* [RFC PATCH 01/10] python: update to 3.5.3
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
@ 2017-05-10 14:13 ` Alexander Kanavin
2017-05-10 14:13 ` [RFC PATCH 02/10] openssl: add a 1.1 version Alexander Kanavin
` (10 subsequent siblings)
11 siblings, 0 replies; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 14:13 UTC (permalink / raw)
To: openembedded-core
Prior versions of python do not support openssl 1.1; updating to
Python 3.6 on the other hand is a lot more involved, and so should
be done by a specialist/maintainer.
LICENSE checksum change due to copyright years.
Drop upstreamed python3-fix-CVE-2016-1000110.patch
Rebase upstream-random-fixes.patch (taken from
https://github.com/python/cpython/commit/ff558f5aba40bd173f336503def886a12f8db016 )
Rebase 0001-Do-not-use-the-shell-version-of-python-config-that-w.patch
Rebase 000-cross-compile.patch
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
...on3-native_3.5.2.bb => python3-native_3.5.3.bb} | 8 +-
...the-shell-version-of-python-config-that-w.patch | 10 +-
...pile.patch => 0001-cross-compile-support.patch} | 56 ++--
.../python3/python3-fix-CVE-2016-1000110.patch | 148 -----------
.../python/python3/upstream-random-fixes.patch | 288 ++++++++++-----------
.../python/{python3_3.5.2.bb => python3_3.5.3.bb} | 9 +-
6 files changed, 180 insertions(+), 339 deletions(-)
rename meta/recipes-devtools/python/{python3-native_3.5.2.bb => python3-native_3.5.3.bb} (90%)
rename meta/recipes-devtools/python/python3/{000-cross-compile.patch => 0001-cross-compile-support.patch} (65%)
delete mode 100644 meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
rename meta/recipes-devtools/python/{python3_3.5.2.bb => python3_3.5.3.bb} (96%)
diff --git a/meta/recipes-devtools/python/python3-native_3.5.2.bb b/meta/recipes-devtools/python/python3-native_3.5.3.bb
similarity index 90%
rename from meta/recipes-devtools/python/python3-native_3.5.2.bb
rename to meta/recipes-devtools/python/python3-native_3.5.3.bb
index edcf2244f57..250697fbbc9 100644
--- a/meta/recipes-devtools/python/python3-native_3.5.2.bb
+++ b/meta/recipes-devtools/python/python3-native_3.5.3.bb
@@ -7,7 +7,7 @@ DISTRO_SRC_URI_linuxstdbase = ""
SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://12-distutils-prefix-is-inside-staging-area.patch \
file://python-config.patch \
-file://000-cross-compile.patch \
+file://0001-cross-compile-support.patch \
file://030-fixup-include-dirs.patch \
file://070-dont-clean-ipkg-install.patch \
file://080-distutils-dont_adjust_files.patch \
@@ -26,10 +26,10 @@ file://setup.py-check-cross_compiling-when-get-FLAGS.patch \
file://0001-Do-not-use-the-shell-version-of-python-config-that-w.patch \
"
-SRC_URI[md5sum] = "8906efbacfcdc7c3c9198aeefafd159e"
-SRC_URI[sha256sum] = "0010f56100b9b74259ebcd5d4b295a32324b58b517403a10d1a2aa7cb22bca40"
+SRC_URI[md5sum] = "57d1f8bfbabf4f2500273fb0706e6f21"
+SRC_URI[sha256sum] = "eefe2ad6575855423ab630f5b51a8ef6e5556f774584c06beab4926f930ddbb0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=6b60258130e4ed10d3101517eb5b9385"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b680ed99aa60d350c65a65914494207e"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
diff --git a/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch b/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch
index b7e0ac63544..8ea3f03fe03 100644
--- a/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch
+++ b/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch
@@ -1,4 +1,4 @@
-From 045c99b5f1eb6e4e0d8ad1ef9f0ba6574f738150 Mon Sep 17 00:00:00 2001
+From 04df959365e2b54d7503edf0e5534ff094284f2d Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Fri, 23 Oct 2015 12:25:09 +0300
Subject: [PATCH] Do not use the shell version of python-config that was
@@ -14,13 +14,13 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/Makefile.pre.in b/Makefile.pre.in
-index d7fc9a0..47e60bc 100644
+index 236f005..5c4337f 100644
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
-@@ -1270,12 +1270,9 @@ python-config: $(srcdir)/Misc/python-config.in Misc/python-config.sh
+@@ -1348,12 +1348,9 @@ python-config: $(srcdir)/Misc/python-config.in Misc/python-config.sh
sed -e "s,@EXENAME@,$(BINDIR)/python$(LDVERSION)$(EXE)," < $(srcdir)/Misc/python-config.in >python-config.py
# Replace makefile compat. variable references with shell script compat. ones; $(VAR) -> ${VAR}
- sed -e 's,\$$(\([A-Za-z0-9_]*\)),\$$\{\1\},g' < Misc/python-config.sh >python-config
+ LC_ALL=C sed -e 's,\$$(\([A-Za-z0-9_]*\)),\$$\{\1\},g' < Misc/python-config.sh >python-config
- # On Darwin, always use the python version of the script, the shell
- # version doesn't use the compiler customizations that are provided
- # in python (_osx_support.py).
@@ -34,5 +34,5 @@ index d7fc9a0..47e60bc 100644
# Install the include files
--
-2.1.4
+2.11.0
diff --git a/meta/recipes-devtools/python/python3/000-cross-compile.patch b/meta/recipes-devtools/python/python3/0001-cross-compile-support.patch
similarity index 65%
rename from meta/recipes-devtools/python/python3/000-cross-compile.patch
rename to meta/recipes-devtools/python/python3/0001-cross-compile-support.patch
index 2d822218f49..118d75ddc5a 100644
--- a/meta/recipes-devtools/python/python3/000-cross-compile.patch
+++ b/meta/recipes-devtools/python/python3/0001-cross-compile-support.patch
@@ -1,27 +1,32 @@
+From 624c029abcc73c724020ccea9a2b4b5b5c00f2a6 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Fri, 31 Mar 2017 15:42:46 +0300
+Subject: [PATCH] cross-compile support
+
We cross compile python. This patch uses tools from host/native
python instead of in-tree tools
-Khem
Upstream-Status: Inappropriate[Configuration Specific]
-
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
- Makefile.pre.in | 25 +++++++++++++------------
- 1 file changed, 13 insertions(+), 12 deletions(-)
+ Makefile.pre.in | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
-Index: Python-3.5.2/Makefile.pre.in
-===================================================================
---- Python-3.5.2.orig/Makefile.pre.in
-+++ Python-3.5.2/Makefile.pre.in
-@@ -220,6 +220,7 @@ LIBOBJS= @LIBOBJS@
+diff --git a/Makefile.pre.in b/Makefile.pre.in
+index a88b7d5..7cb8bb3 100644
+--- a/Makefile.pre.in
++++ b/Makefile.pre.in
+@@ -221,6 +221,7 @@ LIBOBJS= @LIBOBJS@
PYTHON= python$(EXE)
BUILDPYTHON= python$(BUILDEXE)
-+HOSTPYTHON= $(BUILDPYTHON)
++HOSTPYTHON= $(BUILDPYTHON)
- cross_compiling=@cross_compiling@
+ PYTHON_FOR_GEN=@PYTHON_FOR_GEN@
PYTHON_FOR_BUILD=@PYTHON_FOR_BUILD@
-@@ -279,6 +280,7 @@ LIBFFI_INCLUDEDIR= @LIBFFI_INCLUDEDIR@
+@@ -280,6 +281,7 @@ LIBFFI_INCLUDEDIR= @LIBFFI_INCLUDEDIR@
##########################################################################
# Parser
PGEN= Parser/pgen$(EXE)
@@ -29,7 +34,7 @@ Index: Python-3.5.2/Makefile.pre.in
PSRCS= \
Parser/acceler.c \
-@@ -509,7 +511,7 @@ build_all_generate_profile:
+@@ -510,7 +512,7 @@ build_all_generate_profile:
run_profile_task:
: # FIXME: can't run for a cross build
@@ -38,16 +43,16 @@ Index: Python-3.5.2/Makefile.pre.in
build_all_merge_profile:
$(LLVM_PROF_MERGER)
-@@ -792,7 +794,7 @@ $(GRAMMAR_H): $(GRAMMAR_INPUT) $(PGEN)
+@@ -787,7 +789,7 @@ $(IO_OBJS): $(IO_H)
+
+ $(GRAMMAR_H): @GENERATED_COMMENT@ $(GRAMMAR_INPUT) $(PGEN)
@$(MKDIR_P) Include
- # Avoid copying the file onto itself for an in-tree build
- if test "$(cross_compiling)" != "yes"; then \
-- $(PGEN) $(GRAMMAR_INPUT) $(GRAMMAR_H) $(GRAMMAR_C); \
-+ $(HOSTPGEN) $(GRAMMAR_INPUT) $(GRAMMAR_H) $(GRAMMAR_C); \
- else \
- cp $(srcdir)/Include/graminit.h $(GRAMMAR_H).tmp; \
- mv $(GRAMMAR_H).tmp $(GRAMMAR_H); \
-@@ -990,7 +992,7 @@ $(LIBRARY_OBJS) $(MODOBJS) Programs/pyth
+- $(PGEN) $(GRAMMAR_INPUT) $(GRAMMAR_H) $(GRAMMAR_C)
++ $(HOSTPGEN) $(GRAMMAR_INPUT) $(GRAMMAR_H) $(GRAMMAR_C)
+ $(GRAMMAR_C): @GENERATED_COMMENT@ $(GRAMMAR_H)
+ touch $(GRAMMAR_C)
+
+@@ -976,7 +978,7 @@ $(LIBRARY_OBJS) $(MODOBJS) Programs/python.o: $(PYTHON_HEADERS)
######################################################################
TESTOPTS= $(EXTRATESTOPTS)
@@ -56,7 +61,7 @@ Index: Python-3.5.2/Makefile.pre.in
TESTRUNNER= $(TESTPYTHON) $(srcdir)/Tools/scripts/run_tests.py
TESTTIMEOUT= 3600
-@@ -1481,7 +1483,7 @@ frameworkinstallstructure: $(LDLIBRARY)
+@@ -1468,7 +1470,7 @@ frameworkinstallstructure: $(LDLIBRARY)
fi; \
done
$(LN) -fsn include/python$(LDVERSION) $(DESTDIR)$(prefix)/Headers
@@ -65,7 +70,7 @@ Index: Python-3.5.2/Makefile.pre.in
$(LN) -fsn $(VERSION) $(DESTDIR)$(PYTHONFRAMEWORKINSTALLDIR)/Versions/Current
$(LN) -fsn Versions/Current/$(PYTHONFRAMEWORK) $(DESTDIR)$(PYTHONFRAMEWORKINSTALLDIR)/$(PYTHONFRAMEWORK)
$(LN) -fsn Versions/Current/Headers $(DESTDIR)$(PYTHONFRAMEWORKINSTALLDIR)/Headers
-@@ -1547,7 +1549,7 @@ config.status: $(srcdir)/configure
+@@ -1534,7 +1536,7 @@ config.status: $(srcdir)/configure
# Run reindent on the library
reindent:
@@ -74,7 +79,7 @@ Index: Python-3.5.2/Makefile.pre.in
# Rerun configure with the same options as it was run last time,
# provided the config.status script exists
-@@ -1683,7 +1685,7 @@ funny:
+@@ -1674,7 +1676,7 @@ funny:
# Perform some verification checks on any modified files.
patchcheck: all
@@ -83,3 +88,6 @@ Index: Python-3.5.2/Makefile.pre.in
# Dependencies
+--
+2.11.0
+
diff --git a/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch b/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
deleted file mode 100644
index ab1b7230ea6..00000000000
--- a/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From aab3e8c432b90508ac14755128f5a687be2fdf43 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu@windriver.com>
-Date: Thu, 22 Sep 2016 16:39:49 +0800
-Subject: [PATCH] python3: fix CVE-2016-1000110
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
-indicates that the script is in CGI mode.
-
-Issue #27568 Reported and patch contributed by Rémi Rampin. [#27568]
-
-Backport patch from https://hg.python.org/cpython/rev/a0ac52ed8f79
-
-Upstream-Status: Backport
-CVE: CVE-2016-1000110
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
----
- Doc/howto/urllib2.rst | 5 +++++
- Doc/library/urllib.request.rst | 17 ++++++++++++++++-
- Lib/test/test_urllib.py | 14 +++++++++++++-
- Lib/urllib/request.py | 6 ++++++
- Misc/NEWS | 4 ++++
- 5 files changed, 44 insertions(+), 2 deletions(-)
-
-diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
-index 24a4156..d2c7991 100644
---- a/Doc/howto/urllib2.rst
-+++ b/Doc/howto/urllib2.rst
-@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ handler: ::
- through a proxy. However, this can be enabled by extending urllib.request as
- shown in the recipe [#]_.
-
-+.. note::
-+
-+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
-+ the documentation on :func:`~urllib.request.getproxies`.
-+
-
- Sockets and Layers
- ==================
-diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
-index 1338906..1291aeb 100644
---- a/Doc/library/urllib.request.rst
-+++ b/Doc/library/urllib.request.rst
-@@ -173,6 +173,16 @@ The :mod:`urllib.request` module defines the following functions:
- If both lowercase and uppercase environment variables exist (and disagree),
- lowercase is preferred.
-
-+ .. note::
-+
-+ If the environment variable ``REQUEST_METHOD`` is set, which usually
-+ indicates your script is running in a CGI environment, the environment
-+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
-+ because that variable can be injected by a client using the "Proxy:" HTTP
-+ header. If you need to use an HTTP proxy in a CGI environment, either use
-+ ``ProxyHandler`` explicitly, or make sure the variable name is in
-+ lowercase (or at least the ``_proxy`` suffix).
-+
-
- The following classes are provided:
-
-@@ -280,6 +290,11 @@ The following classes are provided:
- list of hostname suffixes, optionally with ``:port`` appended, for example
- ``cern.ch,ncsa.uiuc.edu,some.host:8080``.
-
-+ .. note::
-+
-+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
-+ see the documentation on :func:`~urllib.request.getproxies`.
-+
-
- .. class:: HTTPPasswordMgr()
-
-@@ -1138,7 +1153,7 @@ the returned bytes object to string once it determines or guesses
- the appropriate encoding.
-
- The following W3C document, https://www.w3.org/International/O-charset\ , lists
--the various ways in which a (X)HTML or a XML document could have specified its
-+the various ways in which an (X)HTML or an XML document could have specified its
- encoding information.
-
- As the python.org website uses *utf-8* encoding as specified in its meta tag, we
-diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
-index 5d05f8d..247598a 100644
---- a/Lib/test/test_urllib.py
-+++ b/Lib/test/test_urllib.py
-@@ -1,4 +1,4 @@
--"""Regresssion tests for what was in Python 2's "urllib" module"""
-+"""Regression tests for what was in Python 2's "urllib" module"""
-
- import urllib.parse
- import urllib.request
-@@ -232,6 +232,18 @@ class ProxyTests(unittest.TestCase):
- self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com:8888'))
- self.assertTrue(urllib.request.proxy_bypass_environment('newdomain.com:1234'))
-
-+ def test_proxy_cgi_ignore(self):
-+ try:
-+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
-+ proxies = urllib.request.getproxies_environment()
-+ self.assertEqual('http://somewhere:3128', proxies['http'])
-+ self.env.set('REQUEST_METHOD', 'GET')
-+ proxies = urllib.request.getproxies_environment()
-+ self.assertNotIn('http', proxies)
-+ finally:
-+ self.env.unset('REQUEST_METHOD')
-+ self.env.unset('HTTP_PROXY')
-+
- def test_proxy_bypass_environment_host_match(self):
- bypass = urllib.request.proxy_bypass_environment
- self.env.set('NO_PROXY',
-diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
-index 1731fe3..3be327d 100644
---- a/Lib/urllib/request.py
-+++ b/Lib/urllib/request.py
-@@ -2412,6 +2412,12 @@ def getproxies_environment():
- name = name.lower()
- if value and name[-6:] == '_proxy':
- proxies[name[:-6]] = value
-+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
-+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
-+ # header from the client
-+ # If "proxy" is lowercase, it will still be used thanks to the next block
-+ if 'REQUEST_METHOD' in os.environ:
-+ proxies.pop('http', None)
- for name, value in os.environ.items():
- if name[-6:] == '_proxy':
- name = name.lower()
-diff --git a/Misc/NEWS b/Misc/NEWS
-index 4ad2551..2fcc95b 100644
---- a/Misc/NEWS
-+++ b/Misc/NEWS
-@@ -329,6 +329,10 @@ Library
- - Issue #26644: Raise ValueError rather than SystemError when a negative
- length is passed to SSLSocket.recv() or read().
-
-+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
-+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
-+ that the script is in CGI mode.
-+
- - Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes
- instead of up to 1024.
-
---
-2.8.1
-
diff --git a/meta/recipes-devtools/python/python3/upstream-random-fixes.patch b/meta/recipes-devtools/python/python3/upstream-random-fixes.patch
index 0d9152ccd7c..9b40e8ac9ff 100644
--- a/meta/recipes-devtools/python/python3/upstream-random-fixes.patch
+++ b/meta/recipes-devtools/python/python3/upstream-random-fixes.patch
@@ -1,21 +1,7 @@
-This patch updates random.c to match upstream python's code at revision
-8125d9a8152b. This addresses various issues around problems with glibc 2.24
-and 2.25 such that python would fail to start with:
-
-[rpurdie@centos7 ~]$ /tmp/t2/sysroots/x86_64-pokysdk-linux/usr/bin/python3
-Fatal Python error: getentropy() failed
-Aborted
-
-(taken from our buildtools-tarball also breaks eSDK)
-
-Upstream-Status: Backport
-
-# HG changeset patch
-# User Victor Stinner <victor.stinner@gmail.com>
-# Date 1483957133 -3600
-# Node ID 8125d9a8152b79e712cb09c7094b9129b9bcea86
-# Parent 337461574c90281630751b6095c4e1baf380cf7d
-Issue #29157: Prefer getrandom() over getentropy()
+From 035ba5da3e53e45c712b39fe1f6fb743e697c032 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <victor.stinner@gmail.com>
+Date: Mon, 9 Jan 2017 11:18:53 +0100
+Subject: [PATCH] Issue #29157: Prefer getrandom() over getentropy()
Copy and then adapt Python/random.c from default branch. Difference between 3.5
and default branches:
@@ -26,12 +12,17 @@ and default branches:
* Python 3.5 has no _PyOS_URandomNonblock() function: _PyOS_URandom()
works in non-blocking mode on Python 3.5
-RP 2017/1/22
+Upstream-Status: Backport [https://github.com/python/cpython/commit/035ba5da3e53e45c712b39fe1f6fb743e697c032]
+Signed-off-by: Alexander Kanavin <alexander.kanavin@intel.com>
+
+---
+ Python/random.c | 494 +++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 294 insertions(+), 200 deletions(-)
-Index: Python-3.5.2/Python/random.c
-===================================================================
---- Python-3.5.2.orig/Python/random.c
-+++ Python-3.5.2/Python/random.c
+diff --git a/Python/random.c b/Python/random.c
+index d203939..31f61d0 100644
+--- a/Python/random.c
++++ b/Python/random.c
@@ -1,6 +1,9 @@
#include "Python.h"
#ifdef MS_WINDOWS
@@ -42,7 +33,7 @@ Index: Python-3.5.2/Python/random.c
#else
# include <fcntl.h>
# ifdef HAVE_SYS_STAT_H
-@@ -36,10 +39,9 @@ win32_urandom_init(int raise)
+@@ -37,10 +40,9 @@ win32_urandom_init(int raise)
return 0;
error:
@@ -55,7 +46,7 @@ Index: Python-3.5.2/Python/random.c
return -1;
}
-@@ -52,8 +54,9 @@ win32_urandom(unsigned char *buffer, Py_
+@@ -53,8 +55,9 @@ win32_urandom(unsigned char *buffer, Py_ssize_t size, int raise)
if (hCryptProv == 0)
{
@@ -66,7 +57,7 @@ Index: Python-3.5.2/Python/random.c
}
while (size > 0)
-@@ -62,11 +65,9 @@ win32_urandom(unsigned char *buffer, Py_
+@@ -63,11 +66,9 @@ win32_urandom(unsigned char *buffer, Py_ssize_t size, int raise)
if (!CryptGenRandom(hCryptProv, (DWORD)chunk, buffer))
{
/* CryptGenRandom() failed */
@@ -80,7 +71,7 @@ Index: Python-3.5.2/Python/random.c
return -1;
}
buffer += chunk;
-@@ -75,55 +76,29 @@ win32_urandom(unsigned char *buffer, Py_
+@@ -76,58 +77,23 @@ win32_urandom(unsigned char *buffer, Py_ssize_t size, int raise)
return 0;
}
@@ -129,13 +120,19 @@ Index: Python-3.5.2/Python/random.c
#if defined(HAVE_GETRANDOM) || defined(HAVE_GETRANDOM_SYSCALL)
#define PY_GETRANDOM 1
+-/* Call getrandom()
+/* Call getrandom() to get random bytes:
+
-+ - Return 1 on success
+ - Return 1 on success
+- - Return 0 if getrandom() syscall is not available (failed with ENOSYS or
+- EPERM) or if getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom
+- not initialized yet) and raise=0.
