On Fri Jan 23, 2026 at 1:33 PM CET, Peter Marko via lists.openembedded.org
wrote:
> From: Peter Marko <[email protected]>
>
> Openssl 3.2 has reached EOL.
> Some projects would like to use LTS version due to criticality and
> exposure of this component, so upgrade to 3.5 branch.
>
> Copy recipe from current master and add UNPACKDIR definition at end of
> it as this variable does not exist in scarthgap yet.
>
> Dislaimers:
> * this is a testing branch not intended to be merged in current form
> * running builds implementing following Yocto AB testsuites showed only
> intermittent failures of python ptest, otherwise the builds were ok:
> * qemuarm64
> * qemuarm64-alt
> * qemuarm64-ptest
> * qemuarm64-ptest-fast
> * qemuppc
> * qemuppc-tc
> * qemux64-world
> * qemux64-world-alt
>
> Signed-off-by: Peter Marko <[email protected]>
> ---
> .../openssl/files/environment.d-openssl.sh | 9 ++-
> ...ke-history-reporting-when-test-fails.patch | 19 +++--
> ...1-Configure-do-not-tweak-mips-cflags.patch | 4 +-
> ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
> .../0001-extend-check_cwm-test-timeout.patch | 32 ++++++++
> .../openssl/openssl/CVE-2024-41996.patch | 44 -----------
> .../{openssl_3.2.6.bb => openssl_3.5.4.bb} | 76 +++++++++++++------
> 7 files changed, 116 insertions(+), 94 deletions(-)
> create mode 100644
> meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
> delete mode 100644
> meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
> rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb =>
> openssl_3.5.4.bb} (75%)
The TSC has approved merging this 3.5 Openssl upgrade to scarthgap :)
Can you send an updated non-RFC patch?
Thanks!
> diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
> b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
> index d72edcb5ed..77747c1fda 100644
> --- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
> +++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
> @@ -1,14 +1,15 @@
> -export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
> +export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/openssl.cnf"
> export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
> export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
> +export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-}
> OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES"
>
> # Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host
> cert, then cert in buildtools
> -# CAFILE/CAPATH is auto-deteced when source buildtools
> +# CAFILE/CAPATH is auto-detected when source buildtools
> if [ -z "${SSL_CERT_FILE:-}" ]; then
> if [ -n "${CAFILE:-}" ];then
> export SSL_CERT_FILE="$CAFILE"
> elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
> ];then
> - export
> SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
> + export
> SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt"
> fi
> fi
>
> @@ -16,7 +17,7 @@ if [ -z "${SSL_CERT_DIR:-}" ]; then
> if [ -n "${CAPATH:-}" ];then
> export SSL_CERT_DIR="$CAPATH"
> elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
> ];then
> - export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
> + export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs"
> fi
> fi
>
> diff --git
> a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
>
> b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
> index b05d7abf7c..5b7365a353 100644
> ---
> a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
> +++
> b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
> @@ -6,7 +6,6 @@ Subject: [PATCH] Added handshake history reporting when test
> fails
> Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
>
> Signed-off-by: William Lyu <[email protected]>
> -Signed-off-by: Siddharth Doshi <[email protected]>
> ---
> test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++----------
> test/helpers/handshake.h | 70 +++++++++++++++++++-
> @@ -14,10 +13,10 @@ Signed-off-by: Siddharth Doshi <[email protected]>
> 3 files changed, 217 insertions(+), 34 deletions(-)
>
> diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
> -index e0422469e4..ae2ad59dd4 100644
> +index f611b3a..5703b48 100644
> --- a/test/helpers/handshake.c
> +++ b/test/helpers/handshake.c
> -@@ -24,6 +24,102 @@
> +@@ -25,6 +25,102 @@
> #include <netinet/sctp.h>
> #endif
>
> @@ -120,7 +119,7 @@ index e0422469e4..ae2ad59dd4 100644
> HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
> {
> HANDSHAKE_RESULT *ret;
> -@@ -725,15 +821,6 @@ static void configure_handshake_ssl(SSL *server, SSL
> *client,
> +@@ -726,15 +822,6 @@ static void configure_handshake_ssl(SSL *server, SSL
> *client,
> SSL_set_post_handshake_auth(client, 1);
> }
>
> @@ -136,7 +135,7 @@ index e0422469e4..ae2ad59dd4 100644
> /* An SSL object and associated read-write buffers. */
> typedef struct peer_st {
> SSL *ssl;
> -@@ -1080,17 +1167,6 @@ static void do_shutdown_step(PEER *peer)
> +@@ -1081,17 +1168,6 @@ static void do_shutdown_step(PEER *peer)
> }
> }
>
> @@ -154,7 +153,7 @@ index e0422469e4..ae2ad59dd4 100644
> static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
> {
> switch (test_ctx->handshake_mode) {
> -@@ -1168,19 +1244,6 @@ static void do_connect_step(const SSL_TEST_CTX
> *test_ctx, PEER *peer,
> +@@ -1169,19 +1245,6 @@ static void do_connect_step(const SSL_TEST_CTX
> *test_ctx, PEER *peer,
> }
> }
>
> @@ -174,7 +173,7 @@ index e0422469e4..ae2ad59dd4 100644
> /*
> * Determine the handshake outcome.
