From f9c22c7139bba55cca090af1249be79f5a5cb795 Mon Sep 17 00:00:00 2001
From: liuh-80
Date: Tue, 21 Jan 2025 10:59:14 +0000
Subject: [PATCH 01/15] Remove krb5
---
 .gitmodules | 3 ---
 src/krb5 | 1 -
 2 files changed, 4 deletions(-)
 delete mode 160000 src/krb5
diff --git a/.gitmodules b/.gitmodules
index a081633..e04516d 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -19,9 +19,6 @@
 [submodule "src/openssl"]
 path = src/openssl
 url = https://salsa.debian.org/debian/openssl
-[submodule "src/krb5"]
- path = src/krb5
- url = https://salsa.debian.org/debian/krb5
 [submodule "src/golang-fips"]
 path = src/golang-fips
 url = https://github.com/golang-fips/go
diff --git a/src/krb5 b/src/krb5
deleted file mode 160000
index 029c5a9..0000000
--- a/src/krb5
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 029c5a9be085fa52bca8805936b0738f00cfea42
From 4fb9414048ad1af403bd25b2c003b0cfe7e16a7d Mon Sep 17 00:00:00 2001
From: liuh-80
Date: Tue, 21 Jan 2025 10:59:35 +0000
Subject: [PATCH 02/15] Remove openssl
---
 .gitmodules | 3 ---
 src/openssl | 1 -
 2 files changed, 4 deletions(-)
 delete mode 160000 src/openssl
diff --git a/.gitmodules b/.gitmodules
index e04516d..5e1a534 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -16,9 +16,6 @@
 [submodule "src/golang-debian"]
 path = src/golang-debian
 url = https://salsa.debian.org/go-team/compiler/golang.git
-[submodule "src/openssl"]
- path = src/openssl
- url = https://salsa.debian.org/debian/openssl
 [submodule "src/golang-fips"]
 path = src/golang-fips
 url = https://github.com/golang-fips/go
diff --git a/src/openssl b/src/openssl
deleted file mode 160000
index 5790e8c..0000000
--- a/src/openssl
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 5790e8c060c75afd07082067e752df8d291ca116
From 582bbd192ff6a1f0963feec1974f537028132fbb Mon Sep 17 00:00:00 2001
From: liuh-80 Date: Tue, 21 Jan 2025 11:01:34 +0000 Subject: [PATCH 03/15] Download and build from debian source code --- rules/krb5.mk | 9 +++++++-- rules/openssl.mk | 10 +++++++--- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/rules/krb5.mk b/rules/krb5.mk index 05dfced..00de4c4 100644 --- a/rules/krb5.mk +++ b/rules/krb5.mk @@ -1,9 +1,14 @@ # krb5 -KRB5_VERSION = 1.20.1-2+deb12u1 +KRB5_VERSION_MAIN = 1.20.1-2 +KRB5_VERSION_FULL = $(KRB5_VERSION_MAIN)+deb12u2 KRB5_VERSION_FIPS = $(KRB5_VERSION)+fips KRB5 = libk5crypto3_$(KRB5_VERSION_FIPS)_$(ARCH).deb $(KRB5)_SRC_PATH = $(SRC_PATH)/krb5 +# Download krb5 code +$(KRB5)_PRE_SCRIPT = rm -rf $(KRB5_SRC_PATH);dget -u http://deb.debian.org/debian/pool/main/k/krb5/krb5_$(KRB5_VERSION_FULL).dsc;mv ./krb5-$(KRB5_VERSION_MAIN) $(KRB5_SRC_PATH); + + MAIN_TARGETS += $(KRB5) -$(KRB5)_DERIVED_DEBS = +$(KRB5)_DERIVED_DEBS = \ No newline at end of file diff --git a/rules/openssl.mk b/rules/openssl.mk index 289b1d8..f88b84f 100644 --- a/rules/openssl.mk +++ b/rules/openssl.mk 
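Review bot: The added `$(KRB5)_PRE_SCRIPT` line downloads the krb5 source with `dget -u` from an `http://` URL; `-u` (`--allow-unauthenticated`) skips the dscverify signature check, so nothing in the build authenticates the source the FIPS package is built from, whereas the submodule removed in patch 01 was pinned to a commit id. Drop `-u` and make the Debian keyring available on the builder, or check the downloaded `.dsc` against a SHA-256 recorded next to `KRB5_VERSION_FULL` before the `mv`, and fetch over `https://`. The same applies to the `$(OPENSSL)_PRE_SCRIPT` line in rules/openssl.mk in this patch and to the later revisions of both lines; patch 15 in particular switches krb5 back from `-x` to `-u`. Separately, within this hunk the context line `KRB5_VERSION_FIPS = $(KRB5_VERSION)+fips` still reads the variable the hunk deletes, and `$(KRB5_SRC_PATH)` is not the name assigned above (`$(KRB5)_SRC_PATH`), so `rm -rf` and `mv` receive an empty argument as written here.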
@@ -1,13 +1,17 @@ # openssl -OPENSSL_VERSION = 3.0.11-1~deb12u2 -OPENSSL_VERSION_FIPS = $(OPENSSL_VERSION)+fips +OPENSSL_VERSION_MAIN = 3.0.15-1~deb12u1 +OPENSSL_VERSION_FULL = $(OPENSSL_VERSION_MAIN)-1~deb12u1 +OPENSSL_VERSION_FIPS = $(OPENSSL_VERSION_FULL)+fips OPENSSL = openssl_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_SRC_PATH = $(SRC_PATH)/openssl +# Download openssl code +$(OPENSSL)_PRE_SCRIPT = rm -rf $(OPENSSL)_SRC_PATH;dget -u http://deb.debian.org/debian/pool/main/o/openssl/openssl_$(OPENSSL_VERSION_FULL).dsc;mv ./openssl-$(OPENSSL_VERSION_MAIN) $(OPENSSL)_SRC_PATH; + MAIN_TARGETS += $(OPENSSL) $(OPENSSL)_DERIVED_DEBS = libssl3_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_DERIVED_DEBS += libssl-dev_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_DERIVED_DEBS += openssl-dbgsym_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_DERIVED_DEBS += libssl3-dbgsym_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb -$(OPENSSL)_DERIVED_DEBS += libssl-doc_$(OPENSSL_VERSION_FIPS)_all.deb +$(OPENSSL)_DERIVED_DEBS += libssl-doc_$(OPENSSL_VERSION_FIPS)_all.deb \ No newline at end of file From 29b26f555dd4ec43aa274b7337ba543eba591bee Mon Sep 17 00:00:00 2001 From: liuh-80 Date: Tue, 21 Jan 2025 11:15:16 +0000 Subject: [PATCH 04/15] Fix script --- rules/krb5.mk | 9 +++++---- rules/openssl.mk | 5 +++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/rules/krb5.mk b/rules/krb5.mk index 00de4c4..c52d9b1 100644 --- a/rules/krb5.mk +++ b/rules/krb5.mk 
@@ -1,13 +1,14 @@ # krb5 -KRB5_VERSION_MAIN = 1.20.1-2 -KRB5_VERSION_FULL = $(KRB5_VERSION_MAIN)+deb12u2 -KRB5_VERSION_FIPS = $(KRB5_VERSION)+fips +KRB5_VERSION_MAIN = 1.20.1 +KRB5_VERSION_FULL = $(KRB5_VERSION_MAIN)-2+deb12u2 +KRB5_VERSION_FIPS = $(KRB5_VERSION_FULL)+fips KRB5 = libk5crypto3_$(KRB5_VERSION_FIPS)_$(ARCH).deb $(KRB5)_SRC_PATH = $(SRC_PATH)/krb5 +KERB5_DST_PATH = krb5-$(KRB5_VERSION_MAIN) # Download krb5 code -$(KRB5)_PRE_SCRIPT = rm -rf $(KRB5_SRC_PATH);dget -u http://deb.debian.org/debian/pool/main/k/krb5/krb5_$(KRB5_VERSION_FULL).dsc;mv ./krb5-$(KRB5_VERSION_MAIN) $(KRB5_SRC_PATH); +$(KRB5)_PRE_SCRIPT = rm -rf $(KERB5_DST_PATH);rm -rf $(SRC_PATH)/krb5;dget -u http://deb.debian.org/debian/pool/main/k/krb5/krb5_$(KRB5_VERSION_FULL).dsc;mv $(KERB5_DST_PATH) $(SRC_PATH)/krb5; MAIN_TARGETS += $(KRB5) diff --git a/rules/openssl.mk b/rules/openssl.mk index f88b84f..e013bc1 100644 --- a/rules/openssl.mk +++ b/rules/openssl.mk @@ -1,13 +1,14 @@ # openssl -OPENSSL_VERSION_MAIN = 3.0.15-1~deb12u1 +OPENSSL_VERSION_MAIN = 3.0.15 OPENSSL_VERSION_FULL = $(OPENSSL_VERSION_MAIN)-1~deb12u1 OPENSSL_VERSION_FIPS = $(OPENSSL_VERSION_FULL)+fips OPENSSL = openssl_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_SRC_PATH = $(SRC_PATH)/openssl +OPENSSL_DST_PATH = krb5-$(KRB5_VERSION_MAIN) # Download openssl code -$(OPENSSL)_PRE_SCRIPT = rm -rf $(OPENSSL)_SRC_PATH;dget -u http://deb.debian.org/debian/pool/main/o/openssl/openssl_$(OPENSSL_VERSION_FULL).dsc;mv ./openssl-$(OPENSSL_VERSION_MAIN) $(OPENSSL)_SRC_PATH; +$(OPENSSL)_PRE_SCRIPT = rm -rf $(OPENSSL_DST_PATH);rm -rf $(SRC_PATH)/openssl;dget -u http://deb.debian.org/debian/pool/main/o/openssl/openssl_$(OPENSSL_VERSION_FULL).dsc;mv $(OPENSSL_DST_PATH) $(SRC_PATH)/openssl; MAIN_TARGETS += $(OPENSSL) $(OPENSSL)_DERIVED_DEBS = libssl3_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb From 8cad4808e51272b206b97f1dfee64f577efb3a6d Mon Sep 17 00:00:00 2001 
From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Tue, 21 Jan 2025 21:01:55 +0800 Subject: [PATCH 05/15] Update install-packages.sh --- .azure-pipelines/install-packages.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.azure-pipelines/install-packages.sh b/.azure-pipelines/install-packages.sh index bf49d5d..cd5538d 100755 --- a/.azure-pipelines/install-packages.sh +++ b/.azure-pipelines/install-packages.sh @@ -12,6 +12,9 @@ sudo apt-get install -y dh-exec dh-runit libaudit-dev libedit-dev libfido2-dev l sudo apt-get install -y libwrap0-dev pkg-config sudo apt-get install -y libpam-dev libselinux1-dev libsystemd-dev libwrap0-dev +# Install dget for download debian package source code +sudo apt-get install -y devscripts + # Build Golang sudo apt-get install -y golang From 958ec40d105447dab73468144eedb7e4aa1f0e31 Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Wed, 22 Jan 2025 09:06:20 +0800 Subject: [PATCH 06/15] Update build-template.yml --- .azure-pipelines/build-template.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.azure-pipelines/build-template.yml b/.azure-pipelines/build-template.yml index fc69947..3a5894c 100644 --- a/.azure-pipelines/build-template.yml +++ b/.azure-pipelines/build-template.yml @@ -62,6 +62,9 @@ jobs: sudo pip3 install --break-system-packages blurb + # Install dget for download debian package source code + sudo apt-get install -y devscripts + mkdir -p $(Pipeline.Workspace)/target displayName: 'Install packages' - checkout: self From 8bdddff4e12657b18613a741be6c7c5e041625f1 Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Wed, 22 Jan 2025 10:17:47 +0800 Subject: [PATCH 07/15] Update openssl.mk --- rules/openssl.mk | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/openssl.mk b/rules/openssl.mk index e013bc1..82f4a6f 100644 --- a/rules/openssl.mk +++ b/rules/openssl.mk 
@@ -5,7 +5,7 @@ OPENSSL_VERSION_FULL = $(OPENSSL_VERSION_MAIN)-1~deb12u1 OPENSSL_VERSION_FIPS = $(OPENSSL_VERSION_FULL)+fips OPENSSL = openssl_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_SRC_PATH = $(SRC_PATH)/openssl -OPENSSL_DST_PATH = krb5-$(KRB5_VERSION_MAIN) +OPENSSL_DST_PATH = openssl-$(OPENSSL_VERSION_MAIN) # Download openssl code $(OPENSSL)_PRE_SCRIPT = rm -rf $(OPENSSL_DST_PATH);rm -rf $(SRC_PATH)/openssl;dget -u http://deb.debian.org/debian/pool/main/o/openssl/openssl_$(OPENSSL_VERSION_FULL).dsc;mv $(OPENSSL_DST_PATH) $(SRC_PATH)/openssl; @@ -15,4 +15,4 @@ $(OPENSSL)_DERIVED_DEBS = libssl3_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_DERIVED_DEBS += libssl-dev_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_DERIVED_DEBS += openssl-dbgsym_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_DERIVED_DEBS += libssl3-dbgsym_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb -$(OPENSSL)_DERIVED_DEBS += libssl-doc_$(OPENSSL_VERSION_FIPS)_all.deb \ No newline at end of file +$(OPENSSL)_DERIVED_DEBS += libssl-doc_$(OPENSSL_VERSION_FIPS)_all.deb From 16a1955248849a5f6143a8fffcf68fc2201330ba Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Wed, 22 Jan 2025 16:33:24 +0800 Subject: [PATCH 08/15] Update Makefile --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index c75ec32..1aab2e7 100644 --- a/Makefile +++ b/Makefile 
@@ -45,7 +45,7 @@ $(addprefix $(TARGET_PATH)/, $(MAIN_TARGETS)) : $(TARGET_PATH)/% : $$(addprefix # Copy debian folder if [ -n "$($*_DEBIAN)" ]; then mkdir -p $($*_SRC_PATH)/debian; cp $($*_DEBIAN)/* -rf $($*_SRC_PATH)/debian/; fi # Apply series of patches if exist - if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a && mv .pc .pc1; popd; fi + if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && rm -rf .pc && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a && mv .pc .pc1; popd; fi if [ -n "$($*_PATCH_EXT)" ]; then pushd $($*_SRC_PATH); QUILT_PATCHES=$($*_PATCH_EXT) quilt push -a && mv .pc .pc2; popd; fi # Merge the debian patches if not applied if [ -f $($*_SRC_PATH).patch/debian.patch/series ]; then From b50bab93e377e25c26876d4ef7b54a53c9991210 Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Thu, 23 Jan 2025 09:08:14 +0800 Subject: [PATCH 09/15] Refactor Makefile and related scripts. --- .azure-pipelines/build-template.yml | 4 ---- Makefile | 2 +- rules/krb5.mk | 7 +++++-- rules/openssl.mk | 6 +++++- 4 files changed, 11 insertions(+), 8 deletions(-) diff --git a/.azure-pipelines/build-template.yml b/.azure-pipelines/build-template.yml index 3a5894c..6946c06 100644 --- a/.azure-pipelines/build-template.yml +++ b/.azure-pipelines/build-template.yml @@ -99,10 +99,6 @@ jobs: echo 40-Modify-tests-with-unsupported-behavior.patch >> src/openssl.patch/series openssl engine -v | grep -i symcrypt openssl list --providers | grep -i symcrypt - pushd src/openssl - git clean -xdf - git checkout -- . - popd ARCH=${{ parameters.arch }} TARGET_PATH=target-test make openssl echo 0 | sudo tee /etc/fips/fips_enable diff --git a/Makefile b/Makefile index 1aab2e7..c75ec32 100644 --- a/Makefile +++ b/Makefile 
@@ -45,7 +45,7 @@ $(addprefix $(TARGET_PATH)/, $(MAIN_TARGETS)) : $(TARGET_PATH)/% : $$(addprefix # Copy debian folder if [ -n "$($*_DEBIAN)" ]; then mkdir -p $($*_SRC_PATH)/debian; cp $($*_DEBIAN)/* -rf $($*_SRC_PATH)/debian/; fi # Apply series of patches if exist - if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && rm -rf .pc && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a && mv .pc .pc1; popd; fi + if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a && mv .pc .pc1; popd; fi if [ -n "$($*_PATCH_EXT)" ]; then pushd $($*_SRC_PATH); QUILT_PATCHES=$($*_PATCH_EXT) quilt push -a && mv .pc .pc2; popd; fi # Merge the debian patches if not applied if [ -f $($*_SRC_PATH).patch/debian.patch/series ]; then diff --git a/rules/krb5.mk b/rules/krb5.mk index c52d9b1..102bfa7 100644 --- a/rules/krb5.mk +++ b/rules/krb5.mk @@ -8,8 +8,11 @@ $(KRB5)_SRC_PATH = $(SRC_PATH)/krb5 KERB5_DST_PATH = krb5-$(KRB5_VERSION_MAIN) # Download krb5 code -$(KRB5)_PRE_SCRIPT = rm -rf $(KERB5_DST_PATH);rm -rf $(SRC_PATH)/krb5;dget -u http://deb.debian.org/debian/pool/main/k/krb5/krb5_$(KRB5_VERSION_FULL).dsc;mv $(KERB5_DST_PATH) $(SRC_PATH)/krb5; - +$(KRB5)_PRE_SCRIPT = rm -rf $(KERB5_DST_PATH); \ + rm -rf $(SRC_PATH)/krb5; \ + dget -x http://deb.debian.org/debian/pool/main/k/krb5/krb5_$(KRB5_VERSION_FULL).dsc; \ + mv $(KERB5_DST_PATH) $(SRC_PATH)/krb5; \ + rm -rf $(SRC_PATH)/krb5/.pc; MAIN_TARGETS += $(KRB5) $(KRB5)_DERIVED_DEBS = \ No newline at end of file diff --git a/rules/openssl.mk b/rules/openssl.mk index 82f4a6f..418ed81 100644 --- a/rules/openssl.mk +++ b/rules/openssl.mk 
@@ -8,7 +8,11 @@ $(OPENSSL)_SRC_PATH = $(SRC_PATH)/openssl OPENSSL_DST_PATH = openssl-$(OPENSSL_VERSION_MAIN) # Download openssl code -$(OPENSSL)_PRE_SCRIPT = rm -rf $(OPENSSL_DST_PATH);rm -rf $(SRC_PATH)/openssl;dget -u http://deb.debian.org/debian/pool/main/o/openssl/openssl_$(OPENSSL_VERSION_FULL).dsc;mv $(OPENSSL_DST_PATH) $(SRC_PATH)/openssl; +$(OPENSSL)_PRE_SCRIPT = rm -rf $(OPENSSL_DST_PATH); \ + rm -rf $(SRC_PATH)/openssl; \ + dget -u http://deb.debian.org/debian/pool/main/o/openssl/openssl_$(OPENSSL_VERSION_FULL).dsc; \ + mv $(OPENSSL_DST_PATH) $(SRC_PATH)/openssl; \ + rm -rf $(SRC_PATH)/openssl/.pc; MAIN_TARGETS += $(OPENSSL) $(OPENSSL)_DERIVED_DEBS = libssl3_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb From a4c690957fa7914f7642b99f3d66dfde71b288dd Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Thu, 23 Jan 2025 09:16:40 +0800 Subject: [PATCH 10/15] Update test-multiarch.sh --- .azure-pipelines/test-multiarch.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.azure-pipelines/test-multiarch.sh b/.azure-pipelines/test-multiarch.sh index 657a102..33690cd 100755 --- a/.azure-pipelines/test-multiarch.sh +++ b/.azure-pipelines/test-multiarch.sh @@ -23,12 +23,6 @@ sudo mkdir -p /etc/fips echo 1 | sudo tee /etc/fips/fips_enable openssl engine -v | grep -i symcrypt -# Cleanup OpenSSL source folder -pushd src/openssl -git clean -xdf -git checkout -- . -popd - # Build the OpenSSL again with SymCrypt enabled rm -f src/openssl/test/recipes/30-test_afalg.t echo 40-Modify-tests-with-unsupported-behavior.patch >> src/openssl.patch/series From cf8046125ebeb6f02cf3e78013a70653d56bdca8 Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Thu, 23 Jan 2025 14:30:08 +0800 Subject: [PATCH 11/15] Add Debian patch application logic --- Makefile | 15 +++++++++++++-- rules/krb5.mk | 3 +++ rules/openssl.mk | 3 +++ 3 files changed, 19 insertions(+), 2 deletions(-) 
diff --git a/Makefile b/Makefile index c75ec32..623abdb 100644 --- a/Makefile +++ b/Makefile @@ -47,15 +47,26 @@ $(addprefix $(TARGET_PATH)/, $(MAIN_TARGETS)) : $(TARGET_PATH)/% : $$(addprefix # Apply series of patches if exist if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a && mv .pc .pc1; popd; fi if [ -n "$($*_PATCH_EXT)" ]; then pushd $($*_SRC_PATH); QUILT_PATCHES=$($*_PATCH_EXT) quilt push -a && mv .pc .pc2; popd; fi - # Merge the debian patches if not applied + + # Merge the debian patches if [ -f $($*_SRC_PATH).patch/debian.patch/series ]; then LAST_PATCH=$$(tail -n1 $($*_SRC_PATH).patch/debian.patch/series) if ! grep -q $$LAST_PATCH $($*_SRC_PATH)/debian/patches/series 2>/dev/null; then echo "Applying patches for $($*_SRC_PATH)/debian/patches/" - cat $($*_SRC_PATH).patch/debian.patch/series >> $($*_SRC_PATH)/debian/patches/series cp $($*_SRC_PATH).patch/debian.patch/*.patch $($*_SRC_PATH)/debian/patches/ + if [ "$($*_DEBIAN_PATCH_APPLIED)" == true ]; then + # Debian offical patches already applied, copy and apply SONiC patches + cp $($*_SRC_PATH).patch/debian.patch/series $($*_SRC_PATH)/debian/patches/series + pushd $($*_SRC_PATH) + QUILT_PATCHES=debian/patches quilt push -a + popd + else + # Debian offical patches not applied, copy and append SONiC patches + cat $($*_SRC_PATH).patch/debian.patch/series >> $($*_SRC_PATH)/debian/patches/series + fi fi fi + if [ -n "$($*_MAKEFILE)" ]; then $($*_BUILD_OPTIONS) make -C $($*_SRC_PATH) -f $($*_MAKEFILE) $(DEST)/$* | tee $(DEST)/$*.log elif [ -f $($*_SRC_PATH)/debian/control ]; then diff --git a/rules/krb5.mk b/rules/krb5.mk index 102bfa7..d07a792 100644 --- a/rules/krb5.mk +++ b/rules/krb5.mk 
@@ -14,5 +14,8 @@ $(KRB5)_PRE_SCRIPT = rm -rf $(KERB5_DST_PATH); \ mv $(KERB5_DST_PATH) $(SRC_PATH)/krb5; \ rm -rf $(SRC_PATH)/krb5/.pc; +# Download with dget will apply all debian patch +$(KRB5)_DEBIAN_PATCH_APPLIED = true + MAIN_TARGETS += $(KRB5) $(KRB5)_DERIVED_DEBS = \ No newline at end of file diff --git a/rules/openssl.mk b/rules/openssl.mk index 418ed81..0908803 100644 --- a/rules/openssl.mk +++ b/rules/openssl.mk @@ -14,6 +14,9 @@ $(OPENSSL)_PRE_SCRIPT = rm -rf $(OPENSSL_DST_PATH); \ mv $(OPENSSL_DST_PATH) $(SRC_PATH)/openssl; \ rm -rf $(SRC_PATH)/openssl/.pc; +# Download with dget will apply all debian patch +$(OPENSSL)_DEBIAN_PATCH_APPLIED = true + MAIN_TARGETS += $(OPENSSL) $(OPENSSL)_DERIVED_DEBS = libssl3_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_DERIVED_DEBS += libssl-dev_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb From 0bcd6025a24763d36de5b670d8d06027d1a90905 Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Thu, 23 Jan 2025 15:42:24 +0800 Subject: [PATCH 12/15] Update 40-Modify-tests-with-unsupported-behavior.patch --- ...dify-tests-with-unsupported-behavior.patch | 206 +++++++++--------- 1 file changed, 106 insertions(+), 100 deletions(-) diff --git a/src/openssl.patch/40-Modify-tests-with-unsupported-behavior.patch b/src/openssl.patch/40-Modify-tests-with-unsupported-behavior.patch index 5de1079..fa5b1bc 100644 --- a/src/openssl.patch/40-Modify-tests-with-unsupported-behavior.patch +++ b/src/openssl.patch/40-Modify-tests-with-unsupported-behavior.patch @@ -103,10 +103,10 @@ diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index 1aabfef893b08..fb817f155f68f 100644 --- a/test/evp_pkey_provided_test.c 
+++ b/test/evp_pkey_provided_test.c -@@ -346,102 +346,102 @@ static int test_print_key_using_encoder_public(const char *alg, +@@ -346,105 +346,105 @@ static int test_print_key_using_encoder_public(const char *alg, #define DQ 6 #define QINV 7 - + -static int test_fromdata_rsa(void) -{ - int ret = 0, i; @@ -150,7 +150,7 @@ index 1aabfef893b08..fb817f155f68f 100644 - fromdata_params), 1)) - goto err; - -- while (dup_pk == NULL) { +- for (;;) { - ret = 0; - if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 32) - || !TEST_int_eq(EVP_PKEY_get_security_bits(pk), 8) @@ -178,7 +178,10 @@ index 1aabfef893b08..fb817f155f68f 100644 - ret = test_print_key_using_pem("RSA", pk) - && test_print_key_using_encoder("RSA", pk); - -- if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) +- if (!ret || dup_pk != NULL) +- break; +- +- if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) - goto err; - ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); - EVP_PKEY_free(pk); 
@@ -203,102 +206,105 @@ index 1aabfef893b08..fb817f155f68f 100644 - - return ret; -} -+// static int test_fromdata_rsa(void) -+// { -+// int ret = 0, i; -+// EVP_PKEY_CTX *ctx = NULL, *key_ctx = NULL; -+// EVP_PKEY *pk = NULL, *copy_pk = NULL, *dup_pk = NULL; -+// /* -+// * 32-bit RSA key, extracted from this command, -+// * executed with OpenSSL 1.0.2: -+// * -+// * openssl genrsa 32 | openssl rsa -text -+// */ -+// static unsigned long key_numbers[] = { -+// 0xbc747fc5, /* N */ -+// 0x10001, /* E */ -+// 0x7b133399, /* D */ -+// 0xe963, /* P */ -+// 0xceb7, /* Q */ -+// 0x8599, /* DP */ -+// 0xbd87, /* DQ */ -+// 0xcc3b, /* QINV */ -+// }; -+// OSSL_PARAM fromdata_params[] = { -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_N, &key_numbers[N]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_E, &key_numbers[E]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_D, &key_numbers[D]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_FACTOR1, &key_numbers[P]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_FACTOR2, &key_numbers[Q]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_EXPONENT1, &key_numbers[DP]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_EXPONENT2, &key_numbers[DQ]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &key_numbers[QINV]), -+// OSSL_PARAM_END -+// }; -+// BIGNUM *bn = BN_new(); -+// BIGNUM *bn_from = BN_new(); -+ -+// if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL))) -+// goto err; -+ -+// if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) -+// || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, -+// fromdata_params), 1)) -+// goto err; -+ -+// while (dup_pk == NULL) { -+// ret = 0; -+// if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 32) -+// || !TEST_int_eq(EVP_PKEY_get_security_bits(pk), 8) -+// || !TEST_int_eq(EVP_PKEY_get_size(pk), 4) -+// || !TEST_false(EVP_PKEY_missing_parameters(pk))) -+// goto err; -+ -+// EVP_PKEY_CTX_free(key_ctx); -+// if (!TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pk, ""))) -+// goto err; -+ -+// if 
(!TEST_int_gt(EVP_PKEY_check(key_ctx), 0) -+// || !TEST_int_gt(EVP_PKEY_public_check(key_ctx), 0) -+// || !TEST_int_gt(EVP_PKEY_private_check(key_ctx), 0) -+// || !TEST_int_gt(EVP_PKEY_pairwise_check(key_ctx), 0)) -+// goto err; -+ -+// /* EVP_PKEY_copy_parameters() should fail for RSA */ -+// if (!TEST_ptr(copy_pk = EVP_PKEY_new()) -+// || !TEST_false(EVP_PKEY_copy_parameters(copy_pk, pk))) -+// goto err; -+// EVP_PKEY_free(copy_pk); -+// copy_pk = NULL; -+ -+// ret = test_print_key_using_pem("RSA", pk) -+// && test_print_key_using_encoder("RSA", pk); -+ -+// if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) -+// goto err; -+// ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); -+// EVP_PKEY_free(pk); -+// pk = dup_pk; -+// if (!ret) -+// goto err; -+// } -+// err: -+// /* for better diagnostics always compare key params */ -+// for (i = 0; fromdata_params[i].key != NULL; ++i) { -+// if (!TEST_true(BN_set_word(bn_from, key_numbers[i])) -+// || !TEST_true(EVP_PKEY_get_bn_param(pk, fromdata_params[i].key, &bn)) -+// || !TEST_BN_eq(bn, bn_from)) -+// ret = 0; -+// } -+// BN_free(bn_from); -+// BN_free(bn); -+// EVP_PKEY_free(pk); -+// EVP_PKEY_free(copy_pk); -+// EVP_PKEY_CTX_free(key_ctx); -+// EVP_PKEY_CTX_free(ctx); -+ -+// return ret; -+// } ++//static int test_fromdata_rsa(void) ++//{ ++// int ret = 0, i; ++// EVP_PKEY_CTX *ctx = NULL, *key_ctx = NULL; ++// EVP_PKEY *pk = NULL, *copy_pk = NULL, *dup_pk = NULL; ++// /* ++// * 32-bit RSA key, extracted from this command, ++// * executed with OpenSSL 1.0.2: ++// * ++// * openssl genrsa 32 | openssl rsa -text ++// */ ++// static unsigned long key_numbers[] = { ++// 0xbc747fc5, /* N */ ++// 0x10001, /* E */ ++// 0x7b133399, /* D */ ++// 0xe963, /* P */ ++// 0xceb7, /* Q */ ++// 0x8599, /* DP */ ++// 0xbd87, /* DQ */ ++// 0xcc3b, /* QINV */ ++// }; ++// OSSL_PARAM fromdata_params[] = { ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_N, &key_numbers[N]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_E, &key_numbers[E]), ++// 
OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_D, &key_numbers[D]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_FACTOR1, &key_numbers[P]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_FACTOR2, &key_numbers[Q]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_EXPONENT1, &key_numbers[DP]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_EXPONENT2, &key_numbers[DQ]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &key_numbers[QINV]), ++// OSSL_PARAM_END ++// }; ++// BIGNUM *bn = BN_new(); ++// BIGNUM *bn_from = BN_new(); ++// ++// if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL))) ++// goto err; ++// ++// if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) ++// || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, ++// fromdata_params), 1)) ++// goto err; ++// ++// for (;;) { ++// ret = 0; ++// if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 32) ++// || !TEST_int_eq(EVP_PKEY_get_security_bits(pk), 8) ++// || !TEST_int_eq(EVP_PKEY_get_size(pk), 4) ++// || !TEST_false(EVP_PKEY_missing_parameters(pk))) ++// goto err; ++// ++// EVP_PKEY_CTX_free(key_ctx); ++// if (!TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pk, ""))) ++// goto err; ++// ++// if (!TEST_int_gt(EVP_PKEY_check(key_ctx), 0) ++// || !TEST_int_gt(EVP_PKEY_public_check(key_ctx), 0) ++// || !TEST_int_gt(EVP_PKEY_private_check(key_ctx), 0) ++// || !TEST_int_gt(EVP_PKEY_pairwise_check(key_ctx), 0)) ++// goto err; ++// ++// /* EVP_PKEY_copy_parameters() should fail for RSA */ ++// if (!TEST_ptr(copy_pk = EVP_PKEY_new()) ++// || !TEST_false(EVP_PKEY_copy_parameters(copy_pk, pk))) ++// goto err; ++// EVP_PKEY_free(copy_pk); ++// copy_pk = NULL; ++// ++// ret = test_print_key_using_pem("RSA", pk) ++// && test_print_key_using_encoder("RSA", pk); ++// ++// if (!ret || dup_pk != NULL) ++// break; ++// ++// if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) ++// goto err; ++// ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); ++// EVP_PKEY_free(pk); ++// pk = dup_pk; ++// if (!ret) ++// goto err; ++// } ++// err: ++// /* 
for better diagnostics always compare key params */ ++// for (i = 0; fromdata_params[i].key != NULL; ++i) { ++// if (!TEST_true(BN_set_word(bn_from, key_numbers[i])) ++// || !TEST_true(EVP_PKEY_get_bn_param(pk, fromdata_params[i].key, &bn)) ++// || !TEST_BN_eq(bn, bn_from)) ++// ret = 0; ++// } ++// BN_free(bn_from); ++// BN_free(bn); ++// EVP_PKEY_free(pk); ++// EVP_PKEY_free(copy_pk); ++// EVP_PKEY_CTX_free(key_ctx); ++// EVP_PKEY_CTX_free(ctx); ++// ++// return ret; ++//} static int test_evp_pkey_get_bn_param_large(void) { From 41af102717a804e0b42814b00b02ec33f2fb71fd Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:47:24 +0800 Subject: [PATCH 13/15] Refactor patch application and cleanup process --- Makefile | 15 ++------------- rules/krb5.mk | 8 ++++---- rules/openssl.mk | 10 +++++----- 3 files changed, 11 insertions(+), 22 deletions(-) diff --git a/Makefile b/Makefile index 623abdb..4965721 100644 --- a/Makefile +++ b/Makefile 
@@ -47,26 +47,15 @@ $(addprefix $(TARGET_PATH)/, $(MAIN_TARGETS)) : $(TARGET_PATH)/% : $$(addprefix # Apply series of patches if exist if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a && mv .pc .pc1; popd; fi if [ -n "$($*_PATCH_EXT)" ]; then pushd $($*_SRC_PATH); QUILT_PATCHES=$($*_PATCH_EXT) quilt push -a && mv .pc .pc2; popd; fi - - # Merge the debian patches + # Merge the debian patches if not applied if [ -f $($*_SRC_PATH).patch/debian.patch/series ]; then LAST_PATCH=$$(tail -n1 $($*_SRC_PATH).patch/debian.patch/series) if ! grep -q $$LAST_PATCH $($*_SRC_PATH)/debian/patches/series 2>/dev/null; then echo "Applying patches for $($*_SRC_PATH)/debian/patches/" + cat $($*_SRC_PATH).patch/debian.patch/series >> $($*_SRC_PATH)/debian/patches/series cp $($*_SRC_PATH).patch/debian.patch/*.patch $($*_SRC_PATH)/debian/patches/ - if [ "$($*_DEBIAN_PATCH_APPLIED)" == true ]; then - # Debian offical patches already applied, copy and apply SONiC patches - cp $($*_SRC_PATH).patch/debian.patch/series $($*_SRC_PATH)/debian/patches/series - pushd $($*_SRC_PATH) - QUILT_PATCHES=debian/patches quilt push -a - popd - else - # Debian offical patches not applied, copy and append SONiC patches - cat $($*_SRC_PATH).patch/debian.patch/series >> $($*_SRC_PATH)/debian/patches/series - fi fi fi - if [ -n "$($*_MAKEFILE)" ]; then $($*_BUILD_OPTIONS) make -C $($*_SRC_PATH) -f $($*_MAKEFILE) $(DEST)/$* | tee $(DEST)/$*.log elif [ -f $($*_SRC_PATH)/debian/control ]; then diff --git a/rules/krb5.mk b/rules/krb5.mk index d07a792..29c46a2 100644 --- a/rules/krb5.mk +++ b/rules/krb5.mk 
@@ -12,10 +12,10 @@ $(KRB5)_PRE_SCRIPT = rm -rf $(KERB5_DST_PATH); \ rm -rf $(SRC_PATH)/krb5; \ dget -x http://deb.debian.org/debian/pool/main/k/krb5/krb5_$(KRB5_VERSION_FULL).dsc; \ mv $(KERB5_DST_PATH) $(SRC_PATH)/krb5; \ - rm -rf $(SRC_PATH)/krb5/.pc; - -# Download with dget will apply all debian patch -$(KRB5)_DEBIAN_PATCH_APPLIED = true + pushd $(SRC_PATH)/krb5; \ + quilt pop -a -f; \ + rm -rf .pc; \ + popd; MAIN_TARGETS += $(KRB5) $(KRB5)_DERIVED_DEBS = \ No newline at end of file diff --git a/rules/openssl.mk b/rules/openssl.mk index 0908803..002a33f 100644 --- a/rules/openssl.mk +++ b/rules/openssl.mk @@ -10,12 +10,12 @@ OPENSSL_DST_PATH = openssl-$(OPENSSL_VERSION_MAIN) # Download openssl code $(OPENSSL)_PRE_SCRIPT = rm -rf $(OPENSSL_DST_PATH); \ rm -rf $(SRC_PATH)/openssl; \ - dget -u http://deb.debian.org/debian/pool/main/o/openssl/openssl_$(OPENSSL_VERSION_FULL).dsc; \ + dget -d -u http://deb.debian.org/debian/pool/main/o/openssl/openssl_$(OPENSSL_VERSION_FULL).dsc; \ mv $(OPENSSL_DST_PATH) $(SRC_PATH)/openssl; \ - rm -rf $(SRC_PATH)/openssl/.pc; - -# Download with dget will apply all debian patch -$(OPENSSL)_DEBIAN_PATCH_APPLIED = true + pushd $(SRC_PATH)/openssl; \ + quilt pop -a -f; \ + rm -rf .pc; \ + popd; MAIN_TARGETS += $(OPENSSL) $(OPENSSL)_DERIVED_DEBS = libssl3_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb From 3e96867b400d871777030f1ff9e1c1fbe5c12254 Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:48:00 +0800 Subject: [PATCH 14/15] Fix indentation in Makefile --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 4965721..c75ec32 100644 --- a/Makefile +++ b/Makefile 
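Review bot: The rewritten `$(KRB5)_PRE_SCRIPT` joins every step with `;`, so a failed `dget` or `mv` does not stop the script: `pushd $(SRC_PATH)/krb5` then fails and `quilt pop -a -f; rm -rf .pc` run in whatever directory the build was started from. How the Makefile invokes `_PRE_SCRIPT` is not visible in this hunk, so this holds unless the recipe shell runs with `-e`. Chain the steps that must succeed with `&&`, for example `dget ... && mv $(KERB5_DST_PATH) $(SRC_PATH)/krb5 && pushd $(SRC_PATH)/krb5 && ...`, so that a download or unpack failure fails the target instead of building from a stale or missing tree. The `$(OPENSSL)_PRE_SCRIPT` hunk in rules/openssl.mk in this patch has the same shape, and its `dget -d -u` only downloads, which would leave the following `mv $(OPENSSL_DST_PATH)` with nothing to move.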
@@ -47,12 +47,12 @@ $(addprefix $(TARGET_PATH)/, $(MAIN_TARGETS)) : $(TARGET_PATH)/% : $$(addprefix # Apply series of patches if exist if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a && mv .pc .pc1; popd; fi if [ -n "$($*_PATCH_EXT)" ]; then pushd $($*_SRC_PATH); QUILT_PATCHES=$($*_PATCH_EXT) quilt push -a && mv .pc .pc2; popd; fi - # Merge the debian patches if not applied + # Merge the debian patches if not applied if [ -f $($*_SRC_PATH).patch/debian.patch/series ]; then LAST_PATCH=$$(tail -n1 $($*_SRC_PATH).patch/debian.patch/series) if ! grep -q $$LAST_PATCH $($*_SRC_PATH)/debian/patches/series 2>/dev/null; then echo "Applying patches for $($*_SRC_PATH)/debian/patches/" - cat $($*_SRC_PATH).patch/debian.patch/series >> $($*_SRC_PATH)/debian/patches/series + cat $($*_SRC_PATH).patch/debian.patch/series >> $($*_SRC_PATH)/debian/patches/series cp $($*_SRC_PATH).patch/debian.patch/*.patch $($*_SRC_PATH)/debian/patches/ fi fi From 10350e6ffdbe15d5be4f45a6993f333aadd898ee Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Thu, 23 Jan 2025 20:08:17 +0800 Subject: [PATCH 15/15] Update dget options in openssl and krb5 scripts --- rules/krb5.mk | 2 +- rules/openssl.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/krb5.mk b/rules/krb5.mk index 29c46a2..d577e3b 100644 --- a/rules/krb5.mk +++ b/rules/krb5.mk @@ -10,7 +10,7 @@ KERB5_DST_PATH = krb5-$(KRB5_VERSION_MAIN) # Download krb5 code $(KRB5)_PRE_SCRIPT = rm -rf $(KERB5_DST_PATH); \ rm -rf $(SRC_PATH)/krb5; \ - dget -x http://deb.debian.org/debian/pool/main/k/krb5/krb5_$(KRB5_VERSION_FULL).dsc; \ + dget -u http://deb.debian.org/debian/pool/main/k/krb5/krb5_$(KRB5_VERSION_FULL).dsc; \ mv $(KERB5_DST_PATH) $(SRC_PATH)/krb5; \ pushd $(SRC_PATH)/krb5; \ quilt pop -a -f; \ diff --git a/rules/openssl.mk b/rules/openssl.mk index 002a33f..d978a8c 100644 --- a/rules/openssl.mk 
+++ b/rules/openssl.mk @@ -10,7 +10,7 @@ OPENSSL_DST_PATH = openssl-$(OPENSSL_VERSION_MAIN) # Download openssl code $(OPENSSL)_PRE_SCRIPT = rm -rf $(OPENSSL_DST_PATH); \ rm -rf $(SRC_PATH)/openssl; \ - dget -d -u http://deb.debian.org/debian/pool/main/o/openssl/openssl_$(OPENSSL_VERSION_FULL).dsc; \ + dget -u http://deb.debian.org/debian/pool/main/o/openssl/openssl_$(OPENSSL_VERSION_FULL).dsc; \ mv $(OPENSSL_DST_PATH) $(SRC_PATH)/openssl; \ pushd $(SRC_PATH)/openssl; \ quilt pop -a -f; \