openssl: update to 1.0.2i (CVE-2016-6304 and more)

This update fixes several CVEs: * OCSP Status Request extension unbounded memory growth (CVE-2016-6304) * SWEET32 Mitigation (CVE-2016-2183) * OOB write in MDC2_Update() (CVE-2016-6303) * Malformed SHA512 ticket DoS (CVE-2016-6302) * OOB write in BN_bn2dec() (CVE-2016-2182) * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) * DTLS buffered message DoS (CVE-2016-2179) * DTLS replay protection DoS (CVE-2016-2181) * Certificate message OOB reads (CVE-2016-6306) Of these, only CVE-2016-6304 is considered of high severity. Everything else is low. CVE-2016-2177 and CVE-2016-2178 were already fixed via local patches, which can be removed now. See https://www.openssl.org/news/secadv/20160922.txt for details. Some patches had to be refreshed and one compile error fix from upstream's OpenSSL_1_0_2-stable was required. The server.pem file is needed for test_dtls. (From OE-Core rev: d6b69279b5d1370d9c4982d5b1842a471cfd2b0e) Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Patrick Ohly <patrick.ohly@intel.com> 2016-09-23 15:26:05 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-09-24 07:30:09 +0100
commit: d9e1bb679eb4d625a751ad668a18eaaefeaed850 (patch)
tree: 91d678182f2c08db9d61f01e37ecbd9e89f8a907
parent: 2f4b80b3061368917ecad432094e7128f8f3b740 (diff)
download: poky-d9e1bb679eb4d625a751ad668a18eaaefeaed850.tar.gz
7 files changed, 48 insertions, 345 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index f83664c271..cb7ec0aac2 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -211,6 +211,7 @@ do_install_ptest () {
        ln -sf ${libdir}/ssl/misc/CA.sh  ${D}${PTEST_PATH}/apps
        ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps
        ln -sf ${bindir}/openssl         ${D}${PTEST_PATH}/apps
+        cp apps/server.pem              ${D}${PTEST_PATH}/apps
        cp apps/server2.pem             ${D}${PTEST_PATH}/apps
        mkdir -p ${D}${PTEST_PATH}/util
        install util/opensslwrap.sh    ${D}${PTEST_PATH}/util
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2177.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2177.patch
deleted file mode 100644
index df36d5fb37..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2177.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Thu, 5 May 2016 11:10:26 +0100
-Subject: [PATCH] Avoid some undefined pointer arithmetic
-A common idiom in the codebase is:
-if (p + len > limit)
-{
-    return; /* Too long */
-}
-Where "p" points to some malloc'd data of SIZE bytes and
-limit == p + SIZE
-"len" here could be from some externally supplied data (e.g. from a TLS
-message).
-The rules of C pointer arithmetic are such that "p + len" is only well
-defined where len <= SIZE. Therefore the above idiom is actually
-undefined behaviour.
-For example this could cause problems if some malloc implementation
-provides an address for "p" such that "p + len" actually overflows for
-values of len that are too big and therefore p + len < limit!
-Issue reported by Guido Vranken.
