| author | Cristiana Voicu <cristiana.voicu@intel.com> | 2014-04-08 14:49:48 +0300 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-04-08 17:45:04 +0100 |
| commit | ff52836e1838590eeec7d7658e15b21d83cf8455 (patch) | |
| tree | c10df5c56df5e2fc26079f27774fe04581389ec4 | |
| parent | eaf176eaabb4c558ad76512b30b28ec97fd90bc6 (diff) | |
openssl: Upgrade to v1.0.1g

The trigger for the upgrade was the serious "heartbleed" vulnerability
(CVE-2014-0160). More information:
http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx

Dropped obsolete patches, because the new version contains them:

0001-Fix-for-TLS-record-tampering-bug-CVE-2013-4353.patch
0001-Fix-DTLS-retransmission-from-previous-session.patch
0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch

Modified 2 patches (small changes), in order to apply properly:

initial-aarch64-bits.patch
openssl-fix-doc.patch

Addresses CVEs:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076

Signed-off-by: Cristiana Voicu <cristiana.voicu@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-DTLS-retransmission-from-previous-session.patch | 81 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-for-TLS-record-tampering-bug-CVE-2013-4353.patch | 31 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch | 33 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl-1.0.1e/initial-aarch64-bits.patch | 111 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-doc.patch | 435 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl.inc | 3 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/configure-targets.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/configure-targets.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/debian/c_rehash-compat.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/debian/ca.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/debian/ca.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/debian/debian-targets.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/debian/debian-targets.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/debian/make-targets.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/debian/make-targets.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/debian/man-dir.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/debian/man-dir.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/debian/man-section.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/debian/man-section.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/debian/no-rpath.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/debian/no-rpath.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/debian/no-symbolic.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/debian/no-symbolic.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/debian/pic.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/debian/pic.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/debian/version-script.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/debian/version-script.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/engines-install-in-libdir-ssl.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/engines-install-in-libdir-ssl.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/find.pl (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/find.pl) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/fix-cipher-des-ede3-cfb1.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/fix-cipher-des-ede3-cfb1.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch | 119 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/oe-ldflags.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/oe-ldflags.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-fix-des.pod-error.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-des.pod-error.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch | 401 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-fix-link.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-link.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl_fix_for_x32.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/shared-libs.patch (renamed from meta/recipes-connectivity/openssl/openssl-1.0.1e/shared-libs.patch) | 0 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.1g.bb (renamed from meta/recipes-connectivity/openssl/openssl_1.0.1e.bb) | 9 |
