diff options
author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-04-05 22:28:33 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-04-05 22:31:28 +0300 |
commit | 193236933b0f4ab91b1625b64e2187e2db4e0e8f (patch) | |
tree | e12769d7c76d8b0517d6de3d3c72189753d253ed /poky/meta/recipes-connectivity/openssl | |
parent | bd93df9478f2f56ffcbc8cb88f1709c735dcd85b (diff) | |
download | openbmc-193236933b0f4ab91b1625b64e2187e2db4e0e8f.tar.xz |
reset upstream subtrees to HEAD
Reset the following subtrees on HEAD:
poky: 8217b477a1(master)
meta-xilinx: 64aa3d35ae(master)
meta-openembedded: 0435c9e193(master)
meta-raspberrypi: 490a4441ac(master)
meta-security: cb6d1c85ee(master)
Squashed patches:
meta-phosphor: drop systemd 239 patches
meta-phosphor: mrw-api: use correct install path
Change-Id: I268e2646d9174ad305630c6bbd3fbc1a6105f43d
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/recipes-connectivity/openssl')
-rw-r--r-- | poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch | 8 | ||||
-rw-r--r-- | poky/meta/recipes-connectivity/openssl/openssl/CVE-2019-1543.patch | 69 | ||||
-rw-r--r-- | poky/meta/recipes-connectivity/openssl/openssl/afalg.patch | 31 | ||||
-rw-r--r-- | poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh | 222 | ||||
-rw-r--r-- | poky/meta/recipes-connectivity/openssl/openssl/run-ptest | 2 | ||||
-rw-r--r-- | poky/meta/recipes-connectivity/openssl/openssl10_1.0.2r.bb (renamed from poky/meta/recipes-connectivity/openssl/openssl10_1.0.2q.bb) | 7 | ||||
-rw-r--r-- | poky/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb (renamed from poky/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb) | 30 |
7 files changed, 123 insertions, 246 deletions
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch index 80b62ab18..949c78834 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch +++ b/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch @@ -20,6 +20,11 @@ https://patchwork.openembedded.org/patch/147229/ Upstream-Status: Inappropriate [OE specific] Signed-off-by: Martin Hundebøll <martin@geanix.com> + + +Update to fix buildpaths qa issue for '-fmacro-prefix-map'. + +Signed-off-by: Kai Kang <kai.kang@windriver.com> --- Configurations/unix-Makefile.tmpl | 10 +++++++++- crypto/build.info | 2 +- @@ -29,7 +34,7 @@ diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tm index 16af4d2087..54c162784c 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl -@@ -317,13 +317,21 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), +@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) @@ -43,6 +48,7 @@ index 16af4d2087..54c162784c 100644 +CFLAGS_Q={- for (@{$config{CFLAGS}}) { + s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; ++ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; + } + join(' ', @{$config{CFLAGS}}) -} + diff --git a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2019-1543.patch b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2019-1543.patch new file mode 100644 index 000000000..900ef97fc --- /dev/null +++ b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2019-1543.patch @@ -0,0 +1,69 @@ +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/f426625b6ae9a7831010750490a5f0ad689c5ba3] +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From f426625b6ae9a7831010750490a5f0ad689c5ba3 Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Tue, 5 Mar 2019 14:39:15 +0000 +Subject: [PATCH] Prevent over long nonces in ChaCha20-Poly1305 + +ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for +every encryption operation. RFC 7539 specifies that the nonce value (IV) +should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and +front pads the nonce with 0 bytes if it is less than 12 bytes. However it +also incorrectly allows a nonce to be set of up to 16 bytes. In this case +only the last 12 bytes are significant and any additional leading bytes are +ignored. + +It is a requirement of using this cipher that nonce values are