diff options
author | Saul Wold <sgw@linux.intel.com> | 2014-10-20 14:16:23 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-23 21:43:11 +0100 |
commit | e93f9a838260100ece7cac36f01e42e321e6414b (patch) | |
tree | ebda072a37a097b22b65b6fc573b7e7a0669cf50 /meta/recipes-connectivity | |
parent | df4a397df9213eb2f419120fc2c32d51d0bf6a05 (diff) | |
download | poky-e93f9a838260100ece7cac36f01e42e321e6414b.tar.gz |
openssl: Upgrade to 1.0.1j
This address the latest set of CVE issues
(From OE-Core rev: 461e598815f8749bb26e97369e3b877f7ce749cf)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
12 files changed, 145 insertions, 688 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc index ee02fb796e..9ec884f332 100644 --- a/meta/recipes-connectivity/openssl/openssl.inc +++ b/meta/recipes-connectivity/openssl/openssl.inc | |||
@@ -9,6 +9,7 @@ LICENSE = "openssl" | |||
9 | LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8" | 9 | LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8" |
10 | 10 | ||
11 | DEPENDS = "perl-native-runtime" | 11 | DEPENDS = "perl-native-runtime" |
12 | DEPENDS_append_class-target = " openssl-native" | ||
12 | 13 | ||
13 | SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ | 14 | SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ |
14 | " | 15 | " |
@@ -30,14 +31,14 @@ export DIRS = "crypto ssl apps" | |||
30 | export EX_LIBS = "-lgcc -ldl" | 31 | export EX_LIBS = "-lgcc -ldl" |
31 | export AS = "${CC} -c" | 32 | export AS = "${CC} -c" |
32 | 33 | ||
33 | inherit pkgconfig siteinfo multilib_header | 34 | inherit pkgconfig siteinfo multilib_header ptest |
34 | 35 | ||
35 | PACKAGES =+ "libcrypto libssl ${PN}-misc openssl-conf" | 36 | PACKAGES =+ "libcrypto libssl ${PN}-misc openssl-conf" |
36 | FILES_libcrypto = "${base_libdir}/libcrypto${SOLIBS}" | 37 | FILES_libcrypto = "${base_libdir}/libcrypto${SOLIBS}" |
37 | FILES_libssl = "${libdir}/libssl.so.*" | 38 | FILES_libssl = "${libdir}/libssl.so.*" |
38 | FILES_${PN} =+ " ${libdir}/ssl/*" | 39 | FILES_${PN} =+ " ${libdir}/ssl/*" |
39 | FILES_${PN}-misc = "${libdir}/ssl/misc ${bindir}/c_rehash" | 40 | FILES_${PN}-misc = "${libdir}/ssl/misc ${bindir}/c_rehash" |
40 | RDEPENDS_${PN}-misc = "${@base_contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" | 41 | RDEPENDS_${PN}-misc = "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" |
41 | FILES_${PN}-dev += "${base_libdir}/libcrypto${SOLIBSDEV}" | 42 | FILES_${PN}-dev += "${base_libdir}/libcrypto${SOLIBSDEV}" |
42 | 43 | ||
43 | # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto | 44 | # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto |
@@ -47,6 +48,7 @@ FILES_${PN}-dev += "${base_libdir}/libcrypto${SOLIBSDEV}" | |||
47 | FILES_openssl-conf = "${libdir}/ssl/openssl.cnf" | 48 | FILES_openssl-conf = "${libdir}/ssl/openssl.cnf" |
48 | CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf" | 49 | CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf" |
49 | RRECOMMENDS_libcrypto += "openssl-conf" | 50 | RRECOMMENDS_libcrypto += "openssl-conf" |
51 | RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc" | ||
50 | 52 | ||
51 | do_configure_prepend_darwin () { | 53 | do_configure_prepend_darwin () { |
52 | sed -i -e '/version-script=openssl\.ld/d' Configure | 54 | sed -i -e '/version-script=openssl\.ld/d' Configure |
@@ -59,17 +61,18 @@ do_configure () { | |||
59 | ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/ | 61 | ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/ |
60 | 62 | ||
61 | os=${HOST_OS} | 63 | os=${HOST_OS} |
62 | if [ "x$os" = "xlinux-uclibc" ]; then | 64 | case $os in |
65 | linux-uclibc |\ | ||
66 | linux-uclibceabi |\ | ||
67 | linux-gnueabi |\ | ||
68 | linux-uclibcspe |\ | ||
69 | linux-gnuspe |\ | ||
70 | linux-musl*) | ||
63 | os=linux | 71 | os=linux |
64 | elif [ "x$os" = "xlinux-uclibceabi" ]; then | 72 | ;; |
65 | os=linux | 73 | *) |
66 | elif [ "x$os" = "xlinux-uclibcspe" ]; then | 74 | ;; |
67 | os=linux | 75 | esac |
68 | elif [ "x$os" = "xlinux-gnuspe" ]; then | ||
69 | os=linux | ||
70 | elif [ "x$os" = "xlinux-gnueabi" ]; then | ||
71 | os=linux | ||
72 | fi | ||
73 | target="$os-${HOST_ARCH}" | 76 | target="$os-${HOST_ARCH}" |
74 | case $target in | 77 | case $target in |
75 | linux-arm) | 78 | linux-arm) |
@@ -136,10 +139,18 @@ do_configure () { | |||
136 | perl ./Configure ${EXTRA_OECONF} shared --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename ${libdir}` $target | 139 | perl ./Configure ${EXTRA_OECONF} shared --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename ${libdir}` $target |
137 | } | 140 | } |
138 | 141 | ||
142 | do_compile_prepend_class-target () { | ||
143 | sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile | ||
144 | } | ||
145 | |||
139 | do_compile () { | 146 | do_compile () { |
140 | oe_runmake | 147 | oe_runmake |
141 | } | 148 | } |
142 | 149 | ||
150 | do_compile_ptest () { | ||
151 | oe_runmake buildtest | ||
152 | } | ||
153 | |||
143 | do_install () { | 154 | do_install () { |
