initial commit for Enea Linux 5.0 arm

Signed-off-by: Tudor Florea <tudor.florea@enea.com>

11 files changed, 662 insertions, 0 deletions

diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
new file mode 100644
index 0000000000..c9addca28e
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
@@ -0,0 +1,62 @@
+From e2202ff2b704623efc6277fb5256e4e15bac5676 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 25 Jul 2013 11:17:52 +0200
+Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret
+ exponents.
+
+commit e2202ff2b704623efc6277fb5256e4e15bac5676 from
+git://git.gnupg.org/libgcrypt.git
+
+* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for
+exponents in secure memory.
+
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+--
+
+The attack is published as http://eprint.iacr.org/2013/448 :
+
+Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
+Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
+
+  Flush+Reload is a cache side-channel attack that monitors access to
+  data in shared pages. In this paper we demonstrate how to use the
+  attack to extract private encryption keys from GnuPG.  The high
+  resolution and low noise of the Flush+Reload attack enables a spy
+  program to recover over 98% of the bits of the private key in a
+  single decryption or signing round. Unlike previous attacks, the
+  attack targets the last level L3 cache. Consequently, the spy
+  program and the victim do not need to share the execution core of
+  the CPU. The attack is not limited to a traditional OS and can be
+  used in a virtualised environment, where it can attack programs
+  executing in a different VM.
+
+Index: gnupg-1.4.7/mpi/mpi-pow.c
+===================================================================
+--- gnupg-1.4.7.orig/mpi/mpi-pow.c
++++ gnupg-1.4.7/mpi/mpi-pow.c
+@@ -212,7 +212,13 @@ mpi_powm( MPI res, MPI base, MPI exponen
+                tp = rp; rp = xp; xp = tp;
+                rsize = xsize;
+ 
+-               if( (mpi_limb_signed_t)e < 0 ) {
++            /* To mitigate the Yarom/Falkner flush+reload cache
++             * side-channel attack on the RSA secret exponent, we do
++             * the multiplication regardless of the value of the
++             * high-bit of E.  But to avoid this performance penalty
++             * we do it only if the exponent has been stored in secure
++             * memory and we can thus assume it is a secret exponent.  */
++               if (esec || (mpi_limb_signed_t)e < 0) {
+                    /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/
+                    if( bsize < KARATSUBA_THRESHOLD ) {
+                        mpihelp_mul( xp, rp, rsize, bp, bsize );
+@@ -227,6 +233,8 @@ mpi_powm( MPI res, MPI base, MPI exponen
+                        mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize);
+                        xsize = msize;
+                    }
++               }
++               if ( (mpi_limb_signed_t)e < 0 ) {
+ 
+                    tp = rp; rp = xp; xp = tp;
+                    rsize = xsize;
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
new file mode 100644
index 0000000000..b29ede4233
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
@@ -0,0 +1,44 @@
+Upstream-Status: Backport
+
+Index: gnupg-1.4.7/g10/getkey.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/getkey.c       2007-03-05 16:54:41.000000000 +0800
++++ gnupg-1.4.7/g10/getkey.c    2013-11-28 14:41:59.640212240 +0800
+@@ -1454,7 +1454,11 @@
+ 
+       if(flags)
+        key_usage |= PUBKEY_USAGE_UNKNOWN;
++      if (!key_usage)
++       key_usage |= PUBKEY_USAGE_NONE;
+     }
++  else if (p)
++    key_usage |= PUBKEY_USAGE_NONE;
+ 
+   /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
