Skip to content
This repository has been archived by the owner on Aug 15, 2024. It is now read-only.

Commit

Permalink
Update to internal 1-1.11-1
Browse files Browse the repository at this point in the history
Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com>
  • Loading branch information
dheerajpdsk committed Dec 31, 2023
1 parent 9ad1806 commit 7f53998
Show file tree
Hide file tree
Showing 104 changed files with 8,350 additions and 771 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,6 @@ SRC_URI:append:intel-ast2600 = " \
file://0034-Implement-the-IPMI-commands-in-FFUJ-mode-in-u-boot.patch \
file://0036-Disable-BMC-MMIO-Decode-on-VGA-SCU-register-bit.patch \
file://0037-Enable-I2C-clock-stretching-and-multi-master-support.patch \
file://0038-Disabling-serial-console-if-FFUJ-is-enabled.patch \
file://0044-Enable-WDT2-for-causing-reset-in-Kernel-u-boot-hang.patch \
"

Expand Down Expand Up @@ -103,12 +102,13 @@ PFR_SRC_URI = " \
file://0045-PFR-Skip-counting-WDT2-event-when-EXTRST-is-set.patch \
"

AUTOBOOT_SRC_URI = " \
U_BOOT_RELEASE_FEATURE = " \
file://0035-Remove-u-boot-delay-before-autoboot-in-release-image.patch \
file://0038-Disabling-serial-console-if-FFUJ-is-enabled.patch \
"

SRC_URI:append:intel-ast2600 += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', PFR_SRC_URI, '', d)}"
SRC_URI:append:intel-ast2600 += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', '', AUTOBOOT_SRC_URI, d)}"
SRC_URI:append:intel-ast2600 += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', '', U_BOOT_RELEASE_FEATURE, d)}"

do_install:append () {
install -m 0644 ${WORKDIR}/fw_env.config ${D}${sysconfdir}/fw_env.config
Expand Down
3 changes: 3 additions & 0 deletions meta-openbmc-mods/meta-common/classes/github-releases.bbclass
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
GITHUB_BASE_URI ?= "https://github.com/${BPN}/${BPN}/releases/"
UPSTREAM_CHECK_URI ?= "${GITHUB_BASE_URI}"
UPSTREAM_CHECK_REGEX ?= "releases/tag/v?(?P<pver>\d+(\.\d+)+)"
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,6 @@ IMAGE_INSTALL:append = " \
configure-usb-c \
zip \
peci-pcie \
collectd \
"

IMAGE_INSTALL:append = " ${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', 'pfr-manager', '', d)}"
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 17 Nov 2022 01:51:53 +0100
Subject: [PATCH] Emit error if requested service is not found

It currently just crashes instead of replying with error. Check return
value and emit error instead of passing NULL pointer to reply.

Fixes #375
---
avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
index 70d7687bc..406d0b441 100644
--- a/avahi-daemon/dbus-protocol.c
+++ b/avahi-daemon/dbus-protocol.c
@@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM
}

t = avahi_alternative_host_name(n);
- avahi_dbus_respond_string(c, m, t);
- avahi_free(t);
+ if (t) {
+ avahi_dbus_respond_string(c, m, t);
+ avahi_free(t);

- return DBUS_HANDLER_RESULT_HANDLED;
+ return DBUS_HANDLER_RESULT_HANDLED;
+ } else {
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
+ }
}

static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) {
@@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB
}

t = avahi_alternative_service_name(n);
- avahi_dbus_respond_string(c, m, t);
- avahi_free(t);
+ if (t) {
+ avahi_dbus_respond_string(c, m, t);
+ avahi_free(t);

- return DBUS_HANDLER_RESULT_HANDLED;
+ return DBUS_HANDLER_RESULT_HANDLED;
+ } else {
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
+ }
}

static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) {
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"

SRC_URI += " \
file://CVE-2023-1981.patch \
"
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001
From: Alistair Francis <alistair.francis@wdc.com>
Date: Thu, 29 Aug 2019 13:56:21 -0700
Subject: [PATCH] Add support for io_pgetevents_time64 syscall

32-bit architectures that are y2038 safe don't include syscalls that use
32-bit time_t. Instead these architectures have suffixed syscalls that
always use a 64-bit time_t. In the case of the io_getevents syscall the
syscall has been replaced with the io_pgetevents_time64 syscall instead.

