path: root/meta/recipes-connectivity/openssl
Commit message | Author | Age | Files | Lines
* openssl: fix for CVE-2010-5298 | Yue Tao | 2014-06-09 | 2 | -0/+25
  Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
  (From OE-Core master rev: 751f81ed8dc488c500837aeb3eb41ebf3237e10b)
  Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
* openssl: fix CVE-2014-3470 | Paul Eggleton | 2014-06-09 | 2 | -0/+32
  From the OpenSSL Security Advisory [05 Jun 2014]
  http://www.openssl.org/news/secadv_20140605.txt
  Anonymous ECDH denial of service (CVE-2014-3470)
  OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
  (Patch borrowed from Fedora.)
  Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
* openssl: fix CVE-2014-0224 | Paul Eggleton | 2014-06-09 | 2 | -0/+104
  From the OpenSSL Security Advisory [05 Jun 2014]
  http://www.openssl.org/news/secadv_20140605.txt
  SSL/TLS MITM vulnerability (CVE-2014-0224)
  An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
  The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
  (Patch borrowed from Fedora.)
  Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
* openssl: fix CVE-2014-0221 | Paul Eggleton | 2014-06-09 | 2 | -0/+39
  From the OpenSSL Security Advisory [05 Jun 2014]
  http://www.openssl.org/news/secadv_20140605.txt
  DTLS recursion flaw (CVE-2014-0221)
  By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack.
  Only applications using OpenSSL as a DTLS client are affected.
  (Patch borrowed from Fedora.)
  Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
* openssl: use upstream fix for CVE-2014-0198 | Paul Eggleton | 2014-06-09 | 3 | -24/+39
  This replaces the fix for CVE-2014-0198 with one borrowed from Fedora, which is the same as the patch which was actually applied upstream for the issue, i.e.:
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b107586c0c3447ea22dba8698ebbcd81bb29d48c
  Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
* openssl: fix CVE-2014-0195 | Paul Eggleton | 2014-06-09 | 2 | -0/+41
  From the OpenSSL Security Advisory [05 Jun 2014]
  http://www.openssl.org/news/secadv_20140605.txt
  DTLS invalid fragment vulnerability (CVE-2014-0195)
  A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.
  Only applications using OpenSSL as a DTLS client or server affected.
  (Patch borrowed from Fedora.)
  Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
* openssl: fix CVE-2014-0198 | Maxin B. John | 2014-05-12 | 2 | -1/+25
  A null pointer dereference bug was discovered in do_ssl3_write(). An attacker could possibly use this to cause OpenSSL to crash, resulting in a denial of service.
  https://access.redhat.com/security/cve/CVE-2014-0198
  Signed-off-by: Maxin B. John <maxin.john@enea.com>
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: bump PR | Paul Eggleton | 2014-04-11 | 1 | -1/+1
  We don't normally do this, but with the recent CVE fixes (most importantly the one for the serious CVE-2014-0160 vulnerability) I am bumping PR explicitly to make it a bit more obvious that the patch has been applied.
  Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: backport fix for CVE-2014-0160 | Paul Eggleton | 2014-04-09 | 2 | -0/+119
  Fixes the "heartbleed" TLS vulnerability (CVE-2014-0160). More information here:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
  Patch borrowed from Debian; this is just a tweaked version of the upstream commit (without patching the CHANGES file which otherwise would fail to apply on top of this version).
  Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Security Advisory - openssl - CVE-2013-6449 | Yue Tao | 2014-04-09 | 2 | -0/+34
  The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
  (From OE-Core master rev: 3e0ac7357a962e3ef6595d21ec4843b078a764dd)
  Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Security Advisory - openssl - CVE-2013-6450 | Yue Tao | 2014-04-09 | 2 | -0/+82
  The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
  (From OE-Core master rev: 94352e694cd828aa84abd846149712535f48ab0f)
  Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Security Advisory - openssl - CVE-2013-4353 | Yue Tao | 2014-04-09 | 2 | -0/+32
  The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.
