initial commit for Enea Linux 4.0

Migrated from the internal git server on the daisy-enea branch Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Adrian Dudau <adrian.dudau@enea.com> 2014-06-26 14:36:22 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2014-06-26 15:32:53 +0200
commit: f4cf9fe05bb3f32fabea4e54dd92d368967a80da (patch)
tree: 487180fa9866985ea7b28e625651765d86f515c3 /meta/recipes-support/gnupg/gnupg-1.4.7
download: poky-f4cf9fe05bb3f32fabea4e54dd92d368967a80da.tar.gz
7 files changed, 373 insertions, 0 deletions
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
new file mode 100644
index 0000000000..b29ede4233
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
@@ -0,0 +1,44 @@
+Upstream-Status: Backport
+Index: gnupg-1.4.7/g10/getkey.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/getkey.c       2007-03-05 16:54:41.000000000 +0800
+++ gnupg-1.4.7/g10/getkey.c    2013-11-28 14:41:59.640212240 +0800
+@@ -1454,7 +1454,11 @@
+ 
+       if(flags)
+        key_usage |= PUBKEY_USAGE_UNKNOWN;
+      if (!key_usage)
+       key_usage |= PUBKEY_USAGE_NONE;
+     }
+  else if (p)
+    key_usage |= PUBKEY_USAGE_NONE;
+ 
+   /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
+      capability that we do not handle.  This serves to distinguish
+Index: gnupg-1.4.7/g10/keygen.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/keygen.c       2007-02-05 00:27:40.000000000 +0800
+++ gnupg-1.4.7/g10/keygen.c    2013-11-28 14:43:05.016670092 +0800
+@@ -209,9 +209,6 @@
+     if (use & PUBKEY_USAGE_AUTH)
+         buf[0] |= 0x20;
+ 
+-    if (!buf[0]) 
+-        return;
+-
+     build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
+ }
+ 
+Index: gnupg-1.4.7/include/cipher.h
+===================================================================
+--- gnupg-1.4.7.orig/include/cipher.h   2006-04-21 20:39:49.000000000 +0800
+++ gnupg-1.4.7/include/cipher.h        2013-11-28 14:49:24.159322744 +0800
+@@ -52,6 +52,7 @@
+ #define PUBKEY_USAGE_CERT    4      /* key is also good to certify other keys*/
+ #define PUBKEY_USAGE_AUTH    8      /* key is good for authentication */
+ #define PUBKEY_USAGE_UNKNOWN 128    /* key has an unknown usage bit */
+#define PUBKEY_USAGE_NONE    256    /* No usage given. */
+ 
+ #define DIGEST_ALGO_MD5       1
+ #define DIGEST_ALGO_SHA1      2
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
new file mode 100644
index 0000000000..b1a22f5853
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
@@ -0,0 +1,153 @@
+Upstream-Status: Backport
+Index: gnupg-1.4.7/cipher/dsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/dsa.c       2006-12-12 02:27:21.000000000 +0800
+++ gnupg-1.4.7/cipher/dsa.c    2014-01-23 11:30:17.300915919 +0800
+@@ -287,6 +287,8 @@
+     MPI kinv;
+     MPI tmp;
+ 
+    mpi_normalize (hash);
+
+     /* select a random k with 0 < k < q */
+     k = gen_k( skey->q );
+ 
+Index: gnupg-1.4.7/cipher/elgamal.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/elgamal.c   2006-12-12 03:08:05.000000000 +0800
+++ gnupg-1.4.7/cipher/elgamal.c        2014-01-23 11:30:17.300915919 +0800
+@@ -376,6 +376,9 @@
+ {
+     MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
+ 
+    mpi_normalize (a);
+    mpi_normalize (b);
+
+     /* output = b/(a^x) mod p */
+     mpi_powm( t1, a, skey->x, skey->p );
+     mpi_invm( t1, t1, skey->p );
+Index: gnupg-1.4.7/cipher/random.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.c    2006-11-03 18:09:39.000000000 +0800
+++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
+@@ -273,6 +273,18 @@
+ }
+ 
+ 
+/* Randomize the MPI */ 
+void
+randomize_mpi (MPI mpi, size_t nbits, int level)
+{
+  unsigned char *buffer;
+
+  buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
