openssl: upgrade to 1.0.1h

Fixes the following security issues: * CVE-2014-0224 * CVE-2014-0221 * CVE-2014-0195 * CVE-2014-3470 The patch for CVE-2010-5298, CVE-2014-0198 and a fix for building the documentation are integrated upstream in this release and so were dropped. Additionally, a patch from upstream was added in order to fix a failure during do_compile_ptest_base. A similar upgrade was also submitted by Yao Xinpan <yaoxp@cn.fujitsu.com> and Lei Maohui <leimaohui@cn.fujitsu.com>. (From OE-Core rev: a3e80de6d423c272a287bf3538196b48ac5ddec1) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Paul Eggleton <paul.eggleton@linux.intel.com> 2014-06-09 10:36:34 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-06-10 17:11:55 +0100
commit: 3255d58577234b130768d6d57619cc76b6afcc6a (patch)
tree: 74ce2fcb911f84101ea99f8b1e6fe18046c55f25
parent: 66d5be204fd339cc84a0ae92d3923a8c1e6f1389 (diff)
download: poky-3255d58577234b130768d6d57619cc76b6afcc6a.tar.gz
5 files changed, 48 insertions, 453 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/heartbeat-test-private-api.patch b/meta/recipes-connectivity/openssl/openssl/heartbeat-test-private-api.patch
new file mode 100644
index 0000000000..3c77dfcdf0
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/heartbeat-test-private-api.patch
@@ -0,0 +1,45 @@
+From 2e251ba8feaa696f9408a19336d1fbab148df55e Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sat, 7 Jun 2014 13:32:23 +0200
+Subject: [PATCH] Link heartbeat_test with the static version of the libraries
+It's using an internal API that that might not be available in the shared
+library.
+Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/125]
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+---
+ test/Makefile | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/test/Makefile b/test/Makefile
+index f1816ac..1dd7bb9 100644
+--- a/test/Makefile
+++ b/test/Makefile
+@@ -420,6 +420,13 @@ BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
+                LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
+                link_app.$${shlib_target}
+ 
+BUILD_CMD_STATIC=shlib_target=; \
+       LIBRARIES="$(DLIBSSL) $(DLIBCRYPTO) $(LIBKRB5)"; \
+       $(MAKE) -f $(TOP)/Makefile.shared -e \
+               APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
+               LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
+               link_app.$${shlib_target}
+
+ $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
+        @target=$(RSATEST); $(BUILD_CMD)
+ 
+@@ -618,7 +625,7 @@ $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
+        @target=$(V3NAMETEST); $(BUILD_CMD)
+ 
+ $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
+-       @target=$(HEARTBEATTEST); $(BUILD_CMD)
+       @target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
+ 
+ #$(AESTEST).o: $(AESTEST).c
+ #      $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
+-- 
+1.9.3
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch b/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch
deleted file mode 100644
index 417a774ba2..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-openssl fix for CVE-2010-5298
-Upstream-Status: Backport
-Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
-through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
-attackers to inject data across sessions or cause a denial of service
-(use-after-free and parsing error) via an SSL connection in a
-multithreaded environment.
-http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
-Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
--- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -1013,7 +1013,7 @@ start:
-                                {
-                                s->rstate=SSL_ST_READ_HEADER;
-                                rr->off=0;
-                               if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-+                               if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
-                                        ssl3_release_read_buffer(s);
-                                }
-                        }
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2014-0198-fix.patch b/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2014-0198-fix.patch
deleted file mode 100644
index 4c51d746ff..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2014-0198-fix.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Upstream-Status: Backport
-Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1093837
-CVE-2014-0198: An attacker can trigger generation of an SSL
-alert which could cause a null pointer dereference.