unique. +Messages encrypted using a reused nonce value are susceptible to serious +confidentiality and integrity attacks. If an application changes the +default nonce length to be longer than 12 bytes and then makes a change to +the leading bytes of the nonce expecting the new value to be a new unique +nonce then such an application could inadvertently encrypt messages with a +reused nonce. + +Additionally the ignored bytes in a long nonce are not covered by the +integrity guarantee of this cipher. Any application that relies on the +integrity of these ignored leading bytes of a long nonce may be further +affected. + +Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe +because no such use sets such a long nonce value. However user +applications that use this cipher directly and set a non-default nonce +length to be longer than 12 bytes may be vulnerable. + +CVE: CVE-2019-1543 + +Fixes #8345 + +Reviewed-by: Paul Dale <paul.dale@oracle.com> +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/8406) + +(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6) +--- + crypto/evp/e_chacha20_poly1305.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c +index c1917bb86a6..d3e2c622a1b 100644 +--- a/crypto/evp/e_chacha20_poly1305.c ++++ b/crypto/evp/e_chacha20_poly1305.c +@@ -30,6 +30,8 @@ typedef struct { + + #define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data) + ++#define CHACHA20_POLY1305_MAX_IVLEN 12 ++ + static int chacha_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char user_key[CHACHA_KEY_SIZE], + const unsigned char iv[CHACHA_CTR_SIZE], int enc) +@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + return 1; + + case EVP_CTRL_AEAD_SET_IVLEN: +- if (arg <= 0 || arg > CHACHA_CTR_SIZE) ++ if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN) + return 0; + actx->nonce_len = arg; + return 1; diff --git a/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch b/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch new file mode 100644 index 000000000..7c4b084f3 --- /dev/null +++ b/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch @@ -0,0 +1,31 @@ +Don't refuse to build afalgeng if cross-compiling or the host kernel is too old. + +Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688] +Signed-off-by: Ross Burton <ross.burton@intel.com> + +diff --git a/Configure b/Configure +index 3baa8ce..9ef52ed 100755 +--- a/Configure ++++ b/Configure +@@ -1550,20 +1550,7 @@ unless ($disabled{"crypto-mdebug-backtrace"}) + unless ($disabled{afalgeng}) { + $config{afalgeng}=""; + if (grep { $_ eq 'afalgeng' } @{$target{enable}}) { +- my $minver = 4*10000 + 1*100 + 0; +- if ($config{CROSS_COMPILE} eq "") { +- my $verstr = `uname -r`; +- my ($ma, $mi1, $mi2) = split("\\.", $verstr); +- ($mi2) = $mi2 =~ /(\d+)/; +- my $ver = $ma*10000 + $mi1*100 + $mi2; +- if ($ver < $minver) { +- $disabled{afalgeng} = "too-old-kernel"; +- } else { +- push @{$config{engdirs}}, "afalg"; +- } +- } else { +- $disabled{afalgeng} = "cross-compiling"; +- } ++ push @{$config{engdirs}}, "afalg"; + } else { + $disabled{afalgeng} = "not-linux"; + } diff --git a/poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh deleted file mode 100644 index 6620fdcb5..000000000 --- a/poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh +++ /dev/null @@ -1,222 +0,0 @@ -#!/bin/sh -# -# Ben Secrest <blsecres@gmail.com> -# -# sh c_rehash script, scan all files in a directory -# and add symbolic links to their hash values. -# -# based on the c_rehash perl script distributed with openssl -# -# LICENSE: See OpenSSL license -# ^^acceptable?^^ -# - -# default certificate location -DIR=/etc/openssl - -# for filetype bitfield -IS_CERT=$(( 1 << 0 )) -IS_CRL=$(( 1 << 1 )) - - -# check to see if a file is a certificate file or a CRL file -# arguments: -# 1. the filename to be scanned -# returns: -# bitfield of file type; uses ${IS_CERT} and ${IS_CRL} -# -check_file() -{ - local IS_TYPE=0 - - # make IFS a newline so we can process grep output line by line - local OLDIFS=${IFS} - IFS=$( printf "\n" ) - - # XXX: could be more efficient to have two 'grep -m' but is -m portable? - for LINE in $( grep '^-----BEGIN .