+  mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
+  xfree (buffer);
+}
+
+
+ int
+ random_is_faked()
+ {
+Index: gnupg-1.4.7/cipher/random.h
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.h    2006-02-09 19:29:29.000000000 +0800
+++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
+@@ -32,6 +32,7 @@
+ int  random_is_faked(void);
+ void random_disable_locking (void);
+ void randomize_buffer( byte *buffer, size_t length, int level );
+void randomize_mpi (MPI mpi, size_t nbits, int level);
+ byte *get_random_bits( size_t nbits, int level, int secure );
+ void fast_random_poll( void );
+ 
+Index: gnupg-1.4.7/cipher/rsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/rsa.c       2006-12-12 03:09:00.000000000 +0800
+++ gnupg-1.4.7/cipher/rsa.c    2014-01-23 11:35:04.330639125 +0800
+@@ -301,9 +301,26 @@
+ #if 0
+     mpi_powm( output, input, skey->d, skey->n );
+ #else
+-    MPI m1   = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-    MPI m2   = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-    MPI h    = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+    int nlimbs = mpi_get_nlimbs (skey->n)+1;
+    MPI m1   = mpi_alloc_secure (nlimbs);
+    MPI m2   = mpi_alloc_secure (nlimbs);
+    MPI h    = mpi_alloc_secure (nlimbs);
+# if 1
+    MPI bdata= mpi_alloc_secure (nlimbs);
+    MPI r    = mpi_alloc_secure (nlimbs);
+# endif
+
+    /* Remove superfluous leading zeroes from INPUT.  */
+    mpi_normalize (input);
+
+# if 1 
+    /* Blind:  bdata = (data * r^e) mod n   */
+    randomize_mpi (r, mpi_get_nbits (skey->n), 0);
+    mpi_fdiv_r (r, r, skey->n);
+    mpi_powm (bdata, r, skey->e, skey->n);
+    mpi_mulm (bdata, bdata, input, skey->n);
+    input = bdata;
+# endif
+ 
+     /* m1 = c ^ (d mod (p-1)) mod p */
+     mpi_sub_ui( h, skey->p, 1  );
+@@ -321,8 +338,15 @@
+     /* m = m2 + h * p */
+     mpi_mul ( h, h, skey->p );
+     mpi_add ( output, m1, h );
+-    /* ready */
+-    
+
+# if 1
+    mpi_free (bdata);
+    /* Unblind: output = (output * r^(-1)) mod n  */
+    mpi_invm (r, r, skey->n);
+    mpi_mulm (output, output, r, skey->n);
+    mpi_free (r);
+# endif
+
+     mpi_free ( h );
+     mpi_free ( m1 );
+     mpi_free ( m2 );
+@@ -397,6 +421,7 @@
+ rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
+ {
+     RSA_secret_key sk;
+    MPI input;
+ 
+     if( algo != 1 && algo != 2 )
+        return G10ERR_PUBKEY_ALGO;
+@@ -407,8 +432,14 @@
+     sk.p = skey[3];
+     sk.q = skey[4];
+     sk.u = skey[5];
+-    *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
+-    secret( *result, data[0], &sk );
+
+    /* Mitigates side-channel attacks (CVE-2013-4576).  */
+    input = mpi_alloc (0);
+    mpi_normalize (data[0]);
+    mpi_fdiv_r (input, data[0], sk.n);
+    *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
+    secret (*result, input, &sk);
+    mpi_free (input);
+     return 0;
+ }
+ 
+Index: gnupg-1.4.7/g10/gpgv.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
+++ gnupg-1.4.7/g10/gpgv.c      2014-01-23 11:30:17.300915919 +0800
+@@ -390,6 +390,7 @@
+ void random_dump_stats(void) {}
+ int quick_random_gen( int onoff ) { return -1;}
+ void randomize_buffer( byte *buffer, size_t length, int level ) {}
+void randomize_mpi (MPI mpi, size_t nbits, int level) {}
+ int random_is_faked() { return -1;}
+ byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
+ void set_random_seed_file( const char *name ) {}
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
new file mode 100644
index 0000000000..8b5d9a1693
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
@@ -0,0 +1,63 @@
+commit f0b33b6fb8e0586e9584a7a409dcc31263776a67
+Author: Werner Koch <wk@gnupg.org>
+Date:   Thu Dec 20 09:43:41 2012 +0100
+    gpg: Import only packets which are allowed in a keyblock.