-CVE-2016-2177
-Reviewed-by: Rich Salz <rsalz@openssl.org>
-Upstream-Status: Backport
-CVE: CVE-2016-2177
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- ssl/s3_srvr.c  | 14 +++++++-------
- ssl/ssl_sess.c |  2 +-
- ssl/t1_lib.c   | 56 ++++++++++++++++++++++++++++++--------------------------
- 3 files changed, 38 insertions(+), 34 deletions(-)
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index ab28702..ab7f690 100644
--- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-         session_length = *(p + SSL3_RANDOM_SIZE);
- 
-        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
-+        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
-     /* get the session-id */
-     j = *(p++);
- 
-    if (p + j > d + n) {
-+    if ((d + n) - p < j) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
-@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
- 
-     if (SSL_IS_DTLS(s)) {
-         /* cookie stuff */
-        if (p + 1 > d + n) {
-+        if ((d + n) - p < 1) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-         }
-         cookie_len = *(p++);
- 
-        if (p + cookie_len > d + n) {
-+        if ((d + n ) - p < cookie_len) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
-         }
-     }
- 
-    if (p + 2 > d + n) {
-+    if ((d + n ) - p < 2) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
-@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
-     }
- 
-     /* i bytes of cipher data + 1 byte for compression length later */
-    if ((p + i + 1) > (d + n)) {
-+    if ((d + n) - p < i + 1) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-     /* compression */
-     i = *(p++);
-    if ((p + i) > (d + n)) {
-+    if ((d + n) - p < i) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
-index b182998..54ee783 100644
--- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
-     int r;
- #endif
- 
-    if (session_id + len > limit) {
-+    if (limit - session_id < len) {
-         fatal = 1;
-         goto err;
-     }
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index fb64607..cdac011 100644
--- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         0x02, 0x03,             /* SHA-1/ECDSA */
-     };
- 
-    if (data >= (limit - 2))
-+    if (limit - data <= 2)
-         return;
-     data += 2;
- 
-    if (data > (limit - 4))
-+    if (limit - data < 4)
-         return;
-     n2s(data, type);
-     n2s(data, size);
-@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     if (type != TLSEXT_TYPE_server_name)
-         return;
- 
-    if (data + size > limit)
-+    if (limit - data < size)
-         return;
-     data += size;
- 
-@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         const size_t len1 = sizeof(kSafariExtensionsBlock);
-         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
- 
-        if (data + len1 + len2 != limit)
-+        if (limit - data != (int)(len1 + len2))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-             return;
-@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     } else {
-         const size_t len = sizeof(kSafariExtensionsBlock);
- 
-        if (data + len != limit)
-+        if (limit - data != (int)(len))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-             return;
-@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-     if (data == limit)
-         goto ri_check;
- 
-    if (data > (limit - 2))
-+    if (limit - data < 2)
-         goto err;
- 
-     n2s(data, len);
- 
-    if (data + len != limit)
-+    if (limit - data != len)
-         goto err;
- 
-    while (data <= (limit - 4)) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
-        if (data + size > (limit))
-+        if (limit - data < size)
-             goto err;
- # if 0
-         fprintf(stderr, "Received extension type %d size %d\n", type, size);
-@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
-     if (s->hit || s->cert->srv_ext.meths_count == 0)
-         return 1;
- 
-    if (data >= limit - 2)
-+    if (limit - data <= 2)
-         return 1;
-     n2s(data, len);
- 
-    if (data > limit - len)
-+    if (limit - data < len)
-         return 1;
- 
-    while (data <= limit - 4) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
-        if (data + size > limit)
-+        if (limit - data < size)
-             return 1;
-         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
-             return 0;
-@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
-                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- # endif
- 
-    if (data >= (d + n - 2))
-+    if ((d + n) - data <= 2)
-         goto ri_check;
- 
-     n2s(data, length);
-    if (data + length != d + n) {
-+    if ((d + n) - data != length) {
-         *al = SSL_AD_DECODE_ERROR;
-         return 0;
-     }
- 
-    while (data <= (d + n - 4)) {
-+    while ((d + n) - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
-        if (data + size > (d + n))
-+        if ((d + n) - data < size)
-             goto ri_check;
- 
-         if (s->tlsext_debug_cb)
-@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-     /* Skip past DTLS cookie */
-     if (SSL_IS_DTLS(s)) {
-         i = *(p++);
-        p += i;
-        if (p >= limit)
-+
-+        if (limit - p <= i)
-             return -1;
-+
-+        p += i;
-     }
-     /* Skip past cipher list */
-     n2s(p, i);
-    p += i;
-    if (p >= limit)
-+    if (limit - p <= i)
-         return -1;
-+    p += i;
-+
-     /* Skip past compression algorithm list */
-     i = *(p++);
-    p += i;
-    if (p > limit)
-+    if (limit - p < i)
-         return -1;
-+    p += i;
-+
-     /* Now at start of extensions */
-    if ((p + 2) >= limit)
-+    if (limit - p <= 2)
-         return 0;
-     n2s(p, i);
-    while ((p + 4) <= limit) {
-+    while (limit - p >= 4) {
-         unsigned short type, size;
-         n2s(p, type);
-         n2s(p, size);
-        if (p + size > limit)
-+        if (limit - p < size)
-             return 0;
-         if (type == TLSEXT_TYPE_session_ticket) {
-             int r;
-- 
-2.3.5
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
deleted file mode 100644
index 27ade4e7d2..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 399944622df7bd81af62e67ea967c470534090e2 Mon Sep 17 00:00:00 2001
-From: Cesar Pereida <cesar.pereida@aalto.fi>
-Date: Mon, 23 May 2016 12:45:25 +0300
-Subject: [PATCH] Fix DSA, preserve BN_FLG_CONSTTIME
-Operations in the DSA signing algorithm should run in constant time in
-order to avoid side channel attacks. A flaw in the OpenSSL DSA
-implementation means that a non-constant time codepath is followed for
-certain operations. This has been demonstrated through a cache-timing
-attack to be sufficient for an attacker to recover the private DSA key.