30 files changed, 522 insertions, 701 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-DTLS-retransmission-from-previous-session.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-DTLS-retransmission-from-previous-session.patch deleted file mode 100644 index 39592e2d67..0000000000 --- a/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-DTLS-retransmission-from-previous-session.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 34628967f1e65dc8f34e000f0f5518e21afbfc7b Mon Sep 17 00:00:00 2001 -From: "Dr. Stephen Henson" <steve@openssl.org> -Date: Fri, 20 Dec 2013 15:26:50 +0000 -Subject: [PATCH] Fix DTLS retransmission from previous session. - -Upstream-Status: Backport -commit 34628967f1e65dc8f34e000f0f5518e21afbfc7b upstream - -For DTLS we might need to retransmit messages from the previous session -so keep a copy of write context in DTLS retransmission buffers instead -of replacing it after sending CCS. CVE-2013-6450. ---- - ssl/d1_both.c | 6 ++++++ - ssl/ssl_locl.h | 2 ++ - ssl/t1_enc.c | 17 +++++++++++------ - 4 files changed, 24 insertions(+), 6 deletions(-) - -diff --git a/ssl/d1_both.c b/ssl/d1_both.c -index 65ec001..7a5596a 100644 ---- a/ssl/d1_both.c -+++ b/ssl/d1_both.c -@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) - static void - dtls1_hm_fragment_free(hm_fragment *frag) - { -+ -+ if (frag->msg_header.is_ccs) -+ { -+ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); -+ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); -+ } - if (frag->fragment) OPENSSL_free(frag->fragment); - if (frag->reassembly) OPENSSL_free(frag->reassembly); - OPENSSL_free(frag); -diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h -index 96ce9a7..e485907 100644 ---- a/ssl/ssl_locl.h -+++ b/ssl/ssl_locl.h -@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; - extern SSL3_ENC_METHOD SSLv3_enc_data; - extern SSL3_ENC_METHOD DTLSv1_enc_data; - -+#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) -+ - #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ - s_get_meth) \ - const SSL_METHOD *func_name(void) \ -diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c -index 72015f5..56db834 100644 ---- a/ssl/t1_enc.c -+++ b/ssl/t1_enc.c -@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which) - s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; - else - s->mac_flags &= 
~SSL_MAC_FLAG_WRITE_MAC_STREAM; -- if (s->enc_write_ctx != NULL) -+ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) - reuse_dd = 1; -- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) -+ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) - goto err; -- else -- /* make sure it's intialized in case we exit later with an error */ -- EVP_CIPHER_CTX_init(s->enc_write_ctx); - dd= s->enc_write_ctx; -- mac_ctx = ssl_replace_hash(&s->write_hash,NULL); -+ if (SSL_IS_DTLS(s)) -+ { -+ mac_ctx = EVP_MD_CTX_create(); -+ if (!mac_ctx) -+ goto err; -+ s->write_hash = mac_ctx; -+ } -+ else -+ mac_ctx = ssl_replace_hash(&s->write_hash,NULL); - #ifndef OPENSSL_NO_COMP - if (s->compress != NULL) - { --- -1.7.5.4 - diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-for-TLS-record-tampering-bug-CVE-2013-4353.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-for-TLS-record-tampering-bug-CVE-2013-4353.patch deleted file mode 100644 index d03dc06daf..0000000000 --- a/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-for-TLS-record-tampering-bug-CVE-2013-4353.