[RFC PATCH 0/6] openssl 1.1.1 update

[RFC PATCH 0/6] openssl 1.1.1 update

[Alexander Kanavin]

This patch series updates openssl to the soon-to-be released 1.1.1 version
(latest news is 11 September), sets it as default, and removes dependencies
on openssl 1.0 entirely from oe-core. openssl 1.0 remains available as openssl10
recipe.

The following changes since commit a8368651ffed1bd6c4715a37dfe9f40c48ca23c4:

  bitbake: fetcher: Fixed remote removal not throwing exception. (2018-08-28 10:32:08 +0100)

are available in the git repository at:

  git://push.yoctoproject.org/poky-contrib akanavin/openssl-1.1.1

Alexander Kanavin (6):
  openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the
    default version
  cryptodev-tests: port to openssl 1.1
  openssl: update to 1.1.1
  libressl: add a recipe to support openssh
  openssh: depend on libressl
  ca-certificates: update to 20180409

 meta/conf/distro/include/default-versions.inc      |   3 -
 meta/conf/distro/include/maintainers.inc           |   2 +
 ...c-libraries-with-their-library-dependenci.patch |  73 +++++++++++++++
 .../libressl/libressl_2.8.0.bb                     |  35 +++++++
 meta/recipes-connectivity/openssh/openssh_7.7p1.bb |   2 +-
 .../{openssl => files}/environment.d-openssl.sh    |   0
 ...1-Take-linking-flags-from-LDFLAGS-env-var.patch |  43 ---------
 ...SLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch |  39 --------
 ...build-with-clang-using-external-assembler.patch |   0
 .../0001-allow-manpages-to-be-disabled.patch       |   0
 ...penssl-force-soft-link-to-avoid-rare-race.patch |   0
 .../Makefiles-ptest.patch                          |   0
 .../Use-SHA256-not-MD5-as-default-digest.patch     |   0
 .../configure-musl-target.patch                    |   0
 .../configure-targets.patch                        |   0
 .../debian/c_rehash-compat.patch                   |   0
 .../debian/debian-targets.patch                    |   0
 .../debian/man-dir.patch                           |   0
 .../debian/man-section.patch                       |   0
 .../debian/no-rpath.patch                          |   0
 .../debian/no-symbolic.patch                       |   0
 .../{openssl-1.0.2p => openssl10}/debian/pic.patch |   0
 .../debian1.0.2/block_digicert_malaysia.patch      |   0
 .../debian1.0.2/block_diginotar.patch              |   0
 .../debian1.0.2/soname.patch                       |   0
 .../debian1.0.2/version-script.patch               |   0
 .../engines-install-in-libdir-ssl.patch            |   0
 .../{openssl-1.0.2p => openssl10}/oe-ldflags.patch |   0
 .../openssl-c_rehash.sh                            |   0
 .../openssl-fix-des.pod-error.patch                |   0
 .../openssl_fix_for_x32.patch                      |   0
 .../{openssl-1.0.2p => openssl10}/parallel.patch   |   0
 .../{openssl-1.0.2p => openssl10}/ptest-deps.patch |   0
 .../ptest_makefile_deps.patch                      |   0
 .../reproducible-cflags.patch                      |   0
 .../reproducible-mkbuildinf.patch                  |   0
 .../{openssl-1.0.2p => openssl10}/run-ptest        |   0
 .../shared-libs.patch                              |   0
 .../{openssl_1.0.2p.bb => openssl10_1.0.2p.bb}     |  31 +++++--
 .../{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb}   |  23 +++--
 .../cryptodev/cryptodev-tests_1.9.bb               |   3 +-
 .../files/0001-Port-tests-to-openssl-1.1.patch     | 103 +++++++++++++++++++++
 ...tes_20170717.bb => ca-certificates_20180409.bb} |   4 +-
 43 files changed, 255 insertions(+), 106 deletions(-)
 create mode 100644 meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
 create mode 100644 meta/recipes-connectivity/libressl/libressl_2.8.0.bb
 rename meta/recipes-connectivity/openssl/{openssl => files}/environment.d-openssl.sh (100%)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-allow-manpages-to-be-disabled.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-openssl-force-soft-link-to-avoid-rare-race.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Makefiles-ptest.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-musl-target.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-targets.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/c_rehash-compat.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/debian-targets.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-dir.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-section.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-rpath.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-symbolic.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/pic.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_digicert_malaysia.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_diginotar.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/soname.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/version-script.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/engines-install-in-libdir-ssl.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/oe-ldflags.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-c_rehash.sh (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-fix-des.pod-error.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl_fix_for_x32.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/parallel.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest-deps.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest_makefile_deps.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-cflags.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-mkbuildinf.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/run-ptest (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/shared-libs.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl_1.0.2p.bb => openssl10_1.0.2p.bb} (91%)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb} (83%)
 create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
 rename meta/recipes-support/ca-certificates/{ca-certificates_20170717.bb => ca-certificates_20180409.bb} (95%)

-- 
2.7.4

[RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Alexander Kanavin]

From: Alexander Kanavin <alexander.kanavin@linux.intel.com>

I believe the time has come to do this: openssl 1.0 upstream support stops at the end
of 2019, and we do not want a situation where a supported YP release contains an
unsupported version of a critical security component.

Openssl 1.0 can still be utilized by depending on 'openssl10' recipe.

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 meta/conf/distro/include/default-versions.inc      |  3 ---
 meta/conf/distro/include/maintainers.inc           |  1 +
 .../{openssl => files}/environment.d-openssl.sh    |  0
 ...build-with-clang-using-external-assembler.patch |  0
 .../0001-allow-manpages-to-be-disabled.patch       |  0
 ...penssl-force-soft-link-to-avoid-rare-race.patch |  0
 .../Makefiles-ptest.patch                          |  0
 .../Use-SHA256-not-MD5-as-default-digest.patch     |  0
 .../configure-musl-target.patch                    |  0
 .../configure-targets.patch                        |  0
 .../debian/c_rehash-compat.patch                   |  0
 .../debian/debian-targets.patch                    |  0
 .../debian/man-dir.patch                           |  0
 .../debian/man-section.patch                       |  0
 .../debian/no-rpath.patch                          |  0
 .../debian/no-symbolic.patch                       |  0
 .../{openssl-1.0.2p => openssl10}/debian/pic.patch |  0
 .../debian1.0.2/block_digicert_malaysia.patch      |  0
 .../debian1.0.2/block_diginotar.patch              |  0
 .../debian1.0.2/soname.patch                       |  0
 .../debian1.0.2/version-script.patch               |  0
 .../engines-install-in-libdir-ssl.patch            |  0
 .../{openssl-1.0.2p => openssl10}/oe-ldflags.patch |  0
 .../openssl-c_rehash.sh                            |  0
 .../openssl-fix-des.pod-error.patch                |  0
 .../openssl_fix_for_x32.patch                      |  0
 .../{openssl-1.0.2p => openssl10}/parallel.patch   |  0
 .../{openssl-1.0.2p => openssl10}/ptest-deps.patch |  0
 .../ptest_makefile_deps.patch                      |  0
 .../reproducible-cflags.patch                      |  0
 .../reproducible-mkbuildinf.patch                  |  0
 .../{openssl-1.0.2p => openssl10}/run-ptest        |  0
 .../shared-libs.patch                              |  0
 .../{openssl_1.0.2p.bb => openssl10_1.0.2p.bb}     | 31 ++++++++++++++++------
 34 files changed, 24 insertions(+), 11 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl => files}/environment.d-openssl.sh (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-allow-manpages-to-be-disabled.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-openssl-force-soft-link-to-avoid-rare-race.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Makefiles-ptest.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-musl-target.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-targets.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/c_rehash-compat.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/debian-targets.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-dir.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-section.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-rpath.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-symbolic.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/pic.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_digicert_malaysia.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_diginotar.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/soname.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/version-script.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/engines-install-in-libdir-ssl.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/oe-ldflags.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-c_rehash.sh (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-fix-des.pod-error.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl_fix_for_x32.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/parallel.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest-deps.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest_makefile_deps.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-cflags.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-mkbuildinf.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/run-ptest (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/shared-libs.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl_1.0.2p.bb => openssl10_1.0.2p.bb} (91%)

diff --git a/meta/conf/distro/include/default-versions.inc b/meta/conf/distro/include/default-versions.inc
index 3d88e8f..a6f3313 100644
--- a/meta/conf/distro/include/default-versions.inc
+++ b/meta/conf/distro/include/default-versions.inc
@@ -2,6 +2,3 @@
 # Default preferred versions
 #
 
-PREFERRED_VERSION_openssl ?= "1.0.%"
-PREFERRED_VERSION_openssl-native ?= "1.0.%"
-PREFERRED_VERSION_nativesdk-openssl ?= "1.0.%"
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 98b661d..c76f81f 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -503,6 +503,7 @@ RECIPE_MAINTAINER_pn-nss-myhostname = "Maxin B. John <maxin.john@intel.com>"
 RECIPE_MAINTAINER_pn-ofono = "Maxin B. John <maxin.john@intel.com>"
 RECIPE_MAINTAINER_pn-openssh = "Armin Kuster <akuster808@gmail.com>"
 RECIPE_MAINTAINER_pn-openssl = "Alexander Kanavin <alex.kanavin@gmail.com>"
+RECIPE_MAINTAINER_pn-openssl10 = "Alexander Kanavin <alex.kanavin@gmail.com>"
 RECIPE_MAINTAINER_pn-opkg = "Alejandro del Castillo <alejandro.delcastillo@ni.com>"
 RECIPE_MAINTAINER_pn-opkg-arch-config = "Alejandro del Castillo <alejandro.delcastillo@ni.com>"
 RECIPE_MAINTAINER_pn-opkg-keyrings = "Alejandro del Castillo <alejandro.delcastillo@ni.com>"
diff --git a/meta/recipes-connectivity/openssl/openssl/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl/environment.d-openssl.sh
rename to meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/0001-Fix-build-with-clang-using-external-assembler.patch b/meta/recipes-connectivity/openssl/openssl10/0001-Fix-build-with-clang-using-external-assembler.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/0001-Fix-build-with-clang-using-external-assembler.patch
rename to meta/recipes-connectivity/openssl/openssl10/0001-Fix-build-with-clang-using-external-assembler.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/0001-allow-manpages-to-be-disabled.patch b/meta/recipes-connectivity/openssl/openssl10/0001-allow-manpages-to-be-disabled.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/0001-allow-manpages-to-be-disabled.patch
rename to meta/recipes-connectivity/openssl/openssl10/0001-allow-manpages-to-be-disabled.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/0001-openssl-force-soft-link-to-avoid-rare-race.patch b/meta/recipes-connectivity/openssl/openssl10/0001-openssl-force-soft-link-to-avoid-rare-race.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/0001-openssl-force-soft-link-to-avoid-rare-race.patch
rename to meta/recipes-connectivity/openssl/openssl10/0001-openssl-force-soft-link-to-avoid-rare-race.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/Makefiles-ptest.patch b/meta/recipes-connectivity/openssl/openssl10/Makefiles-ptest.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/Makefiles-ptest.patch
rename to meta/recipes-connectivity/openssl/openssl10/Makefiles-ptest.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/Use-SHA256-not-MD5-as-default-digest.patch b/meta/recipes-connectivity/openssl/openssl10/Use-SHA256-not-MD5-as-default-digest.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/Use-SHA256-not-MD5-as-default-digest.patch
rename to meta/recipes-connectivity/openssl/openssl10/Use-SHA256-not-MD5-as-default-digest.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/configure-musl-target.patch b/meta/recipes-connectivity/openssl/openssl10/configure-musl-target.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/configure-musl-target.patch
rename to meta/recipes-connectivity/openssl/openssl10/configure-musl-target.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/configure-targets.patch b/meta/recipes-connectivity/openssl/openssl10/configure-targets.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/configure-targets.patch
rename to meta/recipes-connectivity/openssl/openssl10/configure-targets.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/c_rehash-compat.patch b/meta/recipes-connectivity/openssl/openssl10/debian/c_rehash-compat.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/c_rehash-compat.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/c_rehash-compat.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/debian-targets.patch b/meta/recipes-connectivity/openssl/openssl10/debian/debian-targets.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/debian-targets.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/debian-targets.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/man-dir.patch b/meta/recipes-connectivity/openssl/openssl10/debian/man-dir.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/man-dir.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/man-dir.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/man-section.patch b/meta/recipes-connectivity/openssl/openssl10/debian/man-section.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/man-section.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/man-section.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/no-rpath.patch b/meta/recipes-connectivity/openssl/openssl10/debian/no-rpath.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/no-rpath.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/no-rpath.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/no-symbolic.patch b/meta/recipes-connectivity/openssl/openssl10/debian/no-symbolic.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/no-symbolic.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/no-symbolic.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/pic.patch b/meta/recipes-connectivity/openssl/openssl10/debian/pic.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/debian/pic.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian/pic.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/block_digicert_malaysia.patch b/meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_digicert_malaysia.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/block_digicert_malaysia.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_digicert_malaysia.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_diginotar.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/block_diginotar.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian1.0.2/block_diginotar.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/soname.patch b/meta/recipes-connectivity/openssl/openssl10/debian1.0.2/soname.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/soname.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian1.0.2/soname.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/version-script.patch b/meta/recipes-connectivity/openssl/openssl10/debian1.0.2/version-script.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/version-script.patch
rename to meta/recipes-connectivity/openssl/openssl10/debian1.0.2/version-script.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/engines-install-in-libdir-ssl.patch b/meta/recipes-connectivity/openssl/openssl10/engines-install-in-libdir-ssl.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/engines-install-in-libdir-ssl.patch
rename to meta/recipes-connectivity/openssl/openssl10/engines-install-in-libdir-ssl.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/oe-ldflags.patch b/meta/recipes-connectivity/openssl/openssl10/oe-ldflags.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/oe-ldflags.patch
rename to meta/recipes-connectivity/openssl/openssl10/oe-ldflags.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl10/openssl-c_rehash.sh
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/openssl-c_rehash.sh
rename to meta/recipes-connectivity/openssl/openssl10/openssl-c_rehash.sh
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/openssl-fix-des.pod-error.patch b/meta/recipes-connectivity/openssl/openssl10/openssl-fix-des.pod-error.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/openssl-fix-des.pod-error.patch
rename to meta/recipes-connectivity/openssl/openssl10/openssl-fix-des.pod-error.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/openssl_fix_for_x32.patch b/meta/recipes-connectivity/openssl/openssl10/openssl_fix_for_x32.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/openssl_fix_for_x32.patch
rename to meta/recipes-connectivity/openssl/openssl10/openssl_fix_for_x32.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/parallel.patch b/meta/recipes-connectivity/openssl/openssl10/parallel.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/parallel.patch
rename to meta/recipes-connectivity/openssl/openssl10/parallel.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/ptest-deps.patch b/meta/recipes-connectivity/openssl/openssl10/ptest-deps.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/ptest-deps.patch
rename to meta/recipes-connectivity/openssl/openssl10/ptest-deps.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/ptest_makefile_deps.patch b/meta/recipes-connectivity/openssl/openssl10/ptest_makefile_deps.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/ptest_makefile_deps.patch
rename to meta/recipes-connectivity/openssl/openssl10/ptest_makefile_deps.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/reproducible-cflags.patch b/meta/recipes-connectivity/openssl/openssl10/reproducible-cflags.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/reproducible-cflags.patch
rename to meta/recipes-connectivity/openssl/openssl10/reproducible-cflags.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/reproducible-mkbuildinf.patch b/meta/recipes-connectivity/openssl/openssl10/reproducible-mkbuildinf.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/reproducible-mkbuildinf.patch
rename to meta/recipes-connectivity/openssl/openssl10/reproducible-mkbuildinf.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/run-ptest b/meta/recipes-connectivity/openssl/openssl10/run-ptest
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/run-ptest
rename to meta/recipes-connectivity/openssl/openssl10/run-ptest
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/shared-libs.patch b/meta/recipes-connectivity/openssl/openssl10/shared-libs.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2p/shared-libs.patch
rename to meta/recipes-connectivity/openssl/openssl10/shared-libs.patch
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2p.bb b/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb
similarity index 91%
rename from meta/recipes-connectivity/openssl/openssl_1.0.2p.bb
rename to meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb
index dbcb000..b7297fc 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2p.bb
+++ b/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb
@@ -11,8 +11,6 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f475368924827d06d4b416111c8bdb77"
 DEPENDS = "hostperl-runtime-native"
 DEPENDS_append_class-target = " openssl-native"
 
-PROVIDES += "openssl10"
-
 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://openssl-c_rehash.sh \
@@ -56,6 +54,8 @@ SRC_URI_append_class-nativesdk = " \
 SRC_URI[md5sum] = "ac5eb30bf5798aa14b1ae6d0e7da58df"
 SRC_URI[sha256sum] = "50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00"
 
+S = "${WORKDIR}/openssl-${PV}"
+
 UPSTREAM_CHECK_REGEX = "openssl-(?P<pver>1\.0.+)\.tar"
 
 inherit pkgconfig siteinfo multilib_header ptest manpages
@@ -326,20 +326,35 @@ do_install_ptest () {
 # file to be installed for both the base openssl package and the libcrypto
 # package since the base openssl package depends on the libcrypto package.
 
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"
+PACKAGES =+ "libcrypto10 libssl10 openssl10-conf ${PN}-engines ${PN}-misc"
 
-FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
-FILES_libssl = "${libdir}/libssl${SOLIBS}"
-FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+FILES_libcrypto10 = "${libdir}/libcrypto${SOLIBS}"
+FILES_libssl10 = "${libdir}/libssl${SOLIBS}"
+FILES_openssl10-conf = "${sysconfdir}/ssl/openssl.cnf"
 FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
 FILES_${PN}-misc = "${libdir}/ssl/misc"
 FILES_${PN} =+ "${libdir}/ssl/*"
 FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
 
-CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+CONFFILES_openssl10-conf = "${sysconfdir}/ssl/openssl.cnf"
 
-RRECOMMENDS_libcrypto += "openssl-conf"
+RRECOMMENDS_libcrypto10 += "openssl10-conf"
 RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
 RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
 
 BBCLASSEXTEND = "native nativesdk"
+PACKAGE_PREPROCESS_FUNCS += "openssl_package_preprocess"
+
+# openssl 1.0 development files and executable binaries clash with openssl 1.1
+# files when installed into target rootfs. So we don't put them into
+# packages, but they continue to be provided via target sysroot for
+# cross-compilation on the host, if some software still depends on openssl 1.0.
+openssl_package_preprocess () {
+        for file in `find ${PKGD} -name *.h -o -name *.pc -o -name *.so`; do
+                rm $file
+        done
+        rm ${PKGD}/usr/bin/openssl
+        rm ${PKGD}/usr/bin/c_rehash
+        rmdir ${PKGD}/usr/bin
+
+}
-- 
2.7.4

[RFC PATCH 2/6] cryptodev-tests: port to openssl 1.1

[Alexander Kanavin]

From: Alexander Kanavin <alexander.kanavin@linux.intel.com>

This leaves openssh as the only recipe that requires openssl 1.0 (or libressl).

