diff options
| author | John Klug <john.klug@multitech.com> | 2017-03-02 19:04:08 -0600 |
|---|---|---|
| committer | John Klug <john.klug@multitech.com> | 2017-03-02 19:04:08 -0600 |
| commit | c4358577e54f6368070121718f6fd1cd54c34acf (patch) | |
| tree | c23b726798fda75ac6614d710f7b90f1a474010f | |
| parent | 196a4a0cdb26d3a2ff5d2b8fcf65b19c113ecb86 (diff) | |
| download | meta-mlinux-c4358577e54f6368070121718f6fd1cd54c34acf.tar.gz meta-mlinux-c4358577e54f6368070121718f6fd1cd54c34acf.tar.bz2 meta-mlinux-c4358577e54f6368070121718f6fd1cd54c34acf.zip | |
Add debian backport patches
21 files changed, 5835 insertions, 0 deletions
diff --git a/recipes-connectivity/openssl/openssl/debian_bpo8+1/Mark-3DES-and-RC4-ciphers-as-weak.patch b/recipes-connectivity/openssl/openssl/debian_bpo8+1/Mark-3DES-and-RC4-ciphers-as-weak.patch new file mode 100644 index 0000000..31df8fc --- /dev/null +++ b/recipes-connectivity/openssl/openssl/debian_bpo8+1/Mark-3DES-and-RC4-ciphers-as-weak.patch @@ -0,0 +1,429 @@ +From e9f3a3d6d707c5f9b8d67f44f8d7283296935415 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +Date: Sun, 18 Dec 2016 15:37:52 +0100 +Subject: [PATCH] Mark 3DES and RC4 ciphers as weak + +This disables RC4 and 3DES in our build + +Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +--- + ssl/s3_lib.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 58 insertions(+), 1 deletion(-) + +diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c +index 0385e039c8d4..cf785f994917 100644 +--- a/ssl/s3_lib.c ++++ b/ssl/s3_lib.c +@@ -216,6 +216,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 04 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_RSA_RC4_128_MD5, +@@ -230,8 +231,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher 05 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_RSA_RC4_128_SHA, +@@ -246,7 +249,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, +- ++#endif + /* Cipher 06 */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { +@@ -320,6 +323,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 0A */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_RSA_DES_192_CBC3_SHA, +@@ -334,6 +338,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* The DH ciphers */ + /* Cipher 0B */ +@@ -373,6 +378,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 0D */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, +@@ -387,6 +393,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 0E */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +@@ -425,6 +432,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 10 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, +@@ -439,6 +447,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* The Ephemeral DH ciphers */ + /* Cipher 11 */ +@@ -478,6 +487,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 13 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, +@@ -492,6 +502,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 14 */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +@@ -530,6 +541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 16 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, +@@ -544,6 +556,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 17 */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +@@ -564,6 +577,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 18 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_ADH_RC4_128_MD5, +@@ -578,6 +592,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher 19 */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +@@ -616,6 +631,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 1B */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_ADH_DES_192_CBC_SHA, +@@ -630,6 +646,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Fortezza ciphersuite from SSL 3.0 spec */ + #if 0 +@@ -703,6 +720,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + # endif + + /* Cipher 1F */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_KRB5_DES_192_CBC3_SHA, +@@ -717,8 +735,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 20 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_KRB5_RC4_128_SHA, +@@ -733,6 +753,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher 21 */ + { +@@ -769,6 +790,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + # endif + + /* Cipher 23 