-CVE-2016-2178
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Upstream-Status: Backport
-CVE: CVE-2016-2178
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- crypto/dsa/dsa_ossl.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-Index: openssl-1.0.2h/crypto/dsa/dsa_ossl.c
-===================================================================
--- openssl-1.0.2h.orig/crypto/dsa/dsa_ossl.c
-+++ openssl-1.0.2h/crypto/dsa/dsa_ossl.c
-@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_C
-         if (!BN_rand_range(&k, dsa->q))
-             goto err;
-     while (BN_is_zero(&k)) ;
-    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-        BN_set_flags(&k, BN_FLG_CONSTTIME);
-    }
- 
-     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
-         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-@@ -282,6 +279,11 @@ static int dsa_sign_setup(DSA *dsa, BN_C
-     } else {
-         K = &k;
-     }
-+
-+    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-+        BN_set_flags(K, BN_FLG_CONSTTIME);
-+    }
-+
-     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
-                    dsa->method_mont_p);
-     if (!BN_mod(r, r, dsa->q, ctx))
diff --git a/meta/recipes-connectivity/openssl/openssl/Fix-typo-introduced-by-a03f81f4.patch b/meta/recipes-connectivity/openssl/openssl/Fix-typo-introduced-by-a03f81f4.patch
new file mode 100644
index 0000000000..04112966ab
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/Fix-typo-introduced-by-a03f81f4.patch
@@ -0,0 +1,29 @@
+From 581215a519c66db7255ea360ed25bb00033ccd52 Mon Sep 17 00:00:00 2001
+From: Rich Salz <rsalz@openssl.org>
+Date: Thu, 22 Sep 2016 08:47:45 -0400
+Subject: [PATCH] Fix typo introduced by a03f81f4
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/581215a519c66db7255ea360ed25bb00033ccd52]
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ crypto/engine/eng_cryptodev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index 65a74df..2a2b95c 100644
+--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
+@@ -939,7 +939,7 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
+     if (fstate->mac_len != 0) {
+         if (fstate->mac_data != NULL) {
+             dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
+-            if (dstate->ac_data == NULL) {
+            if (dstate->mac_data == NULL) {
+                 printf("cryptodev_digest_init: malloc failed\n");
+                 return 0;
+             }
+-- 
+2.1.4
diff --git a/meta/recipes-connectivity/openssl/openssl/debian/ca.patch b/meta/recipes-connectivity/openssl/openssl/debian/ca.patch
index aba4d42983..fb745e4394 100644
--- a/meta/recipes-connectivity/openssl/openssl/debian/ca.patch
+++ b/meta/recipes-connectivity/openssl/openssl/debian/ca.patch
@@ -7,7 +7,7 @@ Index: openssl-0.9.8m/apps/CA.pl.in
 @@ -65,6 +65,7 @@
 foreach (@ARGV) {
        if ( /^(-\?|-h|-help)$/ ) {
-            print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+            print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
 +           print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
            exit 0;
        } elsif (/^-newcert$/) {
diff --git a/meta/recipes-connectivity/openssl/openssl/parallel.patch b/meta/recipes-connectivity/openssl/openssl/parallel.patch
index b6c2c148b1..f3f4c99888 100644
--- a/meta/recipes-connectivity/openssl/openssl/parallel.patch
+++ b/meta/recipes-connectivity/openssl/openssl/parallel.patch
@@ -6,6 +6,9 @@ https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1
 Upstream-Status: Pending
 Signed-off-by: Ross Burton <ross.burton@intel.com>
+Refreshed for 1.0.2i
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
 --- openssl-1.0.2g/crypto/Makefile
 +++ openssl-1.0.2g/crypto/Makefile
 @@ -85,11 +85,11 @@
@@ -133,7 +136,7 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
                fi; \
 --- openssl-1.0.2g/test/Makefile
 +++ openssl-1.0.2g/test/Makefile
-@@ -139,7 +139,7 @@
+@@ -144,7 +144,7 @@
 tags:
        ctags $(SRC)
 
@@ -142,7 +145,7 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
 
 apps:
        @(cd ..; $(MAKE) DIRS=apps all)
-@@ -421,130 +421,130 @@
+@@ -438,136 +438,136 @@
                link_app.$${shlib_target}
 