+ - Return 0 if getrandom() is not available (failed with ENOSYS or EPERM),
+ or if getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom not
+ initialized yet).
-+ - Raise an exception (if raise is non-zero) and return -1 on error:
+ - Raise an exception (if raise is non-zero) and return -1 on error:
+- getrandom() failed with EINTR and the Python signal handler raised an
+- exception, or getrandom() failed with a different error. */
+ if getrandom() failed with EINTR, raise is non-zero and the Python signal
+ handler raised an exception, or if getrandom() failed with a different
+ error.
@@ -144,26 +141,16 @@ Index: Python-3.5.2/Python/random.c
static int
py_getrandom(void *buffer, Py_ssize_t size, int raise)
{
-- /* Is getrandom() supported by the running kernel?
-- * Need Linux kernel 3.17 or newer, or Solaris 11.3 or newer */
-+ /* Is getrandom() supported by the running kernel? Set to 0 if getrandom()
-+ failed with ENOSYS or EPERM. Need Linux kernel 3.17 or newer, or Solaris
-+ 11.3 or newer */
- static int getrandom_works = 1;
-
- /* getrandom() on Linux will block if called before the kernel has
-@@ -132,84 +107,165 @@ py_getrandom(void *buffer, Py_ssize_t si
+@@ -142,16 +108,19 @@ py_getrandom(void *buffer, Py_ssize_t size, int raise)
* see https://bugs.python.org/issue26839. To avoid this, use the
* GRND_NONBLOCK flag. */
const int flags = GRND_NONBLOCK;
-- int n;
+ char *dest;
-+ long n;
+ long n;
-- if (!getrandom_works)
-+ if (!getrandom_works) {
+ if (!getrandom_works) {
return 0;
-+ }
+ }
+ dest = buffer;
while (0 < size) {
@@ -174,11 +161,8 @@ Index: Python-3.5.2/Python/random.c
+ requested. */
n = Py_MIN(size, 1024);
#else
-- n = size;
-+ n = Py_MIN(size, LONG_MAX);
- #endif
-
- errno = 0;
+ n = Py_MIN(size, LONG_MAX);
+@@ -161,34 +130,35 @@ py_getrandom(void *buffer, Py_ssize_t size, int raise)
#ifdef HAVE_GETRANDOM
if (raise) {
Py_BEGIN_ALLOW_THREADS
@@ -209,56 +193,45 @@ Index: Python-3.5.2/Python/random.c
#endif
if (n < 0) {
-- if (errno == ENOSYS) {
+- /* ENOSYS: getrandom() syscall not supported by the kernel (but
+- * maybe supported by the host which built Python). EPERM:
+- * getrandom() syscall blocked by SECCOMP or something else. */
+ /* ENOSYS: the syscall is not supported by the kernel.
+ EPERM: the syscall is blocked by a security policy (ex: SECCOMP)
+ or something else. */
-+ if (errno == ENOSYS || errno == EPERM) {
+ if (errno == ENOSYS || errno == EPERM) {
getrandom_works = 0;
return 0;
}
+
if (errno == EAGAIN) {
-- /* If we failed with EAGAIN, the entropy pool was
-- * uninitialized. In this case, we return failure to fall
-- * back to reading from /dev/urandom.
-- *
-- * Note: In this case the data read will not be random so
-- * should not be used for cryptographic purposes. Retaining
-- * the existing semantics for practical purposes. */
-+ /* getrandom(GRND_NONBLOCK) fails with EAGAIN if the system
-+ urandom is not initialiazed yet. In this case, fall back on
-+ reading from /dev/urandom.
-+
-+ Note: In this case the data read will not be random so
-+ should not be used for cryptographic purposes. Retaining
-+ the existing semantics for practical purposes. */
- getrandom_works = 0;
- return 0;
+ /* getrandom(GRND_NONBLOCK) fails with EAGAIN if the system
+ urandom is not initialiazed yet. In this case, fall back on
+@@ -202,169 +172,225 @@ py_getrandom(void *buffer, Py_ssize_t size, int raise)
}
if (errno == EINTR) {
- if (PyErr_CheckSignals()) {
-- if (!raise)
+- if (!raise) {
- Py_FatalError("getrandom() interrupted by a signal");
-- return -1;
+ if (raise) {
+ if (PyErr_CheckSignals()) {
+ return -1;
-+ }
+ }
+- return -1;
}
+
- /* retry getrandom() */
-+
+ /* retry getrandom() if it was interrupted by a signal */
continue;
}
-- if (raise)
-+ if (raise) {
+ if (raise) {
PyErr_SetFromErrno(PyExc_OSError);
-- else
+ }
+- else {
- Py_FatalError("getrandom() failed");
-+ }
+- }
return -1;
}
@@ -269,12 +242,19 @@ Index: Python-3.5.2/Python/random.c
return 1;
}
-#endif
-+
+
+-static struct {
+- int fd;
+- dev_t st_dev;
+- ino_t st_ino;
+-} urandom_cache = { -1 };
+#elif defined(HAVE_GETENTROPY)
+#define PY_GETENTROPY 1
-+
+
+/* Fill buffer with size pseudo-random bytes generated by getentropy():
-+
+
+-/* Read 'size' random bytes from py_getrandom(). Fall back on reading from
+- /dev/urandom if getrandom() is not available.
+ - Return 1 on success
+ - Return 0 if getentropy() syscall is not available (failed with ENOSYS or
+ EPERM).
@@ -282,25 +262,47 @@ Index: Python-3.5.2/Python/random.c
+ if getentropy() failed with EINTR, raise is non-zero and the Python signal
+ handler raised an exception, or if getentropy() failed with a different
+ error.
-+
+
+- Call Py_FatalError() on error. */
+-static void
+-dev_urandom_noraise(unsigned char *buffer, Py_ssize_t size)
+ getentropy() is retried if it failed with EINTR: interrupted by a signal. */
+static int
+py_getentropy(char *buffer, Py_ssize_t size, int raise)
-+{
+ {
+- int fd;
+- Py_ssize_t n;
+ /* Is getentropy() supported by the running kernel? Set to 0 if
+ getentropy() failed with ENOSYS or EPERM. */
+ static int getentropy_works = 1;
-+
+
+- assert (0 < size);
+-
+-#ifdef PY_GETRANDOM
+- if (py_getrandom(buffer, size, 0) == 1) {
+- return;
+ if (!getentropy_works) {
+ return 0;
-+ }
-+
+ }
+- /* getrandom() failed with ENOSYS or EPERM,
+- fall back on reading /dev/urandom */
+-#endif
+
+- fd = _Py_open_noraise("/dev/urandom", O_RDONLY);
+- if (fd < 0) {
+- Py_FatalError("Failed to open /dev/urandom");
+- }
+ while (size > 0) {
+ /* getentropy() is limited to returning up to 256 bytes. Call it
+ multiple times if more bytes are requested. */
+ Py_ssize_t len = Py_MIN(size, 256);
+ int res;
-+
+
+- while (0 < size)
+- {
+- do {
+- n = read(fd, buffer, (size_t)size);
+- } while (n < 0 && errno == EINTR);
+ if (raise) {
+ Py_BEGIN_ALLOW_THREADS
+ res = getentropy(buffer, len);
@@ -309,7 +311,11 @@ Index: Python-3.5.2/Python/random.c
+ else {
+ res = getentropy(buffer, len);
+ }
-+
+
+- if (n <= 0) {
+- /* read() failed or returned 0 bytes */
+- Py_FatalError("Failed to read bytes from /dev/urandom");
+- break;
+ if (res < 0) {
+ /* ENOSYS: the syscall is not supported by the running kernel.
+ EPERM: the syscall is blocked by a security policy (ex: SECCOMP)
@@ -334,71 +340,44 @@ Index: Python-3.5.2/Python/random.c
+ PyErr_SetFromErrno(PyExc_OSError);
+ }
+ return -1;
-+ }
+ }
+- buffer += n;
+- size -= n;
+
+ buffer += len;
+ size -= len;
-+ }
+ }
+- close(fd);
+ return 1;
-+}
+ }
+#endif /* defined(HAVE_GETENTROPY) && !defined(sun) */
-+
- static struct {
- int fd;
-@@ -217,127 +273,123 @@ static struct {
- ino_t st_ino;
- } urandom_cache = { -1 };
+-/* Read 'size' random bytes from py_getrandom(). Fall back on reading from
+- /dev/urandom if getrandom() is not available.
+- Return 0 on success. Raise an exception and return -1 on error. */
++static struct {
++ int fd;
++ dev_t st_dev;
++ ino_t st_ino;
++} urandom_cache = { -1 };
++
+/* Read random bytes from the /dev/urandom device:
-
--/* Read size bytes from /dev/urandom into buffer.
-- Call Py_FatalError() on error. */
--static void
--dev_urandom_noraise(unsigned char *buffer, Py_ssize_t size)
--{
-- int fd;
-- Py_ssize_t n;
++
+ - Return 0 on success
+ - Raise an exception (if raise is non-zero) and return -1 on error
-
-- assert (0 < size);
++
+ Possible causes of errors:
-
--#ifdef PY_GETRANDOM
-- if (py_getrandom(buffer, size, 0) == 1)
-- return;
-- /* getrandom() is not supported by the running kernel, fall back
-- * on reading /dev/urandom */
--#endif
++
+ - open() failed with ENOENT, ENXIO, ENODEV, EACCES: the /dev/urandom device
+ was not found. For example, it was removed manually or not exposed in a
+ chroot or container.
+ - open() failed with a different error
+ - fstat() failed
+ - read() failed or returned 0
-
-- fd = _Py_open_noraise("/dev/urandom", O_RDONLY);
-- if (fd < 0)
-- Py_FatalError("Failed to open /dev/urandom");
++
+ read() is retried if it failed with EINTR: interrupted by a signal.
-
-- while (0 < size)
-- {
-- do {
-- n = read(fd, buffer, (size_t)size);
-- } while (n < 0 && errno == EINTR);
-- if (n <= 0)
-- {
-- /* stop on error or if read(size) returned 0 */
-- Py_FatalError("Failed to read bytes from /dev/urandom");
-- break;
-- }
-- buffer += n;
-- size -= (Py_ssize_t)n;
-- }
-- close(fd);
--}
++
+ The file descriptor of the device is kept open between calls to avoid using
+ many file descriptors when run in parallel from multiple threads:
+ see the issue #18756.
@@ -406,9 +385,7 @@ Index: Python-3.5.2/Python/random.c
+ st_dev and st_ino fields of the file descriptor (from fstat()) are cached to
+ check if the file descriptor was replaced by a different file (which is
+ likely a bug in the application): see the issue #21207.
-
--/* Read size bytes from /dev/urandom into buffer.
-- Return 0 on success, raise an exception and return -1 on error. */
++
+ If the file descriptor was closed or replaced, open a new file descriptor
+ but don't close the old file descriptor: it probably points to something
+ important for some third-party code. */
@@ -422,22 +399,24 @@ Index: Python-3.5.2/Python/random.c
-#ifdef PY_GETRANDOM
- int res;
-#endif
-
+-
- if (size <= 0)
- return 0;
-+ if (raise) {
-+ struct _Py_stat_struct st;
-#ifdef PY_GETRANDOM
- res = py_getrandom(buffer, size, 1);
-- if (res < 0)
+- if (res < 0) {
- return -1;
-- if (res == 1)
+- }
+- if (res == 1) {
- return 0;
-- /* getrandom() is not supported by the running kernel, fall back
-- * on reading /dev/urandom */
+- }
+- /* getrandom() failed with ENOSYS or EPERM,
+- fall back on reading /dev/urandom */
-#endif
--
++ if (raise) {
++ struct _Py_stat_struct st;
+
- if (urandom_cache.fd >= 0) {
- /* Does the fd point to the same thing as before? (issue #21207) */
- if (_Py_fstat_noraise(urandom_cache.fd, &st)
@@ -516,8 +495,9 @@ Index: Python-3.5.2/Python/random.c
- do {
- n = _Py_read(fd, buffer, (size_t)size);
-- if (n == -1)
+- if (n == -1) {
- return -1;
+- }
- if (n == 0) {
- PyErr_Format(PyExc_RuntimeError,
- "Failed to read %zi bytes from /dev/urandom",
@@ -566,7 +546,7 @@ Index: Python-3.5.2/Python/random.c
return 0;
}
-@@ -349,8 +401,8 @@ dev_urandom_close(void)
+@@ -376,8 +402,8 @@ dev_urandom_close(void)
urandom_cache.fd = -1;
}
}
@@ -576,7 +556,7 @@ Index: Python-3.5.2/Python/random.c
/* Fill buffer with pseudo-random bytes generated by a linear congruent
generator (LCG):
-@@ -373,29 +425,98 @@ lcg_urandom(unsigned int x0, unsigned ch
+@@ -400,31 +426,100 @@ lcg_urandom(unsigned int x0, unsigned char *buffer, size_t size)
}
}
@@ -661,7 +641,7 @@ Index: Python-3.5.2/Python/random.c
#else
- return dev_urandom_python((char*)buffer, size);
+ res = py_getentropy(buffer, size, raise);
- #endif
++#endif
+ if (res < 0) {
+ return -1;
+ }
@@ -673,9 +653,9 @@ Index: Python-3.5.2/Python/random.c
+#endif
+
+ return dev_urandom(buffer, size, raise);
-+#endif
-+}
-+
+ #endif
+ }
+
+/* Fill buffer with size pseudo-random bytes from the operating system random
+ number generator (RNG). It is suitable for most cryptographic purposes
+ except long living private keys for asymmetric encryption.
@@ -685,10 +665,12 @@ Index: Python-3.5.2/Python/random.c
+_PyOS_URandom(void *buffer, Py_ssize_t size)
+{
+ return pyurandom(buffer, size, 1);
- }
-
++}
++
void
-@@ -436,13 +557,14 @@ _PyRandom_Init(void)
+ _PyRandom_Init(void)
+ {
+@@ -463,13 +558,14 @@ _PyRandom_Init(void)
}
}
else {
@@ -710,7 +692,7 @@ Index: Python-3.5.2/Python/random.c
}
}
-@@ -454,8 +576,6 @@ _PyRandom_Fini(void)
+@@ -481,8 +577,6 @@ _PyRandom_Fini(void)
CryptReleaseContext(hCryptProv, 0);
hCryptProv = 0;
}
diff --git a/meta/recipes-devtools/python/python3_3.5.2.bb b/meta/recipes-devtools/python/python3_3.5.3.bb
similarity index 96%
rename from meta/recipes-devtools/python/python3_3.5.2.bb
rename to meta/recipes-devtools/python/python3_3.5.3.bb
index 2ff7c9e2780..79c2c519ff7 100644
--- a/meta/recipes-devtools/python/python3_3.5.2.bb
+++ b/meta/recipes-devtools/python/python3_3.5.3.bb
@@ -8,7 +8,7 @@ DISTRO_SRC_URI ?= "file://sitecustomize.py"
DISTRO_SRC_URI_linuxstdbase = ""
SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://python-config.patch \
-file://000-cross-compile.patch \
+file://0001-cross-compile-support.patch \
file://030-fixup-include-dirs.patch \
file://070-dont-clean-ipkg-install.patch \
file://080-distutils-dont_adjust_files.patch \
@@ -35,13 +35,12 @@ SRC_URI += "\
file://setup.py-check-cross_compiling-when-get-FLAGS.patch \
file://setup.py-find-libraries-in-staging-dirs.patch \
file://configure.ac-fix-LIBPL.patch \
- file://python3-fix-CVE-2016-1000110.patch \
file://upstream-random-fixes.patch \
"
-SRC_URI[md5sum] = "8906efbacfcdc7c3c9198aeefafd159e"
-SRC_URI[sha256sum] = "0010f56100b9b74259ebcd5d4b295a32324b58b517403a10d1a2aa7cb22bca40"
+SRC_URI[md5sum] = "57d1f8bfbabf4f2500273fb0706e6f21"
+SRC_URI[sha256sum] = "eefe2ad6575855423ab630f5b51a8ef6e5556f774584c06beab4926f930ddbb0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=6b60258130e4ed10d3101517eb5b9385"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b680ed99aa60d350c65a65914494207e"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
--
2.11.0
^ permalink raw reply related [flat|nested] 30+ messages in thread* [RFC PATCH 02/10] openssl: add a 1.1 version
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
2017-05-10 14:13 ` [RFC PATCH 01/10] python: update to 3.5.3 Alexander Kanavin
@ 2017-05-10 14:13 ` Alexander Kanavin
2017-05-10 14:13 ` [RFC PATCH 03/10] u-boot-mkimage: depend on openssl 1.0 Alexander Kanavin
` (9 subsequent siblings)
11 siblings, 0 replies; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 14:13 UTC (permalink / raw)
To: openembedded-core
Existing openssl 1.0 recipe is renamed to openssl10; it will
continue to be provided for as long as upstream supports it
(and there are still several recipes which do not work with openssl
1.1 due to API differences).
