* [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version
@ 2018-04-10 12:07 Alexander Kanavin
  2018-04-10 12:07 ` [RFC][PATCH 2/5] cryptodev-tests: port to openssl 1.1 Alexander Kanavin
                   ` (5 more replies)
  0 siblings, 6 replies; 14+ messages in thread
From: Alexander Kanavin @ 2018-04-10 12:07 UTC (permalink / raw)
  To: openembedded-core

I believe the time has come to do this: openssl 1.0 upstream support stops at the end
of 2019, and we do not want a situation where a supported YP release contains an
unsupported version of a critical security component.

Openssl 1.0 can still be utilized by depending on the 'openssl10' recipe.

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 meta/conf/distro/include/default-versions.inc           |  3 ---
 meta/conf/distro/include/maintainers.inc                |  1 +
 meta/recipes-connectivity/openssl/openssl10.inc         | 17 +++++++++++++++--
 ...-Fix-build-with-clang-using-external-assembler.patch |  0
 ...001-openssl-force-soft-link-to-avoid-rare-race.patch |  0
 .../{openssl-1.0.2o => openssl10}/Makefiles-ptest.patch |  0
 .../Use-SHA256-not-MD5-as-default-digest.patch          |  0
 .../configure-musl-target.patch                         |  0
 .../configure-targets.patch                             |  0
 .../debian/c_rehash-compat.patch                        |  0
 .../{openssl-1.0.2o => openssl10}/debian/ca.patch       |  0
 .../debian/debian-targets.patch                         |  0
 .../{openssl-1.0.2o => openssl10}/debian/man-dir.patch  |  0
 .../debian/man-section.patch                            |  0
 .../{openssl-1.0.2o => openssl10}/debian/no-rpath.patch |  0
 .../debian/no-symbolic.patch                            |  0
 .../{openssl-1.0.2o => openssl10}/debian/pic.patch      |  0
 .../debian1.0.2/block_digicert_malaysia.patch           |  0
 .../debian1.0.2/block_diginotar.patch                   |  0
 .../debian1.0.2/soname.patch                            |  0
 .../debian1.0.2/version-script.patch                    |  0
 .../engines-install-in-libdir-ssl.patch                 |  0
 .../openssl/{openssl-1.0.2o => openssl10}/find.pl       |  0
 .../{openssl-1.0.2o => openssl10}/oe-ldflags.patch      |  0
 .../{openssl-1.0.2o => openssl10}/openssl-c_rehash.sh   |  0
 .../openssl-fix-des.pod-error.patch                     |  0
 .../openssl-util-perlpath.pl-cwd.patch                  |  0
 .../openssl_fix_for_x32.patch                           |  0
 .../{openssl-1.0.2o => openssl10}/parallel.patch        |  0
 .../{openssl-1.0.2o => openssl10}/ptest-deps.patch      |  0
 .../ptest_makefile_deps.patch                           |  0
 .../reproducible-cflags.patch                           |  0
 .../reproducible-mkbuildinf.patch                       |  0
 .../openssl/{openssl-1.0.2o => openssl10}/run-ptest     |  0
 .../{openssl-1.0.2o => openssl10}/shared-libs.patch     |  0
 .../openssl/{openssl_1.0.2o.bb => openssl10_1.0.2o.bb}  |  0
 36 files changed, 16 insertions(+), 5 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/0001-openssl-force-soft-link-to-avoid-rare-race.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/Makefiles-ptest.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/configure-musl-target.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/configure-targets.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian/c_rehash-compat.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian/ca.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian/debian-targets.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian/man-dir.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian/man-section.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian/no-rpath.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian/no-symbolic.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian/pic.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian1.0.2/block_digicert_malaysia.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian1.0.2/block_diginotar.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian1.0.2/soname.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/debian1.0.2/version-script.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/engines-install-in-libdir-ssl.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/find.pl (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/oe-ldflags.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/openssl-c_rehash.sh (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/openssl-fix-des.pod-error.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/openssl-util-perlpath.pl-cwd.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/openssl_fix_for_x32.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/parallel.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/ptest-deps.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/ptest_makefile_deps.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/reproducible-cflags.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/reproducible-mkbuildinf.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/run-ptest (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2o => openssl10}/shared-libs.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl_1.0.2o.bb => openssl10_1.0.2o.bb} (100%)

diff --git a/meta/conf/distro/include/default-versions.inc b/meta/conf/distro/include/default-versions.inc
index 868073843af..a6f331350eb 100644
--- a/meta/conf/distro/include/default-versions.inc
+++ b/meta/conf/distro/include/default-versions.inc
@@ -2,6 +2,3 @@
 # Default preferred versions
 #
 
-PREFERRED_VERSION_openssl = "1.0.%"
-PREFERRED_VERSION_openssl-native = "1.0.%"
-PREFERRED_VERSION_nativesdk-openssl = "1.0.%"
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 48aff9537e4..271d176ed42 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -544,6 +544,7 @@ RECIPE_MAINTAINER_pn-ofono = "Maxin B. John <maxin.john@intel.com>"
 RECIPE_MAINTAINER_pn-oh-puzzles = "Maxin B. John <maxin.john@intel.com>"
 RECIPE_MAINTAINER_pn-openssh = "Armin Kuster <akuster@mvista.com>"
 RECIPE_MAINTAINER_pn-openssl = "Alexander Kanavin <alexander.kanavin@intel.com>"
+RECIPE_MAINTAINER_pn-openssl10 = "Alexander Kanavin <alexander.kanavin@intel.com>"
 RECIPE_MAINTAINER_pn-opkg = "Alejandro del Castillo <alejandro.delcastillo@ni.com>"
 RECIPE_MAINTAINER_pn-opkg-arch-config = "Alejandro del Castillo <alejandro.delcastillo@ni.com>"
 RECIPE_MAINTAINER_pn-opkg-keyrings = "Alejandro del Castillo <alejandro.delcastillo@ni.com>"
diff --git a/meta/recipes-connectivity/openssl/openssl10.inc b/meta/recipes-connectivity/openssl/openssl10.inc
index 645d64ec85e..4e0d5857172 100644
--- a/meta/recipes-connectivity/openssl/openssl10.inc
+++ b/meta/recipes-connectivity/openssl/openssl10.inc
@@ -11,8 +11,6 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8"
 DEPENDS = "makedepend-native hostperl-runtime-native"
 DEPENDS_append_class-target = " openssl-native"
 
-PROVIDES += "openssl10"
-
 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           "
 S = "${WORKDIR}/openssl-${PV}"
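Review bot: The unchanged context line DEPENDS_append_class-target = " openssl-native" at the top of this hunk needs a decision now that the recipe is renamed: once "openssl" resolves to 1.1.x, the target openssl10 build depends on the 1.1 native recipe rather than on its own native variant. If the 1.0 build needs matching native tooling this should become " openssl10-native"; if any native openssl is acceptable, say so in a comment. Dropping PROVIDES += "openssl10" looks fine, since the rename to openssl10_1.0.2o.bb already gives the recipe that name.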
@@ -283,3 +281,18 @@ do_install_append_class-native() {
 
 BBCLASSEXTEND = "native nativesdk"
 
+PACKAGE_PREPROCESS_FUNCS += "openssl_package_preprocess"
+
+# openssl 1.0 development files and executable binaries clash with openssl 1.1
+# files when installed into target rootfs. So we don't put them into
+# packages, but they continue to be provided via target sysroot for
+# cross-compilation on the host, if some software still depends on openssl 1.0.
+openssl_package_preprocess () {
+        for file in `find ${PKGD} -name *.h -o -name *.pc -o -name *.so`; do
+                rm $file
+        done
+        rm ${PKGD}/usr/bin/openssl
+        rm ${PKGD}/usr/bin/c_rehash
+        rmdir ${PKGD}/usr/bin
+
+}
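Review bot: The find call in openssl_package_preprocess passes -name *.h, *.pc and *.so unquoted, so the shell can expand them against the current directory before find sees them; quote the patterns and let find do the removal (for example -type f with -delete, or -exec rm -f {} +) instead of looping over backtick output, which also splits on whitespace. The function hardcodes ${PKGD}/usr/bin where ${bindir} should be used, and the context line BBCLASSEXTEND = "native nativesdk" means this runs for variants whose paths differ, where the plain rm and rmdir calls fail the task. Use rm -f for the two binaries and only rmdir when the directory is empty, so an unexpected extra file in bindir is reported rather than breaking packaging in a confusing way.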
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/0001-Fix-build-with-clang-using-external-assembler.patch b/meta/recipes-connectivity/openssl/openssl10/0001-Fix-build-with-clang-using-external-assembler.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/0001-Fix-build-with-clang-using-external-assembler.patch
rename to meta/recipes-connectivity/openssl/openssl10/0001-Fix-build-with-clang-using-external-assembler.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/0001-openssl-force-soft-link-to-avoid-rare-race.patch b/meta/recipes-connectivity/openssl/openssl10/0001-openssl-force-soft-link-to-avoid-rare-race.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/0001-openssl-force-soft-link-to-avoid-rare-race.patch
rename to meta/recipes-connectivity/openssl/openssl10/0001-openssl-force-soft-link-to-avoid-rare-race.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/Makefiles-ptest.patch b/meta/recipes-connectivity/openssl/openssl10/Makefiles-ptest.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/Makefiles-ptest.patch
rename to meta/recipes-connectivity/openssl/openssl10/Makefiles-ptest.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/Use-SHA256-not-MD5-as-default-digest.patch b/meta/recipes-connectivity/openssl/openssl10/Use-SHA256-not-MD5-as-default-digest.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/Use-SHA256-not-MD5-as-default-digest.patch
rename to meta/recipes-connectivity/openssl/openssl10/Use-SHA256-not-MD5-as-default-digest.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/configure-musl-target.patch b/meta/recipes-connectivity/openssl/openssl10/configure-musl-target.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/configure-musl-target.patch
rename to meta/recipes-connectivity/openssl/openssl10/configure-musl-target.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/configure-targets.patch b/meta/recipes-connectivity/openssl/openssl10/configure-targets.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/configure-targets.patch
rename to meta/recipes-connectivity/openssl/openssl10/configure-targets.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/c_rehash-compat.patch b/meta/recipes-connectivity/openssl/openssl10/debian/c_rehash-compat.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/c_rehash-compat.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/c_rehash-compat.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/ca.patch b/meta/recipes-connectivity/openssl/openssl10/debian/ca.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/ca.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/ca.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/debian-targets.patch b/meta/recipes-connectivity/openssl/openssl10/debian/debian-targets.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/debian-targets.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/debian-targets.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/man-dir.patch b/meta/recipes-connectivity/openssl/openssl10/debian/man-dir.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/man-dir.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/man-dir.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/man-section.patch b/meta/recipes-connectivity/openssl/openssl10/debian/man-section.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/man-section.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/man-section.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/no-rpath.patch b/meta/recipes-connectivity/openssl/openssl10/debian/no-rpath.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/no-rpath.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/no-rpath.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/no-symbolic.patch b/meta/recipes-connectivity/openssl/openssl10/debian/no-symbolic.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/no-symbolic.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/no-symbolic.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/pic.patch b/meta/recipes-connectivity/openssl/openssl10/debian/pic.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/pic.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/pic.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian1.0.2/block_digicert_malaysia.patch b/meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_digicert_malaysia.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian1.0.2/block_digicert_malaysia.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_digicert_malaysia.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_diginotar.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian1.0.2/block_diginotar.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_diginotar.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian1.0.2/soname.patch b/meta/recipes-connectivity/openssl/openssl10/debian1.0.2/soname.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian1.0.2/soname.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian1.0.2/soname.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/debian1.0.2/version-script.patch b/meta/recipes-connectivity/openssl/openssl10/debian1.0.2/version-script.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/debian1.0.2/version-script.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian1.0.2/version-script.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/engines-install-in-libdir-ssl.patch b/meta/recipes-connectivity/openssl/openssl10/engines-install-in-libdir-ssl.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/engines-install-in-libdir-ssl.patch
rename to meta/recipes-connectivity/openssl/openssl10/engines-install-in-libdir-ssl.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/find.pl b/meta/recipes-connectivity/openssl/openssl10/find.pl
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/find.pl
rename to meta/recipes-connectivity/openssl/openssl10/find.pl
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/oe-ldflags.patch b/meta/recipes-connectivity/openssl/openssl10/oe-ldflags.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/oe-ldflags.patch
rename to meta/recipes-connectivity/openssl/openssl10/oe-ldflags.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl10/openssl-c_rehash.sh
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/openssl-c_rehash.sh
rename to meta/recipes-connectivity/openssl/openssl10/openssl-c_rehash.sh
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/openssl-fix-des.pod-error.patch b/meta/recipes-connectivity/openssl/openssl10/openssl-fix-des.pod-error.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/openssl-fix-des.pod-error.patch
rename to meta/recipes-connectivity/openssl/openssl10/openssl-fix-des.pod-error.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/openssl-util-perlpath.pl-cwd.patch b/meta/recipes-connectivity/openssl/openssl10/openssl-util-perlpath.pl-cwd.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/openssl-util-perlpath.pl-cwd.patch
rename to meta/recipes-connectivity/openssl/openssl10/openssl-util-perlpath.pl-cwd.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/openssl_fix_for_x32.patch b/meta/recipes-connectivity/openssl/openssl10/openssl_fix_for_x32.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/openssl_fix_for_x32.patch
rename to meta/recipes-connectivity/openssl/openssl10/openssl_fix_for_x32.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/parallel.patch b/meta/recipes-connectivity/openssl/openssl10/parallel.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/parallel.patch
rename to meta/recipes-connectivity/openssl/openssl10/parallel.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/ptest-deps.patch b/meta/recipes-connectivity/openssl/openssl10/ptest-deps.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/ptest-deps.patch
rename to meta/recipes-connectivity/openssl/openssl10/ptest-deps.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/ptest_makefile_deps.patch b/meta/recipes-connectivity/openssl/openssl10/ptest_makefile_deps.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/ptest_makefile_deps.patch
rename to meta/recipes-connectivity/openssl/openssl10/ptest_makefile_deps.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/reproducible-cflags.patch b/meta/recipes-connectivity/openssl/openssl10/reproducible-cflags.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/reproducible-cflags.patch
rename to meta/recipes-connectivity/openssl/openssl10/reproducible-cflags.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/reproducible-mkbuildinf.patch b/meta/recipes-connectivity/openssl/openssl10/reproducible-mkbuildinf.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/reproducible-mkbuildinf.patch
rename to meta/recipes-connectivity/openssl/openssl10/reproducible-mkbuildinf.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/run-ptest b/meta/recipes-connectivity/openssl/openssl10/run-ptest
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/run-ptest
rename to meta/recipes-connectivity/openssl/openssl10/run-ptest
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/shared-libs.patch b/meta/recipes-connectivity/openssl/openssl10/shared-libs.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2o/shared-libs.patch
rename to meta/recipes-connectivity/openssl/openssl10/shared-libs.patch
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2o.bb b/meta/recipes-connectivity/openssl/openssl10_1.0.2o.bb
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl_1.0.2o.bb
rename to meta/recipes-connectivity/openssl/openssl10_1.0.2o.bb
-- 
2.16.1




* [RFC][PATCH 2/5] cryptodev-tests: port to openssl 1.1
  2018-04-10 12:07 [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version Alexander Kanavin
@ 2018-04-10 12:07 ` Alexander Kanavin
  2018-04-10 12:07 ` [RFC][PATCH 3/5] openssl: update to 1.1.1 Alexander Kanavin
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 14+ messages in thread
From: Alexander Kanavin @ 2018-04-10 12:07 UTC (permalink / raw)
  To: openembedded-core

This leaves openssh as the only recipe that requires openssl 1.0 (or libressl).

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 .../cryptodev/cryptodev-tests_1.9.bb               |   3 +-
 .../files/0001-Port-tests-to-openssl-1.1.patch     | 103 +++++++++++++++++++++
 2 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch

diff --git a/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb b/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
index 9afb3de217e..617db6cdd31 100644
--- a/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
+++ b/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
@@ -2,10 +2,11 @@ require cryptodev.inc
 
 SUMMARY = "A test suite for /dev/crypto device driver"
 
-DEPENDS += "openssl10"
+DEPENDS += "openssl"
 
 SRC_URI += " \
 file://0001-Add-the-compile-and-install-rules-for-cryptodev-test.patch \
+file://0001-Port-tests-to-openssl-1.1.patch \
 "
 
 EXTRA_OEMAKE='KERNEL_DIR="${STAGING_EXECPREFIXDIR}" PREFIX="${D}"'
diff --git a/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch b/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
new file mode 100644
index 00000000000..c9691265f6c
--- /dev/null
+++ b/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
@@ -0,0 +1,103 @@
+From 2fe4bdeb8cdd0b0f46d9caed807812855d51ea56 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Wed, 28 Mar 2018 20:11:05 +0300
+Subject: [PATCH] Port tests to openssl 1.1
+
+Upstream-Status: Accepted [https://github.com/cryptodev-linux/cryptodev-linux/pull/36]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+
+---
+ tests/openssl_wrapper.c | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/tests/openssl_wrapper.c b/tests/openssl_wrapper.c
+index 038c58f..dea2496 100644
+--- a/tests/openssl_wrapper.c
++++ b/tests/openssl_wrapper.c
+@@ -4,6 +4,7 @@
+ #include <openssl/aes.h>
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/opensslv.h>
+ 
+ //#define DEBUG
+ 
+@@ -23,10 +24,17 @@ enum ctx_type {
+ 	ctx_type_md,
+ };
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++union openssl_ctx {
++	HMAC_CTX *hmac;
++	EVP_MD_CTX *md;
++};
++#else
+ union openssl_ctx {
+ 	HMAC_CTX hmac;
+ 	EVP_MD_CTX md;
+ };
++#endif
+ 
+ struct ctx_mapping {
+ 	__u32 ses;
+@@ -63,6 +71,16 @@ static void remove_mapping(__u32 ses)
+ 	switch (mapping->type) {
+ 	case ctx_type_none:
+ 		break;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	case ctx_type_hmac:
++		dbgp("%s: calling HMAC_CTX_free\n", __func__);
++		HMAC_CTX_free(mapping->ctx.hmac);
++		break;
++	case ctx_type_md:
++		dbgp("%s: calling EVP_MD_CTX_free\n", __func__);
++		EVP_MD_CTX_free(mapping->ctx.md);
++		break;
++#else
+ 	case ctx_type_hmac:
+ 		dbgp("%s: calling HMAC_CTX_cleanup\n", __func__);
+ 		HMAC_CTX_cleanup(&mapping->ctx.hmac);
+@@ -71,6 +89,7 @@ static void remove_mapping(__u32 ses)
+ 		dbgp("%s: calling EVP_MD_CTX_cleanup\n", __func__);
+ 		EVP_MD_CTX_cleanup(&mapping->ctx.md);
+ 		break;
++#endif
+ 	}
+ 	memset(mapping, 0, sizeof(*mapping));
+ }
+@@ -127,10 +146,17 @@ static int openssl_hmac(struct session_op *sess, struct crypt_op *cop)
+ 
+ 		mapping->ses = sess->ses;
+ 		mapping->type = ctx_type_hmac;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++		ctx = mapping->ctx.hmac;
++
++		dbgp("calling HMAC_CTX_new");
++		ctx = HMAC_CTX_new();
++#else
+ 		ctx = &mapping->ctx.hmac;
+ 
+ 		dbgp("calling HMAC_CTX_init");
+ 		HMAC_CTX_init(ctx);
++#endif
+ 		dbgp("calling HMAC_Init_ex");
+ 		if (!HMAC_Init_ex(ctx, sess->mackey, sess->mackeylen,
+ 				sess_to_evp_md(sess), NULL)) {
+@@ -172,10 +198,17 @@ static int openssl_md(struct session_op *sess, struct crypt_op *cop)
+ 
+ 		mapping->ses = sess->ses;
+ 		mapping->type = ctx_type_md;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++		ctx = mapping->ctx.md;
++
++		dbgp("calling EVP_MD_CTX_new");
++		ctx = EVP_MD_CTX_new();
++#else
+ 		ctx = &mapping->ctx.md;
+ 
+ 		dbgp("calling EVP_MD_CTX_init");
+ 		EVP_MD_CTX_init(ctx);
++#endif
+ 		dbgp("calling EVP_DigestInit");
+ 		EVP_DigestInit(ctx, sess_to_evp_md(sess));
+ 	}
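Review bot: In the OPENSSL_VERSION_NUMBER >= 0x10100000L branches of openssl_hmac() and openssl_md(), the freshly allocated context is assigned only to the local ctx (ctx = mapping->ctx.hmac; followed by ctx = HMAC_CTX_new();, and the same with EVP_MD_CTX_new()), so mapping->ctx.hmac and mapping->ctx.md are never set. remove_mapping() then calls HMAC_CTX_free()/EVP_MD_CTX_free() on the unset pointer and the real context is leaked. Assign the result to the mapping first (mapping->ctx.hmac = HMAC_CTX_new(); ctx = mapping->ctx.hmac;), and check for a NULL return before HMAC_Init_ex()/EVP_DigestInit() are called. Since the embedded patch is marked Upstream-Status: Accepted, the same fix should be sent upstream.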
-- 
2.16.1




* [RFC][PATCH 3/5] openssl: update to 1.1.1
  2018-04-10 12:07 [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version Alexander Kanavin
  2018-04-10 12:07 ` [RFC][PATCH 2/5] cryptodev-tests: port to openssl 1.1 Alexander Kanavin
@ 2018-04-10 12:07 ` Alexander Kanavin
  2018-04-10 21:20   ` Andre McCurdy
  2018-04-10 12:07 ` [RFC][PATCH 4/5] libressl: add a recipe to support openssh Alexander Kanavin
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 14+ messages in thread
From: Alexander Kanavin @ 2018-04-10 12:07 UTC (permalink / raw)
  To: openembedded-core

At the moment 1.1.1 is in pre-release stage, however the final release
should be available within a few weeks. The major selling point is that
it supports the new TLS 1.3 specification. At the moment it is not clear
whether this also will be a long term support version of openssl;
we can make the decision to merge this version once that is made clear
by upstream. More information:

https://www.openssl.org/policies/releasestrat.html

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 ...1-Take-linking-flags-from-LDFLAGS-env-var.patch | 43 ----------------------
 .../{openssl_1.1.0h.bb => openssl_1.1.1-pre4.bb}   | 21 +++++------
 2 files changed, 10 insertions(+), 54 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
 rename meta/recipes-connectivity/openssl/{openssl_1.1.0h.bb => openssl_1.1.1-pre4.bb} (83%)

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch b/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
deleted file mode 100644
index 6ce4e47d712..00000000000
--- a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 08face4353d80111973aba9c1304c92158cfad0e Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Tue, 28 Mar 2017 16:40:12 +0300
-Subject: [PATCH] Take linking flags from LDFLAGS env var
-
-This fixes "No GNU_HASH in the elf binary" issues.
-
-Upstream-Status: Inappropriate [oe-core specific]
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- Configurations/unix-Makefile.tmpl | 2 +-
- Configure                         | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index c029817..43b769b 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -173,7 +173,7 @@ CROSS_COMPILE= {- $config{cross_compile_prefix} -}
- CC= $(CROSS_COMPILE){- $target{cc} -}
- CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
- CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
--LDFLAGS= {- $target{lflags} -}
-+LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -}
- PLIB_LDFLAGS= {- $target{plib_lflags} -}
- EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -}
- LIB_CFLAGS={- $target{shared_cflag} || "" -}
-diff --git a/Configure b/Configure
-index aee7cc3..274d236 100755
---- a/Configure
-+++ b/Configure
-@@ -979,7 +979,7 @@ $config{build_file} = $target{build_file};
- $config{defines} = [];
- $config{cflags} = "";
- $config{ex_libs} = "";
--$config{shared_ldflag} = "";
-+$config{shared_ldflag} = $ENV{'LDFLAGS'};
- 
- # Make sure build_scheme is consistent.
- $target{build_scheme} = [ $target{build_scheme} ]
--- 
-2.11.0
-
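Review bot: The commit message does not say why 0001-Take-linking-flags-from-LDFLAGS-env-var.patch can be deleted. Its header records that it fixed "No GNU_HASH in the elf binary" issues, so please state what in 1.1.1-pre4 makes it unnecessary and confirm that the build still picks up LDFLAGS from the environment without it.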
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre4.bb
similarity index 83%
rename from meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1-pre4.bb
index 94b75eb92a8..859362f7afe 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre4.bb
@@ -10,13 +10,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=d57d511030c9d66ef5f5966bee5a7eff"
 
 BBCLASSEXTEND = "native nativesdk"
 
-SRC_URI[md5sum] = "5271477e4d93f4ea032b665ef095ff24"
-SRC_URI[sha256sum] = "5835626cde9e99656585fc7aaa2302a73a7e1340bf8c14fd635a62c66802a517"
+SRC_URI[md5sum] = "07c3f6831fb6dfe975795ef7bbbee9fc"
+SRC_URI[sha256sum] = "df2d5fcc2a878525611c75b9e9116fbcfbce8d9b96419a16eda5fb11ecc428f6"
 
 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://openssl-c_rehash.sh \
-           file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
            "
 
 S = "${WORKDIR}/openssl-${PV}"
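Review bot: The SRC_URI context line in this hunk still fetches the tarball over plain http://, which leaves the two checksums updated here as the only integrity control on a pre-release tarball. Consider switching the URL to https:// while this block is being touched, and mention in the commit message what the new md5sum and sha256sum values were checked against.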
@@ -114,20 +113,20 @@ do_configure () {
         if [ "x$useprefix" = "x" ]; then
                 useprefix=/
         fi
-	libdirleaf="$(echo ${libdir} | sed s:$useprefix::)"
-	perl ./Configure ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdirleaf} $target
+        # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
+        # environment variables set by bitbake. Adjust the environment variables instead.
+	perl ./Configure ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
 }
 
-#| engines/afalg/e_afalg.c: In function 'eventfd':
-#| engines/afalg/e_afalg.c:110:20: error: '__NR_eventfd' undeclared (first use in this function)
-#|      return syscall(__NR_eventfd, n);
-#|                     ^~~~~~~~~~~~
-EXTRA_OECONF_aarch64 += "no-afalgeng"
+# This prevents openssl from using getrandom() which is not available on older glibc versions
+# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
+EXTRA_OECONF_class-native += "--with-rand-seed=devrandom"
+EXTRA_OECONF_class-nativesdk += "--with-rand-seed=devrandom"
 
 #| ./libcrypto.so: undefined reference to `getcontext'
 #| ./libcrypto.so: undefined reference to `setcontext'
 #| ./libcrypto.so: undefined reference to `makecontext'
-EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC"
+CPPFLAGS_libc-musl += "-DOPENSSL_NO_ASYNC"
 
 do_install () {
         oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
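Review bot: In do_configure, --libdir now receives the full ${libdir} instead of the prefix-stripped libdirleaf, and nothing in the commit message says that Configure in this version accepts an absolute path there. If it still treats --libdir as relative to --prefix, the libraries end up under $useprefix${libdir}; please confirm the resulting install layout and record it in the message. The added WARNING comment is also indented with spaces while the perl line below it keeps its tab.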
-- 
2.16.1




* [RFC][PATCH 4/5] libressl: add a recipe to support openssh
  2018-04-10 12:07 [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version Alexander Kanavin
  2018-04-10 12:07 ` [RFC][PATCH 2/5] cryptodev-tests: port to openssl 1.1 Alexander Kanavin
  2018-04-10 12:07 ` [RFC][PATCH 3/5] openssl: update to 1.1.1 Alexander Kanavin
@ 2018-04-10 12:07 ` Alexander Kanavin
  2018-04-11  8:38   ` Andre McCurdy
  2018-04-10 12:07 ` [RFC][PATCH 5/5] openssh: update to 7.7p1 and depend on libressl Alexander Kanavin
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 14+ messages in thread
From: Alexander Kanavin @ 2018-04-10 12:07 UTC (permalink / raw)
  To: openembedded-core

After reading through this:

https://github.com/openssh/openssh-portable/pull/48

and this thread:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-October/036344.html

I've concluded that this is the best of the three not-great options. The alternatives:

- bundle libressl inside openssh packages
- keep openssh dependent on openssl 1.0 and wait until upstream does something

are both inferior. Libressl is used with openssh in OpenBSD and in OS X,
so it did get at least some testing in the real world.

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 ...c-libraries-with-their-library-dependenci.patch | 74 ++++++++++++++++++++++
 .../libressl/libressl_2.7.2.bb                     | 31 +++++++++
 2 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
 create mode 100644 meta/recipes-connectivity/libressl/libressl_2.7.2.bb

diff --git a/meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch b/meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
new file mode 100644
index 00000000000..977158fb673
--- /dev/null
+++ b/meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
@@ -0,0 +1,74 @@
+From 2e433aa5bb243c608930bdb46fbf55a31231a7bd Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Mon, 9 Apr 2018 18:02:56 +0300
+Subject: [PATCH] Link dynamic libraries with their library dependencies.
+
+It does seem like outside of OpenBSD, no one has actually used libressl yet.
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ CMakeLists.txt        | 7 ++++++-
+ crypto/CMakeLists.txt | 1 +
+ ssl/CMakeLists.txt    | 2 +-
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 1c6bd67..2c1078d 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -265,6 +265,7 @@ endif()
+ set(OPENSSL_LIBS tls ssl crypto)
+ 
+ if(WIN32)
++	set(OPENSSL_LIB_LIBS ws2_32)
+ 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
+ endif()
+ 
+@@ -274,16 +275,20 @@ if(HAVE_CLOCK_GETTIME)
+ endif()
+ 
+ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
++	set(OPENSSL_LIB_LIBS pthread)
++	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
+ 	check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
+ 	if (HAVE_CLOCK_GETTIME)
++		set(OPENSSL_LIB_LIBS ${OPENSSL_LIB_LIBS} rt)
+ 		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
+ 	endif()
+-	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
+ endif()
+ if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
++	set(OPENSSL_LIB_LIBS pthread)
+ 	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
+ endif()
+ if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
++	set(OPENSSL_LIB_LIBS nsl socket)
+ 	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
+ endif()
+ 
+diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
+index 2fa08a5..32ab649 100644
+--- a/crypto/CMakeLists.txt
++++ b/crypto/CMakeLists.txt
+@@ -811,6 +811,7 @@ endif()
+ 
+ add_library(crypto ${CRYPTO_SRC})
+ if (BUILD_SHARED_LIBS)
++	target_link_libraries(crypto ${OPENSSL_LIB_LIBS})
+ 	export_symbol(crypto ${CMAKE_CURRENT_BINARY_DIR}/crypto_p.sym)
+ 	if (WIN32)
+ 		target_link_libraries(crypto Ws2_32.lib)
+diff --git a/ssl/CMakeLists.txt b/ssl/CMakeLists.txt
+index e87e0f6..e53e5ea 100644
+--- a/ssl/CMakeLists.txt
++++ b/ssl/CMakeLists.txt
+@@ -50,7 +50,7 @@ set(
+ add_library(ssl ${SSL_SRC})
+ if (BUILD_SHARED_LIBS)
+ 	export_symbol(ssl ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
+-	target_link_libraries(ssl crypto)
++	target_link_libraries(ssl crypto ${OPENSSL_LIB_LIBS})
+ 	if (WIN32)
+ 		target_link_libraries(ssl Ws2_32.lib)
+ 		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
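Review bot: Only crypto/CMakeLists.txt and ssl/CMakeLists.txt gain ${OPENSSL_LIB_LIBS}, while set(OPENSSL_LIBS tls ssl crypto) shows a third library, tls, that this patch leaves alone. If libtls is also built shared it should get the same target_link_libraries() treatment, or the description should say why it does not need it. On WIN32, crypto and ssl now link ws2_32 through the new variable and Ws2_32.lib through the existing branch, so one of the two can go.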
diff --git a/meta/recipes-connectivity/libressl/libressl_2.7.2.bb b/meta/recipes-connectivity/libressl/libressl_2.7.2.bb
new file mode 100644
index 00000000000..375615a7d1c
--- /dev/null
+++ b/meta/recipes-connectivity/libressl/libressl_2.7.2.bb
@@ -0,0 +1,31 @@
+SUMMARY = "Drop-in replacement for openssl 1.0.x, maintained by OpenBSD"
+DESCRIPTION = "LibreSSL is a version of the TLS/crypto stack forked from \
+               OpenSSL in 2014, with goals of modernizing the codebase, \
+               improving security, and applying best practice development processes. "
+HOMEPAGE = "http://www.libressl.org/"
+
+LICENSE = "openssl"
+LIC_FILES_CHKSUM = "file://COPYING;md5=01f9bb4d275f5eeea905377bef3de622"
+
+SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${PV}.tar.gz \
+           file://0001-Link-dynamic-libraries-with-their-library-dependenci.patch \
+           "
+SRC_URI[md5sum] = "97aee636dfce1eb6ec6f38687bee0760"
+SRC_URI[sha256sum] = "917a8779c342177ff3751a2bf955d0262d1d8916a4b408930c45cef326700995"
+
+inherit cmake
+
+EXTRA_OECMAKE = "-DOPENSSLDIR=${sysconfdir}/libressl -DBUILD_SHARED_LIBS=ON"
+
+PACKAGE_PREPROCESS_FUNCS += "libressl_package_preprocess"
+
+# libressl development files and executable binaries clash with openssl 1.1
+# files when installed into target rootfs. So we don't put them into
+# packages, but they continue to be provided via target sysroot for
+# cross-compilation on the host, if some software needs specifically libressl.
+libressl_package_preprocess () {
+        for file in `find ${PKGD} -name *.h -o -name *.pc -o -name *.so`; do
+                rm $file
+        done
+}
+
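Review bot: In libressl_package_preprocess the find patterns are unquoted (-name *.h -o -name *.pc -o -name *.so), so the shell expands them against the task's working directory before find sees them whenever a matching file exists there, and the backtick for-loop splits paths on whitespace. Quote the patterns and let find do the removal, for example find ${PKGD} \( -name '*.h' -o -name '*.pc' -o -name '*.so' \) -delete.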
-- 
2.16.1




* [RFC][PATCH 5/5] openssh: update to 7.7p1 and depend on libressl
  2018-04-10 12:07 [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version Alexander Kanavin
                   ` (2 preceding siblings ...)
  2018-04-10 12:07 ` [RFC][PATCH 4/5] libressl: add a recipe to support openssh Alexander Kanavin
@ 2018-04-10 12:07 ` Alexander Kanavin
  2018-04-10 12:34 ` ✗ patchtest: failure for "[RFC] openssl: rename openssl ..." and 4 more Patchwork
  2018-04-10 12:43 ` [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version Martin Jansa
  5 siblings, 0 replies; 14+ messages in thread
From: Alexander Kanavin @ 2018-04-10 12:07 UTC (permalink / raw)
  To: openembedded-core

Please see the previous commit for the libressl rationale.

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 .../openssh/{openssh_7.6p1.bb => openssh_7.7p1.bb}                  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-connectivity/openssh/{openssh_7.6p1.bb => openssh_7.7p1.bb} (97%)

diff --git a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb b/meta/recipes-connectivity/openssh/openssh_7.7p1.bb
similarity index 97%
rename from meta/recipes-connectivity/openssh/openssh_7.6p1.bb
rename to meta/recipes-connectivity/openssh/openssh_7.7p1.bb
index a2288dfe08e..78cad4727d4 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.7p1.bb
@@ -9,7 +9,7 @@ LICENSE = "BSD"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"
 
 # openssl 1.1 patches are proposed at https://github.com/openssh/openssh-portable/pull/48
-DEPENDS = "zlib openssl10"
+DEPENDS = "zlib libressl"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
 SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
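Review bot: The comment directly above the changed DEPENDS line still reads "openssl 1.1 patches are proposed at https://github.com/openssh/openssh-portable/pull/48", which explained the old openssl10 dependency and says nothing about why libressl is used now. Update it so the recipe itself records the reason, rather than leaving it only in the previous commit's message.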
@@ -29,8 +29,8 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
 
 PAM_SRC_URI = "file://sshd"
 
-SRC_URI[md5sum] = "06a88699018e5fef13d4655abfed1f63"
-SRC_URI[sha256sum] = "a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723"
+SRC_URI[md5sum] = "68ba883aff6958297432e5877e9a0fe2"
+SRC_URI[sha256sum] = "d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f"
 
 inherit useradd update-rc.d update-alternatives systemd
 
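Review bot: The new md5sum/sha256sum pair belongs to the 7.7p1 version bump, which this commit combines with the switch from openssl10 to libressl in the hunk above. Splitting the upgrade and the crypto-library change into two commits would let a regression in sshd be bisected to one or the other.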
-- 
2.16.1




* ✗ patchtest: failure for "[RFC] openssl: rename openssl ..." and 4 more
  2018-04-10 12:07 [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version Alexander Kanavin
                   ` (3 preceding siblings ...)
  2018-04-10 12:07 ` [RFC][PATCH 5/5] openssh: update to 7.7p1 and depend on libressl Alexander Kanavin
@ 2018-04-10 12:34 ` Patchwork
  2018-04-10 12:43 ` [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version Martin Jansa
  5 siblings, 0 replies; 14+ messages in thread
From: Patchwork @ 2018-04-10 12:34 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: openembedded-core

== Series Details ==

Series: "[RFC] openssl: rename openssl ..." and 4 more
Revision: 1
URL   : https://patchwork.openembedded.org/series/11748/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             LIC_FILES_CHKSUM changed on target openssl but there is no "License-Update" tag in commit message [test_lic_files_chksum_modified_not_mentioned] 
  Suggested fix    Include "License-Update: <description>" into the commit message with a brief description
  Current checksum file://LICENSE;md5=f475368924827d06d4b416111c8bdb77
  New checksum     file://LICENSE;md5=d57d511030c9d66ef5f5966bee5a7eff

* Issue             Patches not removed from tree [test_src_uri_left_files] 
  Suggested fix    Amend the patch containing the software patch file removal
  Patch            
  Patch            engines-install-in-libdir-ssl.patch
  Patch            ptest-deps.patch
  Patch            openssl_fix_for_x32.patch
  Patch            c_rehash-compat.patch
  Patch            no-symbolic.patch
  Patch            oe-ldflags.patch
  Patch            ptest_makefile_deps.patch
  Patch            openssl-util-perlpath.pl-cwd.patch
  Patch            debian-targets.patch
  Patch            0001-openssl-force-soft-link-to-avoid-rare-race.patch
  Patch            man-dir.patch
  Patch            pic.patch
  Patch            block_diginotar.patch
  Patch            parallel.patch
  Patch            Makefiles-ptest.patch
  Patch            man-section.patch
  Patch            block_digicert_malaysia.patch
  Patch            configure-targets.patch
  Patch            0001-Fix-build-with-clang-using-external-assembler.patch
  Patch            reproducible-mkbuildinf.patch
  Patch            no-rpath.patch
  Patch            soname.patch
  Patch            ca.patch
  Patch            shared-libs.patch
  Patch            Use-SHA256-not-MD5-as-default-digest.patch
  Patch            reproducible-cflags.patch
  Patch            configure-musl-target.patch
  Patch            openssl-fix-des.pod-error.patch
  Patch            version-script.patch



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* Re: [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version
  2018-04-10 12:43 ` [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version Martin Jansa
@ 2018-04-10 12:39   ` Alexander Kanavin
  0 siblings, 0 replies; 14+ messages in thread
From: Alexander Kanavin @ 2018-04-10 12:39 UTC (permalink / raw)
  To: Martin Jansa; +Cc: openembedded-core

On 04/10/2018 03:43 PM, Martin Jansa wrote:
> On Tue, Apr 10, 2018 at 03:07:43PM +0300, Alexander Kanavin wrote:
>> Openssl 1.0 can still be utilized by depending on 'openssl10' recipe.
> 
> Does this really work now?
> 
> I think it will fail again when both openssl versions end up in RSS.

The only known case where this happened was Qt5 (because it also wanted 
python), and Qt5 gained openssl 1.1 support in the latest released version.

Alex



* Re: [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version
  2018-04-10 12:07 [RFC][PATCH 1/5] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version Alexander Kanavin
                   ` (4 preceding siblings ...)
  2018-04-10 12:34 ` ✗ patchtest: failure for "[RFC] openssl: rename openssl ..." and 4 more Patchwork
@ 2018-04-10 12:43 ` Martin Jansa
  2018-04-10 12:39   ` Alexander Kanavin
  5 siblings, 1 reply; 14+ messages in thread
From: Martin Jansa @ 2018-04-10 12:43 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: openembedded-core


On Tue, Apr 10, 2018 at 03:07:43PM +0300, Alexander Kanavin wrote:
> Openssl 1.0 can still be utilized by depending on 'openssl10' recipe.

Does this really work now?

I think it will fail again when both openssl versions end up in RSS.


* Re: [RFC][PATCH 3/5] openssl: update to 1.1.1
  2018-04-10 12:07 ` [RFC][PATCH 3/5] openssl: update to 1.1.1 Alexander Kanavin
@ 2018-04-10 21:20   ` Andre McCurdy
  2018-04-11 10:09     ` Alexander Kanavin
  0 siblings, 1 reply; 14+ messages in thread
From: Andre McCurdy @ 2018-04-10 21:20 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE Core mailing list

On Tue, Apr 10, 2018 at 5:07 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> At the moment 1.1.1 is in pre-release stage, however the final release
> should be available within a few weeks. The major selling point is that
> it supports the new TLS 1.3 specification. At the moment it is not clear
> whether this also will be a long term support version of openssl;
> we can make the decision to merge this version once that is made clear
> by upstream. More information:
>
> https://www.openssl.org/policies/releasestrat.html
>
> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> ---
>  ...1-Take-linking-flags-from-LDFLAGS-env-var.patch | 43 ----------------------
>  .../{openssl_1.1.0h.bb => openssl_1.1.1-pre4.bb}   | 21 +++++------
>  2 files changed, 10 insertions(+), 54 deletions(-)
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
>  rename meta/recipes-connectivity/openssl/{openssl_1.1.0h.bb => openssl_1.1.1-pre4.bb} (83%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre4.bb
> similarity index 83%
> rename from meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
> rename to meta/recipes-connectivity/openssl/openssl_1.1.1-pre4.bb
> index 94b75eb92a8..859362f7afe 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre4.bb
> @@ -10,13 +10,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=d57d511030c9d66ef5f5966bee5a7eff"
>
>  BBCLASSEXTEND = "native nativesdk"
>
> -SRC_URI[md5sum] = "5271477e4d93f4ea032b665ef095ff24"
> -SRC_URI[sha256sum] = "5835626cde9e99656585fc7aaa2302a73a7e1340bf8c14fd635a62c66802a517"
> +SRC_URI[md5sum] = "07c3f6831fb6dfe975795ef7bbbee9fc"
> +SRC_URI[sha256sum] = "df2d5fcc2a878525611c75b9e9116fbcfbce8d9b96419a16eda5fb11ecc428f6"
>
>  SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
>             file://run-ptest \
>             file://openssl-c_rehash.sh \
> -           file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
>             "
>
>  S = "${WORKDIR}/openssl-${PV}"
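Review bot: SRC_URI still fetches the tarball over plain http:// from www.openssl.org, so the two checksum lines changed in this hunk are the only thing that authenticates a pre-release of the distribution's main crypto library. Since the checksums are being touched anyway, switch the URL to https:// and say in the commit message where the new sha256sum was taken from.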
> @@ -114,20 +113,20 @@ do_configure () {
>          if [ "x$useprefix" = "x" ]; then
>                  useprefix=/
>          fi
> -       libdirleaf="$(echo ${libdir} | sed s:$useprefix::)"
> -       perl ./Configure ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdirleaf} $target
> +        # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
> +        # environment variables set by bitbake. Adjust the environment variables instead.
> +       perl ./Configure ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
>  }
>
> -#| engines/afalg/e_afalg.c: In function 'eventfd':
> -#| engines/afalg/e_afalg.c:110:20: error: '__NR_eventfd' undeclared (first use in this function)
> -#|      return syscall(__NR_eventfd, n);
> -#|                     ^~~~~~~~~~~~
> -EXTRA_OECONF_aarch64 += "no-afalgeng"
> +# This prevents openssl from using getrandom() which is not available on older glibc versions
> +# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
> +EXTRA_OECONF_class-native += "--with-rand-seed=devrandom"
> +EXTRA_OECONF_class-nativesdk += "--with-rand-seed=devrandom"

Better to avoid += with an over-ride since it doesn't do what most new
users etc. expect. Better to use _append instead (or just the over-ride
on its own, if over-riding the original value is what you intended to
do).

>  #| ./libcrypto.so: undefined reference to `getcontext'
>  #| ./libcrypto.so: undefined reference to `setcontext'
>  #| ./libcrypto.so: undefined reference to `makecontext'
> -EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC"
> +CPPFLAGS_libc-musl += "-DOPENSSL_NO_ASYNC"

Same comment here.

>  do_install () {
>          oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
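Review bot: The aarch64 workaround EXTRA_OECONF_aarch64 += "no-afalgeng" is removed together with the __NR_eventfd error log that justified it, but the commit message does not say the build failure is gone in 1.1.1-pre4. Please confirm an aarch64 build with the afalg engine enabled, or keep the override until that is verified.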
> --



* Re: [RFC][PATCH 4/5] libressl: add a recipe to support openssh
  2018-04-10 12:07 ` [RFC][PATCH 4/5] libressl: add a recipe to support openssh Alexander Kanavin
@ 2018-04-11  8:38   ` Andre McCurdy
  2018-04-11 10:03     ` Alexander Kanavin
  0 siblings, 1 reply; 14+ messages in thread
From: Andre McCurdy @ 2018-04-11  8:38 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE Core mailing list

On Tue, Apr 10, 2018 at 5:07 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> After reading through this:
>
> https://github.com/openssh/openssh-portable/pull/48
>
> and this thread:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-October/036344.html
>
> I've concluded that this is the best of the three not-great options. The alternatives:
>
> - bundle libressl inside openssh packages
> - keep openssh dependent on openssl 1.0 and wait until upstream does something
>
> are both inferior. Libressl is used with openssh in OpenBSD and in OS X,
> so it did get at least some testing in the real world.
>
> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> ---
>  ...c-libraries-with-their-library-dependenci.patch | 74 ++++++++++++++++++++++
>  .../libressl/libressl_2.7.2.bb                     | 31 +++++++++
>  2 files changed, 105 insertions(+)
>  create mode 100644 meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
>  create mode 100644 meta/recipes-connectivity/libressl/libressl_2.7.2.bb
>
> diff --git a/meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch b/meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
> new file mode 100644
> index 00000000000..977158fb673
> --- /dev/null
> +++ b/meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
> @@ -0,0 +1,74 @@
> +From 2e433aa5bb243c608930bdb46fbf55a31231a7bd Mon Sep 17 00:00:00 2001
> +From: Alexander Kanavin <alex.kanavin@gmail.com>
> +Date: Mon, 9 Apr 2018 18:02:56 +0300
> +Subject: [PATCH] Link dynamic libraries with their library dependencies.
> +
> +It does seem like outside of OpenBSD, no one has actually used libressl yet.

I played around with completely replacing openssl with libressl a year
or so ago and it went fairly smoothly (at least as far as I tested).
That was with libressl 2.4.2 and my recipe built with autotools rather
than cmake though. Did you try to build with autotools? That still
appears to be the option mentioned first in the libressl README.

> +Upstream-Status: Pending
> +Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> +---
> + CMakeLists.txt        | 7 ++++++-
> + crypto/CMakeLists.txt | 1 +
> + ssl/CMakeLists.txt    | 2 +-
> + 3 files changed, 8 insertions(+), 2 deletions(-)
> +
> +diff --git a/CMakeLists.txt b/CMakeLists.txt
> +index 1c6bd67..2c1078d 100644
> +--- a/CMakeLists.txt
> ++++ b/CMakeLists.txt
> +@@ -265,6 +265,7 @@ endif()
> + set(OPENSSL_LIBS tls ssl crypto)
> +
> + if(WIN32)
> ++      set(OPENSSL_LIB_LIBS ws2_32)
> +       set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
> + endif()
> +
> +@@ -274,16 +275,20 @@ if(HAVE_CLOCK_GETTIME)
> + endif()
> +
> + if(CMAKE_SYSTEM_NAME MATCHES "Linux")
> ++      set(OPENSSL_LIB_LIBS pthread)
> ++      set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
> +       check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
> +       if (HAVE_CLOCK_GETTIME)
> ++              set(OPENSSL_LIB_LIBS ${OPENSSL_LIB_LIBS} rt)
> +               set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
> +       endif()
> +-      set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
> + endif()
> + if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
> ++      set(OPENSSL_LIB_LIBS pthread)
> +       set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
> + endif()
> + if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
> ++      set(OPENSSL_LIB_LIBS nsl socket)
> +       set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
> + endif()
> +
> +diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
> +index 2fa08a5..32ab649 100644
> +--- a/crypto/CMakeLists.txt
> ++++ b/crypto/CMakeLists.txt
> +@@ -811,6 +811,7 @@ endif()
> +
> + add_library(crypto ${CRYPTO_SRC})
> + if (BUILD_SHARED_LIBS)
> ++      target_link_libraries(crypto ${OPENSSL_LIB_LIBS})
> +       export_symbol(crypto ${CMAKE_CURRENT_BINARY_DIR}/crypto_p.sym)
> +       if (WIN32)
> +               target_link_libraries(crypto Ws2_32.lib)
> +diff --git a/ssl/CMakeLists.txt b/ssl/CMakeLists.txt
> +index e87e0f6..e53e5ea 100644
> +--- a/ssl/CMakeLists.txt
> ++++ b/ssl/CMakeLists.txt
> +@@ -50,7 +50,7 @@ set(
> + add_library(ssl ${SSL_SRC})
> + if (BUILD_SHARED_LIBS)
> +       export_symbol(ssl ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
> +-      target_link_libraries(ssl crypto)
> ++      target_link_libraries(ssl crypto ${OPENSSL_LIB_LIBS})
> +       if (WIN32)
> +               target_link_libraries(ssl Ws2_32.lib)
> +               set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
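Review bot: The embedded patch's description is the single sentence "It does seem like outside of OpenBSD, no one has actually used libressl yet.", which does not tell upstream or a later maintainer what fails without the change. Replace it with the actual link error (which symbols are undefined in which shared library), and since the patch is marked Upstream-Status: Pending, note where it was submitted.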
> diff --git a/meta/recipes-connectivity/libressl/libressl_2.7.2.bb b/meta/recipes-connectivity/libressl/libressl_2.7.2.bb
> new file mode 100644
> index 00000000000..375615a7d1c
> --- /dev/null
> +++ b/meta/recipes-connectivity/libressl/libressl_2.7.2.bb
> @@ -0,0 +1,31 @@
> +SUMMARY = "Drop-in replacement for openssl 1.0.x, maintained by OpenBSD"
> +DESCRIPTION = "LibreSSL is a version of the TLS/crypto stack forked from \
> +               OpenSSL in 2014, with goals of modernizing the codebase, \
> +               improving security, and applying best practice development processes. "
> +HOMEPAGE = "http://www.libressl.org/"
> +
> +LICENSE = "openssl"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=01f9bb4d275f5eeea905377bef3de622"
> +
> +SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${PV}.tar.gz \
> +           file://0001-Link-dynamic-libraries-with-their-library-dependenci.patch \
> +           "
> +SRC_URI[md5sum] = "97aee636dfce1eb6ec6f38687bee0760"
> +SRC_URI[sha256sum] = "917a8779c342177ff3751a2bf955d0262d1d8916a4b408930c45cef326700995"
> +
> +inherit cmake
> +
> +EXTRA_OECMAKE = "-DOPENSSLDIR=${sysconfdir}/libressl -DBUILD_SHARED_LIBS=ON"
> +
> +PACKAGE_PREPROCESS_FUNCS += "libressl_package_preprocess"
> +
> +# libressl development files and executable binaries clash with openssl 1.1
> +# files when installed into target rootfs. So we don't put them into
> +# packages, but they continue to be provided via target sysroot for
> +# cross-compilation on the host, if some software needs specifically libressl.
> +libressl_package_preprocess () {
> +        for file in `find ${PKGD} -name *.h -o -name *.pc -o -name *.so`; do
> +                rm $file
> +        done
> +}
> +
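Review bot: The comment above libressl_package_preprocess says development files and executable binaries are kept out of the packages, but the find only matches *.h, *.pc and *.so, so anything installed under ${bindir} is still packaged and can still clash with openssl 1.1 in the target rootfs. Either remove the binaries in the same function or drop "executable binaries" from the comment.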
> --
> 2.16.1
>



* Re: [RFC][PATCH 4/5] libressl: add a recipe to support openssh
  2018-04-11  8:38   ` Andre McCurdy
@ 2018-04-11 10:03     ` Alexander Kanavin
  2018-04-11 19:07       ` Andre McCurdy
  0 siblings, 1 reply; 14+ messages in thread
From: Alexander Kanavin @ 2018-04-11 10:03 UTC (permalink / raw)
  To: Andre McCurdy; +Cc: OE Core mailing list

On 04/11/2018 11:38 AM, Andre McCurdy wrote:
> I played around with completely replacing openssl with libressl a year
> or so ago and it went fairly smoothly (at least as far as I tested).
> That was with libressl 2.4.2 and my recipe built with autotools rather
> than cmake though. Did you try to build with autotools? That still
> appears to be the option mentioned first in the libressl README.

That's not, however, the option I would take first, as the recipe 
maintainer :) Autotools is horrible in many ways; while cmake is not 
great, it's definitely less horrible.


Alex



* Re: [RFC][PATCH 3/5] openssl: update to 1.1.1
  2018-04-10 21:20   ` Andre McCurdy
@ 2018-04-11 10:09     ` Alexander Kanavin
  2018-04-11 18:56       ` Andre McCurdy
  0 siblings, 1 reply; 14+ messages in thread
From: Alexander Kanavin @ 2018-04-11 10:09 UTC (permalink / raw)
  To: Andre McCurdy; +Cc: OE Core mailing list

On 04/11/2018 12:20 AM, Andre McCurdy wrote:
>> -#| engines/afalg/e_afalg.c: In function 'eventfd':
>> -#| engines/afalg/e_afalg.c:110:20: error: '__NR_eventfd' undeclared (first use in this function)
>> -#|      return syscall(__NR_eventfd, n);
>> -#|                     ^~~~~~~~~~~~
>> -EXTRA_OECONF_aarch64 += "no-afalgeng"
>> +# This prevents openssl from using getrandom() which is not available on older glibc versions
>> +# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
>> +EXTRA_OECONF_class-native += "--with-rand-seed=devrandom"
>> +EXTRA_OECONF_class-nativesdk += "--with-rand-seed=devrandom"
> 
> Better to avoid += with an over-ride since it doesn't do what most new
> users etc. expect. Better to use _append instead (or just the over-ride
> on its own, if over-riding the original value is what you intended to
> do).

Thanks, I will fix this. The whole += vs. _append is a design 
shortcoming in bitbake I'd say, as it's a regular source of confusion, 
and can't be automatically QA'd.

Alex



* Re: [RFC][PATCH 3/5] openssl: update to 1.1.1
  2018-04-11 10:09     ` Alexander Kanavin
@ 2018-04-11 18:56       ` Andre McCurdy
  0 siblings, 0 replies; 14+ messages in thread
From: Andre McCurdy @ 2018-04-11 18:56 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE Core mailing list

On Wed, Apr 11, 2018 at 3:09 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> On 04/11/2018 12:20 AM, Andre McCurdy wrote:
>>>
>>> -#| engines/afalg/e_afalg.c: In function 'eventfd':
>>> -#| engines/afalg/e_afalg.c:110:20: error: '__NR_eventfd' undeclared
>>> (first use in this function)
>>> -#|      return syscall(__NR_eventfd, n);
>>> -#|                     ^~~~~~~~~~~~
>>> -EXTRA_OECONF_aarch64 += "no-afalgeng"
>>> +# This prevents openssl from using getrandom() which is not available on
>>> older glibc versions
>>> +# (native versions can be built with newer glibc, but then relocated
>>> onto a system with older glibc)
>>> +EXTRA_OECONF_class-native += "--with-rand-seed=devrandom"
>>> +EXTRA_OECONF_class-nativesdk += "--with-rand-seed=devrandom"
>>
>> Better to avoid += with an over-ride since it doesn't do what most new
>> users etc. expect. Better to use _append instead (or just the over-ride
>> on its own, if over-riding the original value is what you intended to
>> do).
>
> Thanks, I will fix this. The whole += vs. _append is a design shortcoming in
> bitbake I'd say, as it's a regular source of confusion, and can't be
> automatically QA'd.

Yes, fully agree. We would save new users a lot of time and confusion
if the parser just failed with an error on any attempt to use += with
an over-ride. I've seen it cause bugs many times.
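
The += versus _append behaviour discussed in this sub-thread, shown as an added recipe fragment that is not part of any message or of the posted patches. The base EXTRA_OECONF value is constructed for illustration (no-ssl3 and no-weak-ssl-ciphers are OpenSSL Configure options, but the page does not show the recipe's real base value); the override syntax is the underscore form used in the thread.

```bitbake
# Constructed base value for illustration; not taken from the openssl recipe.
EXTRA_OECONF = "no-ssl3 no-weak-ssl-ciphers"

# Weak form: '+=' is applied immediately to the variable named
# EXTRA_OECONF_class-native, which is otherwise unset. When the class-native
# override is active, that variable REPLACES EXTRA_OECONF, so the native
# build is configured with only "--with-rand-seed=devrandom" and the two
# hardening options above are silently dropped.
EXTRA_OECONF_class-native += "--with-rand-seed=devrandom"

# Corrected form (use this instead of the line above, not in addition to it):
# _append combined with the override is applied on top of the base value, so
# the native build gets
#   "no-ssl3 no-weak-ssl-ciphers --with-rand-seed=devrandom".
# _append inserts no separator, hence the leading space inside the quotes.
EXTRA_OECONF_append_class-native = " --with-rand-seed=devrandom"
```

The value each form actually produces can be checked in the output of `bitbake -e openssl-native`, which prints the final EXTRA_OECONF for the native variant.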



* Re: [RFC][PATCH 4/5] libressl: add a recipe to support openssh
  2018-04-11 10:03     ` Alexander Kanavin
@ 2018-04-11 19:07       ` Andre McCurdy
  0 siblings, 0 replies; 14+ messages in thread
From: Andre McCurdy @ 2018-04-11 19:07 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE Core mailing list

On Wed, Apr 11, 2018 at 3:03 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> On 04/11/2018 11:38 AM, Andre McCurdy wrote:
>>
>> I played around with completely replacing openssl with libressl a year
>> or so ago and it went fairly smoothly (at least as far as I tested).
>> That was with libressl 2.4.2 and my recipe built with autotools rather
>> than cmake though. Did you try to build with autotools? That still
>> appears to be the option mentioned first in the libressl README.
>
> That's not, however, the option I would take first, as the recipe maintainer
> :) Autotools is horrible in many ways; while cmake is not great, it's
> definitely less horrible.

Well, as you're the one writing the recipe you get to make the choice
:-) But if one "just works" and the other requires patches that might
sway the choice a little. I wasn't sure if you'd even looked at the
autotools build.

Either option is a vast improvement on the openssl build system
though. Libressl seems to have done a lot of valuable cleanup in that
respect.