-Signed-off-by: Maxin B. John <maxin.john@enea.com>
---
-diff -Naur openssl-1.0.1g-orig/ssl/s3_pkt.c openssl-1.0.1g/ssl/s3_pkt.c
--- openssl-1.0.1g-orig/ssl/s3_pkt.c    2014-03-17 17:14:20.000000000 +0100
-+++ openssl-1.0.1g/ssl/s3_pkt.c 2014-05-06 02:32:43.862587660 +0200
-@@ -657,6 +657,10 @@
-                if (i <= 0)
-                        return(i);
-                /* if it went, fall through and send more stuff */
-+               /* we may have released our buffer, so get it again */
-+               if (wb->buf == NULL)
-+                       if (!ssl3_setup_write_buffer(s))
-+                               return -1;
-                }
- 
-        if (len == 0 && !create_empty_fragment)
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch b/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch
deleted file mode 100644
index 451256eaa5..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch
+++ /dev/null
@@ -1,401 +0,0 @@
-Fix documentation build errors with Perl 5.18 pod2man
-This fixes errors building man pages with newer versions of pod2man
-included with Perl 5.18.
-Upstream-Status: Submitted
-Signed-off-by: Jonathan Liu
-Index: openssl-1.0.1f/doc/apps/cms.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/apps/cms.pod        2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/apps/cms.pod     2014-02-28 10:13:51.899979213 +0200
-@@ -450,28 +450,28 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- the operation was completely successfully.
- 
-=item 1 
-+=item Z<>1 
- 
- an error occurred parsing the command options.
- 
-=item 2
-+=item Z<>2
- 
- one of the input files could not be read.
- 
-=item 3
-+=item Z<>3
- 
- an error occurred creating the CMS file or when reading the MIME
- message.
- 
-=item 4
-+=item Z<>4
- 
- an error occurred decrypting or verifying the message.
- 
-=item 5
-+=item Z<>5
- 
- the message was verified correctly but an error occurred writing out
- the signers certificates.
-Index: openssl-1.0.1f/doc/apps/smime.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/apps/smime.pod      2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/apps/smime.pod   2014-02-28 10:16:57.795979233 +0200
-@@ -308,28 +308,28 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- the operation was completely successfully.
- 
-=item 1 
-+=item Z<>1 
- 
- an error occurred parsing the command options.
- 
-=item 2
-+=item Z<>2
- 
- one of the input files could not be read.
- 
-=item 3
-+=item Z<>3
- 
- an error occurred creating the PKCS#7 file or when reading the MIME
- message.
- 
-=item 4
-+=item Z<>4
- 
- an error occurred decrypting or verifying the message.
- 
-=item 5
-+=item Z<>5
- 
- the message was verified correctly but an error occurred writing out
- the signers certificates.
-Index: openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_COMP_add_compression_method.pod     2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod  2014-02-28 10:18:09.679979225 +0200
-@@ -53,11 +53,11 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- The operation succeeded.
- 
-=item 1
-+=item Z<>1
- 
- The operation failed. Check the error queue to find out the reason.
- 
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_add_session.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod      2014-02-28 10:18:42.687979221 +0200
-@@ -52,13 +52,13 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
-  The operation failed. In case of the add operation, it was tried to add
-  the same (identical) session twice. In case of the remove operation, the
-  session was not found in the cache.
- 
-=item 1
-+=item Z<>1
-  
-  The operation succeeded.
- 
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_load_verify_locations.pod       2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod    2014-02-28 10:19:09.079979218 +0200
-@@ -100,13 +100,13 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- The operation failed because B<CAfile> and B<CApath> are NULL or the
- processing at one of the locations specified failed. Check the error
- stack to find out the reason.
- 
-=item 1
-+=item Z<>1
- 
- The operation succeeded.
- 
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod  2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod       2014-02-28 10:19:42.999979220 +0200
-@@ -66,13 +66,13 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- A failure while manipulating the STACK_OF(X509_NAME) object occurred or
- the X509_NAME could not be extracted from B<cacert>. Check the error stack
- to find out the reason.
- 
-=item 1
-+=item Z<>1
- 
- The operation succeeded.
- 
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_session_id_context.pod      2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod   2014-02-28 10:20:06.495979211 +0200
-@@ -64,13 +64,13 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded
- the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error
- is logged to the error stack.
- 
-=item 1
-+=item Z<>1
- 
- The operation succeeded.
- 
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_ssl_version.pod     2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod  2014-02-28 10:20:32.111979208 +0200
-@@ -42,11 +42,11 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- The new choice failed, check the error stack to find out the reason.
- 
-=item 1
-+=item Z<>1
- 
- The operation succeeded.