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 .../cryptodev/cryptodev-tests_1.9.bb               |   3 +-
 .../files/0001-Port-tests-to-openssl-1.1.patch     | 103 +++++++++++++++++++++
 2 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch

diff --git a/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb b/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
index 9afb3de..617db6c 100644
--- a/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
+++ b/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
@@ -2,10 +2,11 @@ require cryptodev.inc
 
 SUMMARY = "A test suite for /dev/crypto device driver"
 
-DEPENDS += "openssl10"
+DEPENDS += "openssl"
 
 SRC_URI += " \
 file://0001-Add-the-compile-and-install-rules-for-cryptodev-test.patch \
+file://0001-Port-tests-to-openssl-1.1.patch \
 "
 
 EXTRA_OEMAKE='KERNEL_DIR="${STAGING_EXECPREFIXDIR}" PREFIX="${D}"'
diff --git a/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch b/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
new file mode 100644
index 0000000..c969126
--- /dev/null
+++ b/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
@@ -0,0 +1,103 @@
+From 2fe4bdeb8cdd0b0f46d9caed807812855d51ea56 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Wed, 28 Mar 2018 20:11:05 +0300
+Subject: [PATCH] Port tests to openssl 1.1
+
+Upstream-Status: Accepted [https://github.com/cryptodev-linux/cryptodev-linux/pull/36]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+
+---
+ tests/openssl_wrapper.c | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/tests/openssl_wrapper.c b/tests/openssl_wrapper.c
+index 038c58f..dea2496 100644
+--- a/tests/openssl_wrapper.c
++++ b/tests/openssl_wrapper.c
+@@ -4,6 +4,7 @@
+ #include <openssl/aes.h>
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/opensslv.h>
+ 
+ //#define DEBUG
+ 
+@@ -23,10 +24,17 @@ enum ctx_type {
+ 	ctx_type_md,
+ };
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++union openssl_ctx {
++	HMAC_CTX *hmac;
++	EVP_MD_CTX *md;
++};
++#else
+ union openssl_ctx {
+ 	HMAC_CTX hmac;
+ 	EVP_MD_CTX md;
+ };
++#endif
+ 
+ struct ctx_mapping {
+ 	__u32 ses;
+@@ -63,6 +71,16 @@ static void remove_mapping(__u32 ses)
+ 	switch (mapping->type) {
+ 	case ctx_type_none:
+ 		break;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	case ctx_type_hmac:
++		dbgp("%s: calling HMAC_CTX_free\n", __func__);
++		HMAC_CTX_free(mapping->ctx.hmac);
++		break;
++	case ctx_type_md:
++		dbgp("%s: calling EVP_MD_CTX_free\n", __func__);
++		EVP_MD_CTX_free(mapping->ctx.md);
++		break;
++#else
+ 	case ctx_type_hmac:
+ 		dbgp("%s: calling HMAC_CTX_cleanup\n", __func__);
+ 		HMAC_CTX_cleanup(&mapping->ctx.hmac);
+@@ -71,6 +89,7 @@ static void remove_mapping(__u32 ses)
+ 		dbgp("%s: calling EVP_MD_CTX_cleanup\n", __func__);
+ 		EVP_MD_CTX_cleanup(&mapping->ctx.md);
+ 		break;
++#endif
+ 	}
+ 	memset(mapping, 0, sizeof(*mapping));
+ }
+@@ -127,10 +146,17 @@ static int openssl_hmac(struct session_op *sess, struct crypt_op *cop)
+ 
+ 		mapping->ses = sess->ses;
+ 		mapping->type = ctx_type_hmac;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++		ctx = mapping->ctx.hmac;
++
++		dbgp("calling HMAC_CTX_new");
++		ctx = HMAC_CTX_new();
++#else
+ 		ctx = &mapping->ctx.hmac;
+ 
+ 		dbgp("calling HMAC_CTX_init");
+ 		HMAC_CTX_init(ctx);
++#endif
+ 		dbgp("calling HMAC_Init_ex");
+ 		if (!HMAC_Init_ex(ctx, sess->mackey, sess->mackeylen,
+ 				sess_to_evp_md(sess), NULL)) {
+@@ -172,10 +198,17 @@ static int openssl_md(struct session_op *sess, struct crypt_op *cop)
+ 
+ 		mapping->ses = sess->ses;
+ 		mapping->type = ctx_type_md;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++		ctx = mapping->ctx.md;
++
++		dbgp("calling EVP_MD_CTX_new");
++		ctx = EVP_MD_CTX_new();
++#else
+ 		ctx = &mapping->ctx.md;
+ 
+ 		dbgp("calling EVP_MD_CTX_init");
+ 		EVP_MD_CTX_init(ctx);
++#endif
+ 		dbgp("calling EVP_DigestInit");
+ 		EVP_DigestInit(ctx, sess_to_evp_md(sess));
+ 	}
-- 
2.7.4

[RFC PATCH 3/6] openssl: update to 1.1.1

[Alexander Kanavin]

At the moment 1.1.1 is in pre-release stage, however the final release
should be available within a few weeks. The major selling point is that
it supports the new TLS 1.3 specification. It will also be the new long
term support version. More information:

https://www.openssl.org/policies/releasestrat.html

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 ...1-Take-linking-flags-from-LDFLAGS-env-var.patch | 43 ----------------------
 ...SLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch | 39 --------------------
 .../{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb}   | 23 +++++++-----
 3 files changed, 14 insertions(+), 91 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
 rename meta/recipes-connectivity/openssl/{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb} (83%)

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch b/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
deleted file mode 100644
index 6ce4e47..0000000
--- a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 08face4353d80111973aba9c1304c92158cfad0e Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Tue, 28 Mar 2017 16:40:12 +0300
-Subject: [PATCH] Take linking flags from LDFLAGS env var
-
-This fixes "No GNU_HASH in the elf binary" issues.
-
-Upstream-Status: Inappropriate [oe-core specific]
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- Configurations/unix-Makefile.tmpl | 2 +-
- Configure                         | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index c029817..43b769b 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -173,7 +173,7 @@ CROSS_COMPILE= {- $config{cross_compile_prefix} -}
- CC= $(CROSS_COMPILE){- $target{cc} -}
- CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
- CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
--LDFLAGS= {- $target{lflags} -}
-+LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -}
- PLIB_LDFLAGS= {- $target{plib_lflags} -}
- EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -}
- LIB_CFLAGS={- $target{shared_cflag} || "" -}
-diff --git a/Configure b/Configure
-index aee7cc3..274d236 100755
---- a/Configure
-+++ b/Configure
-@@ -979,7 +979,7 @@ $config{build_file} = $target{build_file};
- $config{defines} = [];
- $config{cflags} = "";
- $config{ex_libs} = "";
--$config{shared_ldflag} = "";
-+$config{shared_ldflag} = $ENV{'LDFLAGS'};
- 
- # Make sure build_scheme is consistent.
- $target{build_scheme} = [ $target{build_scheme} ]
--- 
-2.11.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch b/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
deleted file mode 100644
index 67d06fc..0000000
--- a/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 26e98beb8a987cdc69699aaffc5599926fb1b293 Mon Sep 17 00:00:00 2001
-From: Andre McCurdy <armccurdy@gmail.com>
-Date: Fri, 17 Aug 2018 20:33:44 -0700
-Subject: [PATCH] allow OPENSSLDIR and ENGINESDIR CFLAGS to be controlled
-
-Upstream-Status: Inappropriate [OE Specific]
-
-Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
----
- Configurations/unix-Makefile.tmpl | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 034d93e..2310d12 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -156,6 +156,10 @@ LIBDIR={- #
- ENGINESDIR={- use File::Spec::Functions;
-               catdir($prefix,$libdir,"engines-$sover") -}
- 
-+# Intermediate variables so the values defined via CFLAGS can be controlled.
-+OE_DOPENSSLDIR=$(OPENSSLDIR)
-+OE_DENGINESDIR=$(ENGINESDIR)
-+
- # Convenience variable for those who want to set the rpath in shared
- # libraries and applications
- LIBRPATH=$(INSTALLTOP)/$(LIBDIR)
-@@ -174,7 +178,7 @@ HTMLSUFFIX=html
- 
- CROSS_COMPILE= {- $config{cross_compile_prefix} -}
- CC= $(CROSS_COMPILE){- $target{cc} -}
--CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
-+CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OE_DOPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(OE_DENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
- CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
- LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -}
- PLIB_LDFLAGS= {- $target{plib_lflags} -}
--- 
-1.9.1
-
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
similarity index 83%
rename from meta/recipes-connectivity/openssl/openssl_1.1.0i.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
index a03f6ff..1917c33 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.0i.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
@@ -13,26 +13,30 @@ DEPENDS = "hostperl-runtime-native"
 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://openssl-c_rehash.sh \
-           file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
-           file://0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch \
            "
 
 SRC_URI_append_class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[md5sum] = "9495126aafd2659d357ea66a969c3fe1"
-SRC_URI[sha256sum] = "ebbfc844a8c8cc0ea5dc10b86c9ce97f401837f3fa08c17b2cdadc118253cf99"
+SRC_URI[md5sum] = "6aa32e976e2c9a4aee858ced135d2573"
+SRC_URI[sha256sum] = "95ebdfbb05e8451fb01a186ccaa4a7da0eff9a48999ede9fe1a7d90db75ccb4c"
 
 inherit lib_package multilib_header ptest
 
 #| ./libcrypto.so: undefined reference to `getcontext'
 #| ./libcrypto.so: undefined reference to `setcontext'
 #| ./libcrypto.so: undefined reference to `makecontext'
-EXTRA_OECONF_append_libc-musl = " -DOPENSSL_NO_ASYNC"
+CPPFLAGS_append_libc-musl = " -DOPENSSL_NO_ASYNC"
 
-EXTRA_OEMAKE_append_class-native = " OE_DOPENSSLDIR='/not/builtin' OE_DENGINESDIR='/not/builtin'"
-EXTRA_OEMAKE_append_class-nativesdk = " OE_DOPENSSLDIR='/not/builtin' OE_DENGINESDIR='/not/builtin'"
+# This prevents openssl from using getrandom() which is not available on older glibc versions
+# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
+EXTRA_OECONF_class-native = "--with-rand-seed=devrandom"
+EXTRA_OECONF_class-nativesdk = "--with-rand-seed=devrandom"
+
+# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
+CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
 
 do_configure () {
 	os=${HOST_OS}
@@ -98,8 +102,9 @@ do_configure () {
 	if [ "x$useprefix" = "x" ]; then
 		useprefix=/
 	fi
-	libdirleaf="$(echo ${libdir} | sed s:$useprefix::)"
-	perl ./Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=$libdirleaf $target
+	# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
+	# environment variables set by bitbake. Adjust the environment variables instead.
+	perl ./Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
 }
 
 do_install () {
-- 
2.7.4

[RFC PATCH 4/6] libressl: add a recipe to support openssh

[Alexander Kanavin]

From: Alexander Kanavin <alexander.kanavin@linux.intel.com>

After reading through this:

https://github.com/openssh/openssh-portable/pull/48

and this thread:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-October/036344.html

I've concluded that this is the best of the three not-great options. The alternatives:

- bundle libressl inside openssh packages
- keep openssh dependent on openssl 1.0 and wait until upstream does something

are both inferior. Libressl is used with openssh in OpenBSD and in OS X,
so it did get at least some testing in the real world.

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 meta/conf/distro/include/maintainers.inc           |  1 +
 ...c-libraries-with-their-library-dependenci.patch | 73 ++++++++++++++++++++++
 .../libressl/libressl_2.8.0.bb                     | 35 +++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
 create mode 100644 meta/recipes-connectivity/libressl/libressl_2.8.0.bb

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index c76f81f..de4f9af 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -344,6 +344,7 @@ RECIPE_MAINTAINER_pn-libpng = "Maxin B. John <maxin.john@intel.com>"
 RECIPE_MAINTAINER_pn-libproxy = "Maxin B. John <maxin.john@intel.com>"
 RECIPE_MAINTAINER_pn-libpthread-stubs = "Alexander Kanavin <alex.kanavin@gmail.com>"
 RECIPE_MAINTAINER_pn-librepo = "Alexander Kanavin <alex.kanavin@gmail.com>"
+RECIPE_MAINTAINER_pn-libressl = "Alexander Kanavin <alex.kanavin@gmail.com>"
 RECIPE_MAINTAINER_pn-librsvg = "Maxin B. John <maxin.john@intel.com>"
 RECIPE_MAINTAINER_pn-libsamplerate0 = "Tanu Kaskinen <tanuk@iki.fi>"
 RECIPE_MAINTAINER_pn-libsdl = "Yi Zhao <yi.zhao@windriver.com>"
diff --git a/meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch b/meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
new file mode 100644
index 0000000..50b795d
--- /dev/null
+++ b/meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
@@ -0,0 +1,73 @@
+From 0dd486ba596fea07742a9317542bce27e18fd830 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Mon, 9 Apr 2018 18:02:56 +0300
+Subject: [PATCH] Link dynamic libraries with their library dependencies.
+
+It does seem like outside of OpenBSD, no one has actually used libressl yet.
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+
+---
+ CMakeLists.txt        | 5 +++++
+ crypto/CMakeLists.txt | 1 +
+ ssl/CMakeLists.txt    | 2 +-
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 549849f..0f9d8f5 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -266,15 +266,19 @@ set(OPENSSL_LIBS tls ssl crypto)
+ 
+ # Add additional required libs
+ if(WIN32)
++	set(OPENSSL_LIB_LIBS ws2_32)
+ 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
+ endif()
+ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
++	set(OPENSSL_LIB_LIBS pthread)
+ 	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
+ endif()
+ if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
++	set(OPENSSL_LIB_LIBS pthread)
+ 	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
+ endif()
+ if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
++	set(OPENSSL_LIB_LIBS nsl socket)
+ 	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
+ endif()
+ 
+@@ -282,6 +286,7 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+ 	# Check if we need -lrt to get clock_gettime on Linux
+ 	check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
+ 	if (HAVE_CLOCK_GETTIME)
++		set(OPENSSL_LIB_LIBS ${OPENSSL_LIB_LIBS} rt)
+ 		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
+ 	endif()
+ else()
+diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
+index 90e127e..08eceda 100644
+--- a/crypto/CMakeLists.txt
++++ b/crypto/CMakeLists.txt
+@@ -813,6 +813,7 @@ target_include_directories(crypto
+ 		../include)
+ 
+ if (BUILD_SHARED_LIBS)
++	target_link_libraries(crypto ${OPENSSL_LIB_LIBS})
+ 	export_symbol(crypto ${CMAKE_CURRENT_BINARY_DIR}/crypto_p.sym)
+ 	if (WIN32)
+ 		target_link_libraries(crypto Ws2_32.lib)
+diff --git a/ssl/CMakeLists.txt b/ssl/CMakeLists.txt
+index 1a559e6..ed17223 100644
+--- a/ssl/CMakeLists.txt
++++ b/ssl/CMakeLists.txt
+@@ -51,7 +51,7 @@ target_include_directories(ssl
+ 
+ if (BUILD_SHARED_LIBS)
+ 	export_symbol(ssl ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
+-	target_link_libraries(ssl crypto)
++	target_link_libraries(ssl crypto ${OPENSSL_LIB_LIBS})
+ 	if (WIN32)
+ 		target_link_libraries(ssl Ws2_32.lib)
+ 		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
diff --git a/meta/recipes-connectivity/libressl/libressl_2.8.0.bb b/meta/recipes-connectivity/libressl/libressl_2.8.0.bb
new file mode 100644
index 0000000..b45f16a
--- /dev/null
+++ b/meta/recipes-connectivity/libressl/libressl_2.8.0.bb
@@ -0,0 +1,35 @@
+SUMMARY = "Drop-in replacement for openssl 1.0.x, maintained by OpenBSD"
+DESCRIPTION = "LibreSSL is a version of the TLS/crypto stack forked from \
+               OpenSSL in 2014, with goals of modernizing the codebase, \
+               improving security, and applying best practice development processes. "
+HOMEPAGE = "http://www.libressl.org/"
+
+LICENSE = "openssl"
+LIC_FILES_CHKSUM = "file://COPYING;md5=01f9bb4d275f5eeea905377bef3de622"
+
+SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${PV}.tar.gz \
+           file://0001-Link-dynamic-libraries-with-their-library-dependenci.patch \
+           "
+SRC_URI[md5sum] = "d922be6690e7de8949948aaec42a4563"
+SRC_URI[sha256sum] = "af2bba965b06063518eec6f192d411631dfe1d07713760c67c3c29d348789dc3"
+
+inherit cmake
+
+EXTRA_OECMAKE = "-DOPENSSLDIR=${sysconfdir}/libressl -DBUILD_SHARED_LIBS=ON"
+
+PACKAGE_PREPROCESS_FUNCS += "libressl_package_preprocess"
+
+# libressl development files and executable binaries clash with openssl 1.1
+# files when installed into target rootfs. So we don't put them into
+# packages, but they continue to be provided via target sysroot for
+# cross-compilation on the host, if some software needs specifically libressl.
+libressl_package_preprocess () {
+        for file in `find ${PKGD} -name *.h -o -name *.pc -o -name *.so`; do
+                rm $file
+        done
+}
+
+# {standard input}: Assembler messages:
+# {standard input}:303: Error: selected processor does not support `rev r0,r0' in ARM mode
+# {standard input}:303: Error: selected processor does not support `rev ip,ip' in ARM mode
+OECMAKE_C_FLAGS_append_arm = " -D__STRICT_ALIGNMENT"
-- 
2.7.4

[RFC PATCH 5/6] openssh: depend on libressl

[Alexander Kanavin]

From: Alexander Kanavin <alexander.kanavin@linux.intel.com>

Please see the previous commit for the libressl rationale.

