ;; |
| 115 | *) |
| 116 | ;; |
| 117 | esac |
| 118 | target="$os-${HOST_ARCH}" |
| 119 | case $target in |
| 120 | linux-arm) |
| 121 | target=linux-armv4 |
| 122 | ;; |
| 123 | linux-armeb) |
| 124 | target=linux-elf-armeb |
| 125 | ;; |
| 126 | linux-aarch64*) |
| 127 | target=linux-aarch64 |
| 128 | ;; |
| 129 | linux-sh3) |
| 130 | target=debian-sh3 |
| 131 | ;; |
| 132 | linux-sh4) |
| 133 | target=debian-sh4 |
| 134 | ;; |
| 135 | linux-i486) |
| 136 | target=debian-i386-i486 |
| 137 | ;; |
| 138 | linux-i586 | linux-viac3) |
| 139 | target=debian-i386-i586 |
| 140 | ;; |
| 141 | linux-i686) |
| 142 | target=debian-i386-i686/cmov |
| 143 | ;; |
| 144 | linux-gnux32-x86_64 | linux-muslx32-x86_64 ) |
| 145 | target=linux-x32 |
| 146 | ;; |
| 147 | linux-gnu64-x86_64) |
| 148 | target=linux-x86_64 |
| 149 | ;; |
| 150 | linux-gnun32-mips*el) |
| 151 | target=debian-mipsn32el |
| 152 | ;; |
| 153 | linux-gnun32-mips*) |
| 154 | target=debian-mipsn32 |
| 155 | ;; |
| 156 | linux-mips*64*el) |
| 157 | target=debian-mips64el |
| 158 | ;; |
| 159 | linux-mips*64*) |
| 160 | target=debian-mips64 |
| 161 | ;; |
| 162 | linux-mips*el) |
| 163 | target=debian-mipsel |
| 164 | ;; |
| 165 | linux-mips*) |
| 166 | target=debian-mips |
| 167 | ;; |
| 168 | linux-microblaze* | linux-nios2* | linux-gnu*ilp32** | linux-arc*) |
| 169 | target=linux-generic32 |
| 170 | ;; |
| 171 | linux-powerpc) |
| 172 | target=linux-ppc |
| 173 | ;; |
| 174 | linux-powerpc64) |
| 175 | target=linux-ppc64 |
| 176 | ;; |
| 177 | linux-riscv32) |
| 178 | target=linux-generic32 |
| 179 | ;; |
| 180 | linux-riscv64) |
| 181 | target=linux-generic64 |
| 182 | ;; |
| 183 | linux-sparc | linux-supersparc) |
| 184 | target=linux-sparcv8 |
| 185 | ;; |
| 186 | esac |
| 187 | |
| 188 | # inject machine-specific flags |
| 189 | sed -i -e "s|^\(\"$target\",\s*\"[^:]\+\):\([^:]\+\)|\1:${CFLAG}|g" Configure |
| 190 | |
| 191 | useprefix=${prefix} |
| 192 | if [ "x$useprefix" = "x" ]; then |
| 193 | useprefix=/ |
| 194 | fi |
| 195 | libdirleaf="$( echo "${libdir}" | sed "s:^$useprefix/*::" )" |
| 196 | perl ./Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} shared --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=$libdirleaf $target |
| 197 | } |
| 198 | |
| 199 | do_compile () { |
| 200 | oe_runmake depend |
| 201 | oe_runmake |
| 202 | } |
| 203 | |
| 204 | do_compile_class-target () { |
| 205 | sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile |
| 206 | oe_runmake depend |
| 207 | cc_sanitized=$(echo "${CC} ${CFLAG}" | sed -e 's,--sysroot=${STAGING_DIR_TARGET},,g' -e 's|${DEBUG_PREFIX_MAP}||g' -e 's/[ \t]\+/ /g') |
| 208 | oe_runmake CC_INFO="$cc_sanitized" |
| 209 | } |
| 210 | |
| 211 | do_compile_ptest () { |
| 212 | oe_runmake buildtest |
| 213 | } |
| 214 | |
| 215 | do_install () { |
| 216 | # Create ${D}/${prefix} to fix parallel issues |
| 217 | mkdir -p ${D}/${prefix}/ |
| 218 | |
| 219 | oe_runmake INSTALL_PREFIX="${D}" MANDIR="${mandir}" install |
| 220 | |
| 221 | oe_libinstall -so libcrypto ${D}${libdir} |
| 222 | oe_libinstall -so libssl ${D}${libdir} |
| 223 | |
| 224 | install -d ${D}${includedir} |
| 225 | cp --dereference -R include/openssl ${D}${includedir} |
| 226 | |