A few files (such as openssl binary) are no longer installed by openssl 1.0,
because they clash with openssl 1.1.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
meta/conf/distro/include/no-static-libs.inc | 3 +
meta/conf/distro/include/security_flags.inc | 2 +-
...ve-test-that-requires-running-as-non-root.patch | 49 +++++++
...1-Take-linking-flags-from-LDFLAGS-env-var.patch | 43 ++++++
.../recipes-connectivity/openssl/openssl/run-ptest | 4 +-
.../openssl/{openssl.inc => openssl10.inc} | 14 +-
...build-with-clang-using-external-assembler.patch | 0
.../{openssl => openssl10}/Makefiles-ptest.patch | 0
.../Use-SHA256-not-MD5-as-default-digest.patch | 0
.../configure-musl-target.patch | 0
.../{openssl => openssl10}/configure-targets.patch | 0
.../debian/c_rehash-compat.patch | 0
.../openssl/{openssl => openssl10}/debian/ca.patch | 0
.../debian/debian-targets.patch | 0
.../{openssl => openssl10}/debian/man-dir.patch | 0
.../debian/man-section.patch | 0
.../{openssl => openssl10}/debian/no-rpath.patch | 0
.../debian/no-symbolic.patch | 0
.../{openssl => openssl10}/debian/pic.patch | 0
.../debian/version-script.patch | 0
.../debian1.0.2/block_digicert_malaysia.patch | 0
.../debian1.0.2/block_diginotar.patch | 0
.../debian1.0.2/version-script.patch | 0
.../engines-install-in-libdir-ssl.patch | 0
.../openssl/{openssl => openssl10}/find.pl | 0
.../fix-cipher-des-ede3-cfb1.patch | 0
.../{openssl => openssl10}/oe-ldflags.patch | 0
.../openssl-1.0.2a-x32-asm.patch | 0
...-pointer-dereference-in-EVP_DigestInit_ex.patch | 0
.../{openssl => openssl10}/openssl-c_rehash.sh | 0
.../openssl-fix-des.pod-error.patch | 0
.../openssl-util-perlpath.pl-cwd.patch | 0
.../openssl_fix_for_x32.patch | 0
.../openssl/{openssl => openssl10}/parallel.patch | 0
.../{openssl => openssl10}/ptest-deps.patch | 0
.../ptest_makefile_deps.patch | 0
.../openssl/openssl10/run-ptest | 2 +
.../{openssl => openssl10}/shared-libs.patch | 0
.../{openssl_1.0.2k.bb => openssl10_1.0.2k.bb} | 4 +-
.../recipes-connectivity/openssl/openssl_1.1.0e.bb | 146 +++++++++++++++++++++
40 files changed, 261 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
mode change 100755 => 100644 meta/recipes-connectivity/openssl/openssl/run-ptest
rename meta/recipes-connectivity/openssl/{openssl.inc => openssl10.inc} (95%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/Makefiles-ptest.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/configure-musl-target.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/configure-targets.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/c_rehash-compat.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/ca.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/debian-targets.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/man-dir.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/man-section.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/no-rpath.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/no-symbolic.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/pic.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/version-script.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian1.0.2/block_digicert_malaysia.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian1.0.2/block_diginotar.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian1.0.2/version-script.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/engines-install-in-libdir-ssl.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/find.pl (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/fix-cipher-des-ede3-cfb1.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/oe-ldflags.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl-1.0.2a-x32-asm.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl-c_rehash.sh (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl-fix-des.pod-error.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl-util-perlpath.pl-cwd.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl_fix_for_x32.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/parallel.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/ptest-deps.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/ptest_makefile_deps.patch (100%)
create mode 100755 meta/recipes-connectivity/openssl/openssl10/run-ptest
rename meta/recipes-connectivity/openssl/{openssl => openssl10}/shared-libs.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl_1.0.2k.bb => openssl10_1.0.2k.bb} (97%)
create mode 100644 meta/recipes-connectivity/openssl/openssl_1.1.0e.bb
diff --git a/meta/conf/distro/include/no-static-libs.inc b/meta/conf/distro/include/no-static-libs.inc
index f8d8c09cf0f..7c165c717fc 100644
--- a/meta/conf/distro/include/no-static-libs.inc
+++ b/meta/conf/distro/include/no-static-libs.inc
@@ -25,6 +25,9 @@ DISABLE_STATIC_pn-openjade-native = ""
DISABLE_STATIC_pn-openssl = ""
DISABLE_STATIC_pn-openssl-native = ""
DISABLE_STATIC_pn-nativesdk-openssl = ""
+DISABLE_STATIC_pn-openssl10 = ""
+DISABLE_STATIC_pn-openssl10-native = ""
+DISABLE_STATIC_pn-nativesdk-openssl10 = ""
# libssp-static-dev included in build-appliance
DISABLE_STATIC_pn-gcc-runtime = ""
# libusb1-native is used to build static dfu-util-native
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index e162abeb3d9..fe5ea264705 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -68,7 +68,7 @@ SECURITY_CFLAGS_pn-libpcre = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-libproxy = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-mesa = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-mesa-gl = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-openssl = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-openssl10 = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-opensp = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-ppp = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-python = "${SECURITY_NO_PIE_CFLAGS}"
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch b/meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch
new file mode 100644
index 00000000000..736bb39acd1
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch
@@ -0,0 +1,49 @@
+From 3fdb1e2a16ea405c6731447a8994f222808ef7e6 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Fri, 7 Apr 2017 18:01:52 +0300
+Subject: [PATCH] Remove test that requires running as non-root
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ test/recipes/40-test_rehash.t | 17 +----------------
+ 1 file changed, 1 insertion(+), 16 deletions(-)
+
+diff --git a/test/recipes/40-test_rehash.t b/test/recipes/40-test_rehash.t
+index f902c23..c7567c1 100644
+--- a/test/recipes/40-test_rehash.t
++++ b/test/recipes/40-test_rehash.t
+@@ -23,7 +23,7 @@ setup("test_rehash");
+ plan skip_all => "test_rehash is not available on this platform"
+ unless run(app(["openssl", "rehash", "-help"]));
+
+-plan tests => 5;
++plan tests => 3;
+
+ indir "rehash.$$" => sub {
+ prepare();
+@@ -42,21 +42,6 @@ indir "rehash.$$" => sub {
+ 'Testing rehash operations on empty directory');
+ }, create => 1, cleanup => 1;
+
+-indir "rehash.$$" => sub {
+- prepare();
+- chmod 0500, curdir();
+- SKIP: {
+- if (!ok(!open(FOO, ">unwritable.txt"),
+- "Testing that we aren't running as a privileged user, such as root")) {
+- close FOO;
+- skip "It's pointless to run the next test as root", 1;
+- }
+- isnt(run(app(["openssl", "rehash", curdir()])), 1,
+- 'Testing rehash operations on readonly directory');
+- }
+- chmod 0700, curdir(); # make it writable again, so cleanup works
+-}, create => 1, cleanup => 1;
+-
+ sub prepare {
+ my @pemsourcefiles = sort glob(srctop_file('test', "*.pem"));
+ my @destfiles = ();
+--
+2.11.0
+
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch b/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
new file mode 100644
index 00000000000..6ce4e47d712
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
@@ -0,0 +1,43 @@
+From 08face4353d80111973aba9c1304c92158cfad0e Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 28 Mar 2017 16:40:12 +0300
+Subject: [PATCH] Take linking flags from LDFLAGS env var
+
+This fixes "No GNU_HASH in the elf binary" issues.
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ Configurations/unix-Makefile.tmpl | 2 +-
+ Configure | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index c029817..43b769b 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -173,7 +173,7 @@ CROSS_COMPILE= {- $config{cross_compile_prefix} -}
+ CC= $(CROSS_COMPILE){- $target{cc} -}
+ CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
+ CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
+-LDFLAGS= {- $target{lflags} -}
++LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -}
+ PLIB_LDFLAGS= {- $target{plib_lflags} -}
+ EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -}
+ LIB_CFLAGS={- $target{shared_cflag} || "" -}
+diff --git a/Configure b/Configure
+index aee7cc3..274d236 100755
+--- a/Configure
++++ b/Configure
+@@ -979,7 +979,7 @@ $config{build_file} = $target{build_file};
+ $config{defines} = [];
+ $config{cflags} = "";
+ $config{ex_libs} = "";
+-$config{shared_ldflag} = "";
++$config{shared_ldflag} = $ENV{'LDFLAGS'};
+
+ # Make sure build_scheme is consistent.
+ $target{build_scheme} = [ $target{build_scheme} ]
+--
+2.11.0
+
diff --git a/meta/recipes-connectivity/openssl/openssl/run-ptest b/meta/recipes-connectivity/openssl/openssl/run-ptest
old mode 100755
new mode 100644
index 3b20fce1ee9..65c6cc7b862
--- a/meta/recipes-connectivity/openssl/openssl/run-ptest
+++ b/meta/recipes-connectivity/openssl/openssl/run-ptest
@@ -1,2 +1,4 @@
#!/bin/sh
-make -k runtest
+cd test
+OPENSSL_ENGINES=../engines BLDTOP=.. SRCTOP=.. perl run_tests.pl
+cd ..
diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl10.inc
similarity index 95%
rename from meta/recipes-connectivity/openssl/openssl.inc
rename to meta/recipes-connectivity/openssl/openssl10.inc
index 8f2a797b89c..23b60c8bbf2 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl10.inc
@@ -37,8 +37,6 @@ FILES_${PN} =+ " ${libdir}/ssl/*"
FILES_${PN}-misc = "${libdir}/ssl/misc"
RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
-PROVIDES += "openssl10"
-
# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
# package RRECOMMENDS on this package. This will enable the configuration
# file to be installed for both the base openssl package and the libcrypto
@@ -250,3 +248,15 @@ do_install_append_class-native() {
}
BBCLASSEXTEND = "native nativesdk"
+
+PACKAGE_PREPROCESS_FUNCS += "openssl_package_preprocess"
+
+openssl_package_preprocess () {
+ for file in `find ${PKGD} -name *.h -o -name *.pc -o -name *.so`; do
+ rm $file
+ done
+ rm ${PKGD}/usr/bin/openssl
+ rm ${PKGD}/usr/bin/c_rehash
+ rmdir ${PKGD}/usr/bin
+
+}
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Fix-build-with-clang-using-external-assembler.patch b/meta/recipes-connectivity/openssl/openssl10/0001-Fix-build-with-clang-using-external-assembler.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/0001-Fix-build-with-clang-using-external-assembler.patch
rename to meta/recipes-connectivity/openssl/openssl10/0001-Fix-build-with-clang-using-external-assembler.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch b/meta/recipes-connectivity/openssl/openssl10/Makefiles-ptest.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch
rename to meta/recipes-connectivity/openssl/openssl10/Makefiles-ptest.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch b/meta/recipes-connectivity/openssl/openssl10/Use-SHA256-not-MD5-as-default-digest.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch
rename to meta/recipes-connectivity/openssl/openssl10/Use-SHA256-not-MD5-as-default-digest.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/configure-musl-target.patch b/meta/recipes-connectivity/openssl/openssl10/configure-musl-target.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/configure-musl-target.patch
rename to meta/recipes-connectivity/openssl/openssl10/configure-musl-target.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/configure-targets.patch b/meta/recipes-connectivity/openssl/openssl10/configure-targets.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/configure-targets.patch
rename to meta/recipes-connectivity/openssl/openssl10/configure-targets.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch b/meta/recipes-connectivity/openssl/openssl10/debian/c_rehash-compat.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/c_rehash-compat.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian/ca.patch b/meta/recipes-connectivity/openssl/openssl10/debian/ca.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian/ca.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/ca.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian/debian-targets.patch b/meta/recipes-connectivity/openssl/openssl10/debian/debian-targets.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian/debian-targets.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/debian-targets.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian/man-dir.patch b/meta/recipes-connectivity/openssl/openssl10/debian/man-dir.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian/man-dir.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/man-dir.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch b/meta/recipes-connectivity/openssl/openssl10/debian/man-section.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian/man-section.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/man-section.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian/no-rpath.patch b/meta/recipes-connectivity/openssl/openssl10/debian/no-rpath.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian/no-rpath.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/no-rpath.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian/no-symbolic.patch b/meta/recipes-connectivity/openssl/openssl10/debian/no-symbolic.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian/no-symbolic.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/no-symbolic.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian/pic.patch b/meta/recipes-connectivity/openssl/openssl10/debian/pic.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian/pic.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/pic.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian/version-script.patch b/meta/recipes-connectivity/openssl/openssl10/debian/version-script.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian/version-script.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/version-script.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch b/meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_digicert_malaysia.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_digicert_malaysia.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_diginotar.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_diginotar.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch b/meta/recipes-connectivity/openssl/openssl10/debian1.0.2/version-script.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian1.0.2/version-script.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/engines-install-in-libdir-ssl.patch b/meta/recipes-connectivity/openssl/openssl10/engines-install-in-libdir-ssl.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/engines-install-in-libdir-ssl.patch
rename to meta/recipes-connectivity/openssl/openssl10/engines-install-in-libdir-ssl.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/find.pl b/meta/recipes-connectivity/openssl/openssl10/find.pl
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/find.pl
rename to meta/recipes-connectivity/openssl/openssl10/find.pl
diff --git a/meta/recipes-connectivity/openssl/openssl/fix-cipher-des-ede3-cfb1.patch b/meta/recipes-connectivity/openssl/openssl10/fix-cipher-des-ede3-cfb1.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/fix-cipher-des-ede3-cfb1.patch
rename to meta/recipes-connectivity/openssl/openssl10/fix-cipher-des-ede3-cfb1.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/oe-ldflags.patch b/meta/recipes-connectivity/openssl/openssl10/oe-ldflags.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/oe-ldflags.patch
rename to meta/recipes-connectivity/openssl/openssl10/oe-ldflags.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.2a-x32-asm.patch b/meta/recipes-connectivity/openssl/openssl10/openssl-1.0.2a-x32-asm.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/openssl-1.0.2a-x32-asm.patch
rename to meta/recipes-connectivity/openssl/openssl10/openssl-1.0.2a-x32-asm.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch b/meta/recipes-connectivity/openssl/openssl10/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
rename to meta/recipes-connectivity/openssl/openssl10/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl10/openssl-c_rehash.sh
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
rename to meta/recipes-connectivity/openssl/openssl10/openssl-c_rehash.sh
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-des.pod-error.patch b/meta/recipes-connectivity/openssl/openssl10/openssl-fix-des.pod-error.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/openssl-fix-des.pod-error.patch
rename to meta/recipes-connectivity/openssl/openssl10/openssl-fix-des.pod-error.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch b/meta/recipes-connectivity/openssl/openssl10/openssl-util-perlpath.pl-cwd.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch
rename to meta/recipes-connectivity/openssl/openssl10/openssl-util-perlpath.pl-cwd.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch b/meta/recipes-connectivity/openssl/openssl10/openssl_fix_for_x32.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch
rename to meta/recipes-connectivity/openssl/openssl10/openssl_fix_for_x32.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/parallel.patch b/meta/recipes-connectivity/openssl/openssl10/parallel.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/parallel.patch
rename to meta/recipes-connectivity/openssl/openssl10/parallel.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/ptest-deps.patch b/meta/recipes-connectivity/openssl/openssl10/ptest-deps.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/ptest-deps.patch
rename to meta/recipes-connectivity/openssl/openssl10/ptest-deps.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/ptest_makefile_deps.patch b/meta/recipes-connectivity/openssl/openssl10/ptest_makefile_deps.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/ptest_makefile_deps.patch
rename to meta/recipes-connectivity/openssl/openssl10/ptest_makefile_deps.patch
diff --git a/meta/recipes-connectivity/openssl/openssl10/run-ptest b/meta/recipes-connectivity/openssl/openssl10/run-ptest
new file mode 100755
index 00000000000..3b20fce1ee9
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl10/run-ptest
@@ -0,0 +1,2 @@
+#!/bin/sh
+make -k runtest
diff --git a/meta/recipes-connectivity/openssl/openssl/shared-libs.patch b/meta/recipes-connectivity/openssl/openssl10/shared-libs.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/shared-libs.patch
rename to meta/recipes-connectivity/openssl/openssl10/shared-libs.patch
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb b/meta/recipes-connectivity/openssl/openssl10_1.0.2k.bb
similarity index 97%
rename from meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
rename to meta/recipes-connectivity/openssl/openssl10_1.0.2k.bb
index 83d1a500c23..271351f68d5 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
+++ b/meta/recipes-connectivity/openssl/openssl10_1.0.2k.bb
@@ -1,4 +1,4 @@
-require openssl.inc
+require openssl10.inc
# For target side versions of openssl enable support for OCF Linux driver
# if they are available.
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"
export DIRS = "crypto ssl apps engines"
export OE_LDFLAGS="${LDFLAGS}"
-SRC_URI += "file://find.pl;subdir=${BP}/util/ \
+SRC_URI += "file://find.pl;subdir=openssl-${PV}/util/ \
file://run-ptest \
file://openssl-c_rehash.sh \
file://configure-targets.patch \
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0e.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0e.bb
new file mode 100644
index 00000000000..236fe427744
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.0e.bb
@@ -0,0 +1,146 @@
+SUMMARY = "Secure Socket Layer"
+DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
+HOMEPAGE = "http://www.openssl.org/"
+BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
+SECTION = "libs/network"
+
+# "openssl | SSLeay" dual license
+LICENSE = "openssl"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=2100bdc885ac4cdc9783c562639ddc1f"
+
+BBCLASSEXTEND = "native nativesdk"
+
+SRC_URI[md5sum] = "51c42d152122e474754aea96f66928c6"
+SRC_URI[sha256sum] = "57be8618979d80c910728cfc99369bf97b2a1abd8f366ab6ebdee8975ad3874c"
+
+SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+ file://run-ptest \
+ file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
+ file://0001-Remove-test-that-requires-running-as-non-root.patch \
+ "
+
+S = "${WORKDIR}/openssl-${PV}"
+
+inherit lib_package multilib_header ptest
+
+do_configure () {
+ os=${HOST_OS}
+ case $os in
+ linux-uclibc |\
+ linux-uclibceabi |\
+ linux-gnueabi |\
+ linux-uclibcspe |\
+ linux-gnuspe |\
+ linux-musl*)
+ os=linux
+ ;;
+ *)
+ ;;
+ esac
+ target="$os-${HOST_ARCH}"
+ case $target in
+ linux-arm)
+ target=linux-armv4
+ ;;
+ linux-armeb)
+ target=linux-armv4
+ ;;
+ linux-aarch64*)
+ target=linux-aarch64
+ ;;
+ linux-sh3)
+ target=linux-generic32
+ ;;
+ linux-sh4)
+ target=linux-generic32
+ ;;
+ linux-i486)
+ target=linux-elf
+ ;;
+ linux-i586 | linux-viac3)
+ target=linux-elf
+ ;;
+ linux-i686)
+ target=linux-elf
+ ;;
+ linux-gnux32-x86_64)
+ target=linux-x32
+ ;;
+ linux-gnu64-x86_64)
+ target=linux-x86_64
+ ;;
+ linux-mips)
+ # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
+ target="linux-mips32 ${TARGET_CC_ARCH}"
+ ;;
+ linux-mipsel)
+ target="linux-mips32 ${TARGET_CC_ARCH}"
+ ;;
+ linux-gnun32-mips*)
+ target=linux-mips64
+ ;;
+ linux-*-mips64 | linux-mips64)
+ target=linux64-mips64
+ ;;
+ linux-*-mips64el | linux-mips64el)
+ target=linux64-mips64
+ ;;
+ linux-microblaze*|linux-nios2*)
+ target=linux-generic32
+ ;;
+ linux-powerpc)
+ target=linux-ppc
+ ;;
+ linux-powerpc64)
+ target=linux-ppc64
+ ;;
+ linux-supersparc)
+ target=linux-sparcv9
+ ;;
+ linux-sparc)
+ target=linux-sparcv9
+ ;;
+ darwin-i386)
+ target=darwin-i386-cc
+ ;;
+ esac
+ useprefix=${prefix}
+ if [ "x$useprefix" = "x" ]; then
+ useprefix=/
+ fi
+ perl ./Configure ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=`basename ${libdir}` $target
+}
+
+#| engines/afalg/e_afalg.c: In function 'eventfd':
+#| engines/afalg/e_afalg.c:110:20: error: '__NR_eventfd' undeclared (first use in this function)
+#| return syscall(__NR_eventfd, n);
+#| ^~~~~~~~~~~~
+EXTRA_OECONF_aarch64 += "no-afalgeng"
+
+#| ./libcrypto.so: undefined reference to `getcontext'
+#| ./libcrypto.so: undefined reference to `setcontext'
+#| ./libcrypto.so: undefined reference to `makecontext'
+EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC"
+
+do_install () {
+ oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
+ oe_multilib_header openssl/opensslconf.h
+}
+
+do_install_ptest() {
+ cp -r * ${D}${PTEST_PATH}
+
+ # Putting .so files in ptest package will mess up the dependencies of the main openssl package
+ # so we rename them to .so.ptest and patch the test accordingly
+ mv ${D}${PTEST_PATH}/libcrypto.so ${D}${PTEST_PATH}/libcrypto.so.ptest
+ mv ${D}${PTEST_PATH}/libssl.so ${D}${PTEST_PATH}/libssl.so.ptest
+ sed -i 's/$target{shared_extension_simple}/".so.ptest"/' ${D}${PTEST_PATH}/test/recipes/90-test_shlibload.t
+}
+
+RDEPENDS_${PN}-ptest += "perl-module-file-spec-functions"
+
+FILES_${PN} =+ " ${libdir}/ssl-1.1/*"
+
+PACKAGES =+ "${PN}-engines"
+FILES_${PN}-engines = "${libdir}/engines-1.1"
+
--
2.11.0
^ permalink raw reply related [flat|nested] 30+ messages in thread* [RFC PATCH 03/10] u-boot-mkimage: depend on openssl 1.0
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
2017-05-10 14:13 ` [RFC PATCH 01/10] python: update to 3.5.3 Alexander Kanavin
2017-05-10 14:13 ` [RFC PATCH 02/10] openssl: add a 1.1 version Alexander Kanavin
@ 2017-05-10 14:13 ` Alexander Kanavin
2017-05-10 14:13 ` [RFC PATCH 04/10] bind: fix upstream version check Alexander Kanavin
` (8 subsequent siblings)
11 siblings, 0 replies; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 14:13 UTC (permalink / raw)
To: openembedded-core
Patches have been circulating [1] but nothing
showed up in git repo yet.
