diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-connectivity/openssl')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch | 62 | ||||
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch | 99 | ||||
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1u.bb (renamed from meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb) | 55 |
3 files changed, 207 insertions, 9 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch new file mode 100644 index 000000000..d62b9344c --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch @@ -0,0 +1,62 @@ +From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001 +From: Alistair Francis <alistair.francis@wdc.com> +Date: Thu, 29 Aug 2019 13:56:21 -0700 +Subject: [PATCH] Add support for io_pgetevents_time64 syscall + +32-bit architectures that are y2038 safe don't include syscalls that use +32-bit time_t. Instead these architectures have suffixed syscalls that +always use a 64-bit time_t. In the case of the io_getevents syscall the +syscall has been replaced with the io_pgetevents_time64 syscall instead. + +This patch changes the io_getevents() function to use the correct +syscall based on the avaliable syscalls and the time_t size. We will +only use the new 64-bit time_t syscall if the architecture is using a +64-bit time_t. This is to avoid having to deal with 32/64-bit +conversions and relying on a 64-bit timespec struct on 32-bit time_t +platforms. As of Linux 5.3 there are no 32-bit time_t architectures +without __NR_io_getevents. In the future if a 32-bit time_t architecture +wants to use the 64-bit syscalls we can handle the conversion. + +This fixes build failures on 32-bit RISC-V. + +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> + +Reviewed-by: Richard Levitte <levitte@openssl.org> +Reviewed-by: Paul Dale <paul.dale@oracle.com> +(Merged from https://github.com/openssl/openssl/pull/9819) +Upstream-Status: Accepted +--- + engines/e_afalg.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/engines/e_afalg.c b/engines/e_afalg.c +index dacbe358cb..99516cb1bb 100644 +--- a/engines/e_afalg.c ++++ b/engines/e_afalg.c +@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, + struct io_event *events, + struct timespec *timeout) + { ++#if defined(__NR_io_getevents) + return syscall(__NR_io_getevents, ctx, min, max, events, timeout); ++#elif defined(__NR_io_pgetevents_time64) ++ /* Let's only support the 64 suffix syscalls for 64-bit time_t. ++ * This simplifies the code for us as we don't need to use a 64-bit ++ * version of timespec with a 32-bit time_t and handle converting ++ * between 64-bit and 32-bit times and check for overflows. ++ */ ++ if (sizeof(timeout->tv_sec) == 8) ++ return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL); ++ else { ++ errno = ENOSYS; ++ return -1; ++ } ++#else ++# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64." ++#endif + } + + static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, +-- +2.30.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch new file mode 100644 index 000000000..c8bc6f5c6 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch @@ -0,0 +1,99 @@ +From e5499a3cac1e823c3e0697e8667e952317b70cc8 Mon Sep 17 00:00:00 2001 +From: Alistair Francis <alistair.francis@wdc.com> +Date: Thu, 4 Mar 2021 12:10:11 -0500 +Subject: [PATCH] Fixup support for io_pgetevents_time64 syscall + +This is a fixup for the original commit 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc +"Add support for io_pgetevents_time64 syscall" that didn't correctly +work for 32-bit architecutres with a 64-bit time_t that aren't RISC-V. + +For a full discussion of the issue see: +https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc + +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> + +Reviewed-by: Tomas Mraz <tomas@openssl.org> +Reviewed-by: Paul Dale <pauli@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/14432) +Upstream-Status: Accepted +--- + engines/e_afalg.c | 55 ++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 42 insertions(+), 13 deletions(-) + +diff --git a/engines/e_afalg.c b/engines/e_afalg.c +index 9480d7c24b..4e9d67db2d 100644 +--- a/engines/e_afalg.c ++++ b/engines/e_afalg.c +@@ -124,27 +124,56 @@ static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) + return syscall(__NR_io_submit, ctx, n, iocb); + } + ++/* A version of 'struct timespec' with 32-bit time_t and nanoseconds. */ ++struct __timespec32 ++{ ++ __kernel_long_t tv_sec; ++ __kernel_long_t tv_nsec; ++}; ++ + static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, + struct io_event *events, + struct timespec *timeout) + { ++#if defined(__NR_io_pgetevents_time64) ++ /* Check if we are a 32-bit architecture with a 64-bit time_t */ ++ if (sizeof(*timeout) != sizeof(struct __timespec32)) { ++ int ret = syscall(__NR_io_pgetevents_time64, ctx, min, max, events, ++ timeout, NULL); ++ if (ret == 0 || errno != ENOSYS) ++ return ret; ++ } ++#endif ++ + #if defined(__NR_io_getevents) +- return syscall(__NR_io_getevents, ctx, min, max, events, timeout); +-#elif defined(__NR_io_pgetevents_time64) +- /* Let's only support the 64 suffix syscalls for 64-bit time_t. +- * This simplifies the code for us as we