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_KRB5_DES_192_CBC3_MD5, +@@ -783,8 +805,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 24 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_KRB5_RC4_128_MD5, +@@ -799,6 +823,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher 25 */ + { +@@ -1418,6 +1443,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + # endif + + /* Cipher 66 */ ++# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, +@@ -1433,6 +1459,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + }, + #endif ++#endif + + /* TLS v1.2 ciphersuites */ + /* Cipher 67 */ +@@ -1703,6 +1730,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + + #ifndef OPENSSL_NO_PSK + /* Cipher 8A */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_PSK_WITH_RC4_128_SHA, +@@ -1717,8 +1745,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher 8B */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA, +@@ -1733,6 +1763,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 8C */ + { +@@ -2095,6 +2126,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + }, + + /* Cipher C002 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, +@@ -2109,8 +2141,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher C003 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, +@@ -2125,6 +2159,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C004 */ + { +@@ -2175,6 +2210,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + }, + + /* Cipher C007 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, +@@ -2189,8 +2225,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher C008 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, +@@ -2205,6 +2243,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C009 */ + { +@@ -2255,6 +2294,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + }, + + /* Cipher C00C */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, +@@ -2269,8 +2309,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher C00D */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, +@@ -2285,6 +2327,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C00E */ + { +@@ -2335,6 +2378,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + }, + + /* Cipher C011 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, +@@ -2349,8 +2393,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher C012 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, +@@ -2365,6 +2411,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C013 */ + { +@@ -2415,6 +2462,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + }, + + /* Cipher C016 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, +@@ -2429,8 +2477,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher C017 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, +@@ -2445,6 +2495,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C018 */ + { +@@ -2481,6 +2532,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + + #ifndef OPENSSL_NO_SRP + /* Cipher C01A */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA, +@@ -2495,8 +2547,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C01B */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, +@@ -2511,8 +2565,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C01C */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, +@@ -2527,6 +2583,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C01D */ + { +-- +2.1.4 + diff --git a/recipes-connectivity/openssl/openssl/debian_bpo8+1/README b/recipes-connectivity/openssl/openssl/debian_bpo8+1/README new file mode 100644 index 0000000..0053096 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/debian_bpo8+1/README @@ -0,0 +1,4 @@ +This patch list is from jessie-backports: +Package: openssl (1.0.2k-1~bpo8+1) +Secure Sockets Layer toolkit - cryptographic utility +https://packages.debian.org/jessie-backports/openssl diff --git a/recipes-connectivity/openssl/openssl/debian_bpo8+1/block_digicert_malaysia.patch b/recipes-connectivity/openssl/openssl/debian_bpo8+1/block_digicert_malaysia.patch new file mode 100644 index 0000000..877d534 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/debian_bpo8+1/block_digicert_malaysia.patch @@ -0,0 +1,26 @@ +From: Raphael Geissert <geissert@debian.org> +Description: make X509_verify_cert indicate that any certificate whose + name contains "Digicert Sdn. Bhd." (from