+    
+    * g10/import.c (valid_keyblock_packet): New.
+    (read_block): Store only valid packets.
+    --
+    
+    A corrupted key, which for example included a mangled public key
+    encrypted packet, used to corrupt the keyring.  This change skips all
+    packets which are not allowed in a keyblock.
+    
+    GnuPG-bug-id: 1455
+    
+    (cherry-picked from commit f795a0d59e197455f8723c300eebf59e09853efa)
+Upstream-Status: Backport
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+diff --git a/g10/import.c b/g10/import.c
+index bfe02eb..a57b32e 100644
+--- a/g10/import.c
+++ b/g10/import.c
+@@ -384,6 +384,27 @@ import_print_stats (void *hd)
+ }
+ 
+ 
+/* Return true if PKTTYPE is valid in a keyblock.  */
+static int
+valid_keyblock_packet (int pkttype)
+{
+  switch (pkttype)
+    {
+    case PKT_PUBLIC_KEY:
+    case PKT_PUBLIC_SUBKEY:
+    case PKT_SECRET_KEY:
+    case PKT_SECRET_SUBKEY:
+    case PKT_SIGNATURE:
+    case PKT_USER_ID:
+    case PKT_ATTRIBUTE:
+    case PKT_RING_TRUST:
+      return 1;
+    default:
+      return 0;
+    }
+}
+
+
+ /****************
+  * Read the next keyblock from stream A.
+  * PENDING_PKT should be initialzed to NULL
+@@ -461,7 +482,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root )
+            }
+            in_cert = 1;
+          default:
+-           if( in_cert ) {
+           if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
+                if( !root )
+                    root = new_kbnode( pkt );
+                else
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch
new file mode 100644
index 0000000000..e005ac658f
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch
@@ -0,0 +1,17 @@
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+Index: gnupg-1.4.7/configure.ac
+===================================================================
+--- gnupg-1.4.7.orig/configure.ac
+++ gnupg-1.4.7/configure.ac
+@@ -827,7 +827,6 @@ else
+   AC_SUBST(USE_NLS)
+   AC_SUBST(USE_INCLUDED_LIBINTL)
+   AC_SUBST(BUILD_INCLUDED_LIBINTL)
+-  AM_PO_SUBDIRS
+ fi
+ 
+ if test "$try_extensions" = yes || test x"$card_support" = xyes ; then
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch
new file mode 100644
index 0000000000..e5fb24aa63
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch
@@ -0,0 +1,27 @@
+This has been discussed in a couple of different bug reported
+upstream:
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486250
+http://bugs.sourcemage.org/show_bug.cgi?id=14446
+Fix:
+http://lists.gnupg.org/pipermail/gnupg-devel/2008-April/024344.html
+Upstream-Status: Backport [Debian]
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+Index: gnupg-1.4.7/keyserver/gpgkeys_curl.c
+===================================================================
+--- gnupg-1.4.7.orig/keyserver/gpgkeys_curl.c
+++ gnupg-1.4.7/keyserver/gpgkeys_curl.c
+@@ -286,7 +286,7 @@ main(int argc,char *argv[])
+       curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
+     }
+ 
+-  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,opt->flags.check_cert);
+  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
+   curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
+ 
+   if(proxy)
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch
new file mode 100644
index 0000000000..2855cab24b
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch
@@ -0,0 +1,19 @@
+Orignal Patch came from OpenWrt via OE-Classic
+https://dev.openwrt.org/browser/packages/utils/gnupg/patches/001-mips_gcc4.4
+which is no longer a valid revision!
