From b031ebb35ec461c0ca25e1117c81e359d5c6bb21 Mon Sep 17 00:00:00 2001
From: Tudor Florea <tudor.florea@enea.com>
Date: Tue, 7 Jul 2015 00:38:40 +0200
Subject: openssl: Upgrade to 1.0.1o to address some CVEs

Upgrade from 1.0.1m to 1.0.1n addresses following vulnerabilities:

CVE-2015-4000, DHE man-in-the-middle protection (Logjam)
CVE-2015-1788, Malformed ECParameters causes infinite loop
CVE-2015-1789, Exploitable out-of-bounds read in X509_cmp_time
CVE-2015-1790, PKCS7 crash with missing EnvelopedContent
CVE-2015-1791, Race condition handling NewSessionTicket
CVE-2015-1792, CMS verify infinite loop with unknown hash function

Upgrade from 1.0.1n to 1.0.1o fixes ABI compatibility issues:
Fix HMAC ABI incompatibility. The previous version introduced an ABI
incompatibility in the handling of HMAC. The previous ABI has now been
restored.

References:
http://openssl.org/news/secadv_20150611.txt
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/CHANGES

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
---
 .../openssl/openssl/debian/man-section.patch       | 15 +++---
 .../recipes-connectivity/openssl/openssl_1.0.1m.bb | 56 ----------------------
 .../recipes-connectivity/openssl/openssl_1.0.1o.bb | 56 ++++++++++++++++++++++
 3 files changed, 63 insertions(+), 64 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl_1.0.1m.bb
 create mode 100644 meta/recipes-connectivity/openssl/openssl_1.0.1o.bb

diff --git a/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch b/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch
index 21c1d1a4eb..dfe4877f46 100644
--- a/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch
+++ b/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch
@@ -1,11 +1,10 @@
 Upstream-Status: Backport [debian]
 