 $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
@@ -309,13 +312,21 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
 -       @target=$(CLIENTHELLOTEST) $(BUILD_CMD)
 +       +@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
 
+ $(BADDTLSTEST)$(EXE_EXT): $(BADDTLSTEST).o
+-       @target=$(BADDTLSTEST) $(BUILD_CMD)
+       +@target=$(BADDTLSTEST) $(BUILD_CMD)
+ 
 $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
 -       @target=$(SSLV2CONFTEST) $(BUILD_CMD)
 +       +@target=$(SSLV2CONFTEST) $(BUILD_CMD)
 
+ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO)
+-       @target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
+       +@target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
+ 
 #$(AESTEST).o: $(AESTEST).c
 #      $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -557,7 +557,7 @@
+@@ -580,6 +580,6 @@
 #      fi
 
 dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2i.bb
index c8444d39b9..c32f47296c 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2i.bb
@@ -39,12 +39,11 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
            file://ptest_makefile_deps.patch  \
            file://configure-musl-target.patch \
            file://parallel.patch \
-            file://CVE-2016-2177.patch \
-            file://CVE-2016-2178.patch \
            file://openssl-util-perlpath.pl-cwd.patch \
+            file://Fix-typo-introduced-by-a03f81f4.patch \
           "
-SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
+SRC_URI[md5sum] = "678374e63f8df456a697d3e5e5a931fb"
-SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"
+SRC_URI[sha256sum] = "9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f"
 PACKAGES =+ "${PN}-engines"
 FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
author	Patrick Ohly <patrick.ohly@intel.com>	2016-09-23 15:26:05 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-09-24 07:30:09 +0100
commit	d9e1bb679eb4d625a751ad668a18eaaefeaed850 (patch)
tree	91d678182f2c08db9d61f01e37ecbd9e89f8a907
parent	2f4b80b3061368917ecad432094e7128f8f3b740 (diff)
download	poky-d9e1bb679eb4d625a751ad668a18eaaefeaed850.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc index f83664c271..cb7ec0aac2 100644 --- a/meta/recipes-connectivity/openssl/openssl.inc +++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -211,6 +211,7 @@ do_install_ptest () {
211	ln -sf ${libdir}/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps	211	ln -sf ${libdir}/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps
212	ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps	212	ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps
213	ln -sf ${bindir}/openssl ${D}${PTEST_PATH}/apps	213	ln -sf ${bindir}/openssl ${D}${PTEST_PATH}/apps
		214	cp apps/server.pem ${D}${PTEST_PATH}/apps
214	cp apps/server2.pem ${D}${PTEST_PATH}/apps	215	cp apps/server2.pem ${D}${PTEST_PATH}/apps
215	mkdir -p ${D}${PTEST_PATH}/util	216	mkdir -p ${D}${PTEST_PATH}/util
216	install util/opensslwrap.sh ${D}${PTEST_PATH}/util	217	install util/opensslwrap.sh ${D}${PTEST_PATH}/util


diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2177.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2177.patch deleted file mode 100644 index df36d5fb37..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2177.patch +++ /dev/null
@@ -1,286 +0,0 @@
1	From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001
2	From: Matt Caswell <matt@openssl.org>
3	Date: Thu, 5 May 2016 11:10:26 +0100
4	Subject: [PATCH] Avoid some undefined pointer arithmetic
5
6	A common idiom in the codebase is:
7
8	if (p + len > limit)
9	{
10	return; /* Too long */
11	}
12
13	Where "p" points to some malloc'd data of SIZE bytes and
14	limit == p + SIZE
15
16	"len" here could be from some externally supplied data (e.g. from a TLS
17	message).
18
19	The rules of C pointer arithmetic are such that "p + len" is only well
20	defined where len <= SIZE. Therefore the above idiom is actually
21	undefined behaviour.
22
23	For example this could cause problems if some malloc implementation
24	provides an address for "p" such that "p + len" actually overflows for
25	values of len that are too big and therefore p + len < limit!