[1] https://lists.denx.de/pipermail/u-boot/2017-April/285915.html
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
meta/recipes-bsp/u-boot/u-boot-mkimage_2017.01.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-bsp/u-boot/u-boot-mkimage_2017.01.bb b/meta/recipes-bsp/u-boot/u-boot-mkimage_2017.01.bb
index 1aa95e7c866..5dd30f4896d 100644
--- a/meta/recipes-bsp/u-boot/u-boot-mkimage_2017.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot-mkimage_2017.01.bb
@@ -3,7 +3,7 @@ require u-boot-common_${PV}.inc
SRC_URI += "file://default-gcc.patch"
SUMMARY = "U-Boot bootloader image creation tool"
-DEPENDS = "openssl"
+DEPENDS = "openssl10"
EXTRA_OEMAKE_class-target = 'CROSS_COMPILE="${TARGET_PREFIX}" CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1'
EXTRA_OEMAKE_class-native = 'CC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1'
--
2.11.0
^ permalink raw reply related [flat|nested] 30+ messages in thread* [RFC PATCH 04/10] bind: fix upstream version check
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
` (2 preceding siblings ...)
2017-05-10 14:13 ` [RFC PATCH 03/10] u-boot-mkimage: depend on openssl 1.0 Alexander Kanavin
@ 2017-05-10 14:13 ` Alexander Kanavin
2017-05-10 14:13 ` [RFC PATCH 05/10] bind: update to 9.10.5 Alexander Kanavin
` (7 subsequent siblings)
11 siblings, 0 replies; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 14:13 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
index 81606252828..18249f2a83a 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -31,6 +31,9 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://CVE-2016-6170.patch \
"
+UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/bind9/"
+UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/"
+
SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"
SRC_URI[sha256sum] = "690810d1fbb72afa629e74638d19cd44e28d2b2e5eb63f55c705ad85d1a4cb83"
--
2.11.0
^ permalink raw reply related [flat|nested] 30+ messages in thread* [RFC PATCH 05/10] bind: update to 9.10.5
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
` (3 preceding siblings ...)
2017-05-10 14:13 ` [RFC PATCH 04/10] bind: fix upstream version check Alexander Kanavin
@ 2017-05-10 14:13 ` Alexander Kanavin
2017-05-12 15:43 ` Burton, Ross
2017-05-10 14:13 ` [RFC PATCH 06/10] openssh: depend on openssl 1.0 Alexander Kanavin
` (6 subsequent siblings)
11 siblings, 1 reply; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 14:13 UTC (permalink / raw)
To: openembedded-core
This is needed to support openssl 1.1; updating to 9.11.x
should be done later by recipe maintainer.
Drop upstreamed patches.
Rebase bind-confgen-build-unix.o-once.patch and 0001-build-use-pkg-config-to-find-libxml2.patch
Add support for Python 3 bindings
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
...0001-build-use-pkg-config-to-find-libxml2.patch | 14 +-
...=> 0001-confgen-don-t-build-unix.o-twice.patch} | 17 +-
.../bind/bind/CVE-2016-1285.patch | 154 ----------
.../bind/bind/CVE-2016-1286_1.patch | 79 -----
.../bind/bind/CVE-2016-1286_2.patch | 317 ---------------------
.../bind/bind/CVE-2016-2088.patch | 247 ----------------
.../bind/bind/CVE-2016-2775.patch | 90 ------
.../bind/bind/CVE-2016-2776.patch | 123 --------
.../bind/bind/mips1-not-support-opcode.diff | 104 -------
.../bind/{bind_9.10.3-P3.bb => bind_9.10.5.bb} | 24 +-
10 files changed, 28 insertions(+), 1141 deletions(-)
rename meta/recipes-connectivity/bind/bind/{bind-confgen-build-unix.o-once.patch => 0001-confgen-don-t-build-unix.o-twice.patch} (80%)
delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
rename meta/recipes-connectivity/bind/{bind_9.10.3-P3.bb => bind_9.10.5.bb} (83%)
diff --git a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
index 805cbb3315a..e812296f64a 100644
--- a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
+++ b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
@@ -1,3 +1,8 @@
+From 8031da48a6a3cb01e907dd199ad4f34c90b22969 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Thu, 7 May 2015 15:30:53 +0100
+Subject: [PATCH 6/9] bind: update libxml2 detection patch
+
xml2-config is disabled, so change the configure script to use pkgconfig to find
libxml2.
@@ -7,15 +12,16 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
Update context for version 9.10.3-P2.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
---
configure.in | 23 +++--------------------
1 file changed, 3 insertions(+), 20 deletions(-)
diff --git a/configure.in b/configure.in
-index 0db826d..75819eb 100644
+index cb66823..5112f3a 100644
--- a/configure.in
+++ b/configure.in
-@@ -2107,26 +2107,9 @@ case "$use_libxml2" in
+@@ -2281,26 +2281,9 @@ case "$use_libxml2" in
DST_LIBXML2_INC=""
;;
auto|yes)
@@ -25,7 +31,7 @@ index 0db826d..75819eb 100644
- libxml2_cflags=`xml2-config --cflags`
- ;;
- *)
-- if test "$use_libxml2" = "yes" ; then
+- if test "yes" = "$use_libxml2" ; then
- AC_MSG_RESULT(no)
- AC_MSG_ERROR(required libxml2 version not available)
- else
@@ -46,5 +52,5 @@ index 0db826d..75819eb 100644
;;
esac
--
-2.1.4
+2.11.0
diff --git a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch b/meta/recipes-connectivity/bind/bind/0001-confgen-don-t-build-unix.o-twice.patch
similarity index 80%
rename from meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch
rename to meta/recipes-connectivity/bind/bind/0001-confgen-don-t-build-unix.o-twice.patch
index 096d5d84fc9..82dfd775306 100644
--- a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch
+++ b/meta/recipes-connectivity/bind/bind/0001-confgen-don-t-build-unix.o-twice.patch
@@ -1,6 +1,6 @@
-From 9b40619ff6fddfef2758ba797789f8487f412df3 Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Mon, 16 Feb 2015 00:50:01 -0800
+From c9c7ac9c7e231f086bfa1e4c63fe1213cd2b2694 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Mon, 3 Apr 2017 14:29:18 +0300
Subject: [PATCH] confgen: don't build unix.o twice
Fixed:
@@ -17,28 +17,29 @@ problem.
Upstream-Status: Pending
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
- bin/confgen/Makefile.in | 4 ++--
+ bin/confgen/Makefile.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
-index 8b3e5aa..4868a24 100644
+index dca272f..02becce 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -74,11 +74,11 @@ rndc-confgen.@O@: rndc-confgen.c
ddns-confgen.@O@: ddns-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
--rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS)
export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
--ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+-ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS)
export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
--
-1.7.9.5
+2.11.0
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
deleted file mode 100644
index 2149bd180dc..00000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Thu, 18 Feb 2016 12:11:27 +1100
-Subject: [PATCH] 4318. [security] Malformed control messages can
- trigger assertions in named and rndc. (CVE-2016-1285)
- [RT #41666]
-
-(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
-
-CVE: CVE-2016-1285
-Upstream-Status: Backport
-[Removed doc/arm/notes.xml changes from upstream patch]
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
- CHANGES | 3 +++
- bin/named/control.c | 2 +-
- bin/named/controlconf.c | 2 +-
- bin/rndc/rndc.c | 8 ++++----
- doc/arm/notes.xml | 11 +++++++++++
- lib/isccc/cc.c | 14 +++++++-------
- 6 files changed, 27 insertions(+), 13 deletions(-)
-
-diff --git a/CHANGES b/CHANGES
-index b9bd9ef..2c727d5 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,6 @@
-+4318. [security] Malformed control messages can trigger assertions
-+ in named and rndc. (CVE-2016-1285) [RT #41666]
-+
- --- 9.10.3-P3 released ---
-
- 4288. [bug] Fixed a regression in resolver.c:possibly_mark()
-diff --git a/bin/named/control.c b/bin/named/control.c
-index 8554335..81340ca 100644
---- a/bin/named/control.c
-+++ b/bin/named/control.c
-@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
- #endif
-
- data = isccc_alist_lookup(message, "_data");
-- if (data == NULL) {
-+ if (!isccc_alist_alistp(data)) {
- /*
- * No data section.
- */
-diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
-index 765afdd..a39ab8b 100644
---- a/bin/named/controlconf.c
-+++ b/bin/named/controlconf.c
-@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
- * Limit exposure to replay attacks.
- */
- _ctrl = isccc_alist_lookup(request, "_ctrl");
-- if (_ctrl == NULL) {
-+ if (!isccc_alist_alistp(_ctrl)) {
- log_invalid(&conn->ccmsg, ISC_R_FAILURE);
- goto cleanup_request;
- }
-diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
-index cb17050..b6e05c8 100644
---- a/bin/rndc/rndc.c
-+++ b/bin/rndc/rndc.c
-@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
- isccc_cc_fromwire(&source, &response, algorithm, &secret));
-
- data = isccc_alist_lookup(response, "_data");
-- if (data == NULL)
-- fatal("no data section in response");
-+ if (!isccc_alist_alistp(data))
-+ fatal("bad or missing data section in response");
- result = isccc_cc_lookupstring(data, "err", &errormsg);
- if (result == ISC_R_SUCCESS) {
- failed = ISC_TRUE;
-@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
- isccc_cc_fromwire(&source, &response, algorithm, &secret));
-
- _ctrl = isccc_alist_lookup(response, "_ctrl");
-- if (_ctrl == NULL)
-- fatal("_ctrl section missing");
-+ if (!isccc_alist_alistp(_ctrl))
-+ fatal("bad or missing ctrl section in response");
- nonce = 0;
- if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
- nonce = 0;
-diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
-index 47a3b74..2bb961e 100644
---- a/lib/isccc/cc.c
-+++ b/lib/isccc/cc.c
-@@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
- * Extract digest.
- */
- _auth = isccc_alist_lookup(alist, "_auth");
-- if (_auth == NULL)
-+ if (!isccc_alist_alistp(_auth))
- return (ISC_R_FAILURE);
- if (algorithm == ISCCC_ALG_HMACMD5)
- hmac = isccc_alist_lookup(_auth, "hmd5");
- else
- hmac = isccc_alist_lookup(_auth, "hsha");
-- if (hmac == NULL)
-+ if (!isccc_sexpr_binaryp(hmac))
- return (ISC_R_FAILURE);
- /*
- * Compute digest.
-@@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
- REQUIRE(ackp != NULL && *ackp == NULL);
-
- _ctrl = isccc_alist_lookup(message, "_ctrl");
-- if (_ctrl == NULL ||
-+ if (!isccc_alist_alistp(_ctrl) ||
- isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
- isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
- return (ISC_R_FAILURE);
-@@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message)
- isccc_sexpr_t *_ctrl;
-
- _ctrl = isccc_alist_lookup(message, "_ctrl");
-- if (_ctrl == NULL)
-+ if (!isccc_alist_alistp(_ctrl))
- return (ISC_FALSE);
- if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
- return (ISC_TRUE);
-@@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
- isccc_sexpr_t *_ctrl;
-
- _ctrl = isccc_alist_lookup(message, "_ctrl");
-- if (_ctrl == NULL)
-+ if (!isccc_alist_alistp(_ctrl))
- return (ISC_FALSE);
- if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
- return (ISC_TRUE);
-@@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
-
- _ctrl = isccc_alist_lookup(message, "_ctrl");
- _data = isccc_alist_lookup(message, "_data");
-- if (_ctrl == NULL || _data == NULL ||
-+ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
- isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
- isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
- return (ISC_R_FAILURE);
-@@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
- isccc_sexpr_t *_ctrl;
-
- _ctrl = isccc_alist_lookup(message, "_ctrl");
-- if (_ctrl == NULL ||
-+ if (!isccc_alist_alistp(_ctrl) ||
- isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
- isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
- return (ISC_R_FAILURE);
---
-1.9.1
-
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
deleted file mode 100644
index ae5cc48d9cc..00000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001
-From: Mukund Sivaraman <muks@isc.org>
-Date: Mon, 22 Feb 2016 12:22:43 +0530
-Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
- (CVE-2016-1286) (#41753)
-
-(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)
-
-CVE: CVE-2016-1286
-Upstream-Status: Backport
-
-[Removed doc/arm/notes.xml changes from upstream patch.]
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-diff -ruN a/CHANGES b/CHANGES
---- a/CHANGES 2016-04-13 07:28:44.940873629 +0200
-+++ b/CHANGES 2016-04-13 07:38:38.923167851 +0200
-@@ -1,3 +1,7 @@
-+4319. [security] Fix resolver assertion failure due to improper
-+ DNAME handling when parsing fetch reply messages.
-+ (CVE-2016-1286) [RT #41753]
-+
- 4318. [security] Malformed control messages can trigger assertions
- in named and rndc. (CVE-2016-1285) [RT #41666]
-
-diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c
---- a/lib/dns/resolver.c 2016-04-13 07:28:43.088953790 +0200
-+++ b/lib/dns/resolver.c 2016-04-13 07:38:20.411968925 +0200
-@@ -6967,21 +6967,26 @@
- isc_boolean_t found_dname = ISC_FALSE;
- dns_name_t *dname_name;
-
-+ /*
-+ * Only pass DNAME or RRSIG(DNAME).
-+ */
-+ if (rdataset->type != dns_rdatatype_dname &&
-+ (rdataset->type != dns_rdatatype_rrsig ||
-+ rdataset->covers != dns_rdatatype_dname))
-+ continue;
-+
-+ /*
-+ * If we're not chaining, then the DNAME and
-+ * its signature should not be external.
-+ */
-+ if (!chaining && external) {
-+ log_formerr(fctx, "external DNAME");
-+ return (DNS_R_FORMERR);
-+ }
-+
- found = ISC_FALSE;
- aflag = 0;
- if (rdataset->type == dns_rdatatype_dname) {
-- /*
-- * We're looking for something else,
-- * but we found a DNAME.
-- *
-- * If we're not chaining, then the
-- * DNAME should not be external.
-- */
-- if (!chaining && external) {
-- log_formerr(fctx,
-- "external DNAME");
-- return (DNS_R_FORMERR);
-- }
- found = ISC_TRUE;
- want_chaining = ISC_TRUE;
- POST(want_chaining);
-@@ -7010,9 +7015,7 @@
- &fctx->domain)) {
- return (DNS_R_SERVFAIL);
- }
-- } else if (rdataset->type == dns_rdatatype_rrsig
-- && rdataset->covers ==
-- dns_rdatatype_dname) {
-+ } else {
- /*
- * We've found a signature that
- * covers the DNAME.
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
deleted file mode 100644
index 5f5cb0d340f..00000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
+++ /dev/null
@@ -1,317 +0,0 @@
-From 7602be276a73a6eb5431c5acd9718e68a55e8b61 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Mon, 29 Feb 2016 07:16:48 +1100
-Subject: [PATCH] Part 2 of: 4319. [security] Fix resolver assertion
- failure due to improper DNAME handling when parsing
- fetch reply messages. (CVE-2016-1286) [RT #41753]
-
-CVE: CVE-2016-1286
-Upstream-Status: Backport
-
-(cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374)
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
- lib/dns/resolver.c | 192 ++++++++++++++++++++++++++---------------------------
- 1 file changed, 93 insertions(+), 99 deletions(-)
-
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index 70aba87..41e9df4 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -6074,14 +6074,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
- }
-
- static inline isc_result_t
--dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
-- dns_name_t *oname, dns_fixedname_t *fixeddname)
-+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
-+ unsigned int nlabels, dns_fixedname_t *fixeddname)
- {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
-- unsigned int nlabels;
-- int order;
-- dns_namereln_t namereln;
- dns_rdata_dname_t dname;
- dns_fixedname_t prefix;
-
-@@ -6096,21 +6093,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
- if (result != ISC_R_SUCCESS)
- return (result);
-
-- /*
-- * Get the prefix of qname.
-- */
-- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
-- if (namereln != dns_namereln_subdomain) {
-- char qbuf[DNS_NAME_FORMATSIZE];
-- char obuf[DNS_NAME_FORMATSIZE];
--
-- dns_rdata_freestruct(&dname);
-- dns_name_format(qname, qbuf, sizeof(qbuf));
-- dns_name_format(oname, obuf, sizeof(obuf));
-- log_formerr(fctx, "unrelated DNAME in answer: "
-- "%s is not in %s", qbuf, obuf);
-- return (DNS_R_FORMERR);
-- }
- dns_fixedname_init(&prefix);
- dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
- dns_fixedname_init(fixeddname);
-@@ -6736,13 +6718,13 @@ static isc_result_t
- answer_response(fetchctx_t *fctx) {
- isc_result_t result;
- dns_message_t *message;
-- dns_name_t *name, *qname, tname, *ns_name;
-+ dns_name_t *name, *dname, *qname, tname, *ns_name;
- dns_rdataset_t *rdataset, *ns_rdataset;
- isc_boolean_t done, external, chaining, aa, found, want_chaining;
- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
- unsigned int aflag;
- dns_rdatatype_t type;
-- dns_fixedname_t dname, fqname;
-+ dns_fixedname_t fdname, fqname;
- dns_view_t *view;
-
- FCTXTRACE("answer_response");
-@@ -6770,10 +6752,15 @@ answer_response(fetchctx_t *fctx) {
- view = fctx->res->view;
- result = dns_message_firstname(message, DNS_SECTION_ANSWER);
- while (!done && result == ISC_R_SUCCESS) {
-+ dns_namereln_t namereln;
-+ int order;
-+ unsigned int nlabels;
-+
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
- external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
-- if (dns_name_equal(name, qname)) {
-+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
-+ if (namereln == dns_namereln_equal) {
- wanted_chaining = ISC_FALSE;
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
-@@ -6898,10 +6885,11 @@ answer_response(fetchctx_t *fctx) {
- */
- INSIST(!external);
- if (aflag ==
-- DNS_RDATASETATTR_ANSWER)
-+ DNS_RDATASETATTR_ANSWER) {
- have_answer = ISC_TRUE;
-- name->attributes |=
-- DNS_NAMEATTR_ANSWER;
-+ name->attributes |=
-+ DNS_NAMEATTR_ANSWER;
-+ }
- rdataset->attributes |= aflag;
- if (aa)
- rdataset->trust =
-@@ -6956,6 +6944,8 @@ answer_response(fetchctx_t *fctx) {
- if (wanted_chaining)
- chaining = ISC_TRUE;
- } else {
-+ dns_rdataset_t *dnameset = NULL;
-+
- /*
- * Look for a DNAME (or its SIG). Anything else is
- * ignored.
-@@ -6963,10 +6953,8 @@ answer_response(fetchctx_t *fctx) {
- wanted_chaining = ISC_FALSE;
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
-- rdataset = ISC_LIST_NEXT(rdataset, link)) {
-- isc_boolean_t found_dname = ISC_FALSE;
-- dns_name_t *dname_name;
--
-+ rdataset = ISC_LIST_NEXT(rdataset, link))
-+ {
- /*
- * Only pass DNAME or RRSIG(DNAME).
- */
-@@ -6980,20 +6968,41 @@ answer_response(fetchctx_t *fctx) {
- * its signature should not be external.