Malaysia) is revoked. +Forwarded: not-needed +Origin: vendor +Last-Update: 2011-11-05 + +Index: openssl-1.0.2~beta1/crypto/x509/x509_vfy.c +=================================================================== +--- openssl-1.0.2~beta1.orig/crypto/x509/x509_vfy.c 2014-02-25 00:16:12.488028844 +0100 ++++ openssl-1.0.2~beta1/crypto/x509/x509_vfy.c 2014-02-25 00:16:12.484028929 +0100 +@@ -964,10 +964,11 @@ + for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) + { + x = sk_X509_value(ctx->chain, i); +- /* Mark DigiNotar certificates as revoked, no matter +- * where in the chain they are. ++ /* Mark certificates containing the following names as ++ * revoked, no matter where in the chain they are. + */ +- if (x->name && strstr(x->name, "DigiNotar")) ++ if (x->name && (strstr(x->name, "DigiNotar") || ++ strstr(x->name, "Digicert Sdn. Bhd."))) + { + ctx->error = X509_V_ERR_CERT_REVOKED; + ctx->error_depth = i; diff --git a/recipes-connectivity/openssl/openssl/debian_bpo8+1/block_diginotar.patch b/recipes-connectivity/openssl/openssl/debian_bpo8+1/block_diginotar.patch new file mode 100644 index 0000000..2cbbb10 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/debian_bpo8+1/block_diginotar.patch @@ -0,0 +1,64 @@ +From: Raphael Geissert <geissert@debian.org> +Description: make X509_verify_cert indicate that any certificate whose + name contains "DigiNotar" is revoked. +Forwarded: not-needed +Origin: vendor +Last-Update: 2011-09-08 +Bug: http://bugs.debian.org/639744 +Reviewed-by: Kurt Roeckx <kurt@roeckx.be> +Reviewed-by: Dr Stephen N Henson <shenson@drh-consultancy.co.uk> + +This is not meant as final patch. + +Index: openssl-1.0.2g/crypto/x509/x509_vfy.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/x509/x509_vfy.c ++++ openssl-1.0.2g/crypto/x509/x509_vfy.c +@@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c + static int check_revocation(X509_STORE_CTX *ctx); + static int check_cert(X509_STORE_CTX *ctx); + static int check_policy(X509_STORE_CTX *ctx); ++static int check_ca_blacklist(X509_STORE_CTX *ctx); + + static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, + unsigned int *preasons, X509_CRL *crl, X509 *x); +@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx + if (!ok) + goto err; + ++ ok = check_ca_blacklist(ctx); ++ if(!ok) goto err; ++ + #ifndef OPENSSL_NO_RFC3779 + /* RFC 3779 path validation, now that CRL check has been done */ + ok = v3_asid_validate_path(ctx); +@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX + return 1; + } + ++static int check_ca_blacklist(X509_STORE_CTX *ctx) ++ { ++ X509 *x; ++ int i; ++ /* Check all certificates against the blacklist */ ++ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) ++ { ++ x = sk_X509_value(ctx->chain, i); ++ /* Mark DigiNotar certificates as revoked, no matter ++ * where in the chain they are. ++ */ ++ if (x->name && strstr(x->name, "DigiNotar")) ++ { ++ ctx->error = X509_V_ERR_CERT_REVOKED; ++ ctx->error_depth = i; ++ ctx->current_cert = x; ++ if (!ctx->verify_cb(0,ctx)) ++ return 0; ++ } ++ } ++ return 1; ++ } ++ + static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, + X509 **pissuer, int *pscore, unsigned int *preasons, + STACK_OF(X509_CRL) *crls) diff --git a/recipes-connectivity/openssl/openssl/debian_bpo8+1/c_rehash-compat.patch b/recipes-connectivity/openssl/openssl/debian_bpo8+1/c_rehash-compat.patch new file mode 100644 index 0000000..102210a --- /dev/null +++ b/recipes-connectivity/openssl/openssl/debian_bpo8+1/c_rehash-compat.patch @@ -0,0 +1,73 @@ +From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel <ludwig.nussel@suse.de> +Date: Wed, 21 Apr 2010 15:52:10 +0200 +Subject: [PATCH] also create old hash for compatibility + +--- + tools/c_rehash.in | 8 +++++++- + 1 files changed, 7 insertions(+), 1 deletions(-) + +Index: openssl-1.0.2b/tools/c_rehash.in +=================================================================== +--- openssl-1.0.2b.orig/tools/c_rehash.in ++++ openssl-1.0.2b/tools/c_rehash.in +@@ -8,8 +8,6 @@ my $prefix; + + my $openssl = $ENV{OPENSSL} || "openssl"; + my $pwd; +-my $x509hash = "-subject_hash"; +-my $crlhash = "-hash"; + my $verbose = 0; + my $symlink_exists=eval {symlink("",""); 1}; + my $removelinks = 1; +@@ -18,10 +16,7 @@ my $removelinks = 1; + while ( $ARGV[0] =~ /^-/ ) { + my $flag = shift @ARGV; + last