openssl: 1.0.2d -> 1.0.2h (mainly for CVEs)

* CVEs:
  - CVE-2016-0705
  - CVE-2016-0798
  - CVE-2016-0797
  - CVE-2016-0799
  - CVE-2016-0702
  - CVE-2016-0703
  - CVE-2016-0704
  - CVE-2016-2105
  - CVE-2016-2106
  - CVE-2016-2109
  - CVE-2016-2176

* The LICENSE's checksum is changed because of date changes (2011 ->
  2016), the contents are the same.

* Remove backport patches
  - 0001-Add-test-for-CVE-2015-3194.patch
  - CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
  - CVE-2015-3194-1-Add-PSS-parameter-check.patch
  - CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
  - CVE-2015-3197.patch
  - CVE-2016-0701_1.patch
  - CVE-2016-0701_2.patch
  - CVE-2016-0800.patch
  - CVE-2016-0800_2.patch
  - CVE-2016-0800_3.patch

* Update crypto_use_bigint_in_x86-64_perl.patch

* Add version-script.patch and update block_diginotar.patch (From master branch)

* Update openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
  (From Armin)

(From OE-Core master rev: bca156013af0a98cb18d8156626b9acc8f9883e3)

(From OE-Core rev: 6ed7c8a9f82bc173ae0cc8b494af5a2c838f08fc)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 9 insertions, 8 deletions

diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
index 0c1a0b651f..d81e22cd8d 100644
--- a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
+++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
@@ -9,14 +9,15 @@ Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
 Reviewed-by: Dr Stephen N Henson <shenson@drh-consultancy.co.uk>
 
 This is not meant as final patch.  
- 
+
 Upstream-Status: Backport [debian]
 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
 
-Index: openssl-1.0.2/crypto/x509/x509_vfy.c
+Index: openssl-1.0.2g/crypto/x509/x509_vfy.c
 ===================================================================
---- openssl-1.0.2.orig/crypto/x509/x509_vfy.c
-+++ openssl-1.0.2/crypto/x509/x509_vfy.c
+--- openssl-1.0.2g.orig/crypto/x509/x509_vfy.c
++++ openssl-1.0.2g/crypto/x509/x509_vfy.c
 @@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c
  static int check_revocation(X509_STORE_CTX *ctx);
  static int check_cert(X509_STORE_CTX *ctx);
@@ -25,17 +26,17 @@ Index: openssl-1.0.2/crypto/x509/x509_vfy.c
  
  static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
                           unsigned int *preasons, X509_CRL *crl, X509 *x);
-@@ -438,6 +439,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
+@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
      if (!ok)
-         goto end;
+         goto err;
  
 +       ok = check_ca_blacklist(ctx);
-+       if(!ok) goto end;
++       if(!ok) goto err;
 +
  #ifndef OPENSSL_NO_RFC3779
      /* RFC 3779 path validation, now that CRL check has been done */
      ok = v3_asid_validate_path(ctx);
-@@ -938,6 +942,29 @@ static int check_crl_time(X509_STORE_CTX
+@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX
      return 1;
  }