openssl: Upgrade to 1.0.2

Rebased numerous patches removed aarch64 initial work since it's part of upstream now Imported a few additional patches from Debian to support the version-script and blacklist additional bad certificates. (From OE-Core rev: 10b689033551c37d6cafa284d82bdccd43f6113e) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Saul Wold <sgw@linux.intel.com> 2015-03-04 09:46:48 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-03-10 10:47:46 +0000
commit: f5e4349011bd00aa47d142022dcdd1d1706a9655 (patch)
tree: 31b2c535de004b08968cfdb57ce085ca3b70eb83 /meta/recipes-connectivity/openssl/openssl/debian1.0.2
parent: 7c504b44ef593f97f5311d0d27f667e85a2eddbb (diff)
download: poky-f5e4349011bd00aa47d142022dcdd1d1706a9655.tar.gz
3 files changed, 127 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch
new file mode 100644
index 0000000000..c43bcd1c77
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch
@@ -0,0 +1,29 @@
+From: Raphael Geissert <geissert@debian.org>
+Description: make X509_verify_cert indicate that any certificate whose
+ name contains "Digicert Sdn. Bhd." (from Malaysia) is revoked.
+Forwarded: not-needed
+Origin: vendor
+Last-Update: 2011-11-05
+Upstream-Status: Backport [debian]
+Index: openssl-1.0.2~beta1/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-1.0.2~beta1.orig/crypto/x509/x509_vfy.c     2014-02-25 00:16:12.488028844 +0100
+++ openssl-1.0.2~beta1/crypto/x509/x509_vfy.c  2014-02-25 00:16:12.484028929 +0100
+@@ -964,10 +964,11 @@
+        for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
+                {
+                x = sk_X509_value(ctx->chain, i);
+-               /* Mark DigiNotar certificates as revoked, no matter
+-                * where in the chain they are.
+               /* Mark certificates containing the following names as
+                * revoked, no matter where in the chain they are.
+                 */
+-               if (x->name && strstr(x->name, "DigiNotar"))
+               if (x->name && (strstr(x->name, "DigiNotar") ||
+                       strstr(x->name, "Digicert Sdn. Bhd.")))
+                        {
+                        ctx->error = X509_V_ERR_CERT_REVOKED;
+                        ctx->error_depth = i;
diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
new file mode 100644
index 0000000000..0c1a0b651f
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
@@ -0,0 +1,67 @@
+From: Raphael Geissert <geissert@debian.org>
+Description: make X509_verify_cert indicate that any certificate whose
+ name contains "DigiNotar" is revoked.
+Forwarded: not-needed
+Origin: vendor
+Last-Update: 2011-09-08
+Bug: http://bugs.debian.org/639744
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+Reviewed-by: Dr Stephen N Henson <shenson@drh-consultancy.co.uk>
+This is not meant as final patch.  
+ 
+Upstream-Status: Backport [debian]
+Index: openssl-1.0.2/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-1.0.2.orig/crypto/x509/x509_vfy.c
+++ openssl-1.0.2/crypto/x509/x509_vfy.c
+@@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c
+ static int check_revocation(X509_STORE_CTX *ctx);
+ static int check_cert(X509_STORE_CTX *ctx);
+ static int check_policy(X509_STORE_CTX *ctx);
+static int check_ca_blacklist(X509_STORE_CTX *ctx);
+ 
+ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
+                          unsigned int *preasons, X509_CRL *crl, X509 *x);
+@@ -438,6 +439,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
+     if (!ok)
+         goto end;
+ 
+       ok = check_ca_blacklist(ctx);
+       if(!ok) goto end;
+
+ #ifndef OPENSSL_NO_RFC3779
+     /* RFC 3779 path validation, now that CRL check has been done */
+     ok = v3_asid_validate_path(ctx);
+@@ -938,6 +942,29 @@ static int check_crl_time(X509_STORE_CTX
+     return 1;
+ }
+ 
+static int check_ca_blacklist(X509_STORE_CTX *ctx)
+       {
+       X509 *x;
+       int i;
+       /* Check all certificates against the blacklist */
+       for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
+               {
+               x = sk_X509_value(ctx->chain, i);
+               /* Mark DigiNotar certificates as revoked, no matter
+                * where in the chain they are.