+Upstream-Status: Inappropriate [configuration]
+--- gnupg/mpi/longlong.h~      2006-02-14 10:09:55.000000000 +0000
+++ gnupg/mpi/longlong.h       2008-10-27 13:11:09.000000000 +0000
+@@ -181,7 +181,7 @@
+ /***************************************
+  **************  ARM  ******************
+  ***************************************/
+-#if defined (__arm__) && W_TYPE_SIZE == 32
+#if defined (__arm__) && W_TYPE_SIZE == 32 && !defined(__thumb__)
+ #define add_ssaaaa(sh, sl, ah, al, bh, bl) \
+   __asm__ ("adds %1, %4, %5\n"                                          \
+          "adc  %0, %2, %3"                                            \
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch
new file mode 100644
index 0000000000..9a03b2b705
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch
@@ -0,0 +1,50 @@
+From Openembedded-Classic
+    gnupg-1.4.10: Readd the ARM Thumb patch as debian has no thumb support
+Upstream-Status: Inappropriate [embedded-specific]
+Index: gnupg-1.4.10/mpi/longlong.h
+===================================================================
+--- gnupg-1.4.10.orig/mpi/longlong.h    2008-12-11 17:39:43.000000000 +0100
+++ gnupg-1.4.10/mpi/longlong.h 2010-03-27 14:27:53.000000000 +0100
+@@ -706,18 +706,35 @@
+ #endif /* __m88110__ */
+ #endif /* __m88000__ */
+ 
+/* Test for gcc >= maj.min, as per __GNUC_PREREQ in glibc */
+#if defined (__GNUC__) && defined (__GNUC_MINOR__)
+#define __GNUC_PREREQ(maj, min) \
+       ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
+#else
+#define __GNUC_PREREQ(maj, min)  0
+#endif
+
+ /***************************************
+  **************  MIPS  *****************
+  ***************************************/
+ #if defined (__mips__) && W_TYPE_SIZE == 32
+-#if __GNUC__ > 2 || __GNUC_MINOR__ >= 7
+#if __GNUC_PREREQ (4,4)
+#define umul_ppmm(w1, w0, u, v) \
+  do {                                                                 \
+       UDItype __ll = (UDItype)(u) * (v);                                 \
+       w1 = __ll >> 32;                                                   \
+       w0 = __ll;                                                         \
+  } while (0)
+#endif
+#if !defined (umul_ppmm) && __GNUC_PREREQ (2,7)
+ #define umul_ppmm(w1, w0, u, v) \
+   __asm__ ("multu %2,%3"                                                \
+           : "=l" ((USItype)(w0)),                                      \
+             "=h" ((USItype)(w1))                                       \
+           : "d" ((USItype)(u)),                                        \
+             "d" ((USItype)(v)))
+-#else
+#endif
+#if !defined (umul_ppmm)
+ #define umul_ppmm(w1, w0, u, v) \
+   __asm__ ("multu %2,%3 \n" \
+           "mflo %0 \n"     \
author	Adrian Dudau <adrian.dudau@enea.com>	2014-06-26 14:36:22 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2014-06-26 15:32:53 +0200
commit	f4cf9fe05bb3f32fabea4e54dd92d368967a80da (patch)
tree	487180fa9866985ea7b28e625651765d86f515c3 /meta/recipes-support/gnupg/gnupg-1.4.7
download	poky-f4cf9fe05bb3f32fabea4e54dd92d368967a80da.tar.gz

diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch new file mode 100644 index 0000000000..b29ede4233 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
@@ -0,0 +1,44 @@
	1	Upstream-Status: Backport
	2
	3	Index: gnupg-1.4.7/g10/getkey.c
	4	===================================================================
	5	--- gnupg-1.4.7.orig/g10/getkey.c 2007-03-05 16:54:41.000000000 +0800
	6	+++ gnupg-1.4.7/g10/getkey.c 2013-11-28 14:41:59.640212240 +0800
	7	@@ -1454,7 +1454,11 @@
	8
