Update OpenSSL. This also fixes the following CVEs:

- CVE-2017-3737
- CVE-2017-3738

The patches are ported; two patches have been applied upstream and are
deleted:

- 0012-Fix-no-ssl3-build.patch
- 0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch

Signed-off-by: Robert Schwebel <r.schwe...@pengutronix.de>
---
 .../openssl-1.0.2m/0012-Fix-no-ssl3-build.patch    | 28 -------
 ...saes-armv7-sha256-armv4-.pl-make-it-work-.patch | 93 ----------------------
 .../0001-debian-targets.patch                      |  0
 .../0002-engines-path.patch                        |  0
 .../0003-no-rpath.patch                            |  0
 .../0004-no-symbolic.patch                         |  0
 .../0005-pic.patch                                 |  0
 .../0006-valgrind.patch                            |  0
 .../0007-shared-lib-ext.patch                      |  0
 .../0008-block_diginotar.patch                     |  0
 .../0009-block_digicert_malaysia.patch             |  0
 .../0010-Disable-the-freelist.patch                |  0
 .../0011-Mark-3DES-and-RC4-ciphers-as-weak.patch   |  0
 ...-don-t-ask-dpkg-buildflags-for-more-flags.patch |  0
 .../0101-fix-parallel-building.patch               |  0
 patches/{openssl-1.0.2m => openssl-1.0.2n}/series  |  2 -
 rules/openssl.make                                 |  4 +-
 17 files changed, 2 insertions(+), 125 deletions(-)
 delete mode 100644 patches/openssl-1.0.2m/0012-Fix-no-ssl3-build.patch
 delete mode 100644 
patches/openssl-1.0.2m/0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
 rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0001-debian-targets.patch 
(100%)
 rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0002-engines-path.patch 
(100%)
 rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0003-no-rpath.patch (100%)
 rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0004-no-symbolic.patch (100%)
 rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0005-pic.patch (100%)
 rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0006-valgrind.patch (100%)
 rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0007-shared-lib-ext.patch 
(100%)
 rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0008-block_diginotar.patch 
(100%)
 rename patches/{openssl-1.0.2m => 
openssl-1.0.2n}/0009-block_digicert_malaysia.patch (100%)
 rename patches/{openssl-1.0.2m => 
openssl-1.0.2n}/0010-Disable-the-freelist.patch (100%)
 rename patches/{openssl-1.0.2m => 
openssl-1.0.2n}/0011-Mark-3DES-and-RC4-ciphers-as-weak.patch (100%)
 rename patches/{openssl-1.0.2m => 
openssl-1.0.2n}/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch 
(100%)
 rename patches/{openssl-1.0.2m => 
openssl-1.0.2n}/0101-fix-parallel-building.patch (100%)
 rename patches/{openssl-1.0.2m => openssl-1.0.2n}/series (85%)

diff --git a/patches/openssl-1.0.2m/0012-Fix-no-ssl3-build.patch b/patches/openssl-1.0.2m/0012-Fix-no-ssl3-build.patch
deleted file mode 100644
index c4cadf43f..000000000
--- a/patches/openssl-1.0.2m/0012-Fix-no-ssl3-build.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Kurt Roeckx <k...@roeckx.be>
-Date: Thu, 2 Nov 2017 18:53:16 +0100
-Subject: [PATCH] Fix no-ssl3 build
-
-Imported from openssl1.0_1.0.2m-3.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de>
----
- ssl/s23_clnt.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
-index 92f41dd549ad..05b892b72387 100644
---- a/ssl/s23_clnt.c
-+++ b/ssl/s23_clnt.c
-@@ -757,10 +757,12 @@ static int ssl23_get_server_hello(SSL *s)
-                 s->version = TLS1_VERSION;
-                 s->method = TLSv1_client_method();
-                 break;
-+#ifndef OPENSSL_NO_SSL3_METHOD
-             case SSL3_VERSION:
-                 s->version = SSL3_VERSION;
-                 s->method = SSLv3_client_method();
-                 break;
-+#endif
-             }
-             SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
-             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
diff --git a/patches/openssl-1.0.2m/0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch b/patches/openssl-1.0.2m/0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
deleted file mode 100644
index 90769273b..000000000
--- a/patches/openssl-1.0.2m/0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From: Andy Polyakov <ap...@openssl.org>
-Date: Sun, 5 Nov 2017 17:08:16 +0100
-Subject: [PATCH] {aes-armv4|bsaes-armv7|sha256-armv4}.pl: make it work with
- binutils-2.29
-
-It's not clear if it's a feature or bug, but binutils-2.29[.1]
-interprets 'adr' instruction with Thumb2 code reference differently,
-in a way that affects calculation of addresses of constants' tables.
-
-Imported from openssl1.0_1.0.2m-3.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de>
----
- crypto/aes/asm/aes-armv4.pl    | 6 +++---
- crypto/aes/asm/bsaes-armv7.pl  | 6 +++---
- crypto/sha/asm/sha256-armv4.pl | 2 +-
- 3 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/crypto/aes/asm/aes-armv4.pl b/crypto/aes/asm/aes-armv4.pl
-index 4f8917089f6c..c1b5e352d76f 100644
---- a/crypto/aes/asm/aes-armv4.pl
-+++ b/crypto/aes/asm/aes-armv4.pl
-@@ -184,7 +184,7 @@ AES_encrypt:
- #if __ARM_ARCH__<7
-       sub     r3,pc,#8                @ AES_encrypt
- #else
--      adr     r3,AES_encrypt
-+      adr     r3,.
- #endif
-       stmdb   sp!,{r1,r4-r12,lr}
-       mov     $rounds,r0              @ inp
-@@ -430,7 +430,7 @@ _armv4_AES_set_encrypt_key:
- #if __ARM_ARCH__<7
-       sub     r3,pc,#8                @ AES_set_encrypt_key
- #else
--      adr     r3,private_AES_set_encrypt_key
-+      adr     r3,.
- #endif
-       teq     r0,#0
- #if __ARM_ARCH__>=7
-@@ -952,7 +952,7 @@ AES_decrypt:
- #if __ARM_ARCH__<7
-       sub     r3,pc,#8                @ AES_decrypt
- #else
--      adr     r3,AES_decrypt
-+      adr     r3,.
- #endif
-       stmdb   sp!,{r1,r4-r12,lr}
-       mov     $rounds,r0              @ inp
-diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl
-index 70b3f9656f4f..ec66b0502a64 100644
---- a/crypto/aes/asm/bsaes-armv7.pl
-+++ b/crypto/aes/asm/bsaes-armv7.pl
-@@ -724,7 +724,7 @@ $code.=<<___;
- .type _bsaes_decrypt8,%function
- .align        4
- _bsaes_decrypt8:
--      adr     $const,_bsaes_decrypt8
-+      adr     $const,.
-       vldmia  $key!, {@XMM[9]}                @ round 0 key
-       add     $const,$const,#.LM0ISR-_bsaes_decrypt8
- 
-@@ -819,7 +819,7 @@ _bsaes_const:
- .type _bsaes_encrypt8,%function
- .align        4
- _bsaes_encrypt8:
--      adr     $const,_bsaes_encrypt8
-+      adr     $const,.
-       vldmia  $key!, {@XMM[9]}                @ round 0 key
-       sub     $const,$const,#_bsaes_encrypt8-.LM0SR
- 
-@@ -923,7 +923,7 @@ $code.=<<___;
- .type _bsaes_key_convert,%function
- .align        4
- _bsaes_key_convert:
--      adr     $const,_bsaes_key_convert
-+      adr     $const,.
-       vld1.8  {@XMM[7]},  [$inp]!             @ load round 0 key
-       sub     $const,$const,#_bsaes_key_convert-.LM0
-       vld1.8  {@XMM[15]}, [$inp]!             @ load round 1 key
-diff --git a/crypto/sha/asm/sha256-armv4.pl b/crypto/sha/asm/sha256-armv4.pl
-index 4fee74d832d1..750216eb4267 100644
---- a/crypto/sha/asm/sha256-armv4.pl
-+++ b/crypto/sha/asm/sha256-armv4.pl
-@@ -205,7 +205,7 @@ sha256_block_data_order:
- #if __ARM_ARCH__<7
-       sub     r3,pc,#8                @ sha256_block_data_order
- #else
--      adr     r3,sha256_block_data_order
-+      adr     r3,.
- #endif
- #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
-       ldr     r12,.LOPENSSL_armcap
diff --git a/patches/openssl-1.0.2m/0001-debian-targets.patch b/patches/openssl-1.0.2n/0001-debian-targets.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0001-debian-targets.patch
rename to patches/openssl-1.0.2n/0001-debian-targets.patch
diff --git a/patches/openssl-1.0.2m/0002-engines-path.patch b/patches/openssl-1.0.2n/0002-engines-path.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0002-engines-path.patch
rename to patches/openssl-1.0.2n/0002-engines-path.patch
diff --git a/patches/openssl-1.0.2m/0003-no-rpath.patch b/patches/openssl-1.0.2n/0003-no-rpath.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0003-no-rpath.patch
rename to patches/openssl-1.0.2n/0003-no-rpath.patch
diff --git a/patches/openssl-1.0.2m/0004-no-symbolic.patch b/patches/openssl-1.0.2n/0004-no-symbolic.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0004-no-symbolic.patch
rename to patches/openssl-1.0.2n/0004-no-symbolic.patch
diff --git a/patches/openssl-1.0.2m/0005-pic.patch b/patches/openssl-1.0.2n/0005-pic.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0005-pic.patch
rename to patches/openssl-1.0.2n/0005-pic.patch
diff --git a/patches/openssl-1.0.2m/0006-valgrind.patch b/patches/openssl-1.0.2n/0006-valgrind.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0006-valgrind.patch
rename to patches/openssl-1.0.2n/0006-valgrind.patch
diff --git a/patches/openssl-1.0.2m/0007-shared-lib-ext.patch b/patches/openssl-1.0.2n/0007-shared-lib-ext.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0007-shared-lib-ext.patch
rename to patches/openssl-1.0.2n/0007-shared-lib-ext.patch
diff --git a/patches/openssl-1.0.2m/0008-block_diginotar.patch b/patches/openssl-1.0.2n/0008-block_diginotar.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0008-block_diginotar.patch
rename to patches/openssl-1.0.2n/0008-block_diginotar.patch
diff --git a/patches/openssl-1.0.2m/0009-block_digicert_malaysia.patch b/patches/openssl-1.0.2n/0009-block_digicert_malaysia.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0009-block_digicert_malaysia.patch
rename to patches/openssl-1.0.2n/0009-block_digicert_malaysia.patch
diff --git a/patches/openssl-1.0.2m/0010-Disable-the-freelist.patch b/patches/openssl-1.0.2n/0010-Disable-the-freelist.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0010-Disable-the-freelist.patch
rename to patches/openssl-1.0.2n/0010-Disable-the-freelist.patch
diff --git a/patches/openssl-1.0.2m/0011-Mark-3DES-and-RC4-ciphers-as-weak.patch b/patches/openssl-1.0.2n/0011-Mark-3DES-and-RC4-ciphers-as-weak.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0011-Mark-3DES-and-RC4-ciphers-as-weak.patch
rename to patches/openssl-1.0.2n/0011-Mark-3DES-and-RC4-ciphers-as-weak.patch
diff --git a/patches/openssl-1.0.2m/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch b/patches/openssl-1.0.2n/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
rename to patches/openssl-1.0.2n/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
diff --git a/patches/openssl-1.0.2m/0101-fix-parallel-building.patch b/patches/openssl-1.0.2n/0101-fix-parallel-building.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0101-fix-parallel-building.patch
rename to patches/openssl-1.0.2n/0101-fix-parallel-building.patch
diff --git a/patches/openssl-1.0.2m/series b/patches/openssl-1.0.2n/series
similarity index 85%
rename from patches/openssl-1.0.2m/series
rename to patches/openssl-1.0.2n/series
index 4c8abffcb..d81c31bd3 100644
--- a/patches/openssl-1.0.2m/series
+++ b/patches/openssl-1.0.2n/series
@@ -12,8 +12,6 @@
 0009-block_digicert_malaysia.patch
 0010-Disable-the-freelist.patch
 0011-Mark-3DES-and-RC4-ciphers-as-weak.patch
-0012-Fix-no-ssl3-build.patch
-0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
 #tag:ptx --start-number 100
 0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
 0101-fix-parallel-building.patch
diff --git a/rules/openssl.make b/rules/openssl.make
index 77efe7df9..19d196087 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -19,9 +19,9 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 # Paths and names
 #
 OPENSSL_BASE   := 1.0.2
-OPENSSL_BUGFIX := m
+OPENSSL_BUGFIX := n
 OPENSSL_VERSION        := $(OPENSSL_BASE)$(OPENSSL_BUGFIX)
-OPENSSL_MD5    := 10e9e37f492094b9ef296f68f24a7666
+OPENSSL_MD5    := 13bdc1b1d1ff39b6fd42a255e74676a4
 OPENSSL                := openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX := tar.gz
 OPENSSL_URL    := \
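Review bot: The source tarball for this security update is pinned only by an MD5 digest in `OPENSSL_MD5`, and MD5 is no longer collision resistant, so the new value is a weak integrity anchor for a crypto library download. Before merging, the value should be confirmed against a tarball that was itself checked with the SHA-256 digest or PGP signature published upstream; a comment such as `# tarball verified against upstream .sha256/.asc before pinning` next to the assignment would record that. Whether the rule format can carry a stronger digest is not visible in this hunk, and the `OPENSSL_URL` assignment continues outside it.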
-- 
2.15.1