| 227 | oe_multilib_header openssl/opensslconf.h |
| 228 | |
| 229 | install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash |
| 230 | sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash |
| 231 | |
| 232 | if [ "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}" ]; then |
| 233 | sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl |
| 234 | sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/tsget |
| 235 | else |
| 236 | rm -f ${D}${libdir}/ssl/misc/CA.pl ${D}${libdir}/ssl/misc/tsget |
| 237 | fi |
| 238 | |
| 239 | # Create SSL structure for packages such as ca-certificates which |
| 240 | # contain hard-coded paths to /etc/ssl. Debian does the same. |
| 241 | install -d ${D}${sysconfdir}/ssl |
| 242 | mv ${D}${libdir}/ssl/certs \ |
| 243 | ${D}${libdir}/ssl/private \ |
| 244 | ${D}${libdir}/ssl/openssl.cnf \ |
| 245 | ${D}${sysconfdir}/ssl/ |
| 246 | |
| 247 | # Although absolute symlinks would be OK for the target, they become |
| 248 | # invalid if native or nativesdk are relocated from sstate. |
| 249 | ln -sf ${@oe.path.relative('${libdir}/ssl', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl/certs |
| 250 | ln -sf ${@oe.path.relative('${libdir}/ssl', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl/private |
| 251 | ln -sf ${@oe.path.relative('${libdir}/ssl', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl/openssl.cnf |
| 252 | |
| 253 | # Rename man pages to prefix openssl10-* |
| 254 | for f in `find ${D}${mandir} -type f`; do |
| 255 | mv $f $(dirname $f)/openssl10-$(basename $f) |
| 256 | done |
| 257 | for f in `find ${D}${mandir} -type l`; do |
| 258 | ln_f=`readlink $f` |
| 259 | rm -f $f |
| 260 | ln -s openssl10-$ln_f $(dirname $f)/openssl10-$(basename $f) |
| 261 | done |
| 262 | } |
| 263 | |
| 264 | do_install_append_class-native () { |
| 265 | create_wrapper ${D}${bindir}/openssl \ |
| 266 | OPENSSL_CONF=${libdir}/ssl/openssl.cnf \ |
| 267 | SSL_CERT_DIR=${libdir}/ssl/certs \ |
| 268 | SSL_CERT_FILE=${libdir}/ssl/cert.pem \ |
| 269 | OPENSSL_ENGINES=${libdir}/ssl/engines |
| 270 | } |
| 271 | |
| 272 | do_install_append_class-nativesdk () { |
| 273 | mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d |
| 274 | install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh |
| 275 | } |
| 276 | |
| 277 | do_install_ptest () { |
| 278 | cp -r -L Makefile.org Makefile test ${D}${PTEST_PATH} |
| 279 | |
| 280 | # Replace the path to native perl with the path to target perl |
| 281 | sed -i 's,^PERL=.*,PERL=${bindir}/perl,' ${D}${PTEST_PATH}/Makefile |
| 282 | |
| 283 | cp Configure config e_os.h ${D}${PTEST_PATH} |
| 284 | cp -r -L include ${D}${PTEST_PATH} |
| 285 | ln -sf ${libdir}/libcrypto.a ${D}${PTEST_PATH} |
| 286 | ln -sf ${libdir}/libssl.a ${D}${PTEST_PATH} |
| 287 | mkdir -p ${D}${PTEST_PATH}/crypto |
| 288 | cp crypto/constant_time_locl.h ${D}${PTEST_PATH}/crypto |
| 289 | cp -r certs ${D}${PTEST_PATH} |
| 290 | mkdir -p ${D}${PTEST_PATH}/apps |
| 291 | ln -sf ${libdir}/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps |
| 292 | ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps |
| 293 | ln -sf ${bindir}/openssl ${D}${PTEST_PATH}/apps |
| 294 | cp apps/server.pem ${D}${PTEST_PATH}/apps |
| 295 | cp apps/server2.pem ${D}${PTEST_PATH}/apps |