	9	if(flags)
	10	key_usage \|= PUBKEY_USAGE_UNKNOWN;
	11	+ if (!key_usage)
	12	+ key_usage \|= PUBKEY_USAGE_NONE;
	13	}
	14	+ else if (p)
	15	+ key_usage \|= PUBKEY_USAGE_NONE;
	16
	17	/* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
	18	capability that we do not handle. This serves to distinguish
	19	Index: gnupg-1.4.7/g10/keygen.c
	20	===================================================================
	21	--- gnupg-1.4.7.orig/g10/keygen.c 2007-02-05 00:27:40.000000000 +0800
	22	+++ gnupg-1.4.7/g10/keygen.c 2013-11-28 14:43:05.016670092 +0800
	23	@@ -209,9 +209,6 @@
	24	if (use & PUBKEY_USAGE_AUTH)
	25	buf[0] \|= 0x20;
	26
	27	- if (!buf[0])
	28	- return;
	29	-
	30	build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
	31	}
	32
	33	Index: gnupg-1.4.7/include/cipher.h
	34	===================================================================
	35	--- gnupg-1.4.7.orig/include/cipher.h 2006-04-21 20:39:49.000000000 +0800
	36	+++ gnupg-1.4.7/include/cipher.h 2013-11-28 14:49:24.159322744 +0800
	37	@@ -52,6 +52,7 @@
	38	#define PUBKEY_USAGE_CERT 4 /* key is also good to certify other keys*/
	39	#define PUBKEY_USAGE_AUTH 8 /* key is good for authentication */
	40	#define PUBKEY_USAGE_UNKNOWN 128 /* key has an unknown usage bit */
	41	+#define PUBKEY_USAGE_NONE 256 /* No usage given. */
	42
	43	#define DIGEST_ALGO_MD5 1
	44	#define DIGEST_ALGO_SHA1 2


diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch new file mode 100644 index 0000000000..b1a22f5853 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
@@ -0,0 +1,153 @@
	1	Upstream-Status: Backport
	2
	3	Index: gnupg-1.4.7/cipher/dsa.c
	4	===================================================================
	5	--- gnupg-1.4.7.orig/cipher/dsa.c 2006-12-12 02:27:21.000000000 +0800
	6	+++ gnupg-1.4.7/cipher/dsa.c 2014-01-23 11:30:17.300915919 +0800
	7	@@ -287,6 +287,8 @@
	8	MPI kinv;
	9	MPI tmp;
	10
	11	+ mpi_normalize (hash);
	12	+
	13	/* select a random k with 0 < k < q */
	14	k = gen_k( skey->q );
	15
	16	Index: gnupg-1.4.7/cipher/elgamal.c
	17	===================================================================
	18	--- gnupg-1.4.7.orig/cipher/elgamal.c 2006-12-12 03:08:05.000000000 +0800
	19	+++ gnupg-1.4.7/cipher/elgamal.c 2014-01-23 11:30:17.300915919 +0800
	20	@@ -376,6 +376,9 @@
	21	{
	22	MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
	23
	24	+ mpi_normalize (a);
	25	+ mpi_normalize (b);
	26	+
	27	/* output = b/(a^x) mod p */
	28	mpi_powm( t1, a, skey->x, skey->p );
	29	mpi_invm( t1, t1, skey->p );
	30	Index: gnupg-1.4.7/cipher/random.c
	31	===================================================================
	32	--- gnupg-1.4.7.orig/cipher/random.c 2006-11-03 18:09:39.000000000 +0800
	33	+++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
	34	@@ -273,6 +273,18 @@
	35	}
	36
	37
	38	+/* Randomize the MPI */
	39	+void
	40	+randomize_mpi (MPI mpi, size_t nbits, int level)
	41	+{
	42	+ unsigned char *buffer;
	43	+
	44	+ buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
	45	+ mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
	46	+ xfree (buffer);
	47	+}
	48	+
	49	+
	50	int
	51	random_is_faked()
	52	{
	53	Index: gnupg-1.4.7/cipher/random.h
	54	===================================================================
	55	--- gnupg-1.4.7.orig/cipher/random.h 2006-02-09 19:29:29.000000000 +0800
	56	+++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
	57	@@ -32,6 +32,7 @@
	58	int random_is_faked(void);
	59	void random_disable_locking (void);
	60	void randomize_buffer( byte *buffer, size_t length, int level );
