| author | Saul Wold <sgw@linux.intel.com> | 2014-10-20 14:16:23 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-23 21:43:11 +0100 |
| commit | e93f9a838260100ece7cac36f01e42e321e6414b (patch) | |
| tree | ebda072a37a097b22b65b6fc573b7e7a0669cf50 | |
| parent | df4a397df9213eb2f419120fc2c32d51d0bf6a05 (diff) | |
| download | poky-e93f9a838260100ece7cac36f01e42e321e6414b.tar.gz | |
openssl: Upgrade to 1.0.1j
This addresses the latest set of CVE issues
(From OE-Core rev: 461e598815f8749bb26e97369e3b877f7ce749cf)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
12 files changed, 145 insertions, 688 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc index ee02fb796e..9ec884f332 100644 --- a/meta/recipes-connectivity/openssl/openssl.inc +++ b/meta/recipes-connectivity/openssl/openssl.inc | |||
| @@ -9,6 +9,7 @@ LICENSE = "openssl" | |||
| 9 | LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8" | 9 | LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8" |
| 10 | 10 | ||
| 11 | DEPENDS = "perl-native-runtime" | 11 | DEPENDS = "perl-native-runtime" |
| 12 | DEPENDS_append_class-target = " openssl-native" | ||
| 12 | 13 | ||
| 13 | SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ | 14 | SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ |
| 14 | " | 15 | " |
| @@ -30,14 +31,14 @@ export DIRS = "crypto ssl apps" | |||
| 30 | export EX_LIBS = "-lgcc -ldl" | 31 | export EX_LIBS = "-lgcc -ldl" |
| 31 | export AS = "${CC} -c" | 32 | export AS = "${CC} -c" |
| 32 | 33 | ||
| 33 | inherit pkgconfig siteinfo multilib_header | 34 | inherit pkgconfig siteinfo multilib_header ptest |
| 34 | 35 | ||
| 35 | PACKAGES =+ "libcrypto libssl ${PN}-misc openssl-conf" | 36 | PACKAGES =+ "libcrypto libssl ${PN}-misc openssl-conf" |
| 36 | FILES_libcrypto = "${base_libdir}/libcrypto${SOLIBS}" | 37 | FILES_libcrypto = "${base_libdir}/libcrypto${SOLIBS}" |
| 37 | FILES_libssl = "${libdir}/libssl.so.*" | 38 | FILES_libssl = "${libdir}/libssl.so.*" |
| 38 | FILES_${PN} =+ " ${libdir}/ssl/*" | 39 | FILES_${PN} =+ " ${libdir}/ssl/*" |
| 39 | FILES_${PN}-misc = "${libdir}/ssl/misc ${bindir}/c_rehash" | 40 | FILES_${PN}-misc = "${libdir}/ssl/misc ${bindir}/c_rehash" |
| 40 | RDEPENDS_${PN}-misc = "${@base_contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" | 41 | RDEPENDS_${PN}-misc = "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" |
| 41 | FILES_${PN}-dev += "${base_libdir}/libcrypto${SOLIBSDEV}" | 42 | FILES_${PN}-dev += "${base_libdir}/libcrypto${SOLIBSDEV}" |
| 42 | 43 | ||
| 43 | # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto | 44 | # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto |
| @@ -47,6 +48,7 @@ FILES_${PN}-dev += "${base_libdir}/libcrypto${SOLIBSDEV}" | |||
| 47 | FILES_openssl-conf = "${libdir}/ssl/openssl.cnf" | 48 | FILES_openssl-conf = "${libdir}/ssl/openssl.cnf" |
| 48 | CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf" | 49 | CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf" |
| 49 | RRECOMMENDS_libcrypto += "openssl-conf" | 50 | RRECOMMENDS_libcrypto += "openssl-conf" |
| 51 | RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc" | ||
| 50 | 52 | ||
| 51 | do_configure_prepend_darwin () { | 53 | do_configure_prepend_darwin () { |
| 52 | sed -i -e '/version-script=openssl\.ld/d' Configure | 54 | sed -i -e '/version-script=openssl\.ld/d' Configure |
| @@ -59,17 +61,18 @@ do_configure () { | |||
| 59 | ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/ | 61 | ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/ |
| 60 | 62 | ||
| 61 | os=${HOST_OS} | 63 | os=${HOST_OS} |
| 62 | if [ "x$os" = "xlinux-uclibc" ]; then | 64 | case $os in |
| 65 | linux-uclibc |\ | ||
| 66 | linux-uclibceabi |\ | ||
| 67 | linux-gnueabi |\ | ||
| 68 | linux-uclibcspe |\ | ||
| 69 | linux-gnuspe |\ | ||
| 70 | linux-musl*) | ||
| 63 | os=linux | 71 | os=linux |
| 64 | elif [ "x$os" = "xlinux-uclibceabi" ]; then | 72 | ;; |
| 65 | os=linux | 73 | *) |
| 66 | elif [ "x$os" = "xlinux-uclibcspe" ]; then | 74 | ;; |
| 67 | os=linux | 75 | esac |
| 68 | elif [ "x$os" = "xlinux-gnuspe" ]; then | ||
| 69 | os=linux | ||
| 70 | elif [ "x$os" = "xlinux-gnueabi" ]; then | ||
| 71 | os=linux | ||
| 72 | fi | ||
| 73 | target="$os-${HOST_ARCH}" | 76 | target="$os-${HOST_ARCH}" |
| 74 | case $target in | 77 | case $target in |
| 75 | linux-arm) | 78 | linux-arm) |
| @@ -136,10 +139,18 @@ do_configure () { | |||
| 136 | perl ./Configure ${EXTRA_OECONF} shared --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename ${libdir}` $target | 139 | perl ./Configure ${EXTRA_OECONF} shared --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename ${libdir}` $target |
| 137 | } | 140 | } |
| 138 | 141 | ||
| 142 | do_compile_prepend_class-target () { | ||
| 143 | sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile | ||
| 144 | } | ||
| 145 | |||
| 139 | do_compile () { | 146 | do_compile () { |
| 140 | oe_runmake | 147 | oe_runmake |
| 141 | } | 148 | } |
| 142 | 149 | ||
| 150 | do_compile_ptest () { | ||
| 151 | oe_runmake buildtest | ||
| 152 | } | ||
| 153 | |||
| 143 | do_install () { | 154 | do_install () { |
| 144 | oe_runmake INSTALL_PREFIX="${D}" MANDIR="${mandir}" install | 155 | oe_runmake INSTALL_PREFIX="${D}" MANDIR="${mandir}" install |
| 145 | 156 | ||
| @@ -157,7 +168,7 @@ do_install () { | |||
| 157 | cp --dereference -R include/openssl ${D}${includedir} | 168 | cp --dereference -R include/openssl ${D}${includedir} |
| 158 | 169 | ||
| 159 | oe_multilib_header openssl/opensslconf.h | 170 | oe_multilib_header openssl/opensslconf.h |
| 160 | if [ "${@base_contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then | 171 | if [ "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then |
| 161 | install -m 0755 ${S}/tools/c_rehash ${D}${bindir} | 172 | install -m 0755 ${S}/tools/c_rehash ${D}${bindir} |
| 162 | sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${bindir}/c_rehash | 173 | sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${bindir}/c_rehash |
| 163 | sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl | 174 | sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl |
| @@ -169,5 +180,18 @@ do_install () { | |||
| 169 | fi | 180 | fi |
| 170 | } | 181 | } |
| 171 | 182 | ||
| 183 | do_install_ptest () { | ||
| 184 | cp -r Makefile test ${D}${PTEST_PATH} | ||
| 185 | cp -r certs ${D}${PTEST_PATH} | ||
| 186 | mkdir -p ${D}${PTEST_PATH}/apps | ||
| 187 | ln -sf /usr/lib/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps | ||
| 188 | ln -sf /usr/lib/ssl/openssl.cnf ${D}${PTEST_PATH}/apps | ||
| 189 | ln -sf /usr/bin/openssl ${D}${PTEST_PATH}/apps | ||
| 190 | cp apps/server2.pem ${D}${PTEST_PATH}/apps | ||
| 191 | mkdir -p ${D}${PTEST_PATH}/util | ||
| 192 | install util/opensslwrap.sh ${D}${PTEST_PATH}/util | ||
| 193 | install util/shlib_wrap.sh ${D}${PTEST_PATH}/util | ||
| 194 | } | ||
| 195 | |||
| 172 | BBCLASSEXTEND = "native nativesdk" | 196 | BBCLASSEXTEND = "native nativesdk" |
| 173 | 197 | ||
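Review bot: In the new `do_install_ptest`, the three `ln -sf` targets are hard-coded to `/usr/lib/ssl/misc/CA.sh`, `/usr/lib/ssl/openssl.cnf` and `/usr/bin/openssl`, whereas the rest of the recipe derives these locations from `${libdir}` and `${bindir}` (for example `--openssldir=${libdir}/ssl` in `do_configure`). On a multilib or otherwise non-default layout the ptest symlinks would dangle, or resolve to a different openssl binary and configuration than the ones this recipe built, so the test run would not exercise the packaged library. I would write them as `ln -sf ${libdir}/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps`, `ln -sf ${libdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps` and `ln -sf ${bindir}/openssl ${D}${PTEST_PATH}/apps`. A one-line comment above the function saying that the links point at the installed target paths, not at the build tree, would also help the next reader.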
diff --git a/meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch b/meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch new file mode 100644 index 0000000000..ac53a9142b --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch | |||
| @@ -0,0 +1,75 @@ | |||
| 1 | Add 'buildtest' and 'runtest' targets to Makefile, to build and run tests | ||
| 2 | cross-compiled. | ||
| 3 | |||
| 4 | Signed-off-by: Anders Roxell <anders.roxell@enea.com> | ||
| 5 | Signed-off-by: Maxin B. John <maxin.john@enea.com> | ||
| 6 | Upstream-Status: Pending | ||
| 7 | --- | ||
| 8 | diff -uNr a/Makefile b/Makefile | ||
| 9 | --- a/Makefile.org 2012-05-10 17:06:02.000000000 +0200 | ||
| 10 | +++ b/Makefile.org 2012-10-27 00:05:55.359424024 +0200 | ||
| 11 | @@ -411,8 +411,16 @@ | ||
| 12 | test: tests | ||
| 13 | |||
| 14 | tests: rehash | ||
| 15 | + $(MAKE) buildtest | ||
| 16 | + $(MAKE) runtest | ||
| 17 | + | ||
| 18 | +buildtest: | ||
| 19 | + @(cd test && \ | ||
| 20 | + $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf exe apps); | ||
| 21 | + | ||
| 22 | +runtest: | ||
| 23 | @(cd test && echo "testing..." && \ | ||
| 24 | - $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests ); | ||
| 25 | + $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf alltests ); | ||
| 26 | OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a | ||
| 27 | |||
| 28 | report: | ||
| 29 | diff --git a/test/Makefile b/test/Makefile | ||
| 30 | index 3912f82..1696767 100644 | ||
| 31 | --- a/test/Makefile | ||
| 32 | +++ b/test/Makefile | ||
| 33 | @@ -128,7 +128,7 @@ tests: exe apps $(TESTS) | ||
| 34 | apps: | ||
| 35 | @(cd ..; $(MAKE) DIRS=apps all) | ||
| 36 | |||
| 37 | -alltests: \ | ||
| 38 | +all-tests= \ | ||
| 39 | test_des test_idea test_sha test_md4 test_md5 test_hmac \ | ||
| 40 | test_md2 test_mdc2 test_wp \ | ||
| 41 | test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_aes \ | ||
| 42 | @@ -138,6 +138,11 @@ alltests: \ | ||
| 43 | test_ss test_ca test_engine test_evp test_ssl test_tsa test_ige \ | ||
| 44 | test_jpake test_cms | ||
| 45 | |||
| 46 | +alltests: | ||
| 47 | + @(for i in $(all-tests); do \ | ||
| 48 | + ( $(MAKE) $$i && echo "PASS: $$i" ) || echo "FAIL: $$i"; \ | ||
| 49 | + done) | ||
| 50 | + | ||
| 51 | test_evp: | ||
| 52 | ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt | ||
| 53 | |||
| 54 | @@ -203,7 +208,7 @@ test_x509: | ||
| 55 | echo test second x509v3 certificate | ||
| 56 | sh ./tx509 v3-cert2.pem 2>/dev/null | ||
| 57 | |||
| 58 | -test_rsa: $(RSATEST)$(EXE_EXT) | ||
| 59 | +test_rsa: | ||
| 60 | @sh ./trsa 2>/dev/null | ||
| 61 | ../util/shlib_wrap.sh ./$(RSATEST) | ||
| 62 | |||
| 63 | @@ -298,11 +303,11 @@ test_tsa: | ||
| 64 | sh ./testtsa; \ | ||
| 65 | fi | ||
| 66 | |||
| 67 | -test_ige: $(IGETEST)$(EXE_EXT) | ||
| 68 | +test_ige: | ||
| 69 | @echo "Test IGE mode" | ||
| 70 | ../util/shlib_wrap.sh ./$(IGETEST) | ||
| 71 | |||
| 72 | -test_jpake: $(JPAKETEST)$(EXE_EXT) | ||
| 73 | +test_jpake: | ||
| 74 | @echo "Test JPAKE" | ||
| 75 | ../util/shlib_wrap.sh ./$(JPAKETEST) | ||
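Review bot: The new `alltests` recipe in test/Makefile always exits 0, because each iteration ends in `|| echo "FAIL: $$i"` and the loop's status is that of the last `echo`. Since `tests` in Makefile.org now goes through `runtest` and then `alltests`, a failing crypto self-test no longer makes `make test` return non-zero and is visible only as a `FAIL:` line in the output. If the ptest harness reads only those PASS/FAIL lines this may be intended, but for a security library I would still propagate the result, e.g. `rc=0; for i in $(all-tests); do ( $(MAKE) $$i && echo "PASS: $$i" ) || { echo "FAIL: $$i"; rc=1; }; done; exit $$rc`. Separately, the patch header says `diff -uNr a/Makefile b/Makefile` while the `---`/`+++` lines name `Makefile.org`; a sentence in the patch description stating which file is actually patched would avoid confusion.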
diff --git a/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch b/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch index 2185ff8a46..770097db78 100644 --- a/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch +++ b/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch | |||
| @@ -4,6 +4,7 @@ Subject: Initial aarch64 bits. | |||
| 4 | X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=039081b80977e2a5de84e1f88f8b4d025b559956 | 4 | X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=039081b80977e2a5de84e1f88f8b4d025b559956 |
| 5 | 5 | ||
| 6 | Initial aarch64 bits. | 6 | Initial aarch64 bits. |
| 7 | Upstream-Status: backport (will be included in 1.0.2) | ||
| 7 | --- | 8 | --- |
| 8 | crypto/bn/bn_lcl.h | 9 +++++++++ | 9 | crypto/bn/bn_lcl.h | 9 +++++++++ |
| 9 | crypto/md32_common.h | 18 ++++++++++++++++++ | 10 | crypto/md32_common.h | 18 ++++++++++++++++++ |
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch deleted file mode 100644 index 0c43919427..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch +++ /dev/null | |||
| @@ -1,40 +0,0 @@ | |||
| 1 | commit 208d54db20d58c9a5e45e856a0650caadd7d9612 | ||
| 2 | Author: Dr. Stephen Henson <steve@openssl.org> | ||
| 3 | Date: Tue May 13 18:48:31 2014 +0100 | ||
| 4 | |||
| 5 | Fix for CVE-2014-0195 | ||
| 6 | |||
| 7 | A buffer overrun attack can be triggered by sending invalid DTLS fragments | ||
| 8 | to an OpenSSL DTLS client or server. This is potentially exploitable to | ||
| 9 | run arbitrary code on a vulnerable client or server. | ||
| 10 | |||
| 11 | Fixed by adding consistency check for DTLS fragments. | ||
| 12 | |||
| 13 | Thanks to Jüri Aedla for reporting this issue. | ||
| 14 | |||
| 15 | Patch borrowed from Fedora | ||
| 16 | Upstream-Status: Backport | ||
| 17 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
| 18 | |||
| 19 | diff --git a/ssl/d1_both.c b/ssl/d1_both.c | ||
| 20 | index 2e8cf68..07f67f8 100644 | ||
| 21 | --- a/ssl/d1_both.c | ||
| 22 | +++ b/ssl/d1_both.c | ||
| 23 | @@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) | ||
| 24 | frag->msg_header.frag_off = 0; | ||
| 25 | } | ||
| 26 | else | ||
| 27 | + { | ||
| 28 | frag = (hm_fragment*) item->data; | ||
| 29 | + if (frag->msg_header.msg_len != msg_hdr->msg_len) | ||
| 30 | + { | ||
| 31 | + item = NULL; | ||
| 32 | + frag = NULL; | ||
| 33 | + goto err; | ||
| 34 | + } | ||
| 35 | + } | ||
| 36 | + | ||
| 37 | |||
| 38 | /* If message is already reassembled, this must be a | ||
| 39 | * retransmit and can be dropped. | ||
| 40 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0198.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0198.patch deleted file mode 100644 index 12dcfb7f3a..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0198.patch +++ /dev/null | |||
| @@ -1,38 +0,0 @@ | |||
| 1 | From: Matt Caswell <matt@openssl.org> | ||
| 2 | Date: Sun, 11 May 2014 23:38:37 +0000 (+0100) | ||
| 3 | Subject: Fixed NULL pointer dereference. See PR#3321 | ||
| 4 | X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=b107586 | ||
| 5 | |||
| 6 | Fixed NULL pointer dereference. See PR#3321 | ||
| 7 | |||
| 8 | Patch borrowed from Fedora | ||
| 9 | Upstream-Status: Backport | ||
| 10 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
| 11 | |||
| 12 | --- | ||
| 13 | |||
| 14 | diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c | ||
| 15 | index 40eb0dd..d961d12 100644 | ||
| 16 | --- a/ssl/s3_pkt.c | ||
| 17 | +++ b/ssl/s3_pkt.c | ||
| 18 | @@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, | ||
| 19 | SSL3_BUFFER *wb=&(s->s3->wbuf); | ||
| 20 | SSL_SESSION *sess; | ||
| 21 | |||
| 22 | - if (wb->buf == NULL) | ||
| 23 | - if (!ssl3_setup_write_buffer(s)) | ||
| 24 | - return -1; | ||
| 25 | |||
| 26 | /* first check if there is a SSL3_BUFFER still being written | ||
| 27 | * out. This will happen with non blocking IO */ | ||
| 28 | @@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, | ||
| 29 | /* if it went, fall through and send more stuff */ | ||
| 30 | } | ||
| 31 | |||
| 32 | + if (wb->buf == NULL) | ||
| 33 | + if (!ssl3_setup_write_buffer(s)) | ||
| 34 | + return -1; | ||
| 35 | + | ||
| 36 | if (len == 0 && !create_empty_fragment) | ||
| 37 | return 0; | ||
| 38 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0221.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0221.patch deleted file mode 100644 index bf730a8124..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0221.patch +++ /dev/null | |||
| @@ -1,38 +0,0 @@ | |||
| 1 | commit d30e582446b027868cdabd0994681643682045a4 | ||
| 2 | Author: Dr. Stephen Henson <steve@openssl.org> | ||
| 3 | Date: Fri May 16 13:00:45 2014 +0100 | ||
| 4 | |||
| 5 | Fix CVE-2014-0221 | ||
| 6 | |||
| 7 | Unnecessary recursion when receiving a DTLS hello request can be used to | ||
| 8 | crash a DTLS client. Fixed by handling DTLS hello request without recursion. | ||
| 9 | |||
| 10 | Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. | ||
| 11 | |||
| 12 | Patch borrowed from Fedora | ||
| 13 | Upstream-Status: Backport | ||
| 14 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
| 15 | |||
| 16 | diff --git a/ssl/d1_both.c b/ssl/d1_both.c | ||
| 17 | index 07f67f8..4c2fd03 100644 | ||
| 18 | --- a/ssl/d1_both.c | ||
| 19 | +++ b/ssl/d1_both.c | ||
| 20 | @@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) | ||
| 21 | int i,al; | ||
| 22 | struct hm_header_st msg_hdr; | ||
| 23 | |||
| 24 | + redo: | ||
| 25 | /* see if we have the required fragment already */ | ||
| 26 | if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) | ||
| 27 | { | ||
| 28 | @@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) | ||
| 29 | s->msg_callback_arg); | ||
| 30 | |||
| 31 | s->init_num = 0; | ||
| 32 | - return dtls1_get_message_fragment(s, st1, stn, | ||
| 33 | - max, ok); | ||
| 34 | + goto redo; | ||
| 35 | } | ||
| 36 | else /* Incorrectly formated Hello request */ | ||
| 37 | { | ||
| 38 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0224.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0224.patch deleted file mode 100644 index 0ed1d12551..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0224.patch +++ /dev/null | |||
| @@ -1,103 +0,0 @@ | |||
| 1 | Fix for CVE-2014-0224 | ||
| 2 | |||
| 3 | Only accept change cipher spec when it is expected instead of at any | ||
| 4 | time. This prevents premature setting of session keys before the master | ||
| 5 | secret is determined which an attacker could use as a MITM attack. | ||
| 6 | |||
| 7 | Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue | ||
| 8 | and providing the initial fix this patch is based on. | ||
| 9 | |||
| 10 | |||
| 11 | Patch borrowed from Fedora | ||
| 12 | Upstream-Status: Backport | ||
| 13 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
| 14 | |||
| 15 | |||
| 16 | diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h | ||
| 17 | --- openssl-1.0.1e/ssl/ssl3.h.keying-mitm 2014-06-02 19:48:04.518100562 +0200 | ||
| 18 | +++ openssl-1.0.1e/ssl/ssl3.h 2014-06-02 19:48:04.642103429 +0200 | ||
| 19 | @@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st | ||
| 20 | #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 | ||
| 21 | #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 | ||
| 22 | #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 | ||
| 23 | +#define SSL3_FLAGS_CCS_OK 0x0080 | ||
| 24 | |||
| 25 | /* SSL3_FLAGS_SGC_RESTART_DONE is set when we | ||
| 26 | * restart a handshake because of MS SGC and so prevents us | ||
| 27 | diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c | ||
| 28 | --- openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm 2013-02-11 16:26:04.000000000 +0100 | ||
| 29 | +++ openssl-1.0.1e/ssl/s3_clnt.c 2014-06-02 19:49:57.042701985 +0200 | ||
| 30 | @@ -559,6 +559,7 @@ int ssl3_connect(SSL *s) | ||
| 31 | case SSL3_ST_CR_FINISHED_A: | ||
| 32 | case SSL3_ST_CR_FINISHED_B: | ||
| 33 | |||
| 34 | + s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
| 35 | ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, | ||
| 36 | SSL3_ST_CR_FINISHED_B); | ||
| 37 | if (ret <= 0) goto end; | ||
| 38 | @@ -916,6 +917,7 @@ int ssl3_get_server_hello(SSL *s) | ||
| 39 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); | ||
| 40 | goto f_err; | ||
| 41 | } | ||
| 42 | + s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
| 43 | s->hit=1; | ||
| 44 | } | ||
| 45 | else /* a miss or crap from the other end */ | ||
| 46 | diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c | ||
| 47 | --- openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm 2014-06-02 19:48:04.640103383 +0200 | ||
| 48 | +++ openssl-1.0.1e/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200 | ||
| 49 | @@ -1298,6 +1298,15 @@ start: | ||
| 50 | goto f_err; | ||
| 51 | } | ||
| 52 | |||
| 53 | + if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) | ||
| 54 | + { | ||
| 55 | + al=SSL_AD_UNEXPECTED_MESSAGE; | ||
| 56 | + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); | ||
| 57 | + goto f_err; | ||
| 58 | + } | ||
| 59 | + | ||
| 60 | + s->s3->flags &= ~SSL3_FLAGS_CCS_OK; | ||
| 61 | + | ||
| 62 | rr->length=0; | ||
| 63 | |||
| 64 | if (s->msg_callback) | ||
| 65 | @@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s) | ||
| 66 | |||
| 67 | if (s->s3->tmp.key_block == NULL) | ||
| 68 | { | ||
| 69 | - if (s->session == NULL) | ||
| 70 | + if (s->session == NULL || s->session->master_key_length == 0) | ||
| 71 | { | ||
| 72 | /* might happen if dtls1_read_bytes() calls this */ | ||
| 73 | SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY); | ||
| 74 | diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c | ||
| 75 | --- openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm 2014-06-02 19:48:04.630103151 +0200 | ||
| 76 | +++ openssl-1.0.1e/ssl/s3_srvr.c 2014-06-02 19:48:04.643103452 +0200 | ||
| 77 | @@ -673,6 +673,7 @@ int ssl3_accept(SSL *s) | ||
| 78 | case SSL3_ST_SR_CERT_VRFY_A: | ||
| 79 | case SSL3_ST_SR_CERT_VRFY_B: | ||
| 80 | |||
| 81 | + s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
| 82 | /* we should decide if we expected this one */ | ||
| 83 | ret=ssl3_get_cert_verify(s); | ||
| 84 | if (ret <= 0) goto end; | ||
| 85 | @@ -700,6 +701,7 @@ int ssl3_accept(SSL *s) | ||
| 86 | |||
| 87 | case SSL3_ST_SR_FINISHED_A: | ||
| 88 | case SSL3_ST_SR_FINISHED_B: | ||
| 89 | + s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
| 90 | ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, | ||
| 91 | SSL3_ST_SR_FINISHED_B); | ||
| 92 | if (ret <= 0) goto end; | ||
| 93 | @@ -770,7 +772,10 @@ int ssl3_accept(SSL *s) | ||
| 94 | s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; | ||
| 95 | #else | ||
| 96 | if (s->s3->next_proto_neg_seen) | ||
| 97 | + { | ||
| 98 | + s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
| 99 | s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; | ||
| 100 | + } | ||
| 101 | else | ||
| 102 | s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; | ||
| 103 | #endif | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-3470.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-3470.patch deleted file mode 100644 index 025727f587..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-3470.patch +++ /dev/null | |||
| @@ -1,31 +0,0 @@ | |||
| 1 | commit 4ad43d511f6cf064c66eb4bfd0fb0919b5dd8a86 | ||
| 2 | Author: Dr. Stephen Henson <steve@openssl.org> | ||
| 3 | Date: Thu May 29 15:00:05 2014 +0100 | ||
| 4 | |||
| 5 | Fix CVE-2014-3470 | ||
| 6 | |||
| 7 | Check session_cert is not NULL before dereferencing it. | ||
| 8 | |||
| 9 | Patch borrowed from Fedora | ||
| 10 | Upstream-Status: Backport | ||
| 11 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
| 12 | |||
| 13 | |||
| 14 | diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c | ||
| 15 | index d35376d..4324f8d 100644 | ||
| 16 | --- a/ssl/s3_clnt.c | ||
| 17 | +++ b/ssl/s3_clnt.c | ||
| 18 | @@ -2511,6 +2511,13 @@ int ssl3_send_client_key_exchange(SSL *s) | ||
| 19 | int ecdh_clnt_cert = 0; | ||
| 20 | int field_size = 0; | ||
| 21 | |||
| 22 | + if (s->session->sess_cert == NULL) | ||
| 23 | + { | ||
| 24 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); | ||
| 25 | + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); | ||
| 26 | + goto err; | ||
| 27 | + } | ||
| 28 | + | ||
| 29 | /* Did we send out the client's | ||
| 30 | * ECDH share for use in premaster | ||
| 31 | * computation as part of client certificate? | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch b/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch deleted file mode 100644 index 417a774ba2..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch +++ /dev/null | |||
| @@ -1,24 +0,0 @@ | |||
| 1 | openssl fix for CVE-2010-5298 | ||
| 2 | |||
| 3 | Upstream-Status: Backport | ||
| 4 | |||
| 5 | Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL | ||
| 6 | through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote | ||
| 7 | attackers to inject data across sessions or cause a denial of service | ||
| 8 | (use-after-free and parsing error) via an SSL connection in a | ||
| 9 | multithreaded environment. | ||
| 10 | |||
| 11 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298 | ||
| 12 | |||
| 13 | Signed-off-by: Yue Tao <Yue.Tao@windriver.com> | ||
| 14 | --- a/ssl/s3_pkt.c | ||
| 15 | +++ b/ssl/s3_pkt.c | ||
| 16 | @@ -1013,7 +1013,7 @@ start: | ||
| 17 | { | ||
| 18 | s->rstate=SSL_ST_READ_HEADER; | ||
| 19 | rr->off=0; | ||
| 20 | - if (s->mode & SSL_MODE_RELEASE_BUFFERS) | ||
| 21 | + if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) | ||
| 22 | ssl3_release_read_buffer(s); | ||
| 23 | } | ||
| 24 | } | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch b/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch deleted file mode 100644 index 451256eaa5..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch +++ /dev/null | |||
| @@ -1,401 +0,0 @@ | |||
| 1 | Fix documentation build errors with Perl 5.18 pod2man | ||
| 2 | |||
| 3 | This fixes errors building man pages with newer versions of pod2man | ||
| 4 | included with Perl 5.18. | ||
| 5 | |||
| 6 | Upstream-Status: Submitted | ||
| 7 | Signed-off-by: Jonathan Liu | ||
| 8 | |||
| 9 | Index: openssl-1.0.1f/doc/apps/cms.pod | ||
| 10 | =================================================================== | ||
| 11 | --- openssl-1.0.1f.orig/doc/apps/cms.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 12 | +++ openssl-1.0.1f/doc/apps/cms.pod 2014-02-28 10:13:51.899979213 +0200 | ||
| 13 | @@ -450,28 +450,28 @@ | ||
| 14 | |||
| 15 | =over 4 | ||
| 16 | |||
| 17 | -=item 0 | ||
| 18 | +=item Z<>0 | ||
| 19 | |||
| 20 | the operation was completely successfully. | ||
| 21 | |||
| 22 | -=item 1 | ||
| 23 | +=item Z<>1 | ||
| 24 | |||
| 25 | an error occurred parsing the command options. | ||
| 26 | |||
| 27 | -=item 2 | ||
| 28 | +=item Z<>2 | ||
| 29 | |||
| 30 | one of the input files could not be read. | ||
| 31 | |||
| 32 | -=item 3 | ||
| 33 | +=item Z<>3 | ||
| 34 | |||
| 35 | an error occurred creating the CMS file or when reading the MIME | ||
| 36 | message. | ||
| 37 | |||
| 38 | -=item 4 | ||
| 39 | +=item Z<>4 | ||
| 40 | |||
| 41 | an error occurred decrypting or verifying the message. | ||
| 42 | |||
| 43 | -=item 5 | ||
| 44 | +=item Z<>5 | ||
| 45 | |||
| 46 | the message was verified correctly but an error occurred writing out | ||
| 47 | the signers certificates. | ||
| 48 | Index: openssl-1.0.1f/doc/apps/smime.pod | ||
| 49 | =================================================================== | ||
| 50 | --- openssl-1.0.1f.orig/doc/apps/smime.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 51 | +++ openssl-1.0.1f/doc/apps/smime.pod 2014-02-28 10:16:57.795979233 +0200 | ||
| 52 | @@ -308,28 +308,28 @@ | ||
| 53 | |||
| 54 | =over 4 | ||
| 55 | |||
| 56 | -=item 0 | ||
| 57 | +=item Z<>0 | ||
| 58 | |||
| 59 | the operation was completely successfully. | ||
| 60 | |||
| 61 | -=item 1 | ||
| 62 | +=item Z<>1 | ||
| 63 | |||
| 64 | an error occurred parsing the command options. | ||
| 65 | |||
| 66 | -=item 2 | ||
| 67 | +=item Z<>2 | ||
| 68 | |||
| 69 | one of the input files could not be read. | ||
| 70 | |||
| 71 | -=item 3 | ||
| 72 | +=item Z<>3 | ||
| 73 | |||
| 74 | an error occurred creating the PKCS#7 file or when reading the MIME | ||
| 75 | message. | ||
| 76 | |||
| 77 | -=item 4 | ||
| 78 | +=item Z<>4 | ||
| 79 | |||
| 80 | an error occurred decrypting or verifying the message. | ||
| 81 | |||
| 82 | -=item 5 | ||
| 83 | +=item Z<>5 | ||
| 84 | |||
| 85 | the message was verified correctly but an error occurred writing out | ||
| 86 | the signers certificates. | ||
| 87 | Index: openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod | ||
| 88 | =================================================================== | ||
| 89 | --- openssl-1.0.1f.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 90 | +++ openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod 2014-02-28 10:18:09.679979225 +0200 | ||
| 91 | @@ -53,11 +53,11 @@ | ||
| 92 | |||
| 93 | =over 4 | ||
| 94 | |||
| 95 | -=item 0 | ||
| 96 | +=item Z<>0 | ||
| 97 | |||
| 98 | The operation succeeded. | ||
| 99 | |||
| 100 | -=item 1 | ||
| 101 | +=item Z<>1 | ||
| 102 | |||
| 103 | The operation failed. Check the error queue to find out the reason. | ||
| 104 | |||
| 105 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod | ||
| 106 | =================================================================== | ||
| 107 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_add_session.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 108 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod 2014-02-28 10:18:42.687979221 +0200 | ||
| 109 | @@ -52,13 +52,13 @@ | ||
| 110 | |||
| 111 | =over 4 | ||
| 112 | |||
| 113 | -=item 0 | ||
| 114 | +=item Z<>0 | ||
| 115 | |||
| 116 | The operation failed. In case of the add operation, it was tried to add | ||
| 117 | the same (identical) session twice. In case of the remove operation, the | ||
| 118 | session was not found in the cache. | ||
| 119 | |||
| 120 | -=item 1 | ||
| 121 | +=item Z<>1 | ||
| 122 | |||
| 123 | The operation succeeded. | ||
| 124 | |||
| 125 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod | ||
| 126 | =================================================================== | ||
| 127 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 128 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-02-28 10:19:09.079979218 +0200 | ||
| 129 | @@ -100,13 +100,13 @@ | ||
| 130 | |||
| 131 | =over 4 | ||
| 132 | |||
| 133 | -=item 0 | ||
| 134 | +=item Z<>0 | ||
| 135 | |||
| 136 | The operation failed because B<CAfile> and B<CApath> are NULL or the | ||
| 137 | processing at one of the locations specified failed. Check the error | ||
| 138 | stack to find out the reason. | ||
| 139 | |||
| 140 | -=item 1 | ||
| 141 | +=item Z<>1 | ||
| 142 | |||
| 143 | The operation succeeded. | ||
| 144 | |||
| 145 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod | ||
| 146 | =================================================================== | ||
| 147 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 148 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-02-28 10:19:42.999979220 +0200 | ||
| 149 | @@ -66,13 +66,13 @@ | ||
| 150 | |||
| 151 | =over 4 | ||
| 152 | |||
| 153 | -=item 0 | ||
| 154 | +=item Z<>0 | ||
| 155 | |||
| 156 | A failure while manipulating the STACK_OF(X509_NAME) object occurred or | ||
| 157 | the X509_NAME could not be extracted from B<cacert>. Check the error stack | ||
| 158 | to find out the reason. | ||
| 159 | |||
| 160 | -=item 1 | ||
| 161 | +=item Z<>1 | ||
| 162 | |||
| 163 | The operation succeeded. | ||
| 164 | |||
| 165 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod | ||
| 166 | =================================================================== | ||
| 167 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 168 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-02-28 10:20:06.495979211 +0200 | ||
| 169 | @@ -64,13 +64,13 @@ | ||
| 170 | |||
| 171 | =over 4 | ||
| 172 | |||
| 173 | -=item 0 | ||
| 174 | +=item Z<>0 | ||
| 175 | |||
| 176 | The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded | ||
| 177 | the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error | ||
| 178 | is logged to the error stack. | ||
| 179 | |||
| 180 | -=item 1 | ||
| 181 | +=item Z<>1 | ||
| 182 | |||
| 183 | The operation succeeded. | ||
| 184 | |||
| 185 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod | ||
| 186 | =================================================================== | ||
| 187 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 188 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-02-28 10:20:32.111979208 +0200 | ||
| 189 | @@ -42,11 +42,11 @@ | ||
| 190 | |||
| 191 | =over 4 | ||
| 192 | |||
| 193 | -=item 0 | ||
| 194 | +=item Z<>0 | ||
| 195 | |||
| 196 | The new choice failed, check the error stack to find out the reason. | ||
| 197 | |||
| 198 | -=item 1 | ||
| 199 | +=item Z<>1 | ||
| 200 | |||
| 201 | The operation succeeded. | ||
| 202 | |||
| 203 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod | ||
| 204 | =================================================================== | ||
| 205 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 206 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-02-28 10:21:12.351979203 +0200 | ||
| 207 | @@ -96,7 +96,7 @@ | ||
| 208 | connection will fail with decryption_error before it will be finished | ||
| 209 | completely. | ||
| 210 | |||
| 211 | -=item 0 | ||
| 212 | +=item Z<>0 | ||
| 213 | |||
| 214 | PSK identity was not found. An "unknown_psk_identity" alert message | ||
| 215 | will be sent and the connection setup fails. | ||
| 216 | Index: openssl-1.0.1f/doc/ssl/SSL_accept.pod | ||
| 217 | =================================================================== | ||
| 218 | --- openssl-1.0.1f.orig/doc/ssl/SSL_accept.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 219 | +++ openssl-1.0.1f/doc/ssl/SSL_accept.pod 2014-02-28 10:21:51.535979215 +0200 | ||
| 220 | @@ -44,13 +44,13 @@ | ||
| 221 | |||
| 222 | =over 4 | ||
| 223 | |||
| 224 | -=item 0 | ||
| 225 | +=item Z<>0 | ||
| 226 | |||
| 227 | The TLS/SSL handshake was not successful but was shut down controlled and | ||
| 228 | by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the | ||
| 229 | return value B<ret> to find out the reason. | ||
| 230 | |||
| 231 | -=item 1 | ||
| 232 | +=item Z<>1 | ||
| 233 | |||
| 234 | The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been | ||
| 235 | established. | ||
| 236 | Index: openssl-1.0.1f/doc/ssl/SSL_clear.pod | ||
| 237 | =================================================================== | ||
| 238 | --- openssl-1.0.1f.orig/doc/ssl/SSL_clear.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 239 | +++ openssl-1.0.1f/doc/ssl/SSL_clear.pod 2014-02-28 10:22:13.087979196 +0200 | ||
| 240 | @@ -56,12 +56,12 @@ | ||
| 241 | |||
| 242 | =over 4 | ||
| 243 | |||
| 244 | -=item 0 | ||
| 245 | +=item Z<>0 | ||
| 246 | |||
| 247 | The SSL_clear() operation could not be performed. Check the error stack to | ||
| 248 | find out the reason. | ||
| 249 | |||
| 250 | -=item 1 | ||
| 251 | +=item Z<>1 | ||
| 252 | |||
| 253 | The SSL_clear() operation was successful. | ||
| 254 | |||
| 255 | Index: openssl-1.0.1f/doc/ssl/SSL_connect.pod | ||
| 256 | =================================================================== | ||
| 257 | --- openssl-1.0.1f.orig/doc/ssl/SSL_connect.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 258 | +++ openssl-1.0.1f/doc/ssl/SSL_connect.pod 2014-02-28 10:22:33.991979193 +0200 | ||
| 259 | @@ -41,13 +41,13 @@ | ||
| 260 | |||
| 261 | =over 4 | ||
| 262 | |||
| 263 | -=item 0 | ||
| 264 | +=item Z<>0 | ||
| 265 | |||
| 266 | The TLS/SSL handshake was not successful but was shut down controlled and | ||
| 267 | by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the | ||
| 268 | return value B<ret> to find out the reason. | ||
| 269 | |||
| 270 | -=item 1 | ||
| 271 | +=item Z<>1 | ||
| 272 | |||
| 273 | The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been | ||
| 274 | established. | ||
| 275 | Index: openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod | ||
| 276 | =================================================================== | ||
| 277 | --- openssl-1.0.1f.orig/doc/ssl/SSL_do_handshake.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 278 | +++ openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod 2014-02-28 10:22:56.887979159 +0200 | ||
| 279 | @@ -45,13 +45,13 @@ | ||
| 280 | |||
| 281 | =over 4 | ||
| 282 | |||
| 283 | -=item 0 | ||
| 284 | +=item Z<>0 | ||
| 285 | |||
| 286 | The TLS/SSL handshake was not successful but was shut down controlled and | ||
| 287 | by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the | ||
| 288 | return value B<ret> to find out the reason. | ||
| 289 | |||
| 290 | -=item 1 | ||
| 291 | +=item Z<>1 | ||
| 292 | |||
| 293 | The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been | ||
| 294 | established. | ||
| 295 | Index: openssl-1.0.1f/doc/ssl/SSL_read.pod | ||
| 296 | =================================================================== | ||
| 297 | --- openssl-1.0.1f.orig/doc/ssl/SSL_read.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 298 | +++ openssl-1.0.1f/doc/ssl/SSL_read.pod 2014-02-28 10:23:15.303979188 +0200 | ||
| 299 | @@ -86,7 +86,7 @@ | ||
| 300 | The read operation was successful; the return value is the number of | ||
| 301 | bytes actually read from the TLS/SSL connection. | ||
| 302 | |||
| 303 | -=item 0 | ||
| 304 | +=item Z<>0 | ||
| 305 | |||
| 306 | The read operation was not successful. The reason may either be a clean | ||
| 307 | shutdown due to a "close notify" alert sent by the peer (in which case | ||
| 308 | Index: openssl-1.0.1f/doc/ssl/SSL_session_reused.pod | ||
| 309 | =================================================================== | ||
| 310 | --- openssl-1.0.1f.orig/doc/ssl/SSL_session_reused.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 311 | +++ openssl-1.0.1f/doc/ssl/SSL_session_reused.pod 2014-02-28 10:23:36.615979186 +0200 | ||
| 312 | @@ -27,11 +27,11 @@ | ||
| 313 | |||
| 314 | =over 4 | ||
| 315 | |||
| 316 | -=item 0 | ||
| 317 | +=item Z<>0 | ||
| 318 | |||
| 319 | A new session was negotiated. | ||
| 320 | |||
| 321 | -=item 1 | ||
| 322 | +=item Z<>1 | ||
| 323 | |||
| 324 | A session was reused. | ||
| 325 | |||
| 326 | Index: openssl-1.0.1f/doc/ssl/SSL_set_fd.pod | ||
| 327 | =================================================================== | ||
| 328 | --- openssl-1.0.1f.orig/doc/ssl/SSL_set_fd.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 329 | +++ openssl-1.0.1f/doc/ssl/SSL_set_fd.pod 2014-02-28 10:23:57.599979183 +0200 | ||
| 330 | @@ -35,11 +35,11 @@ | ||
| 331 | |||
| 332 | =over 4 | ||
| 333 | |||
| 334 | -=item 0 | ||
| 335 | +=item Z<>0 | ||
| 336 | |||
| 337 | The operation failed. Check the error stack to find out why. | ||
| 338 | |||
| 339 | -=item 1 | ||
| 340 | +=item Z<>1 | ||
| 341 | |||
| 342 | The operation succeeded. | ||
| 343 | |||
| 344 | Index: openssl-1.0.1f/doc/ssl/SSL_set_session.pod | ||
| 345 | =================================================================== | ||
| 346 | --- openssl-1.0.1f.orig/doc/ssl/SSL_set_session.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 347 | +++ openssl-1.0.1f/doc/ssl/SSL_set_session.pod 2014-02-28 10:24:16.943979181 +0200 | ||
| 348 | @@ -37,11 +37,11 @@ | ||
| 349 | |||
| 350 | =over 4 | ||
| 351 | |||
| 352 | -=item 0 | ||
| 353 | +=item Z<>0 | ||
| 354 | |||
| 355 | The operation failed; check the error stack to find out the reason. | ||
| 356 | |||
| 357 | -=item 1 | ||
| 358 | +=item Z<>1 | ||
| 359 | |||
| 360 | The operation succeeded. | ||
| 361 | |||
| 362 | Index: openssl-1.0.1f/doc/ssl/SSL_shutdown.pod | ||
| 363 | =================================================================== | ||
| 364 | --- openssl-1.0.1f.orig/doc/ssl/SSL_shutdown.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 365 | +++ openssl-1.0.1f/doc/ssl/SSL_shutdown.pod 2014-02-28 10:25:03.623979175 +0200 | ||
| 366 | @@ -92,19 +92,19 @@ | ||
| 367 | |||
| 368 | =over 4 | ||
| 369 | |||
| 370 | -=item 0 | ||
| 371 | +=item Z<>0 | ||
| 372 | |||
| 373 | The shutdown is not yet finished. Call SSL_shutdown() for a second time, | ||
| 374 | if a bidirectional shutdown shall be performed. | ||
| 375 | The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an | ||
| 376 | erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. | ||
| 377 | |||
| 378 | -=item 1 | ||
| 379 | +=item Z<>1 | ||
| 380 | |||
| 381 | The shutdown was successfully completed. The "close notify" alert was sent | ||
| 382 | and the peer's "close notify" alert was received. | ||
| 383 | |||
| 384 | -=item -1 | ||
| 385 | +=item Z<>-1 | ||
| 386 | |||
| 387 | The shutdown was not successful because a fatal error occurred either | ||
| 388 | at the protocol level or a connection failure occurred. It can also occur if | ||
| 389 | Index: openssl-1.0.1f/doc/ssl/SSL_write.pod | ||
| 390 | =================================================================== | ||
| 391 | --- openssl-1.0.1f.orig/doc/ssl/SSL_write.pod 2014-01-06 15:47:42.000000000 +0200 | ||
| 392 | +++ openssl-1.0.1f/doc/ssl/SSL_write.pod 2014-02-28 10:25:36.031979168 +0200 | ||
| 393 | @@ -79,7 +79,7 @@ | ||
| 394 | The write operation was successful, the return value is the number of | ||
| 395 | bytes actually written to the TLS/SSL connection. | ||
| 396 | |||
| 397 | -=item 0 | ||
| 398 | +=item Z<>0 | ||
| 399 | |||
| 400 | The write operation was not successful. Probably the underlying connection | ||
| 401 | was closed. Call SSL_get_error() with the return value B<ret> to find out, | ||
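--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/ptest-deps.patch
@@ -0,0 +1,30 @@
+Remove Makefile dependencies for test targets
+
+These are probably here because the executables aren't always built for
+other platforms (e.g. Windows); however we can safely assume they'll
+always be there. None of the other test targets have such dependencies
+and if we don't remove them, make tries to rebuild the executables and
+fails during run-ptest.
+
+Upstream-Status: Inappropriate [config]
+
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+
+diff --git a/test/Makefile b/test/Makefile
+index e6fcfb4..5ae043b 100644
+--- a/test/Makefile
++++ b/test/Makefile
+@@ -322,11 +322,11 @@ test_cms:
+@echo "CMS consistency test"
+$(PERL) cms-test.pl
+
+-test_srp: $(SRPTEST)$(EXE_EXT)
++test_srp:
+@echo "Test SRP"
+../util/shlib_wrap.sh ./srptest
+
+-test_heartbeat: $(HEARTBEATTEST)$(EXE_EXT)
++test_heartbeat:
+../util/shlib_wrap.sh ./$(HEARTBEATTEST)
+
+lint: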
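--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/run-ptest
@@ -0,0 +1,2 @@
+#!/bin/sh
+make -k runtest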
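Review bot: The script prints only make's raw output, so nothing in it emits the `PASS: <name>` / `FAIL: <name>` result lines that the ptest convention uses for reporting. Because `-k` keeps going after a failed target, a failure in one suite (for example the `test_heartbeat` or `test_srp` targets touched by ptest-deps.patch in this commit) would show up only in the log text and in make's exit status. If the runner in use parses result lines rather than the exit code, a regression in those security-relevant tests could go unreported. A minimal way to surface the overall outcome is `make -k runtest && echo "PASS: openssl" || echo "FAIL: openssl"`; a per-target mapping would be better, but it depends on the test Makefile's output, which is not visible here.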