+      capability that we do not handle.  This serves to distinguish
+Index: gnupg-1.4.7/g10/keygen.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/keygen.c       2007-02-05 00:27:40.000000000 +0800
++++ gnupg-1.4.7/g10/keygen.c    2013-11-28 14:43:05.016670092 +0800
+@@ -209,9 +209,6 @@
+     if (use & PUBKEY_USAGE_AUTH)
+         buf[0] |= 0x20;
+ 
+-    if (!buf[0]) 
+-        return;
+-
+     build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
+ }
+ 
+Index: gnupg-1.4.7/include/cipher.h
+===================================================================
+--- gnupg-1.4.7.orig/include/cipher.h   2006-04-21 20:39:49.000000000 +0800
++++ gnupg-1.4.7/include/cipher.h        2013-11-28 14:49:24.159322744 +0800
+@@ -52,6 +52,7 @@
+ #define PUBKEY_USAGE_CERT    4      /* key is also good to certify other keys*/
+ #define PUBKEY_USAGE_AUTH    8      /* key is good for authentication */
+ #define PUBKEY_USAGE_UNKNOWN 128    /* key has an unknown usage bit */
++#define PUBKEY_USAGE_NONE    256    /* No usage given. */
+ 
+ #define DIGEST_ALGO_MD5       1
+ #define DIGEST_ALGO_SHA1      2
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
new file mode 100644
index 0000000000..b1a22f5853
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
@@ -0,0 +1,153 @@
+Upstream-Status: Backport
+
+Index: gnupg-1.4.7/cipher/dsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/dsa.c       2006-12-12 02:27:21.000000000 +0800
++++ gnupg-1.4.7/cipher/dsa.c    2014-01-23 11:30:17.300915919 +0800
+@@ -287,6 +287,8 @@
+     MPI kinv;
+     MPI tmp;
+ 
++    mpi_normalize (hash);
++
+     /* select a random k with 0 < k < q */
+     k = gen_k( skey->q );
+ 
+Index: gnupg-1.4.7/cipher/elgamal.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/elgamal.c   2006-12-12 03:08:05.000000000 +0800
++++ gnupg-1.4.7/cipher/elgamal.c        2014-01-23 11:30:17.300915919 +0800
+@@ -376,6 +376,9 @@
+ {
+     MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
+ 
++    mpi_normalize (a);
++    mpi_normalize (b);
++
+     /* output = b/(a^x) mod p */
+     mpi_powm( t1, a, skey->x, skey->p );
+     mpi_invm( t1, t1, skey->p );
+Index: gnupg-1.4.7/cipher/random.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.c    2006-11-03 18:09:39.000000000 +0800
++++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
+@@ -273,6 +273,18 @@
+ }
+ 
+ 
++/* Randomize the MPI */ 
++void
++randomize_mpi (MPI mpi, size_t nbits, int level)
++{
++  unsigned char *buffer;
++
++  buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
++  mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
++  xfree (buffer);
++}
++
++
+ int
+ random_is_faked()
+ {
+Index: gnupg-1.4.7/cipher/random.h
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.h    2006-02-09 19:29:29.000000000 +0800
++++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
+@@ -32,6 +32,7 @@
+ int  random_is_faked(void);
+ void random_disable_locking (void);
+ void randomize_buffer( byte *buffer, size_t length, int level );
++void randomize_mpi (MPI mpi, size_t nbits, int level);
+ byte *get_random_bits( size_t nbits, int level, int secure );
+ void fast_random_poll( void );
+ 
+Index: gnupg-1.4.7/cipher/rsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/rsa.c       2006-12-12 03:09:00.000000000 +0800
++++ gnupg-1.4.7/cipher/rsa.c    2014-01-23 11:35:04.330639125 +0800
+@@ -301,9 +301,26 @@
+ #if 0
+     mpi_powm( output, input, skey->d, skey->n );
+ #else
+-    MPI m1   = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-    MPI m2   = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-    MPI h    = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
++    int nlimbs = mpi_get_nlimbs (skey->n)+1;
++    MPI m1   = mpi_alloc_secure (nlimbs);
++    MPI m2   = mpi_alloc_secure (nlimbs);