	61	+void randomize_mpi (MPI mpi, size_t nbits, int level);
	62	byte *get_random_bits( size_t nbits, int level, int secure );
	63	void fast_random_poll( void );
	64
	65	Index: gnupg-1.4.7/cipher/rsa.c
	66	===================================================================
	67	--- gnupg-1.4.7.orig/cipher/rsa.c 2006-12-12 03:09:00.000000000 +0800
	68	+++ gnupg-1.4.7/cipher/rsa.c 2014-01-23 11:35:04.330639125 +0800
	69	@@ -301,9 +301,26 @@
	70	#if 0
	71	mpi_powm( output, input, skey->d, skey->n );
	72	#else
	73	- MPI m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
	74	- MPI m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
	75	- MPI h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
	76	+ int nlimbs = mpi_get_nlimbs (skey->n)+1;
	77	+ MPI m1 = mpi_alloc_secure (nlimbs);
	78	+ MPI m2 = mpi_alloc_secure (nlimbs);
	79	+ MPI h = mpi_alloc_secure (nlimbs);
	80	+# if 1
	81	+ MPI bdata= mpi_alloc_secure (nlimbs);
	82	+ MPI r = mpi_alloc_secure (nlimbs);
	83	+# endif
	84	+
	85	+ /* Remove superfluous leading zeroes from INPUT. */
	86	+ mpi_normalize (input);
	87	+
	88	+# if 1
	89	+ /* Blind: bdata = (data * r^e) mod n */
	90	+ randomize_mpi (r, mpi_get_nbits (skey->n), 0);
	91	+ mpi_fdiv_r (r, r, skey->n);
	92	+ mpi_powm (bdata, r, skey->e, skey->n);
	93	+ mpi_mulm (bdata, bdata, input, skey->n);
	94	+ input = bdata;
	95	+# endif
	96
	97	/* m1 = c ^ (d mod (p-1)) mod p */
	98	mpi_sub_ui( h, skey->p, 1 );
	99	@@ -321,8 +338,15 @@
	100	/* m = m2 + h * p */
	101	mpi_mul ( h, h, skey->p );
	102	mpi_add ( output, m1, h );
	103	- /* ready */
	104	-
	105	+
	106	+# if 1
	107	+ mpi_free (bdata);
	108	+ /* Unblind: output = (output * r^(-1)) mod n */
	109	+ mpi_invm (r, r, skey->n);
	110	+ mpi_mulm (output, output, r, skey->n);
	111	+ mpi_free (r);
	112	+# endif
	113	+
	114	mpi_free ( h );
	115	mpi_free ( m1 );
	116	mpi_free ( m2 );
	117	@@ -397,6 +421,7 @@
	118	rsa_decrypt( int algo, MPI result, MPI data, MPI *skey )
	119	{
	120	RSA_secret_key sk;
	121	+ MPI input;
	122
	123	if( algo != 1 && algo != 2 )
	124	return G10ERR_PUBKEY_ALGO;
	125	@@ -407,8 +432,14 @@
	126	sk.p = skey[3];
	127	sk.q = skey[4];
	128	sk.u = skey[5];
	129	- *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
	130	- secret( *result, data[0], &sk );
	131	+
	132	+ /* Mitigates side-channel attacks (CVE-2013-4576). */
	133	+ input = mpi_alloc (0);
	134	+ mpi_normalize (data[0]);
	135	+ mpi_fdiv_r (input, data[0], sk.n);
	136	+ *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
	137	+ secret (*result, input, &sk);
	138	+ mpi_free (input);
	139	return 0;
	140	}
	141
	142	Index: gnupg-1.4.7/g10/gpgv.c
	143	===================================================================
	144	--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
	145	+++ gnupg-1.4.7/g10/gpgv.c 2014-01-23 11:30:17.300915919 +0800
	146	@@ -390,6 +390,7 @@
	147	void random_dump_stats(void) {}
	148	int quick_random_gen( int onoff ) { return -1;}
	149	void randomize_buffer( byte *buffer, size_t length, int level ) {}
	150	+void randomize_mpi (MPI mpi, size_t nbits, int level) {}
	151	int random_is_faked() { return -1;}
	152	byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
	153	void set_random_seed_file( const char *name ) {}


diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch new file mode 100644 index 0000000000..8b5d9a1693 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
@@ -0,0 +1,63 @@
	1	commit f0b33b6fb8e0586e9584a7a409dcc31263776a67
	2	Author: Werner Koch <wk@gnupg.org>
	3	Date: Thu Dec 20 09:43:41 2012 +0100
	4
	5	gpg: Import only packets which are allowed in a keyblock.