- */
- if (!chaining && external) {
-- log_formerr(fctx, "external DNAME");
-+ char qbuf[DNS_NAME_FORMATSIZE];
-+ char obuf[DNS_NAME_FORMATSIZE];
-+
-+ dns_name_format(name, qbuf,
-+ sizeof(qbuf));
-+ dns_name_format(&fctx->domain, obuf,
-+ sizeof(obuf));
-+ log_formerr(fctx, "external DNAME or "
-+ "RRSIG covering DNAME "
-+ "in answer: %s is "
-+ "not in %s", qbuf, obuf);
-+ return (DNS_R_FORMERR);
-+ }
-+
-+ if (namereln != dns_namereln_subdomain) {
-+ char qbuf[DNS_NAME_FORMATSIZE];
-+ char obuf[DNS_NAME_FORMATSIZE];
-+
-+ dns_name_format(qname, qbuf,
-+ sizeof(qbuf));
-+ dns_name_format(name, obuf,
-+ sizeof(obuf));
-+ log_formerr(fctx, "unrelated DNAME "
-+ "in answer: %s is "
-+ "not in %s", qbuf, obuf);
- return (DNS_R_FORMERR);
- }
-
-- found = ISC_FALSE;
- aflag = 0;
- if (rdataset->type == dns_rdatatype_dname) {
-- found = ISC_TRUE;
- want_chaining = ISC_TRUE;
- POST(want_chaining);
- aflag = DNS_RDATASETATTR_ANSWER;
-- result = dname_target(fctx, rdataset,
-- qname, name,
-- &dname);
-+ result = dname_target(rdataset, qname,
-+ nlabels, &fdname);
- if (result == ISC_R_NOSPACE) {
- /*
- * We can't construct the
-@@ -7005,14 +7014,12 @@ answer_response(fetchctx_t *fctx) {
- } else if (result != ISC_R_SUCCESS)
- return (result);
- else
-- found_dname = ISC_TRUE;
-+ dnameset = rdataset;
-
-- dname_name = dns_fixedname_name(&dname);
-+ dname = dns_fixedname_name(&fdname);
- if (!is_answertarget_allowed(view,
-- qname,
-- rdataset->type,
-- dname_name,
-- &fctx->domain)) {
-+ qname, rdataset->type,
-+ dname, &fctx->domain)) {
- return (DNS_R_SERVFAIL);
- }
- } else {
-@@ -7020,73 +7027,60 @@ answer_response(fetchctx_t *fctx) {
- * We've found a signature that
- * covers the DNAME.
- */
-- found = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWERSIG;
- }
-
-- if (found) {
-+ /*
-+ * We've found an answer to our
-+ * question.
-+ */
-+ name->attributes |= DNS_NAMEATTR_CACHE;
-+ rdataset->attributes |= DNS_RDATASETATTR_CACHE;
-+ rdataset->trust = dns_trust_answer;
-+ if (!chaining) {
- /*
-- * We've found an answer to our
-- * question.
-+ * This data is "the" answer to
-+ * our question only if we're
-+ * not chaining.
- */
-- name->attributes |=
-- DNS_NAMEATTR_CACHE;
-- rdataset->attributes |=
-- DNS_RDATASETATTR_CACHE;
-- rdataset->trust = dns_trust_answer;
-- if (!chaining) {
-- /*
-- * This data is "the" answer
-- * to our question only if
-- * we're not chaining.
-- */
-- INSIST(!external);
-- if (aflag ==
-- DNS_RDATASETATTR_ANSWER)
-- have_answer = ISC_TRUE;
-+ INSIST(!external);
-+ if (aflag == DNS_RDATASETATTR_ANSWER) {
-+ have_answer = ISC_TRUE;
- name->attributes |=
- DNS_NAMEATTR_ANSWER;
-- rdataset->attributes |= aflag;
-- if (aa)
-- rdataset->trust =
-- dns_trust_authanswer;
-- } else if (external) {
-- rdataset->attributes |=
-- DNS_RDATASETATTR_EXTERNAL;
-- }
--
-- /*
-- * DNAME chaining.
-- */
-- if (found_dname) {
-- /*
-- * Copy the dname into the
-- * qname fixed name.
-- *
-- * Although we check for
-- * failure of the copy
-- * operation, in practice it
-- * should never fail since
-- * we already know that the
-- * result fits in a fixedname.
-- */
-- dns_fixedname_init(&fqname);
-- result = dns_name_copy(
-- dns_fixedname_name(&dname),
-- dns_fixedname_name(&fqname),
-- NULL);
-- if (result != ISC_R_SUCCESS)
-- return (result);
-- wanted_chaining = ISC_TRUE;
-- name->attributes |=
-- DNS_NAMEATTR_CHAINING;
-- rdataset->attributes |=
-- DNS_RDATASETATTR_CHAINING;
-- qname = dns_fixedname_name(
-- &fqname);
- }
-+ rdataset->attributes |= aflag;
-+ if (aa)
-+ rdataset->trust =
-+ dns_trust_authanswer;
-+ } else if (external) {
-+ rdataset->attributes |=
-+ DNS_RDATASETATTR_EXTERNAL;
- }
- }
-+
-+ /*
-+ * DNAME chaining.
-+ */
-+ if (dnameset != NULL) {
-+ /*
-+ * Copy the dname into the qname fixed name.
-+ *
-+ * Although we check for failure of the copy
-+ * operation, in practice it should never fail
-+ * since we already know that the result fits
-+ * in a fixedname.
-+ */
-+ dns_fixedname_init(&fqname);
-+ qname = dns_fixedname_name(&fqname);
-+ result = dns_name_copy(dname, qname, NULL);
-+ if (result != ISC_R_SUCCESS)
-+ return (result);
-+ wanted_chaining = ISC_TRUE;
-+ name->attributes |= DNS_NAMEATTR_CHAINING;
-+ dnameset->attributes |=
-+ DNS_RDATASETATTR_CHAINING;
-+ }
- if (wanted_chaining)
- chaining = ISC_TRUE;
- }
---
-1.9.1
-
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
deleted file mode 100644
index 1b84d46b78d..00000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
+++ /dev/null
@@ -1,247 +0,0 @@
-CVE-2016-2088
-
-Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the
-v9_10_3_patch branch.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088
-https://kb.isc.org/article/AA-01351
-
-CVE: CVE-2016-2088
-Upstream-Status: Backport
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
-
-
-Original commit message from Mark Andrews <marka@isc.org> below:
-
-4322. [security] Duplicate EDNS COOKIE options in a response could
- trigger an assertion failure. (CVE-2016-2088)
- [RT #41809]
-
-(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
-(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
----
- CHANGES | 4 ++++
- bin/dig/dighost.c | 9 +++++++++
- bin/named/client.c | 33 +++++++++++++++++++++++----------
- doc/arm/notes.xml | 7 +++++++
- lib/dns/resolver.c | 14 +++++++++++++-
- 5 files changed, 56 insertions(+), 11 deletions(-)
-
-diff --git a/CHANGES b/CHANGES
-index c5b5d2b..d2e3360 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,7 @@
-+4322. [security] Duplicate EDNS COOKIE options in a response could
-+ trigger an assertion failure. (CVE-2016-2088)
-+ [RT #41809]
-+
- 4319. [security] Fix resolver assertion failure due to improper
- DNAME handling when parsing fetch reply messages.
- (CVE-2016-1286) [RT #41753]
-diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index ca82f8e..340904f 100644
---- a/bin/dig/dighost.c
-+++ b/bin/dig/dighost.c
-@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
- isc_buffer_t optbuf;
- isc_uint16_t optcode, optlen;
- dns_rdataset_t *opt = msg->opt;
-+ isc_boolean_t seen_cookie = ISC_FALSE;
-
- result = dns_rdataset_first(opt);
- if (result == ISC_R_SUCCESS) {
-@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
- optlen = isc_buffer_getuint16(&optbuf);
- switch (optcode) {
- case DNS_OPT_COOKIE:
-+ /*
-+ * Only process the first cookie option.
-+ */
-+ if (seen_cookie) {
-+ isc_buffer_forward(&optbuf, optlen);
-+ break;
-+ }
- process_sit(l, msg, &optbuf, optlen);
-+ seen_cookie = ISC_TRUE;
- break;
- default:
- isc_buffer_forward(&optbuf, optlen);
-diff --git a/bin/named/client.c b/bin/named/client.c
-index 683305c..0d7331a 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -120,7 +120,10 @@
- */
- #endif
-
--#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
-+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
-+
-+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
-+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
-
- /*% nameserver client manager structure */
- struct ns_clientmgr {
-@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
- {
- char nsid[BUFSIZ], *nsidp;
- #ifdef ISC_PLATFORM_USESIT
-- unsigned char sit[SIT_SIZE];
-+ unsigned char sit[COOKIE_SIZE];
- #endif
- isc_result_t result;
- dns_view_t *view;
-@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
- flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
-
- /* Set EDNS options if applicable */
-- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
-+ if (WANTNSID(client) &&
- (ns_g_server->server_id != NULL ||
- ns_g_server->server_usehostname)) {
- if (ns_g_server->server_usehostname) {
-@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
-
- INSIST(count < DNS_EDNSOPTIONS);
- ednsopts[count].code = DNS_OPT_COOKIE;
-- ednsopts[count].length = SIT_SIZE;
-+ ednsopts[count].length = COOKIE_SIZE;
- ednsopts[count].value = sit;
- count++;
- }
-@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
-
- static void
- process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
-- unsigned char dbuf[SIT_SIZE];
-+ unsigned char dbuf[COOKIE_SIZE];
- unsigned char *old;
- isc_stdtime_t now;
- isc_uint32_t when;
- isc_uint32_t nonce;
- isc_buffer_t db;
-
-+ /*
-+ * If we have already seen a ECS option skip this ECS option.
-+ */
-+ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
-+ isc_buffer_forward(buf, optlen);
-+ return;
-+ }
- client->attributes |= NS_CLIENTATTR_WANTSIT;
-
- isc_stats_increment(ns_g_server->nsstats,
- dns_nsstatscounter_sitopt);
-
-- if (optlen != SIT_SIZE) {
-+ if (optlen != COOKIE_SIZE) {
- /*
- * Not our token.
- */
-@@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
- isc_buffer_init(&db, dbuf, sizeof(dbuf));
- compute_sit(client, when, nonce, &db);
-
-- if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) {
-+ if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
- isc_stats_increment(ns_g_server->nsstats,
- dns_nsstatscounter_sitnomatch);
- return;
- }
- isc_stats_increment(ns_g_server->nsstats,
- dns_nsstatscounter_sitmatch);
--
- client->attributes |= NS_CLIENTATTR_HAVESIT;
- }
- #endif
-@@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
- optlen = isc_buffer_getuint16(&optbuf);
- switch (optcode) {
- case DNS_OPT_NSID:
-- isc_stats_increment(ns_g_server->nsstats,
-+ if (!WANTNSID(client))
-+ isc_stats_increment(
-+ ns_g_server->nsstats,
- dns_nsstatscounter_nsidopt);
- client->attributes |= NS_CLIENTATTR_WANTNSID;
- isc_buffer_forward(&optbuf, optlen);
-@@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
- break;
- #endif
- case DNS_OPT_EXPIRE:
-- isc_stats_increment(ns_g_server->nsstats,
-+ if (!WANTEXPIRE(client))
-+ isc_stats_increment(
-+ ns_g_server->nsstats,
- dns_nsstatscounter_expireopt);
- client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
- isc_buffer_forward(&optbuf, optlen);
-diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index ebf4f55..095eb5b 100644
---- a/doc/arm/notes.xml
-+++ b/doc/arm/notes.xml
-@@ -51,6 +51,13 @@
- <title>Security Fixes</title>
- <itemizedlist>
- <listitem>
-+ <para>
-+ Duplicate EDNS COOKIE options in a response could trigger
-+ an assertion failure. This flaw is disclosed in CVE-2016-2088.
-+ [RT #41809]
-+ </para>
-+ </listitem>
-+ <listitem>
- <para>
- Specific APL data could trigger an INSIST. This flaw
- was discovered by Brian Mitchell and is disclosed in
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index a797e3f..ba1ae23 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
- unsigned char *sit;
- dns_adbaddrinfo_t *addrinfo;
- unsigned char cookie[8];
-+ isc_boolean_t seen_cookie = ISC_FALSE;
- #endif
-+ isc_boolean_t seen_nsid = ISC_FALSE;
-
- result = dns_rdataset_first(opt);
- if (result == ISC_R_SUCCESS) {
-@@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
- INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
- switch (optcode) {
- case DNS_OPT_NSID:
-- if (query->options & DNS_FETCHOPT_WANTNSID)
-+ if (!seen_nsid &&
-+ query->options & DNS_FETCHOPT_WANTNSID)
- log_nsid(&optbuf, optlen, query,
- ISC_LOG_DEBUG(3),
- query->fctx->res->mctx);
- isc_buffer_forward(&optbuf, optlen);
-+ seen_nsid = ISC_TRUE;
- break;
- #ifdef ISC_PLATFORM_USESIT
- case DNS_OPT_COOKIE:
-+ /*
-+ * Only process the first cookie option.
-+ */
-+ if (seen_cookie) {
-+ isc_buffer_forward(&optbuf, optlen);
-+ break;
-+ }
- sit = isc_buffer_current(&optbuf);
- compute_cc(query, cookie, sizeof(cookie));
- INSIST(query->fctx->rmessage->sitbad == 0 &&
-@@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
- isc_buffer_forward(&optbuf, optlen);
- inc_stats(query->fctx->res,
- dns_resstatscounter_sitin);
-+ seen_cookie = ISC_TRUE;
- break;
- #endif
- default:
---
-2.1.4
-
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
deleted file mode 100644
index 5393063c567..00000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Wed, 12 Oct 2016 19:52:59 +0900
-Subject: [PATCH]
-4406. [security] getrrsetbyname with a non absolute name could
- trigger an infinite recursion bug in lwresd
- and named with lwres configured if when combined
- with a search list entry the resulting name is
- too long. (CVE-2016-2775) [RT #42694]
-
-Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
-v9.11.0_patch branch.
-
-CVE: CVE-2016-2775
-Upstream-Status: Backport
-
-Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
-
----
- CHANGES | 6 ++++++
- bin/named/lwdgrbn.c | 16 ++++++++++------
- bin/tests/system/lwresd/lwtest.c | 9 ++++++++-
- 3 files changed, 24 insertions(+), 7 deletions(-)
-
-diff --git a/CHANGES b/CHANGES
-index d2e3360..d0a9d12 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,9 @@
-+4406. [security] getrrsetbyname with a non absolute name could
-+ trigger an infinite recursion bug in lwresd
-+ and named with lwres configured if when combined
-+ with a search list entry the resulting name is
-+ too long. (CVE-2016-2775) [RT #42694]
-+
- 4322. [security] Duplicate EDNS COOKIE options in a response could
- trigger an assertion failure. (CVE-2016-2088)
- [RT #41809]
-diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
-index 3e7b15b..e1e9adc 100644
---- a/bin/named/lwdgrbn.c
-+++ b/bin/named/lwdgrbn.c
-@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
- INSIST(client->lookup == NULL);
-
- dns_fixedname_init(&absname);
-- result = ns_lwsearchctx_current(&client->searchctx,
-- dns_fixedname_name(&absname));
-+
- /*
-- * This will return failure if relative name + suffix is too long.
-- * In this case, just go on to the next entry in the search path.
-+ * Perform search across all search domains until success
-+ * is returned. Return in case of failure.
- */
-- if (result != ISC_R_SUCCESS)
-- start_lookup(client);
-+ while (ns_lwsearchctx_current(&client->searchctx,
-+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
-+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
-+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-+ return;
-+ }
-+ }
-
- result = dns_lookup_create(cm->mctx,
- dns_fixedname_name(&absname),
-diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
-index ad9b551..3eb4a66 100644
---- a/bin/tests/system/lwresd/lwtest.c
-+++ b/bin/tests/system/lwresd/lwtest.c
-@@ -768,7 +768,14 @@ main(void) {
- test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
- test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
- test_getrrsetbyname("", 1, 1, 0, 0, 0);
--
-+ test_getrrsetbyname("123456789.123456789.123456789.123456789."
-+ "123456789.123456789.123456789.123456789."
-+ "123456789.123456789.123456789.123456789."
-+ "123456789.123456789.123456789.123456789."
-+ "123456789.123456789.123456789.123456789."
-+ "123456789.123456789.123456789.123456789."
-+ "123456789", 1, 1, 0, 0, 0);
-+
- if (fails == 0)
- printf("I:ok\n");
- return (fails);
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
deleted file mode 100644
index 738bf600589..00000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Wed, 12 Oct 2016 20:36:52 +0900
-Subject: [PATCH]
-4467. [security] It was possible to trigger an assertion when
- rendering a message. (CVE-2016-2776) [RT #43139]
-
-Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the
-v9.11.0_patch branch.
-
-CVE: CVE-2016-2776
-Upstream-Status: Backport
-
-Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
-
----
- CHANGES | 3 +++
- lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
- 2 files changed, 34 insertions(+), 11 deletions(-)
-
-diff --git a/CHANGES b/CHANGES
-index d0a9d12..5c8c61a 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,6 @@
-+4467. [security] It was possible to trigger an assertion when
-+ rendering a message. (CVE-2016-2776) [RT #43139]
-+
- 4406. [security] getrrsetbyname with a non absolute name could
- trigger an infinite recursion bug in lwresd
- and named with lwres configured if when combined
-diff --git a/lib/dns/message.c b/lib/dns/message.c
-index 6b5b4bb..b74dc81 100644
---- a/lib/dns/message.c
-+++ b/lib/dns/message.c
-@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
- if (r.length < DNS_MESSAGE_HEADERLEN)
- return (ISC_R_NOSPACE);
-
-- if (r.length < msg->reserved)
-+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
- return (ISC_R_NOSPACE);
-
- /*
-@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,
-
- return (ISC_TRUE);
- }
--
- #endif
-+
-+static isc_result_t
-+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
-+ dns_compress_t *cctx, isc_buffer_t *target,
-+ unsigned int reserved, unsigned int options, unsigned int *countp)
-+{
-+ isc_result_t result;
-+
-+ /*
-+ * Shrink the space in the buffer by the reserved amount.
-+ */
-+ if (target->length - target->used < reserved)
-+ return (ISC_R_NOSPACE);
-+
-+ target->length -= reserved;
-+ result = dns_rdataset_towire(rdataset, owner_name,
-+ cctx, target, options, countp);
-+ target->length += reserved;
-+
-+ return (result);
-+}
-+
- isc_result_t
- dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
- unsigned int options)
-@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
- /*
- * Shrink the space in the buffer by the reserved amount.
- */
-+ if (msg->buffer->length - msg->buffer->used < msg->reserved)
-+ return (ISC_R_NOSPACE);
- msg->buffer->length -= msg->reserved;
-
- total = 0;
-@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) {
- * Render.
- */
- count = 0;
-- result = dns_rdataset_towire(msg->opt, dns_rootname,
-- msg->cctx, msg->buffer, 0,
-- &count);
-+ result = renderset(msg->opt, dns_rootname, msg->cctx,
-+ msg->buffer, msg->reserved, 0, &count);
- msg->counts[DNS_SECTION_ADDITIONAL] += count;
- if (result != ISC_R_SUCCESS)
- return (result);
-@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) {
- if (result != ISC_R_SUCCESS)
- return (result);
- count = 0;
-- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
-- msg->cctx, msg->buffer, 0,
-- &count);
-+ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
-+ msg->buffer, msg->reserved, 0, &count);
- msg->counts[DNS_SECTION_ADDITIONAL] += count;
- if (result != ISC_R_SUCCESS)
- return (result);
-@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) {
- * the owner name of a SIG(0) is irrelevant, and will not
- * be set in a message being rendered.