-Index: openssl-1.0.0c/Makefile.org
-===================================================================
---- openssl-1.0.0c.orig/Makefile.org	2010-12-12 16:11:37.000000000 +0100
-+++ openssl-1.0.0c/Makefile.org	2010-12-12 16:13:28.000000000 +0100
-@@ -160,7 +160,8 @@
- MANDIR=/usr/share/man
+diff -Naur openssl-1.0.1o-orig/Makefile openssl-1.0.1o/Makefile
+--- openssl-1.0.1o-orig/Makefile	2015-06-12 17:20:59.000000000 +0200
++++ openssl-1.0.1o/Makefile	2015-06-15 10:40:20.243874349 +0200
+@@ -162,7 +162,8 @@
+ MANDIR=$(OPENSSLDIR)/man
  MAN1=1
  MAN3=3
 -MANSUFFIX=
@@ -14,7 +13,7 @@ Index: openssl-1.0.0c/Makefile.org
  HTMLSUFFIX=html
  HTMLDIR=$(OPENSSLDIR)/html
  SHELL=/bin/sh
-@@ -651,7 +652,7 @@
+@@ -644,7 +645,7 @@
  		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
  		(cd `$(PERL) util/dirname.pl $$i`; \
  		sh -c "$$pod2man \
@@ -23,7 +22,7 @@ Index: openssl-1.0.0c/Makefile.org
  			--release=$(VERSION) `basename $$i`") \
  			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
  		$(PERL) util/extract-names.pl < $$i | \
-@@ -668,7 +669,7 @@
+@@ -661,7 +662,7 @@
  		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
  		(cd `$(PERL) util/dirname.pl $$i`; \
  		sh -c "$$pod2man \
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1m.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1m.bb
deleted file mode 100644
index cab6b3fdf4..0000000000
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1m.bb
+++ /dev/null
@@ -1,56 +0,0 @@
-require openssl.inc
-
-# For target side versions of openssl enable support for OCF Linux driver
-# if they are available.
-DEPENDS += "cryptodev-linux"
-
-CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8"
-
-export DIRS = "crypto ssl apps engines"
-export OE_LDFLAGS="${LDFLAGS}"
-
-SRC_URI += "file://configure-targets.patch \
-            file://shared-libs.patch \
-            file://oe-ldflags.patch \
-            file://engines-install-in-libdir-ssl.patch \
-            file://openssl-fix-link.patch \
-            file://debian/version-script.patch \
-            file://debian/pic.patch \
-            file://debian/c_rehash-compat.patch \
-            file://debian/ca.patch \
-            file://debian/make-targets.patch \
-            file://debian/no-rpath.patch \
-            file://debian/man-dir.patch \
-            file://debian/man-section.patch \
-            file://debian/no-symbolic.patch \
-            file://debian/debian-targets.patch \
-            file://openssl_fix_for_x32.patch \
-            file://fix-cipher-des-ede3-cfb1.patch \
-            file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
-            file://initial-aarch64-bits.patch \
-            file://find.pl \
-            file://openssl-fix-des.pod-error.patch \
-            file://Makefiles-ptest.patch \
-            file://ptest-deps.patch \
-            file://run-ptest \
-           "
-
-SRC_URI[md5sum] = "d143d1555d842a069cb7cc34ba745a06"
-SRC_URI[sha256sum] = "095f0b7b09116c0c5526422088058dc7e6e000aa14d22acca6a4e2babcdfef74"
-
-PACKAGES =+ " \
-	${PN}-engines \
-	${PN}-engines-dbg \
-	"
-
-FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
-FILES_${PN}-engines-dbg = "${libdir}/ssl/engines/.debug"
-
-PARALLEL_MAKE = ""
-PARALLEL_MAKEINST = ""
-
-do_configure_prepend() {
-  cp ${WORKDIR}/find.pl ${S}/util/find.pl
-}
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1o.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1o.bb
new file mode 100644
index 0000000000..44d4d27c4b
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1o.bb
@@ -0,0 +1,56 @@
+require openssl.inc
+
+# For target side versions of openssl enable support for OCF Linux driver
+# if they are available.
+DEPENDS += "cryptodev-linux"
+
+CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8"
+
+export DIRS = "crypto ssl apps engines"
+export OE_LDFLAGS="${LDFLAGS}"
+
+SRC_URI += "file://configure-targets.patch \
+            file://shared-libs.patch \
+            file://oe-ldflags.patch \
+            file://engines-install-in-libdir-ssl.patch \
+            file://openssl-fix-link.patch \
+            file://debian/version-script.patch \
+            file://debian/pic.patch \
+            file://debian/c_rehash-compat.patch \
+            file://debian/ca.patch \
+            file://debian/make-targets.patch \
+            file://debian/no-rpath.patch \
+            file://debian/man-dir.patch \
+            file://debian/man-section.patch \
+            file://debian/no-symbolic.patch \
+            file://debian/debian-targets.patch \
+            file://openssl_fix_for_x32.patch \
+            file://fix-cipher-des-ede3-cfb1.patch \
+            file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
+            file://initial-aarch64-bits.patch \
+            file://find.pl \
+            file://openssl-fix-des.pod-error.patch \
+            file://Makefiles-ptest.patch \
+            file://ptest-deps.patch \
+            file://run-ptest \
+           "
+
+SRC_URI[md5sum] = "af1096f500a612e2e2adacb958d7eab1"
+SRC_URI[sha256sum] = "16e678c6a05f2502811e075f2c4059ac01c878d091c9c585afc49ebc541f7b13"
+
+PACKAGES =+ " \
+	${PN}-engines \
+	${PN}-engines-dbg \
+	"
+
+FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
+FILES_${PN}-engines-dbg = "${libdir}/ssl/engines/.debug"
+
+PARALLEL_MAKE = ""
+PARALLEL_MAKEINST = ""
+
+do_configure_prepend() {
+  cp ${WORKDIR}/find.pl ${S}/util/find.pl
+}
-- 
cgit v1.2.3-54-g00ecf