author | Tudor Florea <tudor.florea@enea.com> | 2015-10-09 22:59:03 +0200 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-10-09 22:59:03 +0200 |
commit | 972dcfcdbfe75dcfeb777150c136576cf1a71e99 (patch) | |
tree | 97a61cd7e293d7ae9d56ef7ed0f81253365bb026 /meta/recipes-support/gnupg | |
download | poky-972dcfcdbfe75dcfeb777150c136576cf1a71e99.tar.gz |
initial commit for Enea Linux 5.0 arm
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta/recipes-support/gnupg')
11 files changed, 662 insertions, 0 deletions
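diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
new file mode 100644
index 0000000000..c9addca28e
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
@@ -0,0 +1,62 @@
+From e2202ff2b704623efc6277fb5256e4e15bac5676 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 25 Jul 2013 11:17:52 +0200
+Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret
+exponents.
+
+commit e2202ff2b704623efc6277fb5256e4e15bac5676 from
+git://git.gnupg.org/libgcrypt.git
+
+* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for
+exponents in secure memory.
+
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+--
+
+The attack is published as http://eprint.iacr.org/2013/448 :
+
+Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
+Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
+
+Flush+Reload is a cache side-channel attack that monitors access to
+data in shared pages. In this paper we demonstrate how to use the
+attack to extract private encryption keys from GnuPG. The high
+resolution and low noise of the Flush+Reload attack enables a spy
+program to recover over 98% of the bits of the private key in a
+single decryption or signing round. Unlike previous attacks, the
+attack targets the last level L3 cache. Consequently, the spy
+program and the victim do not need to share the execution core of
+the CPU. The attack is not limited to a traditional OS and can be
+used in a virtualised environment, where it can attack programs
+executing in a different VM.
+
+Index: gnupg-1.4.7/mpi/mpi-pow.c
+===================================================================
+--- gnupg-1.4.7.orig/mpi/mpi-pow.c
++++ gnupg-1.4.7/mpi/mpi-pow.c
+@@ -212,7 +212,13 @@ mpi_powm( MPI res, MPI base, MPI exponen
+tp = rp; rp = xp; xp = tp;
+rsize = xsize;
+
+- if( (mpi_limb_signed_t)e < 0 ) {
++ /* To mitigate the Yarom/Falkner flush+reload cache
++ * side-channel attack on the RSA secret exponent, we do
++ * the multiplication regardless of the value of the
++ * high-bit of E. But to avoid this performance penalty
++ * we do it only if the exponent has been stored in secure
++ * memory and we can thus assume it is a secret exponent. */
++ if (esec || (mpi_limb_signed_t)e < 0) {
+/*mpihelp_mul( xp, rp, rsize, bp, bsize );*/
+if( bsize < KARATSUBA_THRESHOLD ) {
+mpihelp_mul( xp, rp, rsize, bp, bsize );
+@@ -227,6 +233,8 @@ mpi_powm( MPI res, MPI base, MPI exponen
+mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize);
+xsize = msize;
+}
++ }
++ if ( (mpi_limb_signed_t)e < 0 ) {
+
+tp = rp; rp = xp; xp = tp;
+rsize = xsize;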
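Review bot: In mpi/mpi-pow.c, the added `if (esec || (mpi_limb_signed_t)e < 0)` makes the multiply unconditional only for exponents held in secure memory, and the second added test `if ( (mpi_limb_signed_t)e < 0 )` still branches on the exponent bit to do the pointer swap, so this narrows the flush+reload signal rather than making the loop constant-time. The in-code comment should say so, for example by appending `Note that the pointer swap below still depends on the bit of E; this is a mitigation, not constant-time code.` A secret exponent that a caller keeps outside secure memory gets no protection from this change, which is worth confirming for this tree; `esec` is assigned outside the hunk, and mpi_powm starts and ends outside it. The header cites libgcrypt's `gcry_mpi_powm` while the hunk patches gnupg-1.4.7's `mpi_powm`, so it should state that the upstream change was adapted.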
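diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
new file mode 100644
index 0000000000..b29ede4233
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
@@ -0,0 +1,44 @@
+Upstream-Status: Backport
+
+Index: gnupg-1.4.7/g10/getkey.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/getkey.c 2007-03-05 16:54:41.000000000 +0800
++++ gnupg-1.4.7/g10/getkey.c 2013-11-28 14:41:59.640212240 +0800
+@@ -1454,7 +1454,11 @@
+
+if(flags)
+key_usage |= PUBKEY_USAGE_UNKNOWN;
++ if (!key_usage)
++ key_usage |= PUBKEY_USAGE_NONE;
+}
++ else if (p)
++ key_usage |= PUBKEY_USAGE_NONE;
+
+/* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
+capability that we do not handle. This serves to distinguish
+Index: gnupg-1.4.7/g10/keygen.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/keygen.c 2007-02-05 00:27:40.000000000 +0800
++++ gnupg-1.4.7/g10/keygen.c 2013-11-28 14:43:05.016670092 +0800
+@@ -209,9 +209,6 @@
+if (use & PUBKEY_USAGE_AUTH)
+buf[0] |= 0x20;
+
+- if (!buf[0])
+- return;
+-
+build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
+}
+
+Index: gnupg-1.4.7/include/cipher.h
+===================================================================
+--- gnupg-1.4.7.orig/include/cipher.h 2006-04-21 20:39:49.000000000 +0800
++++ gnupg-1.4.7/include/cipher.h 2013-11-28 14:49:24.159322744 +0800
+@@ -52,6 +52,7 @@
+#define PUBKEY_USAGE_CERT 4 /* key is also good to certify other keys*/
+#define PUBKEY_USAGE_AUTH 8 /* key is good for authentication */
+#define PUBKEY_USAGE_UNKNOWN 128 /* key has an unknown usage bit */
++#define PUBKEY_USAGE_NONE 256 /* No usage given. */
+
+#define DIGEST_ALGO_MD5 1
+#define DIGEST_ALGO_SHA1 2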
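Review bot: `#define PUBKEY_USAGE_NONE 256` in include/cipher.h is the first usage flag that does not fit in eight bits (the visible ones stop at 128), so the `key_usage |= PUBKEY_USAGE_NONE;` lines added in g10/getkey.c only take effect if `key_usage` and every field it is later stored in are wider than a byte. Those declarations are outside the hunks; if any of them is byte-sized, the flag is silently truncated and a key whose flags were explicitly cleared would presumably be indistinguishable from one with no flags at all. The patch header carries only `Upstream-Status: Backport`, with no upstream commit id, description or Signed-off-by, and CVE-2013-4576.patch has the same gap; a line such as `Upstream-Status: Backport [<upstream commit id>]` would let the backport be checked against upstream.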
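diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
new file mode 100644
index 0000000000..b1a22f5853
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
@@ -0,0 +1,153 @@
+Upstream-Status: Backport
+
+Index: gnupg-1.4.7/cipher/dsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/dsa.c 2006-12-12 02:27:21.000000000 +0800
++++ gnupg-1.4.7/cipher/dsa.c 2014-01-23 11:30:17.300915919 +0800
+@@ -287,6 +287,8 @@
+MPI kinv;
+MPI tmp;
+
++ mpi_normalize (hash);
++
+/* select a random k with 0 < k < q */
+k = gen_k( skey->q );
+
+Index: gnupg-1.4.7/cipher/elgamal.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/elgamal.c 2006-12-12 03:08:05.000000000 +0800
++++ gnupg-1.4.7/cipher/elgamal.c 2014-01-23 11:30:17.300915919 +0800
+@@ -376,6 +376,9 @@
+{
+MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
+
++ mpi_normalize (a);
++ mpi_normalize (b);
++
+/* output = b/(a^x) mod p */
+mpi_powm( t1, a, skey->x, skey->p );
+mpi_invm( t1, t1, skey->p );
+Index: gnupg-1.4.7/cipher/random.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.c 2006-11-03 18:09:39.000000000 +0800
++++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
+@@ -273,6 +273,18 @@
+}
+
+
++/* Randomize the MPI */
++void
++randomize_mpi (MPI mpi, size_t nbits, int level)
++{
++ unsigned char *buffer;
++
++ buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
++ mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
++ xfree (buffer);
++}
++
++
+int
+random_is_faked()
+{
+Index: gnupg-1.4.7/cipher/random.h
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.h 2006-02-09 19:29:29.000000000 +0800
++++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
+@@ -32,6 +32,7 @@
+int random_is_faked(void);
+void random_disable_locking (void);
+void randomize_buffer( byte *buffer, size_t length, int level );
++void randomize_mpi (MPI mpi, size_t nbits, int level);
+byte *get_random_bits( size_t nbits, int level, int secure );
+void fast_random_poll( void );
+
+Index: gnupg-1.4.7/cipher/rsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/rsa.c 2006-12-12 03:09:00.000000000 +0800
++++ gnupg-1.4.7/cipher/rsa.c 2014-01-23 11:35:04.330639125 +0800
+@@ -301,9 +301,26 @@
+#if 0
+mpi_powm( output, input, skey->d, skey->n );
+#else
+- MPI m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+- MPI m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+- MPI h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
++ int nlimbs = mpi_get_nlimbs (skey->n)+1;
++ MPI m1 = mpi_alloc_secure (nlimbs);
++ MPI m2 = mpi_alloc_secure (nlimbs);
++ MPI h = mpi_alloc_secure (nlimbs);
++# if 1
++ MPI bdata= mpi_alloc_secure (nlimbs);
++ MPI r = mpi_alloc_secure (nlimbs);
++# endif
++
++ /* Remove superfluous leading zeroes from INPUT. */
++ mpi_normalize (input);
++
++# if 1
++ /* Blind: bdata = (data * r^e) mod n */
++ randomize_mpi (r, mpi_get_nbits (skey->n), 0);
++ mpi_fdiv_r (r, r, skey->n);
++ mpi_powm (bdata, r, skey->e, skey->n);
++ mpi_mulm (bdata, bdata, input, skey->n);
++ input = bdata;
++# endif
+
+/* m1 = c ^ (d mod (p-1)) mod p */
+mpi_sub_ui( h, skey->p, 1 );
+@@ -321,8 +338,15 @@
+/* m = m2 + h * p */
+mpi_mul ( h, h, skey->p );
+mpi_add ( output, m1, h );
+- /* ready */
+-
++
++# if 1
++ mpi_free (bdata);
++ /* Unblind: output = (output * r^(-1)) mod n */
++ mpi_invm (r, r, skey->n);
++ mpi_mulm (output, output, r, skey->n);
++ mpi_free (r);
++# endif
++
+mpi_free ( h );
+mpi_free ( m1 );
+mpi_free ( m2 );
+@@ -397,6 +421,7 @@
+rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
+{
+RSA_secret_key sk;
++ MPI input;
+
+if( algo != 1 && algo != 2 )
+return G10ERR_PUBKEY_ALGO;
+@@ -407,8 +432,14 @@
+sk.p = skey[3];
+sk.q = skey[4];
+sk.u = skey[5];
+- *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
+- secret( *result, data[0], &sk );
++
++ /* Mitigates side-channel attacks (CVE-2013-4576). */
++ input = mpi_alloc (0);
++ mpi_normalize (data[0]);
++ mpi_fdiv_r (input, data[0], sk.n);
++ *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
++ secret (*result, input, &sk);
++ mpi_free (input);
+return 0;
+}
+
+Index: gnupg-1.4.7/g10/gpgv.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
++++ gnupg-1.4.7/g10/gpgv.c 2014-01-23 11:30:17.300915919 +0800
+@@ -390,6 +390,7 @@
+void random_dump_stats(void) {}
+int quick_random_gen( int onoff ) { return -1;}
+void randomize_buffer( byte *buffer, size_t length, int level ) {}
++void randomize_mpi (MPI mpi, size_t nbits, int level) {}
+int random_is_faked() { return -1;}
+byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
+void set_random_seed_file( const char *name ) {}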
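Review bot: The stub added to g10/gpgv.c, `void randomize_mpi (MPI mpi, size_t nbits, int level) {}`, leaves the MPI untouched, so the blinding added to the RSA secret-key path in cipher/rsa.c would silently run with an unrandomised `r` if that path were ever reached from a gpgv build. A comment on the stub such as `/* gpgv never performs secret-key operations; this stub must not be relied on for blinding. */` would make the assumption explicit, if it holds. In the blinding code itself, `randomize_mpi (r, mpi_get_nbits (skey->n), 0)` requests level 0 and `r` is not checked for zero after `mpi_fdiv_r (r, r, skey->n)`; neither choice is explained, and a one-line comment giving the reasoning would help the next reviewer. The `# if 1` guards make the blinding look optional, and all of the touched functions start or end outside the hunks.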
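diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
new file mode 100644
index 0000000000..8b5d9a1693
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
@@ -0,0 +1,63 @@
+commit f0b33b6fb8e0586e9584a7a409dcc31263776a67
+Author: Werner Koch <wk@gnupg.org>
+Date: Thu Dec 20 09:43:41 2012 +0100
+
+gpg: Import only packets which are allowed in a keyblock.
+
+* g10/import.c (valid_keyblock_packet): New.
+(read_block): Store only valid packets.
+--
+
+A corrupted key, which for example included a mangled public key
+encrypted packet, used to corrupt the keyring. This change skips all
+packets which are not allowed in a keyblock.
+
+GnuPG-bug-id: 1455
+
+(cherry-picked from commit f795a0d59e197455f8723c300eebf59e09853efa)
+
+Upstream-Status: Backport
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+diff --git a/g10/import.c b/g10/import.c
+index bfe02eb..a57b32e 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -384,6 +384,27 @@ import_print_stats (void *hd)
+}
+
+
++/* Return true if PKTTYPE is valid in a keyblock. */
++static int
++valid_keyblock_packet (int pkttype)
++{
++ switch (pkttype)
++ {
++ case PKT_PUBLIC_KEY:
++ case PKT_PUBLIC_SUBKEY:
++ case PKT_SECRET_KEY:
++ case PKT_SECRET_SUBKEY:
++ case PKT_SIGNATURE:
++ case PKT_USER_ID:
++ case PKT_ATTRIBUTE:
++ case PKT_RING_TRUST:
++ return 1;
++ default:
++ return 0;
++ }
++}
++
++
+/****************
+* Read the next keyblock from stream A.
+* PENDING_PKT should be initialzed to NULL
+@@ -461,7 +482,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root )
+}
+in_cert = 1;
+default:
+- if( in_cert ) {
++ if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
+if( !root )
+root = new_kbnode( pkt );
+else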
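Review bot: With the new condition `if (in_cert && valid_keyblock_packet (pkt->pkttype))` in read_block, a rejected packet skips the `new_kbnode` path, and what happens to it next lies outside the hunk. If the code after the `if` only re-initialises `pkt`, the rejected packet's contents are never released, so an import containing many disallowed packets would leak memory; an `else` branch calling `free_packet (pkt);` would cover that, to be confirmed against the full function. Skipped packets are also dropped silently, and a log line at that point would help when diagnosing a malformed key.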
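diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch
new file mode 100644
index 0000000000..e005ac658f
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch
@@ -0,0 +1,17 @@
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+Index: gnupg-1.4.7/configure.ac
+===================================================================
+--- gnupg-1.4.7.orig/configure.ac
++++ gnupg-1.4.7/configure.ac
+@@ -827,7 +827,6 @@ else
+AC_SUBST(USE_NLS)
+AC_SUBST(USE_INCLUDED_LIBINTL)
+AC_SUBST(BUILD_INCLUDED_LIBINTL)
+- AM_PO_SUBDIRS
+fi
+
+if test "$try_extensions" = yes || test x"$card_support" = xyes ; then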
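diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch
new file mode 100644
index 0000000000..e5fb24aa63
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch
@@ -0,0 +1,27 @@
+
+This has been discussed in a couple of different bug reported
+upstream:
+
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486250
+http://bugs.sourcemage.org/show_bug.cgi?id=14446
+
+Fix:
+http://lists.gnupg.org/pipermail/gnupg-devel/2008-April/024344.html
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+Index: gnupg-1.4.7/keyserver/gpgkeys_curl.c
+===================================================================
+--- gnupg-1.4.7.orig/keyserver/gpgkeys_curl.c
++++ gnupg-1.4.7/keyserver/gpgkeys_curl.c
+@@ -286,7 +286,7 @@ main(int argc,char *argv[])
+curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
+}
+
+- curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,opt->flags.check_cert);
++ curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
+curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
+
+if(proxy)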
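Review bot: The context line `curl_easy_setopt(curl,CURLOPT_VERBOSE,1);` in the same hunk has the problem this patch fixes for CURLOPT_SSL_VERIFYPEER: the option takes a `long`, and an `int` passed through the variadic call is not guaranteed to be read correctly where `long` is wider than `int`. I would change it to `curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);` in the same patch. main() continues outside the hunk, so other curl_easy_setopt calls with integer arguments may need the same treatment.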
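diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch
new file mode 100644
index 0000000000..2855cab24b
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch
@@ -0,0 +1,19 @@
+Orignal Patch came from OpenWrt via OE-Classic
+https://dev.openwrt.org/browser/packages/utils/gnupg/patches/001-mips_gcc4.4
+which is no longer a valid revision!
+
+Upstream-Status: Inappropriate [configuration]
+
+
+--- gnupg/mpi/longlong.h~ 2006-02-14 10:09:55.000000000 +0000
++++ gnupg/mpi/longlong.h 2008-10-27 13:11:09.000000000 +0000
+@@ -181,7 +181,7 @@
+/***************************************
+************** ARM ******************
+***************************************/
+-#if defined (__arm__) && W_TYPE_SIZE == 32
++#if defined (__arm__) && W_TYPE_SIZE == 32 && !defined(__thumb__)
+#define add_ssaaaa(sh, sl, ah, al, bh, bl) \
+__asm__ ("adds %1, %4, %5\n" \
+"adc %0, %2, %3" \
+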
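diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch
new file mode 100644
index 0000000000..9a03b2b705
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch
@@ -0,0 +1,50 @@
+
+From Openembedded-Classic
+
+gnupg-1.4.10: Readd the ARM Thumb patch as debian has no thumb support
+
+
+Upstream-Status: Inappropriate [embedded-specific]
+
+Index: gnupg-1.4.10/mpi/longlong.h
+===================================================================
+--- gnupg-1.4.10.orig/mpi/longlong.h 2008-12-11 17:39:43.000000000 +0100
++++ gnupg-1.4.10/mpi/longlong.h 2010-03-27 14:27:53.000000000 +0100
+@@ -706,18 +706,35 @@
+#endif /* __m88110__ */
+#endif /* __m88000__ */
+
++/* Test for gcc >= maj.min, as per __GNUC_PREREQ in glibc */
++#if defined (__GNUC__) && defined (__GNUC_MINOR__)
++#define __GNUC_PREREQ(maj, min) \
++ ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
++#else
++#define __GNUC_PREREQ(maj, min) 0
++#endif
++
+/***************************************
+************** MIPS *****************
+***************************************/
+#if defined (__mips__) && W_TYPE_SIZE == 32
+-#if __GNUC__ > 2 || __GNUC_MINOR__ >= 7
++#if __GNUC_PREREQ (4,4)
++#define umul_ppmm(w1, w0, u, v) \
++ do { \
++ UDItype __ll = (UDItype)(u) * (v); \
++ w1 = __ll >> 32; \
++ w0 = __ll; \
++ } while (0)
++#endif
++#if !defined (umul_ppmm) && __GNUC_PREREQ (2,7)
+#define umul_ppmm(w1, w0, u, v) \
+__asm__ ("multu %2,%3" \
+: "=l" ((USItype)(w0)), \
+"=h" ((USItype)(w1)) \
+: "d" ((USItype)(u)), \
+"d" ((USItype)(v)))
+-#else
++#endif
++#if !defined (umul_ppmm)
+#define umul_ppmm(w1, w0, u, v) \
+__asm__ ("multu %2,%3 \n" \
+"mflo %0 \n" \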
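Review bot: The patch description says `gnupg-1.4.10: Readd the ARM Thumb patch as debian has no thumb support`, but the hunk changes the MIPS `umul_ppmm` selection in mpi/longlong.h, and the Index lines name gnupg-1.4.10 although the recipe applies the patch to 1.4.7. The header should describe the actual change, for example `Use a C implementation of umul_ppmm on MIPS with gcc >= 4.4`. The new `__GNUC_PREREQ` uses a name reserved for the implementation, one the patch's own comment attributes to glibc, so wrapping the definition in `#ifndef __GNUC_PREREQ` and `#endif` avoids a redefinition if a header that defines it is included first.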
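diff --git a/meta/recipes-support/gnupg/gnupg/pkgconfig.patch b/meta/recipes-support/gnupg/gnupg/pkgconfig.patch
new file mode 100644
index 0000000000..ae92392dae
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/pkgconfig.patch
@@ -0,0 +1,86 @@
+Use pkg-config to find pth instead of pth-config.
+
+Upstream-Status: Rejected
+[not submitted but they've been clear they don't want a pkg-config dependency]
+
+RP 2014/5/22
+
+Index: gnupg-2.0.22/m4/gnupg-pth.m4
+===================================================================
+--- gnupg-2.0.22.orig/m4/gnupg-pth.m4 2013-10-04 12:32:53.000000000 +0000
++++ gnupg-2.0.22/m4/gnupg-pth.m4 2014-05-13 21:33:21.000000000 +0000
+@@ -17,33 +17,9 @@
+# Taken and modified from the m4 macros which come with Pth.
+AC_DEFUN([GNUPG_PTH_VERSION_CHECK],
+[
+- _pth_version=`$PTH_CONFIG --version | awk 'NR==1 {print [$]3}'`
+_req_version="ifelse([$1],,1.2.0,$1)"
++ PKG_CHECK_MODULES(PTH, [pth >= $_req_version], [have_pth=yes], [have_pth=no])
+
+- AC_MSG_CHECKING(for PTH - version >= $_req_version)
+- for _var in _pth_version _req_version; do
+- eval "_val=\"\$${_var}\""
+- _major=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\1/'`
+- _minor=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\2/'`
+- _rtype=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\3/'`
+- _micro=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\4/'`
+- case $_rtype in
+- "a" ) _rtype=0 ;;
+- "b" ) _rtype=1 ;;
+- "." ) _rtype=2 ;;
+- esac
+- _hex=`echo dummy | awk '{ printf("%d%02d%1d%02d", major, minor, rtype, micro); }' \
+- "major=$_major" "minor=$_minor" "rtype=$_rtype" "micro=$_micro"`
+- eval "${_var}_hex=\"\$_hex\""
+- done
+- have_pth=no
+- if test ".$_pth_version_hex" != .; then
+- if test ".$_req_version_hex" != .; then
+- if test $_pth_version_hex -ge $_req_version_hex; then
+- have_pth=yes
+- fi
+- fi
+- fi
+if test $have_pth = yes; then
+AC_MSG_RESULT(yes)
+AC_MSG_CHECKING([whether PTH installation is sane])
+@@ -51,9 +29,9 @@
+_gnupg_pth_save_cflags=$CFLAGS
+_gnupg_pth_save_ldflags=$LDFLAGS
+_gnupg_pth_save_libs=$LIBS
+- CFLAGS="$CFLAGS `$PTH_CONFIG --cflags`"
+- LDFLAGS="$LDFLAGS `$PTH_CONFIG --ldflags`"
+- LIBS="$LIBS `$PTH_CONFIG --libs --all`"
++ CFLAGS="$CFLAGS $PTH_CFLAGS"
++ LDFLAGS="$LDFLAGS $PTH_LDFLAGS"
++ LIBS="$LIBS $PTH_LIBS"
+AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pth.h>
+],
+[[ pth_init ();]])],
+@@ -81,23 +59,11 @@
+#
+AC_DEFUN([GNUPG_PATH_PTH],
++[
+-[ AC_ARG_WITH(pth-prefix,
+- AC_HELP_STRING([--with-pth-prefix=PFX],
+- [prefix where GNU Pth is installed]),
+- pth_config_prefix="$withval", pth_config_prefix="")
+- if test x$pth_config_prefix != x ; then
+- PTH_CONFIG="$pth_config_prefix/bin/pth-config"
+- fi
+- AC_PATH_PROG(PTH_CONFIG, pth-config, no)
+tmp=ifelse([$1], ,1.3.7,$1)
+- if test "$PTH_CONFIG" != "no"; then
+- GNUPG_PTH_VERSION_CHECK($tmp)
+- if test $have_pth = yes; then
+- PTH_CFLAGS=`$PTH_CONFIG --cflags`
+- PTH_LIBS=`$PTH_CONFIG --ldflags`
+- PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs --all`"
++ GNUPG_PTH_VERSION_CHECK($tmp)
++ if test $have_pth = yes; then
+AC_DEFINE(HAVE_PTH, 1,
+[Defined if the GNU Pth is available])
+- fi
+fi
+AC_SUBST(PTH_CFLAGS)
+AC_SUBST(PTH_LIBS)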
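Review bot: `LDFLAGS="$LDFLAGS $PTH_LDFLAGS"` in GNUPG_PTH_VERSION_CHECK uses a variable that nothing in this patch sets, because PKG_CHECK_MODULES with the PTH prefix provides `PTH_CFLAGS` and `PTH_LIBS` only. The line therefore adds nothing unless PTH_LDFLAGS happens to come from the environment, and it could be dropped, since the `-L` options arrive through `$PTH_LIBS`. The `AC_MSG_RESULT(yes)` kept after `if test $have_pth = yes` no longer has a matching AC_MSG_CHECKING, which this patch removes above it, so configure output will show a stray `yes`.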
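diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
new file mode 100644
index 0000000000..aef515d534
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -0,0 +1,102 @@
+SUMMARY = "GNU Privacy Guard - encryption and signing tools"
+HOMEPAGE = "http://www.gnupg.org/"
+DEPENDS = "zlib bzip2 readline"
+SECTION = "console/utils"
+
+LICENSE = "GPLv2"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"
+
+PR = "r9"
+
+SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
+file://long-long-thumb.patch \
+file://configure.patch \
+file://mips_gcc4.4.patch \
+file://GnuPG1-CVE-2012-6085.patch \
+file://curl_typeof_fix_backport.patch \
+file://CVE-2013-4351.patch \
+file://CVE-2013-4576.patch \
+file://CVE-2013-4242.patch \
+"
+
+SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"
+SRC_URI[sha256sum] = "69d18b7d193f62ca27ed4febcb4c9044aa0c95305d3258fe902e2fae5fc6468d"
+
+inherit autotools gettext texinfo
+
+# --with-egd-socket=NAME use NAME for the EGD socket
+# --with-photo-viewer=FIXED_VIEWER set a fixed photo ID viewer
+# --with-included-zlib use the zlib code included here
+# --with-capabilities use linux capabilities default=no
+# --with-mailprog=NAME use "NAME -t" for mail transport
+# --with-libiconv-prefix[=DIR] search for libiconv in DIR/include and DIR/lib
+# --without-libiconv-prefix don't search for libiconv in includedir and libdir
+# --with-included-gettext use the GNU gettext library included here
+# --with-libintl-prefix[=DIR] search for libintl in DIR/include and DIR/lib
+# --without-libintl-prefix don't search for libintl in includedir and libdir
+# --without-readline do not support fancy command line editing
+# --with-included-regex use the included GNU regex library
+# --with-zlib=DIR use libz in DIR
+# --with-bzip2=DIR look for bzip2 in DIR
+# --enable-static-rnd=egd|unix|linux|auto
+# --disable-dev-random disable the use of dev random
+# --disable-asm do not use assembler modules
+# --enable-m-guard enable memory guard facility
+# --enable-selinux-support
+# enable SELinux support
+# --disable-card-support disable OpenPGP card support
+# --disable-gnupg-iconv disable the new iconv code
+# --enable-backsigs enable the experimental backsigs code
+# --enable-minimal build the smallest gpg binary possible
+# --disable-rsa disable the RSA public key algorithm
+# --disable-idea disable the IDEA cipher
+# --disable-cast5 disable the CAST5 cipher
+# --disable-blowfish disable the BLOWFISH cipher
+# --disable-aes disable the AES, AES192, and AES256 ciphers
+# --disable-twofish disable the TWOFISH cipher
+# --disable-sha256 disable the SHA-256 digest
+# --disable-sha512 disable the SHA-384 and SHA-512 digests
+# --disable-bzip2 disable the BZIP2 compression algorithm
+# --disable-exec disable all external program execution
+# --disable-photo-viewers disable photo ID viewers
+# --disable-keyserver-helpers disable all external keyserver support
+# --disable-ldap disable LDAP keyserver interface
+# --disable-hkp disable HKP keyserver interface
+# --disable-http disable HTTP key fetching interface
+# --disable-finger disable Finger key fetching interface
+# --disable-mailto disable email keyserver interface
+# --disable-keyserver-path disable the exec-path option for keyserver helpers
+# --enable-key-cache=SIZE Set key cache to SIZE (default 4096)
+# --disable-largefile omit support for large files
+# --disable-dns-srv disable the use of DNS SRV in HKP and HTTP
+# --disable-nls do not use Native Language Support
+# --disable-regex do not handle regular expressions in trust sigs
+
+EXTRA_OECONF = "--disable-ldap \
+--with-zlib=${STAGING_LIBDIR}/.. \
+--with-bzip2=${STAGING_LIBDIR}/.. \
+--disable-selinux-support \
+--with-readline=${STAGING_LIBDIR}/.. \
+ac_cv_sys_symbol_underscore=no \
+"
+
+do_install () {
+autotools_do_install
+install -d ${D}${docdir}/${BPN}
+mv ${D}${datadir}/${BPN}/* ${D}/${docdir}/${BPN}/ || :
+mv ${D}${prefix}/doc/* ${D}/${docdir}/${BPN}/ || :
+}
+
+# split out gpgv from main package
+RDEPENDS_${PN} = "gpgv"
+PACKAGES =+ "gpgv"
+FILES_gpgv = "${bindir}/gpgv"
+
+# Exclude debug files from the main packages
+FILES_${PN} = "${bindir}/* ${datadir}/${BPN} ${libexecdir}/${BPN}/*"
+FILES_${PN}-dbg += "${libexecdir}/${BPN}/.debug"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR},--without-libcurl,curl"
+PACKAGECONFIG[libusb] = "--with-libusb=${STAGING_LIBDIR},--without-libusb,libusb-compat"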
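Review bot: The recipe pins GnuPG 1.4.7 and relies on the four CVE backports listed in SRC_URI, but nothing in the file records why this release is kept or how it was checked that those four patches are the complete set of security fixes needed on top of it. A comment above SRC_URI stating the reason for the pin and the date of the last CVE review would make that auditable. Both this recipe and gnupg_2.0.26.bb fetch the tarball over `ftp://`, so integrity rests entirely on `SRC_URI[sha256sum]`; an HTTPS location would be preferable if upstream offers one. In do_install, `|| :` after each `mv` hides real failures as well as the expected nothing-to-move case.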
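diff --git a/meta/recipes-support/gnupg/gnupg_2.0.26.bb b/meta/recipes-support/gnupg/gnupg_2.0.26.bb
new file mode 100644
index 0000000000..92dd3bd643
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg_2.0.26.bb
@@ -0,0 +1,39 @@
+SUMMARY = "GNU Privacy Guard - encryption and signing tools (2.x)"
+HOMEPAGE = "http://www.gnupg.org/"
+LICENSE = "GPLv3 & LGPLv3"
+LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949 \
+file://COPYING.LIB;md5=6a6a8e020838b23406c81b19c1d46df6"
+
+DEPENDS = "${PTH} libassuan libksba zlib bzip2 readline libgcrypt"
+PTH = "pth"
+PTH_libc-uclibc = "npth"
+
+inherit autotools gettext texinfo pkgconfig
+
+SRC_URI = "ftp://ftp.gnupg.org/gcrypt/${BPN}/${BPN}-${PV}.tar.bz2 \
+file://pkgconfig.patch"
+
+SRC_URI[md5sum] = "fa7e704aad33eb114d1840164455aec1"
+SRC_URI[sha256sum] = "7758e30dc382ae7a7167ed41b7f936aa50af5ea2d6fccdef663b5b750b65b8e0"
+
+EXTRA_OECONF = "--disable-ldap \
+--disable-ccid-driver \
+--without-libcurl \
+--with-zlib=${STAGING_LIBDIR}/.. \
+--with-bzip2=${STAGING_LIBDIR}/.. \
+--with-readline=${STAGING_LIBDIR}/.. \
+"
+RRECOMMENDS_${PN} = "pinentry"
+
+do_configure_prepend () {
+# Else these could be used in prefernce to those in aclocal-copy
+rm -f ${S}/m4/gpg-error.m4
+rm -f ${S}/m4/libassuan.m4
+rm -f ${S}/m4/ksba.m4
+rm -f ${S}/m4/libgcrypt.m4
+}
+
+do_install_append() {
+ln -sf gpg2 ${D}${bindir}/gpg
+ln -sf gpgv2 ${D}${bindir}/gpgv
+}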