144 | oe_runmake INSTALL_PREFIX="${D}" MANDIR="${mandir}" install | 155 | oe_runmake INSTALL_PREFIX="${D}" MANDIR="${mandir}" install |
145 | 156 | ||
@@ -157,7 +168,7 @@ do_install () { | |||
157 | cp --dereference -R include/openssl ${D}${includedir} | 168 | cp --dereference -R include/openssl ${D}${includedir} |
158 | 169 | ||
159 | oe_multilib_header openssl/opensslconf.h | 170 | oe_multilib_header openssl/opensslconf.h |
160 | if [ "${@base_contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then | 171 | if [ "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then |
161 | install -m 0755 ${S}/tools/c_rehash ${D}${bindir} | 172 | install -m 0755 ${S}/tools/c_rehash ${D}${bindir} |
162 | sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${bindir}/c_rehash | 173 | sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${bindir}/c_rehash |
163 | sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl | 174 | sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl |
@@ -169,5 +180,18 @@ do_install () { | |||
169 | fi | 180 | fi |
170 | } | 181 | } |
171 | 182 | ||
183 | do_install_ptest () { | ||
184 | cp -r Makefile test ${D}${PTEST_PATH} | ||
185 | cp -r certs ${D}${PTEST_PATH} | ||
186 | mkdir -p ${D}${PTEST_PATH}/apps | ||
187 | ln -sf /usr/lib/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps | ||
188 | ln -sf /usr/lib/ssl/openssl.cnf ${D}${PTEST_PATH}/apps | ||
189 | ln -sf /usr/bin/openssl ${D}${PTEST_PATH}/apps | ||
190 | cp apps/server2.pem ${D}${PTEST_PATH}/apps | ||
191 | mkdir -p ${D}${PTEST_PATH}/util | ||
192 | install util/opensslwrap.sh ${D}${PTEST_PATH}/util | ||
193 | install util/shlib_wrap.sh ${D}${PTEST_PATH}/util | ||
194 | } | ||
195 | |||
172 | BBCLASSEXTEND = "native nativesdk" | 196 | BBCLASSEXTEND = "native nativesdk" |
173 | 197 | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch b/meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch new file mode 100644 index 0000000000..ac53a9142b --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch | |||
@@ -0,0 +1,75 @@ | |||
1 | Add 'buildtest' and 'runtest' targets to Makefile, to build and run tests | ||
2 | cross-compiled. | ||
3 | |||
4 | Signed-off-by: Anders Roxell <anders.roxell@enea.com> | ||
5 | Signed-off-by: Maxin B. John <maxin.john@enea.com> | ||
6 | Upstream-Status: Pending | ||
7 | --- | ||
8 | diff -uNr a/Makefile b/Makefile | ||
9 | --- a/Makefile.org 2012-05-10 17:06:02.000000000 +0200 | ||
10 | +++ b/Makefile.org 2012-10-27 00:05:55.359424024 +0200 | ||
11 | @@ -411,8 +411,16 @@ | ||
12 | test: tests | ||
13 | |||
14 | tests: rehash | ||
15 | + $(MAKE) buildtest | ||
16 | + $(MAKE) runtest | ||
17 | + | ||
18 | +buildtest: | ||
19 | + @(cd test && \ | ||
20 | + $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf exe apps); | ||
21 | + | ||
22 | +runtest: | ||
23 | @(cd test && echo "testing..." && \ | ||
24 | - $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests ); | ||
25 | + $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf alltests ); | ||
26 | OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a | ||
27 | |||
28 | report: | ||
29 | diff --git a/test/Makefile b/test/Makefile | ||
30 | index 3912f82..1696767 100644 | ||
31 | --- a/test/Makefile | ||
32 | +++ b/test/Makefile | ||
33 | @@ -128,7 +128,7 @@ tests: exe apps $(TESTS) | ||
34 | apps: | ||
35 | @(cd ..; $(MAKE) DIRS=apps all) | ||
36 | |||
37 | -alltests: \ | ||
38 | +all-tests= \ | ||
39 | test_des test_idea test_sha test_md4 test_md5 test_hmac \ | ||
40 | test_md2 test_mdc2 test_wp \ | ||
41 | test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_aes \ | ||
42 | @@ -138,6 +138,11 @@ alltests: \ | ||
43 | test_ss test_ca test_engine test_evp test_ssl test_tsa test_ige \ | ||
44 | test_jpake test_cms | ||
45 | |||
46 | +alltests: | ||
47 | + @(for i in $(all-tests); do \ | ||
48 | + ( $(MAKE) $$i && echo "PASS: $$i" ) || echo "FAIL: $$i"; \ | ||
49 | + done) | ||
50 | + | ||
51 | test_evp: | ||
52 | ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt | ||
53 | |||
54 | @@ -203,7 +208,7 @@ test_x509: | ||
55 | echo test second x509v3 certificate | ||
56 | sh ./tx509 v3-cert2.pem 2>/dev/null | ||
57 | |||
58 | -test_rsa: $(RSATEST)$(EXE_EXT) | ||
59 | +test_rsa: | ||
60 | @sh ./trsa 2>/dev/null | ||
61 | ../util/shlib_wrap.sh ./$(RSATEST) | ||
62 | |||
63 | @@ -298,11 +303,11 @@ test_tsa: | ||
64 | sh ./testtsa; \ | ||
65 | fi | ||
66 | |||
67 | -test_ige: $(IGETEST)$(EXE_EXT) | ||
68 | +test_ige: | ||
69 | @echo "Test IGE mode" | ||
70 | ../util/shlib_wrap.sh ./$(IGETEST) | ||
71 | |||
72 | -test_jpake: $(JPAKETEST)$(EXE_EXT) | ||
73 | +test_jpake: | ||
74 | @echo "Test JPAKE" | ||
75 | ../util/shlib_wrap.sh ./$(JPAKETEST) | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch b/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch index 2185ff8a46..770097db78 100644 --- a/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch +++ b/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch | |||