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 meta/recipes-connectivity/openssh/openssh_7.7p1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/openssh/openssh_7.7p1.bb b/meta/recipes-connectivity/openssh/openssh_7.7p1.bb
index b3da5f6..db5e437 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.7p1.bb
@@ -9,7 +9,7 @@ LICENSE = "BSD"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"
 
 # openssl 1.1 patches are proposed at https://github.com/openssh/openssh-portable/pull/48
-DEPENDS = "zlib openssl10"
+DEPENDS = "zlib libressl"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
 SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
-- 
2.7.4

[RFC PATCH 6/6] ca-certificates: update to 20180409

[Alexander Kanavin]

From: Alexander Kanavin <alexander.kanavin@linux.intel.com>

License-Update: URI fix
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 .../{ca-certificates_20170717.bb => ca-certificates_20180409.bb}      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-support/ca-certificates/{ca-certificates_20170717.bb => ca-certificates_20180409.bb} (95%)

diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb b/meta/recipes-support/ca-certificates/ca-certificates_20180409.bb
similarity index 95%
rename from meta/recipes-support/ca-certificates/ca-certificates_20170717.bb
rename to meta/recipes-support/ca-certificates/ca-certificates_20180409.bb
index 24d3a6e..0d57083 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20180409.bb
@@ -5,7 +5,7 @@ This derived from Debian's CA Certificates."
 HOMEPAGE = "http://packages.debian.org/sid/ca-certificates"
 SECTION = "misc"
 LICENSE = "GPL-2.0+ & MPL-2.0"
-LIC_FILES_CHKSUM = "file://debian/copyright;md5=e7358b9541ccf3029e9705ed8de57968"
+LIC_FILES_CHKSUM = "file://debian/copyright;md5=aeb420429b1659507e0a5a1b123e8308"
 
 # This is needed to ensure we can run the postinst at image creation time
 DEPENDS = ""
@@ -14,7 +14,7 @@ DEPENDS_class-nativesdk = "openssl-native"
 # Need c_rehash from openssl and run-parts from debianutils
 PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
 
-SRCREV = "34b8e19e541b8af4076616b2e170c7a70cdaded0"
+SRCREV = "dbbd11e56af93bb79f21d0ee6059a901f83f70a5"
 
 SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
            file://0002-update-ca-certificates-use-SYSROOT.patch \
-- 
2.7.4

Re: [RFC PATCH 6/6] ca-certificates: update to 20180409

[Khem Raj]

On Tue, Aug 28, 2018 at 3:24 AM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> From: Alexander Kanavin <alexander.kanavin@linux.intel.com>
>
> License-Update: URI fix
> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> ---
>  .../{ca-certificates_20170717.bb => ca-certificates_20180409.bb}      | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>  rename meta/recipes-support/ca-certificates/{ca-certificates_20170717.bb => ca-certificates_20180409.bb} (95%)
>
> diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb b/meta/recipes-support/ca-certificates/ca-certificates_20180409.bb
> similarity index 95%
> rename from meta/recipes-support/ca-certificates/ca-certificates_20170717.bb
> rename to meta/recipes-support/ca-certificates/ca-certificates_20180409.bb
> index 24d3a6e..0d57083 100644
> --- a/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb
> +++ b/meta/recipes-support/ca-certificates/ca-certificates_20180409.bb
> @@ -5,7 +5,7 @@ This derived from Debian's CA Certificates."
>  HOMEPAGE = "http://packages.debian.org/sid/ca-certificates"
>  SECTION = "misc"
>  LICENSE = "GPL-2.0+ & MPL-2.0"
> -LIC_FILES_CHKSUM = "file://debian/copyright;md5=e7358b9541ccf3029e9705ed8de57968"
> +LIC_FILES_CHKSUM = "file://debian/copyright;md5=aeb420429b1659507e0a5a1b123e8308"
>
>  # This is needed to ensure we can run the postinst at image creation time
>  DEPENDS = ""
> @@ -14,7 +14,7 @@ DEPENDS_class-nativesdk = "openssl-native"
>  # Need c_rehash from openssl and run-parts from debianutils
>  PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
>
> -SRCREV = "34b8e19e541b8af4076616b2e170c7a70cdaded0"
> +SRCREV = "dbbd11e56af93bb79f21d0ee6059a901f83f70a5"

It fails in do_patch for me.
Patch 0002-update-ca-certificates-use-SYSROOT.patch does not apply
(enforce with -f)

Re: [RFC PATCH 6/6] ca-certificates: update to 20180409

[Alexander Kanavin]

2018-08-29 16:30 GMT+02:00 Khem Raj <raj.khem@gmail.com>:

>> -SRCREV = "34b8e19e541b8af4076616b2e170c7a70cdaded0"
>> +SRCREV = "dbbd11e56af93bb79f21d0ee6059a901f83f70a5"
>
> It fails in do_patch for me.
> Patch 0002-update-ca-certificates-use-SYSROOT.patch does not apply
> (enforce with -f)

Works for me though. I just did a cleansstate and build to double
check. Can you try on plain poky master please?

Alex

Re: [RFC PATCH 6/6] ca-certificates: update to 20180409

[Khem Raj]

On Wed, Aug 29, 2018 at 7:47 AM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> 2018-08-29 16:30 GMT+02:00 Khem Raj <raj.khem@gmail.com>:
>
> >> -SRCREV = "34b8e19e541b8af4076616b2e170c7a70cdaded0"
> >> +SRCREV = "dbbd11e56af93bb79f21d0ee6059a901f83f70a5"
> >
> > It fails in do_patch for me.
> > Patch 0002-update-ca-certificates-use-SYSROOT.patch does not apply
> > (enforce with -f)
>
> Works for me though. I just did a cleansstate and build to double
> check. Can you try on plain poky master please?

bitbake ca-certificates -ccleanall && bitbake ca-certificates
worked, seems a wrong fetch sometimes, I wish git fetcher has some
sort of checksumming as well.

Re: [RFC PATCH 0/6] openssl 1.1.1 update

[Khem Raj]

musl/mips seems to fail due to this see

http://errors.yoctoproject.org/Errors/Details/188615/
On Tue, Aug 28, 2018 at 3:23 AM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> This patch series updates openssl to the soon-to-be released 1.1.1 version
> (latest news is 11 September), sets it as default, and removes dependencies
> on openssl 1.0 entirely from oe-core. openssl 1.0 remains available as openssl10
> recipe.
>
> The following changes since commit a8368651ffed1bd6c4715a37dfe9f40c48ca23c4:
>
>   bitbake: fetcher: Fixed remote removal not throwing exception. (2018-08-28 10:32:08 +0100)
>
> are available in the git repository at:
>
>   git://push.yoctoproject.org/poky-contrib akanavin/openssl-1.1.1
>
> Alexander Kanavin (6):
>   openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the
>     default version
>   cryptodev-tests: port to openssl 1.1
>   openssl: update to 1.1.1
>   libressl: add a recipe to support openssh
>   openssh: depend on libressl
>   ca-certificates: update to 20180409
>
>  meta/conf/distro/include/default-versions.inc      |   3 -
>  meta/conf/distro/include/maintainers.inc           |   2 +
>  ...c-libraries-with-their-library-dependenci.patch |  73 +++++++++++++++
>  .../libressl/libressl_2.8.0.bb                     |  35 +++++++
>  meta/recipes-connectivity/openssh/openssh_7.7p1.bb |   2 +-
>  .../{openssl => files}/environment.d-openssl.sh    |   0
>  ...1-Take-linking-flags-from-LDFLAGS-env-var.patch |  43 ---------
>  ...SLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch |  39 --------
>  ...build-with-clang-using-external-assembler.patch |   0
>  .../0001-allow-manpages-to-be-disabled.patch       |   0
>  ...penssl-force-soft-link-to-avoid-rare-race.patch |   0
>  .../Makefiles-ptest.patch                          |   0
>  .../Use-SHA256-not-MD5-as-default-digest.patch     |   0
>  .../configure-musl-target.patch                    |   0
>  .../configure-targets.patch                        |   0
>  .../debian/c_rehash-compat.patch                   |   0
>  .../debian/debian-targets.patch                    |   0
>  .../debian/man-dir.patch                           |   0
>  .../debian/man-section.patch                       |   0
>  .../debian/no-rpath.patch                          |   0
>  .../debian/no-symbolic.patch                       |   0
>  .../{openssl-1.0.2p => openssl10}/debian/pic.patch |   0
>  .../debian1.0.2/block_digicert_malaysia.patch      |   0
>  .../debian1.0.2/block_diginotar.patch              |   0
>  .../debian1.0.2/soname.patch                       |   0
>  .../debian1.0.2/version-script.patch               |   0
>  .../engines-install-in-libdir-ssl.patch            |   0
>  .../{openssl-1.0.2p => openssl10}/oe-ldflags.patch |   0
>  .../openssl-c_rehash.sh                            |   0
>  .../openssl-fix-des.pod-error.patch                |   0
>  .../openssl_fix_for_x32.patch                      |   0
>  .../{openssl-1.0.2p => openssl10}/parallel.patch   |   0
>  .../{openssl-1.0.2p => openssl10}/ptest-deps.patch |   0
>  .../ptest_makefile_deps.patch                      |   0
>  .../reproducible-cflags.patch                      |   0
>  .../reproducible-mkbuildinf.patch                  |   0
>  .../{openssl-1.0.2p => openssl10}/run-ptest        |   0
>  .../shared-libs.patch                              |   0
>  .../{openssl_1.0.2p.bb => openssl10_1.0.2p.bb}     |  31 +++++--
>  .../{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb}   |  23 +++--
>  .../cryptodev/cryptodev-tests_1.9.bb               |   3 +-
>  .../files/0001-Port-tests-to-openssl-1.1.patch     | 103 +++++++++++++++++++++
>  ...tes_20170717.bb => ca-certificates_20180409.bb} |   4 +-
>  43 files changed, 255 insertions(+), 106 deletions(-)
>  create mode 100644 meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
>  create mode 100644 meta/recipes-connectivity/libressl/libressl_2.8.0.bb
>  rename meta/recipes-connectivity/openssl/{openssl => files}/environment.d-openssl.sh (100%)
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-allow-manpages-to-be-disabled.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-openssl-force-soft-link-to-avoid-rare-race.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Makefiles-ptest.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-musl-target.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-targets.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/c_rehash-compat.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/debian-targets.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-dir.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-section.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-rpath.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-symbolic.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/pic.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_digicert_malaysia.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_diginotar.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/soname.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/version-script.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/engines-install-in-libdir-ssl.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/oe-ldflags.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-c_rehash.sh (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-fix-des.pod-error.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl_fix_for_x32.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/parallel.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest-deps.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest_makefile_deps.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-cflags.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-mkbuildinf.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/run-ptest (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/shared-libs.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl_1.0.2p.bb => openssl10_1.0.2p.bb} (91%)
>  rename meta/recipes-connectivity/openssl/{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb} (83%)
>  create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
>  rename meta/recipes-support/ca-certificates/{ca-certificates_20170717.bb => ca-certificates_20180409.bb} (95%)
>
> --
> 2.7.4
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [RFC PATCH 0/6] openssl 1.1.1 update

[Alexander Kanavin]

The recipe has a guard for this, but maybe it stopped working, I'll take a look:

#| ./libcrypto.so: undefined reference to `getcontext'
#| ./libcrypto.so: undefined reference to `setcontext'
#| ./libcrypto.so: undefined reference to `makecontext'
CPPFLAGS_append_libc-musl = " -DOPENSSL_NO_ASYNC"

Alex


2018-08-31 8:22 GMT+02:00 Khem Raj <raj.khem@gmail.com>:
> musl/mips seems to fail due to this see
>
> http://errors.yoctoproject.org/Errors/Details/188615/
> On Tue, Aug 28, 2018 at 3:23 AM Alexander Kanavin
> <alex.kanavin@gmail.com> wrote:
>>
>> This patch series updates openssl to the soon-to-be released 1.1.1 version
>> (latest news is 11 September), sets it as default, and removes dependencies
>> on openssl 1.0 entirely from oe-core. openssl 1.0 remains available as openssl10
>> recipe.
>>
>> The following changes since commit a8368651ffed1bd6c4715a37dfe9f40c48ca23c4:
>>
>>   bitbake: fetcher: Fixed remote removal not throwing exception. (2018-08-28 10:32:08 +0100)
>>
>> are available in the git repository at:
>>
>>   git://push.yoctoproject.org/poky-contrib akanavin/openssl-1.1.1
>>
>> Alexander Kanavin (6):
>>   openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the
>>     default version
>>   cryptodev-tests: port to openssl 1.1
>>   openssl: update to 1.1.1
>>   libressl: add a recipe to support openssh
>>   openssh: depend on libressl
>>   ca-certificates: update to 20180409
>>
>>  meta/conf/distro/include/default-versions.inc      |   3 -
>>  meta/conf/distro/include/maintainers.inc           |   2 +
>>  ...c-libraries-with-their-library-dependenci.patch |  73 +++++++++++++++
>>  .../libressl/libressl_2.8.0.bb                     |  35 +++++++
>>  meta/recipes-connectivity/openssh/openssh_7.7p1.bb |   2 +-
>>  .../{openssl => files}/environment.d-openssl.sh    |   0
>>  ...1-Take-linking-flags-from-LDFLAGS-env-var.patch |  43 ---------
>>  ...SLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch |  39 --------
>>  ...build-with-clang-using-external-assembler.patch |   0
>>  .../0001-allow-manpages-to-be-disabled.patch       |   0
>>  ...penssl-force-soft-link-to-avoid-rare-race.patch |   0
>>  .../Makefiles-ptest.patch                          |   0
>>  .../Use-SHA256-not-MD5-as-default-digest.patch     |   0
>>  .../configure-musl-target.patch                    |   0
>>  .../configure-targets.patch                        |   0
>>  .../debian/c_rehash-compat.patch                   |   0
>>  .../debian/debian-targets.patch                    |   0
>>  .../debian/man-dir.patch                           |   0
>>  .../debian/man-section.patch                       |   0
>>  .../debian/no-rpath.patch                          |   0
>>  .../debian/no-symbolic.patch                       |   0
>>  .../{openssl-1.0.2p => openssl10}/debian/pic.patch |   0
>>  .../debian1.0.2/block_digicert_malaysia.patch      |   0
>>  .../debian1.0.2/block_diginotar.patch              |   0
>>  .../debian1.0.2/soname.patch                       |   0
>>  .../debian1.0.2/version-script.patch               |   0
>>  .../engines-install-in-libdir-ssl.patch            |   0
>>  .../{openssl-1.0.2p => openssl10}/oe-ldflags.patch |   0
>>  .../openssl-c_rehash.sh                            |   0
>>  .../openssl-fix-des.pod-error.patch                |   0
>>  .../openssl_fix_for_x32.patch                      |   0
>>  .../{openssl-1.0.2p => openssl10}/parallel.patch   |   0
>>  .../{openssl-1.0.2p => openssl10}/ptest-deps.patch |   0
>>  .../ptest_makefile_deps.patch                      |   0
>>  .../reproducible-cflags.patch                      |   0
>>  .../reproducible-mkbuildinf.patch                  |   0
>>  .../{openssl-1.0.2p => openssl10}/run-ptest        |   0
>>  .../shared-libs.patch                              |   0
>>  .../{openssl_1.0.2p.bb => openssl10_1.0.2p.bb}     |  31 +++++--
>>  .../{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb}   |  23 +++--
>>  .../cryptodev/cryptodev-tests_1.9.bb               |   3 +-
>>  .../files/0001-Port-tests-to-openssl-1.1.patch     | 103 +++++++++++++++++++++
>>  ...tes_20170717.bb => ca-certificates_20180409.bb} |   4 +-
>>  43 files changed, 255 insertions(+), 106 deletions(-)
>>  create mode 100644 meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
>>  create mode 100644 meta/recipes-connectivity/libressl/libressl_2.8.0.bb
>>  rename meta/recipes-connectivity/openssl/{openssl => files}/environment.d-openssl.sh (100%)
>>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
>>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-allow-manpages-to-be-disabled.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-openssl-force-soft-link-to-avoid-rare-race.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Makefiles-ptest.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-musl-target.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-targets.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/c_rehash-compat.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/debian-targets.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-dir.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-section.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-rpath.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-symbolic.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/pic.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_digicert_malaysia.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_diginotar.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/soname.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/version-script.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/engines-install-in-libdir-ssl.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/oe-ldflags.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-c_rehash.sh (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-fix-des.pod-error.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl_fix_for_x32.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/parallel.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest-deps.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest_makefile_deps.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-cflags.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-mkbuildinf.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/run-ptest (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/shared-libs.patch (100%)
>>  rename meta/recipes-connectivity/openssl/{openssl_1.0.2p.bb => openssl10_1.0.2p.bb} (91%)
>>  rename meta/recipes-connectivity/openssl/{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb} (83%)
>>  create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
>>  rename meta/recipes-support/ca-certificates/{ca-certificates_20170717.bb => ca-certificates_20180409.bb} (95%)
>>
>> --
>> 2.7.4
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [RFC PATCH 0/6] openssl 1.1.1 update

[Alexander Kanavin]

I just did a quick musl build for qemux86, and " -DOPENSSL_NO_ASYNC"
is there as expected. Something in your setup overrides it maybe? What
does bitbake -e openssl say?