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 197e0ea817ad64820789d86711d55ff50d71f631 Mon Sep 17 00:00:00 2001 -From: "Dr. Stephen Henson" <steve@openssl.org> -Date: Mon, 6 Jan 2014 14:35:04 +0000 -Subject: [PATCH] Fix for TLS record tampering bug CVE-2013-4353 - -Upstream-Status: Backport -commit 197e0ea817ad64820789d86711d55ff50d71f631 upstream - - ssl/s3_both.c | 6 +++++- - 3 files changed, 11 insertions(+), 1 deletions(-) - -diff --git a/ssl/s3_both.c b/ssl/s3_both.c -index 1e5dcab..53b9390 100644 ---- a/ssl/s3_both.c -+++ b/ssl/s3_both.c -@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s) - { - const char *sender; - int slen; -- -+ /* If no new cipher setup return immediately: other functions will -+ * set the appropriate error. -+ */ -+ if (s->s3->tmp.new_cipher == NULL) -+ return; - if (s->state & SSL_ST_CONNECT) - { - sender=s->method->ssl3_enc->server_finished_label; --- -1.7.5.4 - diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch deleted file mode 100644 index e5a8ade936..0000000000 --- a/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From ca989269a2876bae79393bd54c3e72d49975fc75 Mon Sep 17 00:00:00 2001 -From: "Dr. Stephen Henson" <steve@openssl.org> -Date: Thu, 19 Dec 2013 14:37:39 +0000 -Subject: [PATCH] Use version in SSL_METHOD not SSL structure. - -Upstream-Status: Backport -commit ca989269a2876bae79393bd54c3e72d49975fc75 upstream - -When deciding whether to use TLS 1.2 PRF and record hash algorithms -use the version number in the corresponding SSL_METHOD structure -instead of the SSL structure. The SSL structure version is sometimes -inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already. -(CVE-2013-6449) ---- - ssl/s3_lib.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c -index bf832bb..c4ef273 100644 ---- a/ssl/s3_lib.c -+++ b/ssl/s3_lib.c -@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT. - long ssl_get_algorithm2(SSL *s) - { - long alg2 = s->s3->tmp.new_cipher->algorithm2; -- if (TLS1_get_version(s) >= TLS1_2_VERSION && -+ if (s->method->version == TLS1_2_VERSION && - alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) - return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; - return alg2; --- -1.7.5.4 - diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/initial-aarch64-bits.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/initial-aarch64-bits.patch deleted file mode 100644 index 703b8c125b..0000000000 --- a/meta/recipes-connectivity/openssl/openssl-1.0.1e/initial-aarch64-bits.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From: Andy Polyakov <appro@openssl.org> -Date: Sun, 13 Oct 2013 17:15:15 +0000 (+0200) -Subject: Initial aarch64 bits. -X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=039081b80977e2a5de84e1f88f8b4d025b559956 - -Initial aarch64 bits. ---- - crypto/bn/bn_lcl.h | 9 +++++++++ - crypto/md32_common.h | 18 ++++++++++++++++++ - crypto/modes/modes_lcl.h | 8 ++++++++ - crypto/sha/sha512.c | 13 +++++++++++++ - 4 files changed, 48 insertions(+) - ---- a/crypto/bn/bn_lcl.h -+++ b/crypto/bn/bn_lcl.h -@@ -300,6 +300,15 @@ extern "C" { - : "r"(a), "r"(b)); - # endif - # endif -+# elif defined(__aarch64__) && defined(SIXTY_FOUR_BIT_LONG) -+# if defined(__GNUC__) && __GNUC__>=2 -+# define BN_UMULT_HIGH(a,b) ({ \ -+ register BN_ULONG ret; \ -+ asm ("umulh %0,%1,%2" \ -+ : "=r"(ret) \ -+ : "r"(a), "r"(b)); \ -+ ret; }) -+# endif - # endif /* cpu */ - #endif /* OPENSSL_NO_ASM */ - ---- a/crypto/md32_common.h -+++ b/crypto/md32_common.h -@@ -213,6 +213,24 @@ - asm ("bswapl %0":"=r"(r):"0"(r)); \ - *((unsigned int *)(c))=r; (c)+=4; r; }) - # endif -+# elif defined(__aarch64__) -+# if defined(__BYTE_ORDER__) -+# if defined(__ORDER_LITTLE_ENDIAN__) && __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__ -+# define HOST_c2l(c,l) ({ unsigned int r; \ -+ asm ("rev %w0,%w1" \ -+ :"=r"(r) \ -+ :"r"(*((const unsigned int *)(c))));\ -+ (c)+=4; (l)=r; }) -+# define HOST_l2c(l,c) ({ unsigned int r; \ -+ asm ("rev %w0,%w1" \ -+ :"=r"(r) \ -+ :"r"((unsigned int)(l)));\ -+ *((unsigned int *)(c))=r; (c)+=4; r; }) -+# elif defined(__ORDER_BIG_ENDIAN__) && __BYTE_ORDER__==__ORDER_BIG_ENDIAN__ -+# define HOST_c2l(c,l) ((l)=*((const unsigned int *)(c)), (c)+=4, (l)) -+# define HOST_l2c(l,c) (*((unsigned int *)(c))=(l), (c)+=4, (l)) -+# endif -+# endif - # endif - # endif - #endif ---- a/crypto/modes/modes_lcl.h -+++ b/crypto/modes/modes_lcl.h -@@ -29,6 +29,7 @@ typedef unsigned char u8; - #if defined(__i386) || defined(__i386__) || \ - defined(__x86_64) || 