This patch changes the io_getevents() function to use the correct
syscall based on the avaliable syscalls and the time_t size. We will
only use the new 64-bit time_t syscall if the architecture is using a
64-bit time_t. This is to avoid having to deal with 32/64-bit
conversions and relying on a 64-bit timespec struct on 32-bit time_t
platforms. As of Linux 5.3 there are no 32-bit time_t architectures
without __NR_io_getevents. In the future if a 32-bit time_t architecture
wants to use the 64-bit syscalls we can handle the conversion.

This fixes build failures on 32-bit RISC-V.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9819)
Upstream-Status: Accepted
---
engines/e_afalg.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)

diff --git a/engines/e_afalg.c b/engines/e_afalg.c
index dacbe358cb..99516cb1bb 100644
--- a/engines/e_afalg.c
+++ b/engines/e_afalg.c
@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
struct io_event *events,
struct timespec *timeout)
{
+#if defined(__NR_io_getevents)
return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
+#elif defined(__NR_io_pgetevents_time64)
+ /* Let's only support the 64 suffix syscalls for 64-bit time_t.
+ * This simplifies the code for us as we don't need to use a 64-bit
+ * version of timespec with a 32-bit time_t and handle converting
+ * between 64-bit and 32-bit times and check for overflows.
+ */
+ if (sizeof(timeout->tv_sec) == 8)
+ return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
+ else {
+ errno = ENOSYS;
+ return -1;
+ }
+#else
+# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
+#endif
}

static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
--
2.30.1

Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
From e5499a3cac1e823c3e0697e8667e952317b70cc8 Mon Sep 17 00:00:00 2001
From: Alistair Francis <alistair.francis@wdc.com>
Date: Thu, 4 Mar 2021 12:10:11 -0500
Subject: [PATCH] Fixup support for io_pgetevents_time64 syscall

This is a fixup for the original commit 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc
"Add support for io_pgetevents_time64 syscall" that didn't correctly
work for 32-bit architecutres with a 64-bit time_t that aren't RISC-V.

For a full discussion of the issue see:
https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14432)
Upstream-Status: Accepted
---
engines/e_afalg.c | 55 ++++++++++++++++++++++++++++++++++++-----------
1 file changed, 42 insertions(+), 13 deletions(-)

diff --git a/engines/e_afalg.c b/engines/e_afalg.c
index 9480d7c24b..4e9d67db2d 100644
--- a/engines/e_afalg.c
+++ b/engines/e_afalg.c
@@ -124,27 +124,56 @@ static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb)
return syscall(__NR_io_submit, ctx, n, iocb);
}

+/* A version of 'struct timespec' with 32-bit time_t and nanoseconds. */
+struct __timespec32
+{
+ __kernel_long_t tv_sec;
+ __kernel_long_t tv_nsec;
+};
+
static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
struct io_event *events,
struct timespec *timeout)
{
+#if defined(__NR_io_pgetevents_time64)
+ /* Check if we are a 32-bit architecture with a 64-bit time_t */
+ if (sizeof(*timeout) != sizeof(struct __timespec32)) {
+ int ret = syscall(__NR_io_pgetevents_time64, ctx, min, max, events,
+ timeout, NULL);
+ if (ret == 0 || errno != ENOSYS)
+ return ret;
+ }
+#endif
+
#if defined(__NR_io_getevents)
- return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
-#elif defined(__NR_io_pgetevents_time64)
- /* Let's only support the 64 suffix syscalls for 64-bit time_t.
- * This simplifies the code for us as we don't need to use a 64-bit
- * version of timespec with a 32-bit time_t and handle converting
- * between 64-bit and 32-bit times and check for overflows.
- */
- if (sizeof(timeout->tv_sec) == 8)
- return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
+ if (sizeof(*timeout) == sizeof(struct __timespec32))
+ /*
+ * time_t matches our architecture length, we can just use
+ * __NR_io_getevents
+ */
+ return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
else {
- errno = ENOSYS;
- return -1;
+ /*
+ * We don't have __NR_io_pgetevents_time64, but we are using a
+ * 64-bit time_t on a 32-bit architecture. If we can fit the
+ * timeout value in a 32-bit time_t, then let's do that
+ * and then use the __NR_io_getevents syscall.
+ */
+ if (timeout && timeout->tv_sec == (long)timeout->tv_sec) {
+ struct __timespec32 ts32;
+
+ ts32.tv_sec = (__kernel_long_t) timeout->tv_sec;
+ ts32.tv_nsec = (__kernel_long_t) timeout->tv_nsec;
+
+ return syscall(__NR_io_getevents, ctx, min, max, events, ts32);
+ } else {
+ return syscall(__NR_io_getevents, ctx, min, max, events, NULL);
+ }
}
-#else
-# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
#endif
+
+ errno = ENOSYS;
+ return -1;
}

static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
--
2.30.1

Original file line number Diff line number Diff line change
Expand Up @@ -11,23 +11,28 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8"

