From a200115c769eff4b9b0241d54ed5ad86da08fdbc Mon Sep 17 00:00:00 2001 From: Stefan Agner Date: Sat, 18 Nov 2017 09:53:54 +0100 Subject: openssl10: Upgrade 1.0.2l -> 1.0.2m Deals with two CVEs: * bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) * Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735) Signed-off-by: Stefan Agner Acked-by: Otavio Salvador Signed-off-by: Ross Burton --- .../recipes-connectivity/openssl/openssl_1.0.2m.bb | 60 ++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl_1.0.2m.bb (limited to 'meta/recipes-connectivity/openssl/openssl_1.0.2m.bb') diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2m.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2m.bb new file mode 100644 index 0000000000..04763ac346 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2m.bb @@ -0,0 +1,60 @@ +require openssl10.inc + +# For target side versions of openssl enable support for OCF Linux driver +# if they are available. + +CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS" +CFLAG_append_class-native = " -fPIC" + +LIC_FILES_CHKSUM = "file://LICENSE;md5=057d9218c6180e1d9ee407572b2dd225" + +export DIRS = "crypto ssl apps engines" +export OE_LDFLAGS="${LDFLAGS}" + +SRC_URI += "file://find.pl;subdir=openssl-${PV}/util/ \ + file://run-ptest \ + file://openssl-c_rehash.sh \ + file://configure-targets.patch \ + file://shared-libs.patch \ + file://oe-ldflags.patch \ + file://engines-install-in-libdir-ssl.patch \ + file://debian1.0.2/block_diginotar.patch \ + file://debian1.0.2/block_digicert_malaysia.patch \ + file://debian/ca.patch \ + file://debian/c_rehash-compat.patch \ + file://debian/debian-targets.patch \ + file://debian/man-dir.patch \ + file://debian/man-section.patch \ + file://debian/no-rpath.patch \ + file://debian/no-symbolic.patch \ + file://debian/pic.patch \ + file://debian1.0.2/version-script.patch \ + file://debian1.0.2/soname.patch \ + file://openssl_fix_for_x32.patch \ + file://openssl-fix-des.pod-error.patch \ + file://Makefiles-ptest.patch \ + file://ptest-deps.patch \ + file://openssl-1.0.2a-x32-asm.patch \ + file://ptest_makefile_deps.patch \ + file://configure-musl-target.patch \ + file://parallel.patch \ + file://openssl-util-perlpath.pl-cwd.patch \ + file://Use-SHA256-not-MD5-as-default-digest.patch \ + file://0001-Fix-build-with-clang-using-external-assembler.patch \ + file://0001-openssl-force-soft-link-to-avoid-rare-race.patch \ + " +SRC_URI[md5sum] = "10e9e37f492094b9ef296f68f24a7666" +SRC_URI[sha256sum] = "8c6ff15ec6b319b50788f42c7abc2890c08ba5a1cdcd3810eb9092deada37b0f" + +PACKAGES =+ "${PN}-engines" +FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines" + +# The crypto_use_bigint patch means that perl's bignum module needs to be +# installed, but some distributions (for example Fedora 23) don't ship it by +# default. As the resulting error is very misleading check for bignum before +# building. +do_configure_prepend() { + if ! perl -Mbigint -e true; then + bbfatal "The perl module 'bignum' was not found but this is required to build openssl. Please install this module (often packaged as perl-bignum) and re-run bitbake." + fi +} -- cgit 1.2.3-korg