@@ -4,6 +4,7 @@ Subject: Initial aarch64 bits. | |||
4 | X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=039081b80977e2a5de84e1f88f8b4d025b559956 | 4 | X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=039081b80977e2a5de84e1f88f8b4d025b559956 |
5 | 5 | ||
6 | Initial aarch64 bits. | 6 | Initial aarch64 bits. |
7 | Upstream-Status: backport (will be included in 1.0.2) | ||
7 | --- | 8 | --- |
8 | crypto/bn/bn_lcl.h | 9 +++++++++ | 9 | crypto/bn/bn_lcl.h | 9 +++++++++ |
9 | crypto/md32_common.h | 18 ++++++++++++++++++ | 10 | crypto/md32_common.h | 18 ++++++++++++++++++ |
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch deleted file mode 100644 index 0c43919427..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch +++ /dev/null | |||
@@ -1,40 +0,0 @@ | |||
1 | commit 208d54db20d58c9a5e45e856a0650caadd7d9612 | ||
2 | Author: Dr. Stephen Henson <steve@openssl.org> | ||
3 | Date: Tue May 13 18:48:31 2014 +0100 | ||
4 | |||
5 | Fix for CVE-2014-0195 | ||
6 | |||
7 | A buffer overrun attack can be triggered by sending invalid DTLS fragments | ||
8 | to an OpenSSL DTLS client or server. This is potentially exploitable to | ||
9 | run arbitrary code on a vulnerable client or server. | ||
10 | |||
11 | Fixed by adding consistency check for DTLS fragments. | ||
12 | |||
13 | Thanks to Jüri Aedla for reporting this issue. | ||
14 | |||
15 | Patch borrowed from Fedora | ||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
18 | |||
19 | diff --git a/ssl/d1_both.c b/ssl/d1_both.c | ||
20 | index 2e8cf68..07f67f8 100644 | ||
21 | --- a/ssl/d1_both.c | ||
22 | +++ b/ssl/d1_both.c | ||
23 | @@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) | ||
24 | frag->msg_header.frag_off = 0; | ||
25 | } | ||
26 | else | ||
27 | + { | ||
28 | frag = (hm_fragment*) item->data; | ||
29 | + if (frag->msg_header.msg_len != msg_hdr->msg_len) | ||
30 | + { | ||
31 | + item = NULL; | ||
32 | + frag = NULL; | ||
33 | + goto err; | ||
34 | + } | ||
35 | + } | ||
36 | + | ||
37 | |||
38 | /* If message is already reassembled, this must be a | ||
39 | * retransmit and can be dropped. | ||
40 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0198.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0198.patch deleted file mode 100644 index 12dcfb7f3a..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0198.patch +++ /dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | From: Matt Caswell <matt@openssl.org> | ||
2 | Date: Sun, 11 May 2014 23:38:37 +0000 (+0100) | ||
3 | Subject: Fixed NULL pointer dereference. See PR#3321 | ||
4 | X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=b107586 | ||
5 | |||
6 | Fixed NULL pointer dereference. See PR#3321 | ||
7 | |||
8 | Patch borrowed from Fedora | ||
9 | Upstream-Status: Backport | ||
10 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
11 | |||
12 | --- | ||
13 | |||
14 | diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c | ||
15 | index 40eb0dd..d961d12 100644 | ||
16 | --- a/ssl/s3_pkt.c | ||
17 | +++ b/ssl/s3_pkt.c | ||
18 | @@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, | ||
19 | SSL3_BUFFER *wb=&(s->s3->wbuf); | ||
20 | SSL_SESSION *sess; | ||
21 | |||
22 | - if (wb->buf == NULL) | ||
23 | - if (!ssl3_setup_write_buffer(s)) | ||
24 | - return -1; | ||
25 | |||
26 | /* first check if there is a SSL3_BUFFER still being written | ||
27 | * out. This will happen with non blocking IO */ | ||
28 | @@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, | ||
29 | /* if it went, fall through and send more stuff */ | ||
30 | } | ||
31 | |||
32 | + if (wb->buf == NULL) | ||
33 | + if (!ssl3_setup_write_buffer(s)) | ||
34 | + return -1; | ||
35 | + | ||
36 | if (len == 0 && !create_empty_fragment) | ||
37 | return 0; | ||
38 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0221.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0221.patch deleted file mode 100644 index bf730a8124..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0221.patch +++ /dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | commit d30e582446b027868cdabd0994681643682045a4 | ||
2 | Author: Dr. Stephen Henson <steve@openssl.org> | ||
3 | Date: Fri May 16 13:00:45 2014 +0100 | ||
4 | |||
5 | Fix CVE-2014-0221 | ||
6 | |||
7 | Unnecessary recursion when receiving a DTLS hello request can be used to | ||
8 | crash a DTLS client. Fixed by handling DTLS hello request without recursion. | ||
9 | |||
10 | Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. | ||
11 | |||
12 | Patch borrowed from Fedora | ||
13 | Upstream-Status: Backport | ||
14 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
15 | |||
16 | diff --git a/ssl/d1_both.c b/ssl/d1_both.c | ||
17 | index 07f67f8..4c2fd03 100644 | ||
18 | --- a/ssl/d1_both.c | ||
19 | +++ b/ssl/d1_both.c | ||
20 | @@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) | ||
21 | int i,al; | ||
22 | struct hm_header_st msg_hdr; | ||
23 | |||
24 | + redo: | ||
25 | /* see if we have the required fragment already */ | ||
