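SUMMARY = "Secure Socket Layer"
DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
HOMEPAGE = "https://www.openssl.org/"
BUGTRACKER = "https://www.openssl.org/news/vulnerabilities.html"
SECTION = "libs/network"

LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"

# Fetch the release tarball over TLS. The sha256sum below is what actually pins
# the artifact (a mismatch fails the fetch), but a plain-http download still
# leaks what is being built and can be intercepted/downgraded for free, so
# there is no reason not to use https here.
#
# The CVE-2023-0464/0465/0466 patches are backports of upstream's X.509
# certificate-policy fixes carried on top of this release; drop them when
# upgrading to an upstream release that already contains them (3.0.9 onwards,
# per the upstream advisories).
SRC_URI = "https://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://run-ptest \
           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
           file://afalg.patch \
           file://0001-Configure-do-not-tweak-mips-cflags.patch \
           file://CVE-2023-0464.patch \
           file://CVE-2023-0465.patch \
           file://CVE-2023-0466.patch \
           "

SRC_URI:append:class-nativesdk = " \
           file://environment.d-openssl.sh \
           "

SRC_URI[sha256sum] = "6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e"

inherit lib_package multilib_header multilib_script ptest perlnative
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"

# No optional features by default; native and nativesdk builds are forced to
# none so that host-side tooling never grows kernel/engine dependencies.
PACKAGECONFIG ?= ""
PACKAGECONFIG:class-native = ""
PACKAGECONFIG:class-nativesdk = ""

# cryptodev-linux: build the /dev/crypto engine (needs cryptodev-module at runtime).
PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
# no-tls1 / no-tls1_1: compile the legacy protocol versions out of libssl
# entirely, instead of relying on runtime configuration to refuse them.
PACKAGECONFIG[no-tls1] = "no-tls1"
PACKAGECONFIG[no-tls1_1] = "no-tls1_1"

# Out-of-tree build; do_configure wipes ${B} before every run.
B = "${WORKDIR}/build"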
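do_configure[cleandirs] = "${B}"

# musl lacks the ucontext functions OpenSSL's async support needs:
#| ./libcrypto.so: undefined reference to `getcontext'
#| ./libcrypto.so: undefined reference to `setcontext'
#| ./libcrypto.so: undefined reference to `makecontext'
EXTRA_OECONF:append:libc-musl = " no-async"
EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"

# Adding devrandom prevents openssl from using getrandom(), which is not available
# on older glibc versions (native versions can be built with newer glibc, but are
# then relocated onto a system with older glibc). Only host-side builds get this;
# target builds keep upstream's default seeding.
EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"

# Relying on hardcoded built-in paths causes openssl-native to not be relocateable
# from sstate. The real locations are supplied through the environment instead
# (see the create_wrapper call in do_install:append:class-native).
CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"

# Extra Configure switches for disabling deprecated or undesirable crypto,
# e.g. "no-ssl3 no-weak-ssl-ciphers". The default is to trust upstream choices.
# Anything listed here is compiled out and cannot be re-enabled at runtime.
DEPRECATED_CRYPTO_FLAGS ?= ""

do_configure () {
    # When we upgrade glibc but not uninative we see obtuse failures in openssl.
    # Run a trivial perl script first so a broken host perl (symbol mismatch)
    # fails loudly here rather than deep inside Configure. printf is used
    # instead of a <<- heredoc so the shebang stays at column 0 regardless of
    # how this function body is indented.
    printf '%s\n' '#!/usr/bin/env perl' 'use POSIX;' > ${WORKDIR}/perltest
    chmod a+x ${WORKDIR}/perltest
    ${WORKDIR}/perltest

    # Collapse the libc/ABI-qualified HOST_OS values to plain "linux";
    # OpenSSL's target names do not distinguish them.
    os=${HOST_OS}
    case $os in
    linux-gnueabi |\
    linux-gnuspe |\
    linux-musleabi |\
    linux-muslspe |\
    linux-musl )
        os=linux
        ;;
    *)
        ;;
    esac

    # Map the OE host OS/arch pair onto an OpenSSL Configure target name.
    # Order matters: the exact "linux-arc" match must precede the "linux-arc*"
    # glob in the generic32 group.
    target="$os-${HOST_ARCH}"
    case $target in
    linux-arc)
        target=linux-latomic
        ;;
    linux-arm*)
        target=linux-armv4
        ;;
    linux-aarch64*)
        target=linux-aarch64
        ;;
    linux-i?86 | linux-viac3)
        target=linux-x86
        ;;
    linux-gnux32-x86_64 | linux-muslx32-x86_64 )
        target=linux-x32
        ;;
    linux-gnu64-x86_64)
        target=linux-x86_64
        ;;
    linux-mips | linux-mipsel)
        # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
        target="linux-mips32 ${TARGET_CC_ARCH}"
        ;;
    linux-gnun32-mips*)
        target=linux-mips64
        ;;
    linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
        target=linux64-mips64
        ;;
    linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
        target=linux-generic32
        ;;
    linux-powerpc)
        target=linux-ppc
        ;;
    linux-powerpc64)
        target=linux-ppc64
        ;;
    linux-powerpc64le)
        target=linux-ppc64le
        ;;
    linux-riscv32)
        target=linux-generic32
        ;;
    linux-riscv64)
        target=linux-generic64
        ;;
    linux-sparc | linux-supersparc)
        target=linux-sparcv9
        ;;
    mingw32-x86_64)
        target=mingw64
        ;;
    esac

    # ${prefix} is expanded by bitbake; an empty prefix must become "/" for Configure.
    useprefix="${prefix}"
    [ -n "$useprefix" ] || useprefix=/

    # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
    # environment variables set by bitbake. Adjust the environment variables instead.
    # PERL5LIB points at the Text::Template copy bundled with the source so Configure
    # does not depend on a host-installed module.
    HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
    perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
    # Dump the resolved configuration into the build log so the effective
    # enable/disable set can be audited after the fact.
    perl ${B}/configdata.pm --dump
}

do_install () {
    oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install

    oe_multilib_header openssl/opensslconf.h
    oe_multilib_header openssl/configuration.h

    # Create SSL structure for packages such as ca-certificates which
    # contain hard-coded paths to /etc/ssl. Debian does the same.
    # NOTE(review): ssl/private is where private keys are expected to be
    # provisioned; its mode is whatever upstream's install target produced --
    # confirm the packaged directory is restrictive (0700) before relying on it.
    install -d ${D}${sysconfdir}/ssl
    mv ${D}${libdir}/ssl-3/certs \
       ${D}${libdir}/ssl-3/private \
       ${D}${libdir}/ssl-3/openssl.cnf \
       ${D}${sysconfdir}/ssl/

    # Although absolute symlinks would be OK for the target, they become
    # invalid if native or nativesdk are relocated from sstate.
    ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
    ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
    ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
}

# The native binary was compiled with OPENSSLDIR/ENGINESDIR set to /not/builtin
# (see CFLAGS above), so every lookup path has to come from the environment.
do_install:append:class-native () {
    create_wrapper ${D}${bindir}/openssl \
        OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
        SSL_CERT_DIR=${libdir}/ssl-3/certs \
        SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
        OPENSSL_ENGINES=${libdir}/engines-3 \
        OPENSSL_MODULES=${libdir}/ossl-modules
}

do_install:append:class-nativesdk () {
    mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
    install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
    # The shipped environment file predates the versioned openssldir.
    sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
}

PTEST_BUILD_HOST_FILES += "configdata.pm"
PTEST_BUILD_HOST_PATTERN = "perl_version ="
do_install_ptest () {
    install -d ${D}${PTEST_PATH}/test
    install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
    # A config file, not an executable: no need for the exec bit.
    install -m644 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test

    # Prune the build tree
    rm -f ${B}/fuzz/*.* ${B}/test/*.*

    cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
    sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm
    cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}

    # For test_shlibload. OpenSSL 3.x installs libcrypto.so.3 / libssl.so.3;
    # the ".so.1.1" names previously used here belong to the 1.1.x series and
    # left dangling symlinks on a 3.x build.
    ln -s ${libdir}/libcrypto.so.3 ${D}${PTEST_PATH}/
    ln -s ${libdir}/libssl.so.3 ${D}${PTEST_PATH}/

    install -d ${D}${PTEST_PATH}/apps
    ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
    # apps/*.pem and *.srl are presumably upstream's sample certificates/keys
    # for the test-suite; they are public test material and only ever ship in
    # the -ptest package -- they must never be used as real credentials.
    install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
    install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps

    install -d ${D}${PTEST_PATH}/engines
    install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
    install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
    install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines

    install -d ${D}${PTEST_PATH}/providers
    install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers

    install -d ${D}${PTEST_PATH}/Configurations
    cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/

    # seems to be needed with perl 5.32.1
    install -d ${D}${PTEST_PATH}/util/perl/recipes
    cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/

    sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl
}

# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
# package RRECOMMENDS on this package. This will enable the configuration
# file to be installed for both the openssl-bin package and the libcrypto
# package since the openssl-bin package depends on the libcrypto package.

PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"

FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
FILES:libssl = "${libdir}/libssl${SOLIBS}"
FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
                      ${libdir}/ssl-3/openssl.cnf* \
                      "
FILES:${PN}-engines = "${libdir}/engines-3"
# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
# The legacy provider is split out so images can omit the obsolete algorithms it carries.
FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"

CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"

RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
RDEPENDS:${PN}-misc = "perl"
RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"

RDEPENDS:${PN}-bin += "openssl-conf"

BBCLASSEXTEND = "native nativesdk"

# Scope cve-check to vendor:product so unrelated products named "openssl" do not match.
CVE_PRODUCT = "openssl:openssl"

# Letter-suffixed upstream versions (1.1.1x style) compare alphabetically.
CVE_VERSION_SUFFIX = "alphabetical"
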
# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37, i.e. the
# defect is on the Apache side and there is nothing to patch in OpenSSL itself.
# Apache in meta-webserver is already recent enough.
CVE_CHECK_IGNORE += "CVE-2019-0190"