meta/recipes-connectivity/openssl/openssl_1.1.1p.bb

   1 SUMMARY = "Secure Socket Layer"
   2 DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
   3 HOMEPAGE = "http://www.openssl.org/"
   4 BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
   5 SECTION = "libs/network"
   6
   7 # "openssl" here actually means both OpenSSL and SSLeay licenses apply
   8 # (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped)
   9 LICENSE = "openssl"
  10 LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8"
  11
  12 DEPENDS = "hostperl-runtime-native"
  13
  14 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
  15            file://run-ptest \
  16            file://0001-skip-test_symbol_presence.patch \
  17            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
  18            file://afalg.patch \
  19            file://reproducible.patch \
  20            file://reproducibility.patch \
  21            "
  22
  23 SRC_URI_append_class-nativesdk = " \
  24            file://environment.d-openssl.sh \
  25            "
  26
  27 SRC_URI[sha256sum] = "bf61b62aaa66c7c7639942a94de4c9ae8280c08f17d4eac2e44644d9fc8ace6f"
  28
  29 inherit lib_package multilib_header multilib_script ptest
  30 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
  31
  32 PACKAGECONFIG ?= ""
  33 PACKAGECONFIG_class-native = ""
  34 PACKAGECONFIG_class-nativesdk = ""
  35
  36 PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
  37
  38 B = "${WORKDIR}/build"
  39 do_configure[cleandirs] = "${B}"
  40
  41 #| ./libcrypto.so: undefined reference to `getcontext'
  42 #| ./libcrypto.so: undefined reference to `setcontext'
  43 #| ./libcrypto.so: undefined reference to `makecontext'
  44 EXTRA_OECONF_append_libc-musl = " no-async"
  45 EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm"
  46
  47 # adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
  48 # (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
  49 EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom"
  50 EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom"
  51
  52 # Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
  53 CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
  54 CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
  55
  56 do_configure () {
  57         os=${HOST_OS}
  58         case $os in
  59         linux-gnueabi |\
  60         linux-gnuspe |\
  61         linux-musleabi |\
  62         linux-muslspe |\
  63         linux-musl )
  64                 os=linux
  65                 ;;
  66         *)
  67                 ;;
  68         esac
  69         target="$os-${HOST_ARCH}"
  70         case $target in
  71         linux-arm*)
  72                 target=linux-armv4
  73                 ;;
  74         linux-aarch64*)
  75                 target=linux-aarch64
  76                 ;;
  77         linux-i?86 | linux-viac3)
  78                 target=linux-x86
  79                 ;;
  80         linux-gnux32-x86_64 | linux-muslx32-x86_64 )
  81                 target=linux-x32
  82                 ;;
  83         linux-gnu64-x86_64)
  84                 target=linux-x86_64
  85                 ;;
  86         linux-mips | linux-mipsel)
  87                 # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
  88                 target="linux-mips32 ${TARGET_CC_ARCH}"
  89                 ;;
  90         linux-gnun32-mips*)
  91                 target=linux-mips64
  92                 ;;
  93         linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
  94                 target=linux64-mips64
  95                 ;;
  96         linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
  97                 target=linux-generic32
  98                 ;;
  99         linux-powerpc)
 100                 target=linux-ppc
 101                 ;;
 102         linux-powerpc64)
 103                 target=linux-ppc64
 104                 ;;
 105         linux-powerpc64le)
 106                 target=linux-ppc64le
 107                 ;;
 108         linux-riscv32)
 109                 target=linux-generic32
 110                 ;;
 111         linux-riscv64)
 112                 target=linux-generic64
 113                 ;;
 114         linux-sparc | linux-supersparc)
 115                 target=linux-sparcv9
 116                 ;;
 117         esac
 118
 119         useprefix=${prefix}
 120         if [ "x$useprefix" = "x" ]; then
 121                 useprefix=/
 122         fi
 123         # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
 124         # environment variables set by bitbake. Adjust the environment variables instead.
 125         HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
 126         perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
 127         perl ${B}/configdata.pm --dump
 128 }
 129
 130 do_install () {
 131         oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
 132
 133         oe_multilib_header openssl/opensslconf.h
 134
 135         # Create SSL structure for packages such as ca-certificates which
 136         # contain hard-coded paths to /etc/ssl. Debian does the same.
 137         install -d ${D}${sysconfdir}/ssl
 138         mv ${D}${libdir}/ssl-1.1/certs \
 139            ${D}${libdir}/ssl-1.1/private \
 140            ${D}${libdir}/ssl-1.1/openssl.cnf \
 141            ${D}${sysconfdir}/ssl/
 142
 143         # Although absolute symlinks would be OK for the target, they become
 144         # invalid if native or nativesdk are relocated from sstate.
 145         ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs
 146         ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private
 147         ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf
 148 }
 149
 150 do_install_append_class-native () {
 151         create_wrapper ${D}${bindir}/openssl \
 152             OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
 153             SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
 154             SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
 155             OPENSSL_ENGINES=${libdir}/engines-1.1
 156 }
 157
 158 do_install_append_class-nativesdk () {
 159         mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
 160         install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
 161         sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
 162 }
 163
 164 PTEST_BUILD_HOST_FILES += "configdata.pm"
 165 PTEST_BUILD_HOST_PATTERN = "perl_version ="
 166 do_install_ptest () {
 167         # Prune the build tree
 168         rm -f ${B}/fuzz/*.* ${B}/test/*.*
 169
 170         cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
 171         cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
 172
 173         # For test_shlibload
 174         ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
 175         ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
 176
 177         install -d ${D}${PTEST_PATH}/apps
 178         ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
 179         install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
 180         install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
 181
 182         install -d ${D}${PTEST_PATH}/engines
 183         install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
 184         install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
 185 }
 186
 187 # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
 188 # package RRECOMMENDS on this package. This will enable the configuration
 189 # file to be installed for both the openssl-bin package and the libcrypto
 190 # package since the openssl-bin package depends on the libcrypto package.
 191
 192 PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"
 193
 194 FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
 195 FILES_libssl = "${libdir}/libssl${SOLIBS}"
 196 FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
 197                       ${libdir}/ssl-1.1/openssl.cnf* \
 198                       "
 199 FILES_${PN}-engines = "${libdir}/engines-1.1"
 200 FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
 201 FILES_${PN} =+ "${libdir}/ssl-1.1/*"
 202 FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
 203
 204 CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 205
 206 RRECOMMENDS_libcrypto += "openssl-conf"
 207 RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash"
 208
 209 RDEPENDS_${PN}-bin += "openssl-conf"
 210
 211 BBCLASSEXTEND = "native nativesdk"
 212
 213 CVE_PRODUCT = "openssl:openssl"
 214
 215 CVE_VERSION_SUFFIX = "alphabetical"
 216
 217 # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 218 # Apache in meta-webserver is already recent enough
 219 CVE_CHECK_WHITELIST += "CVE-2019-0190"