Alex

2018-08-31 11:30 GMT+02:00 Alexander Kanavin <alex.kanavin@gmail.com>:
> The recipe has a guard for this, but maybe it stopped working, I'll take a look:
>
> #| ./libcrypto.so: undefined reference to `getcontext'
> #| ./libcrypto.so: undefined reference to `setcontext'
> #| ./libcrypto.so: undefined reference to `makecontext'
> CPPFLAGS_append_libc-musl = " -DOPENSSL_NO_ASYNC"
>
> Alex
>
>
> 2018-08-31 8:22 GMT+02:00 Khem Raj <raj.khem@gmail.com>:
>> musl/mips seems to fail due to this see
>>
>> http://errors.yoctoproject.org/Errors/Details/188615/
>> On Tue, Aug 28, 2018 at 3:23 AM Alexander Kanavin
>> <alex.kanavin@gmail.com> wrote:
>>>
>>> This patch series updates openssl to the soon-to-be released 1.1.1 version
>>> (latest news is 11 September), sets it as default, and removes dependencies
>>> on openssl 1.0 entirely from oe-core. openssl 1.0 remains available as openssl10
>>> recipe.
>>>
>>> The following changes since commit a8368651ffed1bd6c4715a37dfe9f40c48ca23c4:
>>>
>>>   bitbake: fetcher: Fixed remote removal not throwing exception. (2018-08-28 10:32:08 +0100)
>>>
>>> are available in the git repository at:
>>>
>>>   git://push.yoctoproject.org/poky-contrib akanavin/openssl-1.1.1
>>>
>>> Alexander Kanavin (6):
>>>   openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the
>>>     default version
>>>   cryptodev-tests: port to openssl 1.1
>>>   openssl: update to 1.1.1
>>>   libressl: add a recipe to support openssh
>>>   openssh: depend on libressl
>>>   ca-certificates: update to 20180409
>>>
>>>  meta/conf/distro/include/default-versions.inc      |   3 -
>>>  meta/conf/distro/include/maintainers.inc           |   2 +
>>>  ...c-libraries-with-their-library-dependenci.patch |  73 +++++++++++++++
>>>  .../libressl/libressl_2.8.0.bb                     |  35 +++++++
>>>  meta/recipes-connectivity/openssh/openssh_7.7p1.bb |   2 +-
>>>  .../{openssl => files}/environment.d-openssl.sh    |   0
>>>  ...1-Take-linking-flags-from-LDFLAGS-env-var.patch |  43 ---------
>>>  ...SLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch |  39 --------
>>>  ...build-with-clang-using-external-assembler.patch |   0
>>>  .../0001-allow-manpages-to-be-disabled.patch       |   0
>>>  ...penssl-force-soft-link-to-avoid-rare-race.patch |   0
>>>  .../Makefiles-ptest.patch                          |   0
>>>  .../Use-SHA256-not-MD5-as-default-digest.patch     |   0
>>>  .../configure-musl-target.patch                    |   0
>>>  .../configure-targets.patch                        |   0
>>>  .../debian/c_rehash-compat.patch                   |   0
>>>  .../debian/debian-targets.patch                    |   0
>>>  .../debian/man-dir.patch                           |   0
>>>  .../debian/man-section.patch                       |   0
>>>  .../debian/no-rpath.patch                          |   0
>>>  .../debian/no-symbolic.patch                       |   0
>>>  .../{openssl-1.0.2p => openssl10}/debian/pic.patch |   0
>>>  .../debian1.0.2/block_digicert_malaysia.patch      |   0
>>>  .../debian1.0.2/block_diginotar.patch              |   0
>>>  .../debian1.0.2/soname.patch                       |   0
>>>  .../debian1.0.2/version-script.patch               |   0
>>>  .../engines-install-in-libdir-ssl.patch            |   0
>>>  .../{openssl-1.0.2p => openssl10}/oe-ldflags.patch |   0
>>>  .../openssl-c_rehash.sh                            |   0
>>>  .../openssl-fix-des.pod-error.patch                |   0
>>>  .../openssl_fix_for_x32.patch                      |   0
>>>  .../{openssl-1.0.2p => openssl10}/parallel.patch   |   0
>>>  .../{openssl-1.0.2p => openssl10}/ptest-deps.patch |   0
>>>  .../ptest_makefile_deps.patch                      |   0
>>>  .../reproducible-cflags.patch                      |   0
>>>  .../reproducible-mkbuildinf.patch                  |   0
>>>  .../{openssl-1.0.2p => openssl10}/run-ptest        |   0
>>>  .../shared-libs.patch                              |   0
>>>  .../{openssl_1.0.2p.bb => openssl10_1.0.2p.bb}     |  31 +++++--
>>>  .../{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb}   |  23 +++--
>>>  .../cryptodev/cryptodev-tests_1.9.bb               |   3 +-
>>>  .../files/0001-Port-tests-to-openssl-1.1.patch     | 103 +++++++++++++++++++++
>>>  ...tes_20170717.bb => ca-certificates_20180409.bb} |   4 +-
>>>  43 files changed, 255 insertions(+), 106 deletions(-)
>>>  create mode 100644 meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
>>>  create mode 100644 meta/recipes-connectivity/libressl/libressl_2.8.0.bb
>>>  rename meta/recipes-connectivity/openssl/{openssl => files}/environment.d-openssl.sh (100%)
>>>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
>>>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-allow-manpages-to-be-disabled.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-openssl-force-soft-link-to-avoid-rare-race.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Makefiles-ptest.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-musl-target.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-targets.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/c_rehash-compat.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/debian-targets.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-dir.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-section.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-rpath.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-symbolic.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/pic.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_digicert_malaysia.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_diginotar.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/soname.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/version-script.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/engines-install-in-libdir-ssl.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/oe-ldflags.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-c_rehash.sh (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-fix-des.pod-error.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl_fix_for_x32.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/parallel.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest-deps.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest_makefile_deps.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-cflags.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-mkbuildinf.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/run-ptest (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/shared-libs.patch (100%)
>>>  rename meta/recipes-connectivity/openssl/{openssl_1.0.2p.bb => openssl10_1.0.2p.bb} (91%)
>>>  rename meta/recipes-connectivity/openssl/{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb} (83%)
>>>  create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
>>>  rename meta/recipes-support/ca-certificates/{ca-certificates_20170717.bb => ca-certificates_20180409.bb} (95%)
>>>
>>> --
>>> 2.7.4
>>>
>>> --
>>> _______________________________________________
>>> Openembedded-core mailing list
>>> Openembedded-core@lists.openembedded.org
>>> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [RFC PATCH 0/6] openssl 1.1.1 update

[Khem Raj]

On Fri, Aug 31, 2018 at 2:38 AM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> I just did a quick musl build for qemux86, and " -DOPENSSL_NO_ASYNC"
> is there as expected. Something in your setup overrides it maybe? What
> does bitbake -e openssl say?
>

its failing in tests so may be ptests enabled build will get you to problem.

>
> Alex
>
> 2018-08-31 11:30 GMT+02:00 Alexander Kanavin <alex.kanavin@gmail.com>:
> > The recipe has a guard for this, but maybe it stopped working, I'll take a look:
> >
> > #| ./libcrypto.so: undefined reference to `getcontext'
> > #| ./libcrypto.so: undefined reference to `setcontext'
> > #| ./libcrypto.so: undefined reference to `makecontext'
> > CPPFLAGS_append_libc-musl = " -DOPENSSL_NO_ASYNC"
> >
> > Alex
> >
> >
> > 2018-08-31 8:22 GMT+02:00 Khem Raj <raj.khem@gmail.com>:
> >> musl/mips seems to fail due to this see
> >>
> >> http://errors.yoctoproject.org/Errors/Details/188615/
> >> On Tue, Aug 28, 2018 at 3:23 AM Alexander Kanavin
> >> <alex.kanavin@gmail.com> wrote:
> >>>
> >>> This patch series updates openssl to the soon-to-be released 1.1.1 version
> >>> (latest news is 11 September), sets it as default, and removes dependencies
> >>> on openssl 1.0 entirely from oe-core. openssl 1.0 remains available as openssl10
> >>> recipe.
> >>>
> >>> The following changes since commit a8368651ffed1bd6c4715a37dfe9f40c48ca23c4:
> >>>
> >>>   bitbake: fetcher: Fixed remote removal not throwing exception. (2018-08-28 10:32:08 +0100)
> >>>
> >>> are available in the git repository at:
> >>>
> >>>   git://push.yoctoproject.org/poky-contrib akanavin/openssl-1.1.1
> >>>
> >>> Alexander Kanavin (6):
> >>>   openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the
> >>>     default version
> >>>   cryptodev-tests: port to openssl 1.1
> >>>   openssl: update to 1.1.1
> >>>   libressl: add a recipe to support openssh
> >>>   openssh: depend on libressl
> >>>   ca-certificates: update to 20180409
> >>>
> >>>  meta/conf/distro/include/default-versions.inc      |   3 -
> >>>  meta/conf/distro/include/maintainers.inc           |   2 +
> >>>  ...c-libraries-with-their-library-dependenci.patch |  73 +++++++++++++++
> >>>  .../libressl/libressl_2.8.0.bb                     |  35 +++++++
> >>>  meta/recipes-connectivity/openssh/openssh_7.7p1.bb |   2 +-
> >>>  .../{openssl => files}/environment.d-openssl.sh    |   0
> >>>  ...1-Take-linking-flags-from-LDFLAGS-env-var.patch |  43 ---------
> >>>  ...SLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch |  39 --------
> >>>  ...build-with-clang-using-external-assembler.patch |   0
> >>>  .../0001-allow-manpages-to-be-disabled.patch       |   0
> >>>  ...penssl-force-soft-link-to-avoid-rare-race.patch |   0
> >>>  .../Makefiles-ptest.patch                          |   0
> >>>  .../Use-SHA256-not-MD5-as-default-digest.patch     |   0
> >>>  .../configure-musl-target.patch                    |   0
> >>>  .../configure-targets.patch                        |   0
> >>>  .../debian/c_rehash-compat.patch                   |   0
> >>>  .../debian/debian-targets.patch                    |   0
> >>>  .../debian/man-dir.patch                           |   0
> >>>  .../debian/man-section.patch                       |   0
> >>>  .../debian/no-rpath.patch                          |   0
> >>>  .../debian/no-symbolic.patch                       |   0
> >>>  .../{openssl-1.0.2p => openssl10}/debian/pic.patch |   0
> >>>  .../debian1.0.2/block_digicert_malaysia.patch      |   0
> >>>  .../debian1.0.2/block_diginotar.patch              |   0
> >>>  .../debian1.0.2/soname.patch                       |   0
> >>>  .../debian1.0.2/version-script.patch               |   0
> >>>  .../engines-install-in-libdir-ssl.patch            |   0
> >>>  .../{openssl-1.0.2p => openssl10}/oe-ldflags.patch |   0
> >>>  .../openssl-c_rehash.sh                            |   0
> >>>  .../openssl-fix-des.pod-error.patch                |   0
> >>>  .../openssl_fix_for_x32.patch                      |   0
> >>>  .../{openssl-1.0.2p => openssl10}/parallel.patch   |   0
> >>>  .../{openssl-1.0.2p => openssl10}/ptest-deps.patch |   0
> >>>  .../ptest_makefile_deps.patch                      |   0
> >>>  .../reproducible-cflags.patch                      |   0
> >>>  .../reproducible-mkbuildinf.patch                  |   0
> >>>  .../{openssl-1.0.2p => openssl10}/run-ptest        |   0
> >>>  .../shared-libs.patch                              |   0
> >>>  .../{openssl_1.0.2p.bb => openssl10_1.0.2p.bb}     |  31 +++++--
> >>>  .../{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb}   |  23 +++--
> >>>  .../cryptodev/cryptodev-tests_1.9.bb               |   3 +-
> >>>  .../files/0001-Port-tests-to-openssl-1.1.patch     | 103 +++++++++++++++++++++
> >>>  ...tes_20170717.bb => ca-certificates_20180409.bb} |   4 +-
> >>>  43 files changed, 255 insertions(+), 106 deletions(-)
> >>>  create mode 100644 meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
> >>>  create mode 100644 meta/recipes-connectivity/libressl/libressl_2.8.0.bb
> >>>  rename meta/recipes-connectivity/openssl/{openssl => files}/environment.d-openssl.sh (100%)
> >>>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
> >>>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-allow-manpages-to-be-disabled.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-openssl-force-soft-link-to-avoid-rare-race.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Makefiles-ptest.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-musl-target.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-targets.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/c_rehash-compat.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/debian-targets.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-dir.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-section.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-rpath.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-symbolic.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/pic.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_digicert_malaysia.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_diginotar.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/soname.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/version-script.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/engines-install-in-libdir-ssl.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/oe-ldflags.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-c_rehash.sh (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-fix-des.pod-error.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl_fix_for_x32.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/parallel.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest-deps.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest_makefile_deps.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-cflags.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-mkbuildinf.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/run-ptest (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/shared-libs.patch (100%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl_1.0.2p.bb => openssl10_1.0.2p.bb} (91%)
> >>>  rename meta/recipes-connectivity/openssl/{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb} (83%)
> >>>  create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
> >>>  rename meta/recipes-support/ca-certificates/{ca-certificates_20170717.bb => ca-certificates_20180409.bb} (95%)
> >>>
> >>> --
> >>> 2.7.4
> >>>
> >>> --
> >>> _______________________________________________
> >>> Openembedded-core mailing list
> >>> Openembedded-core@lists.openembedded.org
> >>> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [RFC PATCH 0/6] openssl 1.1.1 update

[Khem Raj]

+OE-devel

On Tue, Aug 28, 2018 at 3:23 AM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> This patch series updates openssl to the soon-to-be released 1.1.1 version
> (latest news is 11 September), sets it as default, and removes dependencies
> on openssl 1.0 entirely from oe-core. openssl 1.0 remains available as openssl10
> recipe.
>
> The following changes since commit a8368651ffed1bd6c4715a37dfe9f40c48ca23c4:
>
>   bitbake: fetcher: Fixed remote removal not throwing exception. (2018-08-28 10:32:08 +0100)
>
> are available in the git repository at:
>
>   git://push.yoctoproject.org/poky-contrib akanavin/openssl-1.1.1
>
> Alexander Kanavin (6):
>   openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the
>     default version

This change is going to require some changes en-mass in meta-openembedded repos

see the failures

http://errors.yoctoproject.org/Errors/Build/67403/

Feel free to send patches to meta-openembedded.

>   cryptodev-tests: port to openssl 1.1
>   openssl: update to 1.1.1
>   libressl: add a recipe to support openssh
>   openssh: depend on libressl
>   ca-certificates: update to 20180409
>
>  meta/conf/distro/include/default-versions.inc      |   3 -
>  meta/conf/distro/include/maintainers.inc           |   2 +
>  ...c-libraries-with-their-library-dependenci.patch |  73 +++++++++++++++
>  .../libressl/libressl_2.8.0.bb                     |  35 +++++++
>  meta/recipes-connectivity/openssh/openssh_7.7p1.bb |   2 +-
>  .../{openssl => files}/environment.d-openssl.sh    |   0
>  ...1-Take-linking-flags-from-LDFLAGS-env-var.patch |  43 ---------
>  ...SLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch |  39 --------
>  ...build-with-clang-using-external-assembler.patch |   0
>  .../0001-allow-manpages-to-be-disabled.patch       |   0
>  ...penssl-force-soft-link-to-avoid-rare-race.patch |   0
>  .../Makefiles-ptest.patch                          |   0
>  .../Use-SHA256-not-MD5-as-default-digest.patch     |   0
>  .../configure-musl-target.patch                    |   0
>  .../configure-targets.patch                        |   0
>  .../debian/c_rehash-compat.patch                   |   0
>  .../debian/debian-targets.patch                    |   0
>  .../debian/man-dir.patch                           |   0
>  .../debian/man-section.patch                       |   0
>  .../debian/no-rpath.patch                          |   0
>  .../debian/no-symbolic.patch                       |   0
>  .../{openssl-1.0.2p => openssl10}/debian/pic.patch |   0
>  .../debian1.0.2/block_digicert_malaysia.patch      |   0
>  .../debian1.0.2/block_diginotar.patch              |   0
>  .../debian1.0.2/soname.patch                       |   0
>  .../debian1.0.2/version-script.patch               |   0
>  .../engines-install-in-libdir-ssl.patch            |   0
>  .../{openssl-1.0.2p => openssl10}/oe-ldflags.patch |   0
>  .../openssl-c_rehash.sh                            |   0
>  .../openssl-fix-des.pod-error.patch                |   0
>  .../openssl_fix_for_x32.patch                      |   0
>  .../{openssl-1.0.2p => openssl10}/parallel.patch   |   0
>  .../{openssl-1.0.2p => openssl10}/ptest-deps.patch |   0
>  .../ptest_makefile_deps.patch                      |   0
>  .../reproducible-cflags.patch                      |   0
>  .../reproducible-mkbuildinf.patch                  |   0
>  .../{openssl-1.0.2p => openssl10}/run-ptest        |   0
>  .../shared-libs.patch                              |   0
>  .../{openssl_1.0.2p.bb => openssl10_1.0.2p.bb}     |  31 +++++--
>  .../{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb}   |  23 +++--
>  .../cryptodev/cryptodev-tests_1.9.bb               |   3 +-
>  .../files/0001-Port-tests-to-openssl-1.1.patch     | 103 +++++++++++++++++++++
>  ...tes_20170717.bb => ca-certificates_20180409.bb} |   4 +-
>  43 files changed, 255 insertions(+), 106 deletions(-)
>  create mode 100644 meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
>  create mode 100644 meta/recipes-connectivity/libressl/libressl_2.8.0.bb
>  rename meta/recipes-connectivity/openssl/{openssl => files}/environment.d-openssl.sh (100%)
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-allow-manpages-to-be-disabled.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-openssl-force-soft-link-to-avoid-rare-race.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Makefiles-ptest.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-musl-target.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-targets.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/c_rehash-compat.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/debian-targets.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-dir.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-section.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-rpath.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-symbolic.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/pic.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_digicert_malaysia.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_diginotar.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/soname.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/version-script.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/engines-install-in-libdir-ssl.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/oe-ldflags.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-c_rehash.sh (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-fix-des.pod-error.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl_fix_for_x32.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/parallel.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest-deps.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest_makefile_deps.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-cflags.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-mkbuildinf.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/run-ptest (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/shared-libs.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl_1.0.2p.bb => openssl10_1.0.2p.bb} (91%)
>  rename meta/recipes-connectivity/openssl/{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb} (83%)
>  create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
>  rename meta/recipes-support/ca-certificates/{ca-certificates_20170717.bb => ca-certificates_20180409.bb} (95%)
>
> --
> 2.7.4
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [RFC PATCH 0/6] openssl 1.1.1 update

[Khem Raj]

+OE-devel

On Tue, Aug 28, 2018 at 3:23 AM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> This patch series updates openssl to the soon-to-be released 1.1.1 version
> (latest news is 11 September), sets it as default, and removes dependencies
> on openssl 1.0 entirely from oe-core. openssl 1.0 remains available as openssl10
> recipe.
>
> The following changes since commit a8368651ffed1bd6c4715a37dfe9f40c48ca23c4:
>
>   bitbake: fetcher: Fixed remote removal not throwing exception. (2018-08-28 10:32:08 +0100)
>
> are available in the git repository at:
>
>   git://push.yoctoproject.org/poky-contrib akanavin/openssl-1.1.1
>
> Alexander Kanavin (6):
>   openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the
>     default version

This change is going to require some changes en-mass in meta-openembedded repos

see the failures

http://errors.yoctoproject.org/Errors/Build/67403/

Feel free to send patches to meta-openembedded.