26
27	Issue reported by Guido Vranken.
28
29	CVE-2016-2177
30
31	Reviewed-by: Rich Salz <rsalz@openssl.org>
32
33	Upstream-Status: Backport
34	CVE: CVE-2016-2177
35
36	Signed-off-by: Armin Kuster <akuster@mvista.com>
37
38
39	---
40	ssl/s3_srvr.c \| 14 +++++++-------
41	ssl/ssl_sess.c \| 2 +-
42	ssl/t1_lib.c \| 56 ++++++++++++++++++++++++++++++--------------------------
43	3 files changed, 38 insertions(+), 34 deletions(-)
44
45	diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
46	index ab28702..ab7f690 100644
47	--- a/ssl/s3_srvr.c
48	+++ b/ssl/s3_srvr.c
49	@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
50
51	session_length = *(p + SSL3_RANDOM_SIZE);
52
53	- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
54	+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
55	al = SSL_AD_DECODE_ERROR;
56	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
57	goto f_err;
58	@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
59	/* get the session-id */
60	j = *(p++);
61
62	- if (p + j > d + n) {
63	+ if ((d + n) - p < j) {
64	al = SSL_AD_DECODE_ERROR;
65	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
66	goto f_err;
67	@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
68
69	if (SSL_IS_DTLS(s)) {
70	/* cookie stuff */
71	- if (p + 1 > d + n) {
72	+ if ((d + n) - p < 1) {
73	al = SSL_AD_DECODE_ERROR;
74	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
75	goto f_err;
76	}
77	cookie_len = *(p++);
78
79	- if (p + cookie_len > d + n) {
80	+ if ((d + n ) - p < cookie_len) {
81	al = SSL_AD_DECODE_ERROR;
82	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
83	goto f_err;
84	@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
85	}
86	}
87
88	- if (p + 2 > d + n) {
89	+ if ((d + n ) - p < 2) {
90	al = SSL_AD_DECODE_ERROR;
91	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
92	goto f_err;
93	@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
94	}
95
96	/* i bytes of cipher data + 1 byte for compression length later */
97	- if ((p + i + 1) > (d + n)) {
98	+ if ((d + n) - p < i + 1) {
99	/* not enough data */
100	al = SSL_AD_DECODE_ERROR;
101	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
102	@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
103
104	/* compression */
105	i = *(p++);
106	- if ((p + i) > (d + n)) {
107	+ if ((d + n) - p < i) {
108	/* not enough data */
109	al = SSL_AD_DECODE_ERROR;
110	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
111	diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
112	index b182998..54ee783 100644
113	--- a/ssl/ssl_sess.c
114	+++ b/ssl/ssl_sess.c
115	@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL s, unsigned char session_id, int len,
116	int r;
117	#endif
118
119	- if (session_id + len > limit) {
120	+ if (limit - session_id < len) {
121	fatal = 1;
122	goto err;
123	}
124	diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
125	index fb64607..cdac011 100644
126	--- a/ssl/t1_lib.c
127	+++ b/ssl/t1_lib.c
128	@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL s, const unsigned char data,
129	0x02, 0x03, /* SHA-1/ECDSA */
130	};
131
132	- if (data >= (limit - 2))
133	+ if (limit - data <= 2)
134	return;
135	data += 2;
136
137	- if (data > (limit - 4))
138	+ if (limit - data < 4)
139	return;
140	n2s(data, type);
141	n2s(data, size);
142	@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL s, const unsigned char data,
143	if (type != TLSEXT_TYPE_server_name)
144	return;
145
146	- if (data + size > limit)
147	+ if (limit - data < size)
148	return;
149	data += size;
150
151	@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL s, const unsigned char data,
152	const size_t len1 = sizeof(kSafariExtensionsBlock);
153	const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
154
155	- if (data + len1 + len2 != limit)
156	+ if (limit - data != (int)(len1 + len2))
157	return;
158	if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