++    MPI h    = mpi_alloc_secure (nlimbs);
++# if 1
++    MPI bdata= mpi_alloc_secure (nlimbs);
++    MPI r    = mpi_alloc_secure (nlimbs);
++# endif
++
++    /* Remove superfluous leading zeroes from INPUT.  */
++    mpi_normalize (input);
++
++# if 1 
++    /* Blind:  bdata = (data * r^e) mod n   */
++    randomize_mpi (r, mpi_get_nbits (skey->n), 0);
++    mpi_fdiv_r (r, r, skey->n);
++    mpi_powm (bdata, r, skey->e, skey->n);
++    mpi_mulm (bdata, bdata, input, skey->n);
++    input = bdata;
++# endif
+ 
+     /* m1 = c ^ (d mod (p-1)) mod p */
+     mpi_sub_ui( h, skey->p, 1  );
+@@ -321,8 +338,15 @@
+     /* m = m2 + h * p */
+     mpi_mul ( h, h, skey->p );
+     mpi_add ( output, m1, h );
+-    /* ready */
+-    
++
++# if 1
++    mpi_free (bdata);
++    /* Unblind: output = (output * r^(-1)) mod n  */
++    mpi_invm (r, r, skey->n);
++    mpi_mulm (output, output, r, skey->n);
++    mpi_free (r);
++# endif
++
+     mpi_free ( h );
+     mpi_free ( m1 );
+     mpi_free ( m2 );
+@@ -397,6 +421,7 @@
+ rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
+ {
+     RSA_secret_key sk;
++    MPI input;
+ 
+     if( algo != 1 && algo != 2 )
+        return G10ERR_PUBKEY_ALGO;
+@@ -407,8 +432,14 @@
+     sk.p = skey[3];
+     sk.q = skey[4];
+     sk.u = skey[5];
+-    *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
+-    secret( *result, data[0], &sk );
++
++    /* Mitigates side-channel attacks (CVE-2013-4576).  */
++    input = mpi_alloc (0);
++    mpi_normalize (data[0]);
++    mpi_fdiv_r (input, data[0], sk.n);
++    *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
++    secret (*result, input, &sk);
++    mpi_free (input);
+     return 0;
+ }
+ 
+Index: gnupg-1.4.7/g10/gpgv.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
++++ gnupg-1.4.7/g10/gpgv.c      2014-01-23 11:30:17.300915919 +0800
+@@ -390,6 +390,7 @@
+ void random_dump_stats(void) {}
+ int quick_random_gen( int onoff ) { return -1;}
+ void randomize_buffer( byte *buffer, size_t length, int level ) {}
++void randomize_mpi (MPI mpi, size_t nbits, int level) {}
+ int random_is_faked() { return -1;}
+ byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
+ void set_random_seed_file( const char *name ) {}
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
new file mode 100644
index 0000000000..8b5d9a1693
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
@@ -0,0 +1,63 @@
+commit f0b33b6fb8e0586e9584a7a409dcc31263776a67
+Author: Werner Koch <wk@gnupg.org>
+Date:   Thu Dec 20 09:43:41 2012 +0100
+
+    gpg: Import only packets which are allowed in a keyblock.
+    
+    * g10/import.c (valid_keyblock_packet): New.
+    (read_block): Store only valid packets.
+    --
+    
+    A corrupted key, which for example included a mangled public key
+    encrypted packet, used to corrupt the keyring.  This change skips all
+    packets which are not allowed in a keyblock.
+    
+    GnuPG-bug-id: 1455
+    
+    (cherry-picked from commit f795a0d59e197455f8723c300eebf59e09853efa)
+
+Upstream-Status: Backport
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+diff --git a/g10/import.c b/g10/import.c
+index bfe02eb..a57b32e 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -384,6 +384,27 @@ import_print_stats (void *hd)
+ }
+ 
+ 
++/* Return true if PKTTYPE is valid in a keyblock.  */
++static int
++valid_keyblock_packet (int pkttype)
++{
++  switch (pkttype)
++    {
++    case PKT_PUBLIC_KEY:
++    case PKT_PUBLIC_SUBKEY:
++    case PKT_SECRET_KEY:
++    case PKT_SECRET_SUBKEY:
++    case PKT_SIGNATURE:
++    case PKT_USER_ID:
++    case PKT_ATTRIBUTE:
++    case PKT_RING_TRUST:
++      return 1;
++    default:
++      return 0;
++    }
++}
++
++
+ /****************
+  * Read the next keyblock from stream A.
