openssl: add a 1.1 version

Existing openssl 1.0 recipe is renamed to openssl10; it will
continue to be provided for as long as upstream supports it
(and there are still several recipes which do not work with openssl
1.1 due to API differences).

A few files (such as openssl binary) are no longer installed by openssl 1.0,
because they clash with openssl 1.1.

(From OE-Core rev: da1183f9fa5e06fbe66b5b31eb3313d5d35d11e3)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/conf/distro/include/no-static-libs.inc

@@ -25,6 +25,9 @@ DISABLE_STATIC_pn-openjade-native = ""
 DISABLE_STATIC_pn-openssl = ""
 DISABLE_STATIC_pn-openssl-native = ""
 DISABLE_STATIC_pn-nativesdk-openssl = ""
+DISABLE_STATIC_pn-openssl10 = ""
+DISABLE_STATIC_pn-openssl10-native = ""
+DISABLE_STATIC_pn-nativesdk-openssl10 = ""
 # libssp-static-dev included in build-appliance
 DISABLE_STATIC_pn-gcc-runtime = ""
 # libusb1-native is used to build static dfu-util-native

meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch

@@ -0,0 +1,49 @@
+From 3fdb1e2a16ea405c6731447a8994f222808ef7e6 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Fri, 7 Apr 2017 18:01:52 +0300
+Subject: [PATCH] Remove test that requires running as non-root
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ test/recipes/40-test_rehash.t | 17 +----------------
+ 1 file changed, 1 insertion(+), 16 deletions(-)
+
+diff --git a/test/recipes/40-test_rehash.t b/test/recipes/40-test_rehash.t
+index f902c23..c7567c1 100644
+--- a/test/recipes/40-test_rehash.t
++++ b/test/recipes/40-test_rehash.t
+@@ -23,7 +23,7 @@ setup("test_rehash");
+ plan skip_all => "test_rehash is not available on this platform"
+     unless run(app(["openssl", "rehash", "-help"]));
+ 
+-plan tests => 5;
++plan tests => 3;
+ 
+ indir "rehash.$$" => sub {
+     prepare();
+@@ -42,21 +42,6 @@ indir "rehash.$$" => sub {
+        'Testing rehash operations on empty directory');
+ }, create => 1, cleanup => 1;
+ 
+-indir "rehash.$$" => sub {
+-    prepare();
+-    chmod 0500, curdir();
+-  SKIP: {
+-      if (!ok(!open(FOO, ">unwritable.txt"),
+-              "Testing that we aren't running as a privileged user, such as root")) {
+-          close FOO;
+-          skip "It's pointless to run the next test as root", 1;
+-      }
+-      isnt(run(app(["openssl", "rehash", curdir()])), 1,
+-           'Testing rehash operations on readonly directory');
+-    }
+-    chmod 0700, curdir();       # make it writable again, so cleanup works
+-}, create => 1, cleanup => 1;
+-
+ sub prepare {
+     my @pemsourcefiles = sort glob(srctop_file('test', "*.pem"));
+     my @destfiles = ();
+-- 
+2.11.0
+

meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch

@@ -0,0 +1,43 @@
+From 08face4353d80111973aba9c1304c92158cfad0e Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 28 Mar 2017 16:40:12 +0300
+Subject: [PATCH] Take linking flags from LDFLAGS env var
+
+This fixes "No GNU_HASH in the elf binary" issues.
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ Configurations/unix-Makefile.tmpl | 2 +-
+ Configure                         | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index c029817..43b769b 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -173,7 +173,7 @@ CROSS_COMPILE= {- $config{cross_compile_prefix} -}
+ CC= $(CROSS_COMPILE){- $target{cc} -}
+ CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
+ CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
+-LDFLAGS= {- $target{lflags} -}
++LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -}
+ PLIB_LDFLAGS= {- $target{plib_lflags} -}
+ EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -}
+ LIB_CFLAGS={- $target{shared_cflag} || "" -}
+diff --git a/Configure b/Configure
+index aee7cc3..274d236 100755
+--- a/Configure
++++ b/Configure
+@@ -979,7 +979,7 @@ $config{build_file} = $target{build_file};
+ $config{defines} = [];
+ $config{cflags} = "";
+ $config{ex_libs} = "";
+-$config{shared_ldflag} = "";
++$config{shared_ldflag} = $ENV{'LDFLAGS'};
+ 
+ # Make sure build_scheme is consistent.
+ $target{build_scheme} = [ $target{build_scheme} ]
+-- 
+2.11.0
+

meta/recipes-connectivity/openssl/openssl/run-ptest

@@ -1,2 +1,4 @@
 #!/bin/sh
-make -k runtest
+cd test
+OPENSSL_ENGINES=../engines BLDTOP=.. SRCTOP=.. perl run_tests.pl
+cd ..

