This SSL library is for hosts only
and not shipped as a build product,
therefore its performance quality (speed) is not critical.
Assembly code is broken in LibreSSL for some x86_64 hosts (part of git history)
and for some RISC host archs like armv7l, aarch64, powerpc, ppc64, etc...
so let's just disable it for all hosts.
For example, this fixes an instance on ARM hosts
where the host Python 3 builds broken modules which link to LibreSSL,
even with patches that enable LibreSSL support
with the import error "unexpected reloc type 3".
Ref: a395563f6 ("build: fix libressl build on x32 (amd64ilp32) host ")
Suggested-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Line up configure arguments for cleaner git diff and editing and grepping.
LibreSSL must be built with PIC, and has the flags for it already in CFLAGS.
Add the configure option native to LibreSSL to use only PIC in objects,
which further enforces that each object in the library has the PIC flag
to prevent a mixture of PIC / non-PIC objects within it.
Ref: 96a940308 ("tools: libressl: always build as PIC")
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.3-relnotes.txt
```
It includes the following security fix:
* A malicious certificate can cause an infinite loop.
Reported by and fix from Tavis Ormandy and David Benjamin, Google.
```
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.2-relnotes.txt
```
It includes the following security fix
* In some situations the X.509 verifier would discard an error on an
unverified certificate chain, resulting in an authentication bypass.
Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
```
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Upstream switched to building with CMake. Adjust accordingly.
Reapplied patch as upstream changed the file format.
Added HOST_BUILD_PARALLEL for faster compilation.
Added cmake tool dependency and removed circular dependencies as a
result.
Adjusted dependent tools to use NOCACHE as they are needed to build
ccache.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
libressl update to 3.2.1
Delete 001-dont-build-tests-man.patch
Add configure args :
--enable-static
--disable-tests
The patch (001-dont-build-tests-man.patch) no longer works with the current version.
Follow the patch notes:
Adding the --enable-static and --disable-tests parameters should replace the patch.
Signed-off-by: Yuan Tao <ty@wevs.org>
Making all in tests
depbase=`echo handshake_table.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
gcc -DPACKAGE_NAME=\"libressl\" -DPACKAGE_TARNAME=\"libressl\" -DPACKAGE_VERSION=\"2.9.2\" -DPACKAGE_STRING=\"libressl\ 2.9.2\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" -DPACKAGE=\"libressl\" -DVERSION=\"2.9.2\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DHAVE_SYMLINK=1 -DHAVE_ERR_H=1 -DHAVE_READPASSPHRASE_H=1 -DHAVE_ASPRINTF=1 -DHAVE_MEMMEM=1 -DHAVE_READPASSPHRASE=1 -DHAVE_STRLCAT=1 -DHAVE_STRLCPY=1 -DHAVE_STRNDUP=1 -DHAVE_STRNLEN=1 -DHAVE_STRSEP=1 -DHAVE_TIMEGM=1 -DHAVE_GETPROGNAME=1 -DHAVE_SYSLOG=1 -DHAVE_POLL=1 -DHAVE_SOCKETPAIR=1 -DHAVE_ARC4RANDOM=1 -DHAVE_ARC4RANDOM_BUF=1 -DHAVE_ARC4RANDOM_UNIFORM=1 -DHAVE_TIMINGSAFE_BCMP=1 -DHAVE_CLOCK_GETTIME=1 -DHAVE_VA_COPY=1 -DHAVE___VA_COPY=1 -DSIZEOF_TIME_T=8 -I. -I../include -I../include/compat -DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS= -I ../crypto/modes -I ../crypto/asn1 -I ../ssl -I ../tls -I ../apps/openssl -I ../apps/openssl/compat -D_PATH_SSL_CA_FILE=\"../apps/openssl/cert.pem\" -I/Users/kevin/wrt/staging_dir/host/include -D__STRICT_ALIGNMENT -O2 -I/Users/kevin/wrt/staging_dir/host/include -fpic -Wall -std=gnu99 -fno-strict-aliasing -fno-strict-overflow -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Qunused-arguments -Wno-pointer-sign -MT handshake_table.o -MD -MP -MF $depbase.Tpo -c -o handshake_table.o handshake_table.c &&\
mv -f $depbase.Tpo $depbase.Po
make[4]: *** No rule to make target `/Users/kevin/wrt/build_dir/host/libressl-2.9.2/crypto/.libs/libcrypto_la-cpuid-macosx-x86_64.o', needed by `handshake_table'. Stop.
make[3]: *** [all-recursive] Error 1
A similar error & clues from
e783d60473
"
LibreSSL 2.9.1 now has a test that requires libtls.a, however, when building a
shared library only build, the --disable-static flag is passed to libressl,
which prevents the building of libtls.a.
With libtls.a not being built, the following error occurs:
libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'. Stop.
There are three options to fix this:
1) Stick with autotools, and provide a patch that removes building anything in
the tests folder.
2) Pass --enable-static to LIBRESSL_CONF_OPTS
3) Change the package type to cmake, as a cmake build does not have this issue."
It appears we cannot change to cmake because cmake has a dependency on
an ssl library.
Take option 1 and do not build the tests.
Also take the opportunity to remove man page building as well.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Libressl version 2.7.0 and later implement more of the OpenSSL 1.1 API
and this needs some modifications of the code using it.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fixes link errors for host packages like ruby like the following:
/usr/bin/ld: .../staging_dir/host/lib/libcrypto.a(libcrypto_la-md5_dgst.o):
relocation R_X86_64_PC32 against symbol `memcpy@@GLIBC_2.14' can not be used when making a shared object; recompile with -fPIC
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Latest Xcode doesn't include openssl anymore. To compile
mkimage from u-boot source you need SSL headers on your host.
This patch provides libressl host package for any Darwin
compilation. Unfortunately openssl from MacPorts can not be
used, as the installed headers in /opt/local are breaking
GDB compilation. Tested with a RB532 image build and resulting
kernel booted on a device via TFTP.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [fixes, dependencies]
Josef Schlehofer