+  * PENDING_PKT should be initialzed to NULL
+@@ -461,7 +482,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root )
+            }
+            in_cert = 1;
+          default:
+-           if( in_cert ) {
++           if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
+                if( !root )
+                    root = new_kbnode( pkt );
+                else
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch
new file mode 100644
index 0000000000..e005ac658f
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch
@@ -0,0 +1,17 @@
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+Index: gnupg-1.4.7/configure.ac
+===================================================================
+--- gnupg-1.4.7.orig/configure.ac
++++ gnupg-1.4.7/configure.ac
+@@ -827,7 +827,6 @@ else
+   AC_SUBST(USE_NLS)
+   AC_SUBST(USE_INCLUDED_LIBINTL)
+   AC_SUBST(BUILD_INCLUDED_LIBINTL)
+-  AM_PO_SUBDIRS
+ fi
+ 
+ if test "$try_extensions" = yes || test x"$card_support" = xyes ; then
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch
new file mode 100644
index 0000000000..e5fb24aa63
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch
@@ -0,0 +1,27 @@
+
+This has been discussed in a couple of different bug reported
+upstream:
+
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486250
+http://bugs.sourcemage.org/show_bug.cgi?id=14446
+
+Fix:
+http://lists.gnupg.org/pipermail/gnupg-devel/2008-April/024344.html
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+Index: gnupg-1.4.7/keyserver/gpgkeys_curl.c
+===================================================================
+--- gnupg-1.4.7.orig/keyserver/gpgkeys_curl.c
++++ gnupg-1.4.7/keyserver/gpgkeys_curl.c
+@@ -286,7 +286,7 @@ main(int argc,char *argv[])
+       curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
+     }
+ 
+-  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,opt->flags.check_cert);
++  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
+   curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
+ 
+   if(proxy)
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch
new file mode 100644
index 0000000000..2855cab24b
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch
@@ -0,0 +1,19 @@
+Orignal Patch came from OpenWrt via OE-Classic
+https://dev.openwrt.org/browser/packages/utils/gnupg/patches/001-mips_gcc4.4
+which is no longer a valid revision!
+
+Upstream-Status: Inappropriate [configuration]
+
+
+--- gnupg/mpi/longlong.h~      2006-02-14 10:09:55.000000000 +0000
++++ gnupg/mpi/longlong.h       2008-10-27 13:11:09.000000000 +0000
+@@ -181,7 +181,7 @@
+ /***************************************
+  **************  ARM  ******************
+  ***************************************/
+-#if defined (__arm__) && W_TYPE_SIZE == 32
++#if defined (__arm__) && W_TYPE_SIZE == 32 && !defined(__thumb__)
+ #define add_ssaaaa(sh, sl, ah, al, bh, bl) \
+   __asm__ ("adds %1, %4, %5\n"                                          \
+          "adc  %0, %2, %3"                                            \
+
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch
new file mode 100644
index 0000000000..9a03b2b705
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch
@@ -0,0 +1,50 @@
+
+From Openembedded-Classic
+
+    gnupg-1.4.10: Readd the ARM Thumb patch as debian has no thumb support
+
+
+Upstream-Status: Inappropriate [embedded-specific]
+
+Index: gnupg-1.4.10/mpi/longlong.h
+===================================================================
+--- gnupg-1.4.10.orig/mpi/longlong.h    2008-12-11 17:39:43.000000000 +0100
++++ gnupg-1.4.10/mpi/longlong.h 2010-03-27 14:27:53.000000000 +0100
+@@ -706,18 +706,35 @@
+ #endif /* __m88110__ */
+ #endif /* __m88000__ */
+ 
++/* Test for gcc >= maj.min, as per __GNUC_PREREQ in glibc */
++#if defined (__GNUC__) && defined (__GNUC_MINOR__)
++#define __GNUC_PREREQ(maj, min) \
++       ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
++#else
++#define __GNUC_PREREQ(maj, min)  0
++#endif
++
+ /***************************************
+  **************  MIPS  *****************
+  ***************************************/
+ #if defined (__mips__) && W_TYPE_SIZE == 32
+-#if __GNUC__ > 2 || __GNUC_MINOR__ >= 7
++#if __GNUC_PREREQ (4,4)
++#define umul_ppmm(w1, w0, u, v) \
++  do {                                                                 \
++       UDItype __ll = (UDItype)(u) * (v);                                 \
++       w1 = __ll >> 32;                                                   \
++       w0 = __ll;                                                         \
++  } while (0)
++#endif
++#if !defined (umul_ppmm) && __GNUC_PREREQ (2,7)
+ #define umul_ppmm(w1, w0, u, v) \
+   __asm__ ("multu %2,%3"                                                \
+           : "=l" ((USItype)(w0)),                                      \
+             "=h" ((USItype)(w1))                                       \
+           : "d" ((USItype)(u)),                                        \
+             "d" ((USItype)(v)))
+-#else
++#endif
++#if !defined (umul_ppmm)
+ #define umul_ppmm(w1, w0, u, v) \
+   __asm__ ("multu %2,%3 \n" \
+           "mflo %0 \n"     \
diff --git a/meta/recipes-support/gnupg/gnupg/pkgconfig.patch b/meta/recipes-support/gnupg/gnupg/pkgconfig.patch
new file mode 100644
index 0000000000..ae92392dae
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/pkgconfig.patch
@@ -0,0 +1,86 @@
+Use pkg-config to find pth instead of pth-config.
