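# BitBake recipe for OpenSSL 3 (installs under ssl-3, engines-3 and
# ossl-modules): the libcrypto/libssl libraries, the openssl command-line
# tool, the legacy provider and the upstream test suite as a ptest package.
SUMMARY = "Secure Socket Layer"
DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
HOMEPAGE = "http://www.openssl.org/"
BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
SECTION = "libs/network"

LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"

# The tarball is fetched over plain HTTP, so its integrity rests entirely on
# SRC_URI[sha256sum] below; update that checksum together with PV.
# The CVE-*.patch entries are security backports. cve-check recognises a fix
# by the CVE id in the patch file name or a "CVE:" tag in the patch header, so
# keep that naming when adding further backports.
SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://run-ptest \
           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
           file://afalg.patch \
           file://0001-Configure-do-not-tweak-mips-cflags.patch \
           file://CVE-2023-0464.patch \
           file://CVE-2023-0465.patch \
           file://CVE-2023-0466.patch \
           "

SRC_URI:append:class-nativesdk = " \
           file://environment.d-openssl.sh \
           "

SRC_URI[sha256sum] = "6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e"

inherit lib_package multilib_header multilib_script ptest perlnative
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"

# No optional feature is enabled by default, for target, native or nativesdk.
PACKAGECONFIG ?= ""
PACKAGECONFIG:class-native = ""
PACKAGECONFIG:class-nativesdk = ""

PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
# Opt-in hardening: building with no-tls1 / no-tls1_1 removes TLS 1.0 / 1.1
# support from the library. Because PACKAGECONFIG defaults to empty, both
# legacy protocol versions stay compiled in unless a distro or image selects
# these options.
PACKAGECONFIG[no-tls1] = "no-tls1"
PACKAGECONFIG[no-tls1_1] = "no-tls1_1"

B = "${WORKDIR}/build"
do_configure[cleandirs] = "${B}"

#| ./libcrypto.so: undefined reference to `getcontext'
#| ./libcrypto.so: undefined reference to `setcontext'
#| ./libcrypto.so: undefined reference to `makecontext'
EXTRA_OECONF:append:libc-musl = " no-async"
EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"

# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"

# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
# With both directories compiled in as /not/builtin, the native tool gets its
# configuration, certificate, engine and module locations from the wrapper
# environment set in do_install:append:class-native.
CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"

# This allows disabling deprecated or undesirable crypto algorithms.
# The default is to trust upstream choices.
# The value is passed verbatim to OpenSSL's Configure in do_configure.
DEPRECATED_CRYPTO_FLAGS ?= ""

# Map the OE host OS/architecture to an OpenSSL Configure target and run
# Configure in the separate build directory.
do_configure () {
	# When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
	# the issue really clear that perl isn't functional due to symbol mismatch issues.
	cat <<- EOF > ${WORKDIR}/perltest
	#!/usr/bin/env perl
	use POSIX;
	EOF
	chmod a+x ${WORKDIR}/perltest
	${WORKDIR}/perltest

	# Collapse the libc/ABI-specific OS names to plain "linux".
	os=${HOST_OS}
	case $os in
	linux-gnueabi |\
	linux-gnuspe |\
	linux-musleabi |\
	linux-muslspe |\
	linux-musl )
		os=linux
		;;
	*)
		;;
	esac
	# Pick the OpenSSL target; a combination not listed here is passed to
	# Configure unchanged.
	target="$os-${HOST_ARCH}"
	case $target in
	linux-arc)
		target=linux-latomic
		;;
	linux-arm*)
		target=linux-armv4
		;;
	linux-aarch64*)
		target=linux-aarch64
		;;
	linux-i?86 | linux-viac3)
		target=linux-x86
		;;
	linux-gnux32-x86_64 | linux-muslx32-x86_64 )
		target=linux-x32
		;;
	linux-gnu64-x86_64)
		target=linux-x86_64
		;;
	linux-mips | linux-mipsel)
		# specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
		target="linux-mips32 ${TARGET_CC_ARCH}"
		;;
	linux-gnun32-mips*)
		target=linux-mips64
		;;
	linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
		target=linux64-mips64
		;;
	linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
		target=linux-generic32
		;;
	linux-powerpc)
		target=linux-ppc
		;;
	linux-powerpc64)
		target=linux-ppc64
		;;
	linux-powerpc64le)
		target=linux-ppc64le
		;;
	linux-riscv32)
		target=linux-generic32
		;;
	linux-riscv64)
		target=linux-generic64
		;;
	linux-sparc | linux-supersparc)
		target=linux-sparcv9
		;;
	mingw32-x86_64)
		target=mingw64
		;;
	esac

	# An empty prefix would leave --prefix without a value; fall back to "/".
	useprefix=${prefix}
	if [ "x$useprefix" = "x" ]; then
		useprefix=/
	fi
	# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
	# environment variables set by bitbake. Adjust the environment variables instead.
	HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
	perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
	# Dump the resulting configuration into the task log so the enabled and
	# disabled features can be audited after the build.
	perl ${B}/configdata.pm --dump
}

# Install into the image directory and move certs, private and openssl.cnf to
# the conventional /etc/ssl location, leaving relative symlinks behind.
do_install () {
	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install

	oe_multilib_header openssl/opensslconf.h
	oe_multilib_header openssl/configuration.h

	# Create SSL structure for packages such as ca-certificates which
	# contain hard-coded paths to /etc/ssl. Debian does the same.
	# The directories are moved, not copied, so "private" keeps whatever
	# mode the upstream install step gave it.
	install -d ${D}${sysconfdir}/ssl
	mv ${D}${libdir}/ssl-3/certs \
	   ${D}${libdir}/ssl-3/private \
	   ${D}${libdir}/ssl-3/openssl.cnf \
	   ${D}${sysconfdir}/ssl/

	# Although absolute symlinks would be OK for the target, they become
	# invalid if native or nativesdk are relocated from sstate.
	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
}

# The native binary is built with /not/builtin as its compiled-in directories,
# so the wrapper exports the real configuration, trust store, engine and
# provider-module locations at run time.
do_install:append:class-native () {
	create_wrapper ${D}${bindir}/openssl \
	    OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
	    SSL_CERT_DIR=${libdir}/ssl-3/certs \
	    SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
	    OPENSSL_ENGINES=${libdir}/engines-3 \
	    OPENSSL_MODULES=${libdir}/ossl-modules
}

# Ship the SDK environment hook and point it at the ssl-3 directory.
do_install:append:class-nativesdk () {
	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
	install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
	sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
}

PTEST_BUILD_HOST_FILES += "configdata.pm"
PTEST_BUILD_HOST_PATTERN = "perl_version ="
# Stage the upstream test suite for on-target execution.
# The ptest package carries test-only engines (dasync, ossltest,
# loader_attic) and the sample .pem files from the apps directory; it is
# meant for test images, not for production ones.
do_install_ptest () {
	install -d ${D}${PTEST_PATH}/test
	install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
	install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test

	# Prune the build tree
	rm -f ${B}/fuzz/*.* ${B}/test/*.*

	cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
	# Replace build-host source paths so the installed file does not
	# reference (or disclose) the build directory layout.
	sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm
	cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}

	# For test_shlibload. OpenSSL 3 shared objects carry the ".so.3"
	# suffix; links to the 1.1 names would dangle on the target.
	ln -s ${libdir}/libcrypto.so.3 ${D}${PTEST_PATH}/
	ln -s ${libdir}/libssl.so.3 ${D}${PTEST_PATH}/

	install -d ${D}${PTEST_PATH}/apps
	ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
	install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
	install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps

	install -d ${D}${PTEST_PATH}/engines
	install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
	install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
	install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines

	install -d ${D}${PTEST_PATH}/providers
	install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers

	install -d ${D}${PTEST_PATH}/Configurations
	cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/

	# seems to be needed with perl 5.32.1
	install -d ${D}${PTEST_PATH}/util/perl/recipes
	cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/

	sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl
}

# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
# package RRECOMMENDS on this package. This will enable the configuration
# file to be installed for both the openssl-bin package and the libcrypto
# package since the openssl-bin package depends on the libcrypto package.

PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"

FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
FILES:libssl = "${libdir}/libssl${SOLIBS}"
FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
                      ${libdir}/ssl-3/openssl.cnf* \
                      "
FILES:${PN}-engines = "${libdir}/engines-3"
# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"

CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"

# The legacy provider module is only recommended, so an image can leave it
# out (for example through BAD_RECOMMENDATIONS) when the legacy algorithms
# are not wanted on the target.
RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
RDEPENDS:${PN}-misc = "perl"
RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"

RDEPENDS:${PN}-bin += "openssl-conf"

BBCLASSEXTEND = "native nativesdk"

# Product name that cve-check matches against the CVE database.
CVE_PRODUCT = "openssl:openssl"

# NOTE(review): "alphabetical" handles letter-suffixed versions; confirm it is
# still needed for the version this recipe builds.
CVE_VERSION_SUFFIX = "alphabetical"

# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
# Apache in meta-webserver is already recent enough
# The ignore holds only while that remains true: a layer that ships its own,
# older Apache should drop this entry and re-assess.
CVE_CHECK_IGNORE += "CVE-2019-0190"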