159	return;
160	@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL s, const unsigned char data,
161	} else {
162	const size_t len = sizeof(kSafariExtensionsBlock);
163
164	- if (data + len != limit)
165	+ if (limit - data != (int)(len))
166	return;
167	if (memcmp(data, kSafariExtensionsBlock, len) != 0)
168	return;
169	@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL s, unsigned char *p,
170	if (data == limit)
171	goto ri_check;
172
173	- if (data > (limit - 2))
174	+ if (limit - data < 2)
175	goto err;
176
177	n2s(data, len);
178
179	- if (data + len != limit)
180	+ if (limit - data != len)
181	goto err;
182
183	- while (data <= (limit - 4)) {
184	+ while (limit - data >= 4) {
185	n2s(data, type);
186	n2s(data, size);
187
188	- if (data + size > (limit))
189	+ if (limit - data < size)
190	goto err;
191	# if 0
192	fprintf(stderr, "Received extension type %d size %d\n", type, size);
193	@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
194	if (s->hit \|\| s->cert->srv_ext.meths_count == 0)
195	return 1;
196
197	- if (data >= limit - 2)
198	+ if (limit - data <= 2)
199	return 1;
200	n2s(data, len);
201
202	- if (data > limit - len)
203	+ if (limit - data < len)
204	return 1;
205
206	- while (data <= limit - 4) {
207	+ while (limit - data >= 4) {
208	n2s(data, type);
209	n2s(data, size);
210
211	- if (data + size > limit)
212	+ if (limit - data < size)
213	return 1;
214	if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
215	return 0;
216	@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL s, unsigned char *p,
217	SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
218	# endif
219
220	- if (data >= (d + n - 2))
221	+ if ((d + n) - data <= 2)
222	goto ri_check;
223
224	n2s(data, length);
225	- if (data + length != d + n) {
226	+ if ((d + n) - data != length) {
227	*al = SSL_AD_DECODE_ERROR;
228	return 0;
229	}
230
231	- while (data <= (d + n - 4)) {
232	+ while ((d + n) - data >= 4) {
233	n2s(data, type);
234	n2s(data, size);
235
236	- if (data + size > (d + n))
237	+ if ((d + n) - data < size)
238	goto ri_check;
239
240	if (s->tlsext_debug_cb)
241	@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL s, unsigned char session_id, int len,
242	/* Skip past DTLS cookie */
243	if (SSL_IS_DTLS(s)) {
244	i = *(p++);
245	- p += i;
246	- if (p >= limit)
247	+
248	+ if (limit - p <= i)
249	return -1;
250	+
251	+ p += i;
252	}
253	/* Skip past cipher list */
254	n2s(p, i);
255	- p += i;
256	- if (p >= limit)
257	+ if (limit - p <= i)
258	return -1;
259	+ p += i;
260	+
261	/* Skip past compression algorithm list */
262	i = *(p++);
263	- p += i;
264	- if (p > limit)
265	+ if (limit - p < i)
266	return -1;
267	+ p += i;
268	+
269	/* Now at start of extensions */
270	- if ((p + 2) >= limit)
271	+ if (limit - p <= 2)
272	return 0;
273	n2s(p, i);
274	- while ((p + 4) <= limit) {
275	+ while (limit - p >= 4) {
276	unsigned short type, size;
277	n2s(p, type);
278	n2s(p, size);
279	- if (p + size > limit)
280	+ if (limit - p < size)
281	return 0;
282	if (type == TLSEXT_TYPE_session_ticket) {
283	int r;
284	--
285	2.3.5
286


diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch deleted file mode 100644 index 27ade4e7d2..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch +++ /dev/null
@@ -1,51 +0,0 @@
1	From 399944622df7bd81af62e67ea967c470534090e2 Mon Sep 17 00:00:00 2001
2	From: Cesar Pereida <cesar.pereida@aalto.fi>
3	Date: Mon, 23 May 2016 12:45:25 +0300
4	Subject: [PATCH] Fix DSA, preserve BN_FLG_CONSTTIME
5
6	Operations in the DSA signing algorithm should run in constant time in
7	order to avoid side channel attacks. A flaw in the OpenSSL DSA
8	implementation means that a non-constant time codepath is followed for
9	certain operations. This has been demonstrated through a cache-timing
10	attack to be sufficient for an attacker to recover the private DSA key.