>   cryptodev-tests: port to openssl 1.1
>   openssl: update to 1.1.1
>   libressl: add a recipe to support openssh
>   openssh: depend on libressl
>   ca-certificates: update to 20180409
>
>  meta/conf/distro/include/default-versions.inc      |   3 -
>  meta/conf/distro/include/maintainers.inc           |   2 +
>  ...c-libraries-with-their-library-dependenci.patch |  73 +++++++++++++++
>  .../libressl/libressl_2.8.0.bb                     |  35 +++++++
>  meta/recipes-connectivity/openssh/openssh_7.7p1.bb |   2 +-
>  .../{openssl => files}/environment.d-openssl.sh    |   0
>  ...1-Take-linking-flags-from-LDFLAGS-env-var.patch |  43 ---------
>  ...SLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch |  39 --------
>  ...build-with-clang-using-external-assembler.patch |   0
>  .../0001-allow-manpages-to-be-disabled.patch       |   0
>  ...penssl-force-soft-link-to-avoid-rare-race.patch |   0
>  .../Makefiles-ptest.patch                          |   0
>  .../Use-SHA256-not-MD5-as-default-digest.patch     |   0
>  .../configure-musl-target.patch                    |   0
>  .../configure-targets.patch                        |   0
>  .../debian/c_rehash-compat.patch                   |   0
>  .../debian/debian-targets.patch                    |   0
>  .../debian/man-dir.patch                           |   0
>  .../debian/man-section.patch                       |   0
>  .../debian/no-rpath.patch                          |   0
>  .../debian/no-symbolic.patch                       |   0
>  .../{openssl-1.0.2p => openssl10}/debian/pic.patch |   0
>  .../debian1.0.2/block_digicert_malaysia.patch      |   0
>  .../debian1.0.2/block_diginotar.patch              |   0
>  .../debian1.0.2/soname.patch                       |   0
>  .../debian1.0.2/version-script.patch               |   0
>  .../engines-install-in-libdir-ssl.patch            |   0
>  .../{openssl-1.0.2p => openssl10}/oe-ldflags.patch |   0
>  .../openssl-c_rehash.sh                            |   0
>  .../openssl-fix-des.pod-error.patch                |   0
>  .../openssl_fix_for_x32.patch                      |   0
>  .../{openssl-1.0.2p => openssl10}/parallel.patch   |   0
>  .../{openssl-1.0.2p => openssl10}/ptest-deps.patch |   0
>  .../ptest_makefile_deps.patch                      |   0
>  .../reproducible-cflags.patch                      |   0
>  .../reproducible-mkbuildinf.patch                  |   0
>  .../{openssl-1.0.2p => openssl10}/run-ptest        |   0
>  .../shared-libs.patch                              |   0
>  .../{openssl_1.0.2p.bb => openssl10_1.0.2p.bb}     |  31 +++++--
>  .../{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb}   |  23 +++--
>  .../cryptodev/cryptodev-tests_1.9.bb               |   3 +-
>  .../files/0001-Port-tests-to-openssl-1.1.patch     | 103 +++++++++++++++++++++
>  ...tes_20170717.bb => ca-certificates_20180409.bb} |   4 +-
>  43 files changed, 255 insertions(+), 106 deletions(-)
>  create mode 100644 meta/recipes-connectivity/libressl/libressl/0001-Link-dynamic-libraries-with-their-library-dependenci.patch
>  create mode 100644 meta/recipes-connectivity/libressl/libressl_2.8.0.bb
>  rename meta/recipes-connectivity/openssl/{openssl => files}/environment.d-openssl.sh (100%)
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-allow-manpages-to-be-disabled.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/0001-openssl-force-soft-link-to-avoid-rare-race.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Makefiles-ptest.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-musl-target.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/configure-targets.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/c_rehash-compat.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/debian-targets.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-dir.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/man-section.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-rpath.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/no-symbolic.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian/pic.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_digicert_malaysia.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/block_diginotar.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/soname.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/debian1.0.2/version-script.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/engines-install-in-libdir-ssl.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/oe-ldflags.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-c_rehash.sh (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl-fix-des.pod-error.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/openssl_fix_for_x32.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/parallel.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest-deps.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/ptest_makefile_deps.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-cflags.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/reproducible-mkbuildinf.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/run-ptest (100%)
>  rename meta/recipes-connectivity/openssl/{openssl-1.0.2p => openssl10}/shared-libs.patch (100%)
>  rename meta/recipes-connectivity/openssl/{openssl_1.0.2p.bb => openssl10_1.0.2p.bb} (91%)
>  rename meta/recipes-connectivity/openssl/{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb} (83%)
>  create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
>  rename meta/recipes-support/ca-certificates/{ca-certificates_20170717.bb => ca-certificates_20180409.bb} (95%)
>
> --
> 2.7.4
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [RFC PATCH 3/6] openssl: update to 1.1.1

[Khem Raj]

[-- Attachment #1.1: Type: text/plain, Size: 7684 bytes --]



On 8/28/18 3:23 AM, Alexander Kanavin wrote:
> At the moment 1.1.1 is in pre-release stage, however the final release
> should be available within a few weeks. The major selling point is that
> it supports the new TLS 1.3 specification. It will also be the new long
> term support version. More information:
> 
> https://www.openssl.org/policies/releasestrat.html
> 
> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> ---
>  ...1-Take-linking-flags-from-LDFLAGS-env-var.patch | 43 ----------------------
>  ...SLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch | 39 --------------------
>  .../{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb}   | 23 +++++++-----
>  3 files changed, 14 insertions(+), 91 deletions(-)
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
>  rename meta/recipes-connectivity/openssl/{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb} (83%)
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch b/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
> deleted file mode 100644
> index 6ce4e47..0000000
> --- a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
> +++ /dev/null
> @@ -1,43 +0,0 @@
> -From 08face4353d80111973aba9c1304c92158cfad0e Mon Sep 17 00:00:00 2001
> -From: Alexander Kanavin <alex.kanavin@gmail.com>
> -Date: Tue, 28 Mar 2017 16:40:12 +0300
> -Subject: [PATCH] Take linking flags from LDFLAGS env var
> -
> -This fixes "No GNU_HASH in the elf binary" issues.
> -
> -Upstream-Status: Inappropriate [oe-core specific]
> -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> ----
> - Configurations/unix-Makefile.tmpl | 2 +-
> - Configure                         | 2 +-
> - 2 files changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
> -index c029817..43b769b 100644
> ---- a/Configurations/unix-Makefile.tmpl
> -+++ b/Configurations/unix-Makefile.tmpl
> -@@ -173,7 +173,7 @@ CROSS_COMPILE= {- $config{cross_compile_prefix} -}
> - CC= $(CROSS_COMPILE){- $target{cc} -}
> - CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
> - CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
> --LDFLAGS= {- $target{lflags} -}
> -+LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -}
> - PLIB_LDFLAGS= {- $target{plib_lflags} -}
> - EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -}
> - LIB_CFLAGS={- $target{shared_cflag} || "" -}
> -diff --git a/Configure b/Configure
> -index aee7cc3..274d236 100755
> ---- a/Configure
> -+++ b/Configure
> -@@ -979,7 +979,7 @@ $config{build_file} = $target{build_file};
> - $config{defines} = [];
> - $config{cflags} = "";
> - $config{ex_libs} = "";
> --$config{shared_ldflag} = "";
> -+$config{shared_ldflag} = $ENV{'LDFLAGS'};
> - 
> - # Make sure build_scheme is consistent.
> - $target{build_scheme} = [ $target{build_scheme} ]
> --- 
> -2.11.0
> -
> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch b/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
> deleted file mode 100644
> index 67d06fc..0000000
> --- a/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
> +++ /dev/null
> @@ -1,39 +0,0 @@
> -From 26e98beb8a987cdc69699aaffc5599926fb1b293 Mon Sep 17 00:00:00 2001
> -From: Andre McCurdy <armccurdy@gmail.com>
> -Date: Fri, 17 Aug 2018 20:33:44 -0700
> -Subject: [PATCH] allow OPENSSLDIR and ENGINESDIR CFLAGS to be controlled
> -
> -Upstream-Status: Inappropriate [OE Specific]
> -
> -Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
> ----
> - Configurations/unix-Makefile.tmpl | 6 +++++-
> - 1 file changed, 5 insertions(+), 1 deletion(-)
> -
> -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
> -index 034d93e..2310d12 100644
> ---- a/Configurations/unix-Makefile.tmpl
> -+++ b/Configurations/unix-Makefile.tmpl
> -@@ -156,6 +156,10 @@ LIBDIR={- #
> - ENGINESDIR={- use File::Spec::Functions;
> -               catdir($prefix,$libdir,"engines-$sover") -}
> - 
> -+# Intermediate variables so the values defined via CFLAGS can be controlled.
> -+OE_DOPENSSLDIR=$(OPENSSLDIR)
> -+OE_DENGINESDIR=$(ENGINESDIR)
> -+
> - # Convenience variable for those who want to set the rpath in shared
> - # libraries and applications
> - LIBRPATH=$(INSTALLTOP)/$(LIBDIR)
> -@@ -174,7 +178,7 @@ HTMLSUFFIX=html
> - 
> - CROSS_COMPILE= {- $config{cross_compile_prefix} -}
> - CC= $(CROSS_COMPILE){- $target{cc} -}
> --CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
> -+CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OE_DOPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(OE_DENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
> - CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
> - LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -}
> - PLIB_LDFLAGS= {- $target{plib_lflags} -}
> --- 
> -1.9.1
> -
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
> similarity index 83%
> rename from meta/recipes-connectivity/openssl/openssl_1.1.0i.bb
> rename to meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
> index a03f6ff..1917c33 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.1.0i.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
> @@ -13,26 +13,30 @@ DEPENDS = "hostperl-runtime-native"
>  SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
>             file://run-ptest \
>             file://openssl-c_rehash.sh \
> -           file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
> -           file://0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch \
>             "
>  
>  SRC_URI_append_class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>  
> -SRC_URI[md5sum] = "9495126aafd2659d357ea66a969c3fe1"
> -SRC_URI[sha256sum] = "ebbfc844a8c8cc0ea5dc10b86c9ce97f401837f3fa08c17b2cdadc118253cf99"
> +SRC_URI[md5sum] = "6aa32e976e2c9a4aee858ced135d2573"
> +SRC_URI[sha256sum] = "95ebdfbb05e8451fb01a186ccaa4a7da0eff9a48999ede9fe1a7d90db75ccb4c"
>  
>  inherit lib_package multilib_header ptest
>  
>  #| ./libcrypto.so: undefined reference to `getcontext'
>  #| ./libcrypto.so: undefined reference to `setcontext'
>  #| ./libcrypto.so: undefined reference to `makecontext'
> -EXTRA_OECONF_append_libc-musl = " -DOPENSSL_NO_ASYNC"
> +CPPFLAGS_append_libc-musl = " -DOPENSSL_NO_ASYNC"

This change actually does not work. Correct way to disable async would
be to add -no-async option to configure, something like below works

EXTRA_OECONF_append_libc-musl = " -no-async"

Otherwise we get undefined refs to {get|set}context APIs encoded into
libcrypto.so





[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 201 bytes --]

Re: [RFC PATCH 3/6] openssl: update to 1.1.1

[Andre McCurdy]

On Mon, Sep 3, 2018 at 3:53 PM, Khem Raj <raj.khem@gmail.com> wrote:
> On 8/28/18 3:23 AM, Alexander Kanavin wrote:
>> At the moment 1.1.1 is in pre-release stage, however the final release
>> should be available within a few weeks. The major selling point is that
>> it supports the new TLS 1.3 specification. It will also be the new long
>> term support version. More information:
>>
>> https://www.openssl.org/policies/releasestrat.html
>>
>> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
>> ---
>>  ...1-Take-linking-flags-from-LDFLAGS-env-var.patch | 43 ----------------------
>>  ...SLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch | 39 --------------------
>>  .../{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb}   | 23 +++++++-----
>>  3 files changed, 14 insertions(+), 91 deletions(-)
>>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
>>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
>>  rename meta/recipes-connectivity/openssl/{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb} (83%)
>>
>> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch b/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
>> deleted file mode 100644
>> index 6ce4e47..0000000
>> --- a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
>> +++ /dev/null
>> @@ -1,43 +0,0 @@
>> -From 08face4353d80111973aba9c1304c92158cfad0e Mon Sep 17 00:00:00 2001
>> -From: Alexander Kanavin <alex.kanavin@gmail.com>
>> -Date: Tue, 28 Mar 2017 16:40:12 +0300
>> -Subject: [PATCH] Take linking flags from LDFLAGS env var
>> -
>> -This fixes "No GNU_HASH in the elf binary" issues.
>> -
>> -Upstream-Status: Inappropriate [oe-core specific]
>> -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
>> ----
>> - Configurations/unix-Makefile.tmpl | 2 +-
>> - Configure                         | 2 +-
>> - 2 files changed, 2 insertions(+), 2 deletions(-)
>> -
>> -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
>> -index c029817..43b769b 100644
>> ---- a/Configurations/unix-Makefile.tmpl
>> -+++ b/Configurations/unix-Makefile.tmpl
>> -@@ -173,7 +173,7 @@ CROSS_COMPILE= {- $config{cross_compile_prefix} -}
>> - CC= $(CROSS_COMPILE){- $target{cc} -}
>> - CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
>> - CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
>> --LDFLAGS= {- $target{lflags} -}
>> -+LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -}
>> - PLIB_LDFLAGS= {- $target{plib_lflags} -}
>> - EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -}
>> - LIB_CFLAGS={- $target{shared_cflag} || "" -}
>> -diff --git a/Configure b/Configure
>> -index aee7cc3..274d236 100755
>> ---- a/Configure
>> -+++ b/Configure
>> -@@ -979,7 +979,7 @@ $config{build_file} = $target{build_file};
>> - $config{defines} = [];
>> - $config{cflags} = "";
>> - $config{ex_libs} = "";
>> --$config{shared_ldflag} = "";
>> -+$config{shared_ldflag} = $ENV{'LDFLAGS'};
>> -
>> - # Make sure build_scheme is consistent.
>> - $target{build_scheme} = [ $target{build_scheme} ]
>> ---
>> -2.11.0
>> -
>> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch b/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
>> deleted file mode 100644
>> index 67d06fc..0000000
>> --- a/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
>> +++ /dev/null
>> @@ -1,39 +0,0 @@
>> -From 26e98beb8a987cdc69699aaffc5599926fb1b293 Mon Sep 17 00:00:00 2001
>> -From: Andre McCurdy <armccurdy@gmail.com>
>> -Date: Fri, 17 Aug 2018 20:33:44 -0700
>> -Subject: [PATCH] allow OPENSSLDIR and ENGINESDIR CFLAGS to be controlled
>> -
>> -Upstream-Status: Inappropriate [OE Specific]
>> -
>> -Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
>> ----
>> - Configurations/unix-Makefile.tmpl | 6 +++++-
>> - 1 file changed, 5 insertions(+), 1 deletion(-)
>> -
>> -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
>> -index 034d93e..2310d12 100644
>> ---- a/Configurations/unix-Makefile.tmpl
>> -+++ b/Configurations/unix-Makefile.tmpl
>> -@@ -156,6 +156,10 @@ LIBDIR={- #
>> - ENGINESDIR={- use File::Spec::Functions;
>> -               catdir($prefix,$libdir,"engines-$sover") -}
>> -
>> -+# Intermediate variables so the values defined via CFLAGS can be controlled.
>> -+OE_DOPENSSLDIR=$(OPENSSLDIR)
>> -+OE_DENGINESDIR=$(ENGINESDIR)
>> -+
>> - # Convenience variable for those who want to set the rpath in shared
>> - # libraries and applications
>> - LIBRPATH=$(INSTALLTOP)/$(LIBDIR)
>> -@@ -174,7 +178,7 @@ HTMLSUFFIX=html
>> -
>> - CROSS_COMPILE= {- $config{cross_compile_prefix} -}
>> - CC= $(CROSS_COMPILE){- $target{cc} -}
>> --CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
>> -+CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OE_DOPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(OE_DENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
>> - CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
>> - LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -}
>> - PLIB_LDFLAGS= {- $target{plib_lflags} -}
>> ---
>> -1.9.1
>> -
>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
>> similarity index 83%
>> rename from meta/recipes-connectivity/openssl/openssl_1.1.0i.bb
>> rename to meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
>> index a03f6ff..1917c33 100644
>> --- a/meta/recipes-connectivity/openssl/openssl_1.1.0i.bb
>> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
>> @@ -13,26 +13,30 @@ DEPENDS = "hostperl-runtime-native"
>>  SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
>>             file://run-ptest \
>>             file://openssl-c_rehash.sh \
>> -           file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
>> -           file://0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch \
>>             "
>>
>>  SRC_URI_append_class-nativesdk = " \
>>             file://environment.d-openssl.sh \
>>             "
>>
>> -SRC_URI[md5sum] = "9495126aafd2659d357ea66a969c3fe1"
>> -SRC_URI[sha256sum] = "ebbfc844a8c8cc0ea5dc10b86c9ce97f401837f3fa08c17b2cdadc118253cf99"
>> +SRC_URI[md5sum] = "6aa32e976e2c9a4aee858ced135d2573"
>> +SRC_URI[sha256sum] = "95ebdfbb05e8451fb01a186ccaa4a7da0eff9a48999ede9fe1a7d90db75ccb4c"
>>
>>  inherit lib_package multilib_header ptest
>>
>>  #| ./libcrypto.so: undefined reference to `getcontext'
>>  #| ./libcrypto.so: undefined reference to `setcontext'
>>  #| ./libcrypto.so: undefined reference to `makecontext'
>> -EXTRA_OECONF_append_libc-musl = " -DOPENSSL_NO_ASYNC"
>> +CPPFLAGS_append_libc-musl = " -DOPENSSL_NO_ASYNC"
>
> This change actually does not work. Correct way to disable async would
> be to add -no-async option to configure, something like below works
>
> EXTRA_OECONF_append_libc-musl = " -no-async"

That should be " no-async", ie without the leading "-".

  https://github.com/openssl/openssl/blob/OpenSSL_1_1_0i/INSTALL#L233

> Otherwise we get undefined refs to {get|set}context APIs encoded into
> libcrypto.so
>
>
>
>
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>

Re: [RFC PATCH 3/6] openssl: update to 1.1.1

[Khem Raj]

