From 5a70e45b8c6cb0fa7ea4fe1b326ad604508d00cb Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@windriver.com>
Date: Wed, 24 Jun 2015 10:10:18 +0800
Subject: openssl: upgrade to 1.0.2c

upgrade to fix the CVE: CVE-2015-1788..CVE-2015-1792 and CVE-2014-8176
remove a backport patch
update the c_rehash-compat.patch

Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 ...lcl.h-fix-MIPS-specific-gcc-version-check.patch | 30 -----------
 .../openssl/openssl/debian/c_rehash-compat.patch   | 22 ++++----
 .../recipes-connectivity/openssl/openssl_1.0.2a.bb | 59 ----------------------
 .../recipes-connectivity/openssl/openssl_1.0.2c.bb | 58 +++++++++++++++++++++
 4 files changed, 67 insertions(+), 102 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-bn-bn_lcl.h-fix-MIPS-specific-gcc-version-check.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl_1.0.2a.bb
 create mode 100644 meta/recipes-connectivity/openssl/openssl_1.0.2c.bb

(limited to 'meta/recipes-connectivity/openssl')

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-bn-bn_lcl.h-fix-MIPS-specific-gcc-version-check.patch b/meta/recipes-connectivity/openssl/openssl/0001-bn-bn_lcl.h-fix-MIPS-specific-gcc-version-check.patch
deleted file mode 100644
index 7308f8fc3e..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/0001-bn-bn_lcl.h-fix-MIPS-specific-gcc-version-check.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 60c268b21ac81cc6b1af5c5470282a613b96f6fd Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Mon, 25 May 2015 10:17:14 +0200
-Subject: [PATCH] bn/bn_lcl.h: fix MIPS-specific gcc version check.
-
-RT#3859
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
----
-Upstream-Status: Backport
-
- crypto/bn/bn_lcl.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
-index 196df7e..b9d124a 100644
---- a/crypto/bn/bn_lcl.h
-+++ b/crypto/bn/bn_lcl.h
-@@ -443,7 +443,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
- #   endif
- #  elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
- #   if defined(__GNUC__) && __GNUC__>=2
--#    if __GNUC__>=4 && __GNUC_MINOR__>=4
-+#    if __GNUC__>4 || (__GNUC__>=4 && __GNUC_MINOR__>=4)
-                                      /* "h" constraint is no more since 4.4 */
- #     define BN_UMULT_HIGH(a,b)          (((__uint128_t)(a)*(b))>>64)
- #     define BN_UMULT_LOHI(low,high,a,b) ({     \
--- 
-2.1.4
-
diff --git a/meta/recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch b/meta/recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch
index 3943e2c2e7..68e54d561e 100644
--- a/meta/recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch
+++ b/meta/recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch
@@ -5,14 +5,10 @@ Subject: [PATCH] also create old hash for compatibility
 
 Upstream-Status: Backport [debian]
 
----
- tools/c_rehash.in |    8 +++++++-
- 1 files changed, 7 insertions(+), 1 deletions(-)
-
-Index: openssl-1.0.2~beta3/tools/c_rehash.in
-===================================================================
---- openssl-1.0.2~beta3.orig/tools/c_rehash.in
-+++ openssl-1.0.2~beta3/tools/c_rehash.in
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index b086ff9..b777d79 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
 @@ -8,8 +8,6 @@ my $prefix;
  
  my $openssl = $ENV{OPENSSL} || "openssl";
@@ -23,14 +19,14 @@ Index: openssl-1.0.2~beta3/tools/c_rehash.in
  my $symlink_exists=eval {symlink("",""); 1};
  my $removelinks = 1;
 @@ -18,10 +16,7 @@ my $removelinks = 1;
- while ( $ARGV[0] =~ '-.*' ) {
+ while ( $ARGV[0] =~ /^-/ ) {
      my $flag = shift @ARGV;
      last if ( $flag eq '--');
--    if ( $flag =~ /-old/) {
+-    if ( $flag eq '-old') {
 -	    $x509hash = "-subject_hash_old";
 -	    $crlhash = "-hash_old";
--    } elsif ( $flag =~ /-h/) {
-+    if ( $flag =~ /-h/) {
+-    } elsif ( $flag eq '-h') {
++    if ( $flag eq '-h') {
  	    help();
      } elsif ( $flag eq '-n' ) {
  	    $removelinks = 0;
@@ -52,7 +48,7 @@ Index: openssl-1.0.2~beta3/tools/c_rehash.in
  		$fname =~ s/'/'\\''/g;
  		my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
  		chomp $hash;
-@@ -177,10 +175,20 @@ sub link_hash_cert {
+@@ -176,11 +174,21 @@ sub link_hash_cert {
  		$hashlist{$hash} = $fprint;
  }
  