11
12	CVE-2016-2178
13
14	Reviewed-by: Richard Levitte <levitte@openssl.org>
15	Reviewed-by: Matt Caswell <matt@openssl.org>
16
17	Upstream-Status: Backport
18	CVE: CVE-2016-2178
19
20	Signed-off-by: Armin Kuster <akuster@mvista.com>
21
22	---
23	crypto/dsa/dsa_ossl.c \| 9 +++++----
24	1 file changed, 5 insertions(+), 4 deletions(-)
25
26	Index: openssl-1.0.2h/crypto/dsa/dsa_ossl.c
27	===================================================================
28	--- openssl-1.0.2h.orig/crypto/dsa/dsa_ossl.c
29	+++ openssl-1.0.2h/crypto/dsa/dsa_ossl.c
30	@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_C
31	if (!BN_rand_range(&k, dsa->q))
32	goto err;
33	while (BN_is_zero(&k)) ;
34	- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
35	- BN_set_flags(&k, BN_FLG_CONSTTIME);
36	- }
37
38	if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
39	if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
40	@@ -282,6 +279,11 @@ static int dsa_sign_setup(DSA *dsa, BN_C
41	} else {
42	K = &k;
43	}
44	+
45	+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
46	+ BN_set_flags(K, BN_FLG_CONSTTIME);
47	+ }
48	+
49	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
50	dsa->method_mont_p);
51	if (!BN_mod(r, r, dsa->q, ctx))


diff --git a/meta/recipes-connectivity/openssl/openssl/Fix-typo-introduced-by-a03f81f4.patch b/meta/recipes-connectivity/openssl/openssl/Fix-typo-introduced-by-a03f81f4.patch new file mode 100644 index 0000000000..04112966ab --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/Fix-typo-introduced-by-a03f81f4.patch
@@ -0,0 +1,29 @@
		1	From 581215a519c66db7255ea360ed25bb00033ccd52 Mon Sep 17 00:00:00 2001
		2	From: Rich Salz <rsalz@openssl.org>
		3	Date: Thu, 22 Sep 2016 08:47:45 -0400
		4	Subject: [PATCH] Fix typo introduced by a03f81f4
		5
		6	Reviewed-by: Richard Levitte <levitte@openssl.org>
		7
		8	Upstream-Status: Backport [https://github.com/openssl/openssl/commit/581215a519c66db7255ea360ed25bb00033ccd52]
		9	Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
		10	---
		11	crypto/engine/eng_cryptodev.c \| 2 +-
		12	1 file changed, 1 insertion(+), 1 deletion(-)
		13
		14	diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
		15	index 65a74df..2a2b95c 100644
		16	--- a/crypto/engine/eng_cryptodev.c
		17	+++ b/crypto/engine/eng_cryptodev.c
		18	@@ -939,7 +939,7 @@ static int cryptodev_digest_copy(EVP_MD_CTX to, const EVP_MD_CTX from)
		19	if (fstate->mac_len != 0) {
		20	if (fstate->mac_data != NULL) {
		21	dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
		22	- if (dstate->ac_data == NULL) {
		23	+ if (dstate->mac_data == NULL) {
		24	printf("cryptodev_digest_init: malloc failed\n");
		25	return 0;
		26	}
		27	--
		28	2.1.4
		29


diff --git a/meta/recipes-connectivity/openssl/openssl/debian/ca.patch b/meta/recipes-connectivity/openssl/openssl/debian/ca.patch index aba4d42983..fb745e4394 100644 --- a/meta/recipes-connectivity/openssl/openssl/debian/ca.patch +++ b/meta/recipes-connectivity/openssl/openssl/debian/ca.patch
@@ -7,7 +7,7 @@ Index: openssl-0.9.8m/apps/CA.pl.in
7	@@ -65,6 +65,7 @@	7	@@ -65,6 +65,7 @@
8	foreach (@ARGV) {	8	foreach (@ARGV) {
9	if ( /^(-\?\|-h\|-help)$/ ) {	9	if ( /^(-\?\|-h\|-help)$/ ) {
10	print STDERR "usage: CA -newcert\|-newreq\|-newreq-nodes\|-newca\|-sign\|-verify\n";	10	print STDERR "usage: CA -newcert\|-newreq\|-newreq-nodes\|-newca\|-sign\|-signcert\|-verify\n";
11	+ print STDERR "usage: CA -signcert certfile keyfile\|-newcert\|-newreq\|-newca\|-sign\|-verify\n";	11	+ print STDERR "usage: CA -signcert certfile keyfile\|-newcert\|-newreq\|-newca\|-sign\|-verify\n";
12	exit 0;	12	exit 0;
13	} elsif (/^-newcert$/) {	13	} elsif (/^-newcert$/) {