don't need to use a 64-bit +- * version of timespec with a 32-bit time_t and handle converting +- * between 64-bit and 32-bit times and check for overflows. +- */ +- if (sizeof(timeout->tv_sec) == 8) +- return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL); ++ if (sizeof(*timeout) == sizeof(struct __timespec32)) ++ /* ++ * time_t matches our architecture length, we can just use ++ * __NR_io_getevents ++ */ ++ return syscall(__NR_io_getevents, ctx, min, max, events, timeout); + else { +- errno = ENOSYS; +- return -1; ++ /* ++ * We don't have __NR_io_pgetevents_time64, but we are using a ++ * 64-bit time_t on a 32-bit architecture. If we can fit the ++ * timeout value in a 32-bit time_t, then let's do that ++ * and then use the __NR_io_getevents syscall. ++ */ ++ if (timeout && timeout->tv_sec == (long)timeout->tv_sec) { ++ struct __timespec32 ts32; ++ ++ ts32.tv_sec = (__kernel_long_t) timeout->tv_sec; ++ ts32.tv_nsec = (__kernel_long_t) timeout->tv_nsec; ++ ++ return syscall(__NR_io_getevents, ctx, min, max, events, ts32); ++ } else { ++ return syscall(__NR_io_getevents, ctx, min, max, events, NULL); ++ } + } +-#else +-# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64." + #endif ++ ++ errno = ENOSYS; ++ return -1; + } + + static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, +-- +2.30.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1u.bb index dc2a8ccff..6e0ad9ac4 100644 --- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1u.bb @@ -11,23 +11,28 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" DEPENDS = "hostperl-runtime-native" -SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ +PV = "1.0+git${SRCPV}" + +S = "${WORKDIR}/git" + +SRCREV = "3f499b24f3bcd66db022074f7e8b4f6ee266a3ae" + +SRC_URI = "git://github.com/openssl/openssl.git;branch=OpenSSL_1_1_1-stable;protocol=https \ file://run-ptest \ file://0001-skip-test_symbol_presence.patch \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ file://reproducible.patch \ - file://CVE-2022-0778.patch \ - file://CVE-2022-1292-Fix-openssl-c_rehash.patch \ - file://CVE-2022-2068-Fix-file-operations-in-c_rehash.patch \ - file://CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1" +SRC_URI:append:riscv32 = " \ + file://0003-Add-support-for-io_pgetevents_time64-syscall.patch \ + file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \ + " inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" @@ -37,6 +42,8 @@ PACKAGECONFIG:class-native = "" PACKAGECONFIG:class-nativesdk = "" PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" +PACKAGECONFIG[no-tls1] = "no-tls1" +PACKAGECONFIG[no-tls1_1] = "no-tls1_1" B = "${WORKDIR}/build" do_configure[cleandirs] = "${B}" @@ -56,6 +63,20 @@ EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom" CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" +# Disable deprecated crypto algorithms +# Retained for compatibilty +# des (curl) +# dh (python-ssl) +# dsa (rpm) +# md4 (cyrus-sasl freeradius hostapd) +# bf (wvstreams postgresql x11vnc crda znc cfengine) +# rc4 (freerdp librtorrent ettercap xrdp transmission pam-ssh-agent-auth php) +# rc2 (mailx) +# psk (qt5) +# srp (libest) +# whirlpool (qca) +DEPRECATED_CRYPTO_FLAGS = "no-ssl no-idea no-rc5 no-md2 no-camellia no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4" + do_configure () { os=${HOST_OS} case $os in @@ -117,6 +138,9 @@ do_configure () { linux-sparc | linux-supersparc) target=linux-sparcv9 ;; + mingw32-x86_64) + target=mingw64 + ;; esac useprefix=${prefix} @@ -126,7 +150,7 @@ do_configure () { # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the # environment variables set by bitbake. Adjust the environment variables instead. HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target perl ${B}/configdata.pm --dump } @@ -184,6 +208,10 @@ do_install_ptest () { install -d ${D}${PTEST_PATH}/engines install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines + + # seems to be needed with perl 5.32.1 + install -d ${D}${PTEST_PATH}/util/perl/recipes + cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/ } # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto @@ -195,21 +223,30 @@ PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}" FILES:libssl = "${libdir}/libssl${SOLIBS}" -FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf" +FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \ + ${libdir}/ssl-1.1/openssl.cnf* \ + " FILES:${PN}-engines = "${libdir}/engines-1.1" -FILES:${PN}-misc = "${libdir}/ssl-1.1/misc" +# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP) +FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-1_1" +FILES:${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash" FILES:${PN} =+ "${libdir}/ssl-1.1/*" FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf" RRECOMMENDS:libcrypto += "openssl-conf" +RDEPENDS:${PN}-misc = "perl" RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash" +RDEPENDS:${PN}-bin += "openssl-conf" + BBCLASSEXTEND = "native nativesdk" CVE_PRODUCT = "openssl:openssl" +CVE_VERSION_SUFFIX = "alphabetical" + # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 # Apache in meta-webserver is already recent enough CVE_CHECK_WHITELIST += "CVE-2019-0190" |