- 
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod       2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod    2014-02-28 10:21:12.351979203 +0200
-@@ -96,7 +96,7 @@
- connection will fail with decryption_error before it will be finished
- completely.
- 
-=item 0
-+=item Z<>0
- 
- PSK identity was not found. An "unknown_psk_identity" alert message
- will be sent and the connection setup fails.
-Index: openssl-1.0.1f/doc/ssl/SSL_accept.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_accept.pod  2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_accept.pod       2014-02-28 10:21:51.535979215 +0200
-@@ -44,13 +44,13 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
- 
-=item 1
-+=item Z<>1
- 
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-Index: openssl-1.0.1f/doc/ssl/SSL_clear.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_clear.pod   2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_clear.pod        2014-02-28 10:22:13.087979196 +0200
-@@ -56,12 +56,12 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- The SSL_clear() operation could not be performed. Check the error stack to
- find out the reason.
- 
-=item 1
-+=item Z<>1
- 
- The SSL_clear() operation was successful.
- 
-Index: openssl-1.0.1f/doc/ssl/SSL_connect.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_connect.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_connect.pod      2014-02-28 10:22:33.991979193 +0200
-@@ -41,13 +41,13 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
- 
-=item 1
-+=item Z<>1
- 
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-Index: openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_do_handshake.pod    2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod 2014-02-28 10:22:56.887979159 +0200
-@@ -45,13 +45,13 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
- 
-=item 1
-+=item Z<>1
- 
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-Index: openssl-1.0.1f/doc/ssl/SSL_read.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_read.pod    2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_read.pod 2014-02-28 10:23:15.303979188 +0200
-@@ -86,7 +86,7 @@
- The read operation was successful; the return value is the number of
- bytes actually read from the TLS/SSL connection.
- 
-=item 0
-+=item Z<>0
- 
- The read operation was not successful. The reason may either be a clean
- shutdown due to a "close notify" alert sent by the peer (in which case
-Index: openssl-1.0.1f/doc/ssl/SSL_session_reused.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_session_reused.pod  2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_session_reused.pod       2014-02-28 10:23:36.615979186 +0200
-@@ -27,11 +27,11 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- A new session was negotiated.
- 
-=item 1
-+=item Z<>1
- 
- A session was reused.
- 
-Index: openssl-1.0.1f/doc/ssl/SSL_set_fd.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_set_fd.pod  2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_set_fd.pod       2014-02-28 10:23:57.599979183 +0200
-@@ -35,11 +35,11 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- The operation failed. Check the error stack to find out why.
- 
-=item 1
-+=item Z<>1
- 
- The operation succeeded.
- 
-Index: openssl-1.0.1f/doc/ssl/SSL_set_session.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_set_session.pod     2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_set_session.pod  2014-02-28 10:24:16.943979181 +0200
-@@ -37,11 +37,11 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- The operation failed; check the error stack to find out the reason.
- 
-=item 1
-+=item Z<>1
- 
- The operation succeeded.
- 
-Index: openssl-1.0.1f/doc/ssl/SSL_shutdown.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_shutdown.pod        2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_shutdown.pod     2014-02-28 10:25:03.623979175 +0200
-@@ -92,19 +92,19 @@
- 
- =over 4
- 
-=item 0
-+=item Z<>0
- 
- The shutdown is not yet finished. Call SSL_shutdown() for a second time,
- if a bidirectional shutdown shall be performed.
- The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
- erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
- 
-=item 1
-+=item Z<>1
- 
- The shutdown was successfully completed. The "close notify" alert was sent
- and the peer's "close notify" alert was received.
- 
-=item -1
-+=item Z<>-1
- 
- The shutdown was not successful because a fatal error occurred either
- at the protocol level or a connection failure occurred. It can also occur if
-Index: openssl-1.0.1f/doc/ssl/SSL_write.pod
-===================================================================
--- openssl-1.0.1f.orig/doc/ssl/SSL_write.pod   2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_write.pod        2014-02-28 10:25:36.031979168 +0200
-@@ -79,7 +79,7 @@
- The write operation was successful, the return value is the number of
- bytes actually written to the TLS/SSL connection.
