From 94e9e6a21b26c8bd0b194d4c2a65cbcb9464a553 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Mon, 9 May 2016 13:29:01 +0200 Subject: OpenSSL: Upgrade to 1.0.1t to fix multiple CVEs Upgrade 1.0.1p --> 1.0.1t addresses following vulnerabilities: CVE-2016-2107 CVE-2016-2108 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 CVE-2016-2176 Reference: URL for the OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20160503.txt Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea --- .../openssl/openssl/debian/man-section.patch | 17 ++--- .../openssl/openssl/debian/version-script.patch | 80 +++++++++++----------- ...-pointer-dereference-in-EVP_DigestInit_ex.patch | 14 ++-- .../openssl/openssl/openssl_fix_for_x32.patch | 76 ++++++++++---------- 4 files changed, 94 insertions(+), 93 deletions(-) (limited to 'meta/recipes-connectivity/openssl/openssl') diff --git a/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch b/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch index 21c1d1a4eb..1bd42efc9c 100644 --- a/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch +++ b/meta/recipes-connectivity/openssl/openssl/debian/man-section.patch @@ -1,9 +1,10 @@ Upstream-Status: Backport [debian] -Index: openssl-1.0.0c/Makefile.org -=================================================================== ---- openssl-1.0.0c.orig/Makefile.org 2010-12-12 16:11:37.000000000 +0100 -+++ openssl-1.0.0c/Makefile.org 2010-12-12 16:13:28.000000000 +0100 +Signed-off-by: Sona Sarmadi +--- +diff -ruN a/Makefile.org b/Makefile.org +--- a/Makefile.org 2016-05-04 08:24:51.982013676 +0200 ++++ b/Makefile.org 2016-05-04 08:35:43.581929188 +0200 @@ -160,7 +160,8 @@ MANDIR=/usr/share/man MAN1=1 
@@ -14,21 +15,21 @@ Index: openssl-1.0.0c/Makefile.org HTMLSUFFIX=html HTMLDIR=$(OPENSSLDIR)/html SHELL=/bin/sh -@@ -651,7 +652,7 @@ +@@ -650,7 +651,7 @@ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ - --section=$$sec --center=OpenSSL \ -+ --section=$${sec}$(MANSECTION) --center=OpenSSL \ ++ --section=$${sec}$(MANSECTION) --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ -@@ -668,7 +669,7 @@ +@@ -667,7 +668,7 @@ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ - --section=$$sec --center=OpenSSL \ -+ --section=$${sec}$(MANSECTION) --center=OpenSSL \ ++ --section=$${sec}$(MANSECTION) --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ diff --git a/meta/recipes-connectivity/openssl/openssl/debian/version-script.patch b/meta/recipes-connectivity/openssl/openssl/debian/version-script.patch index ece8b9b46c..ac78adb802 100644 --- a/meta/recipes-connectivity/openssl/openssl/debian/version-script.patch +++ b/meta/recipes-connectivity/openssl/openssl/debian/version-script.patch @@ -1,10 +1,11 @@ Upstream-Status: Backport [debian] -Index: openssl-1.0.1d/Configure -=================================================================== ---- openssl-1.0.1d.orig/Configure 2013-02-06 19:41:43.000000000 +0100 -+++ openssl-1.0.1d/Configure 2013-02-06 19:41:43.000000000 +0100 -@@ -1621,6 +1621,8 @@ +Signed-off-by: Sona Sarmadi +--- +diff -ruN a/Configure b/Configure +--- a/Configure 2016-05-09 12:05:53.135685172 +0200 ++++ b/Configure 2016-05-09 12:07:43.962952937 +0200 +@@ -1667,6 +1667,8 @@ } } 
@@ -13,11 +14,38 @@ Index: openssl-1.0.1d/Configure open(IN,'$Makefile.new") || die "unable to create $Makefile.new:$!\n"; -Index: openssl-1.0.1d/openssl.ld -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.0.1d/openssl.ld 2013-02-06 19:44:25.000000000 +0100 -@@ -0,0 +1,4620 @@ +diff -ruN a/engines/ccgost/openssl.ld b/engines/ccgost/openssl.ld +--- a/engines/ccgost/openssl.ld 1970-01-01 01:00:00.000000000 +0100 ++++ b/engines/ccgost/openssl.ld 2016-05-09 12:07:44.034949863 +0200 +@@ -0,0 +1,10 @@ ++OPENSSL_1.0.0 { ++ global: ++ bind_engine; ++ v_check; ++ OPENSSL_init; ++ OPENSSL_finish; ++ local: ++ *; ++}; ++ +diff -ruN a/engines/openssl.ld b/engines/openssl.ld +--- a/engines/openssl.ld 1970-01-01 01:00:00.000000000 +0100 ++++ b/engines/openssl.ld 2016-05-09 12:07:43.990951742 +0200 +@@ -0,0 +1,10 @@ ++OPENSSL_1.0.0 { ++ global: ++ bind_engine; ++ v_check; ++ OPENSSL_init; ++ OPENSSL_finish; ++ local: ++ *; ++}; ++ +diff -ruN a/openssl.ld b/openssl.ld +--- a/openssl.ld 1970-01-01 01:00:00.000000000 +0100 ++++ b/openssl.ld 2016-05-09 12:34:19.174771028 +0200 +@@ -0,0 +1,4622 @@ +OPENSSL_1.0.0 { + global: + BIO_f_ssl; @@ -4526,6 +4554,8 @@ Index: openssl-1.0.1d/openssl.ld + SSL_SESSION_get_compress_id; + + SRP_VBASE_get_by_user; ++ SRP_VBASE_get1_by_user; ++ SRP_user_pwd_free; + SRP_Calc_server_key; + SRP_create_verifier; + SRP_create_verifier_BN; 
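Review bot: The two additions `++ SRP_VBASE_get1_by_user;` and `++ SRP_user_pwd_free;` are the only export-list changes made for the 1.0.1p to 1.0.1t jump, and nothing in the commit records how the list was reconciled against the full 1.0.1t symbol set. Under this Debian-style version script any exported function that is missing from `openssl.ld` is hidden from the shared library (the two engine scripts added in the same hunk end in `local: *;`, and the main script presumably does too), and that only surfaces later as an unresolved symbol in whatever links against it. It would be worth cross-checking the list against `util/libeay.num` and `util/ssleay.num` in the 1.0.1t tarball before merging, and stating the method in the patch header so the next refresh can repeat it. The updated count in `+@@ -0,0 +1,4622 @@` is consistent with exactly the two new lines.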
@@ -4638,33 +4668,3 @@ Index: openssl-1.0.1d/openssl.ld + CRYPTO_memcmp; +} OPENSSL_1.0.1; + -Index: openssl-1.0.1d/engines/openssl.ld -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.0.1d/engines/openssl.ld 2013-02-06 19:41:43.000000000 +0100 -@@ -0,0 +1,10 @@ -+OPENSSL_1.0.0 { -+ global: -+ bind_engine; -+ v_check; -+ OPENSSL_init; -+ OPENSSL_finish; -+ local: -+ *; -+}; -+ -Index: openssl-1.0.1d/engines/ccgost/openssl.ld -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.0.1d/engines/ccgost/openssl.ld 2013-02-06 19:41:43.000000000 +0100 -@@ -0,0 +1,10 @@ -+OPENSSL_1.0.0 { -+ global: -+ bind_engine; -+ v_check; -+ OPENSSL_init; -+ OPENSSL_finish; -+ local: -+ *; -+}; -+ diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch index 36aa442223..57e39eb673 100644 --- a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch +++ b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch @@ -10,15 +10,19 @@ Signed-off-by: Xufeng Zhang ported the patch to the 1.0.0m version 
Signed-off-by: Brendan Le Foll 2015/03/24 + +Ported the patch to 1.0.1t version. +Signed-off-by: Sona Sarmadi --- ---- a/crypto/evp/digest.c -+++ b/crypto/evp/digest.c -@@ -199,7 +199,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) +diff -ruN a/crypto/evp/digest.c b/crypto/evp/digest.c +--- a/crypto/evp/digest.c 2016-05-03 15:49:00.000000000 +0200 ++++ b/crypto/evp/digest.c 2016-05-04 09:17:47.629259835 +0200 +@@ -199,7 +199,7 @@ type = ctx->digest; } #endif - if (ctx->digest != type) { + if (type && (ctx->digest != type)) { - if (ctx->digest && ctx->digest->ctx_size) + if (ctx->digest && ctx->digest->ctx_size) { OPENSSL_free(ctx->md_data); - ctx->digest = type; + ctx->md_data = NULL; diff --git a/meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch b/meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch index ab1434a0e7..59a4b7ce9a 100644 --- a/meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch +++ b/meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch @@ -9,22 +9,24 @@ Signed-Off-By: Nitin A Kamble 2011/12/01 ported the patch to the 1.0.0m version 
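Review bot: The refreshed guard `+ if (type && (ctx->digest != type)) {` skips the digest swap when `type` is NULL but reports nothing for that case, so execution continues into the rest of EVP_DigestInit_ex outside the hunk with `ctx->digest` possibly still NULL, which only moves the dereference later rather than removing it. The `type = ctx->digest;` fallback visible just above the `#endif` sits inside a conditionally compiled block, so presumably only that build normalises `type` before this point; if the patch exists for the build where that block is compiled out, mirroring the fallback here closes the gap cleanly. The rest of the function body is outside the hunk.
```c
    if (type == NULL) {
        /* No digest requested: reuse the one already set, or fail cleanly
         * instead of dereferencing a NULL ctx->digest further down. */
        if (ctx->digest == NULL) {
            EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_NO_DIGEST_SET);
            return 0;
        }
        type = ctx->digest;
    }
    if (ctx->digest != type) {
        /* … unchanged: md_data release and digest assignment … */
```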
Signed-off-by: Brendan Le Foll 2015/03/24 -Index: openssl-1.0.1e/Configure -=================================================================== ---- openssl-1.0.1e.orig/Configure -+++ openssl-1.0.1e/Configure -@@ -402,6 +402,7 @@ my %table=( + +Ported the patch to 1.0.1t version. +Signed-off-by: Sona Sarmadi 2016/05/09 +--- +diff -ruN a/Configure b/Configure +--- a/Configure 2016-05-04 08:24:51.630028856 +0200 ++++ b/Configure 2016-05-04 09:09:14.987332751 +0200 +@@ -417,6 +417,7 @@ "linux-ia64-ecc","ecc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32", + "linux-x86_64-clang","clang: -m64 -DL_ENDIAN -O3 -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", #### So called "highgprs" target for z/Architecture CPUs - # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see -Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c -=================================================================== 
---- openssl-1.0.1e.orig/crypto/bn/asm/x86_64-gcc.c -+++ openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c +diff -ruN a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c +--- a/crypto/bn/asm/x86_64-gcc.c 2016-05-03 15:49:00.000000000 +0200 ++++ b/crypto/bn/asm/x86_64-gcc.c 2016-05-04 09:07:52.974863300 +0200 @@ -55,7 +55,7 @@ * machine. */ @@ -34,30 +36,8 @@ Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c # define BN_ULONG unsigned long long # else # define BN_ULONG unsigned long -Index: openssl-1.0.1e/crypto/bn/bn.h -=================================================================== ---- openssl-1.0.1e.orig/crypto/bn/bn.h -+++ openssl-1.0.1e/crypto/bn/bn.h -@@ -173,6 +173,13 @@ extern "C" { - # endif - # endif - -+/* Address type. */ -+# ifdef _WIN64 -+# define BN_ADDR unsigned long long -+# else -+# define BN_ADDR unsigned long -+# endif -+ - /* - * assuming long is 64bit - this is the DEC Alpha unsigned long long is only - * 64 bits :-(, don't define BN_LLONG for the DEC Alpha -Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c -=================================================================== ---- openssl-1.0.1m/crypto/bn/asm/x86_64-gcc.c 2015-03-19 13:37:10.000000000 +0000 -+++ openssl-1.0.1m-modif/crypto/bn/asm/x86_64-gcc.c 2015-04-14 17:09:11.876533194 +0100 @@ -211,9 +211,9 @@ - + asm volatile (" subq %2,%2 \n" ".p2align 4 \n" - "1: movq (%4,%2,8),%0 \n" @@ -70,7 +50,7 @@ Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c " loop 1b \n" " sbbq %0,%0 \n":"=&a" (ret), "+c"(n), @@ -235,9 +235,9 @@ - + asm volatile (" subq %2,%2 \n" ".p2align 4 \n" - "1: movq (%4,%2,8),%0 \n" 
@@ -81,12 +61,11 @@ Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c + " movq %0,(%q3,%2,8) \n" " leaq 1(%2),%2 \n" " loop 1b \n" - " sbbq %0,%0 \n":"=&a" (ret), "+c"(n) -Index: openssl-1.0.1e/crypto/bn/bn_exp.c -=================================================================== ---- openssl-1.0.1e.orig/crypto/bn/bn_exp.c -+++ openssl-1.0.1e/crypto/bn/bn_exp.c -@@ -572,7 +572,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, + " sbbq %0,%0 \n":"=&a" (ret), "+c"(n), +diff -ruN a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c +--- a/crypto/bn/bn_exp.c 2016-05-03 15:49:00.000000000 +0200 ++++ b/crypto/bn/bn_exp.c 2016-05-04 09:07:52.974863300 +0200 +@@ -622,7 +622,7 @@ * multiple. */ #define MOD_EXP_CTIME_ALIGN(x_) \ @@ -95,3 +74,20 @@ Index: openssl-1.0.1e/crypto/bn/bn_exp.c /* * This variant of BN_mod_exp_mont() uses fixed windows and the special +diff -ruN a/crypto/bn/bn.h b/crypto/bn/bn.h +--- a/crypto/bn/bn.h 2016-05-03 15:49:00.000000000 +0200 ++++ b/crypto/bn/bn.h 2016-05-04 09:07:52.974863300 +0200 +@@ -174,6 +174,13 @@ + # endif + # endif + ++/* Address type. */ ++# ifdef _WIN64 ++# define BN_ADDR unsigned long long ++# else ++# define BN_ADDR unsigned long ++# endif ++ + /* + * assuming long is 64bit - this is the DEC Alpha unsigned long long is only + * 64 bits :-(, don't define BN_LLONG for the DEC Alpha -- cgit v1.2.3-54-g00ecf
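Review bot: `BN_ADDR` in the bn.h hunk (`@@ -95,3 +74,20 @@`) is keyed on `_WIN64` rather than on pointer width, so it is an OS-specific stand-in for a pointer-sized integer; on x32 it is correct only because `unsigned long` and pointers are both 32 bits there, which the `/* Address type. */` comment does not record. A one-line note on the `# ifdef _WIN64`, e.g. `/* integer wide enough to hold a pointer; uintptr_t not used here (TODO confirm the tree's compiler baseline) */`, would save the next porter re-deriving that, since the reason is not visible in this view. The type presumably feeds `MOD_EXP_CTIME_ALIGN` in the bn_exp.c hunk just before (`@@ -81,12 +61,11 @@`), which by its name aligns the scratch buffer of the constant-time modular exponentiation, so the changed macro line (not shown here) deserves an explicit check that the resulting alignment is unchanged on both x32 and LP64. The corrected context line `" sbbq %0,%0 \n":"=&a" (ret), "+c"(n),` in that same hunk is what lets the patch apply without fuzz on 1.0.1t, which looks right.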