From 94e9e6a21b26c8bd0b194d4c2a65cbcb9464a553 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Mon, 9 May 2016 13:29:01 +0200 Subject: OpenSSL: Upgrade to 1.0.1t to fix multiple CVEs Upgrade 1.0.1p --> 1.0.1t addresses following vulnerabilities: CVE-2016-2107 CVE-2016-2108 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 CVE-2016-2176 Reference: URL for the OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20160503.txt Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea --- .../openssl/openssl/debian/man-section.patch | 17 ++--- .../openssl/openssl/debian/version-script.patch | 80 +++++++++++----------- ...-pointer-dereference-in-EVP_DigestInit_ex.patch | 14 ++-- .../openssl/openssl/openssl_fix_for_x32.patch | 76 ++++++++++---------- .../recipes-connectivity/openssl/openssl_1.0.1p.bb | 58 ---------------- .../recipes-connectivity/openssl/openssl_1.0.1t.bb | 55 +++++++++++++++ 6 files changed, 149 insertions(+), 151 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl_1.0.1p.bb create mode 100644 meta/recipes-connectivity/openssl/openssl_1.0.1t.bb diff --git a/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch b/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch index 21c1d1a4eb..1bd42efc9c 100644 --- a/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch +++ b/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch @@ -1,9 +1,10 @@ Upstream-Status: Backport [debian] -Index: openssl-1.0.0c/Makefile.org -=================================================================== ---- openssl-1.0.0c.orig/Makefile.org 2010-12-12 16:11:37.000000000 +0100 -+++ openssl-1.0.0c/Makefile.org 2010-12-12 16:13:28.000000000 +0100 +Signed-off-by: Sona Sarmadi +--- +diff -ruN a/Makefile.org b/Makefile.org +--- a/Makefile.org 2016-05-04 08:24:51.982013676 +0200 ++++ b/Makefile.org 2016-05-04 08:35:43.581929188 +0200 @@ -160,7 +160,8 @@ MANDIR=/usr/share/man MAN1=1 
@@ -14,21 +15,21 @@ Index: openssl-1.0.0c/Makefile.org HTMLSUFFIX=html HTMLDIR=$(OPENSSLDIR)/html SHELL=/bin/sh -@@ -651,7 +652,7 @@ +@@ -650,7 +651,7 @@ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ - --section=$$sec --center=OpenSSL \ -+ --section=$${sec}$(MANSECTION) --center=OpenSSL \ ++ --section=$${sec}$(MANSECTION) --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ -@@ -668,7 +669,7 @@ +@@ -667,7 +668,7 @@ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ - --section=$$sec --center=OpenSSL \ -+ --section=$${sec}$(MANSECTION) --center=OpenSSL \ ++ --section=$${sec}$(MANSECTION) --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ diff --git a/meta/recipes-connectivity/openssl/openssl/debian/version-script.patch b/meta/recipes-connectivity/openssl/openssl/debian/version-script.patch index ece8b9b46c..ac78adb802 100644 --- a/meta/recipes-connectivity/openssl/openssl/debian/version-script.patch +++ b/meta/recipes-connectivity/openssl/openssl/debian/version-script.patch @@ -1,10 +1,11 @@ Upstream-Status: Backport [debian] -Index: openssl-1.0.1d/Configure -=================================================================== ---- openssl-1.0.1d.orig/Configure 2013-02-06 19:41:43.000000000 +0100 -+++ openssl-1.0.1d/Configure 2013-02-06 19:41:43.000000000 +0100 -@@ -1621,6 +1621,8 @@ +Signed-off-by: Sona Sarmadi +--- +diff -ruN a/Configure b/Configure +--- a/Configure 2016-05-09 12:05:53.135685172 +0200 ++++ b/Configure 2016-05-09 12:07:43.962952937 +0200 +@@ -1667,6 +1667,8 @@ } } 
@@ -13,11 +14,38 @@ Index: openssl-1.0.1d/Configure open(IN,'$Makefile.new") || die "unable to create $Makefile.new:$!\n"; -Index: openssl-1.0.1d/openssl.ld -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.0.1d/openssl.ld 2013-02-06 19:44:25.000000000 +0100 -@@ -0,0 +1,4620 @@ +diff -ruN a/engines/ccgost/openssl.ld b/engines/ccgost/openssl.ld +--- a/engines/ccgost/openssl.ld 1970-01-01 01:00:00.000000000 +0100 ++++ b/engines/ccgost/openssl.ld 2016-05-09 12:07:44.034949863 +0200 +@@ -0,0 +1,10 @@ ++OPENSSL_1.0.0 { ++ global: ++ bind_engine; ++ v_check; ++ OPENSSL_init; ++ OPENSSL_finish; ++ local: ++ *; ++}; ++ +diff -ruN a/engines/openssl.ld b/engines/openssl.ld +--- a/engines/openssl.ld 1970-01-01 01:00:00.000000000 +0100 ++++ b/engines/openssl.ld 2016-05-09 12:07:43.990951742 +0200 +@@ -0,0 +1,10 @@ ++OPENSSL_1.0.0 { ++ global: ++ bind_engine; ++ v_check; ++ OPENSSL_init; ++ OPENSSL_finish; ++ local: ++ *; ++}; ++ +diff -ruN a/openssl.ld b/openssl.ld +--- a/openssl.ld 1970-01-01 01:00:00.000000000 +0100 ++++ b/openssl.ld 2016-05-09 12:34:19.174771028 +0200 +@@ -0,0 +1,4622 @@ +OPENSSL_1.0.0 { + global: + BIO_f_ssl; @@ -4526,6 +4554,8 @@ Index: openssl-1.0.1d/openssl.ld + SSL_SESSION_get_compress_id; + + SRP_VBASE_get_by_user; ++ SRP_VBASE_get1_by_user; ++ SRP_user_pwd_free; + SRP_Calc_server_key; + SRP_create_verifier; + SRP_create_verifier_BN; 
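Review bot: The refreshed main `openssl.ld` block (hunk `@@ -4526,6 +4554,8 @@`) adds `SRP_VBASE_get1_by_user;` and `SRP_user_pwd_free;` to the exported symbol set and grows the generated script to 4622 lines, but the patch header still says only `Upstream-Status: Backport [debian]` plus the new Signed-off-by, so a reader cannot tell which OpenSSL release the symbol list was regenerated against or why two symbols appeared. A header line such as `Symbol list regenerated against openssl 1.0.1t (adds the SRP_VBASE_get1_by_user / SRP_user_pwd_free exports introduced upstream).` would make the next refresh auditable. The hunk for the engine version scripts is a pure reordering of the same content and needs no note.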
@@ -4638,33 +4668,3 @@ Index: openssl-1.0.1d/openssl.ld + CRYPTO_memcmp; +} OPENSSL_1.0.1; + -Index: openssl-1.0.1d/engines/openssl.ld -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.0.1d/engines/openssl.ld 2013-02-06 19:41:43.000000000 +0100 -@@ -0,0 +1,10 @@ -+OPENSSL_1.0.0 { -+ global: -+ bind_engine; -+ v_check; -+ OPENSSL_init; -+ OPENSSL_finish; -+ local: -+ *; -+}; -+ -Index: openssl-1.0.1d/engines/ccgost/openssl.ld -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.0.1d/engines/ccgost/openssl.ld 2013-02-06 19:41:43.000000000 +0100 -@@ -0,0 +1,10 @@ -+OPENSSL_1.0.0 { -+ global: -+ bind_engine; -+ v_check; -+ OPENSSL_init; -+ OPENSSL_finish; -+ local: -+ *; -+}; -+ diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch index 36aa442223..57e39eb673 100644 --- a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch +++ b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch @@ -10,15 +10,19 @@ Signed-off-by: Xufeng Zhang ported the patch to the 1.0.0m version 
Signed-off-by: Brendan Le Foll 2015/03/24 + +Ported the patch to 1.0.1t version. +Signed-off-by: Sona Sarmadi --- ---- a/crypto/evp/digest.c -+++ b/crypto/evp/digest.c -@@ -199,7 +199,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) +diff -ruN a/crypto/evp/digest.c b/crypto/evp/digest.c +--- a/crypto/evp/digest.c 2016-05-03 15:49:00.000000000 +0200 ++++ b/crypto/evp/digest.c 2016-05-04 09:17:47.629259835 +0200 +@@ -199,7 +199,7 @@ type = ctx->digest; } #endif - if (ctx->digest != type) { + if (type && (ctx->digest != type)) { - if (ctx->digest && ctx->digest->ctx_size) + if (ctx->digest && ctx->digest->ctx_size) { OPENSSL_free(ctx->md_data); - ctx->digest = type; + ctx->md_data = NULL; diff --git a/meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch b/meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch index ab1434a0e7..59a4b7ce9a 100644 --- a/meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch +++ b/meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch @@ -9,22 +9,24 @@ Signed-Off-By: Nitin A Kamble 2011/12/01 ported the patch to the 1.0.0m version 
Signed-off-by: Brendan Le Foll 2015/03/24 -Index: openssl-1.0.1e/Configure -=================================================================== ---- openssl-1.0.1e.orig/Configure -+++ openssl-1.0.1e/Configure -@@ -402,6 +402,7 @@ my %table=( + +Ported the patch to 1.0.1t version. +Signed-off-by: Sona Sarmadi 2016/05/09 +--- +diff -ruN a/Configure b/Configure +--- a/Configure 2016-05-04 08:24:51.630028856 +0200 ++++ b/Configure 2016-05-04 09:09:14.987332751 +0200 +@@ -417,6 +417,7 @@ "linux-ia64-ecc","ecc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32", + "linux-x86_64-clang","clang: -m64 -DL_ENDIAN -O3 -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", #### So called "highgprs" target for z/Architecture CPUs - # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see -Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c -=================================================================== 
---- openssl-1.0.1e.orig/crypto/bn/asm/x86_64-gcc.c -+++ openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c +diff -ruN a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c +--- a/crypto/bn/asm/x86_64-gcc.c 2016-05-03 15:49:00.000000000 +0200 ++++ b/crypto/bn/asm/x86_64-gcc.c 2016-05-04 09:07:52.974863300 +0200 @@ -55,7 +55,7 @@ * machine. */ @@ -34,30 +36,8 @@ Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c # define BN_ULONG unsigned long long # else # define BN_ULONG unsigned long -Index: openssl-1.0.1e/crypto/bn/bn.h -=================================================================== ---- openssl-1.0.1e.orig/crypto/bn/bn.h -+++ openssl-1.0.1e/crypto/bn/bn.h -@@ -173,6 +173,13 @@ extern "C" { - # endif - # endif - -+/* Address type. */ -+# ifdef _WIN64 -+# define BN_ADDR unsigned long long -+# else -+# define BN_ADDR unsigned long -+# endif -+ - /* - * assuming long is 64bit - this is the DEC Alpha unsigned long long is only - * 64 bits :-(, don't define BN_LLONG for the DEC Alpha -Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c -=================================================================== ---- openssl-1.0.1m/crypto/bn/asm/x86_64-gcc.c 2015-03-19 13:37:10.000000000 +0000 -+++ openssl-1.0.1m-modif/crypto/bn/asm/x86_64-gcc.c 2015-04-14 17:09:11.876533194 +0100 @@ -211,9 +211,9 @@ - + asm volatile (" subq %2,%2 \n" ".p2align 4 \n" - "1: movq (%4,%2,8),%0 \n" @@ -70,7 +50,7 @@ Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c " loop 1b \n" " sbbq %0,%0 \n":"=&a" (ret), "+c"(n), @@ -235,9 +235,9 @@ - + asm volatile (" subq %2,%2 \n" ".p2align 4 \n" - "1: movq (%4,%2,8),%0 \n" 
@@ -81,12 +61,11 @@ Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c + " movq %0,(%q3,%2,8) \n" " leaq 1(%2),%2 \n" " loop 1b \n" - " sbbq %0,%0 \n":"=&a" (ret), "+c"(n) -Index: openssl-1.0.1e/crypto/bn/bn_exp.c -=================================================================== ---- openssl-1.0.1e.orig/crypto/bn/bn_exp.c -+++ openssl-1.0.1e/crypto/bn/bn_exp.c -@@ -572,7 +572,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, + " sbbq %0,%0 \n":"=&a" (ret), "+c"(n), +diff -ruN a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c +--- a/crypto/bn/bn_exp.c 2016-05-03 15:49:00.000000000 +0200 ++++ b/crypto/bn/bn_exp.c 2016-05-04 09:07:52.974863300 +0200 +@@ -622,7 +622,7 @@ * multiple. */ #define MOD_EXP_CTIME_ALIGN(x_) \ @@ -95,3 +74,20 @@ Index: openssl-1.0.1e/crypto/bn/bn_exp.c /* * This variant of BN_mod_exp_mont() uses fixed windows and the special +diff -ruN a/crypto/bn/bn.h b/crypto/bn/bn.h +--- a/crypto/bn/bn.h 2016-05-03 15:49:00.000000000 +0200 ++++ b/crypto/bn/bn.h 2016-05-04 09:07:52.974863300 +0200 +@@ -174,6 +174,13 @@ + # endif + # endif + ++/* Address type. */ ++# ifdef _WIN64 ++# define BN_ADDR unsigned long long ++# else ++# define BN_ADDR unsigned long ++# endif ++ + /* + * assuming long is 64bit - this is the DEC Alpha unsigned long long is only + * 64 bits :-(, don't define BN_LLONG for the DEC Alpha diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb deleted file mode 100644 index 0fa3572969..0000000000 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb +++ /dev/null 
@@ -1,58 +0,0 @@
-require openssl.inc
-
-# For target side versions of openssl enable support for OCF Linux driver
-# if they are available.
-DEPENDS += "cryptodev-linux"
-
-CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8"
-
-export DIRS = "crypto ssl apps engines"
-export OE_LDFLAGS="${LDFLAGS}"
-
-SRC_URI += "file://configure-targets.patch \
- file://shared-libs.patch \
- file://oe-ldflags.patch \
- file://engines-install-in-libdir-ssl.patch \
- file://debian/version-script.patch \
- file://debian/pic.patch \
- file://debian/c_rehash-compat.patch \
- file://debian/ca.patch \
- file://debian/make-targets.patch \
- file://debian/no-rpath.patch \
- file://debian/man-dir.patch \
- file://debian/man-section.patch \
- file://debian/no-symbolic.patch \
- file://debian/debian-targets.patch \
- file://openssl_fix_for_x32.patch \
- file://fix-cipher-des-ede3-cfb1.patch \
- file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
- file://initial-aarch64-bits.patch \
- file://find.pl \
- file://openssl-fix-des.pod-error.patch \
- file://Makefiles-ptest.patch \
- file://ptest-deps.patch \
- file://run-ptest \
- file://CVE-2015-3194-Add-PSS-parameter-check.patch \
- file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
- file://CVE-2016-0800.patch \
- "
-
-SRC_URI[md5sum] = "7563e92327199e0067ccd0f79f436976"
-SRC_URI[sha256sum] = "bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1"
-
-PACKAGES =+ " \
- ${PN}-engines \
- ${PN}-engines-dbg \
- "
-
-FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
-FILES_${PN}-engines-dbg = "${libdir}/ssl/engines/.debug"
-
-PARALLEL_MAKE = ""
-PARALLEL_MAKEINST = ""
-
-do_configure_prepend() {
- cp ${WORKDIR}/find.pl ${S}/util/find.pl
-}
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1t.bb
new file mode 100644
index 0000000000..1737730065
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1t.bb
@@ -0,0 +1,55 @@
+require openssl.inc
+
+# For target side versions of openssl enable support for OCF Linux driver
+# if they are available.
+DEPENDS += "cryptodev-linux"
+
+CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"
+
+export DIRS = "crypto ssl apps engines"
+export OE_LDFLAGS="${LDFLAGS}"
+
+SRC_URI += "file://configure-targets.patch \
+ file://shared-libs.patch \
+ file://oe-ldflags.patch \
+ file://engines-install-in-libdir-ssl.patch \
+ file://debian/version-script.patch \
+ file://debian/pic.patch \
+ file://debian/c_rehash-compat.patch \
+ file://debian/ca.patch \
+ file://debian/make-targets.patch \
+ file://debian/no-rpath.patch \
+ file://debian/man-dir.patch \
+ file://debian/man-section.patch \
+ file://debian/no-symbolic.patch \
+ file://debian/debian-targets.patch \
+ file://openssl_fix_for_x32.patch \
+ file://fix-cipher-des-ede3-cfb1.patch \
+ file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
+ file://initial-aarch64-bits.patch \
+ file://find.pl \
+ file://openssl-fix-des.pod-error.patch \
+ file://Makefiles-ptest.patch \
+ file://ptest-deps.patch \
+ file://run-ptest \
+ "
+
+SRC_URI[md5sum] = "9837746fcf8a6727d46d22ca35953da1"
+SRC_URI[sha256sum] = "4a6ee491a2fdb22e519c76fdc2a628bb3cec12762cd456861d207996c8a07088"
+
+PACKAGES =+ " \
+ ${PN}-engines \
+ ${PN}-engines-dbg \
+ "
+
+FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
+FILES_${PN}-engines-dbg = "${libdir}/ssl/engines/.debug"
+
+PARALLEL_MAKE = ""
+PARALLEL_MAKEINST = ""
+
+do_configure_prepend() {
+ cp ${WORKDIR}/find.pl ${S}/util/find.pl
+}
-- cgit v1.2.3-54-g00ecf
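Review bot: `LIC_FILES_CHKSUM` in the new recipe carries a different md5 (`27ffa5d74bb5a337056c14b2ef93fbf6`, previously `f9a8f968107345e0b75aa8c2ecaa7ec8`) but neither the recipe nor the commit message records what changed in LICENSE between 1.0.1p and 1.0.1t, which is exactly the signal a license checksum is meant to provide. The license text diff should be reviewed and summarised, either as a sentence in the commit message or as a comment above the line such as `# LICENSE checksum updated for 1.0.1t: <describe the license text change>`. The three CVE backports dropped from `SRC_URI` (CVE-2015-3194, CVE-2015-3195, CVE-2016-0800) are presumably carried upstream in 1.0.1t; stating that explicitly in the commit message, next to the CVE list it already gives, would make the removal auditable rather than implied. The new `SRC_URI[md5sum]`/`SRC_URI[sha256sum]` values should be checked against the digests published with the upstream release rather than taken from the downloaded tarball alone.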