26 | if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) | ||
27 | { | ||
28 | @@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) | ||
29 | s->msg_callback_arg); | ||
30 | |||
31 | s->init_num = 0; | ||
32 | - return dtls1_get_message_fragment(s, st1, stn, | ||
33 | - max, ok); | ||
34 | + goto redo; | ||
35 | } | ||
36 | else /* Incorrectly formated Hello request */ | ||
37 | { | ||
38 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0224.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0224.patch deleted file mode 100644 index 0ed1d12551..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0224.patch +++ /dev/null | |||
@@ -1,103 +0,0 @@ | |||
1 | Fix for CVE-2014-0224 | ||
2 | |||
3 | Only accept change cipher spec when it is expected instead of at any | ||
4 | time. This prevents premature setting of session keys before the master | ||
5 | secret is determined which an attacker could use as a MITM attack. | ||
6 | |||
7 | Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue | ||
8 | and providing the initial fix this patch is based on. | ||
9 | |||
10 | |||
11 | Patch borrowed from Fedora | ||
12 | Upstream-Status: Backport | ||
13 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
14 | |||
15 | |||
16 | diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h | ||
17 | --- openssl-1.0.1e/ssl/ssl3.h.keying-mitm 2014-06-02 19:48:04.518100562 +0200 | ||
18 | +++ openssl-1.0.1e/ssl/ssl3.h 2014-06-02 19:48:04.642103429 +0200 | ||
19 | @@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st | ||
20 | #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 | ||
21 | #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 | ||
22 | #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 | ||
23 | +#define SSL3_FLAGS_CCS_OK 0x0080 | ||
24 | |||
25 | /* SSL3_FLAGS_SGC_RESTART_DONE is set when we | ||
26 | * restart a handshake because of MS SGC and so prevents us | ||
27 | diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c | ||
28 | --- openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm 2013-02-11 16:26:04.000000000 +0100 | ||
29 | +++ openssl-1.0.1e/ssl/s3_clnt.c 2014-06-02 19:49:57.042701985 +0200 | ||
30 | @@ -559,6 +559,7 @@ int ssl3_connect(SSL *s) | ||
31 | case SSL3_ST_CR_FINISHED_A: | ||
32 | case SSL3_ST_CR_FINISHED_B: | ||
33 | |||
34 | + s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
35 | ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, | ||
36 | SSL3_ST_CR_FINISHED_B); | ||
37 | if (ret <= 0) goto end; | ||
38 | @@ -916,6 +917,7 @@ int ssl3_get_server_hello(SSL *s) | ||
39 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); | ||
40 | goto f_err; | ||
41 | } | ||
42 | + s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
43 | s->hit=1; | ||
44 | } | ||
45 | else /* a miss or crap from the other end */ | ||
46 | diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c | ||
47 | --- openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm 2014-06-02 19:48:04.640103383 +0200 | ||
48 | +++ openssl-1.0.1e/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200 | ||
49 | @@ -1298,6 +1298,15 @@ start: | ||
50 | goto f_err; | ||
51 | } | ||
52 | |||
53 | + if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) | ||
54 | + { | ||
55 | + al=SSL_AD_UNEXPECTED_MESSAGE; | ||
56 | + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); | ||
57 | + goto f_err; | ||
58 | + } | ||
59 | + | ||
60 | + s->s3->flags &= ~SSL3_FLAGS_CCS_OK; | ||
61 | + | ||
62 | rr->length=0; | ||
63 | |||
64 | if (s->msg_callback) | ||
65 | @@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s) | ||
66 | |||
67 | if (s->s3->tmp.key_block == NULL) | ||
68 | { | ||
69 | - if (s->session == NULL) | ||
70 | + if (s->session == NULL || s->session->master_key_length == 0) | ||
71 | { | ||
72 | /* might happen if dtls1_read_bytes() calls this */ | ||
73 | SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY); | ||
74 | diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c | ||
75 | --- openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm 2014-06-02 19:48:04.630103151 +0200 | ||
76 | +++ openssl-1.0.1e/ssl/s3_srvr.c 2014-06-02 19:48:04.643103452 +0200 | ||
77 | @@ -673,6 +673,7 @@ int ssl3_accept(SSL *s) | ||
78 | case SSL3_ST_SR_CERT_VRFY_A: | ||
79 | case SSL3_ST_SR_CERT_VRFY_B: | ||
80 | |||
81 | + s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
82 | /* we should decide if we expected this one */ | ||
83 | ret=ssl3_get_cert_verify(s); | ||
84 | if (ret <= 0) goto end; | ||
85 | @@ -700,6 +701,7 @@ int ssl3_accept(SSL *s) | ||
86 | |||
87 | case SSL3_ST_SR_FINISHED_A: | ||
88 | case SSL3_ST_SR_FINISHED_B: | ||
89 | + s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
90 | ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, | ||
91 | SSL3_ST_SR_FINISHED_B); | ||
92 | if (ret <= 0) goto end; | ||
93 | @@ -770,7 +772,10 @@ int ssl3_accept(SSL *s) | ||
94 | s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; | ||
95 | #else | ||
96 | if (s->s3->next_proto_neg_seen) | ||
97 | + { | ||
