public inbox for openembedded-core@lists.openembedded.org
* [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> 3.5.4
From: Peter Marko @ 2026-01-23 12:33 UTC (permalink / raw)
  To: openembedded-core; +Cc: Peter Marko

The intention of this RFC is to run the full autobuilder job matrix to see if
there are any failures not detected by my local testsuite.

The main topic for discussion is what the final form of this
upgrade should be, as some users may want to stay on the openssl 3.2.x originally
shipped with Yocto 5.0 Scarthgap.
The current form was chosen to make the recipe/patch differences easy to review.
Is it fine to overwrite, or do we need to keep both versions and make one
the default and the other optional? Which would be tested on the AB?

Peter Marko (1):
  openssl: upgrade 3.2.6 -> 3.5.4

 .../openssl/files/environment.d-openssl.sh    |  9 ++-
 ...ke-history-reporting-when-test-fails.patch | 19 +++--
 ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
 ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
 .../0001-extend-check_cwm-test-timeout.patch  | 32 ++++++++
 .../openssl/openssl/CVE-2024-41996.patch      | 44 -----------
 .../{openssl_3.2.6.bb => openssl_3.5.4.bb}    | 76 +++++++++++++------
 7 files changed, 116 insertions(+), 94 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => openssl_3.5.4.bb} (75%)




* [OE-core][scarthgap][RFC PATCH 1/1] openssl: upgrade 3.2.6 -> 3.5.4
From: Peter Marko @ 2026-01-23 12:33 UTC (permalink / raw)
  To: openembedded-core; +Cc: Peter Marko

From: Peter Marko <peter.marko@siemens.com>

OpenSSL 3.2 has reached EOL.
Some projects would like to use the LTS version due to the criticality and
exposure of this component, so upgrade to the 3.5 branch.

Copy the recipe from current master and add a UNPACKDIR definition at the end of
it, as this variable does not exist in scarthgap yet.

Disclaimers:
* this is a testing branch not intended to be merged in its current form
* running builds implementing the following Yocto AB testsuites showed only
  intermittent failures of the python ptest; otherwise the builds were ok:
  * qemuarm64
  * qemuarm64-alt
  * qemuarm64-ptest
  * qemuarm64-ptest-fast
  * qemuppc
  * qemuppc-tc
  * qemux64-world
  * qemux64-world-alt

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 .../openssl/files/environment.d-openssl.sh    |  9 ++-
 ...ke-history-reporting-when-test-fails.patch | 19 +++--
 ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
 ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
 .../0001-extend-check_cwm-test-timeout.patch  | 32 ++++++++
 .../openssl/openssl/CVE-2024-41996.patch      | 44 -----------
 .../{openssl_3.2.6.bb => openssl_3.5.4.bb}    | 76 +++++++++++++------
 7 files changed, 116 insertions(+), 94 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => openssl_3.5.4.bb} (75%)

diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
index d72edcb5ed..77747c1fda 100644
--- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1,14 +1,15 @@
-export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
+export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/openssl.cnf"
 export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
 export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES"
 
 # Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools
-# CAFILE/CAPATH is auto-deteced when source buildtools
+# CAFILE/CAPATH is auto-detected when source buildtools
 if [ -z "${SSL_CERT_FILE:-}" ]; then
 	if [ -n "${CAFILE:-}" ];then
 		export SSL_CERT_FILE="$CAFILE"
 	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
-		export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
+		export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt"
 	fi
 fi
 
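Review bot: the SSL_CERT_FILE branch tests for `${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt` but exports `$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt`; this only resolves because the recipe symlinks `${libdir}/ssl-3/certs` to `${sysconfdir}/ssl/certs` in do_install, so either test the path that is actually exported or add a comment stating that the script relies on that symlink. The new `BB_ENV_PASSTHROUGH_ADDITIONS` line makes OPENSSL_CONF, OPENSSL_MODULES and OPENSSL_ENGINES visible to a bitbake started from the SDK environment, which is a behaviour change for SDK users and deserves a sentence in the commit message.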
@@ -16,7 +17,7 @@ if [ -z "${SSL_CERT_DIR:-}" ]; then
 	if [ -n "${CAPATH:-}" ];then
 		export SSL_CERT_DIR="$CAPATH"
 	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
-		export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
+		export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs"
 	fi
 fi
 
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
index b05d7abf7c..5b7365a353 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -6,7 +6,6 @@ Subject: [PATCH] Added handshake history reporting when test fails
 Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
 
 Signed-off-by: William Lyu <William.Lyu@windriver.com>
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
 ---
  test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++----------
  test/helpers/handshake.h |  70 +++++++++++++++++++-
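Review bot: this hunk drops `Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>` from the carried patch while the rest of the refresh only shifts hunk offsets; unless the patch was regenerated from a different source, keep the existing sign-off, since it records who backported the change. While refreshing, also check whether `Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]` is still accurate for the 3.5 series and update it if the pull request has been merged or closed.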
@@ -14,10 +13,10 @@ Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
  3 files changed, 217 insertions(+), 34 deletions(-)
 
 diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
-index e0422469e4..ae2ad59dd4 100644
+index f611b3a..5703b48 100644
 --- a/test/helpers/handshake.c
 +++ b/test/helpers/handshake.c
-@@ -24,6 +24,102 @@
+@@ -25,6 +25,102 @@
  #include <netinet/sctp.h>
  #endif
  
@@ -120,7 +119,7 @@ index e0422469e4..ae2ad59dd4 100644
  HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
  {
      HANDSHAKE_RESULT *ret;
-@@ -725,15 +821,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
+@@ -726,15 +822,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
          SSL_set_post_handshake_auth(client, 1);
  }
  
@@ -136,7 +135,7 @@ index e0422469e4..ae2ad59dd4 100644
  /* An SSL object and associated read-write buffers. */
  typedef struct peer_st {
      SSL *ssl;
-@@ -1080,17 +1167,6 @@ static void do_shutdown_step(PEER *peer)
+@@ -1081,17 +1168,6 @@ static void do_shutdown_step(PEER *peer)
      }
  }
  
@@ -154,7 +153,7 @@ index e0422469e4..ae2ad59dd4 100644
  static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
  {
      switch (test_ctx->handshake_mode) {
-@@ -1168,19 +1244,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
+@@ -1169,19 +1245,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
      }
  }
  
@@ -174,7 +173,7 @@ index e0422469e4..ae2ad59dd4 100644
  /*
   * Determine the handshake outcome.
   * last_status: the status of the peer to have acted last.
-@@ -1545,6 +1608,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+@@ -1546,6 +1609,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
  
      start = time(NULL);
  
@@ -185,7 +184,7 @@ index e0422469e4..ae2ad59dd4 100644
      /*
       * Half-duplex handshake loop.
       * Client and server speak to each other synchronously in the same process.
-@@ -1566,6 +1633,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+@@ -1567,6 +1634,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
                                        0 /* server went last */);
          }
  
@@ -197,7 +196,7 @@ index e0422469e4..ae2ad59dd4 100644
          case HANDSHAKE_SUCCESS:
              client_turn_count = 0;
 diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
-index 78b03f9f4b..b9967c2623 100644
+index 78b03f9..b9967c2 100644
 --- a/test/helpers/handshake.h
 +++ b/test/helpers/handshake.h
 @@ -1,5 +1,5 @@
@@ -302,7 +301,7 @@ index 78b03f9f4b..b9967c2623 100644
 +
  #endif  /* OSSL_TEST_HANDSHAKE_HELPER_H */
 diff --git a/test/ssl_test.c b/test/ssl_test.c
-index ea608518f9..9d6b093c81 100644
+index ea60851..9d6b093 100644
 --- a/test/ssl_test.c
 +++ b/test/ssl_test.c
 @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
index 3f6ab97795..cf5ff356ee 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -17,10 +17,10 @@ Signed-off-by: Tim Orling <tim.orling@konsulko.com>
  1 file changed, 10 deletions(-)
 
 diff --git a/Configure b/Configure
-index 4569952..adf019b 100755
+index fff97bd..5ee54c1 100755
 --- a/Configure
 +++ b/Configure
-@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
          push @{$config{shared_ldflag}}, "-mno-cygwin";
          }
  
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index ce2acb2462..dadc034c91 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -30,23 +30,26 @@ Update to fix buildpaths qa issue for '-ffile-prefix-map'.
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 
 ---
- Configurations/unix-Makefile.tmpl | 12 +++++++++++-
+ Configurations/unix-Makefile.tmpl | 16 +++++++++++++++-
  crypto/build.info                 |  2 +-
- 2 files changed, 12 insertions(+), 2 deletions(-)
+ 2 files changed, 16 insertions(+), 2 deletions(-)
 
-Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
-===================================================================
---- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl
-+++ openssl-3.0.4/Configurations/unix-Makefile.tmpl
-@@ -481,13 +481,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 09303c4..011bda1 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -513,13 +513,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
                           '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
  BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
  
 -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h
 +# *_Q variables are used for one thing only: to build up buildinf.h
  CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g;
++              $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g;
                $cppflags2 =~ s|([\\"])|\\$1|g;
++              $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g;
                $lib_cppflags =~ s|([\\"])|\\$1|g;
++              $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g;
                join(' ', $lib_cppflags || (), $cppflags2 || (),
                          $cppflags1 || ()) -}
  
@@ -54,6 +57,7 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
 +              s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
 +              s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
 +              s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
++              s|-isystem/[^ ]+/usr/include ||g;
 +            }
 +            join(' ', @{$config{CFLAGS}}) -}
 +
@@ -63,10 +67,10 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
  PERLASM_SCHEME= {- $target{perlasm_scheme} -}
  
  # For x86 assembler: Set PROCESSOR to 386 if you want to support
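Review bot: the three new `-isystem` substitutions in the `CPPFLAGS_Q` block use `-isystem/[^ ]+/usr/include` with no trailing space, while the new line in the CFLAGS block uses `-isystem/[^ ]+/usr/include ` with one, so the two blocks leave different whitespace in the strings that end up in buildinf.h; use the same expression in all four places (and note that neither form matches `-isystem <path>` written with a separating space, if that spelling can occur). Since the patch now also strips `-isystem` sysroot paths, not only the prefix-map options, its description (which still talks only about `-ffile-prefix-map`) should say so, as this is what keeps host sysroot paths out of `openssl version -f` output and the buildpaths QA check.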
-Index: openssl-3.0.4/crypto/build.info
-===================================================================
---- openssl-3.0.4.orig/crypto/build.info
-+++ openssl-3.0.4/crypto/build.info
+diff --git a/crypto/build.info b/crypto/build.info
+index aee5c46..95c9577 100644
+--- a/crypto/build.info
++++ b/crypto/build.info
 @@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
  
  DEPEND[info.o]=buildinf.h
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
new file mode 100644
index 0000000000..d02d42f1b5
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
@@ -0,0 +1,32 @@
+From c7000672296f4c367341aa3415f26c4d9f5e4749 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 23 Oct 2025 11:24:36 +0200
+Subject: [PATCH] extend check_cwm test timeout
+
+The default, 3s long test timeout isn't always enough for this
+particular test in case there is a high load on the host machine
+(assuming it is running in qemu). Extend the default timeout to 6s
+for the check_cwm test to avoid timeouts.
+
+Upstream-Status: Inappropriate [upstream issue: https://github.com/openssl/openssl/issues/28983]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ test/radix/main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/test/radix/main.c b/test/radix/main.c
+index 4a1e886a71..39f8c61ef9 100644
+--- a/test/radix/main.c
++++ b/test/radix/main.c
+@@ -25,6 +25,11 @@ static int test_script(int idx)
+     int testresult;
+     TERP_CONFIG cfg = {0};
+ 
++    // check_cwm test sometimes times out, the default 3000ms is
++    // not enough if the test execution starves for CPU
++    if (!strncmp("check_cwm", script_info->name, strlen("check_cwm")))
++        cfg.max_execution_time = ossl_ms2time(6000);
++
+     if (!TEST_true(bindings_process_init(0, 0)))
+         return 0;
+ 
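Review bot: the added lines use `//` comments, which OpenSSL's coding style rejects in favour of `/* */`; harmless for an `Upstream-Status: Inappropriate` patch but easy to fix. The match relies on `strncmp`/`strlen`, so confirm `<string.h>` is already included by test/radix/main.c (not visible in this context), and be aware that the prefix match also catches any other script whose name starts with `check_cwm`, which is presumably intended.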
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
deleted file mode 100644
index dc18e0bef1..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Mon, 5 Aug 2024 17:54:14 +0200
-Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
- safe-prime groups
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The partial validation is fully sufficient to check the key validity.
-
-Thanks to Szilárd Pfeiffer for reporting the issue.
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/25088)
-
-CVE: CVE-2024-41996
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
-index 82c3093b12..ebdce76710 100644
---- a/providers/implementations/keymgmt/dh_kmgmt.c
-+++ b/providers/implementations/keymgmt/dh_kmgmt.c
-@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int checktype)
-     if (pub_key == NULL)
-         return 0;
- 
--    /* The partial test is only valid for named group's with q = (p - 1) / 2 */
--    if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
--        && ossl_dh_is_named_safe_prime_group(dh))
-+    /*
-+     * The partial test is only valid for named group's with q = (p - 1) / 2
-+     * but for that case it is also fully sufficient to check the key validity.
-+     */
-+    if (ossl_dh_is_named_safe_prime_group(dh))
-         return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
- 
-     return DH_check_pub_key_ex(dh, pub_key);
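Review bot: the deleted backport is dated August 2024 and was merged upstream via the referenced pull request, so it is expected to be part of the 3.5 series; state that in the commit message ("drop CVE-2024-41996.patch, fixed upstream") so the CVE history of the recipe stays traceable from git log, and re-run cve-check against the new version before this leaves RFC state.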
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb b/meta/recipes-connectivity/openssl/openssl_3.5.4.bb
similarity index 75%
rename from meta/recipes-connectivity/openssl/openssl_3.2.6.bb
rename to meta/recipes-connectivity/openssl/openssl_3.5.4.bb
index 4756f5aaa6..377d307203 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.4.bb
@@ -7,19 +7,19 @@ SECTION = "libs/network"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
 
-SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/openssl-${PV}.tar.gz \
+SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
            file://0001-Added-handshake-history-reporting-when-test-fails.patch \
-           file://CVE-2024-41996.patch \
+           file://0001-extend-check_cwm-test-timeout.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "89681a9ddaa9ed7cf25ea8ef61338db805200bae47d00510490623547380c148"
+SRC_URI[sha256sum] = "967311f84955316969bdb1d8d4b983718ef42338639c621ec4c34fddef355e99"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
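Review bot: SRC_URI changes from the GitHub release URL to `http://www.openssl.org/source/openssl-${PV}.tar.gz`; the download is still pinned by `SRC_URI[sha256sum]`, so the contents are verified, but a plain `http://` fetch gives no transport protection and will typically be redirected to https anyway. Prefer `https://www.openssl.org/source/...` (or keep the GitHub releases URL) and confirm this is the form in master rather than an accidental revert. `LIC_FILES_CHKSUM` is unchanged across the 3.2 -> 3.5 jump, which is plausible for an Apache-2.0 LICENSE.txt but worth an explicit check.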
@@ -32,10 +32,13 @@ PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,crypt
 PACKAGECONFIG[no-tls1] = "no-tls1"
 PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
 PACKAGECONFIG[manpages] = ""
+PACKAGECONFIG[fips] = "enable-fips"
 
 B = "${WORKDIR}/build"
 do_configure[cleandirs] = "${B}"
 
+EXTRA_OECONF = "${@bb.utils.contains('PTEST_ENABLED', '1', '', 'no-tests', d)}"
+
 #| ./libcrypto.so: undefined reference to `getcontext'
 #| ./libcrypto.so: undefined reference to `setcontext'
 #| ./libcrypto.so: undefined reference to `makecontext'
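Review bot: `PACKAGECONFIG[fips] = "enable-fips"` builds the FIPS provider from the release tarball, but a module built this way is not the FIPS 140 validated module; a one-line comment next to the option would stop users of a stable branch from reading the package name as a compliance claim. The new `EXTRA_OECONF` assignment adds `no-tests` whenever ptest is disabled, so the test binaries are only built (and later stripped) for ptest-enabled builds; worth a sentence in the commit message because it changes the default build output.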
@@ -44,12 +47,15 @@ EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
 
 # adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
 # (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
-EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
-EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
+EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom"
+EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom"
 
 # Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
-CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+EXTRA_OEMAKE:append:task-compile:class-native = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
+EXTRA_OEMAKE:append:task-compile:class-nativesdk = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
+
+#| threads_pthread.c:(.text+0x372): undefined reference to `__atomic_is_lock_free'
+EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"
 
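Review bot: `EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"` passes a linker flag through EXTRA_OECONF, which the comment in do_configure in this same recipe warns against ("do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF"); Configure accepts bare `-l` options, so it works, but either move it to `LDFLAGS:append:toolchain-clang:x86` or relax the comment so the two do not contradict each other. Switching the class-native/class-nativesdk lines from `=` to `:append` also means they now inherit the base EXTRA_OECONF, including `no-tests`, where the old form replaced it; that is a behaviour change for native builds and deserves a mention.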
 # This allows disabling deprecated or undesirable crypto algorithms.
 # The default is to trust upstream choices.
@@ -136,21 +142,26 @@ do_configure () {
 		;;
 	esac
 
-	useprefix=${prefix}
-	if [ "x$useprefix" = "x" ]; then
-		useprefix=/
-	fi
 	# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
 	# environment variables set by bitbake. Adjust the environment variables instead.
 	PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
 	test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
 	HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
-	perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
+	perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target
 	perl ${B}/configdata.pm --dump
 }
 
+do_compile:append () {
+	# The test suite binaries are large and we don't need the debugging in them
+	if test -d ${B}/test; then
+		find ${B}/test -type f -executable -exec ${STRIP} {} \;
+	fi
+}
+
 do_install () {
-	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)}
+	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \
+	    ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \
+	    ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)}
 
 	oe_multilib_header openssl/opensslconf.h
 	oe_multilib_header openssl/configuration.h
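Review bot: the `useprefix` fallback to `/` for an empty prefix is dropped without replacement, so a configuration with an empty `prefix` now passes `--prefix=` to Configure; fine if that case is unsupported, but say so. The new do_compile:append runs `${STRIP}` on every executable file under ${B}/test; if any of those are scripts rather than ELF objects, strip fails on them and `find -exec ... \;` silently ignores the failure, so a file-type filter (or `-exec ... {} +` to batch) would make the step quieter and its intent clearer.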
@@ -168,21 +179,30 @@ do_install () {
 	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
 	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
 	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+
+	# Generate fipsmodule.cnf in pkg_postinst_ontarget
+	if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+		rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
+	fi
 }
 
 do_install:append:class-native () {
 	create_wrapper ${D}${bindir}/openssl \
-	    OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
-	    SSL_CERT_DIR=${libdir}/ssl-3/certs \
-	    SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
-	    OPENSSL_ENGINES=${libdir}/engines-3 \
-	    OPENSSL_MODULES=${libdir}/ossl-modules
+	    OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
+	    SSL_CERT_DIR=\${SSL_CERT_DIR:-${libdir}/ssl-3/certs} \
+	    SSL_CERT_FILE=\${SSL_CERT_FILE:-${libdir}/ssl-3/cert.pem} \
+	    OPENSSL_ENGINES=\${OPENSSL_ENGINES:-${libdir}/engines-3} \
+	    OPENSSL_MODULES=\${OPENSSL_MODULES:-${libdir}/ossl-modules}
+
+	# Setting ENGINESDIR and MODULESDIR to invalid paths prevents host contamination,
+	# but also breaks the generated libcrypto.pc file. Post-Fix it manually here.
+	sed -i 's|^enginesdir=\($.libdir.\)/.*|enginesdir=\1/engines-3|' ${D}${libdir}/pkgconfig/libcrypto.pc
+	sed -i 's|^modulesdir=\($.libdir.\)/.*|modulesdir=\1/ossl-modules|' ${D}${libdir}/pkgconfig/libcrypto.pc
 }
 
 do_install:append:class-nativesdk () {
 	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
-	install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
-	sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+	install -m 644 ${UNPACKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
 }
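Review bot: the wrapper now lets `OPENSSL_CONF`, `OPENSSL_ENGINES` and `OPENSSL_MODULES` from the caller's environment override the built-in defaults (`\${OPENSSL_CONF:-...}`) where the old wrapper forced them; for openssl-native this means the environment a build runs in can redirect the host tool to another configuration, engine or provider directory, which is the intended fit with environment.d-openssl.sh but should be spelled out in the commit message. The `sed` expressions match `${libdir}` in libcrypto.pc as `$.libdir.` because a literal `${libdir}` in the shell function would be expanded by bitbake before the script runs; add a comment saying so, otherwise the next reader "fixes" the regex. `${UNPACKDIR}` is referenced here before the `UNPACKDIR = "${WORKDIR}"` assignment at the end of the file, which is fine because expansion is deferred to task execution, but the comment there could point at this use.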
 
 PTEST_BUILD_HOST_FILES += "configdata.pm"
@@ -226,12 +246,18 @@ do_install_ptest() {
 	ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers
 }
 
+pkg_postinst_ontarget:${PN}-ossl-module-fips () {
+	if test -f ${libdir}/ossl-modules/fips.so; then
+		${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
+	fi
+}
+
 # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
 # package RRECOMMENDS on this package. This will enable the configuration
 # file to be installed for both the openssl-bin package and the libcrypto
 # package since the openssl-bin package depends on the libcrypto package.
 
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
 
 FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
 FILES:libssl = "${libdir}/libssl${SOLIBS}"
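Review bot: `pkg_postinst_ontarget:${PN}-ossl-module-fips` only checks that fips.so exists before calling `${bindir}/openssl fipsinstall`, but nothing makes the package depend on `openssl-bin`; if the binary is absent on the target the postinst fails, so add `RDEPENDS:${PN}-ossl-module-fips += "openssl-bin"`. Also note that fipsinstall only writes the module's self-test checksum into fipsmodule.cnf; as far as this diff shows, openssl.cnf is not changed to include it or to activate the fips provider, so the PACKAGECONFIG comment should state that enabling `fips` builds and self-tests the module but does not switch the default provider.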
@@ -243,6 +269,7 @@ FILES:${PN}-engines = "${libdir}/engines-3"
 FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
 FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
 FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so"
 FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
 FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
 
@@ -254,9 +281,12 @@ RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines
 
 RDEPENDS:${PN}-bin += "openssl-conf"
 
+# The test suite is installed stripped
+INSANE_SKIP:${PN} = "already-stripped"
+
 BBCLASSEXTEND = "native nativesdk"
 
 CVE_PRODUCT = "openssl:openssl"
 
-CVE_VERSION_SUFFIX = "alphabetical"
-
+# this does not exist in scarthgap yet
+UNPACKDIR = "${WORKDIR}"
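Review bot: `CVE_VERSION_SUFFIX = "alphabetical"` is removed; that setting only matters for letter-suffixed versions such as 1.1.1w, so dropping it for 3.5.4 is fine, but it is a behaviour change for cve-check and deserves a line in the commit message. The trailing `UNPACKDIR = "${WORKDIR}"` is the one deliberate divergence from master; make the comment say that explicitly (e.g. "scarthgap only: bitbake does not define UNPACKDIR here, map it to WORKDIR") so it is removed rather than carried along on the next refresh.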



* Re: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> 3.5.4
From: Yoann Congal @ 2026-01-23 17:02 UTC (permalink / raw)
  To: peter.marko; +Cc: openembedded-core


On Fri, 23 Jan 2026 at 13:33, Peter Marko via lists.openembedded.org
<peter.marko=siemens.com@lists.openembedded.org> wrote:

> Intention of this RFC is to run full autobuilder job matrix to see if
> there are any failures not detected by my local testsuite.
>

I created a poky branch with this patch:
https://git.yoctoproject.org/poky-contrib/log/?h=ycongal/scarthgap/openssl_3.5_upgrade
(above my -nut branch to decrease the probability of an unrelated AB-INT
failure)

I've started the build:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118


> Topic for discussion is especially what should be the final form of this
> upgrade as some users may want to stay on openssl 3.2.x originally
> shipped with Yocto 5.0 Scarthgap.
> Current form was chosen to easily review recipe/patch differences.
> Is it fine to overwrite or do we need to keep both version and make one
> the default and other optional? Which would be tested on AB?
>
> Peter Marko (1):
>   openssl: upgrade 3.2.6 -> 3.5.4
>
>  .../openssl/files/environment.d-openssl.sh    |  9 ++-
>  ...ke-history-reporting-when-test-fails.patch | 19 +++--
>  ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
>  ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
>  .../0001-extend-check_cwm-test-timeout.patch  | 32 ++++++++
>  .../openssl/openssl/CVE-2024-41996.patch      | 44 -----------
>  .../{openssl_3.2.6.bb => openssl_3.5.4.bb}    | 76 +++++++++++++------
>  7 files changed, 116 insertions(+), 94 deletions(-)
>  create mode 100644
> meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
>  delete mode 100644
> meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
>  rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb =>
> openssl_3.5.4.bb} (75%)
>
>

-- 
Yoann Congal
Smile ECS



* Re: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> 3.5.4
From: Yoann Congal @ 2026-01-24 10:29 UTC (permalink / raw)
  To: peter.marko; +Cc: openembedded-core


On Fri, 23 Jan 2026 at 18:02, Yoann Congal <yoann.congal@smile.fr>
wrote:

> On Fri, 23 Jan 2026 at 13:33, Peter Marko via lists.openembedded.org
> <peter.marko=siemens.com@lists.openembedded.org> wrote:
>
>> Intention of this RFC is to run full autobuilder job matrix to see if
>> there are any failures not detected by my local testsuite.
>>
>
> I created a poky branch with this patch:
> https://git.yoctoproject.org/poky-contrib/log/?h=ycongal/scarthgap/openssl_3.5_upgrade
> (above my -nut branch to decrease the probability of an unrelated AB-INT
> failure)
>
> I've started the build:
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118
>

a-full build was successful:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118


> Topic for discussion is especially what should be the final form of this
>> upgrade as some users may want to stay on openssl 3.2.x originally
>> shipped with Yocto 5.0 Scarthgap.
>> Current form was chosen to easily review recipe/patch differences.
>> Is it fine to overwrite or do we need to keep both version and make one
>> the default and other optional? Which would be tested on AB?
>>
>> Peter Marko (1):
>>   openssl: upgrade 3.2.6 -> 3.5.4
>>
>>  .../openssl/files/environment.d-openssl.sh    |  9 ++-
>>  ...ke-history-reporting-when-test-fails.patch | 19 +++--
>>  ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
>>  ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
>>  .../0001-extend-check_cwm-test-timeout.patch  | 32 ++++++++
>>  .../openssl/openssl/CVE-2024-41996.patch      | 44 -----------
>>  .../{openssl_3.2.6.bb => openssl_3.5.4.bb}    | 76 +++++++++++++------
>>  7 files changed, 116 insertions(+), 94 deletions(-)
>>  create mode 100644
>> meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
>>  delete mode 100644
>> meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
>>  rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb =>
>> openssl_3.5.4.bb} (75%)
>>
>>
>
> --
> Yoann Congal
> Smile ECS
>


-- 
Yoann Congal
Smile ECS


* RE: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> 3.5.4
  2026-01-24 10:29   ` Yoann Congal
@ 2026-01-24 12:18     ` Marko, Peter
  0 siblings, 0 replies; 11+ messages in thread
From: Marko, Peter @ 2026-01-24 12:18 UTC (permalink / raw)
  To: Yoann Congal; +Cc: openembedded-core@lists.openembedded.org



> -----Original Message-----
> From: Yoann Congal <yoann.congal@smile.fr>
> Sent: Saturday, January 24, 2026 11:30
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 ->
> 3.5.4
> > 
> > 	I've started the build :
> > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118
> > 
> 
> a-full build was successful:
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118
> 

Thanks a lot for running the build.

Peter


* Re: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> 3.5.4
  2026-01-23 17:02 ` [OE-core][scarthgap][RFC PATCH 0/1] " Yoann Congal
  2026-01-24 10:29   ` Yoann Congal
@ 2026-01-28 11:04   ` Yoann Congal
  2026-01-31 18:47     ` Marko, Peter
  1 sibling, 1 reply; 11+ messages in thread
From: Yoann Congal @ 2026-01-28 11:04 UTC (permalink / raw)
  To: peter.marko; +Cc: openembedded-core

On Fri 23 Jan 2026 at 18:02, Yoann Congal <yoann.congal@smile.fr> wrote:

> On Fri 23 Jan 2026 at 13:33, Peter Marko via lists.openembedded.org
> <peter.marko=siemens.com@lists.openembedded.org> wrote:
>
>> Intention of this RFC is to run full autobuilder job matrix to see if
>> there are any failures not detected by my local testsuite.
>>
>
> I created a poky branch with this patch :
> https://git.yoctoproject.org/poky-contrib/log/?h=ycongal/scarthgap/openssl_3.5_upgrade
> (above my -nut branch to decrease the probability of an unrelated AB-INT
> failure)
>
> I've started the build :
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118
>

Hello,

As discussed during the tech call of last Tuesday, I've started builds:
* a new a-full with the branch rebased on the latest scarthgap (now the branch
is only scarthgap + this upgrade)
  * https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3133/
failed on an unrelated AB-INT issue (#15945) but is otherwise OK
* a meta-oe build (which includes a world build for meta-oe, meta-python,
meta-networking & meta-filesystems):
  * https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1277
  * *Failed on python3-m2crypto* (log.do_compile =>
https://gist.github.com/ycongal-smile/4c6501ecd81c9f475b793234cceb7a74)
* to compare, I've started the same build with a vanilla scarthgap branch
(without the openssl upgrade):
  * https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1278
=> success (albeit with warnings)

Can you investigate this python3-m2crypto failure?

Also, the "meta-oe" build does not cover every layer in meta-openembedded,
I think I will increase coverage to all the meta-openembedded layers for
the next run...


-- 
Yoann Congal
Smile ECS


* RE: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> 3.5.4
  2026-01-28 11:04   ` Yoann Congal
@ 2026-01-31 18:47     ` Marko, Peter
  2026-02-02 15:38       ` Yoann Congal
  0 siblings, 1 reply; 11+ messages in thread
From: Marko, Peter @ 2026-01-31 18:47 UTC (permalink / raw)
  To: Yoann Congal; +Cc: openembedded-core@lists.openembedded.org

I have checked the m2crypto build issue and found out that I had to fix this for newer Yocto releases already.
https://git.openembedded.org/meta-openembedded/commit/?id=f9158ce32fffa6f18eed4008c3295146c81d55ea
Applying this commit to scarthgap works, so I have submitted it.
https://lists.openembedded.org/g/openembedded-devel/message/124019

Peter


* Re: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> 3.5.4
  2026-01-31 18:47     ` Marko, Peter
@ 2026-02-02 15:38       ` Yoann Congal
  2026-02-26 21:46         ` Yoann Congal
  0 siblings, 1 reply; 11+ messages in thread
From: Yoann Congal @ 2026-02-02 15:38 UTC (permalink / raw)
  To: Marko, Peter; +Cc: openembedded-core@lists.openembedded.org

On Sat 31 Jan 2026 at 19:47, Marko, Peter <Peter.Marko@siemens.com> wrote:

> I have checked the m2crypto build issue and found out that I had to fix
> this for newer Yocto releases already.
>
>
> https://git.openembedded.org/meta-openembedded/commit/?id=f9158ce32fffa6f18eed4008c3295146c81d55ea
>
> Applying this commit to scarthgap works, so I have submitted it.
>
> https://lists.openembedded.org/g/openembedded-devel/message/124019
>

Thanks Peter,

I've put that m2crypto patch on a branch and ran a full meta-openembedded
world build (every layer under meta-openembedded)
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/81/builds/1285
=> Only warnings (reference to TMPDIR [buildpaths]) that are most likely
not related to the openssl upgrade


-- 
Yoann Congal
Smile ECS


* Re: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> 3.5.4
  2026-02-02 15:38       ` Yoann Congal
@ 2026-02-26 21:46         ` Yoann Congal
  0 siblings, 0 replies; 11+ messages in thread
From: Yoann Congal @ 2026-02-26 21:46 UTC (permalink / raw)
  To: Yoann Congal, Marko, Peter; +Cc: openembedded-core@lists.openembedded.org

On Mon Feb 2, 2026 at 4:38 PM CET, Yoann Congal wrote:
> On Sat 31 Jan 2026 at 19:47, Marko, Peter <Peter.Marko@siemens.com> wrote:
>
>> I have checked the m2crypto build issue and found out that I had to fix
>> this for newer Yocto releases already.
>>
>>
>> https://git.openembedded.org/meta-openembedded/commit/?id=f9158ce32fffa6f18eed4008c3295146c81d55ea
>>
>> Applying this commit to scarthgap works, so I have submitted it.
>>
>> https://lists.openembedded.org/g/openembedded-devel/message/124019
>>
>
> Thanks Peter,
>
> I've put that m2crypto patch on a branch and ran a full meta-openembedded
> world build (every layer under meta-openembedded)
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/81/builds/1285
> => Only warnings (reference to TMPDIR [buildpaths]) that are most likely
> not related to the openssl upgrade

I've run this build again (with a more recent scarthgap
oe-core & meta-openembedded):
* Since the m2crypto patch has merged, meta-openembedded is on scarthgap
  without additional patches.
* https://autobuilder.yoctoproject.org/valkyrie/?#/builders/81/builds/1323
  same unrelated buildpath warnings, no errors.

Regards,
-- 
Yoann Congal
Smile ECS




* Re: [OE-core][scarthgap][RFC PATCH 1/1] openssl: upgrade 3.2.6 -> 3.5.4
  2026-01-23 12:33 ` [OE-core][scarthgap][RFC PATCH 1/1] " Peter Marko
@ 2026-03-03 15:37   ` Yoann Congal
  2026-03-04  7:01     ` Marko, Peter
  0 siblings, 1 reply; 11+ messages in thread
From: Yoann Congal @ 2026-03-03 15:37 UTC (permalink / raw)
  To: peter.marko, openembedded-core

On Fri Jan 23, 2026 at 1:33 PM CET, Peter Marko via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> Openssl 3.2 has reached EOL.
> Some projects would like to use the LTS version due to the criticality and
> exposure of this component, so upgrade to the 3.5 branch.
>
> Copy recipe from current master and add UNPACKDIR definition at end of
> it as this variable does not exist in scarthgap yet.
>
> Disclaimers:
> * this is a testing branch not intended to be merged in its current form
> * running builds implementing the following Yocto AB testsuites showed only
>   intermittent failures of python ptest, otherwise the builds were ok:
>   * qemuarm64
>   * qemuarm64-alt
>   * qemuarm64-ptest
>   * qemuarm64-ptest-fast
>   * qemuppc
>   * qemuppc-tc
>   * qemux64-world
>   * qemux64-world-alt
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  .../openssl/files/environment.d-openssl.sh    |  9 ++-
>  ...ke-history-reporting-when-test-fails.patch | 19 +++--
>  ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
>  ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
>  .../0001-extend-check_cwm-test-timeout.patch  | 32 ++++++++
>  .../openssl/openssl/CVE-2024-41996.patch      | 44 -----------
>  .../{openssl_3.2.6.bb => openssl_3.5.4.bb}    | 76 +++++++++++++------
>  7 files changed, 116 insertions(+), 94 deletions(-)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
>  rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => openssl_3.5.4.bb} (75%)

The TSC has approved merging this 3.5 Openssl upgrade to scarthgap :)

Can you send an updated non-RFC patch?

Thanks!

> diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
> index d72edcb5ed..77747c1fda 100644
> --- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
> +++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
> @@ -1,14 +1,15 @@
> -export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
> +export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/openssl.cnf"
>  export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
>  export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
> +export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES"
>  
>  # Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools
> -# CAFILE/CAPATH is auto-deteced when source buildtools
> +# CAFILE/CAPATH is auto-detected when source buildtools
>  if [ -z "${SSL_CERT_FILE:-}" ]; then
>  	if [ -n "${CAFILE:-}" ];then
>  		export SSL_CERT_FILE="$CAFILE"
>  	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
> -		export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
> +		export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt"
>  	fi
>  fi
>  
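Review bot: the `elif` branch in this hunk tests for `${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt` but then exports `SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt"`, so the file that is checked and the file handed to OpenSSL are in different trees; the old `usr/lib/ssl` line had the same split, but the rename to `ssl-3` is the point at which to test the same path that is exported, otherwise the check can pass while the exported file does not exist. A smaller point: `export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES"` appends unconditionally, so sourcing the environment script twice in one shell adds the three names twice; harmless for BitBake, but worth guarding if the script is meant to be idempotent.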
> @@ -16,7 +17,7 @@ if [ -z "${SSL_CERT_DIR:-}" ]; then
>  	if [ -n "${CAPATH:-}" ];then
>  		export SSL_CERT_DIR="$CAPATH"
>  	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
> -		export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
> +		export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs"
>  	fi
>  fi
>  
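Review bot: same mismatch as in the first hunk: `SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs"` is guarded by an existence test on `${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt`, a file in a different tree; testing the directory that is actually exported (`[ -d "$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs" ]`) keeps the two paths from drifting apart on the next layout change.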
> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
> index b05d7abf7c..5b7365a353 100644
> --- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
> +++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
> @@ -6,7 +6,6 @@ Subject: [PATCH] Added handshake history reporting when test fails
>  Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
>  
>  Signed-off-by: William Lyu <William.Lyu@windriver.com>
> -Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
>  ---
>   test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++----------
>   test/helpers/handshake.h |  70 +++++++++++++++++++-
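Review bot: the header keeps `Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]` while the patch is being rebased onto a third OpenSSL series; when re-carrying a patch across an LTS bump, confirm that the pull request is still open and, if it has been merged or closed, update the status (Backport or Inappropriate) so the patch does not outlive its upstream tracking. The same hunk drops `Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>`; if the patch was re-exported from a different source, say so in the commit message, otherwise keep the sign-off chain as it was.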
> @@ -14,10 +13,10 @@ Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
>   3 files changed, 217 insertions(+), 34 deletions(-)
>  
>  diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
> -index e0422469e4..ae2ad59dd4 100644
> +index f611b3a..5703b48 100644
>  --- a/test/helpers/handshake.c
>  +++ b/test/helpers/handshake.c
> -@@ -24,6 +24,102 @@
> +@@ -25,6 +25,102 @@
>   #include <netinet/sctp.h>
>   #endif
>   
> @@ -120,7 +119,7 @@ index e0422469e4..ae2ad59dd4 100644
>   HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
>   {
>       HANDSHAKE_RESULT *ret;
> -@@ -725,15 +821,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
> +@@ -726,15 +822,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
>           SSL_set_post_handshake_auth(client, 1);
>   }
>   
> @@ -136,7 +135,7 @@ index e0422469e4..ae2ad59dd4 100644
>   /* An SSL object and associated read-write buffers. */
>   typedef struct peer_st {
>       SSL *ssl;
> -@@ -1080,17 +1167,6 @@ static void do_shutdown_step(PEER *peer)
> +@@ -1081,17 +1168,6 @@ static void do_shutdown_step(PEER *peer)
>       }
>   }
>   
> @@ -154,7 +153,7 @@ index e0422469e4..ae2ad59dd4 100644
>   static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
>   {
>       switch (test_ctx->handshake_mode) {
> -@@ -1168,19 +1244,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
> +@@ -1169,19 +1245,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
>       }
>   }
>   
> @@ -174,7 +173,7 @@ index e0422469e4..ae2ad59dd4 100644
>   /*
>    * Determine the handshake outcome.
>    * last_status: the status of the peer to have acted last.
> -@@ -1545,6 +1608,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
> +@@ -1546,6 +1609,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
>   
>       start = time(NULL);
>   
> @@ -185,7 +184,7 @@ index e0422469e4..ae2ad59dd4 100644
>       /*
>        * Half-duplex handshake loop.
>        * Client and server speak to each other synchronously in the same process.
> -@@ -1566,6 +1633,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
> +@@ -1567,6 +1634,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
>                                         0 /* server went last */);
>           }
>   
> @@ -197,7 +196,7 @@ index e0422469e4..ae2ad59dd4 100644
>           case HANDSHAKE_SUCCESS:
>               client_turn_count = 0;
>  diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
> -index 78b03f9f4b..b9967c2623 100644
> +index 78b03f9..b9967c2 100644
>  --- a/test/helpers/handshake.h
>  +++ b/test/helpers/handshake.h
>  @@ -1,5 +1,5 @@
> @@ -302,7 +301,7 @@ index 78b03f9f4b..b9967c2623 100644
>  +
>   #endif  /* OSSL_TEST_HANDSHAKE_HELPER_H */
>  diff --git a/test/ssl_test.c b/test/ssl_test.c
> -index ea608518f9..9d6b093c81 100644
> +index ea60851..9d6b093 100644
>  --- a/test/ssl_test.c
>  +++ b/test/ssl_test.c
>  @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
> index 3f6ab97795..cf5ff356ee 100644
> --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
> +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
> @@ -17,10 +17,10 @@ Signed-off-by: Tim Orling <tim.orling@konsulko.com>
>   1 file changed, 10 deletions(-)
>  
>  diff --git a/Configure b/Configure
> -index 4569952..adf019b 100755
> +index fff97bd..5ee54c1 100755
>  --- a/Configure
>  +++ b/Configure
> -@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
> +@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
>           push @{$config{shared_ldflag}}, "-mno-cygwin";
>           }
>   
> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
> index ce2acb2462..dadc034c91 100644
> --- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
> +++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
> @@ -30,23 +30,26 @@ Update to fix buildpaths qa issue for '-ffile-prefix-map'.
>  Signed-off-by: Khem Raj <raj.khem@gmail.com>
>  
>  ---
> - Configurations/unix-Makefile.tmpl | 12 +++++++++++-
> + Configurations/unix-Makefile.tmpl | 16 +++++++++++++++-
>   crypto/build.info                 |  2 +-
> - 2 files changed, 12 insertions(+), 2 deletions(-)
> + 2 files changed, 16 insertions(+), 2 deletions(-)
>  
> -Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
> -===================================================================
> ---- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl
> -+++ openssl-3.0.4/Configurations/unix-Makefile.tmpl
> -@@ -481,13 +481,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
> +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
> +index 09303c4..011bda1 100644
> +--- a/Configurations/unix-Makefile.tmpl
> ++++ b/Configurations/unix-Makefile.tmpl
> +@@ -513,13 +513,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
>                            '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
>   BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
>   
>  -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h
>  +# *_Q variables are used for one thing only: to build up buildinf.h
>   CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g;
> ++              $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g;
>                 $cppflags2 =~ s|([\\"])|\\$1|g;
> ++              $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g;
>                 $lib_cppflags =~ s|([\\"])|\\$1|g;
> ++              $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g;
>                 join(' ', $lib_cppflags || (), $cppflags2 || (),
>                           $cppflags1 || ()) -}
>   
> @@ -54,6 +57,7 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
>  +              s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
>  +              s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
>  +              s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
> ++              s|-isystem/[^ ]+/usr/include ||g;
>  +            }
>  +            join(' ', @{$config{CFLAGS}}) -}
>  +
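Review bot: the `-isystem` strip added to the CFLAGS_Q block here (`s|-isystem/[^ ]+/usr/include ||g;`) consumes the trailing space, while the three substitutions added in the previous hunk for $cppflags1, $cppflags2 and $lib_cppflags (`s|-isystem/[^ ]+/usr/include||g;`) do not, so those leave a doubled space in the string that ends up in buildinf.h. Harmless, but making the four patterns identical keeps this refreshed patch easier to rebase the next time the recipe moves.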
> @@ -63,10 +67,10 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
>   PERLASM_SCHEME= {- $target{perlasm_scheme} -}
>   
>   # For x86 assembler: Set PROCESSOR to 386 if you want to support
> -Index: openssl-3.0.4/crypto/build.info
> -===================================================================
> ---- openssl-3.0.4.orig/crypto/build.info
> -+++ openssl-3.0.4/crypto/build.info
> +diff --git a/crypto/build.info b/crypto/build.info
> +index aee5c46..95c9577 100644
> +--- a/crypto/build.info
> ++++ b/crypto/build.info
>  @@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
>   
>   DEPEND[info.o]=buildinf.h
> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
> new file mode 100644
> index 0000000000..d02d42f1b5
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
> @@ -0,0 +1,32 @@
> +From c7000672296f4c367341aa3415f26c4d9f5e4749 Mon Sep 17 00:00:00 2001
> +From: Gyorgy Sarvari <skandigraun@gmail.com>
> +Date: Thu, 23 Oct 2025 11:24:36 +0200
> +Subject: [PATCH] extend check_cwm test timeout
> +
> +The default, 3s long test timeout isn't always enough for this
> +particular test in case there is a high load on the host machine
> +(assuming it is running in qemu). Extend the default timeout to 6s
> +for the check_cwm test to avoid timeouts.
> +
> +Upstream-Status: Inappropriate [upstream issue: https://github.com/openssl/openssl/issues/28983]
> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + test/radix/main.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/test/radix/main.c b/test/radix/main.c
> +index 4a1e886a71..39f8c61ef9 100644
> +--- a/test/radix/main.c
> ++++ b/test/radix/main.c
> +@@ -25,6 +25,11 @@ static int test_script(int idx)
> +     int testresult;
> +     TERP_CONFIG cfg = {0};
> + 
> ++    // check_cwm test sometimes times out, the default 3000ms is
> ++    // not enough if the test execution starves for CPU
> ++    if (!strncmp("check_cwm", script_info->name, strlen("check_cwm")))
> ++        cfg.max_execution_time = ossl_ms2time(6000);
> ++
> +     if (!TEST_true(bindings_process_init(0, 0)))
> +         return 0;
> + 
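Review bot: `Upstream-Status: Inappropriate [upstream issue: https://github.com/openssl/openssl/issues/28983]` puts a link where the OE patch convention expects the reason the change is not for upstream (here, a qemu/load-dependent test-timeout workaround); keep the issue URL on its own line so the status field stays machine-checkable. In the code, `strncmp("check_cwm", script_info->name, strlen("check_cwm"))` is a prefix match, so every script whose name begins with check_cwm gets the 6 s budget, which is probably intended but deserves a word in the comment, and the `//` comments differ from the `/* */` style used in the surrounding OpenSSL test source.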
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
> deleted file mode 100644
> index dc18e0bef1..0000000000
> --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
> +++ /dev/null
> @@ -1,44 +0,0 @@
> -From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
> -From: Tomas Mraz <tomas@openssl.org>
> -Date: Mon, 5 Aug 2024 17:54:14 +0200
> -Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
> - safe-prime groups
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -The partial validation is fully sufficient to check the key validity.
> -
> -Thanks to Szilárd Pfeiffer for reporting the issue.
> -
> -Reviewed-by: Neil Horman <nhorman@openssl.org>
> -Reviewed-by: Matt Caswell <matt@openssl.org>
> -Reviewed-by: Paul Dale <ppzgs1@gmail.com>
> -(Merged from https://github.com/openssl/openssl/pull/25088)
> -
> -CVE: CVE-2024-41996
> -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
> - 1 file changed, 5 insertions(+), 3 deletions(-)
> -
> -diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
> -index 82c3093b12..ebdce76710 100644
> ---- a/providers/implementations/keymgmt/dh_kmgmt.c
> -+++ b/providers/implementations/keymgmt/dh_kmgmt.c
> -@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int checktype)
> -     if (pub_key == NULL)
> -         return 0;
> - 
> --    /* The partial test is only valid for named group's with q = (p - 1) / 2 */
> --    if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
> --        && ossl_dh_is_named_safe_prime_group(dh))
> -+    /*
> -+     * The partial test is only valid for named group's with q = (p - 1) / 2
> -+     * but for that case it is also fully sufficient to check the key validity.
> -+     */
> -+    if (ossl_dh_is_named_safe_prime_group(dh))
> -         return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
> - 
> -     return DH_check_pub_key_ex(dh, pub_key);
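Review bot: deleting CVE-2024-41996.patch relies on the 3.5 series already containing the upstream fix it backported (commit e70e34d857d4003199bcb5d3b52ca8102ccc1b98 per its Upstream-Status line, merged in August 2024, well before 3.5 branched). That is fine, but the commit message should state that the CVE patches carried on 3.2.6 are dropped because they are included in 3.5.4, so anyone auditing the cve-check delta between the two recipes can see the removal was deliberate.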
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb b/meta/recipes-connectivity/openssl/openssl_3.5.4.bb
> similarity index 75%
> rename from meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.5.4.bb
> index 4756f5aaa6..377d307203 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.5.4.bb
> @@ -7,19 +7,19 @@ SECTION = "libs/network"
>  LICENSE = "Apache-2.0"
>  LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
>  
> -SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/openssl-${PV}.tar.gz \
> +SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
>             file://run-ptest \
>             file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
>             file://0001-Configure-do-not-tweak-mips-cflags.patch \
>             file://0001-Added-handshake-history-reporting-when-test-fails.patch \
> -           file://CVE-2024-41996.patch \
> +           file://0001-extend-check_cwm-test-timeout.patch \
>             "
>  
>  SRC_URI:append:class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>  
> -SRC_URI[sha256sum] = "89681a9ddaa9ed7cf25ea8ef61338db805200bae47d00510490623547380c148"
> +SRC_URI[sha256sum] = "967311f84955316969bdb1d8d4b983718ef42338639c621ec4c34fddef355e99"
>  
>  inherit lib_package multilib_header multilib_script ptest perlnative manpages
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
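Review bot: SRC_URI changes from the https GitHub release URL to `http://www.openssl.org/source/openssl-${PV}.tar.gz`, so the tarball is now fetched over plain HTTP. The updated SRC_URI[sha256sum] still guarantees integrity (a tampered download fails the checksum), so this is not a hole, but there is no reason to give up transport security: www.openssl.org serves the same path over https, and the 3.2.6 recipe this replaces already used an https URL.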
> @@ -32,10 +32,13 @@ PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,crypt
>  PACKAGECONFIG[no-tls1] = "no-tls1"
>  PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
>  PACKAGECONFIG[manpages] = ""
> +PACKAGECONFIG[fips] = "enable-fips"
>  
>  B = "${WORKDIR}/build"
>  do_configure[cleandirs] = "${B}"
>  
> +EXTRA_OECONF = "${@bb.utils.contains('PTEST_ENABLED', '1', '', 'no-tests', d)}"
> +
>  #| ./libcrypto.so: undefined reference to `getcontext'
>  #| ./libcrypto.so: undefined reference to `setcontext'
>  #| ./libcrypto.so: undefined reference to `makecontext'
> @@ -44,12 +47,15 @@ EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
>  
>  # adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
>  # (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
> -EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
> -EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
> +EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom"
> +EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom"
>  
>  # Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
> -CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
> -CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
> +EXTRA_OEMAKE:append:task-compile:class-native = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
> +EXTRA_OEMAKE:append:task-compile:class-nativesdk = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
> +
> +#| threads_pthread.c:(.text+0x372): undefined reference to `__atomic_is_lock_free'
> +EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"
>  
>  # This allows disabling deprecated or undesirable crypto algorithms.
>  # The default is to trust upstream choices.
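Review bot: `EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"` passes a linker flag through EXTRA_OECONF, which the recipe's own do_configure comment (`WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF`) tells people not to do; OpenSSL's Configure does treat a bare `-l` argument as an extra library, so it works, but either route it through the environment (LDFLAGS) as the comment asks or narrow the comment so it no longer contradicts this line. The switch from `EXTRA_OECONF:class-native =` to `EXTRA_OECONF:append:class-native =` is required now that the unconditional EXTRA_OECONF assignment carries the `no-tests` logic; the old override form would have silently dropped it for native builds.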
> @@ -136,21 +142,26 @@ do_configure () {
>  		;;
>  	esac
>  
> -	useprefix=${prefix}
> -	if [ "x$useprefix" = "x" ]; then
> -		useprefix=/
> -	fi
>  	# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
>  	# environment variables set by bitbake. Adjust the environment variables instead.
>  	PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
>  	test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
>  	HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
> -	perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
> +	perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target
>  	perl ${B}/configdata.pm --dump
>  }
>  
> +do_compile:append () {
> +	# The test suite binaries are large and we don't need the debugging in them
> +	if test -d ${B}/test; then
> +		find ${B}/test -type f -executable -exec ${STRIP} {} \;
> +	fi
> +}
> +
>  do_install () {
> -	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)}
> +	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \
> +	    ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \
> +	    ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)}
>  
>  	oe_multilib_header openssl/opensslconf.h
>  	oe_multilib_header openssl/configuration.h
> @@ -168,21 +179,30 @@ do_install () {
>  	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
>  	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
>  	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
> +
> +	# Generate fipsmodule.cnf in pkg_postinst_ontarget
> +	if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
> +		rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
> +	fi
>  }
>  
>  do_install:append:class-native () {
>  	create_wrapper ${D}${bindir}/openssl \
> -	    OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
> -	    SSL_CERT_DIR=${libdir}/ssl-3/certs \
> -	    SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
> -	    OPENSSL_ENGINES=${libdir}/engines-3 \
> -	    OPENSSL_MODULES=${libdir}/ossl-modules
> +	    OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
> +	    SSL_CERT_DIR=\${SSL_CERT_DIR:-${libdir}/ssl-3/certs} \
> +	    SSL_CERT_FILE=\${SSL_CERT_FILE:-${libdir}/ssl-3/cert.pem} \
> +	    OPENSSL_ENGINES=\${OPENSSL_ENGINES:-${libdir}/engines-3} \
> +	    OPENSSL_MODULES=\${OPENSSL_MODULES:-${libdir}/ossl-modules}
> +
> +	# Setting ENGINESDIR and MODULESDIR to invalid paths prevents host contamination,
> +	# but also breaks the generated libcrypto.pc file. Post-Fix it manually here.
> +	sed -i 's|^enginesdir=\($.libdir.\)/.*|enginesdir=\1/engines-3|' ${D}${libdir}/pkgconfig/libcrypto.pc
> +	sed -i 's|^modulesdir=\($.libdir.\)/.*|modulesdir=\1/ossl-modules|' ${D}${libdir}/pkgconfig/libcrypto.pc
>  }
>  
>  do_install:append:class-nativesdk () {
>  	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
> -	install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
> -	sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
> +	install -m 644 ${UNPACKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
>  }
>  
>  PTEST_BUILD_HOST_FILES += "configdata.pm"
> @@ -226,12 +246,18 @@ do_install_ptest() {
>  	ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers
>  }
>  
> +pkg_postinst_ontarget:${PN}-ossl-module-fips () {
> +	if test -f ${libdir}/ossl-modules/fips.so; then
> +		${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
> +	fi
> +}
> +
>  # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
>  # package RRECOMMENDS on this package. This will enable the configuration
>  # file to be installed for both the openssl-bin package and the libcrypto
>  # package since the openssl-bin package depends on the libcrypto package.
>  
> -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
> +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
>  
>  FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
>  FILES:libssl = "${libdir}/libssl${SOLIBS}"
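Review bot: `pkg_postinst_ontarget:${PN}-ossl-module-fips` runs `${bindir}/openssl fipsinstall`, which executes the module's self-tests and writes the integrity MAC of the installed fips.so into fipsmodule.cnf, so doing it on the target is the right place and matches the `rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf` in do_install. Two gaps: nothing in the hunk adds `RDEPENDS:${PN}-ossl-module-fips` on `${PN}-bin`, so an image that installs the module without the CLI runs a first-boot script whose `openssl` binary is missing (the `test -f .../fips.so` guard does not cover that), and on read-only-rootfs images a deferred postinst cannot run at all, which means the FIPS provider will not load until fipsmodule.cnf is produced some other way. Worth a comment next to the PACKAGECONFIG so FIPS users know what they are getting.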
> @@ -243,6 +269,7 @@ FILES:${PN}-engines = "${libdir}/engines-3"
>  FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
>  FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
>  FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
> +FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so"
>  FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
>  FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
>  
> @@ -254,9 +281,12 @@ RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines
>  
>  RDEPENDS:${PN}-bin += "openssl-conf"
>  
> +# The test suite is installed stripped
> +INSANE_SKIP:${PN} = "already-stripped"
> +
>  BBCLASSEXTEND = "native nativesdk"
>  
>  CVE_PRODUCT = "openssl:openssl"
>  
> -CVE_VERSION_SUFFIX = "alphabetical"
> -
> +# this does not exist in scarthgap yet
> +UNPACKDIR = "${WORKDIR}"
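Review bot: the trailing `UNPACKDIR = "${WORKDIR}"` is the only scarthgap-specific line in an otherwise master-copied recipe and exists to back the `install -m 644 ${UNPACKDIR}/environment.d-openssl.sh` line in do_install:append:class-nativesdk; move the comment next to that use, or at least word it so it is clear the assignment must go if UNPACKDIR is ever provided by the branch's bitbake, since a hard `=` here would then override the real unpack directory. Dropping `CVE_VERSION_SUFFIX = "alphabetical"` follows the master recipe this copies; 3.x point releases are plain numeric versions, so the alphabetical suffix handling from the 1.1.1 era has nothing left to do.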


-- 
Yoann Congal
Smile ECS




* RE: [OE-core][scarthgap][RFC PATCH 1/1] openssl: upgrade 3.2.6 -> 3.5.4
  2026-03-03 15:37   ` Yoann Congal
@ 2026-03-04  7:01     ` Marko, Peter
  0 siblings, 0 replies; 11+ messages in thread
From: Marko, Peter @ 2026-03-04  7:01 UTC (permalink / raw)
  To: Yoann Congal, openembedded-core@lists.openembedded.org



> -----Original Message-----
> From: Yoann Congal <yoann.congal@smile.fr>
> Sent: Tuesday, March 3, 2026 16:38
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][scarthgap][RFC PATCH 1/1] openssl: upgrade 3.2.6 -> 3.5.4
> 
> On Fri Jan 23, 2026 at 1:33 PM CET, Peter Marko via lists.openembedded.org wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Openssl 3.2 has reached EOL.
> > Some projects would like to use LTS version due to criticality and
> > exposure of this component, so upgrade to 3.5 branch.
> >
> > Copy recipe from current master and add UNPACKDIR definition at end of
> > it as this variable does not exist in scarthgap yet.
> >
> > Disclaimers:
> > * this is a testing branch not intended to be merged in current form
> > * running builds implementing following Yocto AB testsuites showed only
> >   intermittent failures of python ptest, otherwise the builds were ok:
> >   * qemuarm64
> >   * qemuarm64-alt
> >   * qemuarm64-ptest
> >   * qemuarm64-ptest-fast
> >   * qemuppc
> >   * qemuppc-tc
> >   * qemux64-world
> >   * qemux64-world-alt
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  .../openssl/files/environment.d-openssl.sh    |  9 ++-
> >  ...ke-history-reporting-when-test-fails.patch | 19 +++--
> >  ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
> >  ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
> >  .../0001-extend-check_cwm-test-timeout.patch  | 32 ++++++++
> >  .../openssl/openssl/CVE-2024-41996.patch      | 44 -----------
> >  .../{openssl_3.2.6.bb => openssl_3.5.4.bb}    | 76 +++++++++++++------
> >  7 files changed, 116 insertions(+), 94 deletions(-)
> >  create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
> >  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
> >  rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => openssl_3.5.4.bb} (75%)
> 
> The TSC has approved merging this 3.5 Openssl upgrade to scarthgap :)
> 
> Can you send an updated non-RFC patch?

Great news!
I'll send a new patch in the evening.
It will be now 3.5.5.

Peter

> 
> Thanks!
> 
> > diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
> b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
> > index d72edcb5ed..77747c1fda 100644
> > --- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
> > +++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
> > @@ -1,14 +1,15 @@
> > -export
> OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
> > +export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-
> 3/openssl.cnf"
> >  export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-
> modules/"
> >  export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
> > +export
> BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITION
> S:-} OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES"
> >
> >  # Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected
> host cert, then cert in buildtools
> > -# CAFILE/CAPATH is auto-deteced when source buildtools
> > +# CAFILE/CAPATH is auto-detected when source buildtools
> >  if [ -z "${SSL_CERT_FILE:-}" ]; then
> >  	if [ -n "${CAFILE:-}" ];then
> >  		export SSL_CERT_FILE="$CAFILE"
> >  	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
> ];then
> > -		export
> SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-
> certificates.crt"
> > +		export
> SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-
> certificates.crt"
> >  	fi
> >  fi
> >
> > @@ -16,7 +17,7 @@ if [ -z "${SSL_CERT_DIR:-}" ]; then
> >  	if [ -n "${CAPATH:-}" ];then
> >  		export SSL_CERT_DIR="$CAPATH"
> >  	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
> ];then
> > -		export
> SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
> > +		export
> SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs"
> >  	fi
> >  fi
> >
> > diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-
> history-reporting-when-test-fails.patch b/meta/recipes-
> connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-
> fails.patch
> > index b05d7abf7c..5b7365a353 100644
> > --- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-
> reporting-when-test-fails.patch
> > +++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-
> history-reporting-when-test-fails.patch
> > @@ -6,7 +6,6 @@ Subject: [PATCH] Added handshake history reporting when
> test fails
> >  Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
> >
> >  Signed-off-by: William Lyu <William.Lyu@windriver.com>
> > -Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> >  ---
> >   test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++----------
> >   test/helpers/handshake.h |  70 +++++++++++++++++++-
> > @@ -14,10 +13,10 @@ Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> >   3 files changed, 217 insertions(+), 34 deletions(-)
> >
> >  diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
> > -index e0422469e4..ae2ad59dd4 100644
> > +index f611b3a..5703b48 100644
> >  --- a/test/helpers/handshake.c
> >  +++ b/test/helpers/handshake.c
> > -@@ -24,6 +24,102 @@
> > +@@ -25,6 +25,102 @@
> >   #include <netinet/sctp.h>
> >   #endif
> >
> > @@ -120,7 +119,7 @@ index e0422469e4..ae2ad59dd4 100644
> >   HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
> >   {
> >       HANDSHAKE_RESULT *ret;
> > -@@ -725,15 +821,6 @@ static void configure_handshake_ssl(SSL *server, SSL
> *client,
> > +@@ -726,15 +822,6 @@ static void configure_handshake_ssl(SSL *server,
> SSL *client,
> >           SSL_set_post_handshake_auth(client, 1);
> >   }
> >
> > @@ -136,7 +135,7 @@ index e0422469e4..ae2ad59dd4 100644
> >   /* An SSL object and associated read-write buffers. */
> >   typedef struct peer_st {
> >       SSL *ssl;
> > -@@ -1080,17 +1167,6 @@ static void do_shutdown_step(PEER *peer)
> > +@@ -1081,17 +1168,6 @@ static void do_shutdown_step(PEER *peer)
> >       }
> >   }
> >
> > @@ -154,7 +153,7 @@ index e0422469e4..ae2ad59dd4 100644
> >   static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
> >   {
> >       switch (test_ctx->handshake_mode) {
> > -@@ -1168,19 +1244,6 @@ static void do_connect_step(const SSL_TEST_CTX
> *test_ctx, PEER *peer,
> > +@@ -1169,19 +1245,6 @@ static void do_connect_step(const SSL_TEST_CTX
> *test_ctx, PEER *peer,
> >       }
> >   }
> >
> > @@ -174,7 +173,7 @@ index e0422469e4..ae2ad59dd4 100644
> >   /*
> >    * Determine the handshake outcome.
> >    * last_status: the status of the peer to have acted last.
> > -@@ -1545,6 +1608,10 @@ static HANDSHAKE_RESULT
> *do_handshake_internal(
> > +@@ -1546,6 +1609,10 @@ static HANDSHAKE_RESULT
> *do_handshake_internal(
> >
> >       start = time(NULL);
> >
> > @@ -185,7 +184,7 @@ index e0422469e4..ae2ad59dd4 100644
> >       /*
> >        * Half-duplex handshake loop.
> >        * Client and server speak to each other synchronously in the same process.
> > -@@ -1566,6 +1633,10 @@ static HANDSHAKE_RESULT
> *do_handshake_internal(
> > +@@ -1567,6 +1634,10 @@ static HANDSHAKE_RESULT
> *do_handshake_internal(
> >                                         0 /* server went last */);
> >           }
> >
> > @@ -197,7 +196,7 @@ index e0422469e4..ae2ad59dd4 100644
> >           case HANDSHAKE_SUCCESS:
> >               client_turn_count = 0;
> >  diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
> > -index 78b03f9f4b..b9967c2623 100644
> > +index 78b03f9..b9967c2 100644
> >  --- a/test/helpers/handshake.h
> >  +++ b/test/helpers/handshake.h
> >  @@ -1,5 +1,5 @@
> > @@ -302,7 +301,7 @@ index 78b03f9f4b..b9967c2623 100644
> >  +
> >   #endif  /* OSSL_TEST_HANDSHAKE_HELPER_H */
> >  diff --git a/test/ssl_test.c b/test/ssl_test.c
> > -index ea608518f9..9d6b093c81 100644
> > +index ea60851..9d6b093 100644
> >  --- a/test/ssl_test.c
> >  +++ b/test/ssl_test.c
> >  @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
> > diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-
> tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-
> Configure-do-not-tweak-mips-cflags.patch
> > index 3f6ab97795..cf5ff356ee 100644
> > --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-
> mips-cflags.patch
> > +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-
> mips-cflags.patch
> > @@ -17,10 +17,10 @@ Signed-off-by: Tim Orling <tim.orling@konsulko.com>
> >   1 file changed, 10 deletions(-)
> >
> >  diff --git a/Configure b/Configure
> > -index 4569952..adf019b 100755
> > +index fff97bd..5ee54c1 100755
> >  --- a/Configure
> >  +++ b/Configure
> > -@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help
> 2>&1` =~ m/-mno-cygwin/m)
> > +@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-
> help 2>&1` =~ m/-mno-cygwin/m)
> >           push @{$config{shared_ldflag}}, "-mno-cygwin";
> >           }
> >
> > diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-
> sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-
> connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-
> from-co.patch
> > index ce2acb2462..dadc034c91 100644
> > --- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-
> debug-prefix-map-from-co.patch
> > +++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-
> and-debug-prefix-map-from-co.patch
> > @@ -30,23 +30,26 @@ Update to fix buildpaths qa issue for '-ffile-prefix-map'.
> >  Signed-off-by: Khem Raj <raj.khem@gmail.com>
> >
> >  ---
> > - Configurations/unix-Makefile.tmpl | 12 +++++++++++-
> > + Configurations/unix-Makefile.tmpl | 16 +++++++++++++++-
> >   crypto/build.info                 |  2 +-
> > - 2 files changed, 12 insertions(+), 2 deletions(-)
> > + 2 files changed, 16 insertions(+), 2 deletions(-)
> >
> > -Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
> > -
> =============================================================
> ======
> > ---- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl
> > -+++ openssl-3.0.4/Configurations/unix-Makefile.tmpl
> > -@@ -481,13 +481,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
> > +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-
> Makefile.tmpl
> > +index 09303c4..011bda1 100644
> > +--- a/Configurations/unix-Makefile.tmpl
> > ++++ b/Configurations/unix-Makefile.tmpl
> > +@@ -513,13 +513,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
> >                            '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
> >   BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
> >
> >  -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h
> >  +# *_Q variables are used for one thing only: to build up buildinf.h
> >   CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g;
> > ++              $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g;
> >                 $cppflags2 =~ s|([\\"])|\\$1|g;
> > ++              $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g;
> >                 $lib_cppflags =~ s|([\\"])|\\$1|g;
> > ++              $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g;
> >                 join(' ', $lib_cppflags || (), $cppflags2 || (),
> >                           $cppflags1 || ()) -}
> >
> > @@ -54,6 +57,7 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
> >  +              s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
> >  +              s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
> >  +              s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
> > ++              s|-isystem/[^ ]+/usr/include ||g;
> >  +            }
> >  +            join(' ', @{$config{CFLAGS}}) -}
> >  +
> > @@ -63,10 +67,10 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
> >   PERLASM_SCHEME= {- $target{perlasm_scheme} -}
> >
> >   # For x86 assembler: Set PROCESSOR to 386 if you want to support
> > -Index: openssl-3.0.4/crypto/build.info
> > -
> =============================================================
> ======
> > ---- openssl-3.0.4.orig/crypto/build.info
> > -+++ openssl-3.0.4/crypto/build.info
> > +diff --git a/crypto/build.info b/crypto/build.info
> > +index aee5c46..95c9577 100644
> > +--- a/crypto/build.info
> > ++++ b/crypto/build.info
> >  @@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
> >
> >   DEPEND[info.o]=buildinf.h
> > diff --git a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-
> test-timeout.patch b/meta/recipes-connectivity/openssl/openssl/0001-extend-
> check_cwm-test-timeout.patch
> > new file mode 100644
> > index 0000000000..d02d42f1b5
> > --- /dev/null
> > +++ b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-
> timeout.patch
> > @@ -0,0 +1,32 @@
> > +From c7000672296f4c367341aa3415f26c4d9f5e4749 Mon Sep 17 00:00:00 2001
> > +From: Gyorgy Sarvari <skandigraun@gmail.com>
> > +Date: Thu, 23 Oct 2025 11:24:36 +0200
> > +Subject: [PATCH] extend check_cwm test timeout
> > +
> > +The default, 3s long test timeout isn't always enough for this
> > +particular test in case there is a high load on the host machine
> > +(assuming it is running in qemu). Extend the default timeout to 6s
> > +for the check_cwm test to avoid timeouts.
> > +
> > +Upstream-Status: Inappropriate [upstream issue:
> https://github.com/openssl/openssl/issues/28983]
> > +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> > +---
> > + test/radix/main.c | 5 +++++
> > + 1 file changed, 5 insertions(+)
> > +
> > +diff --git a/test/radix/main.c b/test/radix/main.c
> > +index 4a1e886a71..39f8c61ef9 100644
> > +--- a/test/radix/main.c
> > ++++ b/test/radix/main.c
> > +@@ -25,6 +25,11 @@ static int test_script(int idx)
> > +     int testresult;
> > +     TERP_CONFIG cfg = {0};
> > +
> > ++    // check_cwm test sometimes times out, the default 3000ms is
> > ++    // not enough if the test execution starves for CPU
> > ++    if (!strncmp("check_cwm", script_info->name, strlen("check_cwm")))
> > ++        cfg.max_execution_time = ossl_ms2time(6000);
> > ++
> > +     if (!TEST_true(bindings_process_init(0, 0)))
> > +         return 0;
> > +
> > diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
> b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
> > deleted file mode 100644
> > index dc18e0bef1..0000000000
> > --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
> > +++ /dev/null
> > @@ -1,44 +0,0 @@
> > -From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00
> 2001
> > -From: Tomas Mraz <tomas@openssl.org>
> > -Date: Mon, 5 Aug 2024 17:54:14 +0200
> > -Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for
> known
> > - safe-prime groups
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -The partial validation is fully sufficient to check the key validity.
> > -
> > -Thanks to Szilárd Pfeiffer for reporting the issue.
> > -
> > -Reviewed-by: Neil Horman <nhorman@openssl.org>
> > -Reviewed-by: Matt Caswell <matt@openssl.org>
> > -Reviewed-by: Paul Dale <ppzgs1@gmail.com>
> > -(Merged from https://github.com/openssl/openssl/pull/25088)
> > -
> > -CVE: CVE-2024-41996
> > -Upstream-Status: Backport
> [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca81
> 02ccc1b98]
> > -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ----
> > - providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
> > - 1 file changed, 5 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/providers/implementations/keymgmt/dh_kmgmt.c
> b/providers/implementations/keymgmt/dh_kmgmt.c
> > -index 82c3093b12..ebdce76710 100644
> > ---- a/providers/implementations/keymgmt/dh_kmgmt.c
> > -+++ b/providers/implementations/keymgmt/dh_kmgmt.c
> > -@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int
> checktype)
> > -     if (pub_key == NULL)
> > -         return 0;
> > -
> > --    /* The partial test is only valid for named group's with q = (p - 1) / 2 */
> > --    if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
> > --        && ossl_dh_is_named_safe_prime_group(dh))
> > -+    /*
> > -+     * The partial test is only valid for named group's with q = (p - 1) / 2
> > -+     * but for that case it is also fully sufficient to check the key validity.
> > -+     */
> > -+    if (ossl_dh_is_named_safe_prime_group(dh))
> > -         return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
> > -
> > -     return DH_check_pub_key_ex(dh, pub_key);
> > diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb b/meta/recipes-
> connectivity/openssl/openssl_3.5.4.bb
> > similarity index 75%
> > rename from meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> > rename to meta/recipes-connectivity/openssl/openssl_3.5.4.bb
> > index 4756f5aaa6..377d307203 100644
> > --- a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> > +++ b/meta/recipes-connectivity/openssl/openssl_3.5.4.bb
> > @@ -7,19 +7,19 @@ SECTION = "libs/network"
> >  LICENSE = "Apache-2.0"
> >  LIC_FILES_CHKSUM =
> "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
> >
> > -SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-
> ${PV}/openssl-${PV}.tar.gz \
> > +SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
> >             file://run-ptest \
> >             file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
> >             file://0001-Configure-do-not-tweak-mips-cflags.patch \
> >             file://0001-Added-handshake-history-reporting-when-test-fails.patch \
> > -           file://CVE-2024-41996.patch \
> > +           file://0001-extend-check_cwm-test-timeout.patch \
> >             "
> >
> >  SRC_URI:append:class-nativesdk = " \
> >             file://environment.d-openssl.sh \
> >             "
> >
> > -SRC_URI[sha256sum] =
> "89681a9ddaa9ed7cf25ea8ef61338db805200bae47d00510490623547380c148"
> > +SRC_URI[sha256sum] =
> "967311f84955316969bdb1d8d4b983718ef42338639c621ec4c34fddef355e99"
> >
> >  inherit lib_package multilib_header multilib_script ptest perlnative manpages
> >  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
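
Review bot: SRC_URI now fetches `http://www.openssl.org/source/openssl-${PV}.tar.gz` over plain http, where the removed line used an https GitHub release URL; the sha256sum below still guarantees integrity of what is unpacked, but fetching over https avoids relying on the checksum alone for transport integrity, so use `https://www.openssl.org/source/openssl-${PV}.tar.gz` or keep the github.com releases URL with the new ${PV}.
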
> > @@ -32,10 +32,13 @@ PACKAGECONFIG[cryptodev-linux] = "enable-
> devcryptoeng,disable-devcryptoeng,crypt
> >  PACKAGECONFIG[no-tls1] = "no-tls1"
> >  PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
> >  PACKAGECONFIG[manpages] = ""
> > +PACKAGECONFIG[fips] = "enable-fips"
> >
> >  B = "${WORKDIR}/build"
> >  do_configure[cleandirs] = "${B}"
> >
> > +EXTRA_OECONF = "${@bb.utils.contains('PTEST_ENABLED', '1', '', 'no-tests',
> d)}"
> > +
> >  #| ./libcrypto.so: undefined reference to `getcontext'
> >  #| ./libcrypto.so: undefined reference to `setcontext'
> >  #| ./libcrypto.so: undefined reference to `makecontext'
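
Review bot: `PACKAGECONFIG[fips] = "enable-fips"` and the new `EXTRA_OECONF = "${@bb.utils.contains('PTEST_ENABLED', '1', '', 'no-tests', d)}"` are feature changes riding along with a stable-branch version bump, not consequences of the 3.5.4 sources; the commit message should say where they come from (the master recipe, if that is the case) and the fips option deserves a one-line comment noting that enabling it builds and installs the FIPS provider module, which the install_fips and fipsmodule.cnf handling further down depends on.
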
> > @@ -44,12 +47,15 @@ EXTRA_OECONF:append:libc-musl:powerpc64 = " no-
> asm"
> >
> >  # adding devrandom prevents openssl from using getrandom() which is not
> available on older glibc versions
> >  # (native versions can be built with newer glibc, but then relocated onto a
> system with older glibc)
> > -EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
> > -EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
> > +EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom"
> > +EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom"
> >
> >  # Relying on hardcoded built-in paths causes openssl-native to not be
> relocateable from sstate.
> > -CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -
> DENGINESDIR=/not/builtin"
> > -CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -
> DENGINESDIR=/not/builtin"
> > +EXTRA_OEMAKE:append:task-compile:class-native = '
> OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin"
> MODULESDIR="/not/builtin"'
> > +EXTRA_OEMAKE:append:task-compile:class-nativesdk = '
> OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin"
> MODULESDIR="/not/builtin"'
> > +
> > +#| threads_pthread.c:(.text+0x372): undefined reference to
> `__atomic_is_lock_free'
> > +EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"
> >
> >  # This allows disabling deprecated or undesirable crypto algorithms.
> >  # The default is to trust upstream choices.
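
Review bot: the change from `EXTRA_OECONF:class-native = ...` to `EXTRA_OECONF:append:class-native = ...` is required, since a plain class-native override would discard the `no-tests` value now assigned to EXTRA_OECONF in the hunk above. Two smaller points: `EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"` places a linker option in EXTRA_OECONF, which the recipe's own do_configure comment warns against for -I/-D flags, so a comment saying why a bare -l option is acceptable here would help; and the `EXTRA_OEMAKE:append:task-compile:...` overrides of OPENSSLDIR/ENGINESDIR/MODULESDIR only apply during do_compile, presumably so that do_install still sees the real paths, which the comment above them should state.
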
> > @@ -136,21 +142,26 @@ do_configure () {
> >  		;;
> >  	esac
> >
> > -	useprefix=${prefix}
> > -	if [ "x$useprefix" = "x" ]; then
> > -		useprefix=/
> > -	fi
> >  	# WARNING: do not set compiler/linker flags (-I/-D etc.) in
> EXTRA_OECONF, as they will fully replace the
> >  	# environment variables set by bitbake. Adjust the environment variables
> instead.
> >  	PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
> >  	test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL
> '$PERLEXTERNAL' not found!"
> >  	HASHBANGPERL="/usr/bin/env perl" PERL=perl
> PERL5LIB="$PERLEXTERNAL" \
> > -	perl ${S}/Configure ${EXTRA_OECONF}
> ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --
> prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
> > +	perl ${S}/Configure ${EXTRA_OECONF}
> ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --
> prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target
> >  	perl ${B}/configdata.pm --dump
> >  }
> >
> > +do_compile:append () {
> > +	# The test suite binaries are large and we don't need the debugging in them
> > +	if test -d ${B}/test; then
> > +		find ${B}/test -type f -executable -exec ${STRIP} {} \;
> > +	fi
> > +}
> > +
> >  do_install () {
> > -	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl
> install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages',
> 'install_docs', '', d)}
> > +	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl
> install_sw install_ssldirs \
> > +	    ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '',
> d)} \
> > +	    ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)}
> >
> >  	oe_multilib_header openssl/opensslconf.h
> >  	oe_multilib_header openssl/configuration.h
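
Review bot: `--libdir=${libdir}` becomes `--libdir=${baselib}` and the `useprefix` fallback for an empty ${prefix} is removed, so Configure is now handed a prefix-relative libdir and the recipe relies on ${prefix} always being set; both are install-layout changes rather than version-bump fallout and belong in the commit message. In `do_compile:append`, `find ${B}/test -type f -executable -exec ${STRIP} {} \;` may also match non-ELF executables (test scripts), and `-exec` ignores strip's exit status, so any strip errors on such files are silently dropped; either restrict the match to ELF files or note in the comment that errors from non-ELF files are expected and ignored.
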
> > @@ -168,21 +179,30 @@ do_install () {
> >  	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')}
> ${D}${libdir}/ssl-3/certs
> >  	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')}
> ${D}${libdir}/ssl-3/private
> >  	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')}
> ${D}${libdir}/ssl-3/openssl.cnf
> > +
> > +	# Generate fipsmodule.cnf in pkg_postinst_ontarget
> > +	if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
> > +		rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
> > +	fi
> >  }
> >
> >  do_install:append:class-native () {
> >  	create_wrapper ${D}${bindir}/openssl \
> > -	    OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
> > -	    SSL_CERT_DIR=${libdir}/ssl-3/certs \
> > -	    SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
> > -	    OPENSSL_ENGINES=${libdir}/engines-3 \
> > -	    OPENSSL_MODULES=${libdir}/ossl-modules
> > +	    OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
> > +	    SSL_CERT_DIR=\${SSL_CERT_DIR:-${libdir}/ssl-3/certs} \
> > +	    SSL_CERT_FILE=\${SSL_CERT_FILE:-${libdir}/ssl-3/cert.pem} \
> > +	    OPENSSL_ENGINES=\${OPENSSL_ENGINES:-${libdir}/engines-3} \
> > +	    OPENSSL_MODULES=\${OPENSSL_MODULES:-${libdir}/ossl-
> modules}
> > +
> > +	# Setting ENGINESDIR and MODULESDIR to invalid paths prevents host
> contamination,
> > +	# but also breaks the generated libcrypto.pc file. Post-Fix it manually here.
> > +	sed -i 's|^enginesdir=\($.libdir.\)/.*|enginesdir=\1/engines-3|'
> ${D}${libdir}/pkgconfig/libcrypto.pc
> > +	sed -i 's|^modulesdir=\($.libdir.\)/.*|modulesdir=\1/ossl-modules|'
> ${D}${libdir}/pkgconfig/libcrypto.pc
> >  }
> >
> >  do_install:append:class-nativesdk () {
> >  	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
> > -	install -m 644 ${WORKDIR}/environment.d-openssl.sh
> ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
> > -	sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-
> setup.d/openssl.sh
> > +	install -m 644 ${UNPACKDIR}/environment.d-openssl.sh
> ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
> >  }
> >
> >  PTEST_BUILD_HOST_FILES += "configdata.pm"
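
Review bot: the wrapper now uses `OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf}` (and likewise for SSL_CERT_DIR, SSL_CERT_FILE, OPENSSL_ENGINES and OPENSSL_MODULES), so a value already present in the caller's environment wins over the sysroot path, whereas the old wrapper always forced the sysroot path; OPENSSL_MODULES and OPENSSL_ENGINES in particular decide which shared objects openssl-native loads, so this behaviour change should be called out in the commit message (it is harmless under bitbake's filtered task environment, but visible to anyone invoking the wrapper from devshell or an SDK). The `rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf` is consistent with the on-target generation, but the comment above it should say why regenerating on the target is preferred over shipping the build-time file.
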
> > @@ -226,12 +246,18 @@ do_install_ptest() {
> >  	ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers
> >  }
> >
> > +pkg_postinst_ontarget:${PN}-ossl-module-fips () {
> > +	if test -f ${libdir}/ossl-modules/fips.so; then
> > +		${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -
> module ${libdir}/ossl-modules/fips.so
> > +	fi
> > +}
> > +
> >  # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
> >  # package RRECOMMENDS on this package. This will enable the configuration
> >  # file to be installed for both the openssl-bin package and the libcrypto
> >  # package since the openssl-bin package depends on the libcrypto package.
> >
> > -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-
> ossl-module-legacy"
> > +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-
> ossl-module-legacy ${PN}-ossl-module-fips"
> >
> >  FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
> >  FILES:libssl = "${libdir}/libssl${SOLIBS}"
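
Review bot: `pkg_postinst_ontarget:${PN}-ossl-module-fips` runs `openssl fipsinstall` on first boot and writes `${libdir}/ssl-3/fipsmodule.cnf` under /usr, which cannot work on a read-only root filesystem and defers the provider's self-test to the device; the exit status of fipsinstall correctly becomes the postinst result, so a failed self-test leaves the package unconfigured, which is the right outcome, but a comment stating the read-only-rootfs limitation is needed, and it is worth saying whether a build-time install_fips output could be shipped instead for images that need reproducible or read-only contents.
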
> > @@ -243,6 +269,7 @@ FILES:${PN}-engines = "${libdir}/engines-3"
> >  FILES:${PN}-engines:append:mingw32:class-nativesdk = "
> ${prefix}${libdir}/engines-3"
> >  FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
> >  FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
> > +FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so"
> >  FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
> >  FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-
> setup.d/openssl.sh"
> >
> > @@ -254,9 +281,12 @@ RDEPENDS:${PN}-ptest += "openssl-bin perl perl-
> modules bash sed openssl-engines
> >
> >  RDEPENDS:${PN}-bin += "openssl-conf"
> >
> > +# The test suite is installed stripped
> > +INSANE_SKIP:${PN} = "already-stripped"
> > +
> >  BBCLASSEXTEND = "native nativesdk"
> >
> >  CVE_PRODUCT = "openssl:openssl"
> >
> > -CVE_VERSION_SUFFIX = "alphabetical"
> > -
> > +# this does not exist in scarthgap yet
> > +UNPACKDIR = "${WORKDIR}"
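
Review bot: `INSANE_SKIP:${PN} = "already-stripped"` is set on the main package, but the binaries stripped in do_compile:append live under ${B}/test and are installed by do_install_ptest into ${PN}-ptest; check an autobuilder run with ptest enabled to see whether the already-stripped QA warning is reported against ${PN}-ptest, in which case the skip has to be on that package. The trailing `UNPACKDIR = "${WORKDIR}"` with its "does not exist in scarthgap yet" comment is a branch-specific shim that should be mentioned in the commit message, and dropping `CVE_VERSION_SUFFIX = "alphabetical"` changes how cve-check compares versions for this recipe, so the reason belongs there too.
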
> 
> 
> --
> Yoann Congal
> Smile ECS


Thread overview: 11+ messages
2026-01-23 12:33 [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> 3.5.4 Peter Marko
2026-01-23 12:33 ` [OE-core][scarthgap][RFC PATCH 1/1] " Peter Marko
2026-03-03 15:37   ` Yoann Congal
2026-03-04  7:01     ` Marko, Peter
2026-01-23 17:02 ` [OE-core][scarthgap][RFC PATCH 0/1] " Yoann Congal
2026-01-24 10:29   ` Yoann Congal
2026-01-24 12:18     ` Marko, Peter
2026-01-28 11:04   ` Yoann Congal
2026-01-31 18:47     ` Marko, Peter
2026-02-02 15:38       ` Yoann Congal
2026-02-26 21:46         ` Yoann Congal