+                */
+               if (x->name && strstr(x->name, "DigiNotar"))
+                       {
+                       ctx->error = X509_V_ERR_CERT_REVOKED;
+                       ctx->error_depth = i;
+                       ctx->current_cert = x;
+                       if (!ctx->verify_cb(0,ctx))
+                               return 0;
+                       }
+               }
+       return 1;
+       }
+
+ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
+                       X509 **pissuer, int *pscore, unsigned int *preasons,
+                       STACK_OF(X509_CRL) *crls)
diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch
new file mode 100644
index 0000000000..61dcf457fe
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch
@@ -0,0 +1,31 @@
+ 
+Upstream-Status: Backport [debian]
+--- openssl/apps/openssl.cnf.orig       2012-06-06 00:45:56.000000000 +0200
+++ openssl/apps/openssl.cnf    2012-06-06 00:46:46.000000000 +0200
+@@ -19,6 +19,8 @@
+ # (Alternatively, use a configuration file that has only
+ # X.509v3 extensions in its main [= default] section.)
+ 
+openssl_conf = openssl_def
+
+ [ new_oids ]
+ 
+ # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+@@ -348,3 +350,16 @@
+                                # (optional, default: no)
+ ess_cert_id_chain      = no    # Must the ESS cert id chain be included?
+                                # (optional, default: no)
+
+[openssl_def]
+engines = engine_section
+
+[engine_section]
+padlock = padlock_section
+
+[padlock_section]
+soft_load=1
+init=1
+default_algorithms = ALL
+dynamic_path=padlock
+
author	Saul Wold <sgw@linux.intel.com>	2015-03-04 09:46:48 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-03-10 10:47:46 +0000
commit	f5e4349011bd00aa47d142022dcdd1d1706a9655 (patch)
tree	31b2c535de004b08968cfdb57ce085ca3b70eb83 /meta/recipes-connectivity/openssl/openssl/debian1.0.2
parent	7c504b44ef593f97f5311d0d27f667e85a2eddbb (diff)
download	poky-f5e4349011bd00aa47d142022dcdd1d1706a9655.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch new file mode 100644 index 0000000000..c43bcd1c77 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch
@@ -0,0 +1,29 @@
	1	From: Raphael Geissert <geissert@debian.org>
	2	Description: make X509_verify_cert indicate that any certificate whose
	3	name contains "Digicert Sdn. Bhd." (from Malaysia) is revoked.
	4	Forwarded: not-needed
	5	Origin: vendor
	6	Last-Update: 2011-11-05
	7
	8	Upstream-Status: Backport [debian]
	9
	10
	11	Index: openssl-1.0.2~beta1/crypto/x509/x509_vfy.c
	12	===================================================================
	13	--- openssl-1.0.2~beta1.orig/crypto/x509/x509_vfy.c 2014-02-25 00:16:12.488028844 +0100
	14	+++ openssl-1.0.2~beta1/crypto/x509/x509_vfy.c 2014-02-25 00:16:12.484028929 +0100
	15	@@ -964,10 +964,11 @@
	16	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
	17	{
	18	x = sk_X509_value(ctx->chain, i);
	19	- /* Mark DigiNotar certificates as revoked, no matter
	20	- * where in the chain they are.
	21	+ /* Mark certificates containing the following names as
	22	+ * revoked, no matter where in the chain they are.
	23	*/
	24	- if (x->name && strstr(x->name, "DigiNotar"))
	25	+ if (x->name && (strstr(x->name, "DigiNotar") \|\|
	26	+ strstr(x->name, "Digicert Sdn. Bhd.")))
	27	{
	28	ctx->error = X509_V_ERR_CERT_REVOKED;
	29	ctx->error_depth = i;


diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch new file mode 100644 index 0000000000..0c1a0b651f --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
@@ -0,0 +1,67 @@
	1	From: Raphael Geissert <geissert@debian.org>
	2	Description: make X509_verify_cert indicate that any certificate whose
	3	name contains "DigiNotar" is revoked.