+
+Upstream-Status: Rejected
+[not submitted but they've been clear they don't want a pkg-config dependency]
+
+RP 2014/5/22
+
+Index: gnupg-2.0.22/m4/gnupg-pth.m4
+===================================================================
+--- gnupg-2.0.22.orig/m4/gnupg-pth.m4   2013-10-04 12:32:53.000000000 +0000
++++ gnupg-2.0.22/m4/gnupg-pth.m4        2014-05-13 21:33:21.000000000 +0000
+@@ -17,33 +17,9 @@
+ # Taken and modified from the m4 macros which come with Pth.
+ AC_DEFUN([GNUPG_PTH_VERSION_CHECK],
+   [
+-    _pth_version=`$PTH_CONFIG --version | awk 'NR==1 {print [$]3}'`
+     _req_version="ifelse([$1],,1.2.0,$1)"
++    PKG_CHECK_MODULES(PTH, [pth >= $_req_version], [have_pth=yes], [have_pth=no])
+ 
+-    AC_MSG_CHECKING(for PTH - version >= $_req_version)
+-    for _var in _pth_version _req_version; do
+-        eval "_val=\"\$${_var}\""
+-        _major=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\1/'`
+-        _minor=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\2/'`
+-        _rtype=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\3/'`
+-        _micro=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\4/'`
+-        case $_rtype in
+-            "a" ) _rtype=0 ;;
+-            "b" ) _rtype=1 ;;
+-            "." ) _rtype=2 ;;
+-        esac
+-        _hex=`echo dummy | awk '{ printf("%d%02d%1d%02d", major, minor, rtype, micro); }' \
+-              "major=$_major" "minor=$_minor" "rtype=$_rtype" "micro=$_micro"`
+-        eval "${_var}_hex=\"\$_hex\""
+-    done
+-    have_pth=no
+-    if test ".$_pth_version_hex" != .; then
+-        if test ".$_req_version_hex" != .; then
+-            if test $_pth_version_hex -ge $_req_version_hex; then
+-                have_pth=yes
+-            fi
+-        fi
+-    fi
+     if test $have_pth = yes; then
+        AC_MSG_RESULT(yes)
+        AC_MSG_CHECKING([whether PTH installation is sane])
+@@ -51,9 +29,9 @@
+          _gnupg_pth_save_cflags=$CFLAGS
+          _gnupg_pth_save_ldflags=$LDFLAGS
+          _gnupg_pth_save_libs=$LIBS
+-         CFLAGS="$CFLAGS `$PTH_CONFIG --cflags`"
+-         LDFLAGS="$LDFLAGS `$PTH_CONFIG --ldflags`"
+-         LIBS="$LIBS `$PTH_CONFIG --libs --all`"
++         CFLAGS="$CFLAGS $PTH_CFLAGS"
++         LDFLAGS="$LDFLAGS $PTH_LDFLAGS"
++         LIBS="$LIBS $PTH_LIBS"
+          AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pth.h>
+                                          ],
+                                          [[ pth_init ();]])],
+@@ -81,23 +59,11 @@
+ #
+ AC_DEFUN([GNUPG_PATH_PTH],
++[
+-[ AC_ARG_WITH(pth-prefix,
+-             AC_HELP_STRING([--with-pth-prefix=PFX],
+-                           [prefix where GNU Pth is installed]),
+-     pth_config_prefix="$withval", pth_config_prefix="")
+-  if test x$pth_config_prefix != x ; then
+-     PTH_CONFIG="$pth_config_prefix/bin/pth-config"
+-  fi
+-  AC_PATH_PROG(PTH_CONFIG, pth-config, no)
+   tmp=ifelse([$1], ,1.3.7,$1)
+-  if test "$PTH_CONFIG" != "no"; then
+-    GNUPG_PTH_VERSION_CHECK($tmp)
+-    if test $have_pth = yes; then
+-       PTH_CFLAGS=`$PTH_CONFIG --cflags`
+-       PTH_LIBS=`$PTH_CONFIG --ldflags`
+-       PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs --all`"
++  GNUPG_PTH_VERSION_CHECK($tmp)
++  if test $have_pth = yes; then
+        AC_DEFINE(HAVE_PTH, 1,