> * last_status: the status of the peer to have acted last.
> -@@ -1545,6 +1608,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
> +@@ -1546,6 +1609,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
>
> start = time(NULL);
>
> @@ -185,7 +184,7 @@ index e0422469e4..ae2ad59dd4 100644
> /*
> * Half-duplex handshake loop.
> * Client and server speak to each other synchronously in the same
> process.
> -@@ -1566,6 +1633,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
> +@@ -1567,6 +1634,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
> 0 /* server went last */);
> }
>
> @@ -197,7 +196,7 @@ index e0422469e4..ae2ad59dd4 100644
> case HANDSHAKE_SUCCESS:
> client_turn_count = 0;
> diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
> -index 78b03f9f4b..b9967c2623 100644
> +index 78b03f9..b9967c2 100644
> --- a/test/helpers/handshake.h
> +++ b/test/helpers/handshake.h
> @@ -1,5 +1,5 @@
> @@ -302,7 +301,7 @@ index 78b03f9f4b..b9967c2623 100644
> +
> #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */
> diff --git a/test/ssl_test.c b/test/ssl_test.c
> -index ea608518f9..9d6b093c81 100644
> +index ea60851..9d6b093 100644
> --- a/test/ssl_test.c
> +++ b/test/ssl_test.c
> @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
> diff --git
> a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
>
> b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
> index 3f6ab97795..cf5ff356ee 100644
> ---
> a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
> +++
> b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
> @@ -17,10 +17,10 @@ Signed-off-by: Tim Orling <[email protected]>
> 1 file changed, 10 deletions(-)
>
> diff --git a/Configure b/Configure
> -index 4569952..adf019b 100755
> +index fff97bd..5ee54c1 100755
> --- a/Configure
> +++ b/Configure
> -@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help
> 2>&1` =~ m/-mno-cygwin/m)
> +@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help
> 2>&1` =~ m/-mno-cygwin/m)
> push @{$config{shared_ldflag}}, "-mno-cygwin";
> }
>
> diff --git
> a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
>
> b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
> index ce2acb2462..dadc034c91 100644
> ---
> a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
> +++
> b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
> @@ -30,23 +30,26 @@ Update to fix buildpaths qa issue for '-ffile-prefix-map'.