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2a.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2a.bb
deleted file mode 100644
index d7f0259683..0000000000
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2a.bb
+++ /dev/null
@@ -1,59 +0,0 @@
-require openssl.inc
-
-# For target side versions of openssl enable support for OCF Linux driver
-# if they are available.
-DEPENDS += "cryptodev-linux"
-
-CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8"
-
-export DIRS = "crypto ssl apps engines"
-export OE_LDFLAGS="${LDFLAGS}"
-
-SRC_URI += "file://configure-targets.patch \
-            file://shared-libs.patch \
-            file://oe-ldflags.patch \
-            file://engines-install-in-libdir-ssl.patch \
-            file://openssl-fix-link.patch \
-            file://debian1.0.2/block_diginotar.patch \
-            file://debian1.0.2/block_digicert_malaysia.patch \
-            file://debian/ca.patch \
-            file://debian/c_rehash-compat.patch \
-            file://debian/debian-targets.patch \
-            file://debian/man-dir.patch \
-            file://debian/man-section.patch \
-            file://debian/no-rpath.patch \
-            file://debian/no-symbolic.patch \
-            file://debian/pic.patch \
-            file://debian/version-script.patch \
-            file://openssl_fix_for_x32.patch \
-            file://fix-cipher-des-ede3-cfb1.patch \
-            file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
-            file://find.pl \
-            file://openssl-fix-des.pod-error.patch \
-            file://Makefiles-ptest.patch \
-            file://ptest-deps.patch \
-            file://run-ptest \
-            file://crypto_use_bigint_in_x86-64_perl.patch \
-            file://0001-bn-bn_lcl.h-fix-MIPS-specific-gcc-version-check.patch \
-            file://openssl-1.0.2a-x32-asm.patch \
-           "
-
-SRC_URI[md5sum] = "a06c547dac9044161a477211049f60ef"
-SRC_URI[sha256sum] = "15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a"
-
-PACKAGES =+ " \
-	${PN}-engines \
-	${PN}-engines-dbg \
-	"
-
-FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
-FILES_${PN}-engines-dbg = "${libdir}/ssl/engines/.debug"
-
-PARALLEL_MAKE = ""
-PARALLEL_MAKEINST = ""
-
-do_configure_prepend() {
-  cp ${WORKDIR}/find.pl ${S}/util/find.pl
-}
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2c.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2c.bb
new file mode 100644
index 0000000000..fd4ba6c5fa
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2c.bb
@@ -0,0 +1,58 @@
+require openssl.inc
+
+# For target side versions of openssl enable support for OCF Linux driver
+# if they are available.
+DEPENDS += "cryptodev-linux"
+
+CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8"
+
+export DIRS = "crypto ssl apps engines"
+export OE_LDFLAGS="${LDFLAGS}"
+
+SRC_URI += "file://configure-targets.patch \
+            file://shared-libs.patch \
+            file://oe-ldflags.patch \
+            file://engines-install-in-libdir-ssl.patch \
+            file://openssl-fix-link.patch \
+            file://debian1.0.2/block_diginotar.patch \
+            file://debian1.0.2/block_digicert_malaysia.patch \
+            file://debian/ca.patch \
+            file://debian/c_rehash-compat.patch \
+            file://debian/debian-targets.patch \
+            file://debian/man-dir.patch \
+            file://debian/man-section.patch \
+            file://debian/no-rpath.patch \
+            file://debian/no-symbolic.patch \
+            file://debian/pic.patch \
+            file://debian/version-script.patch \
+            file://openssl_fix_for_x32.patch \
+            file://fix-cipher-des-ede3-cfb1.patch \
+            file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
+            file://find.pl \
+            file://openssl-fix-des.pod-error.patch \
+            file://Makefiles-ptest.patch \
+            file://ptest-deps.patch \
+            file://run-ptest \
+            file://crypto_use_bigint_in_x86-64_perl.patch \
+            file://openssl-1.0.2a-x32-asm.patch \
+           "
+
+SRC_URI[md5sum] = "8c8d81a9ae7005276e486702edbcd4b6"
+SRC_URI[sha256sum] = "0038ba37f35a6367c58f17a7a7f687953ef8ce4f9684bbdec63e62515ed36a83"
+
+PACKAGES =+ " \
+	${PN}-engines \
+	${PN}-engines-dbg \
+	"
+
+FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
+FILES_${PN}-engines-dbg = "${libdir}/ssl/engines/.debug"
+
+PARALLEL_MAKE = ""
+PARALLEL_MAKEINST = ""
+
+do_configure_prepend() {
+  cp ${WORKDIR}/find.pl ${S}/util/find.pl
+}
-- 
cgit 1.2.3-korg