+                 [Defined if the GNU Pth is available])
+-    fi
+   fi
+   AC_SUBST(PTH_CFLAGS)
+   AC_SUBST(PTH_LIBS)
diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
new file mode 100644
index 0000000000..aef515d534
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -0,0 +1,102 @@
+SUMMARY = "GNU Privacy Guard - encryption and signing tools"
+HOMEPAGE = "http://www.gnupg.org/"
+DEPENDS = "zlib bzip2 readline"
+SECTION = "console/utils"
+
+LICENSE = "GPLv2"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"
+
+PR = "r9"
+
+SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
+           file://long-long-thumb.patch \
+           file://configure.patch \
+           file://mips_gcc4.4.patch \
+           file://GnuPG1-CVE-2012-6085.patch \
+           file://curl_typeof_fix_backport.patch \
+           file://CVE-2013-4351.patch \
+           file://CVE-2013-4576.patch \
+           file://CVE-2013-4242.patch \
+          "
+
+SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"
+SRC_URI[sha256sum] = "69d18b7d193f62ca27ed4febcb4c9044aa0c95305d3258fe902e2fae5fc6468d"
+
+inherit autotools gettext texinfo
+
+#   --with-egd-socket=NAME  use NAME for the EGD socket
+#   --with-photo-viewer=FIXED_VIEWER  set a fixed photo ID viewer
+#   --with-included-zlib    use the zlib code included here
+#   --with-capabilities     use linux capabilities default=no
+#   --with-mailprog=NAME    use "NAME -t" for mail transport
+#   --with-libiconv-prefix[=DIR]  search for libiconv in DIR/include and DIR/lib
+#   --without-libiconv-prefix     don't search for libiconv in includedir and libdir
+#   --with-included-gettext use the GNU gettext library included here
+#   --with-libintl-prefix[=DIR]  search for libintl in DIR/include and DIR/lib
+#   --without-libintl-prefix     don't search for libintl in includedir and libdir
+#   --without-readline      do not support fancy command line editing
+#   --with-included-regex   use the included GNU regex library
+#   --with-zlib=DIR         use libz in DIR
+#   --with-bzip2=DIR        look for bzip2 in DIR
+#   --enable-static-rnd=egd|unix|linux|auto
+#   --disable-dev-random    disable the use of dev random
+#   --disable-asm           do not use assembler modules
+#   --enable-m-guard        enable memory guard facility
+#   --enable-selinux-support
+#                           enable SELinux support
+#   --disable-card-support  disable OpenPGP card support
+#   --disable-gnupg-iconv   disable the new iconv code
+#   --enable-backsigs       enable the experimental backsigs code
+#   --enable-minimal        build the smallest gpg binary possible
+#   --disable-rsa           disable the RSA public key algorithm
+#   --disable-idea          disable the IDEA cipher
+#   --disable-cast5         disable the CAST5 cipher
+#   --disable-blowfish      disable the BLOWFISH cipher
+#   --disable-aes           disable the AES, AES192, and AES256 ciphers
+#   --disable-twofish       disable the TWOFISH cipher
+#   --disable-sha256        disable the SHA-256 digest
+#   --disable-sha512        disable the SHA-384 and SHA-512 digests
+#   --disable-bzip2         disable the BZIP2 compression algorithm
+#   --disable-exec          disable all external program execution
+#   --disable-photo-viewers disable photo ID viewers
+#   --disable-keyserver-helpers  disable all external keyserver support
