nettle: update to 3.4.1

Bug fix only release

Include:

  CVE-2018-16868 gnutls: Bleichenbacher-like side channel leakage in
  PKCS#1 1.5 verification and padding oracle verification

  CVE-2018-16869 nettle: Leaky data conversion exposing a manager oracle

For full details see:
http://lists.lysator.liu.se/pipermail/nettle-bugs/2018/007369.html

[V2]
Add -std=c99 to cflags

(From OE-Core rev: 8ac8fa8ee10c59a081d368a5429e0eced8dd5d3c)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

4 files changed, 130 insertions, 0 deletions

diff --git a/meta/recipes-support/nettle/nettle-3.4.1/Add-target-to-only-build-tests-not-run-them.patch b/meta/recipes-support/nettle/nettle-3.4.1/Add-target-to-only-build-tests-not-run-them.patch
new file mode 100644
index 0000000000..c007060ee6
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.4.1/Add-target-to-only-build-tests-not-run-them.patch
@@ -0,0 +1,38 @@
+Add target to only build tests (not run them)
+
+Not sending upstream as this is only a start of a solution to
+installable tests: It's useful for us already as is.
+
+Upstream-Status: Inappropriate [not a complete solution]
+
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Refactored for 3.4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: nettle-3.4/Makefile.in
+===================================================================
+--- nettle-3.4.orig/Makefile.in
++++ nettle-3.4/Makefile.in
+@@ -55,6 +55,9 @@ clean distclean mostlyclean maintainer-c
+          echo "Making $@ in $$d" ; (cd $$d && $(MAKE) $@); done
+        $(MAKE) $@-here
+ 
++buildtest:
++       echo "Making $@ in testsuite" ; (cd testsuite && $(MAKE) $@)
++
+ check-here:
+        true
+ 
+Index: nettle-3.4/testsuite/Makefile.in
+===================================================================
+--- nettle-3.4.orig/testsuite/Makefile.in
++++ nettle-3.4/testsuite/Makefile.in
+@@ -131,6 +131,8 @@ $(TARGETS) $(EXTRA_TARGETS): testutils.$
+ # data.
+ VALGRIND = valgrind --error-exitcode=1 --leak-check=full --show-reachable=yes @IF_ASM@ --partial-loads-ok=yes
+ 
++buildtest: $(TS_ALL)
++
+ # The PATH update is for windows dlls, DYLD_LIBRARY_PATH is for OSX.
+ check: $(TS_ALL)
+        LD_LIBRARY_PATH=../.lib PATH="../.lib:$$PATH" DYLD_LIBRARY_PATH=../.lib \
diff --git a/meta/recipes-support/nettle/nettle-3.4.1/check-header-files-of-openssl-only-if-enable_.patch b/meta/recipes-support/nettle/nettle-3.4.1/check-header-files-of-openssl-only-if-enable_.patch
new file mode 100644
index 0000000000..d5f266681e
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.4.1/check-header-files-of-openssl-only-if-enable_.patch
@@ -0,0 +1,36 @@
+From ffee6b5f6204a0210f717968ec6ce514d70acca1 Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Fri, 9 Dec 2016 15:23:17 +0800
+Subject: [PATCH] nettle: check header files of openssl only if
+ 'enable_openssl=yes'.
+
+The original configure script checks openssl header files to generate
+config.h even if 'enable_openssl' is not set to yes, this made inconsistent
+building for nettle.
+
+Upstream-Status: Pending
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+
+refactored for 3.4. pending not in as of 3.4
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: nettle-3.4/configure.ac
+===================================================================
+--- nettle-3.4.orig/configure.ac
++++ nettle-3.4/configure.ac
+@@ -185,9 +185,11 @@ AC_HEADER_TIME
+ AC_CHECK_SIZEOF(long)
+ AC_CHECK_SIZEOF(size_t)
+ 
+-AC_CHECK_HEADERS([openssl/evp.h openssl/ecdsa.h],,
+-[enable_openssl=no
+- break])
++if test "x$enable_openssl" = "xyes"; then
++  AC_CHECK_HEADERS([openssl/evp.h openssl/ecdsa.h],,
++  [enable_openssl=no
++   break])
++fi
+ 
+ # For use by the testsuite
+ AC_CHECK_HEADERS([valgrind/memcheck.h])
diff --git a/meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch b/meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch
new file mode 100644
index 0000000000..c4f0b7ea1c
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch
@@ -0,0 +1,20 @@
+Replace relative path of libnettle.so with absolute path so the test
+program can find it.
+Relative paths are not suitable, as the folder strucure for ptest
+is different from the one expected by the nettle testsuite.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+
+--- a/testsuite/dlopen-test.c   2016-10-01 00:28:38.000000000 -0700
++++ b/testsuite/dlopen-test.c   2017-10-13 11:08:57.227572860 -0700
+@@ -9,7 +9,7 @@
+ main (int argc UNUSED, char **argv UNUSED)
+ {
+ #if HAVE_LIBDL
+-  void *handle = dlopen ("../libnettle.so", RTLD_NOW);
++  void *handle = dlopen ("/usr/lib/libnettle.so", RTLD_NOW);
+   int (*get_version)(void);
+   if (!handle)
+     {
diff --git a/meta/recipes-support/nettle/nettle-3.4.1/run-ptest b/meta/recipes-support/nettle/nettle-3.4.1/run-ptest
new file mode 100644
index 0000000000..b90bed66d2
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.4.1/run-ptest
@@ -0,0 +1,36 @@
+#! /bin/sh
+
+cd testsuite
+
+failed=0
+all=0
+
+for f in *-test; do
+    if [ "$f" = "sha1-huge-test" ] ; then
+        echo "SKIP: $f (skipped for ludicrous run time)"
+        continue
+    fi
+
+    "./$f"
+    case "$?" in
+        0)
+            echo "PASS: $f"
+            all=$((all + 1))
+            ;;
+        77)
+            echo "SKIP: $f"
+            ;;
+        *)
+            echo "FAIL: $f"
+            failed=$((failed + 1))
+            all=$((all + 1))
+            ;;
+    esac
+done
+
+if [ "$failed" -eq 0 ] ; then
+  echo "All $all tests passed"
+else
+  echo "$failed of $all tests failed"
+fi
+