	4	Forwarded: not-needed
	5	Origin: vendor
	6	Last-Update: 2011-09-08
	7	Bug: http://bugs.debian.org/639744
	8	Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
	9	Reviewed-by: Dr Stephen N Henson <shenson@drh-consultancy.co.uk>
	10
	11	This is not meant as final patch.
	12
	13	Upstream-Status: Backport [debian]
	14
	15
	16	Index: openssl-1.0.2/crypto/x509/x509_vfy.c
	17	===================================================================
	18	--- openssl-1.0.2.orig/crypto/x509/x509_vfy.c
	19	+++ openssl-1.0.2/crypto/x509/x509_vfy.c
	20	@@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c
	21	static int check_revocation(X509_STORE_CTX *ctx);
	22	static int check_cert(X509_STORE_CTX *ctx);
	23	static int check_policy(X509_STORE_CTX *ctx);
	24	+static int check_ca_blacklist(X509_STORE_CTX *ctx);
	25
	26	static int get_crl_score(X509_STORE_CTX ctx, X509 *pissuer,
	27	unsigned int preasons, X509_CRL crl, X509 *x);
	28	@@ -438,6 +439,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
	29	if (!ok)
	30	goto end;
	31
	32	+ ok = check_ca_blacklist(ctx);
	33	+ if(!ok) goto end;
	34	+
	35	#ifndef OPENSSL_NO_RFC3779
	36	/* RFC 3779 path validation, now that CRL check has been done */
	37	ok = v3_asid_validate_path(ctx);
	38	@@ -938,6 +942,29 @@ static int check_crl_time(X509_STORE_CTX
	39	return 1;
	40	}
	41
	42	+static int check_ca_blacklist(X509_STORE_CTX *ctx)
	43	+ {
	44	+ X509 *x;
	45	+ int i;
	46	+ /* Check all certificates against the blacklist */
	47	+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
	48	+ {
	49	+ x = sk_X509_value(ctx->chain, i);
	50	+ /* Mark DigiNotar certificates as revoked, no matter
	51	+ * where in the chain they are.
	52	+ */
	53	+ if (x->name && strstr(x->name, "DigiNotar"))
	54	+ {
	55	+ ctx->error = X509_V_ERR_CERT_REVOKED;
	56	+ ctx->error_depth = i;
	57	+ ctx->current_cert = x;
	58	+ if (!ctx->verify_cb(0,ctx))
	59	+ return 0;
	60	+ }
	61	+ }
	62	+ return 1;
	63	+ }
	64	+
	65	static int get_crl_sk(X509_STORE_CTX ctx, X509_CRL pcrl, X509_CRL *pdcrl,
	66	X509 *pissuer, int pscore, unsigned int *preasons,
	67	STACK_OF(X509_CRL) *crls)


diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch new file mode 100644 index 0000000000..61dcf457fe --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch
@@ -0,0 +1,31 @@
	1
	2	Upstream-Status: Backport [debian]
	3
	4	--- openssl/apps/openssl.cnf.orig 2012-06-06 00:45:56.000000000 +0200
	5	+++ openssl/apps/openssl.cnf 2012-06-06 00:46:46.000000000 +0200
	6	@@ -19,6 +19,8 @@
	7	# (Alternatively, use a configuration file that has only
	8	# X.509v3 extensions in its main [= default] section.)
	9
	10	+openssl_conf = openssl_def
	11	+
	12	[ new_oids ]
	13
	14	# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
	15	@@ -348,3 +350,16 @@
	16	# (optional, default: no)
	17	ess_cert_id_chain = no # Must the ESS cert id chain be included?
	18	# (optional, default: no)
	19	+
	20	+[openssl_def]
	21	+engines = engine_section
	22	+
	23	+[engine_section]
	24	+padlock = padlock_section
	25	+
	26	+[padlock_section]
	27	+soft_load=1
	28	+init=1
	29	+default_algorithms = ALL
	30	+dynamic_path=padlock
	31	+