+#   --disable-ldap          disable LDAP keyserver interface
+#   --disable-hkp           disable HKP keyserver interface
+#   --disable-http          disable HTTP key fetching interface
+#   --disable-finger        disable Finger key fetching interface
+#   --disable-mailto        disable email keyserver interface
+#   --disable-keyserver-path disable the exec-path option for keyserver helpers
+#   --enable-key-cache=SIZE Set key cache to SIZE (default 4096)
+#   --disable-largefile     omit support for large files
+#   --disable-dns-srv       disable the use of DNS SRV in HKP and HTTP
+#   --disable-nls           do not use Native Language Support
+#   --disable-regex         do not handle regular expressions in trust sigs
+
+EXTRA_OECONF = "--disable-ldap \
+                --with-zlib=${STAGING_LIBDIR}/.. \
+                --with-bzip2=${STAGING_LIBDIR}/.. \
+                --disable-selinux-support \
+                --with-readline=${STAGING_LIBDIR}/.. \
+                ac_cv_sys_symbol_underscore=no \
+                "
+
+do_install () {
+        autotools_do_install
+        install -d ${D}${docdir}/${BPN}
+        mv ${D}${datadir}/${BPN}/* ${D}/${docdir}/${BPN}/ || :
+        mv ${D}${prefix}/doc/* ${D}/${docdir}/${BPN}/ || :
+}
+
+# split out gpgv from main package
+RDEPENDS_${PN} = "gpgv"
+PACKAGES =+ "gpgv"
+FILES_gpgv = "${bindir}/gpgv"
+
+# Exclude debug files from the main packages
+FILES_${PN} = "${bindir}/* ${datadir}/${BPN} ${libexecdir}/${BPN}/*"
+FILES_${PN}-dbg += "${libexecdir}/${BPN}/.debug"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR},--without-libcurl,curl"
+PACKAGECONFIG[libusb] = "--with-libusb=${STAGING_LIBDIR},--without-libusb,libusb-compat"
diff --git a/meta/recipes-support/gnupg/gnupg_2.0.26.bb b/meta/recipes-support/gnupg/gnupg_2.0.26.bb
new file mode 100644
index 0000000000..92dd3bd643
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg_2.0.26.bb
@@ -0,0 +1,39 @@
+SUMMARY = "GNU Privacy Guard - encryption and signing tools (2.x)"
+HOMEPAGE = "http://www.gnupg.org/"
+LICENSE = "GPLv3 & LGPLv3"
+LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949 \
+                    file://COPYING.LIB;md5=6a6a8e020838b23406c81b19c1d46df6"
+
+DEPENDS = "${PTH} libassuan libksba zlib bzip2 readline libgcrypt"
+PTH = "pth"
+PTH_libc-uclibc = "npth"
+
+inherit autotools gettext texinfo pkgconfig
+
+SRC_URI = "ftp://ftp.gnupg.org/gcrypt/${BPN}/${BPN}-${PV}.tar.bz2 \
+           file://pkgconfig.patch"
+
+SRC_URI[md5sum] = "fa7e704aad33eb114d1840164455aec1"
+SRC_URI[sha256sum] = "7758e30dc382ae7a7167ed41b7f936aa50af5ea2d6fccdef663b5b750b65b8e0"
+
+EXTRA_OECONF = "--disable-ldap \
+                --disable-ccid-driver \
+                --without-libcurl \
+                --with-zlib=${STAGING_LIBDIR}/.. \
+                --with-bzip2=${STAGING_LIBDIR}/.. \
+                --with-readline=${STAGING_LIBDIR}/.. \
+               "
+RRECOMMENDS_${PN} = "pinentry"
+
+do_configure_prepend () {
+        # Else these could be used in prefernce to those in aclocal-copy
+        rm -f ${S}/m4/gpg-error.m4
+        rm -f ${S}/m4/libassuan.m4
+        rm -f ${S}/m4/ksba.m4
+        rm -f ${S}/m4/libgcrypt.m4
+}
+
+do_install_append() {
+        ln -sf gpg2 ${D}${bindir}/gpg
+        ln -sf gpgv2 ${D}${bindir}/gpgv
+}