- 
-=item 0
-+=item Z<>0
- 
- The write operation was not successful. Probably the underlying connection
- was closed. Call SSL_get_error() with the return value B<ret> to find out,
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1h.bb
index bbf1455f7d..ebb1029ef4 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1h.bb
@@ -27,21 +27,19 @@ SRC_URI += "file://configure-targets.patch \
            file://debian/no-symbolic.patch \
            file://debian/debian-targets.patch \
            file://openssl_fix_for_x32.patch \
-            file://openssl-fix-doc.patch \
            file://fix-cipher-des-ede3-cfb1.patch \
            file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
            file://openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch \
            file://initial-aarch64-bits.patch \
            file://find.pl \
            file://openssl-fix-des.pod-error.patch \
-            file://openssl-CVE-2014-0198-fix.patch \
            file://Makefiles-ptest.patch \
+            file://heartbeat-test-private-api.patch \
            file://run-ptest \
-            file://openssl-CVE-2010-5298.patch \
           "
-SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"
+SRC_URI[md5sum] = "8d6d684a9430d5cc98a62a5d8fbda8cf"
-SRC_URI[sha256sum] = "53cb818c3b90e507a8348f4f5eaedb05d8bfe5358aabb508b7263cc670c3e028"
+SRC_URI[sha256sum] = "9d1c8a9836aa63e2c6adb684186cbd4371c9e9dcc01d6e3bb447abf2d4d3d093"
 PACKAGES =+ " \
        ${PN}-engines \
author	Paul Eggleton <paul.eggleton@linux.intel.com>	2014-06-09 10:36:34 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-06-10 17:11:55 +0100
commit	3255d58577234b130768d6d57619cc76b6afcc6a (patch)
tree	74ce2fcb911f84101ea99f8b1e6fe18046c55f25
parent	66d5be204fd339cc84a0ae92d3923a8c1e6f1389 (diff)
download	poky-3255d58577234b130768d6d57619cc76b6afcc6a.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/heartbeat-test-private-api.patch b/meta/recipes-connectivity/openssl/openssl/heartbeat-test-private-api.patch new file mode 100644 index 0000000000..3c77dfcdf0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/heartbeat-test-private-api.patch
@@ -0,0 +1,45 @@
		1	From 2e251ba8feaa696f9408a19336d1fbab148df55e Mon Sep 17 00:00:00 2001
		2	From: Kurt Roeckx <kurt@roeckx.be>
		3	Date: Sat, 7 Jun 2014 13:32:23 +0200
		4	Subject: [PATCH] Link heartbeat_test with the static version of the libraries
		5
		6	It's using an internal API that that might not be available in the shared
		7	library.
		8
		9	Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/125]
		10	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		11
		12	---
		13	test/Makefile \| 9 ++++++++-
		14	1 file changed, 8 insertions(+), 1 deletion(-)
		15
		16	diff --git a/test/Makefile b/test/Makefile
		17	index f1816ac..1dd7bb9 100644
		18	--- a/test/Makefile
		19	+++ b/test/Makefile
		20	@@ -420,6 +420,13 @@ BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
		21	LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
		22	link_app.$${shlib_target}
		23
		24	+BUILD_CMD_STATIC=shlib_target=; \
		25	+ LIBRARIES="$(DLIBSSL) $(DLIBCRYPTO) $(LIBKRB5)"; \
		26	+ $(MAKE) -f $(TOP)/Makefile.shared -e \
		27	+ APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
		28	+ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
		29	+ link_app.$${shlib_target}
		30	+
		31	$(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
		32	@target=$(RSATEST); $(BUILD_CMD)
		33
		34	@@ -618,7 +625,7 @@ $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
		35	@target=$(V3NAMETEST); $(BUILD_CMD)
		36
		37	$(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
		38	- @target=$(HEARTBEATTEST); $(BUILD_CMD)
		39	+ @target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
		40
		41	#$(AESTEST).o: $(AESTEST).c
		42	# $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
		43	--
		44	1.9.3
		45


diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch b/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch deleted file mode 100644 index 417a774ba2..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch +++ /dev/null
@@ -1,24 +0,0 @@
1	openssl fix for CVE-2010-5298
2
3	Upstream-Status: Backport
4
5	Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
6	through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
7	attackers to inject data across sessions or cause a denial of service
8	(use-after-free and parsing error) via an SSL connection in a
9	multithreaded environment.