	6
	7	* g10/import.c (valid_keyblock_packet): New.
	8	(read_block): Store only valid packets.
	9	--
	10
	11	A corrupted key, which for example included a mangled public key
	12	encrypted packet, used to corrupt the keyring. This change skips all
	13	packets which are not allowed in a keyblock.
	14
	15	GnuPG-bug-id: 1455
	16
	17	(cherry-picked from commit f795a0d59e197455f8723c300eebf59e09853efa)
	18
	19	Upstream-Status: Backport
	20
	21	Signed-off-by: Saul Wold <sgw@linux.intel.com>
	22
	23	diff --git a/g10/import.c b/g10/import.c
	24	index bfe02eb..a57b32e 100644
	25	--- a/g10/import.c
	26	+++ b/g10/import.c
	27	@@ -384,6 +384,27 @@ import_print_stats (void *hd)
	28	}
	29
	30
	31	+/* Return true if PKTTYPE is valid in a keyblock. */
	32	+static int
	33	+valid_keyblock_packet (int pkttype)
	34	+{
	35	+ switch (pkttype)
	36	+ {
	37	+ case PKT_PUBLIC_KEY:
	38	+ case PKT_PUBLIC_SUBKEY:
	39	+ case PKT_SECRET_KEY:
	40	+ case PKT_SECRET_SUBKEY:
	41	+ case PKT_SIGNATURE:
	42	+ case PKT_USER_ID:
	43	+ case PKT_ATTRIBUTE:
	44	+ case PKT_RING_TRUST:
	45	+ return 1;
	46	+ default:
	47	+ return 0;
	48	+ }
	49	+}
	50	+
	51	+
	52	/****************
	53	* Read the next keyblock from stream A.
	54	* PENDING_PKT should be initialzed to NULL
	55	@@ -461,7 +482,7 @@ read_block( IOBUF a, PACKET *pending_pkt, KBNODE ret_root )
	56	}
	57	in_cert = 1;
	58	default:
	59	- if( in_cert ) {
	60	+ if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
	61	if( !root )
	62	root = new_kbnode( pkt );
	63	else


diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch new file mode 100644 index 0000000000..e005ac658f --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch
@@ -0,0 +1,17 @@
	1
	2	Upstream-Status: Inappropriate [configuration]
	3
	4	Signed-off-by: Saul Wold <sgw@linux.intel.com>
	5
	6	Index: gnupg-1.4.7/configure.ac
	7	===================================================================
	8	--- gnupg-1.4.7.orig/configure.ac
	9	+++ gnupg-1.4.7/configure.ac
	10	@@ -827,7 +827,6 @@ else
	11	AC_SUBST(USE_NLS)
	12	AC_SUBST(USE_INCLUDED_LIBINTL)
	13	AC_SUBST(BUILD_INCLUDED_LIBINTL)
	14	- AM_PO_SUBDIRS
	15	fi
	16
	17	if test "$try_extensions" = yes \|\| test x"$card_support" = xyes ; then


diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch new file mode 100644 index 0000000000..e5fb24aa63 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch
@@ -0,0 +1,27 @@
	1
	2	This has been discussed in a couple of different bug reported
	3	upstream:
	4
	5	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486250
	6	http://bugs.sourcemage.org/show_bug.cgi?id=14446
	7
	8	Fix:
	9	http://lists.gnupg.org/pipermail/gnupg-devel/2008-April/024344.html
	10
	11	Upstream-Status: Backport [Debian]
	12
	13	Signed-off-by: Saul Wold <sgw@linux.intel.com>
	14
	15	Index: gnupg-1.4.7/keyserver/gpgkeys_curl.c
	16	===================================================================
	17	--- gnupg-1.4.7.orig/keyserver/gpgkeys_curl.c
	18	+++ gnupg-1.4.7/keyserver/gpgkeys_curl.c
	19	@@ -286,7 +286,7 @@ main(int argc,char *argv[])
	20	curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
	21	}
	22
	23	- curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,opt->flags.check_cert);
	24	+ curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
	25	curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
	26
	27	if(proxy)


diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch new file mode 100644 index 0000000000..2855cab24b --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch
@@ -0,0 +1,19 @@
	1	Orignal Patch came from OpenWrt via OE-Classic
	2	https://dev.openwrt.org/browser/packages/utils/gnupg/patches/001-mips_gcc4.4
	3	which is no longer a valid revision!