> Signed-off-by: Khem Raj <[email protected]>
>
> ---
> - Configurations/unix-Makefile.tmpl | 12 +++++++++++-
> + Configurations/unix-Makefile.tmpl | 16 +++++++++++++++-
> crypto/build.info | 2 +-
> - 2 files changed, 12 insertions(+), 2 deletions(-)
> + 2 files changed, 16 insertions(+), 2 deletions(-)
>
> -Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
> -===================================================================
> ---- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl
> -+++ openssl-3.0.4/Configurations/unix-Makefile.tmpl
> -@@ -481,13 +481,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
> +diff --git a/Configurations/unix-Makefile.tmpl
> b/Configurations/unix-Makefile.tmpl
> +index 09303c4..011bda1 100644
> +--- a/Configurations/unix-Makefile.tmpl
> ++++ b/Configurations/unix-Makefile.tmpl
> +@@ -513,13 +513,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
> '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
> BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
>
> -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h
> +# *_Q variables are used for one thing only: to build up buildinf.h
> CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g;
> ++ $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g;
> $cppflags2 =~ s|([\\"])|\\$1|g;
> ++ $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g;
> $lib_cppflags =~ s|([\\"])|\\$1|g;
> ++ $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g;
> join(' ', $lib_cppflags || (), $cppflags2 || (),
> $cppflags1 || ()) -}
>
> @@ -54,6 +57,7 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
> + s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
> + s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
> + s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
> ++ s|-isystem/[^ ]+/usr/include ||g;
> + }
> + join(' ', @{$config{CFLAGS}}) -}
> +
> @@ -63,10 +67,10 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
> PERLASM_SCHEME= {- $target{perlasm_scheme} -}
>
> # For x86 assembler: Set PROCESSOR to 386 if you want to support
> -Index: openssl-3.0.4/crypto/build.info
> -===================================================================
> ---- openssl-3.0.4.orig/crypto/build.info
> -+++ openssl-3.0.4/crypto/build.info
> +diff --git a/crypto/build.info b/crypto/build.info
> +index aee5c46..95c9577 100644
> +--- a/crypto/build.info
> ++++ b/crypto/build.info
> @@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
>
> DEPEND[info.o]=buildinf.h
> diff --git
> a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
>
> b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
> new file mode 100644
> index 0000000000..d02d42f1b5
> --- /dev/null
> +++
> b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
> @@ -0,0 +1,32 @@
> +From c7000672296f4c367341aa3415f26c4d9f5e4749 Mon Sep 17 00:00:00 2001
> +From: Gyorgy Sarvari <[email protected]>
> +Date: Thu, 23 Oct 2025 11:24:36 +0200
> +Subject: [PATCH] extend check_cwm test timeout
> +
> +The default, 3s long test timeout isn't always enough for this
> +particular test in case there is a high load on the host machine
> +(assuming it is running in qemu). Extend the default timeout to 6s
> +for the check_cwm test to avoid timeouts.
> +
> +Upstream-Status: Inappropriate [upstream issue:
> https://github.com/openssl/openssl/issues/28983]
> +Signed-off-by: Gyorgy Sarvari <[email protected]>
> +---
> + test/radix/main.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/test/radix/main.c b/test/radix/main.c
> +index 4a1e886a71..39f8c61ef9 100644
> +--- a/test/radix/main.c
> ++++ b/test/radix/main.c
> +@@ -25,6 +25,11 @@ static int test_script(int idx)
> + int testresult;
> + TERP_CONFIG cfg = {0};
> +
> ++ // check_cwm test sometimes times out, the default 3000ms is
> ++ // not enough if the test execution starves for CPU
> ++ if (!strncmp("check_cwm", script_info->name, strlen("check_cwm")))
> ++ cfg.max_execution_time = ossl_ms2time(6000);
> ++
> + if (!TEST_true(bindings_process_init(0, 0)))
> + return 0;
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
> b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
> deleted file mode 100644
> index dc18e0bef1..0000000000
> --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
> +++ /dev/null
> @@ -1,44 +0,0 @@
> -From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
> -From: Tomas Mraz <[email protected]>
> -Date: Mon, 5 Aug 2024 17:54:14 +0200
> -Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
> - safe-prime groups
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -The partial validation is fully sufficient to check the key validity.
> -
> -Thanks to Szilárd Pfeiffer for reporting the issue.
> -
> -Reviewed-by: Neil Horman <[email protected]>
> -Reviewed-by: Matt Caswell <[email protected]>
> -Reviewed-by: Paul Dale <[email protected]>
> -(Merged from https://github.com/openssl/openssl/pull/25088)
> -
> -CVE: CVE-2024-41996
> -Upstream-Status: Backport
> [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98]
> -Signed-off-by: Peter Marko <[email protected]>
> ----
> - providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
> - 1 file changed, 5 insertions(+), 3 deletions(-)
> -
> -diff --git a/providers/implementations/keymgmt/dh_kmgmt.c
> b/providers/implementations/keymgmt/dh_kmgmt.c
> -index 82c3093b12..ebdce76710 100644
> ---- a/providers/implementations/keymgmt/dh_kmgmt.c
> -+++ b/providers/implementations/keymgmt/dh_kmgmt.c
> -@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int
> checktype)
> - if (pub_key == NULL)
> - return 0;
> -
> -- /* The partial test is only valid for named group's with q = (p - 1) /
> 2 */
> -- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
> -- && ossl_dh_is_named_safe_prime_group(dh))
> -+ /*
> -+ * The partial test is only valid for named group's with q = (p - 1) / 2
> -+ * but for that case it is also fully sufficient to check the key
> validity.