On Mon, Sep 3, 2018 at 8:17 PM Andre McCurdy <armccurdy@gmail.com> wrote:
>
> On Mon, Sep 3, 2018 at 3:53 PM, Khem Raj <raj.khem@gmail.com> wrote:
> > On 8/28/18 3:23 AM, Alexander Kanavin wrote:
> >> At the moment 1.1.1 is in pre-release stage, however the final release
> >> should be available within a few weeks. The major selling point is that
> >> it supports the new TLS 1.3 specification. It will also be the new long
> >> term support version. More information:
> >>
> >> https://www.openssl.org/policies/releasestrat.html
> >>
> >> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> >> ---
> >>  ...1-Take-linking-flags-from-LDFLAGS-env-var.patch | 43 ----------------------
> >>  ...SLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch | 39 --------------------
> >>  .../{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb}   | 23 +++++++-----
> >>  3 files changed, 14 insertions(+), 91 deletions(-)
> >>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
> >>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
> >>  rename meta/recipes-connectivity/openssl/{openssl_1.1.0i.bb => openssl_1.1.1-pre9.bb} (83%)
> >>
> >> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch b/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
> >> deleted file mode 100644
> >> index 6ce4e47..0000000
> >> --- a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch
> >> +++ /dev/null
> >> @@ -1,43 +0,0 @@
> >> -From 08face4353d80111973aba9c1304c92158cfad0e Mon Sep 17 00:00:00 2001
> >> -From: Alexander Kanavin <alex.kanavin@gmail.com>
> >> -Date: Tue, 28 Mar 2017 16:40:12 +0300
> >> -Subject: [PATCH] Take linking flags from LDFLAGS env var
> >> -
> >> -This fixes "No GNU_HASH in the elf binary" issues.
> >> -
> >> -Upstream-Status: Inappropriate [oe-core specific]
> >> -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> >> ----
> >> - Configurations/unix-Makefile.tmpl | 2 +-
> >> - Configure                         | 2 +-
> >> - 2 files changed, 2 insertions(+), 2 deletions(-)
> >> -
> >> -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
> >> -index c029817..43b769b 100644
> >> ---- a/Configurations/unix-Makefile.tmpl
> >> -+++ b/Configurations/unix-Makefile.tmpl
> >> -@@ -173,7 +173,7 @@ CROSS_COMPILE= {- $config{cross_compile_prefix} -}
> >> - CC= $(CROSS_COMPILE){- $target{cc} -}
> >> - CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
> >> - CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
> >> --LDFLAGS= {- $target{lflags} -}
> >> -+LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -}
> >> - PLIB_LDFLAGS= {- $target{plib_lflags} -}
> >> - EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -}
> >> - LIB_CFLAGS={- $target{shared_cflag} || "" -}
> >> -diff --git a/Configure b/Configure
> >> -index aee7cc3..274d236 100755
> >> ---- a/Configure
> >> -+++ b/Configure
> >> -@@ -979,7 +979,7 @@ $config{build_file} = $target{build_file};
> >> - $config{defines} = [];
> >> - $config{cflags} = "";
> >> - $config{ex_libs} = "";
> >> --$config{shared_ldflag} = "";
> >> -+$config{shared_ldflag} = $ENV{'LDFLAGS'};
> >> -
> >> - # Make sure build_scheme is consistent.
> >> - $target{build_scheme} = [ $target{build_scheme} ]
> >> ---
> >> -2.11.0
> >> -
> >> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch b/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
> >> deleted file mode 100644
> >> index 67d06fc..0000000
> >> --- a/meta/recipes-connectivity/openssl/openssl/0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch
> >> +++ /dev/null
> >> @@ -1,39 +0,0 @@
> >> -From 26e98beb8a987cdc69699aaffc5599926fb1b293 Mon Sep 17 00:00:00 2001
> >> -From: Andre McCurdy <armccurdy@gmail.com>
> >> -Date: Fri, 17 Aug 2018 20:33:44 -0700
> >> -Subject: [PATCH] allow OPENSSLDIR and ENGINESDIR CFLAGS to be controlled
> >> -
> >> -Upstream-Status: Inappropriate [OE Specific]
> >> -
> >> -Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
> >> ----
> >> - Configurations/unix-Makefile.tmpl | 6 +++++-
> >> - 1 file changed, 5 insertions(+), 1 deletion(-)
> >> -
> >> -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
> >> -index 034d93e..2310d12 100644
> >> ---- a/Configurations/unix-Makefile.tmpl
> >> -+++ b/Configurations/unix-Makefile.tmpl
> >> -@@ -156,6 +156,10 @@ LIBDIR={- #
> >> - ENGINESDIR={- use File::Spec::Functions;
> >> -               catdir($prefix,$libdir,"engines-$sover") -}
> >> -
> >> -+# Intermediate variables so the values defined via CFLAGS can be controlled.
> >> -+OE_DOPENSSLDIR=$(OPENSSLDIR)
> >> -+OE_DENGINESDIR=$(ENGINESDIR)
> >> -+
> >> - # Convenience variable for those who want to set the rpath in shared
> >> - # libraries and applications
> >> - LIBRPATH=$(INSTALLTOP)/$(LIBDIR)
> >> -@@ -174,7 +178,7 @@ HTMLSUFFIX=html
> >> -
> >> - CROSS_COMPILE= {- $config{cross_compile_prefix} -}
> >> - CC= $(CROSS_COMPILE){- $target{cc} -}
> >> --CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
> >> -+CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OE_DOPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(OE_DENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
> >> - CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
> >> - LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -}
> >> - PLIB_LDFLAGS= {- $target{plib_lflags} -}
> >> ---
> >> -1.9.1
> >> -
> >> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
> >> similarity index 83%
> >> rename from meta/recipes-connectivity/openssl/openssl_1.1.0i.bb
> >> rename to meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
> >> index a03f6ff..1917c33 100644
> >> --- a/meta/recipes-connectivity/openssl/openssl_1.1.0i.bb
> >> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1-pre9.bb
> >> @@ -13,26 +13,30 @@ DEPENDS = "hostperl-runtime-native"
> >>  SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
> >>             file://run-ptest \
> >>             file://openssl-c_rehash.sh \
> >> -           file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
> >> -           file://0001-allow-OPENSSLDIR-and-ENGINESDIR-CFLAGS-to-be-control.patch \
> >>             "
> >>
> >>  SRC_URI_append_class-nativesdk = " \
> >>             file://environment.d-openssl.sh \
> >>             "
> >>
> >> -SRC_URI[md5sum] = "9495126aafd2659d357ea66a969c3fe1"
> >> -SRC_URI[sha256sum] = "ebbfc844a8c8cc0ea5dc10b86c9ce97f401837f3fa08c17b2cdadc118253cf99"
> >> +SRC_URI[md5sum] = "6aa32e976e2c9a4aee858ced135d2573"
> >> +SRC_URI[sha256sum] = "95ebdfbb05e8451fb01a186ccaa4a7da0eff9a48999ede9fe1a7d90db75ccb4c"
> >>
> >>  inherit lib_package multilib_header ptest
> >>
> >>  #| ./libcrypto.so: undefined reference to `getcontext'
> >>  #| ./libcrypto.so: undefined reference to `setcontext'
> >>  #| ./libcrypto.so: undefined reference to `makecontext'
> >> -EXTRA_OECONF_append_libc-musl = " -DOPENSSL_NO_ASYNC"
> >> +CPPFLAGS_append_libc-musl = " -DOPENSSL_NO_ASYNC"
> >
> > This change actually does not work. Correct way to disable async would
> > be to add -no-async option to configure, something like below works
> >
> > EXTRA_OECONF_append_libc-musl = " -no-async"
>
> That should be " no-async", ie without the leading "-".

it does not matter, it ignores it, but for better readability I agree
its better to use as documented

>
>   https://github.com/openssl/openssl/blob/OpenSSL_1_1_0i/INSTALL#L233
>
> > Otherwise we get undefined refs to {get|set}context APIs encoded into
> > libcrypto.so
> >
> >
> >
> >
> >
> > --
> > _______________________________________________
> > Openembedded-core mailing list
> > Openembedded-core@lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-core
> >

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 1056 bytes --]

On Tue, Aug 28, 2018 at 12:23 PM Alexander Kanavin <alex.kanavin@gmail.com>
wrote:

> From: Alexander Kanavin <alexander.kanavin@linux.intel.com>
>
> I believe the time has come to do this: openssl 1.0 upstream support stops
> at the end
> of 2019, and we do not want a situation where a supported YP release
> contains an
> unsupported version of a critical security component.
>
> Openssl 1.0 can still be utilized by depending on 'openssl10' recipe.
>

This still isn't true for most recipes, as long as there is something
depending on openssl in the dependency tree, it will
cause do_prepare_recipe_sysroot failures like last time

ERROR: The file /usr/lib/libssl.so is installed by both openssl10 and
openssl, aborting
DEBUG: Python function extend_recipe_sysroot finished
DEBUG: Python function do_prepare_recipe_sysroot finished
ERROR: Function failed: extend_recipe_sysroot

From 15 failures caused by openssl-1.1 detected in my builds, just changing
DEPENDS from openssl to openssl10 didn't help in any case.

Regards,

[-- Attachment #2: Type: text/html, Size: 1566 bytes --]

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Richard Purdie]

On Tue, 2018-09-04 at 21:12 +0200, Martin Jansa wrote:
> On Tue, Aug 28, 2018 at 12:23 PM Alexander Kanavin <alex.kanavin@gmai
> l.com> wrote:
> > From: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> > 
> > I believe the time has come to do this: openssl 1.0 upstream
> > support stops at the end
> > of 2019, and we do not want a situation where a supported YP
> > release contains an
> > unsupported version of a critical security component.
> > 
> > Openssl 1.0 can still be utilized by depending on 'openssl10'
> > recipe.
> 
> This still isn't true for most recipes, as long as there is something
> depending on openssl in the dependency tree, it will
> cause do_prepare_recipe_sysroot failures like last time
> 
> ERROR: The file /usr/lib/libssl.so is installed by both openssl10 and
> openssl, aborting
> DEBUG: Python function extend_recipe_sysroot finished
> DEBUG: Python function do_prepare_recipe_sysroot finished
> ERROR: Function failed: extend_recipe_sysroot
> 
> From 15 failures caused by openssl-1.1 detected in my builds, just
> changing DEPENDS from openssl to openssl10 didn't help in any case.

That isn't good news. Do you have an idea of which components are in
the dependency chains and if any of them are common? It'd also be
useful to understand which ones are breaking...

Cheers,

Richard

Re: [RFC PATCH 2/6] cryptodev-tests: port to openssl 1.1

[Andre McCurdy]

On Tue, Aug 28, 2018 at 3:23 AM, Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
> From: Alexander Kanavin <alexander.kanavin@linux.intel.com>
>
> This leaves openssh as the only recipe that requires openssl 1.0 (or libressl).
>
> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> ---
>  .../cryptodev/cryptodev-tests_1.9.bb               |   3 +-
>  .../files/0001-Port-tests-to-openssl-1.1.patch     | 103 +++++++++++++++++++++
>  2 files changed, 105 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
>
> diff --git a/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb b/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
> index 9afb3de..617db6c 100644
> --- a/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
> +++ b/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
> @@ -2,10 +2,11 @@ require cryptodev.inc
>
>  SUMMARY = "A test suite for /dev/crypto device driver"
>
> -DEPENDS += "openssl10"
> +DEPENDS += "openssl"
>
>  SRC_URI += " \
>  file://0001-Add-the-compile-and-install-rules-for-cryptodev-test.patch \
> +file://0001-Port-tests-to-openssl-1.1.patch \
>  "
>
>  EXTRA_OEMAKE='KERNEL_DIR="${STAGING_EXECPREFIXDIR}" PREFIX="${D}"'
> diff --git a/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch b/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
> new file mode 100644
> index 0000000..c969126
> --- /dev/null
> +++ b/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
> @@ -0,0 +1,103 @@
> +From 2fe4bdeb8cdd0b0f46d9caed807812855d51ea56 Mon Sep 17 00:00:00 2001
> +From: Alexander Kanavin <alex.kanavin@gmail.com>
> +Date: Wed, 28 Mar 2018 20:11:05 +0300
> +Subject: [PATCH] Port tests to openssl 1.1
> +
> +Upstream-Status: Accepted [https://github.com/cryptodev-linux/cryptodev-linux/pull/36]
> +Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> +
> +---
> + tests/openssl_wrapper.c | 33 +++++++++++++++++++++++++++++++++
> + 1 file changed, 33 insertions(+)
> +
> +diff --git a/tests/openssl_wrapper.c b/tests/openssl_wrapper.c
> +index 038c58f..dea2496 100644
> +--- a/tests/openssl_wrapper.c
> ++++ b/tests/openssl_wrapper.c
> +@@ -4,6 +4,7 @@
> + #include <openssl/aes.h>
> + #include <openssl/evp.h>
> + #include <openssl/hmac.h>
> ++#include <openssl/opensslv.h>
> +
> + //#define DEBUG
> +
> +@@ -23,10 +24,17 @@ enum ctx_type {
> +       ctx_type_md,
> + };
> +
> ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> ++union openssl_ctx {
> ++      HMAC_CTX *hmac;
> ++      EVP_MD_CTX *md;
> ++};
> ++#else
> + union openssl_ctx {
> +       HMAC_CTX hmac;
> +       EVP_MD_CTX md;
> + };
> ++#endif
> +
> + struct ctx_mapping {
> +       __u32 ses;
> +@@ -63,6 +71,16 @@ static void remove_mapping(__u32 ses)
> +       switch (mapping->type) {
> +       case ctx_type_none:
> +               break;
> ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> ++      case ctx_type_hmac:
> ++              dbgp("%s: calling HMAC_CTX_free\n", __func__);
> ++              HMAC_CTX_free(mapping->ctx.hmac);
> ++              break;
> ++      case ctx_type_md:
> ++              dbgp("%s: calling EVP_MD_CTX_free\n", __func__);
> ++              EVP_MD_CTX_free(mapping->ctx.md);
> ++              break;
> ++#else
> +       case ctx_type_hmac:
> +               dbgp("%s: calling HMAC_CTX_cleanup\n", __func__);
> +               HMAC_CTX_cleanup(&mapping->ctx.hmac);
> +@@ -71,6 +89,7 @@ static void remove_mapping(__u32 ses)
> +               dbgp("%s: calling EVP_MD_CTX_cleanup\n", __func__);
> +               EVP_MD_CTX_cleanup(&mapping->ctx.md);
> +               break;
> ++#endif
> +       }
> +       memset(mapping, 0, sizeof(*mapping));
> + }
> +@@ -127,10 +146,17 @@ static int openssl_hmac(struct session_op *sess, struct crypt_op *cop)
> +
> +               mapping->ses = sess->ses;
> +               mapping->type = ctx_type_hmac;
> ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> ++              ctx = mapping->ctx.hmac;

Assigning the (uninitialised?) value of mapping->ctx.hmac to ctx here
looks redundant?

> ++
> ++              dbgp("calling HMAC_CTX_new");
> ++              ctx = HMAC_CTX_new();
> ++#else
> +               ctx = &mapping->ctx.hmac;
> +
> +               dbgp("calling HMAC_CTX_init");
> +               HMAC_CTX_init(ctx);
> ++#endif
> +               dbgp("calling HMAC_Init_ex");
> +               if (!HMAC_Init_ex(ctx, sess->mackey, sess->mackeylen,
> +                               sess_to_evp_md(sess), NULL)) {
> +@@ -172,10 +198,17 @@ static int openssl_md(struct session_op *sess, struct crypt_op *cop)
> +
> +               mapping->ses = sess->ses;
> +               mapping->type = ctx_type_md;
> ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> ++              ctx = mapping->ctx.md;

And same comment here.

> ++
> ++              dbgp("calling EVP_MD_CTX_new");
> ++              ctx = EVP_MD_CTX_new();
> ++#else
> +               ctx = &mapping->ctx.md;
> +
> +               dbgp("calling EVP_MD_CTX_init");
> +               EVP_MD_CTX_init(ctx);
> ++#endif
> +               dbgp("calling EVP_DigestInit");
> +               EVP_DigestInit(ctx, sess_to_evp_md(sess));
> +       }
> --
> 2.7.4
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Khem Raj]

On Tue, Sep 4, 2018 at 1:35 PM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Tue, 2018-09-04 at 21:12 +0200, Martin Jansa wrote:
> > On Tue, Aug 28, 2018 at 12:23 PM Alexander Kanavin <alex.kanavin@gmai
> > l.com> wrote:
> > > From: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> > >
> > > I believe the time has come to do this: openssl 1.0 upstream
> > > support stops at the end
> > > of 2019, and we do not want a situation where a supported YP
> > > release contains an
> > > unsupported version of a critical security component.
> > >
> > > Openssl 1.0 can still be utilized by depending on 'openssl10'
> > > recipe.
> >
> > This still isn't true for most recipes, as long as there is something
> > depending on openssl in the dependency tree, it will
> > cause do_prepare_recipe_sysroot failures like last time
> >
> > ERROR: The file /usr/lib/libssl.so is installed by both openssl10 and
> > openssl, aborting
> > DEBUG: Python function extend_recipe_sysroot finished
> > DEBUG: Python function do_prepare_recipe_sysroot finished
> > ERROR: Function failed: extend_recipe_sysroot
> >
> > From 15 failures caused by openssl-1.1 detected in my builds, just
> > changing DEPENDS from openssl to openssl10 didn't help in any case.
>
> That isn't good news. Do you have an idea of which components are in
> the dependency chains and if any of them are common? It'd also be
> useful to understand which ones are breaking...
>

I pointed this earlier before merge as well
meta-openembedded has 40 odd recipes failing due to openssl 1.1 upgrade

http://errors.yoctoproject.org/Errors/Build/67457/?page=2&limit=50

so obvious fix was to keep them pinned to openssl10 and i created
couple of fixes
to start

https://patchwork.openembedded.org/patch/154517/
https://patchwork.openembedded.org/patch/154516/

and the effects are showing up where sysroot task now starts to fail
for dependent
recipes here

http://errors.yoctoproject.org/Errors/Details/190427/
http://errors.yoctoproject.org/Errors/Details/190433/

in meta-oe certain recipes can be upgraded and we can get openssl 1.1 support
but others like the two examples I cited above do not have openSSL 1.1 port.
so I think we can not live without openSSL 1.0 and OpenSSL 2.0 being able to
co-exist.

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[richard.purdie]

On Tue, 2018-09-04 at 13:43 -0700, Khem Raj wrote:
> I pointed this earlier before merge as well
> meta-openembedded has 40 odd recipes failing due to openssl 1.1
> upgrade

Sorry, I think I missed something somewhere as I thought the
indications were the bigger problems like qt5 were working now :/.