defined(__x86_64__) || \ - defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \ -+ defined(__aarch64__) || \ - defined(__s390__) || defined(__s390x__) || \ - ( (defined(__arm__) || defined(__arm)) && \ - (defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__) || \ -@@ -53,6 +54,13 @@ typedef unsigned char u8; - # define BSWAP4(x) ({ u32 ret=(x); \ - asm ("bswapl %0" \ - : "+r"(ret)); ret; }) -+# elif defined(__aarch64__) -+# define BSWAP8(x) ({ u64 ret; \ -+ asm ("rev %0,%1" \ -+ : "=r"(ret) : "r"(x)); ret; }) -+# define BSWAP4(x) ({ u32 ret; \ -+ asm ("rev %w0,%w1" \ -+ : "=r"(ret) : "r"(x)); ret; }) - # elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT) - # define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x); \ - asm ("rev %0,%0; rev %1,%1" \ ---- a/crypto/sha/sha512.c -+++ b/crypto/sha/sha512.c -@@ -55,6 +55,7 @@ const char SHA512_version[]="SHA-512" OP - #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \ - defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) || \ - defined(__s390__) || defined(__s390x__) || \ -+ defined(__aarch64__) || \ - defined(SHA512_ASM) - #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA - #endif -@@ -340,6 +341,18 @@ static const SHA_LONG64 K512[80] = { - asm ("rotrdi %0,%1,%2" \ - : "=r"(ret) \ - : "r"(a),"K"(n)); ret; }) -+# elif defined(__aarch64__) -+# define ROTR(a,n) ({ SHA_LONG64 ret; \ -+ asm ("ror %0,%1,%2" \ -+ : "=r"(ret) \ -+ : "r"(a),"I"(n)); ret; }) -+# if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \ -+ __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__ -+# define PULL64(x) ({ SHA_LONG64 ret; \ -+ asm ("rev %0,%1" \ -+ : "=r"(ret) \ -+ : "r"(*((const SHA_LONG64 *)(&(x))))); ret; }) -+# endif - # endif - # elif defined(_MSC_VER) - # if defined(_WIN64) /* applies to both IA-64 and AMD64 */ 
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-doc.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-doc.patch deleted file mode 100644 index e87ed80736..0000000000 --- a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-doc.patch +++ /dev/null 
@@ -1,435 +0,0 @@ -Fix documentation build errors with Perl 5.18 pod2man - -This fixes errors building man pages with newer versions of pod2man -included with Perl 5.18. - -Upstream-Status: Submitted -Signed-off-by: Jonathan Liu - -diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod -index a09588a..881d387 100644 ---- a/doc/apps/cms.pod -+++ b/doc/apps/cms.pod -@@ -450,28 +450,28 @@ remains DER. - - =over 4 - --=item 0 -+=item Z<>0 - - the operation was completely successfully. - --=item 1 -+=item Z<>1 - - an error occurred parsing the command options. - --=item 2 -+=item Z<>2 - - one of the input files could not be read. - --=item 3 -+=item Z<>3 - - an error occurred creating the CMS file or when reading the MIME - message. - --=item 4 -+=item Z<>4 - - an error occurred decrypting or verifying the message. - --=item 5 -+=item Z<>5 - - the message was verified correctly but an error occurred writing out - the signers certificates. -diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod -index e4e89af..ef8e8cd 100644 ---- a/doc/apps/smime.pod -+++ b/doc/apps/smime.pod -@@ -308,28 +308,28 @@ remains DER. - - =over 4 - --=item 0 -+=item Z<>0 - - the operation was completely successfully. - --=item 1 -+=item Z<>1 - - an error occurred parsing the command options. - --=item 2 -+=item Z<>2 - - one of the input files could not be read. - --=item 3 -+=item Z<>3 - - an error occurred creating the PKCS#7 file or when reading the MIME - message. - --=item 4 -+=item Z<>4 - - an error occurred decrypting or verifying the message. - --=item 5 -+=item Z<>5 - - the message was verified correctly but an error occurred writing out - the signers certificates. -diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod -index a883f6c..60e8332 100644 ---- a/doc/crypto/X509_STORE_CTX_get_error.pod -+++ b/doc/crypto/X509_STORE_CTX_get_error.pod -@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled. - an application specific error. 