- */
-- result = dns_rdataset_towire(msg->sig0, dns_rootname,
-- msg->cctx, msg->buffer, 0,
-- &count);
-+ result = renderset(msg->sig0, dns_rootname, msg->cctx,
-+ msg->buffer, msg->reserved, 0, &count);
- msg->counts[DNS_SECTION_ADDITIONAL] += count;
- if (result != ISC_R_SUCCESS)
- return (result);
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff b/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
deleted file mode 100644
index 2930796b6af..00000000000
--- a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
+++ /dev/null
@@ -1,104 +0,0 @@
-bind: port a patch to fix a build failure
-
-mips1 does not support ll and sc instructions, and lead to below error, now
-we port a patch from debian to fix it
-[http://security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u1.diff.gz]
-
-| {standard input}: Assembler messages:
-| {standard input}:47: Error: Opcode not supported on this processor: mips1 (mips1) `ll $3,0($6)'
-| {standard input}:50: Error: Opcode not supported on this processor: mips1 (mips1) `sc $3,0($6)'
-
-Upstream-Status: Pending
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-
---- bind9-9.8.4.dfsg.P1.orig/lib/isc/mips/include/isc/atomic.h
-+++ bind9-9.8.4.dfsg.P1/lib/isc/mips/include/isc/atomic.h
-@@ -31,18 +31,20 @@
- isc_atomic_xadd(isc_int32_t *p, int val) {
- isc_int32_t orig;
-
-- /* add is a cheat, since MIPS has no mov instruction */
-- __asm__ volatile (
-- "1:"
-- "ll $3, %1\n"
-- "add %0, $0, $3\n"
-- "add $3, $3, %2\n"
-- "sc $3, %1\n"
-- "beq $3, 0, 1b"
-- : "=&r"(orig)
-- : "m"(*p), "r"(val)
-- : "memory", "$3"
-- );
-+ __asm__ __volatile__ (
-+ " .set push \n"
-+ " .set mips2 \n"
-+ " .set noreorder \n"
-+ " .set noat \n"
-+ "1: ll $1, %1 \n"
-+ " addu %0, $1, %2 \n"
-+ " sc %0, %1 \n"
-+ " beqz %0, 1b \n"
-+ " move %0, $1 \n"
-+ " .set pop \n"
-+ : "=&r" (orig), "+R" (*p)
-+ : "r" (val)
-+ : "memory");
-
- return (orig);
- }
-@@ -52,16 +54,7 @@
- */
- static inline void
- isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
-- __asm__ volatile (
-- "1:"
-- "ll $3, %0\n"
-- "add $3, $0, %1\n"
-- "sc $3, %0\n"
-- "beq $3, 0, 1b"
-- :
-- : "m"(*p), "r"(val)
-- : "memory", "$3"
-- );
-+ *p = val;
- }
-
- /*
-@@ -72,20 +65,23 @@
- static inline isc_int32_t
- isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) {
- isc_int32_t orig;
-+ isc_int32_t tmp;
-
-- __asm__ volatile(
-- "1:"
-- "ll $3, %1\n"
-- "add %0, $0, $3\n"
-- "bne $3, %2, 2f\n"
-- "add $3, $0, %3\n"
-- "sc $3, %1\n"
-- "beq $3, 0, 1b\n"
-- "2:"
-- : "=&r"(orig)
-- : "m"(*p), "r"(cmpval), "r"(val)
-- : "memory", "$3"
-- );
-+ __asm__ __volatile__ (
-+ " .set push \n"
-+ " .set mips2 \n"
-+ " .set noreorder \n"
-+ " .set noat \n"
-+ "1: ll $1, %1 \n"
-+ " bne $1, %3, 2f \n"
-+ " move %2, %4 \n"
-+ " sc %2, %1 \n"
-+ " beqz %2, 1b \n"
-+ "2: move %0, $1 \n"
-+ " .set pop \n"
-+ : "=&r"(orig), "+R" (*p), "=r" (tmp)
-+ : "r"(cmpval), "r"(val)
-+ : "memory");
-
- return (orig);
- }
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.5.bb
similarity index 83%
rename from meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
rename to meta/recipes-connectivity/bind/bind_9.10.5.bb
index 18249f2a83a..c8c5a9580b1 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.5.bb
@@ -3,39 +3,30 @@ HOMEPAGE = "http://www.isc.org/sw/bind/"
SECTION = "console/network"
LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=dba46507446198119bcde32a4feaab43"
-DEPENDS = "openssl libcap"
+DEPENDS = "openssl libcap python3"
SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://conf.patch \
file://make-etc-initd-bind-stop-work.patch \
- file://mips1-not-support-opcode.diff \
file://dont-test-on-host.patch \
file://generate-rndc-key.sh \
file://named.service \
file://bind9 \
file://init.d-add-support-for-read-only-rootfs.patch \
- file://bind-confgen-build-unix.o-once.patch \
+ file://0001-confgen-don-t-build-unix.o-twice.patch \
file://0001-build-use-pkg-config-to-find-libxml2.patch \
file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \
file://0001-lib-dns-gen.c-fix-too-long-error.patch \
- file://CVE-2016-1285.patch \
- file://CVE-2016-1286_1.patch \
- file://CVE-2016-1286_2.patch \
- file://CVE-2016-2088.patch \
- file://CVE-2016-2775.patch \
- file://CVE-2016-2776.patch \
- file://CVE-2016-8864.patch \
- file://CVE-2016-6170.patch \
"
UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/bind9/"
UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/"
-SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"
-SRC_URI[sha256sum] = "690810d1fbb72afa629e74638d19cd44e28d2b2e5eb63f55c705ad85d1a4cb83"
+SRC_URI[md5sum] = "8359e000eaec76efd6dfa186c12c3b93"
+SRC_URI[sha256sum] = "71688d2e134e42205075eef93cc1b78b42a140a2d61bf8263afc9c92fc872b0e"
ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}"
EXTRA_OECONF = " ${ENABLE_IPV6} --with-randomdev=/dev/random --disable-threads \
@@ -43,8 +34,9 @@ EXTRA_OECONF = " ${ENABLE_IPV6} --with-randomdev=/dev/random --disable-threads \
--with-gssapi=no --with-ecdsa=yes \
--sysconfdir=${sysconfdir}/bind \
--with-openssl=${STAGING_LIBDIR}/.. \
+ --with-python=python3 \
"
-inherit autotools update-rc.d systemd useradd pkgconfig
+inherit autotools update-rc.d systemd useradd pkgconfig python3native
# PACKAGECONFIGs readline and libedit should NOT be set at same time
PACKAGECONFIG ?= "readline"
@@ -67,9 +59,11 @@ RDEPENDS_${PN} = "python3-core"
RDEPENDS_${PN}-dev = ""
PACKAGE_BEFORE_PN += "${PN}-utils"
+PACKAGES += "python3-${PN}"
FILES_${PN}-utils = "${bindir}/host ${bindir}/dig"
FILES_${PN}-dev += "${bindir}/isc-config.h"
FILES_${PN} += "${sbindir}/generate-rndc-key.sh"
+FILES_python3-${PN} += "${PYTHON_SITEPACKAGES_DIR}"
do_install_prepend() {
# clean host path in isc-config.sh before the hardlink created
--
2.11.0
^ permalink raw reply related [flat|nested] 30+ messages in thread* [RFC PATCH 06/10] openssh: depend on openssl 1.0
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
` (4 preceding siblings ...)
2017-05-10 14:13 ` [RFC PATCH 05/10] bind: update to 9.10.5 Alexander Kanavin
@ 2017-05-10 14:13 ` Alexander Kanavin
2017-05-10 14:13 ` [RFC PATCH 07/10] apr-util: add support for openssl 1.1 via backported patch Alexander Kanavin
` (5 subsequent siblings)
11 siblings, 0 replies; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 14:13 UTC (permalink / raw)
To: openembedded-core
The proposed openssl 1.1 patches are here:
https://github.com/openssh/openssh-portable/pull/48
Openssl maintainers are not in a hurry to get 1.1 support in;
if it doesn't show up within reasonable time, we can take a patch
from Fedora:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-November/035454.html
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
meta/recipes-connectivity/openssh/openssh_7.4p1.bb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-connectivity/openssh/openssh_7.4p1.bb b/meta/recipes-connectivity/openssh/openssh_7.4p1.bb
index c8093d4e2bb..d94d7bd2f8d 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.4p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.4p1.bb
@@ -8,7 +8,8 @@ SECTION = "console/network"
LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
-DEPENDS = "zlib openssl"
+# openssl 1.1 patches are proposed at https://github.com/openssh/openssh-portable/pull/48
+DEPENDS = "zlib openssl10"
DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
--
2.11.0
^ permalink raw reply related [flat|nested] 30+ messages in thread* [RFC PATCH 07/10] apr-util: add support for openssl 1.1 via backported patch
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
` (5 preceding siblings ...)
2017-05-10 14:13 ` [RFC PATCH 06/10] openssh: depend on openssl 1.0 Alexander Kanavin
@ 2017-05-10 14:13 ` Alexander Kanavin
2017-05-10 14:13 ` [RFC PATCH 08/10] cryptodev-tests: depend on openssl 1.0 Alexander Kanavin
` (4 subsequent siblings)
11 siblings, 0 replies; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 14:13 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
.../recipes-support/apr/apr-util/openssl-1.1.patch | 253 +++++++++++++++++++++
meta/recipes-support/apr/apr-util_1.5.4.bb | 1 +
2 files changed, 254 insertions(+)
create mode 100644 meta/recipes-support/apr/apr-util/openssl-1.1.patch
diff --git a/meta/recipes-support/apr/apr-util/openssl-1.1.patch b/meta/recipes-support/apr/apr-util/openssl-1.1.patch
new file mode 100644
index 00000000000..891c14183a8
--- /dev/null
+++ b/meta/recipes-support/apr/apr-util/openssl-1.1.patch
@@ -0,0 +1,253 @@
+# commit f163d8b5af9185de80d24b4dd13951dd64872aa6
+# Author: Rainer Jung <rjung@apache.org>
+# Date: Sun Feb 7 14:40:46 2016 +0000
+#
+# Add support for OpenSSL 1.1.0:
+# - Switch configure test for OpenSSL libcrypto
+# from BN_init() to BN_new().
+# - BN_init() is gone in OpenSSL 1.1.0.
+# BN_new() exists at least since 0.9.8.
+# - use OPENSSL_malloc_init() instead of
+# CRYPTO_malloc_init
+# - make cipherCtx a pointer. Type EVP_CIPHER_CTX
+# is now opaque.
+# - use EVP_CIPHER_CTX_new() in init() functions
+# if initialised flag is not set (and set flag)
+# - use EVP_CIPHER_CTX_free() in cleanup function
+# - Improve reuse cleanup
+# - call EVP_CIPHER_CTX_reset() resp.
+# EVP_CIPHER_CTX_cleanup() in finish functions
+# - call EVP_CIPHER_CTX_reset() resp.
+# EVP_CIPHER_CTX_cleanup() when Update fails
+# Backport of r1728958 and r1728963 from trunk.
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/apr/apr-util/branches/1.5.x@1728969 13f79535-47bb-0310-9956-ffa450edef68
+#
+
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+Upstream-Status: Backport
+diff --git a/build/crypto.m4 b/build/crypto.m4
+index 9f9be6f..57884e3 100644
+--- a/build/crypto.m4
++++ b/build/crypto.m4
+@@ -88,7 +88,7 @@ AC_DEFUN([APU_CHECK_CRYPTO_OPENSSL], [
+ [
+ if test "$withval" = "yes"; then
+ AC_CHECK_HEADERS(openssl/x509.h, [openssl_have_headers=1])
+- AC_CHECK_LIB(crypto, BN_init, AC_CHECK_LIB(ssl, SSL_accept, [openssl_have_libs=1],,-lcrypto))
++ AC_CHECK_LIB(crypto, BN_new, AC_CHECK_LIB(ssl, SSL_accept, [openssl_have_libs=1],,-lcrypto))
+ if test "$openssl_have_headers" != "0" && test "$openssl_have_libs" != "0"; then
+ apu_have_openssl=1
+ fi
+@@ -104,7 +104,7 @@ AC_DEFUN([APU_CHECK_CRYPTO_OPENSSL], [
+
+ AC_MSG_NOTICE(checking for openssl in $withval)
+ AC_CHECK_HEADERS(openssl/x509.h, [openssl_have_headers=1])
+- AC_CHECK_LIB(crypto, BN_init, AC_CHECK_LIB(ssl, SSL_accept, [openssl_have_libs=1],,-lcrypto))
++ AC_CHECK_LIB(crypto, BN_new, AC_CHECK_LIB(ssl, SSL_accept, [openssl_have_libs=1],,-lcrypto))
+ if test "$openssl_have_headers" != "0" && test "$openssl_have_libs" != "0"; then
+ apu_have_openssl=1
+ APR_ADDTO(APRUTIL_LDFLAGS, [-L$withval/lib])
+@@ -113,7 +113,7 @@ AC_DEFUN([APU_CHECK_CRYPTO_OPENSSL], [
+
+ if test "$apu_have_openssl" != "1"; then
+ AC_CHECK_HEADERS(openssl/x509.h, [openssl_have_headers=1])
+- AC_CHECK_LIB(crypto, BN_init, AC_CHECK_LIB(ssl, SSL_accept, [openssl_have_libs=1],,-lcrypto))
++ AC_CHECK_LIB(crypto, BN_new, AC_CHECK_LIB(ssl, SSL_accept, [openssl_have_libs=1],,-lcrypto))
+ if test "$openssl_have_headers" != "0" && test "$openssl_have_libs" != "0"; then
+ apu_have_openssl=1
+ APR_ADDTO(APRUTIL_LDFLAGS, [-L$withval/lib])
+diff --git a/crypto/apr_crypto_openssl.c b/crypto/apr_crypto_openssl.c
+index 0740f93..7d61fca 100644
+--- a/crypto/apr_crypto_openssl.c
++++ b/crypto/apr_crypto_openssl.c
+@@ -64,7 +64,7 @@ struct apr_crypto_block_t {
+ apr_pool_t *pool;
+ const apr_crypto_driver_t *provider;
+ const apr_crypto_t *f;
+- EVP_CIPHER_CTX cipherCtx;
++ EVP_CIPHER_CTX *cipherCtx;
+ int initialised;
+ int ivSize;
+ int blockSize;
+@@ -111,7 +111,11 @@ static apr_status_t crypto_shutdown_helper(void *data)
+ static apr_status_t crypto_init(apr_pool_t *pool, const char *params,
+ const apu_err_t **result)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ CRYPTO_malloc_init();
++#else
++ OPENSSL_malloc_init();
++#endif
+ ERR_load_crypto_strings();
+ /* SSL_load_error_strings(); */
+ OpenSSL_add_all_algorithms();
+@@ -134,7 +138,7 @@ static apr_status_t crypto_block_cleanup(apr_crypto_block_t *ctx)
+ {
+
+ if (ctx->initialised) {
+- EVP_CIPHER_CTX_cleanup(&ctx->cipherCtx);
++ EVP_CIPHER_CTX_free(ctx->cipherCtx);
+ ctx->initialised = 0;
+ }
+
+@@ -491,8 +495,10 @@ static apr_status_t crypto_block_encrypt_init(apr_crypto_block_t **ctx,
+ apr_pool_cleanup_null);
+
+ /* create a new context for encryption */
+- EVP_CIPHER_CTX_init(&block->cipherCtx);
+- block->initialised = 1;
++ if (!block->initialised) {
++ block->cipherCtx = EVP_CIPHER_CTX_new();
++ block->initialised = 1;
++ }
+
+ /* generate an IV, if necessary */
+ usedIv = NULL;
+@@ -519,16 +525,16 @@ static apr_status_t crypto_block_encrypt_init(apr_crypto_block_t **ctx,
+
+ /* set up our encryption context */
+ #if CRYPTO_OPENSSL_CONST_BUFFERS
+- if (!EVP_EncryptInit_ex(&block->cipherCtx, key->cipher, config->engine,
++ if (!EVP_EncryptInit_ex(block->cipherCtx, key->cipher, config->engine,
+ key->key, usedIv)) {
+ #else
+- if (!EVP_EncryptInit_ex(&block->cipherCtx, key->cipher, config->engine, (unsigned char *) key->key, (unsigned char *) usedIv)) {
++ if (!EVP_EncryptInit_ex(block->cipherCtx, key->cipher, config->engine, (unsigned char *) key->key, (unsigned char *) usedIv)) {
+ #endif
+ return APR_EINIT;
+ }
+
+ /* Clear up any read padding */
+- if (!EVP_CIPHER_CTX_set_padding(&block->cipherCtx, key->doPad)) {
++ if (!EVP_CIPHER_CTX_set_padding(block->cipherCtx, key->doPad)) {
+ return APR_EPADDING;
+ }
+
+@@ -582,11 +588,16 @@ static apr_status_t crypto_block_encrypt(unsigned char **out,
+ }
+
+ #if CRYPT_OPENSSL_CONST_BUFFERS
+- if (!EVP_EncryptUpdate(&ctx->cipherCtx, (*out), &outl, in, inlen)) {
++ if (!EVP_EncryptUpdate(ctx->cipherCtx, (*out), &outl, in, inlen)) {
+ #else
+- if (!EVP_EncryptUpdate(&ctx->cipherCtx, (*out), &outl,
++ if (!EVP_EncryptUpdate(ctx->cipherCtx, (*out), &outl,
+ (unsigned char *) in, inlen)) {
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++ EVP_CIPHER_CTX_cleanup(ctx->cipherCtx);
++#else
++ EVP_CIPHER_CTX_reset(ctx->cipherCtx);
++#endif
+ return APR_ECRYPT;
+ }
+ *outlen = outl;
+@@ -616,14 +627,22 @@ static apr_status_t crypto_block_encrypt(unsigned char **out,
+ static apr_status_t crypto_block_encrypt_finish(unsigned char *out,
+ apr_size_t *outlen, apr_crypto_block_t *ctx)
+ {
++ apr_status_t rc = APR_SUCCESS;
+ int len = *outlen;
+
+- if (EVP_EncryptFinal_ex(&ctx->cipherCtx, out, &len) == 0) {
+- return APR_EPADDING;
++ if (EVP_EncryptFinal_ex(ctx->cipherCtx, out, &len) == 0) {
++ rc = APR_EPADDING;
++ }
++ else {
++ *outlen = len;
+ }
+- *outlen = len;
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++ EVP_CIPHER_CTX_cleanup(ctx->cipherCtx);
++#else
++ EVP_CIPHER_CTX_reset(ctx->cipherCtx);
++#endif
+
+- return APR_SUCCESS;
++ return rc;
+
+ }
+
+@@ -662,8 +681,10 @@ static apr_status_t crypto_block_decrypt_init(apr_crypto_block_t **ctx,
+ apr_pool_cleanup_null);
+
+ /* create a new context for encryption */
+- EVP_CIPHER_CTX_init(&block->cipherCtx);
+- block->initialised = 1;
++ if (!block->initialised) {
++ block->cipherCtx = EVP_CIPHER_CTX_new();
++ block->initialised = 1;
++ }
+
+ /* generate an IV, if necessary */
+ if (key->ivSize) {
+@@ -674,16 +695,16 @@ static apr_status_t crypto_block_decrypt_init(apr_crypto_block_t **ctx,
+
+ /* set up our encryption context */
+ #if CRYPTO_OPENSSL_CONST_BUFFERS
+- if (!EVP_DecryptInit_ex(&block->cipherCtx, key->cipher, config->engine,
++ if (!EVP_DecryptInit_ex(block->cipherCtx, key->cipher, config->engine,
+ key->key, iv)) {
+ #else
+- if (!EVP_DecryptInit_ex(&block->cipherCtx, key->cipher, config->engine, (unsigned char *) key->key, (unsigned char *) iv)) {
++ if (!EVP_DecryptInit_ex(block->cipherCtx, key->cipher, config->engine, (unsigned char *) key->key, (unsigned char *) iv)) {
+ #endif
+ return APR_EINIT;
+ }
+
+ /* Clear up any read padding */
+- if (!EVP_CIPHER_CTX_set_padding(&block->cipherCtx, key->doPad)) {
++ if (!EVP_CIPHER_CTX_set_padding(block->cipherCtx, key->doPad)) {
+ return APR_EPADDING;
+ }
+
+@@ -737,11 +758,16 @@ static apr_status_t crypto_block_decrypt(unsigned char **out,
+ }
+
+ #if CRYPT_OPENSSL_CONST_BUFFERS
+- if (!EVP_DecryptUpdate(&ctx->cipherCtx, *out, &outl, in, inlen)) {
++ if (!EVP_DecryptUpdate(ctx->cipherCtx, *out, &outl, in, inlen)) {
+ #else
+- if (!EVP_DecryptUpdate(&ctx->cipherCtx, *out, &outl, (unsigned char *) in,
++ if (!EVP_DecryptUpdate(ctx->cipherCtx, *out, &outl, (unsigned char *) in,
+ inlen)) {
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++ EVP_CIPHER_CTX_cleanup(ctx->cipherCtx);
++#else
++ EVP_CIPHER_CTX_reset(ctx->cipherCtx);
++#endif
+ return APR_ECRYPT;
+ }
+ *outlen = outl;
+@@ -771,15 +797,22 @@ static apr_status_t crypto_block_decrypt(unsigned char **out,
+ static apr_status_t crypto_block_decrypt_finish(unsigned char *out,
+ apr_size_t *outlen, apr_crypto_block_t *ctx)
+ {
+-
++ apr_status_t rc = APR_SUCCESS;
+ int len = *outlen;
+
+- if (EVP_DecryptFinal_ex(&ctx->cipherCtx, out, &len) == 0) {
+- return APR_EPADDING;
++ if (EVP_DecryptFinal_ex(ctx->cipherCtx, out, &len) == 0) {
++ rc = APR_EPADDING;
+ }
+- *outlen = len;
++ else {
++ *outlen = len;
++ }
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++ EVP_CIPHER_CTX_cleanup(ctx->cipherCtx);
++#else
++ EVP_CIPHER_CTX_reset(ctx->cipherCtx);
++#endif
+
+- return APR_SUCCESS;
++ return rc;
+
+ }
+
diff --git a/meta/recipes-support/apr/apr-util_1.5.4.bb b/meta/recipes-support/apr/apr-util_1.5.4.bb
index 2b8676fef33..64f4d94d8b6 100644
--- a/meta/recipes-support/apr/apr-util_1.5.4.bb
+++ b/meta/recipes-support/apr/apr-util_1.5.4.bb
@@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \
file://configfix.patch \
file://configure_fixes.patch \
file://run-ptest \
+ file://openssl-1.1.patch \
"
SRC_URI[md5sum] = "866825c04da827c6e5f53daff5569f42"
--
2.11.0
^ permalink raw reply related [flat|nested] 30+ messages in thread* [RFC PATCH 08/10] cryptodev-tests: depend on openssl 1.0
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
` (6 preceding siblings ...)