98 | + s->s3->flags |= SSL3_FLAGS_CCS_OK; | ||
99 | s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; | ||
100 | + } | ||
101 | else | ||
102 | s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; | ||
103 | #endif | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-3470.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-3470.patch deleted file mode 100644 index 025727f587..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-3470.patch +++ /dev/null | |||
@@ -1,31 +0,0 @@ | |||
1 | commit 4ad43d511f6cf064c66eb4bfd0fb0919b5dd8a86 | ||
2 | Author: Dr. Stephen Henson <steve@openssl.org> | ||
3 | Date: Thu May 29 15:00:05 2014 +0100 | ||
4 | |||
5 | Fix CVE-2014-3470 | ||
6 | |||
7 | Check session_cert is not NULL before dereferencing it. | ||
8 | |||
9 | Patch borrowed from Fedora | ||
10 | Upstream-Status: Backport | ||
11 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
12 | |||
13 | |||
14 | diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c | ||
15 | index d35376d..4324f8d 100644 | ||
16 | --- a/ssl/s3_clnt.c | ||
17 | +++ b/ssl/s3_clnt.c | ||
18 | @@ -2511,6 +2511,13 @@ int ssl3_send_client_key_exchange(SSL *s) | ||
19 | int ecdh_clnt_cert = 0; | ||
20 | int field_size = 0; | ||
21 | |||
22 | + if (s->session->sess_cert == NULL) | ||
23 | + { | ||
24 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); | ||
25 | + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); | ||
26 | + goto err; | ||
27 | + } | ||
28 | + | ||
29 | /* Did we send out the client's | ||
30 | * ECDH share for use in premaster | ||
31 | * computation as part of client certificate? | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch b/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch deleted file mode 100644 index 417a774ba2..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch +++ /dev/null | |||
@@ -1,24 +0,0 @@ | |||
1 | openssl fix for CVE-2010-5298 | ||
2 | |||
3 | Upstream-Status: Backport | ||
4 | |||
5 | Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL | ||
6 | through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote | ||
7 | attackers to inject data across sessions or cause a denial of service | ||
8 | (use-after-free and parsing error) via an SSL connection in a | ||
9 | multithreaded environment. | ||
10 | |||
11 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298 | ||
12 | |||
13 | Signed-off-by: Yue Tao <Yue.Tao@windriver.com> | ||
14 | --- a/ssl/s3_pkt.c | ||
15 | +++ b/ssl/s3_pkt.c | ||
16 | @@ -1013,7 +1013,7 @@ start: | ||
17 | { | ||
18 | s->rstate=SSL_ST_READ_HEADER; | ||
19 | rr->off=0; | ||
20 | - if (s->mode & SSL_MODE_RELEASE_BUFFERS) | ||
21 | + if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) | ||
22 | ssl3_release_read_buffer(s); | ||
23 | } | ||
24 | } | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch b/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch deleted file mode 100644 index 451256eaa5..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch +++ /dev/null | |||
@@ -1,401 +0,0 @@ | |||
1 | Fix documentation build errors with Perl 5.18 pod2man | ||
2 | |||
3 | This fixes errors building man pages with newer versions of pod2man | ||
4 | included with Perl 5.18. | ||
5 | |||
6 | Upstream-Status: Submitted | ||
7 | Signed-off-by: Jonathan Liu | ||
8 | |||
9 | Index: openssl-1.0.1f/doc/apps/cms.pod | ||
10 | =================================================================== | ||
11 | --- openssl-1.0.1f.orig/doc/apps/cms.pod 2014-01-06 15:47:42.000000000 +0200 | ||
12 | +++ openssl-1.0.1f/doc/apps/cms.pod 2014-02-28 10:13:51.899979213 +0200 | ||
13 | @@ -450,28 +450,28 @@ | ||
14 | |||
15 | =over 4 | ||
16 | |||
17 | -=item 0 | ||
18 | +=item Z<>0 | ||
19 | |||
20 | the operation was completely successfully. | ||
21 | |||
22 | -=item 1 | ||
23 | +=item Z<>1 | ||
24 | |||
25 | an error occurred parsing the command options. | ||
26 | |||
27 | -=item 2 | ||
28 | +=item Z<>2 | ||
29 | |||
30 | one of the input files could not be read. | ||
31 | |||
32 | -=item 3 | ||
33 | +=item Z<>3 | ||
34 | |||
35 | an error occurred creating the CMS file or when reading the MIME | ||
36 | message. | ||
37 | |||
38 | -=item 4 | ||
39 | +=item Z<>4 | ||
40 | |||
41 | an error occurred decrypting or verifying the message. | ||
42 | |||
43 | -=item 5 | ||
44 | +=item Z<>5 | ||
45 | |||
46 | the message was verified correctly but an error occurred writing out | ||
47 | the signers certificates. | ||
48 | Index: openssl-1.0.1f/doc/apps/smime.pod | ||
49 | =================================================================== | ||
50 | --- openssl-1.0.1f.orig/doc/apps/smime.pod 2014-01-06 15:47:42.000000000 +0200 | ||
51 | +++ openssl-1.0.1f/doc/apps/smime.pod 2014-02-28 10:16:57.795979233 +0200 | ||
52 | @@ -308,28 +308,28 @@ | ||
53 | |||
54 | =over 4 | ||
55 | |||
56 | -=item 0 | ||
57 | +=item Z<>0 | ||
58 | |||
59 | the operation was completely successfully. | ||
60 | |||
61 | -=item 1 | ||
62 | +=item Z<>1 | ||
63 | |||
64 | an error occurred parsing the command options. | ||