meta/recipes-connectivity/openssl/openssl10.inc

@@ -37,8 +37,6 @@ FILES_${PN} =+ " ${libdir}/ssl/*"
 FILES_${PN}-misc = "${libdir}/ssl/misc"
 RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
 
-PROVIDES += "openssl10"
-
 # Add the openssl.cnf file to the openssl-conf package.  Make the libcrypto
 # package RRECOMMENDS on this package.  This will enable the configuration
 # file to be installed for both the base openssl package and the libcrypto
@@ -254,3 +252,15 @@ do_install_append_class-native() {
 }
 
 BBCLASSEXTEND = "native nativesdk"
+
+PACKAGE_PREPROCESS_FUNCS += "openssl_package_preprocess"
+
+openssl_package_preprocess () {
+        for file in `find ${PKGD} -name *.h -o -name *.pc -o -name *.so`; do
+                rm $file
+        done
+        rm ${PKGD}/usr/bin/openssl
+        rm ${PKGD}/usr/bin/c_rehash
+        rmdir ${PKGD}/usr/bin
+
+}

meta/recipes-connectivity/openssl/openssl10/openssl-c_rehash.sh

@@ -0,0 +1,222 @@
+#!/bin/sh
+#
+# Ben Secrest <blsecres@gmail.com>
+#
+# sh c_rehash script, scan all files in a directory
+# and add symbolic links to their hash values.
+#
+# based on the c_rehash perl script distributed with openssl
+#
+# LICENSE: See OpenSSL license
+# ^^acceptable?^^
+#
+
+# default certificate location
+DIR=/etc/openssl
+
+# for filetype bitfield
+IS_CERT=$(( 1 << 0 ))
+IS_CRL=$(( 1 << 1 ))
+
+
+# check to see if a file is a certificate file or a CRL file
+# arguments:
+#       1. the filename to be scanned
+# returns:
+#       bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
+#
+check_file()
+{
+    local IS_TYPE=0
+
+    # make IFS a newline so we can process grep output line by line
+    local OLDIFS=${IFS}
+    IFS=$( printf "\n" )
+
+    # XXX: could be more efficient to have two 'grep -m' but is -m portable?
+    for LINE in $( grep '^-----BEGIN .*-----' ${1} )
+    do
+	if echo ${LINE} \
+	    | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
+	then
+	    IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))
+
+	    if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
+	    then
+	    	break
+	    fi
+	elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
+	then
+	    IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))
+
+	    if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
+	    then
+	    	break
+	    fi
+	fi
+    done
+
+    # restore IFS
+    IFS=${OLDIFS}
+
+    return ${IS_TYPE}
+}
+
+
+#
+# use openssl to fingerprint a file
+#    arguments:
+#	1. the filename to fingerprint
+#	2. the method to use (x509, crl)
+#    returns:
+#	none
+#    assumptions:
+#	user will capture output from last stage of pipeline
+#
+fingerprint()
+{
+    ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
+}
+
+
+#
+# link_hash - create links to certificate files
+#    arguments:
+#       1. the filename to create a link for
+#	2. the type of certificate being linked (x509, crl)