2017-05-10 14:13 ` [RFC PATCH 07/10] apr-util: add support for openssl 1.1 via backported patch Alexander Kanavin
@ 2017-05-10 14:13 ` Alexander Kanavin
2017-05-10 14:13 ` [RFC PATCH 09/10] mailx: " Alexander Kanavin
` (3 subsequent siblings)
11 siblings, 0 replies; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 14:13 UTC (permalink / raw)
To: openembedded-core
Upstream ticket:
https://github.com/cryptodev-linux/cryptodev-linux/issues/22
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
meta/recipes-kernel/cryptodev/cryptodev-tests_1.8.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-kernel/cryptodev/cryptodev-tests_1.8.bb b/meta/recipes-kernel/cryptodev/cryptodev-tests_1.8.bb
index c4005242a76..13011799ad5 100644
--- a/meta/recipes-kernel/cryptodev/cryptodev-tests_1.8.bb
+++ b/meta/recipes-kernel/cryptodev/cryptodev-tests_1.8.bb
@@ -2,7 +2,7 @@ require cryptodev.inc
SUMMARY = "A test suite for /dev/crypto device driver"
-DEPENDS += "openssl"
+DEPENDS += "openssl10"
SRC_URI += " \
file://0001-Add-the-compile-and-install-rules-for-cryptodev-test.patch \
--
2.11.0
^ permalink raw reply related [flat|nested] 30+ messages in thread* [RFC PATCH 09/10] mailx: depend on openssl 1.0
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
` (7 preceding siblings ...)
2017-05-10 14:13 ` [RFC PATCH 08/10] cryptodev-tests: depend on openssl 1.0 Alexander Kanavin
@ 2017-05-10 14:13 ` Alexander Kanavin
2017-05-10 14:13 ` [RFC PATCH 10/10] gstreamer-plugins-bad: replace openssl dependency with nettle for hls plugin Alexander Kanavin
` (2 subsequent siblings)
11 siblings, 0 replies; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 14:13 UTC (permalink / raw)
To: openembedded-core
We only carry this recipe for LSB compatibility; if we need
a modern supported implementation of mail/mailx, then
s-nail (http://sdaoden.eu/code.html) or mailutils (http://mailutils.org/)
should be used.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
meta/recipes-extended/mailx/mailx_12.5-5.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-extended/mailx/mailx_12.5-5.bb b/meta/recipes-extended/mailx/mailx_12.5-5.bb
index 9dd710a7181..0a191a00c18 100644
--- a/meta/recipes-extended/mailx/mailx_12.5-5.bb
+++ b/meta/recipes-extended/mailx/mailx_12.5-5.bb
@@ -9,7 +9,7 @@ SECTION = "console/network"
LICENSE = "BSD & MPL-1"
LIC_FILES_CHKSUM = "file://COPYING;md5=4202a0a62910cf94f7af8a3436a2a2dd"
-DEPENDS = "openssl"
+DEPENDS = "openssl10"
SRC_URI = "http://snapshot.debian.org/archive/debian/20160728T043443Z/pool/main/h/heirloom-mailx/heirloom-mailx_12.5.orig.tar.gz;name=archive \
file://0001-Don-t-reuse-weak-symbol-optopt-to-fix-FTBFS-on-mips.patch \
--
2.11.0
^ permalink raw reply related [flat|nested] 30+ messages in thread* [RFC PATCH 10/10] gstreamer-plugins-bad: replace openssl dependency with nettle for hls plugin
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
` (8 preceding siblings ...)
2017-05-10 14:13 ` [RFC PATCH 09/10] mailx: " Alexander Kanavin
@ 2017-05-10 14:13 ` Alexander Kanavin
2017-05-10 15:02 ` [RFC PATCH 00/10] Add openssl 1.1 Davis, Michael
2017-05-10 15:39 ` akuster808
11 siblings, 0 replies; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 14:13 UTC (permalink / raw)
To: openembedded-core
It has not been ported to openssl 1.1 (and there's nothing in upstream git),
but it's possible to use nettle or gcrypt intead.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad.inc | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad.inc b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad.inc
index 0ccfc89a2ea..e1a98b16a13 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad.inc
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad.inc
@@ -40,9 +40,7 @@ PACKAGECONFIG[flite] = "--enable-flite,--disable-flite,flite-alsa"
PACKAGECONFIG[fluidsynth] = "--enable-fluidsynth,--disable-fluidsynth,fluidsynth"
PACKAGECONFIG[gles2] = "--enable-gles2,--disable-gles2,virtual/libgles2"
PACKAGECONFIG[gtk] = "--enable-gtk3,--disable-gtk3,gtk+3"
-# ensure OpenSSL is used for HLS AES description instead of nettle
-# (OpenSSL is a shared dependency with dtls)
-PACKAGECONFIG[hls] = "--enable-hls --with-hls-crypto=openssl,--disable-hls,openssl"
+PACKAGECONFIG[hls] = "--enable-hls --with-hls-crypto=nettle,--disable-hls,nettle"
PACKAGECONFIG[kms] = "--enable-kms,--disable-kms,libdrm"
PACKAGECONFIG[libmms] = "--enable-libmms,--disable-libmms,libmms"
PACKAGECONFIG[libssh2] = "--enable-libssh2,--disable-libssh2,libssh2"
--
2.11.0
^ permalink raw reply related [flat|nested] 30+ messages in thread* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
` (9 preceding siblings ...)
2017-05-10 14:13 ` [RFC PATCH 10/10] gstreamer-plugins-bad: replace openssl dependency with nettle for hls plugin Alexander Kanavin
@ 2017-05-10 15:02 ` Davis, Michael
2017-05-10 15:15 ` Alexander Kanavin
2017-05-10 15:39 ` akuster808
11 siblings, 1 reply; 30+ messages in thread
From: Davis, Michael @ 2017-05-10 15:02 UTC (permalink / raw)
To: Alexander Kanavin, openembedded-core
Won't this cause a lot of issues for those of us that require FIPS?
I don't think 1.1 is expected to get FIPS support for some time.
--
Mike
^ permalink raw reply [flat|nested] 30+ messages in thread* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 15:02 ` [RFC PATCH 00/10] Add openssl 1.1 Davis, Michael
@ 2017-05-10 15:15 ` Alexander Kanavin
2017-05-10 15:34 ` Davis, Michael
0 siblings, 1 reply; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 15:15 UTC (permalink / raw)
To: Davis, Michael, openembedded-core
On 05/10/2017 06:02 PM, Davis, Michael wrote:
> Won't this cause a lot of issues for those of us that require FIPS?
> I don't think 1.1 is expected to get FIPS support for some time.
https://www.openssl.org/blog/blog/2016/07/20/fips/#comment-3277656289
"There's been a delay on starting due to a priority focus on finishing
the TLS 1.3 implementation; we're still waiting on a final TLS 1.3 spec.
Schedule estimates are difficult, not only because we haven't actually
started yet but because the FIPS 140 validation process is notoriously
unpredictable. Based on the first five open source based validations I
would be surprised to see a final approved validation in less than two
years after we start, but my prognostications have been wrong before."
Would you be okay with staying on yocto 2.3 release until this is
resolved? Otherwise, this can be delayed somewhat, but "we haven't
started yet; we have no idea how long it's gonna take; probably two
years or more" does not seem like a reasonable ask. There are other
users of oe-core, who do not care about FIPS, and at the same time do
want to have 1.1.
Alex
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 15:15 ` Alexander Kanavin
@ 2017-05-10 15:34 ` Davis, Michael
2017-05-10 15:38 ` Alexander Kanavin
0 siblings, 1 reply; 30+ messages in thread
From: Davis, Michael @ 2017-05-10 15:34 UTC (permalink / raw)
To: Alexander Kanavin, openembedded-core
Sitting on 2.3 wouldn't be too much an issue for me, but I can't speak for others that may be in the same situation.
Do these patches / new versions require 1.1.0 or break backwards compatibility with 1.0.2?
It would be nice if it could be handled by the PREFFERED_VERSION/PREFERRERED_PROVIDER.
-----Original Message-----
From: Alexander Kanavin [mailto:alexander.kanavin@linux.intel.com]
Sent: Wednesday, May 10, 2017 10:16 AM
To: Davis, Michael; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [RFC PATCH 00/10] Add openssl 1.1
On 05/10/2017 06:02 PM, Davis, Michael wrote:
> Won't this cause a lot of issues for those of us that require FIPS?
> I don't think 1.1 is expected to get FIPS support for some time.
https://www.openssl.org/blog/blog/2016/07/20/fips/#comment-3277656289
"There's been a delay on starting due to a priority focus on finishing
the TLS 1.3 implementation; we're still waiting on a final TLS 1.3 spec.
Schedule estimates are difficult, not only because we haven't actually
started yet but because the FIPS 140 validation process is notoriously
unpredictable. Based on the first five open source based validations I
would be surprised to see a final approved validation in less than two
years after we start, but my prognostications have been wrong before."
Would you be okay with staying on yocto 2.3 release until this is
resolved? Otherwise, this can be delayed somewhat, but "we haven't
started yet; we have no idea how long it's gonna take; probably two
years or more" does not seem like a reasonable ask. There are other
users of oe-core, who do not care about FIPS, and at the same time do
want to have 1.1.
Alex
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 15:34 ` Davis, Michael
@ 2017-05-10 15:38 ` Alexander Kanavin
2017-05-10 18:56 ` Gary Thomas
0 siblings, 1 reply; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 15:38 UTC (permalink / raw)
To: Davis, Michael, openembedded-core
On 05/10/2017 06:34 PM, Davis, Michael wrote:
> Sitting on 2.3 wouldn't be too much an issue for me, but I can't speak for others that may be in the same situation.
> Do these patches / new versions require 1.1.0 or break backwards compatibility with 1.0.2?
> It would be nice if it could be handled by the PREFFERED_VERSION/PREFERRERED_PROVIDER.
PREFERRED_ thing is not possible, unfortunately. 1.1 is API incompatible
with 1.0, and so both need to be provided at the same time, with recipes
explicitly telling which one they need. Most of the patchset is moving
various recipes to newer, 1.1 compatible versions, so we minimize the
need for 1.0.
1.0 will be provided for as long as upstream supports it, which should
be another two years or so.
Alex
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 15:38 ` Alexander Kanavin
@ 2017-05-10 18:56 ` Gary Thomas
2017-05-10 19:34 ` Alexander Kanavin
0 siblings, 1 reply; 30+ messages in thread
From: Gary Thomas @ 2017-05-10 18:56 UTC (permalink / raw)
To: openembedded-core
On 2017-05-10 17:38, Alexander Kanavin wrote:
> On 05/10/2017 06:34 PM, Davis, Michael wrote:
>> Sitting on 2.3 wouldn't be too much an issue for me, but I can't speak for others that may be in the same situation.
>> Do these patches / new versions require 1.1.0 or break backwards compatibility with 1.0.2?
>> It would be nice if it could be handled by the PREFFERED_VERSION/PREFERRERED_PROVIDER.
>
> PREFERRED_ thing is not possible, unfortunately. 1.1 is API incompatible with 1.0, and so both need to be provided at
> the same time, with recipes explicitly telling which one they need. Most of the patchset is moving various recipes to
> newer, 1.1 compatible versions, so we minimize the need for 1.0.
>
> 1.0 will be provided for as long as upstream supports it, which should be another two years or so.
Why not do this in a "softer" way - make the new 1.1 package have the
obscured name (and not be preferred by default)? That way existing
uses of the older 1.0 package can continue but users can migrate to
1.1 as they see fit?
--
------------------------------------------------------------
Gary Thomas | Consulting for the
MLB Associates | Embedded world
------------------------------------------------------------
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 18:56 ` Gary Thomas
@ 2017-05-10 19:34 ` Alexander Kanavin
2017-05-10 19:53 ` Davis, Michael
2017-05-10 20:35 ` Khem Raj
0 siblings, 2 replies; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 19:34 UTC (permalink / raw)
To: Gary Thomas, openembedded-core
On 05/10/2017 09:56 PM, Gary Thomas wrote:
> Why not do this in a "softer" way - make the new 1.1 package have the
> obscured name (and not be preferred by default)? That way existing
> uses of the older 1.0 package can continue but users can migrate to
> 1.1 as they see fit?
I have an answer which you might not particularly like. But here goes:
What will actually happen is that no one will do anything to port their
stuff until it's time to remove 1.0 because upstream has EOLd it. And
then there'll still be complaints that more time is needed for the
transition. I'd like to gently push people to plan this transition
already now - and it's as gentle as it can be: if you pull from master
and your things no longer build, make one simple change and they will.
It's part and parcel of being on the bleeding edge, or rebasing to the
new yocto release: not everything works exactly as before, and most
components are newer and different and not always fully compatible.
The other reason is that it's more work for me: I would have to update
everything in oe-core to use the new recipe, instead of fixing just a
few recipes that need to stay with 1.0. And then again the same thing
will happen when 1.2 is out.
Alex
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 19:34 ` Alexander Kanavin
@ 2017-05-10 19:53 ` Davis, Michael
2017-05-10 20:02 ` Alexander Kanavin
2017-05-10 20:35 ` Khem Raj
1 sibling, 1 reply; 30+ messages in thread
From: Davis, Michael @ 2017-05-10 19:53 UTC (permalink / raw)
To: Alexander Kanavin, Gary Thomas, openembedded-core
Could we offload the 1.0.2 supported recipes to something similar to meta-gplv2?
Then the rest of the Yocto world can move on and those that need 1.0.x can seek it out.
-----Original Message-----
From: openembedded-core-bounces@lists.openembedded.org [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of Alexander Kanavin
Sent: Wednesday, May 10, 2017 2:34 PM
To: Gary Thomas; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [RFC PATCH 00/10] Add openssl 1.1
On 05/10/2017 09:56 PM, Gary Thomas wrote:
> Why not do this in a "softer" way - make the new 1.1 package have the
> obscured name (and not be preferred by default)? That way existing
> uses of the older 1.0 package can continue but users can migrate to
> 1.1 as they see fit?
I have an answer which you might not particularly like. But here goes:
What will actually happen is that no one will do anything to port their
stuff until it's time to remove 1.0 because upstream has EOLd it. And
then there'll still be complaints that more time is needed for the
transition. I'd like to gently push people to plan this transition
already now - and it's as gentle as it can be: if you pull from master
and your things no longer build, make one simple change and they will.
It's part and parcel of being on the bleeding edge, or rebasing to the
new yocto release: not everything works exactly as before, and most
components are newer and different and not always fully compatible.
The other reason is that it's more work for me: I would have to update
everything in oe-core to use the new recipe, instead of fixing just a
few recipes that need to stay with 1.0. And then again the same thing
will happen when 1.2 is out.
Alex
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 19:53 ` Davis, Michael
@ 2017-05-10 20:02 ` Alexander Kanavin
0 siblings, 0 replies; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-10 20:02 UTC (permalink / raw)
To: Davis, Michael, Gary Thomas, openembedded-core
On 05/10/2017 10:53 PM, Davis, Michael wrote:
> Could we offload the 1.0.2 supported recipes to something similar to meta-gplv2?
> Then the rest of the Yocto world can move on and those that need 1.0.x can seek it out.
Maybe in 2019, when 1.0.2 will be reaching EOL, but definitely not now.
I don't think anyone will be happy if openssh (1.0 only for now) is
removed from oe-core, and everyone has to seek an additional layer to
keep that and other things running.
1.0.2 is fully supported by upstream, and they will provide bugfixes for
another 2.5 years. There is nothing wrong with keeping it in oe-core,
unlike the gplv2 recipes which were both badly out of date and not
really getting tested.
Alex
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 19:34 ` Alexander Kanavin
2017-05-10 19:53 ` Davis, Michael
@ 2017-05-10 20:35 ` Khem Raj
2017-05-10 20:48 ` Davis, Michael
1 sibling, 1 reply; 30+ messages in thread
From: Khem Raj @ 2017-05-10 20:35 UTC (permalink / raw)
To: Alexander Kanavin, Gary Thomas, openembedded-core
[-- Attachment #1: Type: text/plain, Size: 1897 bytes --]
On Wed, May 10, 2017 at 12:34 PM Alexander Kanavin <
alexander.kanavin@linux.intel.com> wrote:
> On 05/10/2017 09:56 PM, Gary Thomas wrote:
> > Why not do this in a "softer" way - make the new 1.1 package have the
> > obscured name (and not be preferred by default)? That way existing
> > uses of the older 1.0 package can continue but users can migrate to
> > 1.1 as they see fit?
>
> I have an answer which you might not particularly like. But here goes:
>
> What will actually happen is that no one will do anything to port their
> stuff until it's time to remove 1.0 because upstream has EOLd it. And
> then there'll still be complaints that more time is needed for the
> transition. I'd like to gently push people to plan this transition
> already now - and it's as gentle as it can be: if you pull from master
> and your things no longer build, make one simple change and they will.
> It's part and parcel of being on the bleeding edge, or rebasing to the
> new yocto release: not everything works exactly as before, and most
> components are newer and different and not always fully compatible.
It is a cross distro item really we should find out what other Linux
distributions are doing about it moving forward unless major distros also
have same policy there won't be much momentum this would gain among the
packages ecosystems this could also help in sharing the porting burden
>
>
> The other reason is that it's more work for me: I would have to update
> everything in oe-core to use the new recipe, instead of fixing just a
> few recipes that need to stay with 1.0. And then again the same thing
> will happen when 1.2 is out.
>
> Alex
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
[-- Attachment #2: Type: text/html, Size: 2572 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 20:35 ` Khem Raj
@ 2017-05-10 20:48 ` Davis, Michael
2017-05-10 21:08 ` Khem Raj
0 siblings, 1 reply; 30+ messages in thread
From: Davis, Michael @ 2017-05-10 20:48 UTC (permalink / raw)
To: Khem Raj, Alexander Kanavin, Gary Thomas, openembedded-core
[-- Attachment #1: Type: text/plain, Size: 2329 bytes --]
I think most of the major distros have either switched or are in the process this year.
From: openembedded-core-bounces@lists.openembedded.org [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of Khem Raj
Sent: Wednesday, May 10, 2017 3:36 PM
To: Alexander Kanavin; Gary Thomas; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [RFC PATCH 00/10] Add openssl 1.1
On Wed, May 10, 2017 at 12:34 PM Alexander Kanavin <alexander.kanavin@linux.intel.com<mailto:alexander.kanavin@linux.intel.com>> wrote:
On 05/10/2017 09:56 PM, Gary Thomas wrote:
> Why not do this in a "softer" way - make the new 1.1 package have the
> obscured name (and not be preferred by default)? That way existing
> uses of the older 1.0 package can continue but users can migrate to
> 1.1 as they see fit?
