author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-03-16 10:54:31 +0100 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-03-21 11:29:21 +0100 |
commit | 7e14191bb3bf457907727f3125e5cbc846d39b9f (patch) | |
tree | 9770da8380271fe318845b69262590263ee0ebe9 /meta/recipes-connectivity/openssl | |
parent | dfde5b94e82264ea16a189252d615d67366e3d98 (diff) | |
openssl: upgrade to 1.0.2k
Following vulnerabilities have been solved between 1.0.2h and
1.0.2k releases:
Vulnerabilities detected in 1.0.2h and fixed in 1.0.2i
======================================================
Ref: https://www.openssl.org/news/secadv/20160922.txt
CVE-2016-6304 (High): OCSP Status Request extension unbounded memory growth
CVE-2016-2183 (Low): SWEET32 Mitigation
CVE-2016-6303 (Low): OOB write in MDC2_Update()
CVE-2016-6302 (Low): Malformed SHA512 ticket DoS
CVE-2016-2182 (Low): OOB write in BN_bn2dec()
CVE-2016-2180 (Low): OOB read in TS_OBJ_print_bio()
CVE-2016-2177 (Low): Pointer arithmetic undefined behaviour
CVE-2016-2178 (Low): Constant time flag not preserved in DSA signing
CVE-2016-2179 (Low): DTLS buffered message DoS
CVE-2016-2181 (Low): DTLS replay protection DoS
CVE-2016-6306 (Low): Certificate message OOB reads
Vulnerabilities detected in 1.0.2i and fixed in 1.0.2j
======================================================
https://www.openssl.org/news/secadv/20160926.txt
CVE-2016-7052 (Moderate): This issue only affects OpenSSL 1.0.2i
1.0.2j - 1.0.2k
Vulnerabilities detected in 1.0.2j and fixed in 1.0.2k
======================================================
CVE-2017-3731 (Moderate): For Openssl 1.0.2, the crash can be triggered when using
RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k
CVE-2017-3732 (Moderate): BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055 (Low): Montgomery multiplication may produce incorrect results
References:
https://www.openssl.org/news/secadv/20160922.txt
https://www.openssl.org/news/secadv/20160926.txt
https://www.openssl.org/news/secadv/20170126.txt
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'meta/recipes-connectivity/openssl')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch | 69 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/debian/ca.patch | 2 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh | 222 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch | 35 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/parallel.patch | 17 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.2k.bb (renamed from meta/recipes-connectivity/openssl/openssl_1.0.2h.bb) | 20 |
6 files changed, 347 insertions, 18 deletions
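--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch
@@ -0,0 +1,69 @@
+From d795f5f20a29adecf92c09459a3ee07ffac01a99 Mon Sep 17 00:00:00 2001
+From: Rich Salz <rsalz@akamai.com>
+Date: Sat, 13 Jun 2015 17:03:39 -0400
+Subject: [PATCH] Use SHA256 not MD5 as default digest.
+
+Commit f8547f62c212837dbf44fb7e2755e5774a59a57b upstream.
+
+Upstream-Status: Backport
+Backport from OpenSSL 2.0 to OpenSSL 1.0.2
+Commit f8547f62c212837dbf44fb7e2755e5774a59a57b
+
+CVE: CVE-2004-2761
+
+The MD5 Message-Digest Algorithm is not collision resistant,
+which makes it easier for context-dependent attackers to
+conduct spoofing attacks, as demonstrated by attacks on the
+use of MD5 in the signature algorithm of an X.509 certificate.
+
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com>
+---
+apps/ca.c | 2 +-
+apps/dgst.c | 2 +-
+apps/enc.c | 2 +-
+3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/apps/ca.c b/apps/ca.c
+index 3b7336c..8f3a84b 100644
+--- a/apps/ca.c
++++ b/apps/ca.c
+@@ -1612,7 +1612,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+} else
+BIO_printf(bio_err, "Signature ok\n");
+
+- if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
++ if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL)
+goto err;
+
+ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
+diff --git a/apps/dgst.c b/apps/dgst.c
+index 95e5fa3..0d1529f 100644
+--- a/apps/dgst.c
++++ b/apps/dgst.c
+@@ -442,7 +442,7 @@ int MAIN(int argc, char **argv)
+goto end;
+}
+if (md == NULL)
+- md = EVP_md5();
++ md = EVP_sha256();
+if (!EVP_DigestInit_ex(mctx, md, impl)) {
+BIO_printf(bio_err, "Error setting digest %s\n", pname);
+ERR_print_errors(bio_err);
+diff --git a/apps/enc.c b/apps/enc.c
+index 7b7c70b..a7d944c 100644
+--- a/apps/enc.c
++++ b/apps/enc.c
+@@ -344,7 +344,7 @@ int MAIN(int argc, char **argv)
+}
+
+if (dgst == NULL) {
+- dgst = EVP_md5();
++ dgst = EVP_sha256();
+}
+
+if (bufsize != NULL) {
+--
+1.9.1
+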
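Review bot: The apps/enc.c change to `dgst = EVP_sha256();` alters a default that, as far as I know, also feeds the passphrase-to-key derivation in `openssl enc`, so data encrypted by images built with the MD5 default will probably fail to decrypt after this upgrade unless `-md md5` is passed explicitly. The patch header describes only the X.509 signature risk and does not mention this; I would add a line to the header such as `Note: changes the default -md of 'openssl enc'; pass -md md5 to read data encrypted with the old default.` so integrators see it. The apps/ca.c hunk now passes NULL as the digest to X509_to_X509_REQ(); that looks safe only because the key argument is also NULL, which is worth confirming against the 1.0.2k source.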
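--- a/meta/recipes-connectivity/openssl/openssl/debian/ca.patch
+++ b/meta/recipes-connectivity/openssl/openssl/debian/ca.patch
@@ -7,7 +7,7 @@ Index: openssl-0.9.8m/apps/CA.pl.in
 @@ -65,6 +65,7 @@
 foreach (@ARGV) {
 if ( /^(-\?|-h|-help)$/ ) {
-print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
 + print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
 exit 0;
 } elsif (/^-newcert$/) {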
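--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
@@ -0,0 +1,222 @@
+#!/bin/sh
+#
+# Ben Secrest <blsecres@gmail.com>
+#
+# sh c_rehash script, scan all files in a directory
+# and add symbolic links to their hash values.
+#
+# based on the c_rehash perl script distributed with openssl
+#
+# LICENSE: See OpenSSL license
+# ^^acceptable?^^
+#
+
+# default certificate location
+DIR=/etc/openssl
+
+# for filetype bitfield
+IS_CERT=$(( 1 << 0 ))
+IS_CRL=$(( 1 << 1 ))
+
+
+# check to see if a file is a certificate file or a CRL file
+# arguments:
+# 1. the filename to be scanned
+# returns:
+# bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
+#
+check_file()
+{
+local IS_TYPE=0
+
+# make IFS a newline so we can process grep output line by line
+local OLDIFS=${IFS}
+IFS=$( printf "\n" )
+
+# XXX: could be more efficient to have two 'grep -m' but is -m portable?
+for LINE in $( grep '^-----BEGIN .*-----' ${1} )
+do
+if echo ${LINE} \
+| grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
+then
+IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))
+
+if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
+then
+break
+fi
+elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
+then
+IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))
+
+if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
+then
+break
+fi
+fi
+done
+
+# restore IFS
+IFS=${OLDIFS}
+
+return ${IS_TYPE}
+}
+
+
+#
+# use openssl to fingerprint a file
+# arguments:
+# 1. the filename to fingerprint
+# 2. the method to use (x509, crl)
+# returns:
+# none
+# assumptions:
+# user will capture output from last stage of pipeline
+#
+fingerprint()
+{
+${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
+}
+
+
+#
+# link_hash - create links to certificate files
+# arguments:
+# 1. the filename to create a link for
+# 2. the type of certificate being linked (x509, crl)
+# returns:
+# 0 on success, 1 otherwise
+#
+link_hash()
+{
+local FINGERPRINT=$( fingerprint ${1} ${2} )
+local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
+local SUFFIX=0
+local LINKFILE=''
+local TAG=''
+
+if [ ${2} = "crl" ]
+then
+TAG='r'
+fi
+
+LINKFILE=${HASH}.${TAG}${SUFFIX}
+
+while [ -f ${LINKFILE} ]
+do
+if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
+then
+echo "NOTE: Skipping duplicate file ${1}" >&2
+return 1
+fi
+
+SUFFIX=$(( ${SUFFIX} + 1 ))
+LINKFILE=${HASH}.${TAG}${SUFFIX}
+done
+
+echo "${3} => ${LINKFILE}"
+
+# assume any system with a POSIX shell will either support symlinks or
+# do something to handle this gracefully
+ln -s ${3} ${LINKFILE}
+
+return 0
+}
+
+
+# hash_dir create hash links in a given directory
+hash_dir()
+{
+echo "Doing ${1}"
+
+cd ${1}
+
+ls -1 * 2>/dev/null | while read FILE
+do
+if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
+&& [ -h "${FILE}" ]
+then
+rm ${FILE}
+fi
+done
+
+ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE
+do
+REAL_FILE=${FILE}
+# if we run on build host then get to the real files in rootfs
+if [ -n "${SYSROOT}" -a -h ${FILE} ]
+then
+FILE=$( readlink ${FILE} )
+# check the symlink is absolute (or dangling in other word)
+if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ]
+then
+REAL_FILE=${SYSROOT}/${FILE}
+fi
+fi
+
+check_file ${REAL_FILE}
+local FILE_TYPE=${?}
+local TYPE_STR=''
+
+if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
+then
+TYPE_STR='x509'
+elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
+then
+TYPE_STR='crl'
+else
+echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2
+continue
+fi
+
+link_hash ${REAL_FILE} ${TYPE_STR} ${FILE}
+done
+}
+
+
+# choose the name of an ssl application
+if [ -n "${OPENSSL}" ]
+then
+SSL_CMD=$(which ${OPENSSL} 2>/dev/null)
+else
+SSL_CMD=/usr/bin/openssl
+OPENSSL=${SSL_CMD}
+export OPENSSL
+fi
+
+# fix paths
+PATH=${PATH}:${DIR}/bin
+export PATH
+
+# confirm existance/executability of ssl command
+if ! [ -x ${SSL_CMD} ]
+then
+echo "${0}: rehashing skipped ('openssl' program not available)" >&2
+exit 0
+fi
+
+# determine which directories to process
+old_IFS=$IFS
+if [ ${#} -gt 0 ]
+then
+IFS=':'
+DIRLIST=${*}
+elif [ -n "${SSL_CERT_DIR}" ]
+then
+DIRLIST=$SSL_CERT_DIR
+else
+DIRLIST=${DIR}/certs
+fi
+
+IFS=':'
+
+# process directories
+for CERT_DIR in ${DIRLIST}
+do
+if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
+then
+IFS=$old_IFS
+hash_dir ${CERT_DIR}
+IFS=':'
+fi
+done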
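Review bot: File and directory names are expanded unquoted throughout this script, so a name in the certificate directory that contains whitespace, a glob character or a leading `-` is split or read as an option by `rm`, `ln` and `openssl`; the clearest cases are `rm ${FILE}` in hash_dir and `ln -s ${3} ${LINKFILE}` in link_hash. I would quote every expansion and end option parsing, e.g. `rm -- "${FILE}"` and `ln -s -- "${3}" "${LINKFILE}"`. hash_dir also runs `cd ${1}` without checking the result, so if the cd fails the cleanup loop removes matching symlinks from whatever directory the caller was in; `cd "${1}" || return 1` closes that. Separately, `IFS=$( printf "\n" )` in check_file yields an empty IFS because command substitution strips the trailing newline, which is not what the comment above it says.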
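--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch
@@ -0,0 +1,35 @@
+From e427748f3bb5d37e78dc8d70a558c373aa8ababb Mon Sep 17 00:00:00 2001
+From: Robert Yang <liezhi.yang@windriver.com>
+Date: Mon, 19 Sep 2016 22:06:28 -0700
+Subject: [PATCH] util/perlpath.pl: make it work when cwd is not in @INC
+
+Fixed when building on Debian-testing:
+| Can't locate find.pl in @INC (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.2 /usr/local/share/perl/5.22.2 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at perlpath.pl line 7.
+
+The find.pl is added by oe-core, so once openssl/find.pl is removed,
+then this patch can be dropped.
+
+Upstream-Status: Inappropriate [OE-Specific]
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+util/perlpath.pl | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/util/perlpath.pl b/util/perlpath.pl
+index a1f236b..5599892 100755
+--- a/util/perlpath.pl
++++ b/util/perlpath.pl
+@@ -4,6 +4,8 @@
+# line in all scripts that rely on perl.
+#
+
++BEGIN { unshift @INC, "."; }
++
+require "find.pl";
+
+$#ARGV == 0 || print STDERR "usage: perlpath newpath (eg /usr/bin)\n";
+--
+2.9.0
+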
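Review bot: `BEGIN { unshift @INC, "."; }` puts the current directory ahead of every system path for all module lookups in perlpath.pl, not just for find.pl, so any same-named file in the directory the build runs from would be loaded in preference to the installed module; newer Perl releases dropped `.` from the default @INC to avoid this kind of lookup. Since the header says find.pl is shipped by oe-core, a narrower form would be `require "./find.pl";`, or `push @INC, ".";` so that system paths still win. Both assume perlpath.pl is invoked from the directory that holds find.pl, and the invocation is not visible in this patch.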
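--- a/meta/recipes-connectivity/openssl/openssl/parallel.patch
+++ b/meta/recipes-connectivity/openssl/openssl/parallel.patch
@@ -6,6 +6,9 @@ https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1
 Upstream-Status: Pending
 Signed-off-by: Ross Burton <ross.burton@intel.com>
 
+Refreshed for 1.0.2i
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
 --- openssl-1.0.2g/crypto/Makefile
 +++ openssl-1.0.2g/crypto/Makefile
 @@ -85,11 +85,11 @@
@@ -133,7 +136,7 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
 fi; \
 --- openssl-1.0.2g/test/Makefile
 +++ openssl-1.0.2g/test/Makefile
-@@ -139,7 +139,7 @@
+@@ -144,7 +144,7 @@
 tags:
 ctags $(SRC)
 
@@ -142,7 +145,7 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
 
 apps:
 @(cd ..; $(MAKE) DIRS=apps all)
-@@ -421,130 +421,130 @@
+@@ -438,136 +438,136 @@
 link_app.$${shlib_target}
 
 $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
@@ -309,13 +312,21 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
 - @target=$(CLIENTHELLOTEST) $(BUILD_CMD)
 + +@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
 
+$(BADDTLSTEST)$(EXE_EXT): $(BADDTLSTEST).o
+- @target=$(BADDTLSTEST) $(BUILD_CMD)
++ +@target=$(BADDTLSTEST) $(BUILD_CMD)
+
 $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
 - @target=$(SSLV2CONFTEST) $(BUILD_CMD)
 + +@target=$(SSLV2CONFTEST) $(BUILD_CMD)
 
+$(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO)
+- @target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
++ +@target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
+
 #$(AESTEST).o: $(AESTEST).c
 # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -557,7 +557,7 @@
+@@ -580,6 +580,6 @@
 # fi
 
 dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)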
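--- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
@@ -5,6 +5,7 @@ require openssl.inc
 DEPENDS += "cryptodev-linux"
 
 CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
+CFLAG_append_class-native = " -fPIC"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"
 
@@ -13,6 +14,7 @@ export OE_LDFLAGS="${LDFLAGS}"
 
 SRC_URI += "file://find.pl;subdir=${BP}/util/ \
 file://run-ptest \
+file://openssl-c_rehash.sh \
 file://configure-targets.patch \
 file://shared-libs.patch \
 file://oe-ldflags.patch \
@@ -38,21 +40,11 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
 file://ptest_makefile_deps.patch \
 file://configure-musl-target.patch \
 file://parallel.patch \
-file://CVE-2016-2178.patch \
-file://CVE-2016-2179.patch \
-file://CVE-2016-2180.patch \
-file://CVE-2016-2181_p1.patch \
-file://CVE-2016-2181_p2.patch \
-file://CVE-2016-2181_p3.patch \
-file://CVE-2016-2182.patch \
-file://CVE-2016-6302.patch \
-file://CVE-2016-6303.patch \
-file://CVE-2016-6304.patch \
-file://CVE-2016-6306.patch \
-file://CVE-2016-8610.patch \
+file://openssl-util-perlpath.pl-cwd.patch \
+file://Use-SHA256-not-MD5-as-default-digest.patch \
 "
-SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
-SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"
+SRC_URI[md5sum] = "f965fc0bf01bf882b31314b61391ae65"
+SRC_URI[sha256sum] = "6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0"
 
 PACKAGES =+ "${PN}-engines"
 FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"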
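Review bot: The last hunk drops `file://CVE-2016-8610.patch`, but CVE-2016-8610 does not appear in the commit description's list of issues fixed between 1.0.2h and 1.0.2k, so nothing on this page justifies removing that backport. Please confirm the fix is contained in the 1.0.2k tarball and add the CVE to the commit message so CVE tracking for the layer does not lose it. The second hunk adds `file://openssl-c_rehash.sh` to SRC_URI; where it gets installed is presumably handled in openssl.inc, which is not part of this diff.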