  (From OE-Core master rev: 35ccce7002188c8270d2fead35f9763b22776877)
  Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Add fix for cipher des-ede3-cfb1 | Muhammad Shakeel | 2013-07-04 | 2 | -0/+23
  Add patch file for one of the ciphers used in openssl, namely the cipher des-ede3-cfb1. Details of the bug, without this patch, can be found here.
  http://rt.openssl.org/Ticket/Display.html?id=2867
  (From OE-Core master rev: ed61c28b9af2f11f46488332b80752b734a3cdeb)
  Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com>
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: fix documentation build errors with Perl 5.18 pod2man | Jonathan Liu | 2013-07-04 | 2 | -0/+436
  (From OE-Core master rev: 8792b7fb4ef8d66336d52de7e81efbb818e16b08)
  Signed-off-by: Jonathan Liu <net147@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Disable parallel make | Phil Blundell | 2013-06-10 | 1 | -0/+1
  Otherwise you get errors like:
  | ../libcrypto.so: file not recognized: File truncated
  | collect2: error: ld returned 1 exit status
  | make[2]: *** [link_o.gnu] Error 1
  (From OE-Core master rev: 61c21a0f7a2041446a82b76ee3658fda5dfbff1d)
  Signed-off-by: Phil Blundell <philb@gnu.org>
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: update range information in man-section.patch | Ting Liu | 2013-04-16 | 1 | -3/+3
  do_patch failed after upgrading to openssl-1.0.1e.
  Log:
  | ERROR: Command Error: exit status: 1 Output:
  | Applying patch man-section.patch
  | patching file Makefile.org
  | Hunk #1 succeeded at 160 (offset 26 lines).
  | Hunk #2 succeeded at 626 (offset 19 lines).
  | misordered hunks! output would be garbled
  | Hunk #3 FAILED at 633.
  | 1 out of 3 hunks FAILED -- rejects in file Makefile.org
  | Patch man-section.patch does not apply (enforce with -f)
  | ERROR: Function failed: patch_do_patch
  | ERROR: Logfile of failure stored in:temp/log.do_patch.14679
  | ERROR: Task 646 (virtual:native:openssl_1.0.1e.bb, do_patch) failed with exit code '1'
  Change-Id: Ib63031fdbd09443e387ee57efa70381e0aca382c
  Signed-off-by: Ting Liu <b28495@freescale.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Upgrade to v1.0.1e | Radu Moisan | 2013-04-09 | 20 | -387/+482
  Dropped obsolete patches and pulled updates for debian patches.
  Addresses CVEs:
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2686
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0166
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169
  [YOCTO #3965]
  Signed-off-by: Radu Moisan <radu.moisan@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: build always with -Wa,--noexecstack | Enrico Scholz | 2013-03-18 | 1 | -5/+3
  There is no reason to disable exec-stack only for -native builds; binaries on the target will suffer from the same SELinux ACLs.
  OpenSSL does not use executable stack so this option can be disabled unconditionally.
  Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* recipes: Fix ALLOW_EMPTY with no package specified | Richard Purdie | 2013-03-04 | 1 | -1/+1
  There are various usages of ALLOW_EMPTY with no packages specified. This is not recommended syntax, nor is it likely to be supported in the future. This patch improves the references in OE-Core, either removing them if they're pointless (e.g. when PACKAGES="") or specifying which package it applies to.
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Add mips64 configure support. | Randy MacLeod | 2013-02-08 | 1 | -0/+3
  Add mips64 configure support but assume mips(32) userspace.
  Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* ocf-linux: Update to 20120127 | Saul Wold | 2012-12-03 | 3 | -8/+7
  README changes to update the CHKSUM
  ocf directory is now in main tarball so no need to untar now.
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* recipes-connectivity: replace virtclass-native(sdk) with class-native(sdk) | Robert Yang | 2012-11-02 | 1 | -1/+1
  The overrides virtclass-native and virtclass-nativesdk are deprecated, which should be replaced by class-native and class-nativesdk.
  [YOCTO #3297]
  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssl: Use ${CFLAGS} not ${FULL_OPTIMIZATION} | Phil Blundell | 2012-10-30 | 1 | -1/+1
  The latter variable is only applicable for target builds and could result in passing incompatible options (and/or failing to pass required options) to ${BUILD_CC} for a virtclass-native build.