> http://errors.yoctoproject.org/Errors/Build/67457/?page=2&limit=50
> 
> so obvious fix was to keep them pinned to openssl10 and i created
> couple of fixes
> to start
> 
> https://patchwork.openembedded.org/patch/154517/
> https://patchwork.openembedded.org/patch/154516/
> 
> and the effects are showing up where sysroot task now starts to fail
> for dependent
> recipes here
> 
> http://errors.yoctoproject.org/Errors/Details/190427/
> http://errors.yoctoproject.org/Errors/Details/190433/
> 
> in meta-oe certain recipes can be upgraded and we can get openssl 1.1
> support
> but others like the two examples I cited above do not have openSSL
> 1.1 port.
> so I think we can not live without openSSL 1.0 and OpenSSL 2.0 being
> able to
> co-exist.

The latter link is php 7.2 which should have openssl 1.1 support
(https://bugs.php.net/bug.php?id=72360).

For the former, libgdata doesn't have an openssl depends so I guessed
at liboauth pulling it in which does have an openssl 1.1 patch at: 
https://github.com/x42/liboauth/issues/9

Cheers,

Richard

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Khem Raj]

On Tue, Sep 4, 2018 at 3:58 PM <richard.purdie@linuxfoundation.org> wrote:
>
> On Tue, 2018-09-04 at 13:43 -0700, Khem Raj wrote:
> > I pointed this earlier before merge as well
> > meta-openembedded has 40 odd recipes failing due to openssl 1.1
> > upgrade
>
> Sorry, I think I missed something somewhere as I thought the
> indications were the bigger problems like qt5 were working now :/.
>
> > http://errors.yoctoproject.org/Errors/Build/67457/?page=2&limit=50
> >
> > so obvious fix was to keep them pinned to openssl10 and i created
> > couple of fixes
> > to start
> >
> > https://patchwork.openembedded.org/patch/154517/
> > https://patchwork.openembedded.org/patch/154516/
> >
> > and the effects are showing up where sysroot task now starts to fail
> > for dependent
> > recipes here
> >
> > http://errors.yoctoproject.org/Errors/Details/190427/
> > http://errors.yoctoproject.org/Errors/Details/190433/
> >
> > in meta-oe certain recipes can be upgraded and we can get openssl 1.1
> > support
> > but others like the two examples I cited above do not have openSSL
> > 1.1 port.
> > so I think we can not live without openSSL 1.0 and OpenSSL 2.0 being
> > able to
> > co-exist.
>
> The latter link is php 7.2 which should have openssl 1.1 support
> (https://bugs.php.net/bug.php?id=72360).
>
> For the former, libgdata doesn't have an openssl depends so I guessed
> at liboauth pulling it in which does have an openssl 1.1 patch at:
> https://github.com/x42/liboauth/issues/9
>

Thanks for pointers and they do help. However IMO the problem that
Martin decribed
is going to be a real blocker. Unless we can provide a solution to let
both openssl versions
coexist, this change is going to be problematic since we maintain
several old recipes which
would have to be fixed for openssl 1.1 and this can take time, right
now we are only seeing
meta-openembedded layers, we don't even know all other layers which
might get into similar
issues.

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Andre McCurdy]

On Tue, Sep 4, 2018 at 6:49 PM, Khem Raj <raj.khem@gmail.com> wrote:
> On Tue, Sep 4, 2018 at 3:58 PM <richard.purdie@linuxfoundation.org> wrote:
>>
>> On Tue, 2018-09-04 at 13:43 -0700, Khem Raj wrote:
>> > I pointed this earlier before merge as well
>> > meta-openembedded has 40 odd recipes failing due to openssl 1.1
>> > upgrade
>>
>> Sorry, I think I missed something somewhere as I thought the
>> indications were the bigger problems like qt5 were working now :/.
>>
>> > http://errors.yoctoproject.org/Errors/Build/67457/?page=2&limit=50
>> >
>> > so obvious fix was to keep them pinned to openssl10 and i created
>> > couple of fixes
>> > to start
>> >
>> > https://patchwork.openembedded.org/patch/154517/
>> > https://patchwork.openembedded.org/patch/154516/
>> >
>> > and the effects are showing up where sysroot task now starts to fail
>> > for dependent
>> > recipes here
>> >
>> > http://errors.yoctoproject.org/Errors/Details/190427/
>> > http://errors.yoctoproject.org/Errors/Details/190433/
>> >
>> > in meta-oe certain recipes can be upgraded and we can get openssl 1.1
>> > support
>> > but others like the two examples I cited above do not have openSSL
>> > 1.1 port.
>> > so I think we can not live without openSSL 1.0 and OpenSSL 2.0 being
>> > able to
>> > co-exist.
>>
>> The latter link is php 7.2 which should have openssl 1.1 support
>> (https://bugs.php.net/bug.php?id=72360).
>>
>> For the former, libgdata doesn't have an openssl depends so I guessed
>> at liboauth pulling it in which does have an openssl 1.1 patch at:
>> https://github.com/x42/liboauth/issues/9
>>
>
> Thanks for pointers and they do help. However IMO the problem that
> Martin decribed
> is going to be a real blocker. Unless we can provide a solution to let
> both openssl versions
> coexist, this change is going to be problematic since we maintain
> several old recipes which
> would have to be fixed for openssl 1.1 and this can take time, right
> now we are only seeing
> meta-openembedded layers, we don't even know all other layers which
> might get into similar
> issues.

To be clear, the issue is ( foo depends on openssl 1.1 and bar ) and (
bar depends on openssl 1.0 ), right?

Anyway, just for reference, it looks like Debian is packaging both
openssl 1.0 and 1.1:

  https://packages.debian.org/source/sid/openssl1.0
  https://packages.debian.org/source/sid/openssl

In the case of liboauth, they avoid to need to patch by configuring
liboauth to build with nss instead of openssl.

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Khem Raj]

On Tue, Sep 4, 2018 at 9:08 PM Andre McCurdy <armccurdy@gmail.com> wrote:
>
> On Tue, Sep 4, 2018 at 6:49 PM, Khem Raj <raj.khem@gmail.com> wrote:
> > On Tue, Sep 4, 2018 at 3:58 PM <richard.purdie@linuxfoundation.org> wrote:
> >>
> >> On Tue, 2018-09-04 at 13:43 -0700, Khem Raj wrote:
> >> > I pointed this earlier before merge as well
> >> > meta-openembedded has 40 odd recipes failing due to openssl 1.1
> >> > upgrade
> >>
> >> Sorry, I think I missed something somewhere as I thought the
> >> indications were the bigger problems like qt5 were working now :/.
> >>
> >> > http://errors.yoctoproject.org/Errors/Build/67457/?page=2&limit=50
> >> >
> >> > so obvious fix was to keep them pinned to openssl10 and i created
> >> > couple of fixes
> >> > to start
> >> >
> >> > https://patchwork.openembedded.org/patch/154517/
> >> > https://patchwork.openembedded.org/patch/154516/
> >> >
> >> > and the effects are showing up where sysroot task now starts to fail
> >> > for dependent
> >> > recipes here
> >> >
> >> > http://errors.yoctoproject.org/Errors/Details/190427/
> >> > http://errors.yoctoproject.org/Errors/Details/190433/
> >> >
> >> > in meta-oe certain recipes can be upgraded and we can get openssl 1.1
> >> > support
> >> > but others like the two examples I cited above do not have openSSL
> >> > 1.1 port.
> >> > so I think we can not live without openSSL 1.0 and OpenSSL 2.0 being
> >> > able to
> >> > co-exist.
> >>
> >> The latter link is php 7.2 which should have openssl 1.1 support
> >> (https://bugs.php.net/bug.php?id=72360).
> >>
> >> For the former, libgdata doesn't have an openssl depends so I guessed
> >> at liboauth pulling it in which does have an openssl 1.1 patch at:
> >> https://github.com/x42/liboauth/issues/9
> >>
> >
> > Thanks for pointers and they do help. However IMO the problem that
> > Martin decribed
> > is going to be a real blocker. Unless we can provide a solution to let
> > both openssl versions
> > coexist, this change is going to be problematic since we maintain
> > several old recipes which
> > would have to be fixed for openssl 1.1 and this can take time, right
> > now we are only seeing
> > meta-openembedded layers, we don't even know all other layers which
> > might get into similar
> > issues.
>
> To be clear, the issue is ( foo depends on openssl 1.1 and bar ) and (
> bar depends on openssl 1.0 ), right?

yes.

>
> Anyway, just for reference, it looks like Debian is packaging both
> openssl 1.0 and 1.1:
>
>   https://packages.debian.org/source/sid/openssl1.0
>   https://packages.debian.org/source/sid/openssl
>
> In the case of liboauth, they avoid to need to patch by configuring
> liboauth to build with nss instead of openssl.

this is already taken care see
http://git.openembedded.org/meta-openembedded-contrib/commit/?h=kraj/master&id=b1f87edc4202d6238c469dde358819c534b35751

but thats just one case.

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Alexander Kanavin]

I am also disappointed to see that openssl10 does not help much,
however, I do not believe we should wait another year, and hope the
problem would take care of itself - this clearly did not happen over
the past year. Let's just look at failing recipes one by one and
investigate what needs to be done for them. I've done this for
everything in oe-core, and so it does not need openssl10 anymore
(except one issue with openssh on arm64). It might be that much of the
failing stuff is simply out of date.

Making 1.0 and 1.0 coexist in a sysroot means one of them has to be
renamed into, say, libssl10.so, and everything that is using it
patched accordingly. Not really possible. Yes, upstream has botched
this transition badly. If you have better ideas, let me know please.

Alex

2018-09-05 6:54 GMT+02:00 Khem Raj <raj.khem@gmail.com>:
> On Tue, Sep 4, 2018 at 9:08 PM Andre McCurdy <armccurdy@gmail.com> wrote:
>>
>> On Tue, Sep 4, 2018 at 6:49 PM, Khem Raj <raj.khem@gmail.com> wrote:
>> > On Tue, Sep 4, 2018 at 3:58 PM <richard.purdie@linuxfoundation.org> wrote:
>> >>
>> >> On Tue, 2018-09-04 at 13:43 -0700, Khem Raj wrote:
>> >> > I pointed this earlier before merge as well
>> >> > meta-openembedded has 40 odd recipes failing due to openssl 1.1
>> >> > upgrade
>> >>
>> >> Sorry, I think I missed something somewhere as I thought the
>> >> indications were the bigger problems like qt5 were working now :/.
>> >>
>> >> > http://errors.yoctoproject.org/Errors/Build/67457/?page=2&limit=50
>> >> >
>> >> > so obvious fix was to keep them pinned to openssl10 and i created
>> >> > couple of fixes
>> >> > to start
>> >> >
>> >> > https://patchwork.openembedded.org/patch/154517/
>> >> > https://patchwork.openembedded.org/patch/154516/
>> >> >
>> >> > and the effects are showing up where sysroot task now starts to fail
>> >> > for dependent
>> >> > recipes here
>> >> >
>> >> > http://errors.yoctoproject.org/Errors/Details/190427/
>> >> > http://errors.yoctoproject.org/Errors/Details/190433/
>> >> >
>> >> > in meta-oe certain recipes can be upgraded and we can get openssl 1.1
>> >> > support
>> >> > but others like the two examples I cited above do not have openSSL
>> >> > 1.1 port.
>> >> > so I think we can not live without openSSL 1.0 and OpenSSL 2.0 being
>> >> > able to
>> >> > co-exist.
>> >>
>> >> The latter link is php 7.2 which should have openssl 1.1 support
>> >> (https://bugs.php.net/bug.php?id=72360).
>> >>
>> >> For the former, libgdata doesn't have an openssl depends so I guessed
>> >> at liboauth pulling it in which does have an openssl 1.1 patch at:
>> >> https://github.com/x42/liboauth/issues/9
>> >>
>> >
>> > Thanks for pointers and they do help. However IMO the problem that
>> > Martin decribed
>> > is going to be a real blocker. Unless we can provide a solution to let
>> > both openssl versions
>> > coexist, this change is going to be problematic since we maintain
>> > several old recipes which
>> > would have to be fixed for openssl 1.1 and this can take time, right
>> > now we are only seeing
>> > meta-openembedded layers, we don't even know all other layers which
>> > might get into similar
>> > issues.
>>
>> To be clear, the issue is ( foo depends on openssl 1.1 and bar ) and (
>> bar depends on openssl 1.0 ), right?
>
> yes.
>
>>
>> Anyway, just for reference, it looks like Debian is packaging both
>> openssl 1.0 and 1.1:
>>
>>   https://packages.debian.org/source/sid/openssl1.0
>>   https://packages.debian.org/source/sid/openssl
>>
>> In the case of liboauth, they avoid to need to patch by configuring
>> liboauth to build with nss instead of openssl.
>
> this is already taken care see
> http://git.openembedded.org/meta-openembedded-contrib/commit/?h=kraj/master&id=b1f87edc4202d6238c469dde358819c534b35751
>
> but thats just one case.
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 5680 bytes --]

On Wed, Sep 05, 2018 at 09:14:21AM +0200, Alexander Kanavin wrote:
> I am also disappointed to see that openssl10 does not help much,
> however, I do not believe we should wait another year, and hope the
> problem would take care of itself - this clearly did not happen over
> the past year. Let's just look at failing recipes one by one and
> investigate what needs to be done for them. I've done this for
> everything in oe-core, and so it does not need openssl10 anymore
> (except one issue with openssh on arm64). It might be that much of the
> failing stuff is simply out of date.

Here is the thread from last year with a bit more details:
https://www.mail-archive.com/openembedded-core@lists.openembedded.org/msg100353.html

oe-core is just very small core, fixing it there doesn't prove anything

> Making 1.0 and 1.0 coexist in a sysroot means one of them has to be
> renamed into, say, libssl10.so, and everything that is using it
> patched accordingly. Not really possible. Yes, upstream has botched
> this transition badly. If you have better ideas, let me know please.

But patching the components to use libssl10 might actually work (unlike
just changing DEPENDS to openssl10).

It's not only conflicting in build-time in RSS, but it will conflict on
target as well. You either need to migrate all components included in
image to 1.1 or all stay on 1.0.

The 15 failures I've mentioned before were all in our internal
components (e.g. whole nodejs-* world is botched if you use openssl10 in
nodejs DEPENDS).

In a bit smaller world builds than what Khem is now testing I'm seeing
also around 40 recipes failing (and nobody knows how many are "hidding"
behind them).

I'm not against openssl-1.1 upgrade when it's ready, but saying in
commit message that incompatibilities are easily solved by using
openssl10 in DEPENDS just isn't true as proven a year ago and it still
isn't.

Regards,

> 2018-09-05 6:54 GMT+02:00 Khem Raj <raj.khem@gmail.com>:
> > On Tue, Sep 4, 2018 at 9:08 PM Andre McCurdy <armccurdy@gmail.com> wrote:
> >>
> >> On Tue, Sep 4, 2018 at 6:49 PM, Khem Raj <raj.khem@gmail.com> wrote:
> >> > On Tue, Sep 4, 2018 at 3:58 PM <richard.purdie@linuxfoundation.org> wrote:
> >> >>
> >> >> On Tue, 2018-09-04 at 13:43 -0700, Khem Raj wrote:
> >> >> > I pointed this earlier before merge as well
> >> >> > meta-openembedded has 40 odd recipes failing due to openssl 1.1
> >> >> > upgrade
> >> >>
> >> >> Sorry, I think I missed something somewhere as I thought the
> >> >> indications were the bigger problems like qt5 were working now :/.
> >> >>
> >> >> > http://errors.yoctoproject.org/Errors/Build/67457/?page=2&limit=50
> >> >> >
> >> >> > so obvious fix was to keep them pinned to openssl10 and i created
> >> >> > couple of fixes
> >> >> > to start
> >> >> >
> >> >> > https://patchwork.openembedded.org/patch/154517/
> >> >> > https://patchwork.openembedded.org/patch/154516/
> >> >> >
> >> >> > and the effects are showing up where sysroot task now starts to fail
> >> >> > for dependent
> >> >> > recipes here
> >> >> >
> >> >> > http://errors.yoctoproject.org/Errors/Details/190427/
> >> >> > http://errors.yoctoproject.org/Errors/Details/190433/
> >> >> >
> >> >> > in meta-oe certain recipes can be upgraded and we can get openssl 1.1
> >> >> > support
> >> >> > but others like the two examples I cited above do not have openSSL
> >> >> > 1.1 port.
> >> >> > so I think we can not live without openSSL 1.0 and OpenSSL 2.0 being
> >> >> > able to
> >> >> > co-exist.
> >> >>
> >> >> The latter link is php 7.2 which should have openssl 1.1 support
> >> >> (https://bugs.php.net/bug.php?id=72360).
> >> >>
> >> >> For the former, libgdata doesn't have an openssl depends so I guessed
> >> >> at liboauth pulling it in which does have an openssl 1.1 patch at:
> >> >> https://github.com/x42/liboauth/issues/9
> >> >>
> >> >
> >> > Thanks for pointers and they do help. However IMO the problem that
> >> > Martin decribed
> >> > is going to be a real blocker. Unless we can provide a solution to let
> >> > both openssl versions
> >> > coexist, this change is going to be problematic since we maintain
> >> > several old recipes which
> >> > would have to be fixed for openssl 1.1 and this can take time, right
> >> > now we are only seeing
> >> > meta-openembedded layers, we don't even know all other layers which
> >> > might get into similar
> >> > issues.
> >>
> >> To be clear, the issue is ( foo depends on openssl 1.1 and bar ) and (
> >> bar depends on openssl 1.0 ), right?
> >
> > yes.
> >
> >>
> >> Anyway, just for reference, it looks like Debian is packaging both
> >> openssl 1.0 and 1.1:
> >>
> >>   https://packages.debian.org/source/sid/openssl1.0
> >>   https://packages.debian.org/source/sid/openssl
> >>
> >> In the case of liboauth, they avoid to need to patch by configuring
> >> liboauth to build with nss instead of openssl.
> >
> > this is already taken care see
> > http://git.openembedded.org/meta-openembedded-contrib/commit/?h=kraj/master&id=b1f87edc4202d6238c469dde358819c534b35751
> >
> > but thats just one case.
> > --
> > _______________________________________________
> > Openembedded-core mailing list
> > Openembedded-core@lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-core
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 201 bytes --]

Re: [RFC PATCH 2/6] cryptodev-tests: port to openssl 1.1

[Alexander Kanavin]

Note that the upstream accepted the patch as it is (frankly I don't
remember how the line appeared there), so you should probably send a
fix directly to them :)