10
11	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
12
13	Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
14	--- a/ssl/s3_pkt.c
15	+++ b/ssl/s3_pkt.c
16	@@ -1013,7 +1013,7 @@ start:
17	{
18	s->rstate=SSL_ST_READ_HEADER;
19	rr->off=0;
20	- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
21	+ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
22	ssl3_release_read_buffer(s);
23	}
24	}


diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2014-0198-fix.patch b/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2014-0198-fix.patch deleted file mode 100644 index 4c51d746ff..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2014-0198-fix.patch +++ /dev/null
@@ -1,23 +0,0 @@
1	Upstream-Status: Backport
2
3	Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1093837
4
5	CVE-2014-0198: An attacker can trigger generation of an SSL
6	alert which could cause a null pointer dereference.
7
8	Signed-off-by: Maxin B. John <maxin.john@enea.com>
9	---
10	diff -Naur openssl-1.0.1g-orig/ssl/s3_pkt.c openssl-1.0.1g/ssl/s3_pkt.c
11	--- openssl-1.0.1g-orig/ssl/s3_pkt.c 2014-03-17 17:14:20.000000000 +0100
12	+++ openssl-1.0.1g/ssl/s3_pkt.c 2014-05-06 02:32:43.862587660 +0200
13	@@ -657,6 +657,10 @@
14	if (i <= 0)
15	return(i);
16	/* if it went, fall through and send more stuff */
17	+ /* we may have released our buffer, so get it again */
18	+ if (wb->buf == NULL)
19	+ if (!ssl3_setup_write_buffer(s))
20	+ return -1;
21	}
22
23	if (len == 0 && !create_empty_fragment)


diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch b/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch deleted file mode 100644 index 451256eaa5..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch +++ /dev/null
@@ -1,401 +0,0 @@
1	Fix documentation build errors with Perl 5.18 pod2man
2
3	This fixes errors building man pages with newer versions of pod2man
4	included with Perl 5.18.
5
6	Upstream-Status: Submitted
7	Signed-off-by: Jonathan Liu
8
9	Index: openssl-1.0.1f/doc/apps/cms.pod
10	===================================================================
11	--- openssl-1.0.1f.orig/doc/apps/cms.pod 2014-01-06 15:47:42.000000000 +0200
12	+++ openssl-1.0.1f/doc/apps/cms.pod 2014-02-28 10:13:51.899979213 +0200
13	@@ -450,28 +450,28 @@
14
15	=over 4
16
17	-=item 0
18	+=item Z<>0
19
20	the operation was completely successfully.
21
22	-=item 1
23	+=item Z<>1
24
25	an error occurred parsing the command options.
26
27	-=item 2
28	+=item Z<>2
29
30	one of the input files could not be read.
31
32	-=item 3
33	+=item Z<>3
34
35	an error occurred creating the CMS file or when reading the MIME
36	message.
37
38	-=item 4
39	+=item Z<>4
40
41	an error occurred decrypting or verifying the message.
42
43	-=item 5
44	+=item Z<>5
45
46	the message was verified correctly but an error occurred writing out
47	the signers certificates.
48	Index: openssl-1.0.1f/doc/apps/smime.pod
49	===================================================================
50	--- openssl-1.0.1f.orig/doc/apps/smime.pod 2014-01-06 15:47:42.000000000 +0200
51	+++ openssl-1.0.1f/doc/apps/smime.pod 2014-02-28 10:16:57.795979233 +0200
52	@@ -308,28 +308,28 @@
53
54	=over 4
55
56	-=item 0
57	+=item Z<>0
58
59	the operation was completely successfully.
60
61	-=item 1
62	+=item Z<>1
63
64	an error occurred parsing the command options.
65
66	-=item 2
67	+=item Z<>2
68
69	one of the input files could not be read.
70
71	-=item 3
72	+=item Z<>3
73
74	an error occurred creating the PKCS#7 file or when reading the MIME
75	message.
76
77	-=item 4
78	+=item Z<>4
79
80	an error occurred decrypting or verifying the message.
