Age | Commit message | Author |
|
Fix CVE-2021-23839
Backport from OpenSSL 1.1.1
Fix CVE-2021-23840
Fix CVE-2021-23841
Patches are from openssl_1.0.2g-1ubuntu4.19.debian.tar.xz
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Fixes sourced from: openssl1.0_1.0.2n-1ubuntu5.5.debian.tar.xz
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
See: https://www.openssl.org/news/openssl-1.0.2-notes.html
Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
(CVE-2019-1563)
For built-in EC curves, ensure an EC_GROUP built from the curve name is used
even when parsing explicit parameters
Compute ECC cofactors if not provided during EC_GROUP construction
(CVE-2019-1547)
Document issue with installation paths in diverse Windows builds
(CVE-2019-1552)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
Issue: LIN1019-2231
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Issue: LIN1019-2229
Fix an issue w/ the original implementation to match other WR layers.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Note, disabling weak crypto may cause issues with linking with the FIPS
module -- as well as other protocols that may require the weak crypto.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
This should make things easier to manage in the future. Let rename commits.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
oe-core openssl_1.1.1 has this inherit which created the openssl-bin package. This is needed
for compatibility.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(oe-core: 31b0f25026145b81aca2b58aada2dbc7c8b0e420)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
The fix is heavily based on Khem's previous fix for bn.h/BN_LLONG breakage:
https://git.openembedded.org/openembedded-core/commit/?id=f787b0bb9b0626ddbf2ac94cb206c76716a3773d
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Cc: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(oe-core: 914e1520bf9c45e14bce9993c9131a2c0702b9c9)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
After adding #pragma once to wrapper header ( opensslconf.h ) this
latent issue got to bite us, where it expects bn.h to be including
openssl.h to define BN_* defines, which is fragile. This patch removes
the constraints for nested includes for bn.h
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(oe-core: f787b0bb9b0626ddbf2ac94cb206c76716a3773d)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
They work well now.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
(oe-core commit: 5514c6c136b4ea48cba7edb0831eb12e1870d7d2)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
This code is written with elfv1 ABI in mind and linked as such: disable
all optimizations at the moment when building for powerpc64 with musl.
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(oe-core: bee9e807430178426b2a5635b573ae285e889c39)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(oe-core: 03149ca307282c22dd9ceb6fe3224bf586b03f6d)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Backport patches to fix CVE-2018-0734 for both openssl 1.0.2p and 1.1.1
versions.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(oe-core: 9d5c6a87eb72a8b8b8d417126a831565982ca9a6)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
The configure script ended up creating Makefile with
LIBDIR=/lib
which got leaked into various places including all
pkg-config .pc files where lines like (note the
double slash //):
libdir=${exec_prefix}//lib
...
Libs: -L${libdir} -lcrypto
which causes pkg-config --libs to include the full absolute path
to the recipe specific sysroot. This isn't a big problem
until something like CMake projects start generating
their own .cmake modules using this absolute path and exposing
them to sysroots of other bitbake recipes thus escaping
their recipe specific sysroots.
Then the fun begins when these users of the .cmake module start
to randomly fail builds with error messages like:
/home/builder/src/base/build/tmp/work/corei7-64-linux/package/1.0-r0/recipe-sysroot-native/usr/bin/x86_64-linux/../../libexec/x86_64-linux/gcc/x86_64-linux/7.3.0/ld: cannot find /lib/libpthread.so.0
/home/builder/src/base/build/tmp/work/corei7-64-linux/package/1.0-r0/recipe-sysroot-native/usr/bin/x86_64-linux/../../libexec/x86_64-linux/gcc/x86_64-linux/7.3.0/ld: cannot find /usr/lib/libpthread_nonshared.a
collect2: error: ld returned 1 exit status
ninja: build stopped: subcommand failed.
WARNING: exit code 1 from a shell command.
As luck has it, this problem goes away by recompiling the recipes
alone but repeats with multiple recipes here and there when full
images are built.
A careful inspection of multi-page linker command lines shows
that some linker parameters point to libraries in a different
recipe's sysroot than what bitbake was building when the task
failed.
So, the fix is to remove this one extra slash from openssl
library path configuration option. This changes openssl
Makefile to have:
LIBDIR=lib
and all users of LIBDIR variable in the Makefile are already
adding slashes as path separators if that is needed.
With this the generated .pc files have:
libdir=${exec_prefix}/lib
and pkg-config --libs knows to strip the already default
sysroot path away.
This then fixes the generated .cmake files to not include
these absolute paths and fixes the random build failures
when building images.
Thanks to Thomas, Michael and Ross for debugging support!
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Cc: Thomas Witt <thomas.witt@bmw.de>
Cc: Michael Ho <michael.ho@bmw.de>
Cc: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(oe-core: d286e91bbdcecef16153313fe5e1e0e0cb469612)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(oe-core: 479d0e0d1002c025c9cbb0f03ed038c3feba44a7)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Current configuration for debian-mips64 is not correct;
'SIXTY_FOUR_BIT_LONG' needs to be specified. Otherwise,
it will cause other recipes like crda to fail to compile, since
the default THIRTY_TWO_BIT mode is used.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(oe-core: 68f82ceb289149885eb0b04547cb4f79a680183b)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Although the relative_symlinks class converts any absolute symlinks
in ${D} into relative symlinks automatically, it's a little clearer
to create relative symlinks directly where possible.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(oe-core: 959b4d30b5b11e4a098654b0d4469bbdf01b3812)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Formatting and comment tweaks only, no functional changes.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(oe-core: 06da559b5becee1b5fcc2263f6edd95f6d305fc2)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Merge duplicates + minor reformatting (no functional changes).
Note that the openssl 1.1 recipe still needs to be updated to handle
MIPS Release 6 ISA targets (e.g. linux-mipsisa32r6, etc).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(oe-core: bdc9e773c240716c2e2a60ca5d4313cfaa6188b1)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Since this will be the primary openssl, we don't need the openssl10 components.
This can cause compatibility issues if we don't have another OpenSSL version.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Bring in OpenSSL 1.0.2p:
repo: git://git.openembedded.org/openembedded-core
branch: sumo
commit: 84233553e963e26ca5f9f983662d4bd133176bb9
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|