[dunfell,04/12] openssl: Add reproducibility fix

Message ID	b360fdca923bb3e4a4bf41d705e634eafc0e54c5.1641765639.git.steve@sakoman.com
State	Accepted, archived
Commit	b360fdca923bb3e4a4bf41d705e634eafc0e54c5
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.177, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 04/12] openssl: Add reproducibility fix Date: Sun, 9 Jan 2022 12:04:08 -1000 Message-Id: <b360fdca923bb3e4a4bf41d705e634eafc0e54c5.1641765639.git.steve@sakoman.com> In-Reply-To: <cover.1641765639.git.steve@sakoman.com> References: <cover.1641765639.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,01/12] grub: fix CVE-2020-14372 and CVE-2020-27779 \| expand [dunfell,01/12] grub: fix CVE-2020-14372 and CVE-2020-27779 [dunfell,02/12] linux-firmware: upgrade 20211027 -> 20211216 [dunfell,03/12] libpcre2: update SRC_URI [dunfell,04/12] openssl: Add reproducibility fix [dunfell,05/12] oeqa/selftest/bbtests: Use YP sources mirror instead of GNU [dunfell,06/12] oeqa/selftest/tinfoil: Update to use test command [dunfell,07/12] weston: Backport patches to always activate the top-level surface [dunfell,08/12] scripts/buildhistory-diff: drop use of distutils [dunfell,09/12] selftest: skip virgl test on fedora 35 [dunfell,10/12] scripts: Update to use exec_module() instead of load_module() [dunfell,11/12] lib/oe/reproducible: correctly set .git location when recursively looking for git r… [dunfell,12/12] asciidoc: properly detect and compare Python versions >= 3.10

Message ID

b360fdca923bb3e4a4bf41d705e634eafc0e54c5.1641765639.git.steve@sakoman.com

State

Accepted, archived

Commit

b360fdca923bb3e4a4bf41d705e634eafc0e54c5

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 04/12] openssl: Add reproducibility fix
Date: Sun,  9 Jan 2022 12:04:08 -1000
Message-Id: 
 <b360fdca923bb3e4a4bf41d705e634eafc0e54c5.1641765639.git.steve@sakoman.com>
In-Reply-To: <cover.1641765639.git.steve@sakoman.com>
References: <cover.1641765639.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,01/12] grub: fix CVE-2020-14372 and CVE-2020-27779 | expand

Commit Message

Steve Sakoman Jan. 9, 2022, 10:04 p.m. UTC

From: Richard Purdie <richard.purdie@linuxfoundation.org>

When the date rolled from one year to another, it highlighted a reproducibility
issue in openssl. Patch a workaround for this to avoid autobuilder failures.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f8281e290737dba16a46d7ae937c66b3266e0fe8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssl/openssl/reproducibility.patch     | 22 +++++++++++++++++++
 .../openssl/openssl_1.1.1l.bb                 |  1 +
 2 files changed, 23 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/reproducibility.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/reproducibility.patch b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch
new file mode 100644
index 0000000000..8accbc9df2
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch
@@ -0,0 +1,22 @@ 
+Using localtime() means the output can depend on the timezone of the build machine.
+Using gmtime() is safer. For complete reproducibility use SOURCE_DATE_EPOCH if set.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Pending [should be suitable]
+
+Index: openssl-3.0.1/apps/progs.pl
+===================================================================
+--- openssl-3.0.1.orig/apps/progs.pl
++++ openssl-3.0.1/apps/progs.pl
+@@ -21,7 +21,10 @@ die "Unrecognised option, must be -C or
+ my %commands     = ();
+ my $cmdre        = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/;
+ my $apps_openssl = shift @ARGV;
+-my $YEAR         = [localtime()]->[5] + 1900;
++my $YEAR         = [gmtime()]->[5] + 1900;
++if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
++    $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH})]->[5] + 1900;
++}
+ 
+ # because the program apps/openssl has object files as sources, and
+ # they then have the corresponding C files as source, we need to chain
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
index 9412b19fa5..bf7cd6527e 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
@@ -17,6 +17,7 @@  SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
            file://reproducible.patch \
+           file://reproducibility.patch \
            "
 
 SRC_URI_append_class-nativesdk = " \