81
82	-=item 5
83	+=item Z<>5
84
85	the message was verified correctly but an error occurred writing out
86	the signers certificates.
87	Index: openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod
88	===================================================================
89	--- openssl-1.0.1f.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2014-01-06 15:47:42.000000000 +0200
90	+++ openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod 2014-02-28 10:18:09.679979225 +0200
91	@@ -53,11 +53,11 @@
92
93	=over 4
94
95	-=item 0
96	+=item Z<>0
97
98	The operation succeeded.
99
100	-=item 1
101	+=item Z<>1
102
103	The operation failed. Check the error queue to find out the reason.
104
105	Index: openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod
106	===================================================================
107	--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_add_session.pod 2014-01-06 15:47:42.000000000 +0200
108	+++ openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod 2014-02-28 10:18:42.687979221 +0200
109	@@ -52,13 +52,13 @@
110
111	=over 4
112
113	-=item 0
114	+=item Z<>0
115
116	The operation failed. In case of the add operation, it was tried to add
117	the same (identical) session twice. In case of the remove operation, the
118	session was not found in the cache.
119
120	-=item 1
121	+=item Z<>1
122
123	The operation succeeded.
124
125	Index: openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod
126	===================================================================
127	--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-01-06 15:47:42.000000000 +0200
128	+++ openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-02-28 10:19:09.079979218 +0200
129	@@ -100,13 +100,13 @@
130
131	=over 4
132
133	-=item 0
134	+=item Z<>0
135
136	The operation failed because B<CAfile> and B<CApath> are NULL or the
137	processing at one of the locations specified failed. Check the error
138	stack to find out the reason.
139
140	-=item 1
141	+=item Z<>1
142
143	The operation succeeded.
144
145	Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod
146	===================================================================
147	--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-01-06 15:47:42.000000000 +0200
148	+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-02-28 10:19:42.999979220 +0200
149	@@ -66,13 +66,13 @@
150
151	=over 4
152
153	-=item 0
154	+=item Z<>0
155
156	A failure while manipulating the STACK_OF(X509_NAME) object occurred or
157	the X509_NAME could not be extracted from B<cacert>. Check the error stack
158	to find out the reason.
159
160	-=item 1
161	+=item Z<>1
162
163	The operation succeeded.
164
165	Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod
166	===================================================================
167	--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-01-06 15:47:42.000000000 +0200
168	+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-02-28 10:20:06.495979211 +0200
169	@@ -64,13 +64,13 @@
170
171	=over 4
172
173	-=item 0
174	+=item Z<>0
175
176	The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded
177	the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error
178	is logged to the error stack.
179
180	-=item 1
181	+=item Z<>1
182
183	The operation succeeded.
184
185	Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod
186	===================================================================
187	--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-01-06 15:47:42.000000000 +0200
188	+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-02-28 10:20:32.111979208 +0200
189	@@ -42,11 +42,11 @@
190
191	=over 4
192
193	-=item 0
194	+=item Z<>0
195
196	The new choice failed, check the error stack to find out the reason.
197
198	-=item 1
199	+=item Z<>1
200
201	The operation succeeded.
202
203	Index: openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
204	===================================================================
205	--- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-01-06 15:47:42.000000000 +0200
206	+++ openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-02-28 10:21:12.351979203 +0200
207	@@ -96,7 +96,7 @@
208	connection will fail with decryption_error before it will be finished
209	completely.
210
211	-=item 0
212	+=item Z<>0
213
214	PSK identity was not found. An "unknown_psk_identity" alert message
215	will be sent and the connection setup fails.
216	Index: openssl-1.0.1f/doc/ssl/SSL_accept.pod
217	===================================================================
218	--- openssl-1.0.1f.orig/doc/ssl/SSL_accept.pod 2014-01-06 15:47:42.000000000 +0200
219	+++ openssl-1.0.1f/doc/ssl/SSL_accept.pod 2014-02-28 10:21:51.535979215 +0200
220	@@ -44,13 +44,13 @@
221
222	=over 4
223
224	-=item 0
225	+=item Z<>0
226
227	The TLS/SSL handshake was not successful but was shut down controlled and
228	by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
229	return value B<ret> to find out the reason.
230
231	-=item 1
232	+=item Z<>1
233
234	The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
235	established.