*-----' ${1} ) - do - if echo ${LINE} \ - | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} )) - - if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ] - then - break - fi - elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} )) - - if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ] - then - break - fi - fi - done - - # restore IFS - IFS=${OLDIFS} - - return ${IS_TYPE} -} - - -# -# use openssl to fingerprint a file -# arguments: -# 1. the filename to fingerprint -# 2. the method to use (x509, crl) -# returns: -# none -# assumptions: -# user will capture output from last stage of pipeline -# -fingerprint() -{ - ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':' -} - - -# -# link_hash - create links to certificate files -# arguments: -# 1. the filename to create a link for -# 2. the type of certificate being linked (x509, crl) -# returns: -# 0 on success, 1 otherwise -# -link_hash() -{ - local FINGERPRINT=$( fingerprint ${1} ${2} ) - local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} ) - local SUFFIX=0 - local LINKFILE='' - local TAG='' - - if [ ${2} = "crl" ] - then - TAG='r' - fi - - LINKFILE=${HASH}.${TAG}${SUFFIX} - - while [ -f ${LINKFILE} ] - do - if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ] - then - echo "NOTE: Skipping duplicate file ${1}" >&2 - return 1 - fi - - SUFFIX=$(( ${SUFFIX} + 1 )) - LINKFILE=${HASH}.${TAG}${SUFFIX} - done - - echo "${3} => ${LINKFILE}" - - # assume any system with a POSIX shell will either support symlinks or - # do something to handle this gracefully - ln -s ${3} ${LINKFILE} - - return 0 -} - - -# hash_dir create hash links in a given directory -hash_dir() -{ - echo "Doing ${1}" - - cd ${1} - - ls -1 * 2>/dev/null | while read FILE - do - if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \ - && [ -h "${FILE}" ] - then - rm ${FILE} - fi - done - - ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE - do - REAL_FILE=${FILE} - # if we run on build host then get to the real files in rootfs - if [ -n "${SYSROOT}" -a -h ${FILE} ] - then - FILE=$( readlink ${FILE} ) - # check the symlink is absolute (or dangling in other word) - if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ] - then - REAL_FILE=${SYSROOT}/${FILE} - fi - fi - - check_file ${REAL_FILE} - local FILE_TYPE=${?} - local TYPE_STR='' - - if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ] - then - TYPE_STR='x509' - elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ] - then - TYPE_STR='crl' - else - echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2 - continue - fi - - link_hash ${REAL_FILE} ${TYPE_STR} ${FILE} - done -} - - -# choose the name of an ssl application -if [ -n "${OPENSSL}" ] -then - SSL_CMD=$(which ${OPENSSL} 2>/dev/null) -else - SSL_CMD=/usr/bin/openssl - OPENSSL=${SSL_CMD} - export OPENSSL -fi - -# fix paths -PATH=${PATH}:${DIR}/bin -export PATH - -# confirm existance/executability of ssl command -if ! [ -x ${SSL_CMD} ] -then - echo "${0}: rehashing skipped ('openssl' program not available)" >&2 - exit 0 -fi - -# determine which directories to process -old_IFS=$IFS -if [ ${#} -gt 0 ] -then - IFS=':' - DIRLIST=${*} -elif [ -n "${SSL_CERT_DIR}" ] -then - DIRLIST=$SSL_CERT_DIR -else - DIRLIST=${DIR}/certs -fi - -IFS=':' - -# process directories -for CERT_DIR in ${DIRLIST} -do - if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ] - then - IFS=$old_IFS - hash_dir ${CERT_DIR} - IFS=':' - fi -done diff --git a/poky/meta/recipes-connectivity/openssl/openssl/run-ptest b/poky/meta/recipes-connectivity/openssl/openssl/run-ptest index 0a620dea7..3fb22471f 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl/run-ptest +++ b/poky/meta/recipes-connectivity/openssl/openssl/run-ptest @@ -9,4 +9,4 @@ export TOP=. # OPENSSL_ENGINES is relative