	4
	5	Upstream-Status: Inappropriate [configuration]
	6
	7
	8	--- gnupg/mpi/longlong.h~ 2006-02-14 10:09:55.000000000 +0000
	9	+++ gnupg/mpi/longlong.h 2008-10-27 13:11:09.000000000 +0000
	10	@@ -181,7 +181,7 @@
	11	/***************************************
	12	************ ARM ****************
	13	***************************************/
	14	-#if defined (__arm__) && W_TYPE_SIZE == 32
	15	+#if defined (__arm__) && W_TYPE_SIZE == 32 && !defined(__thumb__)
	16	#define add_ssaaaa(sh, sl, ah, al, bh, bl) \
	17	__asm__ ("adds %1, %4, %5\n" \
	18	"adc %0, %2, %3" \
	19


diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch new file mode 100644 index 0000000000..9a03b2b705 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch
@@ -0,0 +1,50 @@
	1
	2	From Openembedded-Classic
	3
	4	gnupg-1.4.10: Readd the ARM Thumb patch as debian has no thumb support
	5
	6
	7	Upstream-Status: Inappropriate [embedded-specific]
	8
	9	Index: gnupg-1.4.10/mpi/longlong.h
	10	===================================================================
	11	--- gnupg-1.4.10.orig/mpi/longlong.h 2008-12-11 17:39:43.000000000 +0100
	12	+++ gnupg-1.4.10/mpi/longlong.h 2010-03-27 14:27:53.000000000 +0100
	13	@@ -706,18 +706,35 @@
	14	#endif /* __m88110__ */
	15	#endif /* __m88000__ */
	16
	17	+/* Test for gcc >= maj.min, as per __GNUC_PREREQ in glibc */
	18	+#if defined (__GNUC__) && defined (__GNUC_MINOR__)
	19	+#define __GNUC_PREREQ(maj, min) \
	20	+ ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
	21	+#else
	22	+#define __GNUC_PREREQ(maj, min) 0
	23	+#endif
	24	+
	25	/***************************************
	26	************ MIPS ***************
	27	***************************************/
	28	#if defined (__mips__) && W_TYPE_SIZE == 32
	29	-#if __GNUC__ > 2 \|\| __GNUC_MINOR__ >= 7
	30	+#if __GNUC_PREREQ (4,4)
	31	+#define umul_ppmm(w1, w0, u, v) \
	32	+ do { \
	33	+ UDItype __ll = (UDItype)(u) * (v); \
	34	+ w1 = __ll >> 32; \
	35	+ w0 = __ll; \
	36	+ } while (0)
	37	+#endif
	38	+#if !defined (umul_ppmm) && __GNUC_PREREQ (2,7)
	39	#define umul_ppmm(w1, w0, u, v) \
	40	__asm__ ("multu %2,%3" \
	41	: "=l" ((USItype)(w0)), \
	42	"=h" ((USItype)(w1)) \
	43	: "d" ((USItype)(u)), \
	44	"d" ((USItype)(v)))
	45	-#else
	46	+#endif
	47	+#if !defined (umul_ppmm)
	48	#define umul_ppmm(w1, w0, u, v) \
	49	__asm__ ("multu %2,%3 \n" \
	50	"mflo %0 \n" \