65 | |||
66 | -=item 2 | ||
67 | +=item Z<>2 | ||
68 | |||
69 | one of the input files could not be read. | ||
70 | |||
71 | -=item 3 | ||
72 | +=item Z<>3 | ||
73 | |||
74 | an error occurred creating the PKCS#7 file or when reading the MIME | ||
75 | message. | ||
76 | |||
77 | -=item 4 | ||
78 | +=item Z<>4 | ||
79 | |||
80 | an error occurred decrypting or verifying the message. | ||
81 | |||
82 | -=item 5 | ||
83 | +=item Z<>5 | ||
84 | |||
85 | the message was verified correctly but an error occurred writing out | ||
86 | the signers certificates. | ||
87 | Index: openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod | ||
88 | =================================================================== | ||
89 | --- openssl-1.0.1f.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2014-01-06 15:47:42.000000000 +0200 | ||
90 | +++ openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod 2014-02-28 10:18:09.679979225 +0200 | ||
91 | @@ -53,11 +53,11 @@ | ||
92 | |||
93 | =over 4 | ||
94 | |||
95 | -=item 0 | ||
96 | +=item Z<>0 | ||
97 | |||
98 | The operation succeeded. | ||
99 | |||
100 | -=item 1 | ||
101 | +=item Z<>1 | ||
102 | |||
103 | The operation failed. Check the error queue to find out the reason. | ||
104 | |||
105 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod | ||
106 | =================================================================== | ||
107 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_add_session.pod 2014-01-06 15:47:42.000000000 +0200 | ||
108 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod 2014-02-28 10:18:42.687979221 +0200 | ||
109 | @@ -52,13 +52,13 @@ | ||
110 | |||
111 | =over 4 | ||
112 | |||
113 | -=item 0 | ||
114 | +=item Z<>0 | ||
115 | |||
116 | The operation failed. In case of the add operation, it was tried to add | ||
117 | the same (identical) session twice. In case of the remove operation, the | ||
118 | session was not found in the cache. | ||
119 | |||
120 | -=item 1 | ||
121 | +=item Z<>1 | ||
122 | |||
123 | The operation succeeded. | ||
124 | |||
125 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod | ||
126 | =================================================================== | ||
127 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-01-06 15:47:42.000000000 +0200 | ||
128 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-02-28 10:19:09.079979218 +0200 | ||
129 | @@ -100,13 +100,13 @@ | ||
130 | |||
131 | =over 4 | ||
132 | |||
133 | -=item 0 | ||
134 | +=item Z<>0 | ||
135 | |||
136 | The operation failed because B<CAfile> and B<CApath> are NULL or the | ||
137 | processing at one of the locations specified failed. Check the error | ||
138 | stack to find out the reason. | ||
139 | |||
140 | -=item 1 | ||
141 | +=item Z<>1 | ||
142 | |||
143 | The operation succeeded. | ||
144 | |||
145 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod | ||
146 | =================================================================== | ||
147 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-01-06 15:47:42.000000000 +0200 | ||
148 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-02-28 10:19:42.999979220 +0200 | ||
149 | @@ -66,13 +66,13 @@ | ||
150 | |||
151 | =over 4 | ||
152 | |||
153 | -=item 0 | ||
154 | +=item Z<>0 | ||
155 | |||
156 | A failure while manipulating the STACK_OF(X509_NAME) object occurred or | ||
157 | the X509_NAME could not be extracted from B<cacert>. Check the error stack | ||
158 | to find out the reason. | ||
159 | |||
160 | -=item 1 | ||
161 | +=item Z<>1 | ||
162 | |||
163 | The operation succeeded. | ||
164 | |||
165 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod | ||
166 | =================================================================== | ||
167 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-01-06 15:47:42.000000000 +0200 | ||
168 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-02-28 10:20:06.495979211 +0200 | ||
169 | @@ -64,13 +64,13 @@ | ||
170 | |||
171 | =over 4 | ||
172 | |||
173 | -=item 0 | ||
174 | +=item Z<>0 | ||
175 | |||
176 | The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded | ||
177 | the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error | ||
178 | is logged to the error stack. | ||
179 | |||
180 | -=item 1 | ||
181 | +=item Z<>1 | ||
182 | |||
183 | The operation succeeded. | ||
184 | |||
185 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod | ||
186 | =================================================================== | ||
187 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-01-06 15:47:42.000000000 +0200 | ||
188 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-02-28 10:20:32.111979208 +0200 | ||
189 | @@ -42,11 +42,11 @@ | ||
190 | |||
191 | =over 4 | ||
192 | |||
193 | -=item 0 | ||
194 | +=item Z<>0 | ||
195 | |||
196 | The new choice failed, check the error stack to find out the reason. | ||
197 | |||
198 | -=item 1 | ||
199 | +=item Z<>1 | ||
200 | |||
201 | The operation succeeded. | ||
202 | |||
