Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- .../cheri-patches/0001-purecap-patches.patch | 183 ++++++++++++++++++ ...1-Configure-do-not-tweak-mips-cflags.patch | 36 ++++ ...sysroot-and-debug-prefix-map-from-co.patch | 78 ++++++++ .../openssl/files/afalg.patch | 31 +++ recipes-connectivity/openssl/files/run-ptest | 12 ++ .../openssl/openssl-morello_3.0.8.bb | 164 ++++++++++++++++ 6 files changed, 504 insertions(+) create mode 100644 recipes-connectivity/openssl/cheri-patches/0001-purecap-patches.patch create mode 100644 recipes-connectivity/openssl/files/0001-Configure-do-not-tweak-mips-cflags.patch create mode 100644 recipes-connectivity/openssl/files/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch create mode 100644 recipes-connectivity/openssl/files/afalg.patch create mode 100644 recipes-connectivity/openssl/files/run-ptest create mode 100644 recipes-connectivity/openssl/openssl-morello_3.0.8.bb
diff --git a/recipes-connectivity/openssl/cheri-patches/0001-purecap-patches.patch b/recipes-connectivity/openssl/cheri-patches/0001-purecap-patches.patch
new file mode 100644
index 0000000..6102e6d
--- /dev/null
+++ b/recipes-connectivity/openssl/cheri-patches/0001-purecap-patches.patch
@@ -0,0 +1,183 @@ +From c571aa7d659815902276a0c69eba170eb77074a1 Mon Sep 17 00:00:00 2001 +From: Brooks Davis brooks@one-eyed-alien.net +Date: Mon, 3 Apr 2023 11:23:57 +0100 +Subject: [PATCH] Purecap patches from CHERI BSD that are squashed and rebased. + +Re-add side channels [1] + +The branchless assignments use a pattern which results in the lost of tags +on function pointers and odd length corruption for data pointers. For the +current model of function pointers (single PCC) it might be possible to +fix the function pointer case, but this can't work for objects. + +Use more vaddr_t to fix -Wcheri-bitwise-operations [2] + +[1] https://github.com/CTSRD-CHERI/cheribsd/commit/a0eac17db0649fe134bed192bff30... +[2] https://github.com/CTSRD-CHERI/cheribsd/commit/a2a2a118f7944938e1fc5bb53875e... + +Co-authored-by: Brooks Davis brooks@one-eyed-alien.net +Co-authored-by: Alexander Richardson Alexander.Richardson@cl.cam.ac.uk + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +--- + crypto/bn/bn_nist.c | 48 +++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 40 insertions(+), 8 deletions(-) + +diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c +index da10c40..7f5c6bd 100644 +--- a/crypto/bn/bn_nist.c ++++ b/crypto/bn/bn_nist.c +@@ -338,7 +338,7 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + sizeof(unsigned int)]; + } buf; + BN_ULONG c_d[BN_NIST_192_TOP], *res; +- PTR_SIZE_INT mask; ++ ptraddr_t mask; + static const BIGNUM ossl_bignum_nist_p_192_sqr = { + (BN_ULONG *)_nist_p_192_sqr, + OSSL_NELEM(_nist_p_192_sqr), +@@ -442,10 +442,14 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + mask = + 0 - (PTR_SIZE_INT) bn_sub_words(c_d, r_d, _nist_p_192[0], + BN_NIST_192_TOP); +- mask &= 0 - (PTR_SIZE_INT) carry; ++ mask &= 0 - (ptraddr_t) carry; ++#ifndef __CHERI_PURE_CAPABILITY__ + res = c_d; + res = (BN_ULONG *) + (((PTR_SIZE_INT) res & ~mask) | ((PTR_SIZE_INT) r_d & mask)); ++#else ++ res = mask ? 
r_d : c_d; ++#endif + nist_cp_bn(r_d, res, BN_NIST_192_TOP); + r->top = BN_NIST_192_TOP; + bn_correct_top(r); +@@ -479,7 +483,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + sizeof(unsigned int)]; + } buf; + BN_ULONG c_d[BN_NIST_224_TOP], *res; +- PTR_SIZE_INT mask; ++ ptraddr_t mask; + union { + bn_addsub_f f; + PTR_SIZE_INT p; +@@ -616,19 +620,27 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + carry = + (int)bn_add_words(r_d, r_d, _nist_p_224[-carry - 1], + BN_NIST_224_TOP); ++#ifndef __CHERI_PURE_CAPABILITY__ + mask = 0 - (PTR_SIZE_INT) carry; + u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | + ((PTR_SIZE_INT) bn_add_words & ~mask); ++#else ++ u.f = carry ? bn_sub_words : bn_add_words; ++#endif + } else + carry = 1; + + /* otherwise it's effectively same as in BN_nist_mod_192... */ + mask = + 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP); +- mask &= 0 - (PTR_SIZE_INT) carry; ++ mask &= 0 - (ptraddr_t) carry; ++#ifndef __CHERI_PURE_CAPABILITY__ + res = c_d; + res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | + ((PTR_SIZE_INT) r_d & mask)); ++#else ++ res = mask ? r_d : c_d; ++#endif + nist_cp_bn(r_d, res, BN_NIST_224_TOP); + r->top = BN_NIST_224_TOP; + bn_correct_top(r); +@@ -660,7 +672,7 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + sizeof(unsigned int)]; + } buf; + BN_ULONG c_d[BN_NIST_256_TOP], *res; +- PTR_SIZE_INT mask; ++ ptraddr_t mask; + union { + bn_addsub_f f; + PTR_SIZE_INT p; +@@ -859,18 +871,26 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + carry = + (int)bn_add_words(r_d, r_d, _nist_p_256[-carry - 1], + BN_NIST_256_TOP); ++#ifndef __CHERI_PURE_CAPABILITY__ + mask = 0 - (PTR_SIZE_INT) carry; + u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | + ((PTR_SIZE_INT) bn_add_words & ~mask); ++#else ++ u.f = carry ? 
bn_sub_words : bn_add_words; ++#endif + } else + carry = 1; + + mask = + 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP); +- mask &= 0 - (PTR_SIZE_INT) carry; ++ mask &= 0 - (ptraddr_t) carry; ++#ifndef __CHERI_PURE_CAPABILITY__ + res = c_d; + res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | + ((PTR_SIZE_INT) r_d & mask)); ++#else ++ res = mask ? r_d : c_d; ++#endif + nist_cp_bn(r_d, res, BN_NIST_256_TOP); + r->top = BN_NIST_256_TOP; + bn_correct_top(r); +@@ -906,7 +926,7 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + sizeof(unsigned int)]; + } buf; + BN_ULONG c_d[BN_NIST_384_TOP], *res; +- PTR_SIZE_INT mask; ++ ptraddr_t mask; + union { + bn_addsub_f f; + PTR_SIZE_INT p; +@@ -1140,18 +1160,26 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + carry = + (int)bn_add_words(r_d, r_d, _nist_p_384[-carry - 1], + BN_NIST_384_TOP); ++#ifndef __CHERI_PURE_CAPABILITY__ + mask = 0 - (PTR_SIZE_INT) carry; + u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | + ((PTR_SIZE_INT) bn_add_words & ~mask); ++#else ++ u.f = carry ? bn_sub_words : bn_add_words; ++#endif + } else + carry = 1; + + mask = + 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP); +- mask &= 0 - (PTR_SIZE_INT) carry; ++ mask &= 0 - (ptraddr_t) carry; ++#ifndef __CHERI_PURE_CAPABILITY__ + res = c_d; + res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | + ((PTR_SIZE_INT) r_d & mask)); ++#else ++ res = mask ? r_d : c_d; ++#endif + nist_cp_bn(r_d, res, BN_NIST_384_TOP); + r->top = BN_NIST_384_TOP; + bn_correct_top(r); +@@ -1224,9 +1252,13 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + mask = + 0 - (PTR_SIZE_INT) bn_sub_words(t_d, r_d, _nist_p_521, + BN_NIST_521_TOP); ++#ifndef __CHERI_PURE_CAPABILITY__ + res = t_d; + res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | + ((PTR_SIZE_INT) r_d & mask)); ++#else ++ res = mask ? 
r_d : t_d; ++#endif + nist_cp_bn(r_d, res, BN_NIST_521_TOP); + r->top = BN_NIST_521_TOP; + bn_correct_top(r); +-- +2.34.1 + diff --git a/recipes-connectivity/openssl/files/0001-Configure-do-not-tweak-mips-cflags.patch b/recipes-connectivity/openssl/files/0001-Configure-do-not-tweak-mips-cflags.patch new file mode 100644 index 0000000..0b7abc3 --- /dev/null +++ b/recipes-connectivity/openssl/files/0001-Configure-do-not-tweak-mips-cflags.patch @@ -0,0 +1,36 @@ +From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin alex@linutronix.de +Date: Tue, 14 Sep 2021 12:18:25 +0200 +Subject: [PATCH] Configure: do not tweak mips cflags + +This conflicts with mips machine definitons from yocto, +e.g. +| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2 + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin alex@linutronix.de +--- + Configure | 10 ---------- + 1 file changed, 10 deletions(-) + +Index: openssl-3.0.4/Configure +=================================================================== +--- openssl-3.0.4.orig/Configure ++++ openssl-3.0.4/Configure +@@ -1423,16 +1423,6 @@ if ($target =~ /^mingw/ && `$config{CC} + push @{$config{shared_ldflag}}, "-mno-cygwin"; + } + +-if ($target =~ /linux.*-mips/ && !$disabled{asm} +- && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { +- # minimally required architecture flags for assembly modules +- my $value; +- $value = '-mips2' if ($target =~ /mips32/); +- $value = '-mips3' if ($target =~ /mips64/); +- unshift @{$config{cflags}}, $value; +- unshift @{$config{cxxflags}}, $value if $config{CXX}; +-} +- + # If threads aren't disabled, check how possible they are + unless ($disabled{threads}) { + if ($auto_threads) { 
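Review bot: Under `__CHERI_PURE_CAPABILITY__` the final reduction step in BN_nist_mod_192/224/256/384/521 now picks its result with `res = mask ? r_d : c_d;` (and `u.f = carry ? bn_sub_words : bn_add_words;` in the 224/256/384 hunks), so the choice depends on a carry/borrow derived from the operand and the compiler is free to emit a branch; the commit message admits this ("Re-add side channels") but nothing in the patched code or the recipe records it. For the data-pointer case the select can stay branch-free without integer arithmetic on capabilities by blending the words instead of the pointers, as sketched below for the 192 hunk; the other four would use their own TOP constant and scratch buffer (`t_d` for 521). The sketch assumes `mask` is either zero or all-ones at that point, which the non-purecap path already relies on but which cannot be confirmed from the hunk alone. The function-pointer select has no equally small fix, so it should at least carry a comment such as `/* purecap: not constant-time, see commit message */`. The enclosing functions start and end outside these hunks.

```c
#else
    /* purecap: blend the words rather than the pointers, so no capability
     * is rebuilt from an integer and the select stays branch-free */
    {
        const BN_ULONG keep = 0 - (BN_ULONG)(mask & 1);
        int i;

        for (i = 0; i < BN_NIST_192_TOP; i++)
            r_d[i] = (r_d[i] & keep) | (c_d[i] & ~keep);
        res = r_d;
    }
#endif
    nist_cp_bn(r_d, res, BN_NIST_192_TOP);
```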
diff --git a/recipes-connectivity/openssl/files/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/recipes-connectivity/openssl/files/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
new file mode 100644
index 0000000..bafdbaa
--- /dev/null
+++ b/recipes-connectivity/openssl/files/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -0,0 +1,78 @@ +From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= martin@geanix.com +Date: Tue, 6 Nov 2018 14:50:47 +0100 +Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler + info +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The openssl build system generates buildinf.h containing the full +compiler command line used to compile objects. This breaks +reproducibility, as the compile command is baked into libcrypto, where +it is used when running `openssl version -f`. + +Add stripped build variables for the compiler and cflags lines, and use +those when generating buildinfo.h. + +This is based on a similar patch for older openssl versions: +https://patchwork.openembedded.org/patch/147229/ + +Upstream-Status: Inappropriate [OE specific] +Signed-off-by: Martin Hundebøll martin@geanix.com + +Update to fix buildpaths qa issue for '-fmacro-prefix-map'. + +Signed-off-by: Kai Kang kai.kang@windriver.com + +Update to fix buildpaths qa issue for '-ffile-prefix-map'. 
+ +Signed-off-by: Khem Raj raj.khem@gmail.com + +--- + Configurations/unix-Makefile.tmpl | 12 +++++++++++- + crypto/build.info | 2 +- + 2 files changed, 12 insertions(+), 2 deletions(-) + +Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.0.4/Configurations/unix-Makefile.tmpl +@@ -472,13 +472,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl + '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} + BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) + +-# CPPFLAGS_Q is used for one thing only: to build up buildinf.h ++# *_Q variables are used for one thing only: to build up buildinf.h + CPPFLAGS_Q={- $cppflags1 =~ s|([\"])|\$1|g; + $cppflags2 =~ s|([\"])|\$1|g; + $lib_cppflags =~ s|([\"])|\$1|g; + join(' ', $lib_cppflags || (), $cppflags2 || (), + $cppflags1 || ()) -} + ++CFLAGS_Q={- for (@{$config{CFLAGS}}) { ++ s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; ++ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; ++ s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g; ++ } ++ join(' ', @{$config{CFLAGS}}) -} ++ ++CC_Q={- $config{CC} =~ s|--sysroot=[^ ]+|--sysroot=recipe-sysroot|g; ++ join(' ', $config{CC}) -} ++ + PERLASM_SCHEME= {- $target{perlasm_scheme} -} + + # For x86 assembler: Set PROCESSOR to 386 if you want to support +Index: openssl-3.0.4/crypto/build.info +=================================================================== +--- openssl-3.0.4.orig/crypto/build.info ++++ openssl-3.0.4/crypto/build.info +@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF + + DEPEND[info.o]=buildinf.h + DEPEND[cversion.o]=buildinf.h +-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" ++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)" + + GENERATE[uplink-x86.S]=../ms/uplink-x86.pl + GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl 
diff --git a/recipes-connectivity/openssl/files/afalg.patch b/recipes-connectivity/openssl/files/afalg.patch new file mode 100644 index 0000000..cf77e87 --- /dev/null +++ b/recipes-connectivity/openssl/files/afalg.patch @@ -0,0 +1,31 @@ +Don't refuse to build afalgeng if cross-compiling or the host kernel is too old. + +Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688] +Signed-off-by: Ross Burton ross.burton@intel.com + +Index: openssl-3.0.4/Configure +=================================================================== +--- openssl-3.0.4.orig/Configure ++++ openssl-3.0.4/Configure +@@ -1681,20 +1681,7 @@ $config{CFLAGS} = [ map { $_ eq '--ossl- + unless ($disabled{afalgeng}) { + $config{afalgeng}=""; + if (grep { $_ eq 'afalgeng' } @{$target{enable}}) { +- my $minver = 4*10000 + 1*100 + 0; +- if ($config{CROSS_COMPILE} eq "") { +- my $verstr = `uname -r`; +- my ($ma, $mi1, $mi2) = split("\.", $verstr); +- ($mi2) = $mi2 =~ /(\d+)/; +- my $ver = $ma*10000 + $mi1*100 + $mi2; +- if ($ver < $minver) { +- disable('too-old-kernel', 'afalgeng'); +- } else { +- push @{$config{engdirs}}, "afalg"; +- } +- } else { +- disable('cross-compiling', 'afalgeng'); +- } ++ push @{$config{engdirs}}, "afalg"; + } else { + disable('not-linux', 'afalgeng'); + } diff --git a/recipes-connectivity/openssl/files/run-ptest b/recipes-connectivity/openssl/files/run-ptest new file mode 100644 index 0000000..8dff791 --- /dev/null +++ b/recipes-connectivity/openssl/files/run-ptest @@ -0,0 +1,12 @@ +#!/bin/sh + +set -e + +# Optional arguments are 'list' to lists all tests, or the test name (base name +# ie test_evp, not 03_test_evp.t). + +export TOP=. +# OPENSSL_ENGINES is relative from the test binaries +export OPENSSL_ENGINES=../engines + +perl ./test/run_tests.pl $* | sed -u -r -e '/(.*) .*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) .*.skipped: (.*)/ s/^/SKIP: /g' 
diff --git a/recipes-connectivity/openssl/openssl-morello_3.0.8.bb b/recipes-connectivity/openssl/openssl-morello_3.0.8.bb
new file mode 100644
index 0000000..d296ae1
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl-morello_3.0.8.bb
@@ -0,0 +1,164 @@ +inherit lib_package pkgconfig perlnative pure-cap-kheaders purecap-sysroot + +MORELLO_SRC = "poky/meta/recipes-connectivity/openssl/openssl_3.0.8.bb" + +SUMMARY = "Secure Socket Layer" +DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools, with rebased patches from CHERI BSD repo." +HOMEPAGE = "http://www.openssl.org/" +BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" +SECTION = "libs/network" + +TOOLCHAIN = "${MORELLO_TOOLCHAIN}" + +RPROVIDES:${PN} = "openssl-morello" + +FILESEXTRAPATHS:prepend := "${THISDIR}/cheri-patches:" + +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04" + +SRC_URI = "http://www.openssl.org/source/openssl-3.0.8.tar.gz \ + file://run-ptest \ + file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ + file://afalg.patch \ + file://0001-Configure-do-not-tweak-mips-cflags.patch \ + file://0001-purecap-patches.patch \ + " + +SRC_URI[sha256sum] = "6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e" + +PACKAGECONFIG ?= "" + +PACKAGECONFIG[no-tls1] = "no-tls1" +PACKAGECONFIG[no-tls1_1] = "no-tls1_1" + +S = "${WORKDIR}/openssl-3.0.8" +B = "${WORKDIR}/build" + +do_configure[cleandirs] = "${B}" + +# no-asm as otherwise crypto wont compile, no-async is needed for musl +EXTRA_OECONF:append = " no-async" +EXTRA_OECONF:append = " no-asm" +EXTRA_OECONF:append = " shared" + +EXTRA_OECONF:remove:toolchain-llvm-morello = "--disable-static" + +# This allows disabling deprecated or undesirable crypto algorithms. +# The default is to trust upstream choices. 
+DEPRECATED_CRYPTO_FLAGS ?= "" + +do_configure () { + HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ + perl ${S}/Configure ${EXTRA_OECONF} --prefix=$prefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} linux-aarch64 + perl ${B}/configdata.pm --dump +} + +do_compile () { + oe_runmake +} + +do_install () { + + oe_runmake DESTDIR=${D} install + + libdirssl="${libdir}/ssl-3" + sysconfdirssl="${sysconfdir}/ssl" + + install -d ${D}${sysconfdirssl} + mv ${D}${libdirssl}/certs \ + ${D}${libdirssl}/private \ + ${D}${libdirssl}/openssl.cnf \ + ${D}${sysconfdirssl}/ + + # Although absolute symlinks would be OK for the target, they become + # invalid if native or nativesdk are relocated from sstate. + ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdirssl}/certs + ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdirssl}/private + ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdirssl}/openssl.cnf +} + +do_install:append() { + ${OBJDUMP_COMMAND} ${D}${libdir}/libssl.so > ${D}${PURECAP_DEBUGDIR}/libssl.dump + ${READELF_COMMAND} ${D}${libdir}/libssl.so > ${D}${PURECAP_DEBUGDIR}/libssl.readelf +} + +PTEST_BUILD_HOST_FILES += "configdata.pm" +PTEST_BUILD_HOST_PATTERN = "perl_version =" +do_install_ptest () { + + local ptest_path = "${D}${PURECAP_SYSROOT_DIR}${PTEST_PATH}" + install -d ${ptest_path} + install -d ${ptest_path}/test + install -m755 ${B}/test/p_test.so ${ptest_path}/test + install -m755 ${B}/test/provider_internal_test.cnf ${ptest_path}/test + + # Prune the build tree + rm -f ${B}/fuzz/*.* ${B}/test/*.* + cp ${S}/Configure ${B}/configdata.pm ${ptest_path} + sed 's|${S}|${ptest_path}|g' -i ${ptest_path}/configdata.pm + cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${ptest_path} + + # For test_shlibload + ln -s ${libdir}/libcrypto.so.1.1 ${ptest_path}/ + ln -s ${libdir}/libssl.so.1.1 
${ptest_path}/ + install -d ${ptest_path}/apps + ln -s ${bindir}/openssl ${ptest_path}/apps + install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${ptest_path}/apps + install -m755 ${B}/apps/CA.pl ${ptest_path}/apps + install -d ${ptest_path}/engines + install -m755 ${B}/engines/dasync.so ${ptest_path}/engines + install -m755 ${B}/engines/loader_attic.so ${ptest_path}/engines + install -m755 ${B}/engines/ossltest.so ${ptest_path}/engines + install -d ${ptest_path}/providers + install -m755 ${B}/providers/legacy.so ${ptest_path}/providers + install -d ${ptest_path}/Configurations + cp -rf ${S}/Configurations/* ${ptest_path}/Configurations/ + + # seems to be needed with perl 5.32.1 + install -d ${ptest_path}/util/perl/recipes + cp ${ptest_path}/test/recipes/tconversion.pl ${ptest_path}/util/perl/recipes/ + sed 's|${S}|${ptest_path}|g' -i ${ptest_path}/util/wrap.pl +} + +# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto +# package RRECOMMENDS on this package. This will enable the configuration +# file to be installed for both the openssl-bin package and the libcrypto +# package since the openssl-bin package depends on the libcrypto package. 
+ +PACKAGES =+ "libcrypto-morello libssl-morello openssl-morello-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy" + +FILES:${PN} += "${libdir}/ssl-3/* \ + ${libdir}/ossl-modules/ \ + ${sysconfdir}/ssl \ + " + +FILES:${PN}-bin = "${bindir}/openssl" + +FILES:libcrypto-morello = "${libdir}/libcrypto${SOLIBS}" +FILES:libssl-morello = "${libdir}/libssl${SOLIBS}" +FILES:openssl-morello-conf = "${sysconfdir}/ssl/openssl.cnf \ + ${libdir}/ssl-3/openssl.cnf* \ + " + +FILES:${PN}-engines = "${libdir}/engines-3" + +FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash" +FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so" + + +CONFFILES:openssl-morello-conf = "${sysconfdir}/ssl/openssl.cnf" + +RRECOMMENDS:libcrypto-mmorello += "openssl-morello-conf ${PN}-ossl-module-legacy" + +RDEPENDS:${PN}-misc = "perl" +RDEPENDS:${PN}-ptest += "openssl-morello-bin perl perl-modules bash sed" + +RDEPENDS:${PN}-bin += "openssl-morello-conf" + +CVE_PRODUCT = "openssl:openssl" +CVE_VERSION_SUFFIX = "alphabetical" + +# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 +# Apache in meta-webserver is already recent enough +CVE_CHECK_IGNORE += "CVE-2019-0190" \ No newline at end of file
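Review bot: `RRECOMMENDS:libcrypto-mmorello` near the end of the recipe names a package that PACKAGES does not define (it lists `libcrypto-morello`), so openssl-morello-conf and the legacy module are never recommended alongside libcrypto; the line should read `RRECOMMENDS:libcrypto-morello += "openssl-morello-conf ${PN}-ossl-module-legacy"`. In do_install_ptest, `local ptest_path = "..."` has spaces around `=` and is therefore not a shell assignment, and both `sed 's|${S}|${ptest_path}|g'` calls keep `${ptest_path}` inside single quotes, where the shell will not expand it; `local ptest_path="${D}${PURECAP_SYSROOT_DIR}${PTEST_PATH}"` and double-quoted sed expressions would address both. The `libcrypto.so.1.1` and `libssl.so.1.1` links in the same function look carried over from an older recipe and probably do not match the sonames a 3.0.8 build installs. Because this recipe ships a local change to the bignum reduction code, a ptest install that actually works is the main regression check available for it.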