From e93f9a838260100ece7cac36f01e42e321e6414b Mon Sep 17 00:00:00 2001 From: Saul Wold Date: Mon, 20 Oct 2014 14:16:23 -0700 Subject: openssl: Upgrade to 1.0.1j This addresses the latest set of CVE issues (From OE-Core rev: 461e598815f8749bb26e97369e3b877f7ce749cf) Signed-off-by: Saul Wold Signed-off-by: Richard Purdie --- meta/recipes-connectivity/openssl/openssl.inc | 50 ++- .../openssl/openssl/Makefiles-ptest.patch | 75 ++++ .../openssl/openssl/initial-aarch64-bits.patch | 1 + .../openssl/openssl-1.0.1e-cve-2014-0195.patch | 40 -- .../openssl/openssl-1.0.1e-cve-2014-0198.patch | 38 -- .../openssl/openssl-1.0.1e-cve-2014-0221.patch | 38 -- .../openssl/openssl-1.0.1e-cve-2014-0224.patch | 103 ------ .../openssl/openssl-1.0.1e-cve-2014-3470.patch | 31 -- .../openssl/openssl/openssl-CVE-2010-5298.patch | 24 -- .../openssl/openssl/openssl-fix-doc.patch | 401 --------------------- .../openssl/openssl/ptest-deps.patch | 30 ++ .../recipes-connectivity/openssl/openssl/run-ptest | 2 + 12 files changed, 145 insertions(+), 688 deletions(-) create mode 100644 meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0198.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0221.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0224.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-3470.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/ptest-deps.patch create mode 100755 meta/recipes-connectivity/openssl/openssl/run-ptest
diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index ee02fb796e..9ec884f332 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -9,6 +9,7 @@ LICENSE = "openssl"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8"
 
 DEPENDS = "perl-native-runtime"
+DEPENDS_append_class-target = " openssl-native"
 
 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
 "
@@ -30,14 +31,14 @@ export DIRS = "crypto ssl apps"
 export EX_LIBS = "-lgcc -ldl"
 export AS = "${CC} -c"
 
-inherit pkgconfig siteinfo multilib_header
+inherit pkgconfig siteinfo multilib_header ptest
 
 PACKAGES =+ "libcrypto libssl ${PN}-misc openssl-conf"
 FILES_libcrypto = "${base_libdir}/libcrypto${SOLIBS}"
 FILES_libssl = "${libdir}/libssl.so.*"
 FILES_${PN} =+ " ${libdir}/ssl/*"
 FILES_${PN}-misc = "${libdir}/ssl/misc ${bindir}/c_rehash"
-RDEPENDS_${PN}-misc = "${@base_contains('PACKAGECONFIG', 'perl', 'perl', '', d)}"
+RDEPENDS_${PN}-misc = "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}"
 FILES_${PN}-dev += "${base_libdir}/libcrypto${SOLIBSDEV}"
 
 # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
@@ -47,6 +48,7 @@ FILES_${PN}-dev += "${base_libdir}/libcrypto${SOLIBSDEV}"
 FILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
 CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
 RRECOMMENDS_libcrypto += "openssl-conf"
+RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
 
 do_configure_prepend_darwin () {
 sed -i -e '/version-script=openssl\.ld/d' Configure
@@ -59,17 +61,18 @@ do_configure () {
 ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/
 
 os=${HOST_OS}
- if [ "x$os" = "xlinux-uclibc" ]; then
+ case $os in
+ linux-uclibc |\
+ linux-uclibceabi |\
+ linux-gnueabi |\
+ linux-uclibcspe |\
+ linux-gnuspe |\
+ linux-musl*)
 os=linux
- elif [ "x$os" = "xlinux-uclibceabi" ]; then
- os=linux
- elif [ "x$os" = "xlinux-uclibcspe" ]; then
- os=linux
- elif [ "x$os" = "xlinux-gnuspe" ]; then
- os=linux
- elif [ "x$os" = "xlinux-gnueabi" ]; then
- os=linux
- fi
+ ;;
+ *)
+ ;;
+ esac
 target="$os-${HOST_ARCH}"
 case $target in
 linux-arm)
@@ -136,10 +139,18 @@ do_configure () {
 perl ./Configure ${EXTRA_OECONF} shared --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename ${libdir}` $target
 }
 
+do_compile_prepend_class-target () {
+ sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile
+}
+
 do_compile () {
 oe_runmake
 }
 
+do_compile_ptest () {
+ oe_runmake buildtest
+}
+
 do_install () {
 oe_runmake INSTALL_PREFIX="${D}" MANDIR="${mandir}" install
 
@@ -157,7 +168,7 @@ do_install () {
 cp --dereference -R include/openssl ${D}${includedir}
 oe_multilib_header openssl/opensslconf.h
 
- if [ "${@base_contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then
+ if [ "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then
 install -m 0755 ${S}/tools/c_rehash ${D}${bindir}
 sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${bindir}/c_rehash
 sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl
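Review bot: The `sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile` line in the new `do_compile_prepend_class-target` carries no comment saying why the build's `OPENSSL=` setting is rewritten, and the BRE is opaque enough that a later reader cannot tell which Makefile line it targets or that the sed silently does nothing if the pattern stops matching after an upgrade. Together with `DEPENDS_append_class-target = " openssl-native"` in the first hunk it presumably makes the target build run the host `openssl` from openssl-native wherever the Makefile invokes `$(OPENSSL)`, since the freshly cross-compiled `apps/openssl` cannot execute on the build host — that rationale belongs in the recipe. Suggest a comment above the sed: `# Point the Makefile's OPENSSL= at the host openssl (openssl-native): the cross-compiled apps/openssl cannot run at build time` (confirm against the 1.0.1j Makefile that `(OPENSSL=` is the intended match).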
@@ -169,5 +180,18 @@ do_install () {
 fi
 }
 
+do_install_ptest () {
+ cp -r Makefile test ${D}${PTEST_PATH}
+ cp -r certs ${D}${PTEST_PATH}
+ mkdir -p ${D}${PTEST_PATH}/apps
+ ln -sf /usr/lib/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps
+ ln -sf /usr/lib/ssl/openssl.cnf ${D}${PTEST_PATH}/apps
+ ln -sf /usr/bin/openssl ${D}${PTEST_PATH}/apps
+ cp apps/server2.pem ${D}${PTEST_PATH}/apps
+ mkdir -p ${D}${PTEST_PATH}/util
+ install util/opensslwrap.sh ${D}${PTEST_PATH}/util
+ install util/shlib_wrap.sh ${D}${PTEST_PATH}/util
+}
+
 BBCLASSEXTEND = "native nativesdk"
 
diff --git a/meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch b/meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch
new file mode 100644
index 0000000000..ac53a9142b
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch
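Review bot: `do_install_ptest` symlinks `/usr/lib/ssl/misc/CA.sh`, `/usr/lib/ssl/openssl.cnf` and `/usr/bin/openssl` as literal paths, while the rest of this recipe installs those files under `${libdir}/ssl` and `${bindir}`; on a multilib or non-default-prefix configuration (`${libdir}` resolving to `/usr/lib64`, or a custom `${prefix}`) the links dangle and the tests run with no config file and no binary. Change them to `ln -sf ${libdir}/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps`, `ln -sf ${libdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps` and `ln -sf ${bindir}/openssl ${D}${PTEST_PATH}/apps`. A dangling `openssl.cnf` link is particularly easy to miss because the tests are pointed at it via `OPENSSL_CONF=../apps/openssl.cnf` in the new `Makefiles-ptest.patch`, so the failure would surface only as test output differences rather than an install error.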
@@ -0,0 +1,75 @@
+Add 'buildtest' and 'runtest' targets to Makefile, to build and run tests
+cross-compiled.
+
+Signed-off-by: Anders Roxell
+Signed-off-by: Maxin B. John
+Upstream-Status: Pending
+---
+diff -uNr a/Makefile b/Makefile
+--- a/Makefile.org 2012-05-10 17:06:02.000000000 +0200
++++ b/Makefile.org 2012-10-27 00:05:55.359424024 +0200
+@@ -411,8 +411,16 @@
+ test: tests
+
+ tests: rehash
++ $(MAKE) buildtest
++ $(MAKE) runtest
++
++buildtest:
++ @(cd test && \
++ $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf exe apps);
++
++runtest:
+ @(cd test && echo "testing..." && \
+- $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
++ $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf alltests );
+ OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
+
+ report:
+diff --git a/test/Makefile b/test/Makefile
+index 3912f82..1696767 100644
+--- a/test/Makefile
++++ b/test/Makefile
+@@ -128,7 +128,7 @@ tests: exe apps $(TESTS)
+ apps:
+ @(cd ..; $(MAKE) DIRS=apps all)
+
+-alltests: \
++all-tests= \
+ test_des test_idea test_sha test_md4 test_md5 test_hmac \
+ test_md2 test_mdc2 test_wp \
+ test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_aes \
+@@ -138,6 +138,11 @@ alltests: \
+ test_ss test_ca test_engine test_evp test_ssl test_tsa test_ige \
+ test_jpake test_cms
+
++alltests:
++ @(for i in $(all-tests); do \
++ ( $(MAKE) $$i && echo "PASS: $$i" ) || echo "FAIL: $$i"; \
++ done)
++
+ test_evp:
+ ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt
+
+@@ -203,7 +208,7 @@ test_x509:
+ echo test second x509v3 certificate
+ sh ./tx509 v3-cert2.pem 2>/dev/null
+
+-test_rsa: $(RSATEST)$(EXE_EXT)
++test_rsa:
+ @sh ./trsa 2>/dev/null
+ ../util/shlib_wrap.sh ./$(RSATEST)
+
+@@ -298,11 +303,11 @@ test_tsa:
+ sh ./testtsa; \
+ fi
+
+-test_ige: $(IGETEST)$(EXE_EXT)
++test_ige:
+ @echo "Test IGE mode"
+ ../util/shlib_wrap.sh ./$(IGETEST)
+
+-test_jpake: $(JPAKETEST)$(EXE_EXT)
++test_jpake:
+ @echo "Test JPAKE"
+ ../util/shlib_wrap.sh ./$(JPAKETEST)
diff --git a/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch b/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch
index 2185ff8a46..770097db78 100644
--- a/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch
+++ b/meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch
@@ -4,6 +4,7 @@ Subject: Initial aarch64 bits.
 X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=039081b80977e2a5de84e1f88f8b4d025b559956
 
 Initial aarch64 bits.
+Upstream-Status: backport (will be included in 1.0.2)
 ---
 crypto/bn/bn_lcl.h | 9 +++++++++
 crypto/md32_common.h | 18 ++++++++++++++++++
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch
deleted file mode 100644
index 0c43919427..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch
+++ /dev/null
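Review bot: The `alltests` loop added to `test/Makefile`, `( $(MAKE) $$i && echo "PASS: $$i" ) || echo "FAIL: $$i";`, makes the target exit 0 whatever the individual tests do, so `make -k runtest` in the new `run-ptest` always succeeds and only the PASS:/FAIL: lines carry the result. That is presumably intended for the ptest log format, but it deserves a comment on the `alltests:` target, e.g. `# exit status is deliberately ignored; ptest reads the PASS:/FAIL: lines`, so nobody later wires the exit code into CI and gets a permanent green. Because this hunk and `ptest-deps.patch` also drop the `$(RSATEST)$(EXE_EXT)`-style prerequisites, a test whose binary was never built or never copied by `do_install_ptest` shows up as `FAIL: test_x`, indistinguishable in the log from a genuine test failure; keeping the make status in the message, `|| echo "FAIL: $$i (exit $$?)"`, would at least preserve that distinction.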
@@ -1,40 +0,0 @@
-commit 208d54db20d58c9a5e45e856a0650caadd7d9612
-Author: Dr. Stephen Henson
-Date: Tue May 13 18:48:31 2014 +0100
-
- Fix for CVE-2014-0195
-
- A buffer overrun attack can be triggered by sending invalid DTLS fragments
- to an OpenSSL DTLS client or server. This is potentially exploitable to
- run arbitrary code on a vulnerable client or server.
-
- Fixed by adding consistency check for DTLS fragments.
-
- Thanks to Jüri Aedla for reporting this issue.
-
-Patch borrowed from Fedora
-Upstream-Status: Backport
-Signed-off-by: Paul Eggleton
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 2e8cf68..07f67f8 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- frag->msg_header.frag_off = 0;
- }
- else
-+ {
- frag = (hm_fragment*) item->data;
-+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
-+ {
-+ item = NULL;
-+ frag = NULL;
-+ goto err;
-+ }
-+ }
-+
-
- /* If message is already reassembled, this must be a
- * retransmit and can be dropped.
-
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0198.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0198.patch
deleted file mode 100644
index 12dcfb7f3a..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0198.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Matt Caswell
-Date: Sun, 11 May 2014 23:38:37 +0000 (+0100)
-Subject: Fixed NULL pointer dereference. See PR#3321
-X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=b107586
-
-Fixed NULL pointer dereference. See PR#3321
-
-Patch borrowed from Fedora
-Upstream-Status: Backport
-Signed-off-by: Paul Eggleton
-
----
-
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 40eb0dd..d961d12 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- SSL3_BUFFER *wb=&(s->s3->wbuf);
- SSL_SESSION *sess;
-
-- if (wb->buf == NULL)
-- if (!ssl3_setup_write_buffer(s))
-- return -1;
-
- /* first check if there is a SSL3_BUFFER still being written
- * out. This will happen with non blocking IO */
-@@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- /* if it went, fall through and send more stuff */
- }
-
-+ if (wb->buf == NULL)
-+ if (!ssl3_setup_write_buffer(s))
-+ return -1;
-+
- if (len == 0 && !create_empty_fragment)
- return 0;
-
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0221.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0221.patch
deleted file mode 100644
index bf730a8124..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0221.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-commit d30e582446b027868cdabd0994681643682045a4
-Author: Dr. Stephen Henson
-Date: Fri May 16 13:00:45 2014 +0100
-
- Fix CVE-2014-0221
-
- Unnecessary recursion when receiving a DTLS hello request can be used to
- crash a DTLS client. Fixed by handling DTLS hello request without recursion.
-
- Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
-
-Patch borrowed from Fedora
-Upstream-Status: Backport
-Signed-off-by: Paul Eggleton
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 07f67f8..4c2fd03 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
- int i,al;
- struct hm_header_st msg_hdr;
-
-+ redo:
- /* see if we have the required fragment already */
- if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
- {
-@@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
- s->msg_callback_arg);
-
- s->init_num = 0;
-- return dtls1_get_message_fragment(s, st1, stn,
-- max, ok);
-+ goto redo;
- }
- else /* Incorrectly formated Hello request */
- {
-
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0224.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0224.patch
deleted file mode 100644
index 0ed1d12551..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0224.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-Fix for CVE-2014-0224
-
-Only accept change cipher spec when it is expected instead of at any
-time. This prevents premature setting of session keys before the master
-secret is determined which an attacker could use as a MITM attack.
-
-Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
-and providing the initial fix this patch is based on.
-
-
-Patch borrowed from Fedora
-Upstream-Status: Backport
-Signed-off-by: Paul Eggleton
-
-
-diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h
---- openssl-1.0.1e/ssl/ssl3.h.keying-mitm 2014-06-02 19:48:04.518100562 +0200
-+++ openssl-1.0.1e/ssl/ssl3.h 2014-06-02 19:48:04.642103429 +0200
-@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
- #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
- #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
- #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
-+#define SSL3_FLAGS_CCS_OK 0x0080
-
- /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
- * restart a handshake because of MS SGC and so prevents us
-diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c
---- openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/s3_clnt.c 2014-06-02 19:49:57.042701985 +0200
-@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s)
- case SSL3_ST_CR_FINISHED_A:
- case SSL3_ST_CR_FINISHED_B:
-
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
- SSL3_ST_CR_FINISHED_B);
- if (ret <= 0) goto end;
-@@ -916,6 +917,7 @@ int ssl3_get_server_hello(SSL *s)
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
- goto f_err;
- }
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- s->hit=1;
- }
- else /* a miss or crap from the other end */
-diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c
---- openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm 2014-06-02 19:48:04.640103383 +0200
-+++ openssl-1.0.1e/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200
-@@ -1298,6 +1298,15 @@ start:
- goto f_err;
- }
-
-+ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
-+ {
-+ al=SSL_AD_UNEXPECTED_MESSAGE;
-+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
-+ goto f_err;
-+ }
-+
-+ s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
-+
- rr->length=0;
-
- if (s->msg_callback)
-@@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
-
- if (s->s3->tmp.key_block == NULL)
- {
-- if (s->session == NULL)
-+ if (s->session == NULL || s->session->master_key_length == 0)
- {
- /* might happen if dtls1_read_bytes() calls this */
- SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
-diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c
---- openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm 2014-06-02 19:48:04.630103151 +0200
-+++ openssl-1.0.1e/ssl/s3_srvr.c 2014-06-02 19:48:04.643103452 +0200
-@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
- case SSL3_ST_SR_CERT_VRFY_A:
- case SSL3_ST_SR_CERT_VRFY_B:
-
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- /* we should decide if we expected this one */
- ret=ssl3_get_cert_verify(s);
- if (ret <= 0) goto end;
-@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
-
- case SSL3_ST_SR_FINISHED_A:
- case SSL3_ST_SR_FINISHED_B:
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
- SSL3_ST_SR_FINISHED_B);
- if (ret <= 0) goto end;
-@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
- s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
- #else
- if (s->s3->next_proto_neg_seen)
-+ {
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
-+ }
- else
- s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
- #endif
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-3470.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-3470.patch
deleted file mode 100644
index 025727f587..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-3470.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-commit 4ad43d511f6cf064c66eb4bfd0fb0919b5dd8a86
-Author: Dr. Stephen Henson
-Date: Thu May 29 15:00:05 2014 +0100
-
- Fix CVE-2014-3470
-
- Check session_cert is not NULL before dereferencing it.
-
-Patch borrowed from Fedora
-Upstream-Status: Backport
-Signed-off-by: Paul Eggleton
-
-
-diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index d35376d..4324f8d 100644
---- a/ssl/s3_clnt.c
-+++ b/ssl/s3_clnt.c
-@@ -2511,6 +2511,13 @@ int ssl3_send_client_key_exchange(SSL *s)
- int ecdh_clnt_cert = 0;
- int field_size = 0;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- /* Did we send out the client's
- * ECDH share for use in premaster
- * computation as part of client certificate?
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch b/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch
deleted file mode 100644
index 417a774ba2..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-openssl fix for CVE-2010-5298
-
-Upstream-Status: Backport
-
-Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
-through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
-attackers to inject data across sessions or cause a denial of service
-(use-after-free and parsing error) via an SSL connection in a
-multithreaded environment.
-
-http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
-
-Signed-off-by: Yue Tao
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -1013,7 +1013,7 @@ start:
- {
- s->rstate=SSL_ST_READ_HEADER;
- rr->off=0;
-- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-+ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
- ssl3_release_read_buffer(s);
- }
- }
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch b/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch
deleted file mode 100644
index 451256eaa5..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch
+++ /dev/null
@@ -1,401 +0,0 @@
-Fix documentation build errors with Perl 5.18 pod2man
-
-This fixes errors building man pages with newer versions of pod2man
-included with Perl 5.18.
-
-Upstream-Status: Submitted
-Signed-off-by: Jonathan Liu
-
-Index: openssl-1.0.1f/doc/apps/cms.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/apps/cms.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/apps/cms.pod 2014-02-28 10:13:51.899979213 +0200
-@@ -450,28 +450,28 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- the operation was completely successfully.
-
--=item 1
-+=item Z<>1
-
- an error occurred parsing the command options.
-
--=item 2
-+=item Z<>2
-
- one of the input files could not be read.
-
--=item 3
-+=item Z<>3
-
- an error occurred creating the CMS file or when reading the MIME
- message.
-
--=item 4
-+=item Z<>4
-
- an error occurred decrypting or verifying the message.
-
--=item 5
-+=item Z<>5
-
- the message was verified correctly but an error occurred writing out
- the signers certificates.
-Index: openssl-1.0.1f/doc/apps/smime.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/apps/smime.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/apps/smime.pod 2014-02-28 10:16:57.795979233 +0200
-@@ -308,28 +308,28 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- the operation was completely successfully.
-
--=item 1
-+=item Z<>1
-
- an error occurred parsing the command options.
-
--=item 2
-+=item Z<>2
-
- one of the input files could not be read.
-
--=item 3
-+=item Z<>3
-
- an error occurred creating the PKCS#7 file or when reading the MIME
- message.
-
--=item 4
-+=item Z<>4
-
- an error occurred decrypting or verifying the message.
-
--=item 5
-+=item Z<>5
-
- the message was verified correctly but an error occurred writing out
- the signers certificates.
-Index: openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod 2014-02-28 10:18:09.679979225 +0200
-@@ -53,11 +53,11 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The operation succeeded.
-
--=item 1
-+=item Z<>1
-
- The operation failed. Check the error queue to find out the reason.
-
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_add_session.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod 2014-02-28 10:18:42.687979221 +0200
-@@ -52,13 +52,13 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The operation failed. In case of the add operation, it was tried to add
- the same (identical) session twice. In case of the remove operation, the
- session was not found in the cache.
-
--=item 1
-+=item Z<>1
-
- The operation succeeded.
-
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-02-28 10:19:09.079979218 +0200
-@@ -100,13 +100,13 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The operation failed because B and B are NULL or the
- processing at one of the locations specified failed. Check the error
- stack to find out the reason.
-
--=item 1
-+=item Z<>1
-
- The operation succeeded.
-
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-02-28 10:19:42.999979220 +0200
-@@ -66,13 +66,13 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- A failure while manipulating the STACK_OF(X509_NAME) object occurred or
- the X509_NAME could not be extracted from B. Check the error stack
- to find out the reason.
-
--=item 1
-+=item Z<>1
-
- The operation succeeded.
-
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-02-28 10:20:06.495979211 +0200
-@@ -64,13 +64,13 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The length B of the session id context B exceeded
- the maximum allowed length of B. The error
- is logged to the error stack.
-
--=item 1
-+=item Z<>1
-
- The operation succeeded.
-
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-02-28 10:20:32.111979208 +0200
-@@ -42,11 +42,11 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The new choice failed, check the error stack to find out the reason.
-
--=item 1
-+=item Z<>1
-
- The operation succeeded.
-
-Index: openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-02-28 10:21:12.351979203 +0200
-@@ -96,7 +96,7 @@
- connection will fail with decryption_error before it will be finished
- completely.
-
--=item 0
-+=item Z<>0
-
- PSK identity was not found. An "unknown_psk_identity" alert message
- will be sent and the connection setup fails.
-Index: openssl-1.0.1f/doc/ssl/SSL_accept.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_accept.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_accept.pod 2014-02-28 10:21:51.535979215 +0200
-@@ -44,13 +44,13 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B to find out the reason.
-
--=item 1
-+=item Z<>1
-
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-Index: openssl-1.0.1f/doc/ssl/SSL_clear.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_clear.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_clear.pod 2014-02-28 10:22:13.087979196 +0200
-@@ -56,12 +56,12 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The SSL_clear() operation could not be performed. Check the error stack to
- find out the reason.
-
--=item 1
-+=item Z<>1
-
- The SSL_clear() operation was successful.
-
-Index: openssl-1.0.1f/doc/ssl/SSL_connect.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_connect.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_connect.pod 2014-02-28 10:22:33.991979193 +0200
-@@ -41,13 +41,13 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B to find out the reason.
-
--=item 1
-+=item Z<>1
-
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-Index: openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_do_handshake.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod 2014-02-28 10:22:56.887979159 +0200
-@@ -45,13 +45,13 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B to find out the reason.
-
--=item 1
-+=item Z<>1
-
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-Index: openssl-1.0.1f/doc/ssl/SSL_read.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_read.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_read.pod 2014-02-28 10:23:15.303979188 +0200
-@@ -86,7 +86,7 @@
- The read operation was successful; the return value is the number of
- bytes actually read from the TLS/SSL connection.
-
--=item 0
-+=item Z<>0
-
- The read operation was not successful. The reason may either be a clean
- shutdown due to a "close notify" alert sent by the peer (in which case
-Index: openssl-1.0.1f/doc/ssl/SSL_session_reused.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_session_reused.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_session_reused.pod 2014-02-28 10:23:36.615979186 +0200
-@@ -27,11 +27,11 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- A new session was negotiated.
-
--=item 1
-+=item Z<>1
-
- A session was reused.
-
-Index: openssl-1.0.1f/doc/ssl/SSL_set_fd.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_set_fd.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_set_fd.pod 2014-02-28 10:23:57.599979183 +0200
-@@ -35,11 +35,11 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The operation failed. Check the error stack to find out why.
-
--=item 1
-+=item Z<>1
-
- The operation succeeded.
-
-Index: openssl-1.0.1f/doc/ssl/SSL_set_session.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_set_session.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_set_session.pod 2014-02-28 10:24:16.943979181 +0200
-@@ -37,11 +37,11 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The operation failed; check the error stack to find out the reason.
-
--=item 1
-+=item Z<>1
-
- The operation succeeded.
-
-Index: openssl-1.0.1f/doc/ssl/SSL_shutdown.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_shutdown.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_shutdown.pod 2014-02-28 10:25:03.623979175 +0200
-@@ -92,19 +92,19 @@
-
- =over 4
-
--=item 0
-+=item Z<>0
-
- The shutdown is not yet finished. Call SSL_shutdown() for a second time,
- if a bidirectional shutdown shall be performed.
- The output of L may be misleading, as an
- erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
-
--=item 1
-+=item Z<>1
-
- The shutdown was successfully completed. The "close notify" alert was sent
- and the peer's "close notify" alert was received.
-
--=item -1
-+=item Z<>-1
-
- The shutdown was not successful because a fatal error occurred either
- at the protocol level or a connection failure occurred. It can also occur if
-Index: openssl-1.0.1f/doc/ssl/SSL_write.pod
-===================================================================
---- openssl-1.0.1f.orig/doc/ssl/SSL_write.pod 2014-01-06 15:47:42.000000000 +0200
-+++ openssl-1.0.1f/doc/ssl/SSL_write.pod 2014-02-28 10:25:36.031979168 +0200
-@@ -79,7 +79,7 @@
- The write operation was successful, the return value is the number of
- bytes actually written to the TLS/SSL connection.
-
--=item 0
-+=item Z<>0
-
- The write operation was not successful. Probably the underlying connection
- was closed. Call SSL_get_error() with the return value B to find out,
diff --git a/meta/recipes-connectivity/openssl/openssl/ptest-deps.patch b/meta/recipes-connectivity/openssl/openssl/ptest-deps.patch
new file mode 100644
index 0000000000..527e10c53b
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/ptest-deps.patch
@@ -0,0 +1,30 @@
+Remove Makefile dependencies for test targets
+
+These are probably here because the executables aren't always built for
+other platforms (e.g. Windows); however we can safely assume they'll
+always be there. None of the other test targets have such dependencies
+and if we don't remove them, make tries to rebuild the executables and
+fails during run-ptest.
+
+Upstream-Status: Inappropriate [config]
+
+Signed-off-by: Paul Eggleton
+
+diff --git a/test/Makefile b/test/Makefile
+index e6fcfb4..5ae043b 100644
+--- a/test/Makefile
++++ b/test/Makefile
+@@ -322,11 +322,11 @@ test_cms:
+ @echo "CMS consistency test"
+ $(PERL) cms-test.pl
+
+-test_srp: $(SRPTEST)$(EXE_EXT)
++test_srp:
+ @echo "Test SRP"
+ ../util/shlib_wrap.sh ./srptest
+
+-test_heartbeat: $(HEARTBEATTEST)$(EXE_EXT)
++test_heartbeat:
+ ../util/shlib_wrap.sh ./$(HEARTBEATTEST)
+
+ lint:
diff --git a/meta/recipes-connectivity/openssl/openssl/run-ptest b/meta/recipes-connectivity/openssl/openssl/run-ptest
new file mode 100755
index 0000000000..3b20fce1ee
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/run-ptest
@@ -0,0 +1,2 @@
+#!/bin/sh
+make -k runtest
-- cgit v1.2.3-54-g00ecf