DEPENDS = "hostperl-runtime-native"

SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
PV = "1.0+git${SRCPV}"

S = "${WORKDIR}/git"

SRCREV = "3f499b24f3bcd66db022074f7e8b4f6ee266a3ae"

SRC_URI = "git://github.com/openssl/openssl.git;branch=OpenSSL_1_1_1-stable;protocol=https \
file://run-ptest \
file://0001-skip-test_symbol_presence.patch \
file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
file://afalg.patch \
file://reproducible.patch \
file://CVE-2022-0778.patch \
file://CVE-2022-1292-Fix-openssl-c_rehash.patch \
file://CVE-2022-2068-Fix-file-operations-in-c_rehash.patch \
file://CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch \
"

SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"

SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1"
SRC_URI:append:riscv32 = " \
file://0003-Add-support-for-io_pgetevents_time64-syscall.patch \
file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \
"

inherit lib_package multilib_header multilib_script ptest
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
Expand All @@ -37,6 +42,8 @@ PACKAGECONFIG:class-native = ""
PACKAGECONFIG:class-nativesdk = ""

PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
PACKAGECONFIG[no-tls1] = "no-tls1"
PACKAGECONFIG[no-tls1_1] = "no-tls1_1"

B = "${WORKDIR}/build"
do_configure[cleandirs] = "${B}"
Expand All @@ -56,6 +63,20 @@ EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"

# Disable deprecated crypto algorithms
# Retained for compatibilty
# des (curl)
# dh (python-ssl)
# dsa (rpm)
# md4 (cyrus-sasl freeradius hostapd)
# bf (wvstreams postgresql x11vnc crda znc cfengine)
# rc4 (freerdp librtorrent ettercap xrdp transmission pam-ssh-agent-auth php)
# rc2 (mailx)
# psk (qt5)
# srp (libest)
# whirlpool (qca)
DEPRECATED_CRYPTO_FLAGS = "no-ssl no-idea no-rc5 no-md2 no-camellia no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4"

do_configure () {
os=${HOST_OS}
case $os in
Expand Down Expand Up @@ -117,6 +138,9 @@ do_configure () {
linux-sparc | linux-supersparc)
target=linux-sparcv9
;;
mingw32-x86_64)
target=mingw64
;;
esac

useprefix=${prefix}
Expand All @@ -126,7 +150,7 @@ do_configure () {
# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
# environment variables set by bitbake. Adjust the environment variables instead.
HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
perl ${B}/configdata.pm --dump
}

Expand Down Expand Up @@ -184,6 +208,10 @@ do_install_ptest () {

install -d ${D}${PTEST_PATH}/engines
install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines

# seems to be needed with perl 5.32.1
install -d ${D}${PTEST_PATH}/util/perl/recipes
cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
}

# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
Expand All @@ -195,21 +223,30 @@ PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"

FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
FILES:libssl = "${libdir}/libssl${SOLIBS}"
FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
${libdir}/ssl-1.1/openssl.cnf* \
"
FILES:${PN}-engines = "${libdir}/engines-1.1"
FILES:${PN}-misc = "${libdir}/ssl-1.1/misc"
# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-1_1"
FILES:${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash"
FILES:${PN} =+ "${libdir}/ssl-1.1/*"
FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"

CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"

RRECOMMENDS:libcrypto += "openssl-conf"
RDEPENDS:${PN}-misc = "perl"
RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash"

RDEPENDS:${PN}-bin += "openssl-conf"

BBCLASSEXTEND = "native nativesdk"

CVE_PRODUCT = "openssl:openssl"

CVE_VERSION_SUFFIX = "alphabetical"

# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
# Apache in meta-webserver is already recent enough
CVE_CHECK_WHITELIST += "CVE-2019-0190"
Loading

0 comments on commit 7f53998

Please sign in to comment.