| 296 | mkdir -p ${D}${PTEST_PATH}/util |
| 297 | install util/opensslwrap.sh ${D}${PTEST_PATH}/util |
| 298 | install util/shlib_wrap.sh ${D}${PTEST_PATH}/util |
| 299 | # Time stamps are relevant for "make alltests", otherwise |
| 300 | # make may try to recompile binaries. Not only must the |
| 301 | # binary files be newer than the sources, they also must |
| 302 | # be more recent than the header files in /usr/include. |
| 303 | # |
| 304 | # Using "cp -a" is not sufficient, because do_install |
| 305 | # does not preserve the original time stamps. |
| 306 | # |
| 307 | # So instead of using the original file stamps, we set |
| 308 | # the current time for all files. Binaries will get |
| 309 | # modified again later when stripping them, but that's okay. |
| 310 | touch ${D}${PTEST_PATH} |
| 311 | find ${D}${PTEST_PATH} -type f -print0 | xargs --verbose -0 touch -r ${D}${PTEST_PATH} |
| 312 | |
| 313 | # exclude binary files or the package won't install |
| 314 | for d in ssltest_old v3ext x509aux; do |
| 315 | rm -rf ${D}${libdir}/${BPN}/ptest/test/$d |
| 316 | done |
| 317 | |
| 318 | # Remove build host references |
| 319 | sed -i \ |
| 320 | -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \ |
| 321 | -e 's|${DEBUG_PREFIX_MAP}||g' \ |
| 322 | ${D}${PTEST_PATH}/Makefile ${D}${PTEST_PATH}/Configure |
| 323 | } |
| 324 | |
| 325 | # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto |
| 326 | # package RRECOMMENDS on this package. This will enable the configuration |
| 327 | # file to be installed for both the base openssl package and the libcrypto |
| 328 | # package since the base openssl package depends on the libcrypto package. |
| 329 | |
| 330 | PACKAGES =+ "libcrypto10 libssl10 openssl10-conf ${PN}-engines ${PN}-misc" |
| 331 | |
| 332 | FILES_libcrypto10 = "${libdir}/libcrypto${SOLIBS}" |
| 333 | FILES_libssl10 = "${libdir}/libssl${SOLIBS}" |
| 334 | FILES_openssl10-conf = "${sysconfdir}/ssl/openssl.cnf" |
| 335 | FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines" |
| 336 | FILES_${PN}-misc = "${libdir}/ssl/misc" |
| 337 | FILES_${PN} =+ "${libdir}/ssl/*" |
| 338 | FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" |
| 339 | |
| 340 | CONFFILES_openssl10-conf = "${sysconfdir}/ssl/openssl.cnf" |
| 341 | |
| 342 | RRECOMMENDS_libcrypto10 += "openssl10-conf" |
| 343 | RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}" |
| 344 | RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc" |
| 345 | |
| 346 | BBCLASSEXTEND = "native nativesdk" |
| 347 | PACKAGE_PREPROCESS_FUNCS += "openssl_package_preprocess" |
| 348 | |
| 349 | # openssl 1.0 development files and executable binaries clash with openssl 1.1 |
| 350 | # files when installed into target rootfs. So we don't put them into |
| 351 | # packages, but they continue to be provided via target sysroot for |
| 352 | # cross-compilation on the host, if some software still depends on openssl 1.0. |
| 353 | openssl_package_preprocess () { |
| 354 | for file in `find ${PKGD} -name *.h -o -name *.pc -o -name *.so`; do |
| 355 | rm $file |
| 356 | done |
| 357 | rm ${PKGD}/usr/bin/openssl |
| 358 | rm ${PKGD}/usr/bin/c_rehash |
| 359 | rmdir ${PKGD}/usr/bin |
| 360 | |
| 361 | } |