This fixes the build failure caused by the OpenSSL update in Poky.
Import the OpenSSL patch set from NXP's whinlatter release. Since NXP's
whinlatter release is based on OpenSSL 3.5.4, rebase the patches on top
of OpenSSL 3.5.5 to match the current version.
https://onedigi.atlassian.net/browse/DEL-10019
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
We need to relax what ciphers are allowed with openssl-3.0 so that we do
not break Digi/RM. See DAL commit ec586a621c24f840ac7cc4f91241c55581698ba3
https://onedigi.atlassian.net/browse/DEL-7999
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Remove deprecated versions of recipes updated in other general layers
(poky, meta-openembedded). Also remove duplicated IMX specific recipes that
are available in other BSP layers (meta-freescale, meta-fsl-demos, etc).
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Port the recipe from the dunfell poky branch. This version contains the latest
vulnerability fixes, including CVE-2022-0778.
https://onedigi.atlassian.net/browse/DEL-7868
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
(cherry picked from commit be046db4faae911b2a858d748551c6c91fc54043)
This fixes the following CVEs:
* CVE-2021-3711
* CVE-2021-3712
Port the recipe and patches from the dunfell poky branch, since the hardknott
version contains additional changes aside from the revision update.
https://onedigi.atlassian.net/browse/DEL-7647
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit adds the support for the cryptodev
engine into OpenSSL. So OpenSSL can use hardware
accelerated support through the CAAM driver.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://jira.digi.com/browse/DEL-7439
The previous patch was outdated, but now that we have a working PKCS11 engine
and the cryptochip supports it, update the patch with the new engine info.
https://jira.digi.com/browse/DEL-6835
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This way, we assure that the openssl binary is included in the rootfs whenever
the base openssl package is included.
https://jira.digi.com/browse/DEL-6710
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Removed patches already integrated in the OpenSSL code and
refreshed the necessary ones.
https://jira.digi.com/browse/DEL-6412
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Our current OpenSSL libraries are only functional when applications link
against v1.0.2d or higher, making some packages containing pre-compiled
applications that link to older versions (like AWS Greengrass) fail to build
and/or run properly.
This commit includes:
* Changing SHLIB_EXT from so.1.0.2 to so.1.0.0
* Reverting the version-script to an older version with backwards
compatibility plus newer symbols
Specifically, these changes partially revert the patches added in the poky
layer's commits a59bfd05d15085a3dc5669b47fd19867246c846b and
73a43fc15e0463c39baaadecab78fb3ef51b8cd0 respectively.
Please note that this only modifies the cryptographic library's ABI, its code
remains unchanged.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
As of Yocto 2.0, the cryptodev module used as interface between
user-space and hardware encryption is the version 1.7.
According to that cryptodev's version documentation, the cryptodev
engine in openssh is outdated:
https://github.com/cryptodev-linux/cryptodev-linux/blob/cryptodev-linux-1.7/README
They provide an URL with two patches to update openssl. This commit
forward port those patches to the Openssl version used in this version
of Yocto.
https://jira.digi.com/browse/DEL-2501
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Javier Viguera
Isaac Hermida
Gabriel Valcazar
Mike Engel
Arturo Buzarra