if ( $flag eq '--'); +- if ( $flag eq '-old') { +- $x509hash = "-subject_hash_old"; +- $crlhash = "-hash_old"; +- } elsif ( $flag eq '-h') { ++ if ( $flag eq '-h') { + help(); + } elsif ( $flag eq '-n' ) { + $removelinks = 0; +@@ -113,7 +108,9 @@ sub hash_dir { + next; + } + link_hash_cert($fname) if($cert); ++ link_hash_cert_old($fname) if($cert); + link_hash_crl($fname) if($crl); ++ link_hash_crl_old($fname) if($crl); + } + } + +@@ -146,6 +143,7 @@ sub check_file { + + sub link_hash_cert { + my $fname = $_[0]; ++ my $x509hash = $_[1] || '-subject_hash'; + $fname =~ s/'/'\\''/g; + my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; + chomp $hash; +@@ -177,10 +175,20 @@ sub link_hash_cert { + $hashlist{$hash} = $fprint; + } + ++sub link_hash_cert_old { ++ link_hash_cert($_[0], '-subject_hash_old'); ++} ++ ++sub link_hash_crl_old { ++ link_hash_crl($_[0], '-hash_old'); ++} ++ ++ + # Same as above except for a CRL. CRL links are of the form <hash>.r<n> + + sub link_hash_crl { + my $fname = $_[0]; ++ my $crlhash = $_[1] || "-hash"; + $fname =~ s/'/'\\''/g; + my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; + chomp $hash; diff --git a/recipes-connectivity/openssl/openssl/debian_bpo8+1/config-hurd.patch b/recipes-connectivity/openssl/openssl/debian_bpo8+1/config-hurd.patch new file mode 100644 index 0000000..abe35f6 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/debian_bpo8+1/config-hurd.patch @@ -0,0 +1,17 @@ +--- + config | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/config ++++ b/config +@@ -170,8 +170,8 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${ + echo "${MACHINE}-whatever-linux1"; exit 0 + ;; + +- GNU*) +- echo "hurd-x86"; exit 0; ++ GNU:*|GNU/*:*) ++ echo "${MACHINE}-gnuish"; exit 0; + ;; + + LynxOS:*) diff --git a/recipes-connectivity/openssl/openssl/debian_bpo8+1/debian-targets.patch b/recipes-connectivity/openssl/openssl/debian_bpo8+1/debian-targets.patch new file mode 100644 index 0000000..d2f8420 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/debian_bpo8+1/debian-targets.patch @@ -0,0 +1,72 @@ +Index: openssl-1.0.2g/Configure +=================================================================== +--- openssl-1.0.2g.orig/Configure ++++ openssl-1.0.2g/Configure +@@ -131,6 +131,10 @@ my $clang_devteam_warn = "-Wno-unused-pa + # Warn that "make depend" should be run? + my $warn_make_depend = 0; + ++# There are no separate CFLAGS/CPPFLAGS/LDFLAGS, set everything in CFLAGS ++my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall"; ++$debian_cflags =~ s/\n/ /g; ++ + my $strict_warnings = 0; + + my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL"; +@@ -367,6 +371,56 @@ my %table=( + "osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so", + "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so", + ++# Debian GNU/* (various architectures) ++"debian-alpha","gcc:${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-alpha-ev4","gcc:${debian_cflags} -mcpu=ev4::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-alpha-ev5","gcc:${debian_cflags} -mcpu=ev5::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-arm64","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-armel","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-armhf","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-amd64", "gcc:-m64 -DL_ENDIAN ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::", ++"debian-avr32", "gcc:-DB_ENDIAN ${debian_cflags} -fomit-frame-pointer::-D_REENTRANT::-ldl:BN_LLONG_BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-kfreebsd-amd64","gcc:-m64 -DL_ENDIAN ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-kfreebsd-i386","gcc:-DL_ENDIAN ${debian_cflags} -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-hppa","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-hurd-i386","gcc:-DL_ENDIAN -O3 -Wa,--noexecstack -g -mtune=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-ia64","gcc:${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-i386","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-i386-i486","gcc:-DL_ENDIAN ${debian_cflags} -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-i386-i586","gcc:-DL_ENDIAN ${debian_cflags} -march=i586::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-i386-i686/cmov","gcc:-DL_ENDIAN ${debian_cflags} -march=i686::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-m68k","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-mips", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-mipsel", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-mipsn32", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-mipsn32el", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-mips64", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-mips64el", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-netbsd-i386", "gcc:-DL_ENDIAN ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-netbsd-m68k", "gcc:-DB_ENDIAN ${debian_cflags}::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-netbsd-sparc", "gcc:-DB_ENDIAN ${debian_cflags} -mv8::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-nios2", "gcc:-DB_ENDIAN ${debian_cflags}::(unknown)::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-openbsd-alpha","gcc:${debian_cflags}::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-openbsd-i386", "gcc:-DL_ENDIAN ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-openbsd-mips","gcc:-DL_ENDIAN ${debian_cflags}::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-or1k", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-powerpc","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-powerpcspe","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-ppc64","gcc:-m64 -DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-ppc64el","gcc:-m64 -DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-s390","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-s390x","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-sh3", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-sh4", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-sh3eb", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-sh4eb", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-m32r","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-sparc","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-sparc-v8","gcc:-DB_ENDIAN ${debian_cflags} -mcpu=v8 -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-sparc-v9","gcc:-DB_ENDIAN ${debian_cflags} -mcpu=v9 -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-sparc64","gcc:-m64 -DB_ENDIAN ${debian_cflags} -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-x32","gcc:-mx32 -DL_ENDIAN ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32", ++ + #### + #### Variety of LINUX:-) + #### diff --git a/recipes-connectivity/openssl/openssl/debian_bpo8+1/disable_freelist.patch b/recipes-connectivity/openssl/openssl/debian_bpo8+1/disable_freelist.patch new file mode 100644 index 0000000..354fed8 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/debian_bpo8+1/disable_freelist.patch @@ -0,0 +1,32 @@ +From: Kurt Roeckx <kurt@roeckx.be> +Subject: Disable the freelist + +We don't define OPENSSL_NO_BUF_FREELISTS globally sinc it changes structures and +would break the ABI. Instead we just do it in the .c files that try to do +something with it. + +Index: openssl-1.0.2/ssl/s3_both.c +=================================================================== +--- openssl-1.0.2.orig/ssl/s3_both.c ++++ openssl-1.0.2/ssl/s3_both.c +@@ -573,6 +573,7 @@ int ssl_verify_alarm_type(long type) + return (al); + } + ++#define OPENSSL_NO_BUF_FREELISTS + #ifndef OPENSSL_NO_BUF_FREELISTS + /*- + * On some platforms, malloc() performance is bad enough that you can't just +Index: openssl-1.0.2/ssl/ssl_lib.c +=================================================================== +--- openssl-1.0.2.orig/ssl/ssl_lib.c ++++ openssl-1.0.2/ssl/ssl_lib.c +@@ -162,6 +162,8 @@ + + const char *SSL_version_str = OPENSSL_VERSION_TEXT; + ++#define OPENSSL_NO_BUF_FREELISTS ++ + SSL3_ENC_METHOD ssl3_undef_enc_method = { + /* + * evil casts, but these functions are only called if there's a library diff --git a/recipes-connectivity/openssl/openssl/debian_bpo8+1/engines-path.patch b/recipes-connectivity/openssl/openssl/debian_bpo8+1/engines-path.patch new file mode 100644 index 0000000..9d5646f --- /dev/null +++ b/recipes-connectivity/openssl/openssl/debian_bpo8+1/engines-path.patch @@ -0,0 +1,96 @@ +Index: openssl-1.0.2i/Makefile.org +=================================================================== +--- openssl-1.0.2i.orig/Makefile.org ++++ openssl-1.0.2i/Makefile.org +@@ -368,7 +368,7 |