

Bump openssl from 1.1.1d to 1.1.1k
Tested:
Can connect via HTTPS, SSH, and ipmitool.

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Joseph Reynolds committed Aug 27, 2021
1 parent 4160f25 commit ab1080c
Showing 5 changed files with 253 additions and 17 deletions.
Expand Up @@ -25,16 +25,19 @@ Signed-off-by: Martin Hundebøll <martin@geanix.com>
Update to fix buildpaths qa issue for '-fmacro-prefix-map'.

Signed-off-by: Kai Kang <kai.kang@windriver.com>

Update to fix buildpaths qa issue for '-ffile-prefix-map'.

Signed-off-by: Khem Raj <raj.khem@gmail.com>

---
Configurations/unix-Makefile.tmpl | 10 +++++++++-
crypto/build.info | 2 +-
2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 16af4d2087..54c162784c 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
@@ -420,13 +420,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl
'$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)

Expand All @@ -49,6 +52,7 @@ index 16af4d2087..54c162784c 100644
+CFLAGS_Q={- for (@{$config{CFLAGS}}) {
+ s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
+ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
+ s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
+ }
+ join(' ', @{$config{CFLAGS}}) -}
+
Expand All @@ -58,11 +62,9 @@ index 16af4d2087..54c162784c 100644
PERLASM_SCHEME= {- $target{perlasm_scheme} -}

# For x86 assembler: Set PROCESSOR to 386 if you want to support
diff --git a/crypto/build.info b/crypto/build.info
index b515b7318e..8c9cee2a09 100644
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink
ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl

DEPEND[cversion.o]=buildinf.h
Expand All @@ -71,6 +73,3 @@ index b515b7318e..8c9cee2a09 100644
DEPEND[buildinf.h]=../configdata.pm

GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
--
2.19.1

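--- a/poky/meta/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch
+++ b/poky/meta/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch
@@ -0,0 +1,62 @@
+From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Thu, 29 Aug 2019 13:56:21 -0700
+Subject: [PATCH] Add support for io_pgetevents_time64 syscall
+
+32-bit architectures that are y2038 safe don't include syscalls that use
+32-bit time_t. Instead these architectures have suffixed syscalls that
+always use a 64-bit time_t. In the case of the io_getevents syscall the
+syscall has been replaced with the io_pgetevents_time64 syscall instead.
+
+This patch changes the io_getevents() function to use the correct
+syscall based on the avaliable syscalls and the time_t size. We will
+only use the new 64-bit time_t syscall if the architecture is using a
+64-bit time_t. This is to avoid having to deal with 32/64-bit
+conversions and relying on a 64-bit timespec struct on 32-bit time_t
+platforms. As of Linux 5.3 there are no 32-bit time_t architectures
+without __NR_io_getevents. In the future if a 32-bit time_t architecture
+wants to use the 64-bit syscalls we can handle the conversion.
+
+This fixes build failures on 32-bit RISC-V.
+
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/9819)
+Upstream-Status: Accepted
+---
+engines/e_afalg.c | 16 ++++++++++++++++
+1 file changed, 16 insertions(+)
+
+diff --git a/engines/e_afalg.c b/engines/e_afalg.c
+index dacbe358cb..99516cb1bb 100644
+--- a/engines/e_afalg.c
++++ b/engines/e_afalg.c
+@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
+struct io_event *events,
+struct timespec *timeout)
+{
++#if defined(__NR_io_getevents)
+return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
++#elif defined(__NR_io_pgetevents_time64)
++ /* Let's only support the 64 suffix syscalls for 64-bit time_t.
++ * This simplifies the code for us as we don't need to use a 64-bit
++ * version of timespec with a 32-bit time_t and handle converting
++ * between 64-bit and 32-bit times and check for overflows.
++ */
++ if (sizeof(timeout->tv_sec) == 8)
++ return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
++ else {
++ errno = ENOSYS;
++ return -1;
++ }
++#else
++# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
++#endif
+}
+
+static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
+--
+2.30.1
+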
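--- a/poky/meta/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch
+++ b/poky/meta/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch
@@ -0,0 +1,99 @@
+From e5499a3cac1e823c3e0697e8667e952317b70cc8 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Thu, 4 Mar 2021 12:10:11 -0500
+Subject: [PATCH] Fixup support for io_pgetevents_time64 syscall
+
+This is a fixup for the original commit 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc
+"Add support for io_pgetevents_time64 syscall" that didn't correctly
+work for 32-bit architecutres with a 64-bit time_t that aren't RISC-V.
+
+For a full discussion of the issue see:
+https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc
+
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/14432)
+Upstream-Status: Accepted
+---
+engines/e_afalg.c | 55 ++++++++++++++++++++++++++++++++++++-----------
+1 file changed, 42 insertions(+), 13 deletions(-)
+
+diff --git a/engines/e_afalg.c b/engines/e_afalg.c
+index 9480d7c24b..4e9d67db2d 100644
+--- a/engines/e_afalg.c
++++ b/engines/e_afalg.c
+@@ -124,27 +124,56 @@ static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb)
+return syscall(__NR_io_submit, ctx, n, iocb);
+}
+
++/* A version of 'struct timespec' with 32-bit time_t and nanoseconds. */
++struct __timespec32
++{
++ __kernel_long_t tv_sec;
++ __kernel_long_t tv_nsec;
++};
++
+static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
+struct io_event *events,
+struct timespec *timeout)
+{
++#if defined(__NR_io_pgetevents_time64)
++ /* Check if we are a 32-bit architecture with a 64-bit time_t */
++ if (sizeof(*timeout) != sizeof(struct __timespec32)) {
++ int ret = syscall(__NR_io_pgetevents_time64, ctx, min, max, events,
++ timeout, NULL);
++ if (ret == 0 || errno != ENOSYS)
++ return ret;
++ }
++#endif
++
+#if defined(__NR_io_getevents)
+- return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
+-#elif defined(__NR_io_pgetevents_time64)
+- /* Let's only support the 64 suffix syscalls for 64-bit time_t.
+- * This simplifies the code for us as we don't need to use a 64-bit
+- * version of timespec with a 32-bit time_t and handle converting
+- * between 64-bit and 32-bit times and check for overflows.
+- */
+- if (sizeof(timeout->tv_sec) == 8)
+- return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
++ if (sizeof(*timeout) == sizeof(struct __timespec32))
++ /*
++ * time_t matches our architecture length, we can just use
++ * __NR_io_getevents
++ */
++ return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
+else {
+- errno = ENOSYS;
+- return -1;
++ /*
++ * We don't have __NR_io_pgetevents_time64, but we are using a
++ * 64-bit time_t on a 32-bit architecture. If we can fit the
++ * timeout value in a 32-bit time_t, then let's do that
++ * and then use the __NR_io_getevents syscall.
++ */
++ if (timeout && timeout->tv_sec == (long)timeout->tv_sec) {
++ struct __timespec32 ts32;
++
++ ts32.tv_sec = (__kernel_long_t) timeout->tv_sec;
++ ts32.tv_nsec = (__kernel_long_t) timeout->tv_nsec;
++
++ return syscall(__NR_io_getevents, ctx, min, max, events, ts32);
++ } else {
++ return syscall(__NR_io_getevents, ctx, min, max, events, NULL);
++ }
+}
+-#else
+-# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
+#endif
++
++ errno = ENOSYS;
++ return -1;
+}
+
+static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
+--
+2.30.1
+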
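Review bot: In the 64-bit time_t fallback of io_getevents, `ts32` is handed to syscall() by value (`return syscall(__NR_io_getevents, ctx, min, max, events, ts32);`) while every other call in the same function passes a pointer (`timeout` or `NULL`); the kernel reads a timespec through a pointer, so this branch should read `return syscall(__NR_io_getevents, ctx, min, max, events, &ts32);`, and the variadic prototype means no compiler diagnostic will flag the mismatch. The earlier guard `if (ret == 0 || errno != ENOSYS)` also looks wrong for a call that, as far as I can tell, returns the number of events collected: a positive ret with a stale ENOSYS in errno would fall through and issue the legacy syscall a second time, so `ret >= 0` seems to be the intended test. Both are in the backported upstream patch rather than the recipe, so the right follow-up is a further patch against upstream e_afalg.c carried alongside this one, and since the recipe only applies these patches on riscv32 the broken branch may never be exercised in this tree; worth confirming before relying on it elsewhere.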
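--- a/poky/meta/recipes-connectivity/openssl/openssl/reproducible.patch
+++ b/poky/meta/recipes-connectivity/openssl/openssl/reproducible.patch
@@ -0,0 +1,32 @@
+The value for perl_archname can vary depending on the host, e.g.
+x86_64-linux-gnu-thread-multi or x86_64-linux-thread-multi which
+makes the ptest package non-reproducible. Its unused other than
+these references so drop it.
+
+RP 2020/2/6
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: openssl-1.1.1d/Configure
+===================================================================
+--- openssl-1.1.1d.orig/Configure
++++ openssl-1.1.1d/Configure
+@@ -286,7 +286,7 @@ if (defined env($local_config_envname))
+# Save away perl command information
+$config{perl_cmd} = $^X;
+$config{perl_version} = $Config{version};
+-$config{perl_archname} = $Config{archname};
++#$config{perl_archname} = $Config{archname};
+
+$config{prefix}="";
+$config{openssldir}="";
+@@ -2517,7 +2517,7 @@ _____
+@{$config{perlargv}}), "\n";
+print "\nPerl information:\n\n";
+print ' ',$config{perl_cmd},"\n";
+- print ' ',$config{perl_version},' for ',$config{perl_archname},"\n";
++ print ' ',$config{perl_version},"\n";
+}
+if ($dump || $options) {
+my $longest = 0;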
Expand Up @@ -16,14 +16,19 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://0001-skip-test_symbol_presence.patch \
file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
file://afalg.patch \
file://reproducible.patch \
"

SRC_URI_append_class-nativesdk = " \
file://environment.d-openssl.sh \
"

SRC_URI[md5sum] = "3be209000dbc7e1b95bcdf47980a3baa"
SRC_URI[sha256sum] = "1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2"
SRC_URI_append_riscv32 = " \
file://0003-Add-support-for-io_pgetevents_time64-syscall.patch \
file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \
"

SRC_URI[sha256sum] = "892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5"

inherit lib_package multilib_header multilib_script ptest
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
Expand All @@ -32,7 +37,9 @@ PACKAGECONFIG ?= ""
PACKAGECONFIG_class-native = ""
PACKAGECONFIG_class-nativesdk = ""

PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux"
PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
PACKAGECONFIG[no-tls1] = "no-tls1"
PACKAGECONFIG[no-tls1_1] = "no-tls1_1"

B = "${WORKDIR}/build"
do_configure[cleandirs] = "${B}"
Expand All @@ -52,6 +59,20 @@ EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom"
CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"

# Disable deprecated crypto algorithms
# Retained for compatibilty
# des (curl)
# dh (python-ssl)
# dsa (rpm)
# md4 (cyrus-sasl freeradius hostapd)
# bf (wvstreams postgresql x11vnc crda znc cfengine)
# rc4 (freerdp librtorrent ettercap xrdp transmission pam-ssh-agent-auth php)
# rc2 (mailx)
# psk (qt5)
# srp (libest)
# whirlpool (qca)
DEPRECATED_CRYPTO_FLAGS = "no-ssl no-idea no-rc5 no-md2 no-camellia no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4"

do_configure () {
os=${HOST_OS}
case $os in
Expand Down Expand Up @@ -101,6 +122,9 @@ do_configure () {
linux-powerpc64)
target=linux-ppc64
;;
linux-powerpc64le)
target=linux-ppc64le
;;
linux-riscv32)
target=linux-generic32
;;
Expand All @@ -110,6 +134,9 @@ do_configure () {
linux-sparc | linux-supersparc)
target=linux-sparcv9
;;
mingw32-x86_64)
target=mingw64
;;
esac

useprefix=${prefix}
Expand All @@ -118,8 +145,8 @@ do_configure () {
fi
# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
# environment variables set by bitbake. Adjust the environment variables instead.
PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
perl ${B}/configdata.pm --dump
}

Expand Down Expand Up @@ -148,7 +175,7 @@ do_install_append_class-native () {
OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
OPENSSL_ENGINES=${libdir}/engines-1.1
}

do_install_append_class-nativesdk () {
Expand Down Expand Up @@ -177,6 +204,10 @@ do_install_ptest () {

install -d ${D}${PTEST_PATH}/engines
install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines

# seems to be needed with perl 5.32.1
install -d ${D}${PTEST_PATH}/util/perl/recipes
cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
}

# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
Expand All @@ -188,17 +219,30 @@ PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"

FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
FILES_libssl = "${libdir}/libssl${SOLIBS}"
FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
${libdir}/ssl-1.1/openssl.cnf* \
"
FILES_${PN}-engines = "${libdir}/engines-1.1"
FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
FILES_${PN}-engines_append_mingw32_class-nativesdk = " ${prefix}${libdir}/engines-1_1"
FILES_${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash"
FILES_${PN} =+ "${libdir}/ssl-1.1/*"
FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"

CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"

RRECOMMENDS_libcrypto += "openssl-conf"
RDEPENDS_${PN}-misc = "perl"
RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash"

RDEPENDS_${PN}-bin += "openssl-conf"

BBCLASSEXTEND = "native nativesdk"

CVE_PRODUCT = "openssl:openssl"

CVE_VERSION_SUFFIX = "alphabetical"

# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
# Apache in meta-webserver is already recent enough
CVE_CHECK_WHITELIST += "CVE-2019-0190"
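Review bot: The comment block introducing `DEPRECATED_CRYPTO_FLAGS` is easy to misread: it opens with "Disable deprecated crypto algorithms" and then lists des, dh, dsa, md4, bf, rc4, rc2, psk, srp and whirlpool, none of which appear in the assignment below, so a reader skimming it can conclude that rc4 and md4 are being switched off when they are in fact the ones deliberately left enabled. I would split it into two explicit comments, `# Disable deprecated crypto algorithms (see DEPRECATED_CRYPTO_FLAGS below)` and `# The following are NOT disabled because these recipes still depend on them:`, and keep the existing per-algorithm consumer list under the second one, which also fixes the "compatibilty" typo. The consumer names are the only record of why weak algorithms stay in a TLS library build, so they belong next to each entry rather than being trimmed. The do_configure function that consumes the variable starts in this section and its body is only partially shown across the visible hunks.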