236	Index: openssl-1.0.1f/doc/ssl/SSL_clear.pod
237	===================================================================
238	--- openssl-1.0.1f.orig/doc/ssl/SSL_clear.pod 2014-01-06 15:47:42.000000000 +0200
239	+++ openssl-1.0.1f/doc/ssl/SSL_clear.pod 2014-02-28 10:22:13.087979196 +0200
240	@@ -56,12 +56,12 @@
241
242	=over 4
243
244	-=item 0
245	+=item Z<>0
246
247	The SSL_clear() operation could not be performed. Check the error stack to
248	find out the reason.
249
250	-=item 1
251	+=item Z<>1
252
253	The SSL_clear() operation was successful.
254
255	Index: openssl-1.0.1f/doc/ssl/SSL_connect.pod
256	===================================================================
257	--- openssl-1.0.1f.orig/doc/ssl/SSL_connect.pod 2014-01-06 15:47:42.000000000 +0200
258	+++ openssl-1.0.1f/doc/ssl/SSL_connect.pod 2014-02-28 10:22:33.991979193 +0200
259	@@ -41,13 +41,13 @@
260
261	=over 4
262
263	-=item 0
264	+=item Z<>0
265
266	The TLS/SSL handshake was not successful but was shut down controlled and
267	by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
268	return value B<ret> to find out the reason.
269
270	-=item 1
271	+=item Z<>1
272
273	The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
274	established.
275	Index: openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod
276	===================================================================
277	--- openssl-1.0.1f.orig/doc/ssl/SSL_do_handshake.pod 2014-01-06 15:47:42.000000000 +0200
278	+++ openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod 2014-02-28 10:22:56.887979159 +0200
279	@@ -45,13 +45,13 @@
280
281	=over 4
282
283	-=item 0
284	+=item Z<>0
285
286	The TLS/SSL handshake was not successful but was shut down controlled and
287	by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
288	return value B<ret> to find out the reason.
289
290	-=item 1
291	+=item Z<>1
292
293	The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
294	established.
295	Index: openssl-1.0.1f/doc/ssl/SSL_read.pod
296	===================================================================
297	--- openssl-1.0.1f.orig/doc/ssl/SSL_read.pod 2014-01-06 15:47:42.000000000 +0200
298	+++ openssl-1.0.1f/doc/ssl/SSL_read.pod 2014-02-28 10:23:15.303979188 +0200
299	@@ -86,7 +86,7 @@
300	The read operation was successful; the return value is the number of
301	bytes actually read from the TLS/SSL connection.
302
303	-=item 0
304	+=item Z<>0
305
306	The read operation was not successful. The reason may either be a clean
307	shutdown due to a "close notify" alert sent by the peer (in which case
308	Index: openssl-1.0.1f/doc/ssl/SSL_session_reused.pod
309	===================================================================
310	--- openssl-1.0.1f.orig/doc/ssl/SSL_session_reused.pod 2014-01-06 15:47:42.000000000 +0200
311	+++ openssl-1.0.1f/doc/ssl/SSL_session_reused.pod 2014-02-28 10:23:36.615979186 +0200
312	@@ -27,11 +27,11 @@
313
314	=over 4
315
316	-=item 0
317	+=item Z<>0
318
319	A new session was negotiated.
320
321	-=item 1
322	+=item Z<>1
323
324	A session was reused.
325
326	Index: openssl-1.0.1f/doc/ssl/SSL_set_fd.pod
327	===================================================================
328	--- openssl-1.0.1f.orig/doc/ssl/SSL_set_fd.pod 2014-01-06 15:47:42.000000000 +0200
329	+++ openssl-1.0.1f/doc/ssl/SSL_set_fd.pod 2014-02-28 10:23:57.599979183 +0200