203 | Index: openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod | ||
204 | =================================================================== | ||
205 | --- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-01-06 15:47:42.000000000 +0200 | ||
206 | +++ openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-02-28 10:21:12.351979203 +0200 | ||
207 | @@ -96,7 +96,7 @@ | ||
208 | connection will fail with decryption_error before it will be finished | ||
209 | completely. | ||
210 | |||
211 | -=item 0 | ||
212 | +=item Z<>0 | ||
213 | |||
214 | PSK identity was not found. An "unknown_psk_identity" alert message | ||
215 | will be sent and the connection setup fails. | ||
216 | Index: openssl-1.0.1f/doc/ssl/SSL_accept.pod | ||
217 | =================================================================== | ||
218 | --- openssl-1.0.1f.orig/doc/ssl/SSL_accept.pod 2014-01-06 15:47:42.000000000 +0200 | ||
219 | +++ openssl-1.0.1f/doc/ssl/SSL_accept.pod 2014-02-28 10:21:51.535979215 +0200 | ||
220 | @@ -44,13 +44,13 @@ | ||
221 | |||
222 | =over 4 | ||
223 | |||
224 | -=item 0 | ||
225 | +=item Z<>0 | ||
226 | |||
227 | The TLS/SSL handshake was not successful but was shut down controlled and | ||
228 | by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the | ||
229 | return value B<ret> to find out the reason. | ||
230 | |||
231 | -=item 1 | ||
232 | +=item Z<>1 | ||
233 | |||
234 | The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been | ||
235 | established. | ||
236 | Index: openssl-1.0.1f/doc/ssl/SSL_clear.pod | ||
237 | =================================================================== | ||
238 | --- openssl-1.0.1f.orig/doc/ssl/SSL_clear.pod 2014-01-06 15:47:42.000000000 +0200 | ||
239 | +++ openssl-1.0.1f/doc/ssl/SSL_clear.pod 2014-02-28 10:22:13.087979196 +0200 | ||
240 | @@ -56,12 +56,12 @@ | ||
241 | |||
242 | =over 4 | ||
243 | |||
244 | -=item 0 | ||
245 | +=item Z<>0 | ||
246 | |||
247 | The SSL_clear() operation could not be performed. Check the error stack to | ||
248 | find out the reason. | ||
249 | |||
250 | -=item 1 | ||
251 | +=item Z<>1 | ||
252 | |||
253 | The SSL_clear() operation was successful. | ||
254 | |||
255 | Index: openssl-1.0.1f/doc/ssl/SSL_connect.pod | ||
256 | =================================================================== | ||
257 | --- openssl-1.0.1f.orig/doc/ssl/SSL_connect.pod 2014-01-06 15:47:42.000000000 +0200 | ||
258 | +++ openssl-1.0.1f/doc/ssl/SSL_connect.pod 2014-02-28 10:22:33.991979193 +0200 | ||
259 | @@ -41,13 +41,13 @@ | ||
260 | |||
261 | =over 4 | ||
262 | |||
263 | -=item 0 | ||
264 | +=item Z<>0 | ||
265 | |||
266 | The TLS/SSL handshake was not successful but was shut down controlled and | ||
267 | by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the | ||
268 | return value B<ret> to find out the reason. | ||
269 | |||
270 | -=item 1 | ||
271 | +=item Z<>1 | ||
272 | |||
273 | The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been | ||
274 | established. | ||
275 | Index: openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod | ||
276 | =================================================================== | ||
277 | --- openssl-1.0.1f.orig/doc/ssl/SSL_do_handshake.pod 2014-01-06 15:47:42.000000000 +0200 | ||
278 | +++ openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod 2014-02-28 10:22:56.887979159 +0200 | ||
279 | @@ -45,13 +45,13 @@ | ||
280 | |||
281 | =over 4 | ||
282 | |||
283 | -=item 0 | ||
284 | +=item Z<>0 | ||
285 | |||
286 | The TLS/SSL handshake was not successful but was shut down controlled and | ||
287 | by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the | ||
288 | return value B<ret> to find out the reason. | ||
289 | |||
290 | -=item 1 | ||
291 | +=item Z<>1 | ||
292 | |||
293 | The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been | ||
294 | established. | ||
295 | Index: openssl-1.0.1f/doc/ssl/SSL_read.pod | ||
296 | =================================================================== | ||
297 | --- openssl-1.0.1f.orig/doc/ssl/SSL_read.pod 2014-01-06 15:47:42.000000000 +0200 | ||
298 | +++ openssl-1.0.1f/doc/ssl/SSL_read.pod 2014-02-28 10:23:15.303979188 +0200 | ||
299 | @@ -86,7 +86,7 @@ | ||
300 | The read operation was successful; the return value is the number of | ||
301 | bytes actually read from the TLS/SSL connection. | ||
302 | |||
303 | -=item 0 | ||
304 | +=item Z<>0 | ||
305 | |||
306 | The read operation was not successful. The reason may either be a clean | ||
307 | shutdown due to a "close notify" alert sent by the peer (in which case | ||
308 | Index: openssl-1.0.1f/doc/ssl/SSL_session_reused.pod | ||
309 | =================================================================== | ||
310 | --- openssl-1.0.1f.orig/doc/ssl/SSL_session_reused.pod 2014-01-06 15:47:42.000000000 +0200 | ||
311 | +++ openssl-1.0.1f/doc/ssl/SSL_session_reused.pod 2014-02-28 10:23:36.615979186 +0200 | ||
312 | @@ -27,11 +27,11 @@ | ||
313 | |||
314 | =over 4 | ||
315 | |||
316 | -=item 0 | ||
317 | +=item Z<>0 | ||
318 | |||