+#    returns:
+#	0 on success, 1 otherwise
+#
+link_hash()
+{
+    local FINGERPRINT=$( fingerprint ${1} ${2} )
+    local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
+    local SUFFIX=0
+    local LINKFILE=''
+    local TAG=''
+
+    if [ ${2} = "crl" ]
+    then
+    	TAG='r'
+    fi
+
+    LINKFILE=${HASH}.${TAG}${SUFFIX}
+
+    while [ -f ${LINKFILE} ]
+    do
+	if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
+	then
+	    echo "NOTE: Skipping duplicate file ${1}" >&2
+	    return 1
+	fi	
+
+	SUFFIX=$(( ${SUFFIX} + 1 ))
+	LINKFILE=${HASH}.${TAG}${SUFFIX}
+    done
+
+    echo "${3} => ${LINKFILE}"
+
+    # assume any system with a POSIX shell will either support symlinks or
+    # do something to handle this gracefully
+    ln -s ${3} ${LINKFILE}
+
+    return 0
+}
+
+
+# hash_dir create hash links in a given directory
+hash_dir()
+{
+    echo "Doing ${1}"
+
+    cd ${1}
+
+    ls -1 * 2>/dev/null | while read FILE
+    do
+        if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
+	    	&& [ -h "${FILE}" ]
+        then
+            rm ${FILE}
+        fi
+    done
+
+    ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE
+    do
+	REAL_FILE=${FILE}
+	# if we run on build host then get to the real files in rootfs
+	if [ -n "${SYSROOT}" -a -h ${FILE} ]
+	then
+	    FILE=$( readlink ${FILE} )
+	    # check the symlink is absolute (or dangling in other word)
+	    if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ]
+	    then
+		REAL_FILE=${SYSROOT}/${FILE}
+	    fi
+	fi
+
+	check_file ${REAL_FILE}
+        local FILE_TYPE=${?}
+	local TYPE_STR=''
+
+        if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
+        then
+            TYPE_STR='x509'
+        elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
+        then
+            TYPE_STR='crl'
+        else
+            echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2
+	    continue
+        fi
+
+	link_hash ${REAL_FILE} ${TYPE_STR} ${FILE}
+    done
+}
+
+
+# choose the name of an ssl application
+if [ -n "${OPENSSL}" ]
+then
+    SSL_CMD=$(which ${OPENSSL} 2>/dev/null)
+else
+    SSL_CMD=/usr/bin/openssl
+    OPENSSL=${SSL_CMD}
+    export OPENSSL
+fi
+
+# fix paths
+PATH=${PATH}:${DIR}/bin
+export PATH
+
+# confirm existance/executability of ssl command
+if ! [ -x ${SSL_CMD} ]
+then
+    echo "${0}: rehashing skipped ('openssl' program not available)" >&2
+    exit 0
+fi
+
+# determine which directories to process
+old_IFS=$IFS
+if [ ${#} -gt 0 ]
+then
+    IFS=':'
+    DIRLIST=${*}
+elif [ -n "${SSL_CERT_DIR}" ]
+then
+    DIRLIST=$SSL_CERT_DIR
+else
+    DIRLIST=${DIR}/certs
+fi
+
+IFS=':'
+
+# process directories
+for CERT_DIR in ${DIRLIST}
+do
+    if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
+    then
+        IFS=$old_IFS
+        hash_dir ${CERT_DIR}
+        IFS=':'
+    fi
+done