> -+ */
> -+ if (ossl_dh_is_named_safe_prime_group(dh))
> - return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
> -
> - return DH_check_pub_key_ex(dh, pub_key);
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> b/meta/recipes-connectivity/openssl/openssl_3.5.4.bb
> similarity index 75%
> rename from meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.5.4.bb
> index 4756f5aaa6..377d307203 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.5.4.bb
> @@ -7,19 +7,19 @@ SECTION = "libs/network"
> LICENSE = "Apache-2.0"
> LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
>
> -SRC_URI =
> "https://github.com/openssl/openssl/releases/download/openssl-${PV}/openssl-${PV}.tar.gz
> \
> +SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
> file://run-ptest \
>
> file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
> file://0001-Configure-do-not-tweak-mips-cflags.patch \
>
> file://0001-Added-handshake-history-reporting-when-test-fails.patch \
> - file://CVE-2024-41996.patch \
> + file://0001-extend-check_cwm-test-timeout.patch \
> "
>
> SRC_URI:append:class-nativesdk = " \
> file://environment.d-openssl.sh \
> "
>
> -SRC_URI[sha256sum] =
> "89681a9ddaa9ed7cf25ea8ef61338db805200bae47d00510490623547380c148"
> +SRC_URI[sha256sum] =
> "967311f84955316969bdb1d8d4b983718ef42338639c621ec4c34fddef355e99"
>
> inherit lib_package multilib_header multilib_script ptest perlnative manpages
> MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
> @@ -32,10 +32,13 @@ PACKAGECONFIG[cryptodev-linux] =
> "enable-devcryptoeng,disable-devcryptoeng,crypt
> PACKAGECONFIG[no-tls1] = "no-tls1"
> PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
> PACKAGECONFIG[manpages] = ""
> +PACKAGECONFIG[fips] = "enable-fips"
>
> B = "${WORKDIR}/build"
> do_configure[cleandirs] = "${B}"
>
> +EXTRA_OECONF = "${@bb.utils.contains('PTEST_ENABLED', '1', '', 'no-tests',
> d)}"
> +
> #| ./libcrypto.so: undefined reference to `getcontext'
> #| ./libcrypto.so: undefined reference to `setcontext'
> #| ./libcrypto.so: undefined reference to `makecontext'
> @@ -44,12 +47,15 @@ EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
>
> # adding devrandom prevents openssl from using getrandom() which is not
> available on older glibc versions
> # (native versions can be built with newer glibc, but then relocated onto a
> system with older glibc)
> -EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
> -EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
> +EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom"
> +EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom"
>
> # Relying on hardcoded built-in paths causes openssl-native to not be
> relocateable from sstate.
> -CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin
> -DENGINESDIR=/not/builtin"
> -CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin
> -DENGINESDIR=/not/builtin"
> +EXTRA_OEMAKE:append:task-compile:class-native = ' OPENSSLDIR="/not/builtin"
> ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
> +EXTRA_OEMAKE:append:task-compile:class-nativesdk = '
> OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
> +
> +#| threads_pthread.c:(.text+0x372): undefined reference to
> `__atomic_is_lock_free'
> +EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"
>
> # This allows disabling deprecated or undesirable crypto algorithms.
> # The default is to trust upstream choices.
> @@ -136,21 +142,26 @@ do_configure () {
> ;;
> esac
>
> - useprefix=${prefix}
> - if [ "x$useprefix" = "x" ]; then
> - useprefix=/
> - fi
> # WARNING: do not set compiler/linker flags (-I/-D etc.) in
> EXTRA_OECONF, as they will fully replace the
> # environment variables set by bitbake. Adjust the environment
> variables instead.
> PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
> test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not
> found!"
> HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
> - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS}
> ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3
> --libdir=${libdir} $target
> + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS}
> ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3
> --libdir=${baselib} $target
> perl ${B}/configdata.pm --dump
> }
>
> +do_compile:append () {
> + # The test suite binaries are large and we don't need the debugging in
> them
> + if test -d ${B}/test; then
> + find ${B}/test -type f -executable -exec ${STRIP} {} \;
> + fi
> +}
> +
> do_install () {
> - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw
> install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages',
> 'install_docs', '', d)}
> + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw
> install_ssldirs \
> + ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs',
> '', d)} \
> + ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '',
> d)}
>
> oe_multilib_header openssl/opensslconf.h
> oe_multilib_header openssl/configuration.h
> @@ -168,21 +179,30 @@ do_install () {
> ln -sf ${@oe.path.relative('${libdir}/ssl-3',
> '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
> ln -sf ${@oe.path.relative('${libdir}/ssl-3',
> '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
> ln -sf ${@oe.path.relative('${libdir}/ssl-3',
> '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
> +
> + # Generate fipsmodule.cnf in pkg_postinst_ontarget
> + if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)};
> then
> + rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
> + fi
> }
>
> do_install:append:class-native () {
> create_wrapper ${D}${bindir}/openssl \
> - OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
> - SSL_CERT_DIR=${libdir}/ssl-3/certs \
> - SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
> - OPENSSL_ENGINES=${libdir}/engines-3 \
> - OPENSSL_MODULES=${libdir}/ossl-modules
> + OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
> + SSL_CERT_DIR=\${SSL_CERT_DIR:-${libdir}/ssl-3/certs} \
> + SSL_CERT_FILE=\${SSL_CERT_FILE:-${libdir}/ssl-3/cert.pem} \
> + OPENSSL_ENGINES=\${OPENSSL_ENGINES:-${libdir}/engines-3} \
> + OPENSSL_MODULES=\${OPENSSL_MODULES:-${libdir}/ossl-modules}
> +
> + # Setting ENGINESDIR and MODULESDIR to invalid paths prevents host
> contamination,
> + # but also breaks the generated libcrypto.pc file. Post-Fix it manually
> here.
> + sed -i 's|^enginesdir=\($.libdir.\)/.*|enginesdir=\1/engines-3|'
> ${D}${libdir}/pkgconfig/libcrypto.pc
> + sed -i 's|^modulesdir=\($.libdir.\)/.*|modulesdir=\1/ossl-modules|'
> ${D}${libdir}/pkgconfig/libcrypto.pc
> }
>
> do_install:append:class-nativesdk () {
> mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
> - install -m 644 ${WORKDIR}/environment.d-openssl.sh
> ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
> - sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i
> ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
> + install -m 644 ${UNPACKDIR}/environment.d-openssl.sh
> ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
> }
>
> PTEST_BUILD_HOST_FILES += "configdata.pm"
> @@ -226,12 +246,18 @@ do_install_ptest() {
> ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers
> }
>
> +pkg_postinst_ontarget:${PN}-ossl-module-fips () {
> + if test -f ${libdir}/ossl-modules/fips.so; then
> + ${bindir}/openssl fipsinstall -out
> ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
> + fi
> +}
> +
> # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
> # package RRECOMMENDS on this package. This will enable the configuration
> # file to be installed for both the openssl-bin package and the libcrypto
> # package since the openssl-bin package depends on the libcrypto package.
>
> -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc
> ${PN}-ossl-module-legacy"
> +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc
> ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
>
> FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
> FILES:libssl = "${libdir}/libssl${SOLIBS}"
> @@ -243,6 +269,7 @@ FILES:${PN}-engines = "${libdir}/engines-3"
> FILES:${PN}-engines:append:mingw32:class-nativesdk = "
> ${prefix}${libdir}/engines-3"
> FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
> FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
> +FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so"
> FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
> FILES:${PN}:append:class-nativesdk = "
> ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
>
> @@ -254,9 +281,12 @@ RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules
> bash sed openssl-engines
>
> RDEPENDS:${PN}-bin += "openssl-conf"
>
> +# The test suite is installed stripped
> +INSANE_SKIP:${PN} = "already-stripped"
> +
> BBCLASSEXTEND = "native nativesdk"
>
> CVE_PRODUCT = "openssl:openssl"
>
> -CVE_VERSION_SUFFIX = "alphabetical"
> -
> +# this does not exist in scarthgap yet
> +UNPACKDIR = "${WORKDIR}"
--
Yoann Congal
Smile ECS
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#232322):
https://lists.openembedded.org/g/openembedded-core/message/232322
Mute This Topic: https://lists.openembedded.org/mt/117416676/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