This will never be returned unless explicitly - set by an application. - -+=back -+ - =head1 NOTES - - The above functions should be used instead of directly referencing the fields -diff --git a/doc/ssl/SSL_COMP_add_compression_method.pod b/doc/ssl/SSL_COMP_add_compression_method.pod -index 42fa66b..f4d191c 100644 ---- a/doc/ssl/SSL_COMP_add_compression_method.pod -+++ b/doc/ssl/SSL_COMP_add_compression_method.pod -@@ -53,11 +53,11 @@ SSL_COMP_add_compression_method() may return the following values: - - =over 4 - --=item 0 -+=item Z<>0 - - The operation succeeded. - --=item 1 -+=item Z<>1 - - The operation failed. Check the error queue to find out the reason. - -diff --git a/doc/ssl/SSL_CTX_add_session.pod b/doc/ssl/SSL_CTX_add_session.pod -index 82676b2..8e0abd3 100644 ---- a/doc/ssl/SSL_CTX_add_session.pod -+++ b/doc/ssl/SSL_CTX_add_session.pod -@@ -52,13 +52,13 @@ The following values are returned by all functions: - - =over 4 - --=item 0 -+=item Z<>0 - - The operation failed. In case of the add operation, it was tried to add - the same (identical) session twice. In case of the remove operation, the - session was not found in the cache. - --=item 1 -+=item Z<>1 - - The operation succeeded. - -diff --git a/doc/ssl/SSL_CTX_load_verify_locations.pod b/doc/ssl/SSL_CTX_load_verify_locations.pod -index 84a799f..d1d8977 100644 ---- a/doc/ssl/SSL_CTX_load_verify_locations.pod -+++ b/doc/ssl/SSL_CTX_load_verify_locations.pod -@@ -100,13 +100,13 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The operation failed because B<CAfile> and B<CApath> are NULL or the - processing at one of the locations specified failed. Check the error - stack to find out the reason. - --=item 1 -+=item Z<>1 - - The operation succeeded. 
- -diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod -index 632b556..6122a02 100644 ---- a/doc/ssl/SSL_CTX_set_client_CA_list.pod -+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod -@@ -66,11 +66,11 @@ values: - - =over 4 - --=item 1 -+=item Z<>1 - - The operation succeeded. - --=item 0 -+=item Z<>0 - - A failure while manipulating the STACK_OF(X509_NAME) object occurred or - the X509_NAME could not be extracted from B<cacert>. Check the error stack -diff --git a/doc/ssl/SSL_CTX_set_session_id_context.pod b/doc/ssl/SSL_CTX_set_session_id_context.pod -index 58fc685..7c9e515 100644 ---- a/doc/ssl/SSL_CTX_set_session_id_context.pod -+++ b/doc/ssl/SSL_CTX_set_session_id_context.pod -@@ -64,13 +64,13 @@ return the following values: - - =over 4 - --=item 0 -+=item Z<>0 - - The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded - the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error - is logged to the error stack. - --=item 1 -+=item Z<>1 - - The operation succeeded. - -diff --git a/doc/ssl/SSL_CTX_set_ssl_version.pod b/doc/ssl/SSL_CTX_set_ssl_version.pod -index 254f2b4..e254f96 100644 ---- a/doc/ssl/SSL_CTX_set_ssl_version.pod -+++ b/doc/ssl/SSL_CTX_set_ssl_version.pod -@@ -42,11 +42,11 @@ and SSL_set_ssl_method(): - - =over 4 - --=item 0 -+=item Z<>0 - - The new choice failed, check the error stack to find out the reason. - --=item 1 -+=item Z<>1 - - The operation succeeded. 
- -diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -index b80e25b..31e6626 100644 ---- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return - - Return values from the server callback are interpreted as follows: - -+=over 4 -+ - =item > 0 - - PSK identity was found and the server callback has provided the PSK -@@ -94,9 +96,11 @@ data to B<psk> and return the length of the random data, so the - connection will fail with decryption_error before it will be finished - completely. - --=item 0 -+=item Z<>0 - - PSK identity was not found. An "unknown_psk_identity" alert message - will be sent and the connection setup fails. - -+=back -+ - =cut -diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod -index cc724c0..4915e5a 100644 ---- a/doc/ssl/SSL_accept.pod -+++ b/doc/ssl/SSL_accept.pod -@@ -44,12 +44,12 @@ The following return values can occur: - - =over 4 - --=item 1 -+=item Z<>1 - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. - --=item 0 -+=item Z<>0 - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the -diff --git a/doc/ssl/SSL_clear.pod b/doc/ssl/SSL_clear.pod -index d4df1bf..ba192bd 100644 ---- a/doc/ssl/SSL_clear.pod -+++ b/doc/ssl/SSL_clear.pod -@@ -56,12 +56,12 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The SSL_clear() operation could not be performed. Check the error stack to - find out the reason. - --=item 1 -+=item Z<>1 - - The SSL_clear() operation was successful. 