meta/recipes-connectivity/openssl/openssl10/run-ptest

@@ -0,0 +1,2 @@
+#!/bin/sh
+make -k runtest

meta/recipes-connectivity/openssl/openssl10_1.0.2l.bb

@@ -1,4 +1,4 @@
-require openssl.inc
+require openssl10.inc
 
 # For target side versions of openssl enable support for OCF Linux driver
 # if they are available.
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=057d9218c6180e1d9ee407572b2dd225"
 export DIRS = "crypto ssl apps engines"
 export OE_LDFLAGS="${LDFLAGS}"
 
-SRC_URI += "file://find.pl;subdir=${BP}/util/ \
+SRC_URI += "file://find.pl;subdir=openssl-${PV}/util/ \
             file://run-ptest \
             file://openssl-c_rehash.sh \
             file://configure-targets.patch \

meta/recipes-connectivity/openssl/openssl_1.1.0f.bb

@@ -0,0 +1,155 @@
+SUMMARY = "Secure Socket Layer"
+DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
+HOMEPAGE = "http://www.openssl.org/"
+BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
+SECTION = "libs/network"
+
+# "openssl | SSLeay" dual license
+LICENSE = "openssl"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=cae6da10f4ffd9703214776d2aabce32"
+
+BBCLASSEXTEND = "native nativesdk"
+
+SRC_URI[md5sum] = "7b521dea79ab159e8ec879d2333369fa"
+SRC_URI[sha256sum] = "12f746f3f2493b2f39da7ecf63d7ee19c6ac9ec6a4fcd8c229da8a522cb12765"
+
+SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+           file://run-ptest \
+           file://openssl-c_rehash.sh \
+           file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
+           file://0001-Remove-test-that-requires-running-as-non-root.patch \
+          "
+
+S = "${WORKDIR}/openssl-${PV}"
+
+inherit lib_package multilib_header ptest
+
+do_configure () {
+	os=${HOST_OS}
+	case $os in
+	linux-uclibc |\
+	linux-uclibceabi |\
+	linux-gnueabi |\
+	linux-uclibcspe |\
+	linux-gnuspe |\
+	linux-musl*)
+		os=linux
+		;;
+		*)
+		;;
+	esac
+	target="$os-${HOST_ARCH}"
+	case $target in
+	linux-arm)
+		target=linux-armv4
+		;;
+	linux-armeb)
+		target=linux-armv4
+		;;
+	linux-aarch64*)
+		target=linux-aarch64
+		;;
+	linux-sh3)
+		target=linux-generic32
+		;;
+	linux-sh4)
+		target=linux-generic32
+		;;
+	linux-i486)
+		target=linux-elf
+		;;
+	linux-i586 | linux-viac3)
+		target=linux-elf
+		;;
+	linux-i686)
+		target=linux-elf
+		;;
+	linux-gnux32-x86_64)
+		target=linux-x32
+		;;
+	linux-gnu64-x86_64)
+		target=linux-x86_64
+		;;
+	linux-mips)
+                # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
+		target="linux-mips32 ${TARGET_CC_ARCH}"
+		;;
+	linux-mipsel)
+		target="linux-mips32 ${TARGET_CC_ARCH}"
+		;;
+        linux-gnun32-mips*)
+               target=linux-mips64
+                ;;
+        linux-*-mips64 | linux-mips64)
+               target=linux64-mips64
+                ;;
+        linux-*-mips64el | linux-mips64el)
+               target=linux64-mips64
+                ;;
+	linux-microblaze*|linux-nios2*)
+		target=linux-generic32
+		;;
+	linux-powerpc)
+		target=linux-ppc
+		;;
+	linux-powerpc64)
+		target=linux-ppc64
+		;;
+	linux-supersparc)
+		target=linux-sparcv9
+		;;
+	linux-sparc)
+		target=linux-sparcv9
+		;;
+	darwin-i386)
+		target=darwin-i386-cc
+		;;
+	esac
+        useprefix=${prefix}
+        if [ "x$useprefix" = "x" ]; then
+                useprefix=/
+        fi
+	perl ./Configure ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=`basename ${libdir}` $target
+}
+
+#| engines/afalg/e_afalg.c: In function 'eventfd':
+#| engines/afalg/e_afalg.c:110:20: error: '__NR_eventfd' undeclared (first use in this function)
+#|      return syscall(__NR_eventfd, n);
+#|                     ^~~~~~~~~~~~
+EXTRA_OECONF_aarch64 += "no-afalgeng"
+
+#| ./libcrypto.so: undefined reference to `getcontext'
+#| ./libcrypto.so: undefined reference to `setcontext'
+#| ./libcrypto.so: undefined reference to `makecontext'
+EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC"
+
+do_install () {
+        oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
+        oe_multilib_header openssl/opensslconf.h
+}
+
+do_install_append_class-native () {
+        # Install a custom version of c_rehash that can handle sysroots properly.
+        # This version is used for example when installing ca-certificates during
+        # image creation.
+        install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
+        sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
+}
+
+do_install_ptest() {
+        cp -r * ${D}${PTEST_PATH}
+
+        # Putting .so files in ptest package will mess up the dependencies of the main openssl package
+        # so we rename them to .so.ptest and patch the test accordingly
+        mv ${D}${PTEST_PATH}/libcrypto.so ${D}${PTEST_PATH}/libcrypto.so.ptest
+        mv ${D}${PTEST_PATH}/libssl.so ${D}${PTEST_PATH}/libssl.so.ptest
+        sed -i 's/$target{shared_extension_simple}/".so.ptest"/' ${D}${PTEST_PATH}/test/recipes/90-test_shlibload.t
+}
+
+RDEPENDS_${PN}-ptest += "perl-module-file-spec-functions"
+
+FILES_${PN} =+ " ${libdir}/ssl-1.1/*"
+
+PACKAGES =+ "${PN}-engines"
+FILES_${PN}-engines = "${libdir}/engines-1.1"
+