319 | A new session was negotiated. | ||
320 | |||
321 | -=item 1 | ||
322 | +=item Z<>1 | ||
323 | |||
324 | A session was reused. | ||
325 | |||
326 | Index: openssl-1.0.1f/doc/ssl/SSL_set_fd.pod | ||
327 | =================================================================== | ||
328 | --- openssl-1.0.1f.orig/doc/ssl/SSL_set_fd.pod 2014-01-06 15:47:42.000000000 +0200 | ||
329 | +++ openssl-1.0.1f/doc/ssl/SSL_set_fd.pod 2014-02-28 10:23:57.599979183 +0200 | ||
330 | @@ -35,11 +35,11 @@ | ||
331 | |||
332 | =over 4 | ||
333 | |||
334 | -=item 0 | ||
335 | +=item Z<>0 | ||
336 | |||
337 | The operation failed. Check the error stack to find out why. | ||
338 | |||
339 | -=item 1 | ||
340 | +=item Z<>1 | ||
341 | |||
342 | The operation succeeded. | ||
343 | |||
344 | Index: openssl-1.0.1f/doc/ssl/SSL_set_session.pod | ||
345 | =================================================================== | ||
346 | --- openssl-1.0.1f.orig/doc/ssl/SSL_set_session.pod 2014-01-06 15:47:42.000000000 +0200 | ||
347 | +++ openssl-1.0.1f/doc/ssl/SSL_set_session.pod 2014-02-28 10:24:16.943979181 +0200 | ||
348 | @@ -37,11 +37,11 @@ | ||
349 | |||
350 | =over 4 | ||
351 | |||
352 | -=item 0 | ||
353 | +=item Z<>0 | ||
354 | |||
355 | The operation failed; check the error stack to find out the reason. | ||
356 | |||
357 | -=item 1 | ||
358 | +=item Z<>1 | ||
359 | |||
360 | The operation succeeded. | ||
361 | |||
362 | Index: openssl-1.0.1f/doc/ssl/SSL_shutdown.pod | ||
363 | =================================================================== | ||
364 | --- openssl-1.0.1f.orig/doc/ssl/SSL_shutdown.pod 2014-01-06 15:47:42.000000000 +0200 | ||
365 | +++ openssl-1.0.1f/doc/ssl/SSL_shutdown.pod 2014-02-28 10:25:03.623979175 +0200 | ||
366 | @@ -92,19 +92,19 @@ | ||
367 | |||
368 | =over 4 | ||
369 | |||
370 | -=item 0 | ||
371 | +=item Z<>0 | ||
372 | |||
373 | The shutdown is not yet finished. Call SSL_shutdown() for a second time, | ||
374 | if a bidirectional shutdown shall be performed. | ||
375 | The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an | ||
376 | erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. | ||
377 | |||
378 | -=item 1 | ||
379 | +=item Z<>1 | ||
380 | |||
381 | The shutdown was successfully completed. The "close notify" alert was sent | ||
382 | and the peer's "close notify" alert was received. | ||
383 | |||
384 | -=item -1 | ||
385 | +=item Z<>-1 | ||
386 | |||
387 | The shutdown was not successful because a fatal error occurred either | ||
388 | at the protocol level or a connection failure occurred. It can also occur if | ||
389 | Index: openssl-1.0.1f/doc/ssl/SSL_write.pod | ||
390 | =================================================================== | ||
391 | --- openssl-1.0.1f.orig/doc/ssl/SSL_write.pod 2014-01-06 15:47:42.000000000 +0200 | ||
392 | +++ openssl-1.0.1f/doc/ssl/SSL_write.pod 2014-02-28 10:25:36.031979168 +0200 | ||
393 | @@ -79,7 +79,7 @@ | ||
394 | The write operation was successful, the return value is the number of | ||
395 | bytes actually written to the TLS/SSL connection. | ||
396 | |||
397 | -=item 0 | ||
398 | +=item Z<>0 | ||
399 | |||
400 | The write operation was not successful. Probably the underlying connection | ||
401 | was closed. Call SSL_get_error() with the return value B<ret> to find out, | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/ptest-deps.patch b/meta/recipes-connectivity/openssl/openssl/ptest-deps.patch new file mode 100644 index 0000000000..527e10c53b --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/ptest-deps.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | Remove Makefile dependencies for test targets | ||
2 | |||
3 | These are probably here because the executables aren't always built for | ||
4 | other platforms (e.g. Windows); however we can safely assume they'll | ||
5 | always be there. None of the other test targets have such dependencies | ||
6 | and if we don't remove them, make tries to rebuild the executables and | ||
7 | fails during run-ptest. | ||
8 | |||
9 | Upstream-Status: Inappropriate [config] | ||
10 | |||
11 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
12 | |||
13 | diff --git a/test/Makefile b/test/Makefile | ||
14 | index e6fcfb4..5ae043b 100644 | ||
15 | --- a/test/Makefile | ||
16 | +++ b/test/Makefile | ||
17 | @@ -322,11 +322,11 @@ test_cms: | ||
18 | @echo "CMS consistency test" | ||
19 | $(PERL) cms-test.pl | ||
20 | |||
21 | -test_srp: $(SRPTEST)$(EXE_EXT) | ||
22 | +test_srp: | ||
23 | @echo "Test SRP" | ||
24 | ../util/shlib_wrap.sh ./srptest | ||
25 | |||
26 | -test_heartbeat: $(HEARTBEATTEST)$(EXE_EXT) | ||
27 | +test_heartbeat: | ||
28 | ../util/shlib_wrap.sh ./$(HEARTBEATTEST) | ||
29 | |||
30 | lint: | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/run-ptest b/meta/recipes-connectivity/openssl/openssl/run-ptest new file mode 100755 index 0000000000..3b20fce1ee --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/run-ptest | |||
@@ -0,0 +1,2 @@ | |||
1 | #!/bin/sh | ||
2 | make -k runtest | ||