- -diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod -index cc56ebb..61cabb7 100644 ---- a/doc/ssl/SSL_connect.pod -+++ b/doc/ssl/SSL_connect.pod -@@ -41,12 +41,12 @@ The following return values can occur: - - =over 4 - --=item 1 -+=item Z<>1 - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. - --=item 0 -+=item Z<>0 - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the -diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod -index 2435764..beb0dd1 100644 ---- a/doc/ssl/SSL_do_handshake.pod -+++ b/doc/ssl/SSL_do_handshake.pod -@@ -45,12 +45,12 @@ The following return values can occur: - - =over 4 - --=item 1 -+=item Z<>1 - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. - --=item 0 -+=item Z<>0 - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the -diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod -index 7038cd2..8ca0ce5 100644 ---- a/doc/ssl/SSL_read.pod -+++ b/doc/ssl/SSL_read.pod -@@ -86,7 +86,7 @@ The following return values can occur: - The read operation was successful; the return value is the number of - bytes actually read from the TLS/SSL connection. - --=item 0 -+=item Z<>0 - - The read operation was not successful. The reason may either be a clean - shutdown due to a "close notify" alert sent by the peer (in which case -diff --git a/doc/ssl/SSL_session_reused.pod b/doc/ssl/SSL_session_reused.pod -index da7d062..b09d8a7 100644 ---- a/doc/ssl/SSL_session_reused.pod -+++ b/doc/ssl/SSL_session_reused.pod -@@ -27,11 +27,11 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - A new session was negotiated. - --=item 1 -+=item Z<>1 - - A session was reused. 
- -diff --git a/doc/ssl/SSL_set_fd.pod b/doc/ssl/SSL_set_fd.pod -index 7029112..1480871 100644 ---- a/doc/ssl/SSL_set_fd.pod -+++ b/doc/ssl/SSL_set_fd.pod -@@ -35,11 +35,11 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The operation failed. Check the error stack to find out why. - --=item 1 -+=item Z<>1 - - The operation succeeded. - -diff --git a/doc/ssl/SSL_set_session.pod b/doc/ssl/SSL_set_session.pod -index 5f54714..197b521 100644 ---- a/doc/ssl/SSL_set_session.pod -+++ b/doc/ssl/SSL_set_session.pod -@@ -37,11 +37,11 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The operation failed; check the error stack to find out the reason. - --=item 1 -+=item Z<>1 - - The operation succeeded. - -diff --git a/doc/ssl/SSL_set_shutdown.pod b/doc/ssl/SSL_set_shutdown.pod -index 011a022..fe01308 100644 ---- a/doc/ssl/SSL_set_shutdown.pod -+++ b/doc/ssl/SSL_set_shutdown.pod -@@ -24,7 +24,7 @@ The shutdown state of an ssl connection is a bitmask of: - - =over 4 - --=item 0 -+=item Z<>0 - - No shutdown setting, yet. - -diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod -index 89911ac..132ebc5 100644 ---- a/doc/ssl/SSL_shutdown.pod -+++ b/doc/ssl/SSL_shutdown.pod -@@ -92,19 +92,19 @@ The following return values can occur: - - =over 4 - --=item 1 -+=item Z<>1 - - The shutdown was successfully completed. The "close notify" alert was sent - and the peer's "close notify" alert was received. - --=item 0 -+=item Z<>0 - - The shutdown is not yet finished. Call SSL_shutdown() for a second time, - if a bidirectional shutdown shall be performed. - The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an - erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. - --=item -1 -+=item Z<>-1 - - The shutdown was not successful because a fatal error occurred either - at the protocol level or a connection failure occurred. 
It can also occur if -diff --git a/doc/ssl/SSL_write.pod b/doc/ssl/SSL_write.pod -index e013c12..a57617f 100644 ---- a/doc/ssl/SSL_write.pod -+++ b/doc/ssl/SSL_write.pod -@@ -79,7 +79,7 @@ The following return values can occur: - The write operation was successful, the return value is the number of - bytes actually written to the TLS/SSL connection. - --=item 0 -+=item Z<>0 - - The write operation was not successful. Probably the underlying connection - was closed. Call SSL_get_error() with the return value B<ret> to find out, diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc index e9249145fb..ee02fb796e 100644 --- a/meta/recipes-connectivity/openssl/open |