330	@@ -35,11 +35,11 @@
331
332	=over 4
333
334	-=item 0
335	+=item Z<>0
336
337	The operation failed. Check the error stack to find out why.
338
339	-=item 1
340	+=item Z<>1
341
342	The operation succeeded.
343
344	Index: openssl-1.0.1f/doc/ssl/SSL_set_session.pod
345	===================================================================
346	--- openssl-1.0.1f.orig/doc/ssl/SSL_set_session.pod 2014-01-06 15:47:42.000000000 +0200
347	+++ openssl-1.0.1f/doc/ssl/SSL_set_session.pod 2014-02-28 10:24:16.943979181 +0200
348	@@ -37,11 +37,11 @@
349
350	=over 4
351
352	-=item 0
353	+=item Z<>0
354
355	The operation failed; check the error stack to find out the reason.
356
357	-=item 1
358	+=item Z<>1
359
360	The operation succeeded.
361
362	Index: openssl-1.0.1f/doc/ssl/SSL_shutdown.pod
363	===================================================================
364	--- openssl-1.0.1f.orig/doc/ssl/SSL_shutdown.pod 2014-01-06 15:47:42.000000000 +0200
365	+++ openssl-1.0.1f/doc/ssl/SSL_shutdown.pod 2014-02-28 10:25:03.623979175 +0200
366	@@ -92,19 +92,19 @@
367
368	=over 4
369
370	-=item 0
371	+=item Z<>0
372
373	The shutdown is not yet finished. Call SSL_shutdown() for a second time,
374	if a bidirectional shutdown shall be performed.
375	The output of L<SSL_get_error(3)\|SSL_get_error(3)> may be misleading, as an
376	erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
377
378	-=item 1
379	+=item Z<>1
380
381	The shutdown was successfully completed. The "close notify" alert was sent
382	and the peer's "close notify" alert was received.
383
384	-=item -1
385	+=item Z<>-1
386
387	The shutdown was not successful because a fatal error occurred either
388	at the protocol level or a connection failure occurred. It can also occur if
389	Index: openssl-1.0.1f/doc/ssl/SSL_write.pod
390	===================================================================
391	--- openssl-1.0.1f.orig/doc/ssl/SSL_write.pod 2014-01-06 15:47:42.000000000 +0200
392	+++ openssl-1.0.1f/doc/ssl/SSL_write.pod 2014-02-28 10:25:36.031979168 +0200
393	@@ -79,7 +79,7 @@
394	The write operation was successful, the return value is the number of
395	bytes actually written to the TLS/SSL connection.
396
397	-=item 0
398	+=item Z<>0
399
400	The write operation was not successful. Probably the underlying connection
401	was closed. Call SSL_get_error() with the return value B<ret> to find out,


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1h.bb index bbf1455f7d..ebb1029ef4 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1h.bb
@@ -27,21 +27,19 @@ SRC_URI += "file://configure-targets.patch \
27	file://debian/no-symbolic.patch \	27	file://debian/no-symbolic.patch \
28	file://debian/debian-targets.patch \	28	file://debian/debian-targets.patch \
29	file://openssl_fix_for_x32.patch \	29	file://openssl_fix_for_x32.patch \
30	file://openssl-fix-doc.patch \
31	file://fix-cipher-des-ede3-cfb1.patch \	30	file://fix-cipher-des-ede3-cfb1.patch \
32	file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \	31	file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
33	file://openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch \	32	file://openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch \
34	file://initial-aarch64-bits.patch \	33	file://initial-aarch64-bits.patch \
35	file://find.pl \	34	file://find.pl \
36	file://openssl-fix-des.pod-error.patch \	35	file://openssl-fix-des.pod-error.patch \
37	file://openssl-CVE-2014-0198-fix.patch \
38	file://Makefiles-ptest.patch \	36	file://Makefiles-ptest.patch \
		37	file://heartbeat-test-private-api.patch \
39	file://run-ptest \	38	file://run-ptest \
40	file://openssl-CVE-2010-5298.patch \
41	"	39	"
42		40
43	SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"	41	SRC_URI[md5sum] = "8d6d684a9430d5cc98a62a5d8fbda8cf"
44	SRC_URI[sha256sum] = "53cb818c3b90e507a8348f4f5eaedb05d8bfe5358aabb508b7263cc670c3e028"	42	SRC_URI[sha256sum] = "9d1c8a9836aa63e2c6adb684186cbd4371c9e9dcc01d6e3bb447abf2d4d3d093"
45		43
46	PACKAGES =+ " \	44	PACKAGES =+ " \
47	${PN}-engines \	45	${PN}-engines \