Alex

2018-09-04 22:38 GMT+02:00 Andre McCurdy <armccurdy@gmail.com>:
> On Tue, Aug 28, 2018 at 3:23 AM, Alexander Kanavin
> <alex.kanavin@gmail.com> wrote:
>> From: Alexander Kanavin <alexander.kanavin@linux.intel.com>
>>
>> This leaves openssh as the only recipe that requires openssl 1.0 (or libressl).
>>
>> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
>> ---
>>  .../cryptodev/cryptodev-tests_1.9.bb               |   3 +-
>>  .../files/0001-Port-tests-to-openssl-1.1.patch     | 103 +++++++++++++++++++++
>>  2 files changed, 105 insertions(+), 1 deletion(-)
>>  create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
>>
>> diff --git a/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb b/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
>> index 9afb3de..617db6c 100644
>> --- a/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
>> +++ b/meta/recipes-kernel/cryptodev/cryptodev-tests_1.9.bb
>> @@ -2,10 +2,11 @@ require cryptodev.inc
>>
>>  SUMMARY = "A test suite for /dev/crypto device driver"
>>
>> -DEPENDS += "openssl10"
>> +DEPENDS += "openssl"
>>
>>  SRC_URI += " \
>>  file://0001-Add-the-compile-and-install-rules-for-cryptodev-test.patch \
>> +file://0001-Port-tests-to-openssl-1.1.patch \
>>  "
>>
>>  EXTRA_OEMAKE='KERNEL_DIR="${STAGING_EXECPREFIXDIR}" PREFIX="${D}"'
>> diff --git a/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch b/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
>> new file mode 100644
>> index 0000000..c969126
>> --- /dev/null
>> +++ b/meta/recipes-kernel/cryptodev/files/0001-Port-tests-to-openssl-1.1.patch
>> @@ -0,0 +1,103 @@
>> +From 2fe4bdeb8cdd0b0f46d9caed807812855d51ea56 Mon Sep 17 00:00:00 2001
>> +From: Alexander Kanavin <alex.kanavin@gmail.com>
>> +Date: Wed, 28 Mar 2018 20:11:05 +0300
>> +Subject: [PATCH] Port tests to openssl 1.1
>> +
>> +Upstream-Status: Accepted [https://github.com/cryptodev-linux/cryptodev-linux/pull/36]
>> +Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
>> +
>> +---
>> + tests/openssl_wrapper.c | 33 +++++++++++++++++++++++++++++++++
>> + 1 file changed, 33 insertions(+)
>> +
>> +diff --git a/tests/openssl_wrapper.c b/tests/openssl_wrapper.c
>> +index 038c58f..dea2496 100644
>> +--- a/tests/openssl_wrapper.c
>> ++++ b/tests/openssl_wrapper.c
>> +@@ -4,6 +4,7 @@
>> + #include <openssl/aes.h>
>> + #include <openssl/evp.h>
>> + #include <openssl/hmac.h>
>> ++#include <openssl/opensslv.h>
>> +
>> + //#define DEBUG
>> +
>> +@@ -23,10 +24,17 @@ enum ctx_type {
>> +       ctx_type_md,
>> + };
>> +
>> ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
>> ++union openssl_ctx {
>> ++      HMAC_CTX *hmac;
>> ++      EVP_MD_CTX *md;
>> ++};
>> ++#else
>> + union openssl_ctx {
>> +       HMAC_CTX hmac;
>> +       EVP_MD_CTX md;
>> + };
>> ++#endif
>> +
>> + struct ctx_mapping {
>> +       __u32 ses;
>> +@@ -63,6 +71,16 @@ static void remove_mapping(__u32 ses)
>> +       switch (mapping->type) {
>> +       case ctx_type_none:
>> +               break;
>> ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
>> ++      case ctx_type_hmac:
>> ++              dbgp("%s: calling HMAC_CTX_free\n", __func__);
>> ++              HMAC_CTX_free(mapping->ctx.hmac);
>> ++              break;
>> ++      case ctx_type_md:
>> ++              dbgp("%s: calling EVP_MD_CTX_free\n", __func__);
>> ++              EVP_MD_CTX_free(mapping->ctx.md);
>> ++              break;
>> ++#else
>> +       case ctx_type_hmac:
>> +               dbgp("%s: calling HMAC_CTX_cleanup\n", __func__);
>> +               HMAC_CTX_cleanup(&mapping->ctx.hmac);
>> +@@ -71,6 +89,7 @@ static void remove_mapping(__u32 ses)
>> +               dbgp("%s: calling EVP_MD_CTX_cleanup\n", __func__);
>> +               EVP_MD_CTX_cleanup(&mapping->ctx.md);
>> +               break;
>> ++#endif
>> +       }
>> +       memset(mapping, 0, sizeof(*mapping));
>> + }
>> +@@ -127,10 +146,17 @@ static int openssl_hmac(struct session_op *sess, struct crypt_op *cop)
>> +
>> +               mapping->ses = sess->ses;
>> +               mapping->type = ctx_type_hmac;
>> ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
>> ++              ctx = mapping->ctx.hmac;
>
> Assigning the (uninitialised?) value of mapping->ctx.hmac to ctx here
> looks redundant?
>
>> ++
>> ++              dbgp("calling HMAC_CTX_new");
>> ++              ctx = HMAC_CTX_new();
>> ++#else
>> +               ctx = &mapping->ctx.hmac;
>> +
>> +               dbgp("calling HMAC_CTX_init");
>> +               HMAC_CTX_init(ctx);
>> ++#endif
>> +               dbgp("calling HMAC_Init_ex");
>> +               if (!HMAC_Init_ex(ctx, sess->mackey, sess->mackeylen,
>> +                               sess_to_evp_md(sess), NULL)) {
>> +@@ -172,10 +198,17 @@ static int openssl_md(struct session_op *sess, struct crypt_op *cop)
>> +
>> +               mapping->ses = sess->ses;
>> +               mapping->type = ctx_type_md;
>> ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
>> ++              ctx = mapping->ctx.md;
>
> And same comment here.
>
>> ++
>> ++              dbgp("calling EVP_MD_CTX_new");
>> ++              ctx = EVP_MD_CTX_new();
>> ++#else
>> +               ctx = &mapping->ctx.md;
>> +
>> +               dbgp("calling EVP_MD_CTX_init");
>> +               EVP_MD_CTX_init(ctx);
>> ++#endif
>> +               dbgp("calling EVP_DigestInit");
>> +               EVP_DigestInit(ctx, sess_to_evp_md(sess));
>> +       }
>> --
>> 2.7.4
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Richard Purdie]

On Wed, 2018-09-05 at 10:53 +0200, Martin Jansa wrote:
> But patching the components to use libssl10 might actually work
> (unlike
> just changing DEPENDS to openssl10).
> 
> It's not only conflicting in build-time in RSS, but it will conflict
> on target as well. You either need to migrate all components included
> in image to 1.1 or all stay on 1.0.

That isn't quite the case. For OE-Core we have images using both 1.0
(openssh) and 1.1 installed together. Its true there are some issues if
you try and parallel install both the -dev packages but normal target
images are working.

We could probably "fix" the -dev images to an extent by making 1.1
replace 1.0 dev pieces.

The build time sysroot problem is harder unfortunately, I've ideas
about things we might be able to do but haven't experimented as yet.

Cheers,

Richard

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Khem Raj]

On Wed, Sep 5, 2018 at 7:45 AM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Wed, 2018-09-05 at 10:53 +0200, Martin Jansa wrote:
> > But patching the components to use libssl10 might actually work
> > (unlike
> > just changing DEPENDS to openssl10).
> >
> > It's not only conflicting in build-time in RSS, but it will conflict
> > on target as well. You either need to migrate all components included
> > in image to 1.1 or all stay on 1.0.
>
> That isn't quite the case. For OE-Core we have images using both 1.0
> (openssh) and 1.1 installed together. Its true there are some issues if
> you try and parallel install both the -dev packages but normal target
> images are working.
>
> We could probably "fix" the -dev images to an extent by making 1.1
> replace 1.0 dev pieces.
>
> The build time sysroot problem is harder unfortunately, I've ideas
> about things we might be able to do but haven't experimented as yet.
>

If runtime conflicts are clear
I think we can install the headers into /usr/include/openssl10/
and dev libs into /usr/lib/openssl10
and provide a openssl10.pc file to we can use pkgconfig in packages

> Cheers,
>
> Richard
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Andre McCurdy]

On Wed, Sep 5, 2018 at 8:15 AM, Khem Raj <raj.khem@gmail.com> wrote:
> On Wed, Sep 5, 2018 at 7:45 AM Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
>>
>> On Wed, 2018-09-05 at 10:53 +0200, Martin Jansa wrote:
>> > But patching the components to use libssl10 might actually work
>> > (unlike
>> > just changing DEPENDS to openssl10).
>> >
>> > It's not only conflicting in build-time in RSS, but it will conflict
>> > on target as well. You either need to migrate all components included
>> > in image to 1.1 or all stay on 1.0.
>>
>> That isn't quite the case. For OE-Core we have images using both 1.0
>> (openssh) and 1.1 installed together. Its true there are some issues if
>> you try and parallel install both the -dev packages but normal target
>> images are working.
>>
>> We could probably "fix" the -dev images to an extent by making 1.1
>> replace 1.0 dev pieces.
>>
>> The build time sysroot problem is harder unfortunately, I've ideas
>> about things we might be able to do but haven't experimented as yet.
>>
>
> If runtime conflicts are clear

I don't think the runtime issues are clear.

Being able to install both versions of openssl on the target and have
them be used by different applications is one case (already solved by
different sonames).

But the builds that are failing in meta-oe are a different case - a
single application is indirectly linked against both versions of
openssl. Loading two versions of openssl into the same address space
at runtime hasn't been solved... and may not be realistically solvable
- e.g. what happens if code in an app compiled against openssl 1.1
tries to share an openssl data type with code in a library compiled
against openssl 1.0?

> I think we can install the headers into /usr/include/openssl10/
> and dev libs into /usr/lib/openssl10
> and provide a openssl10.pc file to we can use pkgconfig in packages

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 2426 bytes --]

https://wiki.debian.org/OpenSSL-1.1 says it will cause runtime bugs like
segmentation faults or just misbehaving applications.

On Wed, Sep 5, 2018 at 5:45 PM Andre McCurdy <armccurdy@gmail.com> wrote:

> On Wed, Sep 5, 2018 at 8:15 AM, Khem Raj <raj.khem@gmail.com> wrote:
> > On Wed, Sep 5, 2018 at 7:45 AM Richard Purdie
> > <richard.purdie@linuxfoundation.org> wrote:
> >>
> >> On Wed, 2018-09-05 at 10:53 +0200, Martin Jansa wrote:
> >> > But patching the components to use libssl10 might actually work
> >> > (unlike
> >> > just changing DEPENDS to openssl10).
> >> >
> >> > It's not only conflicting in build-time in RSS, but it will conflict
> >> > on target as well. You either need to migrate all components included
> >> > in image to 1.1 or all stay on 1.0.
> >>
> >> That isn't quite the case. For OE-Core we have images using both 1.0
> >> (openssh) and 1.1 installed together. Its true there are some issues if
> >> you try and parallel install both the -dev packages but normal target
> >> images are working.
> >>
> >> We could probably "fix" the -dev images to an extent by making 1.1
> >> replace 1.0 dev pieces.
> >>
> >> The build time sysroot problem is harder unfortunately, I've ideas
> >> about things we might be able to do but haven't experimented as yet.
> >>
> >
> > If runtime conflicts are clear
>
> I don't think the runtime issues are clear.
>
> Being able to install both versions of openssl on the target and have
> them be used by different applications is one case (already solved by
> different sonames).
>
> But the builds that are failing in meta-oe are a different case - a
> single application is indirectly linked against both versions of
> openssl. Loading two versions of openssl into the same address space
> at runtime hasn't been solved... and may not be realistically solvable
> - e.g. what happens if code in an app compiled against openssl 1.1
> tries to share an openssl data type with code in a library compiled
> against openssl 1.0?
>
> > I think we can install the headers into /usr/include/openssl10/
> > and dev libs into /usr/lib/openssl10
> > and provide a openssl10.pc file to we can use pkgconfig in packages
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>

[-- Attachment #2: Type: text/html, Size: 3391 bytes --]

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Andre McCurdy]

On Wed, Sep 5, 2018 at 8:55 AM, Martin Jansa <martin.jansa@gmail.com> wrote:
> https://wiki.debian.org/OpenSSL-1.1 says it will cause runtime bugs like
> segmentation faults or just misbehaving applications.
>
> On Wed, Sep 5, 2018 at 5:45 PM Andre McCurdy <armccurdy@gmail.com> wrote:
>>
>> On Wed, Sep 5, 2018 at 8:15 AM, Khem Raj <raj.khem@gmail.com> wrote:
>> > On Wed, Sep 5, 2018 at 7:45 AM Richard Purdie
>> > <richard.purdie@linuxfoundation.org> wrote:
>> >>
>> >> On Wed, 2018-09-05 at 10:53 +0200, Martin Jansa wrote:
>> >> > But patching the components to use libssl10 might actually work
>> >> > (unlike
>> >> > just changing DEPENDS to openssl10).
>> >> >
>> >> > It's not only conflicting in build-time in RSS, but it will conflict
>> >> > on target as well. You either need to migrate all components included
>> >> > in image to 1.1 or all stay on 1.0.
>> >>
>> >> That isn't quite the case. For OE-Core we have images using both 1.0
>> >> (openssh) and 1.1 installed together. Its true there are some issues if
>> >> you try and parallel install both the -dev packages but normal target
>> >> images are working.
>> >>
>> >> We could probably "fix" the -dev images to an extent by making 1.1
>> >> replace 1.0 dev pieces.
>> >>
>> >> The build time sysroot problem is harder unfortunately, I've ideas
>> >> about things we might be able to do but haven't experimented as yet.
>> >>
>> >
>> > If runtime conflicts are clear
>>
>> I don't think the runtime issues are clear.
>>
>> Being able to install both versions of openssl on the target and have
>> them be used by different applications is one case (already solved by
>> different sonames).
>>
>> But the builds that are failing in meta-oe are a different case - a
>> single application is indirectly linked against both versions of
>> openssl. Loading two versions of openssl into the same address space
>> at runtime hasn't been solved... and may not be realistically solvable
>> - e.g. what happens if code in an app compiled against openssl 1.1
>> tries to share an openssl data type with code in a library compiled
>> against openssl 1.0?
>>

Any further comments?

How are the meta-oe world builds looking now after the recent fixes?
Are there still issues?

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Khem Raj]

we are good with fixes in master-next
On Mon, Sep 10, 2018 at 10:54 AM Andre McCurdy <armccurdy@gmail.com> wrote:
>
> On Wed, Sep 5, 2018 at 8:55 AM, Martin Jansa <martin.jansa@gmail.com> wrote:
> > https://wiki.debian.org/OpenSSL-1.1 says it will cause runtime bugs like
> > segmentation faults or just misbehaving applications.
> >
> > On Wed, Sep 5, 2018 at 5:45 PM Andre McCurdy <armccurdy@gmail.com> wrote:
> >>
> >> On Wed, Sep 5, 2018 at 8:15 AM, Khem Raj <raj.khem@gmail.com> wrote:
> >> > On Wed, Sep 5, 2018 at 7:45 AM Richard Purdie
> >> > <richard.purdie@linuxfoundation.org> wrote:
> >> >>
> >> >> On Wed, 2018-09-05 at 10:53 +0200, Martin Jansa wrote:
> >> >> > But patching the components to use libssl10 might actually work
> >> >> > (unlike
> >> >> > just changing DEPENDS to openssl10).
> >> >> >
> >> >> > It's not only conflicting in build-time in RSS, but it will conflict
> >> >> > on target as well. You either need to migrate all components included
> >> >> > in image to 1.1 or all stay on 1.0.
> >> >>
> >> >> That isn't quite the case. For OE-Core we have images using both 1.0
> >> >> (openssh) and 1.1 installed together. Its true there are some issues if
> >> >> you try and parallel install both the -dev packages but normal target
> >> >> images are working.
> >> >>
> >> >> We could probably "fix" the -dev images to an extent by making 1.1
> >> >> replace 1.0 dev pieces.
> >> >>
> >> >> The build time sysroot problem is harder unfortunately, I've ideas
> >> >> about things we might be able to do but haven't experimented as yet.
> >> >>
> >> >
> >> > If runtime conflicts are clear
> >>
> >> I don't think the runtime issues are clear.
> >>
> >> Being able to install both versions of openssl on the target and have
> >> them be used by different applications is one case (already solved by
> >> different sonames).
> >>
> >> But the builds that are failing in meta-oe are a different case - a
> >> single application is indirectly linked against both versions of
> >> openssl. Loading two versions of openssl into the same address space
> >> at runtime hasn't been solved... and may not be realistically solvable
> >> - e.g. what happens if code in an app compiled against openssl 1.1
> >> tries to share an openssl data type with code in a library compiled
> >> against openssl 1.0?
> >>
>
> Any further comments?
>
> How are the meta-oe world builds looking now after the recent fixes?
> Are there still issues?

Re: [RFC PATCH 1/6] openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version

[Andre McCurdy]

On Tue, Aug 28, 2018 at 3:23 AM, Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
> From: Alexander Kanavin <alexander.kanavin@linux.intel.com>
>
> I believe the time has come to do this: openssl 1.0 upstream support stops at the end
> of 2019, and we do not want a situation where a supported YP release contains an
> unsupported version of a critical security component.
>
> Openssl 1.0 can still be utilized by depending on 'openssl10' recipe.
>
> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> ---
>
> ...
>
>  BBCLASSEXTEND = "native nativesdk"
> +PACKAGE_PREPROCESS_FUNCS += "openssl_package_preprocess"
> +
> +# openssl 1.0 development files and executable binaries clash with openssl 1.1
> +# files when installed into target rootfs. So we don't put them into
> +# packages, but they continue to be provided via target sysroot for
> +# cross-compilation on the host, if some software still depends on openssl 1.0.
> +openssl_package_preprocess () {
> +        for file in `find ${PKGD} -name *.h -o -name *.pc -o -name *.so`; do
> +                rm $file
> +        done
> +        rm ${PKGD}/usr/bin/openssl
> +        rm ${PKGD}/usr/bin/c_rehash
> +        rmdir ${PKGD}/usr/bin
> +
> +}

I haven't tried it, but does this mean it's no longer possible to
build openssh with an OE based SDK?