from the test binaries export OPENSSL_ENGINES=../engines -perl ./test/run_tests.pl $* +perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;' diff --git a/poky/meta/recipes-connectivity/openssl/openssl10_1.0.2q.bb b/poky/meta/recipes-connectivity/openssl/openssl10_1.0.2r.bb index 54af100f9..87df4f517 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl10_1.0.2q.bb +++ b/poky/meta/recipes-connectivity/openssl/openssl10_1.0.2r.bb @@ -53,8 +53,8 @@ SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[md5sum] = "7563e1ce046cb21948eeb6ba1a0eb71c" -SRC_URI[sha256sum] = "5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684" +SRC_URI[md5sum] = "0d2baaf04c56d542f6cc757b9c2a2aac" +SRC_URI[sha256sum] = "ae51d08bba8a83958e894946f15303ff894d75c2b8bbd44a852b64e3fe11d0d6" S = "${WORKDIR}/openssl-${PV}" @@ -78,9 +78,6 @@ EXTRA_OEMAKE = "${@bb.utils.contains('PACKAGECONFIG', 'manpages', '', 'OE_DISABL export OE_LDFLAGS = "${LDFLAGS}" -# openssl fails with ccache: https://bugzilla.yoctoproject.org/show_bug.cgi?id=12810 -CCACHE = "" - TERMIO ?= "-DTERMIO" TERMIO_libc-musl = "-DTERMIOS" EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm" diff --git a/poky/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb b/poky/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb index e9e9facd3..d3404d2ef 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb +++ b/poky/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb @@ -7,26 +7,33 @@ SECTION = "libs/network" # "openssl" here actually means both OpenSSL and SSLeay licenses apply # (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) LICENSE = "openssl" -LIC_FILES_CHKSUM = "file://LICENSE;md5=d57d511030c9d66ef5f5966bee5a7eff" +LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" DEPENDS = "hostperl-runtime-native" SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://run-ptest \ - file://openssl-c_rehash.sh \ file://0001-skip-test_symbol_presence.patch \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ + file://afalg.patch \ + file://CVE-2019-1543.patch \ " SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[md5sum] = "963deb2272d6be7d4c2458afd2517b73" -SRC_URI[sha256sum] = "fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41" +SRC_URI[md5sum] = "4532712e7bcc9414f5bce995e4e13930" +SRC_URI[sha256sum] = "5c557b023230413dfb0756f3137a13e6d726838ccd1430888ad15bfb2b43ea4b" inherit lib_package multilib_header ptest +PACKAGECONFIG ?= "" +PACKAGECONFIG_class-native = "" +PACKAGECONFIG_class-nativesdk = "" + +PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux" + B = "${WORKDIR}/build" do_configure[cleandirs] = "${B}" @@ -113,6 +120,7 @@ do_configure () { # environment variables set by bitbake. Adjust the environment variables instead. PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target + perl ${B}/configdata.pm --dump } do_install () { @@ -141,12 +149,6 @@ do_install_append_class-native () { SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ OPENSSL_ENGINES=${libdir}/ssl-1.1/engines - - # Install a custom version of c_rehash that can handle sysroots properly. - # This version is used for example when installing ca-certificates during - # image creation. - install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash - sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash } do_install_append_class-nativesdk () { @@ -195,16 +197,10 @@ FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/open CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" RRECOMMENDS_libcrypto += "openssl-conf" -RDEPENDS_${PN}-bin = "perl" -RDEPENDS_${PN}-misc = "perl" -RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash python" +RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash" RPROVIDES_openssl-conf = "openssl10-conf" RREPLACES_openssl-conf = "openssl10-conf" RCONFLICTS_openssl-conf = "openssl10-conf" BBCLASSEXTEND = "native nativesdk" - -inherit multilib_script - -MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" |