diff --git a/meta/recipes-connectivity/openssl/openssl/parallel.patch b/meta/recipes-connectivity/openssl/openssl/parallel.patch index b6c2c148b1..f3f4c99888 100644 --- a/meta/recipes-connectivity/openssl/openssl/parallel.patch +++ b/meta/recipes-connectivity/openssl/openssl/parallel.patch
@@ -6,6 +6,9 @@ https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1
6	Upstream-Status: Pending	6	Upstream-Status: Pending
7	Signed-off-by: Ross Burton <ross.burton@intel.com>	7	Signed-off-by: Ross Burton <ross.burton@intel.com>
8		8
		9	Refreshed for 1.0.2i
		10	Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
		11
9	--- openssl-1.0.2g/crypto/Makefile	12	--- openssl-1.0.2g/crypto/Makefile
10	+++ openssl-1.0.2g/crypto/Makefile	13	+++ openssl-1.0.2g/crypto/Makefile
11	@@ -85,11 +85,11 @@	14	@@ -85,11 +85,11 @@
@@ -133,7 +136,7 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
133	fi; \	136	fi; \
134	--- openssl-1.0.2g/test/Makefile	137	--- openssl-1.0.2g/test/Makefile
135	+++ openssl-1.0.2g/test/Makefile	138	+++ openssl-1.0.2g/test/Makefile
136	@@ -139,7 +139,7 @@	139	@@ -144,7 +144,7 @@
137	tags:	140	tags:
138	ctags $(SRC)	141	ctags $(SRC)
139		142
@@ -142,7 +145,7 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
142		145
143	apps:	146	apps:
144	@(cd ..; $(MAKE) DIRS=apps all)	147	@(cd ..; $(MAKE) DIRS=apps all)
145	@@ -421,130 +421,130 @@	148	@@ -438,136 +438,136 @@
146	link_app.$${shlib_target}	149	link_app.$${shlib_target}
147		150
148	$(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)	151	$(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
@@ -309,13 +312,21 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
309	- @target=$(CLIENTHELLOTEST) $(BUILD_CMD)	312	- @target=$(CLIENTHELLOTEST) $(BUILD_CMD)
310	+ +@target=$(CLIENTHELLOTEST) $(BUILD_CMD)	313	+ +@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
311		314
		315	$(BADDTLSTEST)$(EXE_EXT): $(BADDTLSTEST).o
		316	- @target=$(BADDTLSTEST) $(BUILD_CMD)
		317	+ +@target=$(BADDTLSTEST) $(BUILD_CMD)
		318
312	$(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o	319	$(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
313	- @target=$(SSLV2CONFTEST) $(BUILD_CMD)	320	- @target=$(SSLV2CONFTEST) $(BUILD_CMD)
314	+ +@target=$(SSLV2CONFTEST) $(BUILD_CMD)	321	+ +@target=$(SSLV2CONFTEST) $(BUILD_CMD)
315		322
		323	$(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO)
		324	- @target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
		325	+ +@target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
		326
316	#$(AESTEST).o: $(AESTEST).c	327	#$(AESTEST).o: $(AESTEST).c
317	# $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c	328	# $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
318	@@ -557,7 +557,7 @@	329	@@ -580,6 +580,6 @@
319	# fi	330	# fi
320		331
321	dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)	332	dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2i.bb index c8444d39b9..c32f47296c 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2i.bb
@@ -39,12 +39,11 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
39	file://ptest_makefile_deps.patch \	39	file://ptest_makefile_deps.patch \
40	file://configure-musl-target.patch \	40	file://configure-musl-target.patch \
41	file://parallel.patch \	41	file://parallel.patch \
42	file://CVE-2016-2177.patch \
43	file://CVE-2016-2178.patch \
44	file://openssl-util-perlpath.pl-cwd.patch \	42	file://openssl-util-perlpath.pl-cwd.patch \
		43	file://Fix-typo-introduced-by-a03f81f4.patch \
45	"	44	"
46	SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"	45	SRC_URI[md5sum] = "678374e63f8df456a697d3e5e5a931fb"
47	SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"	46	SRC_URI[sha256sum] = "9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f"
48		47
49	PACKAGES =+ "${PN}-engines"	48	PACKAGES =+ "${PN}-engines"
50	FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"	49	FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"