I have an answer which you might not particularly like. But here goes:
What will actually happen is that no one will do anything to port their
stuff until it's time to remove 1.0 because upstream has EOLd it. And
then there'll still be complaints that more time is needed for the
transition. I'd like to gently push people to plan this transition
already now - and it's as gentle as it can be: if you pull from master
and your things no longer build, make one simple change and they will.
It's part and parcel of being on the bleeding edge, or rebasing to the
new yocto release: not everything works exactly as before, and most
components are newer and different and not always fully compatible.
It is a cross distro item really we should find out what other Linux distributions are doing about it moving forward unless major distros also have same policy there won't be much momentum this would gain among the packages ecosystems this could also help in sharing the porting burden
The other reason is that it's more work for me: I would have to update
everything in oe-core to use the new recipe, instead of fixing just a
few recipes that need to stay with 1.0. And then again the same thing
will happen when 1.2 is out.
Alex
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org<mailto:Openembedded-core@lists.openembedded.org>
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[-- Attachment #2: Type: text/html, Size: 5951 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 20:48 ` Davis, Michael
@ 2017-05-10 21:08 ` Khem Raj
2017-05-11 7:44 ` Alexander Kanavin
2017-05-12 18:15 ` Denys Dmytriyenko
0 siblings, 2 replies; 30+ messages in thread
From: Khem Raj @ 2017-05-10 21:08 UTC (permalink / raw)
To: Davis, Michael; +Cc: Gary Thomas, openembedded-core
On Wed, May 10, 2017 at 1:48 PM, Davis, Michael
<michael.davis@essvote.com> wrote:
> I think most of the major distros have either switched or are in the process
> this year.
>
are there some info on the policy decisions of other distros ?
we should try to follow the suite then
>
>
>
>
>
>
> From: openembedded-core-bounces@lists.openembedded.org
> [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of Khem
> Raj
> Sent: Wednesday, May 10, 2017 3:36 PM
> To: Alexander Kanavin; Gary Thomas; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [RFC PATCH 00/10] Add openssl 1.1
>
>
>
>
>
> On Wed, May 10, 2017 at 12:34 PM Alexander Kanavin
> <alexander.kanavin@linux.intel.com> wrote:
>
> On 05/10/2017 09:56 PM, Gary Thomas wrote:
>> Why not do this in a "softer" way - make the new 1.1 package have the
>> obscured name (and not be preferred by default)? That way existing
>> uses of the older 1.0 package can continue but users can migrate to
>> 1.1 as they see fit?
>
> I have an answer which you might not particularly like. But here goes:
>
> What will actually happen is that no one will do anything to port their
> stuff until it's time to remove 1.0 because upstream has EOLd it. And
> then there'll still be complaints that more time is needed for the
> transition. I'd like to gently push people to plan this transition
> already now - and it's as gentle as it can be: if you pull from master
> and your things no longer build, make one simple change and they will.
> It's part and parcel of being on the bleeding edge, or rebasing to the
> new yocto release: not everything works exactly as before, and most
> components are newer and different and not always fully compatible.
>
>
>
>
>
> It is a cross distro item really we should find out what other Linux
> distributions are doing about it moving forward unless major distros also
> have same policy there won't be much momentum this would gain among the
> packages ecosystems this could also help in sharing the porting burden
>
>
>
> The other reason is that it's more work for me: I would have to update
> everything in oe-core to use the new recipe, instead of fixing just a
> few recipes that need to stay with 1.0. And then again the same thing
> will happen when 1.2 is out.
>
> Alex
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 21:08 ` Khem Raj
@ 2017-05-11 7:44 ` Alexander Kanavin
2017-05-13 0:17 ` akuster808
2017-05-12 18:15 ` Denys Dmytriyenko
1 sibling, 1 reply; 30+ messages in thread
From: Alexander Kanavin @ 2017-05-11 7:44 UTC (permalink / raw)
To: Khem Raj, Davis, Michael; +Cc: Gary Thomas, openembedded-core
On 05/11/2017 12:08 AM, Khem Raj wrote:
> On Wed, May 10, 2017 at 1:48 PM, Davis, Michael
> <michael.davis@essvote.com> wrote:
>> I think most of the major distros have either switched or are in the process
>> this year.
>>
>
> are there some info on the policy decisions of other distros ?
> we should try to follow the suite then
Both Fedora and Debian default to 1.1 in their upcoming versions. 1.0 is
provided only as a legacy package. So same as here.
Alex
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [OE-core] [RFC PATCH 00/10] Add openssl 1.1
2017-05-11 7:44 ` Alexander Kanavin
@ 2017-05-13 0:17 ` akuster808
0 siblings, 0 replies; 30+ messages in thread
From: akuster808 @ 2017-05-13 0:17 UTC (permalink / raw)
To: openembedded-core, yocto
On 05/11/2017 12:44 AM, Alexander Kanavin wrote:
> On 05/11/2017 12:08 AM, Khem Raj wrote:
>> On Wed, May 10, 2017 at 1:48 PM, Davis, Michael
>> <michael.davis@essvote.com> wrote:
>>> I think most of the major distros have either switched or are in the
>>> process
>>> this year.
>>>
>>
>> are there some info on the policy decisions of other distros ?
>> we should try to follow the suite then
>
> Both Fedora and Debian default to 1.1 in their upcoming versions. 1.0
> is provided only as a legacy package. So same as here.
I recommend members of the Yocto project to chime in as most are
commercial entities and may have reasons they want Poky to stay on an
LTS openssl version. OE can decide to do something different. That
should be possible. Is this an OE TSC issue??
- armin
>
> Alex
>
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
@ 2017-05-13 0:17 ` akuster808
0 siblings, 0 replies; 30+ messages in thread
From: akuster808 @ 2017-05-13 0:17 UTC (permalink / raw)
To: openembedded-core, yocto
On 05/11/2017 12:44 AM, Alexander Kanavin wrote:
> On 05/11/2017 12:08 AM, Khem Raj wrote:
>> On Wed, May 10, 2017 at 1:48 PM, Davis, Michael
>> <michael.davis@essvote.com> wrote:
>>> I think most of the major distros have either switched or are in the
>>> process
>>> this year.
>>>
>>
>> are there some info on the policy decisions of other distros ?
>> we should try to follow the suite then
>
> Both Fedora and Debian default to 1.1 in their upcoming versions. 1.0
> is provided only as a legacy package. So same as here.
I recommend members of the Yocto project to chime in as most are
commercial entities and may have reasons they want Poky to stay on an
LTS openssl version. OE can decide to do something different. That
should be possible. Is this an OE TSC issue??
- armin
>
> Alex
>
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 21:08 ` Khem Raj
2017-05-11 7:44 ` Alexander Kanavin
@ 2017-05-12 18:15 ` Denys Dmytriyenko
2017-05-12 18:33 ` Khem Raj
1 sibling, 1 reply; 30+ messages in thread
From: Denys Dmytriyenko @ 2017-05-12 18:15 UTC (permalink / raw)
To: Khem Raj; +Cc: openembedded-core, Gary Thomas
On Wed, May 10, 2017 at 02:08:26PM -0700, Khem Raj wrote:
> On Wed, May 10, 2017 at 1:48 PM, Davis, Michael
> <michael.davis@essvote.com> wrote:
> > I think most of the major distros have either switched or are in the process
> > this year.
> >
>
> are there some info on the policy decisions of other distros ?
> we should try to follow the suite then
Khem,
https://wiki.debian.org/OpenSSL-1.1
Binary packages have X.Y version in the package name:
libssl1.1_1.1.0c-2~bpo8+1_amd64.deb
libssl1.0.0_1.0.2k-1~bpo8+1_amd64.deb
As of OE, we've handled such updates with incompatible API in the past
similarly - gstreamer vs. gstreamer010
--
Denys
> > From: openembedded-core-bounces@lists.openembedded.org
> > [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of Khem
> > Raj
> > Sent: Wednesday, May 10, 2017 3:36 PM
> > To: Alexander Kanavin; Gary Thomas; openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core] [RFC PATCH 00/10] Add openssl 1.1
> >
> >
> >
> >
> >
> > On Wed, May 10, 2017 at 12:34 PM Alexander Kanavin
> > <alexander.kanavin@linux.intel.com> wrote:
> >
> > On 05/10/2017 09:56 PM, Gary Thomas wrote:
> >> Why not do this in a "softer" way - make the new 1.1 package have the
> >> obscured name (and not be preferred by default)? That way existing
> >> uses of the older 1.0 package can continue but users can migrate to
> >> 1.1 as they see fit?
> >
> > I have an answer which you might not particularly like. But here goes:
> >
> > What will actually happen is that no one will do anything to port their
> > stuff until it's time to remove 1.0 because upstream has EOLd it. And
> > then there'll still be complaints that more time is needed for the
> > transition. I'd like to gently push people to plan this transition
> > already now - and it's as gentle as it can be: if you pull from master
> > and your things no longer build, make one simple change and they will.
> > It's part and parcel of being on the bleeding edge, or rebasing to the
> > new yocto release: not everything works exactly as before, and most
> > components are newer and different and not always fully compatible.
> >
> >
> >
> >
> >
> > It is a cross distro item really we should find out what other Linux
> > distributions are doing about it moving forward unless major distros also
> > have same policy there won't be much momentum this would gain among the
> > packages ecosystems this could also help in sharing the porting burden
> >
> >
> >
> > The other reason is that it's more work for me: I would have to update
> > everything in oe-core to use the new recipe, instead of fixing just a
> > few recipes that need to stay with 1.0. And then again the same thing
> > will happen when 1.2 is out.
> >
> > Alex
> > --
> > _______________________________________________
> > Openembedded-core mailing list
> > Openembedded-core@lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-core
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-12 18:15 ` Denys Dmytriyenko
@ 2017-05-12 18:33 ` Khem Raj
0 siblings, 0 replies; 30+ messages in thread
From: Khem Raj @ 2017-05-12 18:33 UTC (permalink / raw)
To: Denys Dmytriyenko; +Cc: openembedded-core, Gary Thomas
On Fri, May 12, 2017 at 11:15 AM, Denys Dmytriyenko <denis@denix.org> wrote:
> On Wed, May 10, 2017 at 02:08:26PM -0700, Khem Raj wrote:
>> On Wed, May 10, 2017 at 1:48 PM, Davis, Michael
>> <michael.davis@essvote.com> wrote:
>> > I think most of the major distros have either switched or are in the process
>> > this year.
>> >
>>
>> are there some info on the policy decisions of other distros ?
>> we should try to follow the suite then
>
> Khem,
>
> https://wiki.debian.org/OpenSSL-1.1
>
> Binary packages have X.Y version in the package name:
> libssl1.1_1.1.0c-2~bpo8+1_amd64.deb
> libssl1.0.0_1.0.2k-1~bpo8+1_amd64.deb
>
> As of OE, we've handled such updates with incompatible API in the past
> similarly - gstreamer vs. gstreamer010
yes we have, my point was if were flying against the headwind
or not,
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [RFC PATCH 00/10] Add openssl 1.1
2017-05-10 14:13 [RFC PATCH 00/10] Add openssl 1.1 Alexander Kanavin
` (10 preceding siblings ...)
2017-05-10 15:02 ` [RFC PATCH 00/10] Add openssl 1.1 Davis, Michael
@ 2017-05-10 15:39 ` akuster808
11 siblings, 0 replies; 30+ messages in thread
From: akuster808 @ 2017-05-10 15:39 UTC (permalink / raw)
To: Alexander Kanavin, openembedded-core
On 05/10/2017 07:13 AM, Alexander Kanavin wrote:
> This patch series introduces the recipe for openssl 1.1 (openssl 1.0 is preserved
> but renamed to openssl10), and does a few necessary adjustmenets and updates to other
> recipes. The reason it's marked RFC is that there is one known remaining issue to
> resolve: specifically, u-boot needs to be ported to 1.1 before this series can be
> merged, otherwise there's a dependency conflict when building native u-boot. This
> should be resolved quite soon, but it isn't yet (as of u-boot v2017.05).
>
> Openssl 1.1 is an opt-out; it has the same recipe name as openssl 1.0 had, and so
> all dependencies are compiled with it by default. If there's an API issue, please
> fix it, or adjust the recipe to depend on 'openssl10' (which is a lesser solution,
> and subject to openssl 1.0 eventually being removed from oe-core).
>
> Please review the following changes for suitability for inclusion. If you have
> any objections or suggestions for improvement, please respond to the patches. If
> you agree with the changes, please provide your Acked-by
Acked-by: Armin Kuster <akuster@mvista.com>
> .
>
> The following changes since commit 381897c64069ea43d595380a3ae913bcc79cf7e1:
>
> build-appliance-image: Update to master head revision (2017-05-01 08:56:47 +0100)
>
> are available in the git repository at:
>
> git://git.yoctoproject.org/poky-contrib akanavin/openssl-1.1
> http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=akanavin/openssl-1.1
>
> Alexander Kanavin (10):
> python: update to 3.5.3
> openssl: add a 1.1 version
> u-boot-mkimage: depend on openssl 1.0
> bind: fix upstream version check
> bind: update to 9.10.5
> openssh: depend on openssl 1.0
> apr-util: add support for openssl 1.1 via backported patch
> cryptodev-tests: depend on openssl 1.0
> mailx: depend on openssl 1.0
> gstreamer-plugins-bad: replace openssl dependency with nettle for hls
> plugin
>
> meta/conf/distro/include/no-static-libs.inc | 3 +
> meta/conf/distro/include/security_flags.inc | 2 +-
> meta/recipes-bsp/u-boot/u-boot-mkimage_2017.01.bb | 2 +-
> ...0001-build-use-pkg-config-to-find-libxml2.patch | 14 +-
> ...=> 0001-confgen-don-t-build-unix.o-twice.patch} | 17 +-
> .../bind/bind/CVE-2016-1285.patch | 154 ----------
> .../bind/bind/CVE-2016-1286_1.patch | 79 -----
> .../bind/bind/CVE-2016-1286_2.patch | 317 ---------------------
> .../bind/bind/CVE-2016-2088.patch | 247 ----------------
> .../bind/bind/CVE-2016-2775.patch | 90 ------
> .../bind/bind/CVE-2016-2776.patch | 123 --------
> .../bind/bind/mips1-not-support-opcode.diff | 104 -------
> .../bind/{bind_9.10.3-P3.bb => bind_9.10.5.bb} | 27 +-
> meta/recipes-connectivity/openssh/openssh_7.4p1.bb | 3 +-
> ...ve-test-that-requires-running-as-non-root.patch | 49 ++++
> ...1-Take-linking-flags-from-LDFLAGS-env-var.patch | 43 +++
> .../recipes-connectivity/openssl/openssl/run-ptest | 4 +-
> .../openssl/{openssl.inc => openssl10.inc} | 14 +-
> ...build-with-clang-using-external-assembler.patch | 0
> .../{openssl => openssl10}/Makefiles-ptest.patch | 0
> .../Use-SHA256-not-MD5-as-default-digest.patch | 0
> .../configure-musl-target.patch | 0
> .../{openssl => openssl10}/configure-targets.patch | 0
> .../debian/c_rehash-compat.patch | 0
> .../openssl/{openssl => openssl10}/debian/ca.patch | 0
> .../debian/debian-targets.patch | 0
> .../{openssl => openssl10}/debian/man-dir.patch | 0
> .../debian/man-section.patch | 0
> .../{openssl => openssl10}/debian/no-rpath.patch | 0
> .../debian/no-symbolic.patch | 0
> .../{openssl => openssl10}/debian/pic.patch | 0
> .../debian/version-script.patch | 0
> .../debian1.0.2/block_digicert_malaysia.patch | 0
> .../debian1.0.2/block_diginotar.patch | 0
> .../debian1.0.2/version-script.patch | 0
> .../engines-install-in-libdir-ssl.patch | 0
> .../openssl/{openssl => openssl10}/find.pl | 0
> .../fix-cipher-des-ede3-cfb1.patch | 0
> .../{openssl => openssl10}/oe-ldflags.patch | 0
> .../openssl-1.0.2a-x32-asm.patch | 0
> ...-pointer-dereference-in-EVP_DigestInit_ex.patch | 0
> .../{openssl => openssl10}/openssl-c_rehash.sh | 0
> .../openssl-fix-des.pod-error.patch | 0
> .../openssl-util-perlpath.pl-cwd.patch | 0
> .../openssl_fix_for_x32.patch | 0
> .../openssl/{openssl => openssl10}/parallel.patch | 0
> .../{openssl => openssl10}/ptest-deps.patch | 0
> .../ptest_makefile_deps.patch | 0
> .../openssl/openssl10/run-ptest | 2 +
> .../{openssl => openssl10}/shared-libs.patch | 0
> .../{openssl_1.0.2k.bb => openssl10_1.0.2k.bb} | 4 +-
> .../recipes-connectivity/openssl/openssl_1.1.0e.bb | 146 ++++++++++
> ...on3-native_3.5.2.bb => python3-native_3.5.3.bb} | 8 +-
> ...the-shell-version-of-python-config-that-w.patch | 10 +-
> ...pile.patch => 0001-cross-compile-support.patch} | 56 ++--
> .../python3/python3-fix-CVE-2016-1000110.patch | 148 ----------
> .../python/python3/upstream-random-fixes.patch | 288 +++++++++----------
> .../python/{python3_3.5.2.bb => python3_3.5.3.bb} | 9 +-
> meta/recipes-extended/mailx/mailx_12.5-5.bb | 2 +-
> .../cryptodev/cryptodev-tests_1.8.bb | 2 +-
> .../gstreamer/gstreamer1.0-plugins-bad.inc | 4 +-
> .../recipes-support/apr/apr-util/openssl-1.1.patch | 253 ++++++++++++++++
> meta/recipes-support/apr/apr-util_1.5.4.bb | 1 +
> 63 files changed, 732 insertions(+), 1493 deletions(-)
> rename meta/recipes-connectivity/bind/bind/{bind-confgen-build-unix.o-once.patch => 0001-confgen-don-t-build-unix.o-twice.patch} (80%)
> delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
> delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
> delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
> delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
> delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
> delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
> delete mode 100644 meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
> rename meta/recipes-connectivity/bind/{bind_9.10.3-P3.bb => bind_9.10.5.bb} (82%)
> create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch
> create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
> mode change 100755 => 100644 meta/recipes-connectivity/openssl/openssl/run-ptest
> rename meta/recipes-connectivity/openssl/{openssl.inc => openssl10.inc} (95%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/Makefiles-ptest.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/configure-musl-target.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/configure-targets.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/c_rehash-compat.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/ca.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/debian-targets.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/man-dir.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/man-section.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/no-rpath.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/no-symbolic.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/pic.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian/version-script.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian1.0.2/block_digicert_malaysia.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian1.0.2/block_diginotar.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/debian1.0.2/version-script.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/engines-install-in-libdir-ssl.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/find.pl (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/fix-cipher-des-ede3-cfb1.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/oe-ldflags.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl-1.0.2a-x32-asm.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl-c_rehash.sh (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl-fix-des.pod-error.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl-util-perlpath.pl-cwd.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/openssl_fix_for_x32.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/parallel.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/ptest-deps.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/ptest_makefile_deps.patch (100%)
> create mode 100755 meta/recipes-connectivity/openssl/openssl10/run-ptest
> rename meta/recipes-connectivity/openssl/{openssl => openssl10}/shared-libs.patch (100%)
> rename meta/recipes-connectivity/openssl/{openssl_1.0.2k.bb => openssl10_1.0.2k.bb} (97%)
> create mode 100644 meta/recipes-connectivity/openssl/openssl_1.1.0e.bb
> rename meta/recipes-devtools/python/{python3-native_3.5.2.bb => python3-native_3.5.3.bb} (90%)
> rename meta/recipes-devtools/python/python3/{000-cross-compile.patch => 0001-cross-compile-support.patch} (65%)
> delete mode 100644 meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
> rename meta/recipes-devtools/python/{python3_3.5.2.bb => python3_3.5.3.bb} (96%)
> create mode 100644 meta/recipes-support/apr/apr-util/openssl-1.1.patch
>
^ permalink raw reply [flat|nested] 30+ messages in thread