  Signed-off-by: Phil Blundell <philb@gnu.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: add AArch64 support | Marcin Juszkiewicz | 2012-10-18 | 2 | -6/+13
  Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssl: upgrade to 1.0.0j | Scott Garman | 2012-07-22 | 18 | -2/+2
  Addresses CVE-2012-2333
  Fixes [YOCTO #2682]
  Signed-off-by: Scott Garman <scott.a.garman@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: add deprecated and unmaintained find.pl from perl-5.14 to fix perlpath.pl | Martin Jansa | 2012-06-21 | 2 | -1/+60
  * openembedded-core/meta/recipes-connectivity/openssl/openssl.inc
  *
  * is using perlpath.pl:
  *
  * do_configure () {
  * cd util
  * perl perlpath.pl ${STAGING_BINDIR_NATIVE}
  * ...
  *
  * and perlpath.pl is using find.pl:
  * openssl-1.0.0i/util/perlpath.pl:
  * #!/usr/local/bin/perl
  * #
  * # modify the '#!/usr/local/bin/perl'
  * # line in all scripts that rely on perl.
  * #
  *
  * require "find.pl";
  * ...
  *
  * which was removed in perl-5.16.0 and marked as deprecated and
  * unmaintained in 5.14 and older:
  * /tmp/usr/lib/perl5/5.14.2/find.pl:
  * warn "Legacy library @{[(caller(0))[6]]} will be removed from the Perl
  * core distribution in the next major release. Please install it from the
  * CPAN distribution Perl4::CoreLibs. It is being used at @{[(caller)[1]]},
  * line @{[(caller)[2]]}.\n";
  *
  * # This library is deprecated and unmaintained. It is included for
  * # compatibility with Perl 4 scripts which may use it, but it will be
  * # removed in a future version of Perl. Please use the File::Find module
  * # instead.
  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* openssl: Fix build for mips64(el) | Khem Raj | 2012-05-09 | 2 | -9/+9
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* openssl: fix incorrect INC_PR | Scott Garman | 2012-05-08 | 1 | -1/+2
  Restore INC_PR to r15 to prevent breakage with out of tree openssl recipes (e.g., meta-oe).
  Signed-off-by: Scott Garman <scott.a.garman@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: upgrade to 1.0.0i | Scott Garman | 2012-04-25 | 18 | -4/+3
  Addresses CVE-2012-2110
  Fixes bug [YOCTO #2368]
  Signed-off-by: Scott Garman <scott.a.garman@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: upgrade to 1.0.0.h | Scott Garman | 2012-03-21 | 18 | -39/+2
  Removed pkg-config.patch, which was incorporated upstream.
  Addresses CVE-2012-0884.
  Fixes bug [YOCTO #2139].
  Signed-off-by: Scott Garman <scott.a.garman@intel.com>
* openssl: Move libcrypto to base_libdir | Andrei Gherzan | 2012-02-23 | 2 | -2/+10
  This fix is for dhclient. It needs libcrypto at runtime and if libcrypto is in libdir, its path can be inaccessible on systems where /usr is on nfs for example or dhclient is needed before /usr is mounted.
  Signed-off-by: Andrei Gherzan <andrei@gherzan.ro>
  [Fix comment to from /usr -> /lib - sgw]
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssl-0.9.8: Remove in favor of 1.0.0 | Saul Wold | 2012-02-07 | 24 | -1678/+0
  Now that Openssl 1.0.0 has been out for a while, there is no need to keep multiple versions.
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssl: Update to 0.9.8t (gplv2) | Saul Wold | 2012-02-02 | 24 | -0/+0
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssl: Update to 1.0.0g | Saul Wold | 2012-02-02 | 18 | -2/+2
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssl-1.0.0: Update to 1.0.0e and fix QA Warning | Saul Wold | 2012-01-17 | 18 | -4/+4
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4108
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4576
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4577
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4619
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0027
  [YOCTO #1905]
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssl-0.9.8: Update to 0.9.8s | Saul Wold | 2012-01-17 | 24 | -4/+4
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4108
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4109
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4576
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4577
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4619
  [YOCTO #1904]
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* misc patches: fix patch headers | Nitin A Kamble | 2012-01-03 | 1 | -1/+1
  These patches were marked by "UpstreamStatus:" line, fix it to use "Upstream-Status:" instead.
  Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
* openssl-1.0.0e: Update x32 Configure | H.J. Lu | 2011-12-12 | 1 | -1/+1
  Make linux-x32 as close to linux-x86_64 as possible:
  1. Add -mx32 -DMD32_REG_T=int.
  2. Changed to -O3.
  3. Remove -pipe -g -feliminate-unused-debug-types.
  4. Remove -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS.
  5. Add :::x32 for multilib.
  Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com>
  Signed-Off-By: H.J. Lu <hjl.tools@gmail.com>
* openssl-1.0.0e: fix to work with x32 toolchain | Nitin A Kamble | 2011-12-05 | 3 | -10/+98
  Add BN_ADDR for address type instead of using BN_ULONG or unsigned long:
  1. For W64, address type is unsigned long long, not unsigned long.
  2. For x32, address type is unsigned long, not BN_ULONG.
  Added a new target linux-x32 in the config file
  The do_install() code to move lib/* to lib64 is not needed now with the enhanced multilib support.
  Make the x86-64 assembly syntax compatible with x32 compiler.
  Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
  Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Add openssl 1.0 | Saul Wold | 2011-11-30 | 18 | -4/+5280
  * Thanks to meta-oe for this contribution
  * Add Patch Upstream-Status info
  * Merged the meta-oe version of openssl-1.0.inc with openssl.inc
  * Fix make install parallel issue with PARALLEL_MAKEINST = ""
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssl-0.9.8: move parallel-make fix to 0.9.8 | Saul Wold | 2011-11-30 | 2 | -2/+2
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* ocf-linux: Add ocf-linux to support openssl 1.0 | Saul Wold | 2011-11-30 | 2 | -0/+31
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* libcense.bbclass: fix OpenSSL mapping | Martin Jansa | 2011-11-07 | 1 | -1/+1
  [YOCTO #1712]
  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
  Fixed YOCTO bug format and location
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssl: Ensure perl scripts reference the correct perl | Richard Purdie | 2011-09-28 | 2 | -1/+2
  Without this change the perl path from the build system is used.
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: Rename SITEINFO_ENDIANESS to SITEINFO_ENDIANNESS | Khem Raj | 2011-07-26 | 2 | -2/+2
  There is this discrepancy in spelling. Let's fix it in core. There are lot of layers using SITEINFO_ENDIANNESS
  This was shielded since meta-oe had its own copy of siteinfo class. But that class has now been deleted in favor of oe-core
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Add handling for building on linux-powerpc64 | Kumar Gala | 2011-07-22 | 1 | -0/+3
  If trying to build for a ppc64 target openssl will fail to build since the configure script didn't know how to handle a 'linux-powerpc64' target.
  Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Add handling for linux-gnuspe-powerpc | Kumar Gala | 2011-07-20 | 2 | -1/+4
  If trying to build for an e500v2 target openssl will fail to build since the configure script didn't know how to handle a 'gnuspe' target.
  Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
* openssl: pass ${mandir} explicitly to "make install" | Phil Blundell | 2011-07-14 | 2 | -2/+2
  Otherwise it will use the openssl internal default of /usr/share/man which may not be correct.
  Signed-off-by: Phil Blundell <philb@gnu.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: fix for non /usr/lib libdir case | Yu Ke | 2011-07-12 | 2 | -2/+2
  If libdir is not /usr/lib, e.g. /usr/lib64, openssl build will fail because it still uses /usr/lib as library dir.
  This patch appends the configure option "--libdir" to specify the correct library directory.
  Signed-off-by: Yu Ke <ke.yu@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: should depend on perl-native-runtime rather than perl-native | Dexuan Cui | 2011-06-14 | 2 | -2/+2
  Signed-off-by: Dexuan Cui <dexuan.cui@intel.com>