Update OpenSSL. This also fixes the following CVEs: - CVE-2017-3737 - CVE-2017-3738
The patches are ported; two patches have been applied upstream and are deleted: - 0012-Fix-no-ssl3-build.patch - 0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch 
Signed-off-by: Robert Schwebel <r.schwe...@pengutronix.de>
---
.../openssl-1.0.2m/0012-Fix-no-ssl3-build.patch | 28 -------
...saes-armv7-sha256-armv4-.pl-make-it-work-.patch | 93 ----------------------
.../0001-debian-targets.patch | 0
.../0002-engines-path.patch | 0
.../0003-no-rpath.patch | 0
.../0004-no-symbolic.patch | 0
.../0005-pic.patch | 0
.../0006-valgrind.patch | 0
.../0007-shared-lib-ext.patch | 0
.../0008-block_diginotar.patch | 0
.../0009-block_digicert_malaysia.patch | 0
.../0010-Disable-the-freelist.patch | 0
.../0011-Mark-3DES-and-RC4-ciphers-as-weak.patch | 0
...-don-t-ask-dpkg-buildflags-for-more-flags.patch | 0
.../0101-fix-parallel-building.patch | 0
patches/{openssl-1.0.2m => openssl-1.0.2n}/series | 2 -
rules/openssl.make | 4 +-
17 files changed, 2 insertions(+), 125 deletions(-)
delete mode 100644 patches/openssl-1.0.2m/0012-Fix-no-ssl3-build.patch
delete mode 100644 patches/openssl-1.0.2m/0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0001-debian-targets.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0002-engines-path.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0003-no-rpath.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0004-no-symbolic.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0005-pic.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0006-valgrind.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0007-shared-lib-ext.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0008-block_diginotar.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0009-block_digicert_malaysia.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0010-Disable-the-freelist.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0011-Mark-3DES-and-RC4-ciphers-as-weak.patch (100%)
rename patches/{openssl-1.0.2m =>
openssl-1.0.2n}/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/0101-fix-parallel-building.patch (100%)
rename patches/{openssl-1.0.2m => openssl-1.0.2n}/series (85%)
diff --git a/patches/openssl-1.0.2m/0012-Fix-no-ssl3-build.patch b/patches/openssl-1.0.2m/0012-Fix-no-ssl3-build.patch
deleted file mode 100644
index c4cadf43f..000000000
--- a/patches/openssl-1.0.2m/0012-Fix-no-ssl3-build.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Kurt Roeckx <k...@roeckx.be>
-Date: Thu, 2 Nov 2017 18:53:16 +0100
-Subject: [PATCH] Fix no-ssl3 build
-
-Imported from openssl1.0_1.0.2m-3.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de>
----
- ssl/s23_clnt.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
-index 92f41dd549ad..05b892b72387 100644
---- a/ssl/s23_clnt.c
-+++ b/ssl/s23_clnt.c
-@@ -757,10 +757,12 @@ static int ssl23_get_server_hello(SSL *s)
- s->version = TLS1_VERSION;
- s->method = TLSv1_client_method();
- break;
-+#ifndef OPENSSL_NO_SSL3_METHOD
- case SSL3_VERSION:
- s->version = SSL3_VERSION;
- s->method = SSLv3_client_method();
- break;
-+#endif
- }
- SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
diff --git a/patches/openssl-1.0.2m/0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch b/patches/openssl-1.0.2m/0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
deleted file mode 100644
index 90769273b..000000000
--- a/patches/openssl-1.0.2m/0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From: Andy Polyakov <ap...@openssl.org>
-Date: Sun, 5 Nov 2017 17:08:16 +0100
-Subject: [PATCH] {aes-armv4|bsaes-armv7|sha256-armv4}.pl: make it work with
- binutils-2.29
-
-It's not clear if it's a feature or bug, but binutils-2.29[.1]
-interprets 'adr' instruction with Thumb2 code reference differently,
-in a way that affects calculation of addresses of constants' tables.
-
-Imported from openssl1.0_1.0.2m-3.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de>
----
- crypto/aes/asm/aes-armv4.pl | 6 +++---
- crypto/aes/asm/bsaes-armv7.pl | 6 +++---
- crypto/sha/asm/sha256-armv4.pl | 2 +-
- 3 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/crypto/aes/asm/aes-armv4.pl b/crypto/aes/asm/aes-armv4.pl
-index 4f8917089f6c..c1b5e352d76f 100644
---- a/crypto/aes/asm/aes-armv4.pl
-+++ b/crypto/aes/asm/aes-armv4.pl
-@@ -184,7 +184,7 @@ AES_encrypt:
- #if __ARM_ARCH__<7
- sub r3,pc,#8 @ AES_encrypt
- #else
-- adr r3,AES_encrypt
-+ adr r3,.
- #endif
- stmdb sp!,{r1,r4-r12,lr}
- mov $rounds,r0 @ inp
-@@ -430,7 +430,7 @@ _armv4_AES_set_encrypt_key:
- #if __ARM_ARCH__<7
- sub r3,pc,#8 @ AES_set_encrypt_key
- #else
-- adr r3,private_AES_set_encrypt_key
-+ adr r3,.
- #endif
- teq r0,#0
- #if __ARM_ARCH__>=7
-@@ -952,7 +952,7 @@ AES_decrypt:
- #if __ARM_ARCH__<7
- sub r3,pc,#8 @ AES_decrypt
- #else
-- adr r3,AES_decrypt
-+ adr r3,.
- #endif
- stmdb sp!,{r1,r4-r12,lr}
- mov $rounds,r0 @ inp
-diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl
-index 70b3f9656f4f..ec66b0502a64 100644
---- a/crypto/aes/asm/bsaes-armv7.pl
-+++ b/crypto/aes/asm/bsaes-armv7.pl
-@@ -724,7 +724,7 @@ $code.=<<___;
- .type _bsaes_decrypt8,%function
- .align 4
- _bsaes_decrypt8:
-- adr $const,_bsaes_decrypt8
-+ adr $const,.
- vldmia $key!, {@XMM[9]} @ round 0 key
- add $const,$const,#.LM0ISR-_bsaes_decrypt8
-
-@@ -819,7 +819,7 @@ _bsaes_const:
- .type _bsaes_encrypt8,%function
- .align 4
- _bsaes_encrypt8:
-- adr $const,_bsaes_encrypt8
-+ adr $const,.
- vldmia $key!, {@XMM[9]} @ round 0 key
- sub $const,$const,#_bsaes_encrypt8-.LM0SR
-
-@@ -923,7 +923,7 @@ $code.=<<___;
- .type _bsaes_key_convert,%function
- .align 4
- _bsaes_key_convert:
-- adr $const,_bsaes_key_convert
-+ adr $const,.
- vld1.8 {@XMM[7]}, [$inp]! @ load round 0 key
- sub $const,$const,#_bsaes_key_convert-.LM0
- vld1.8 {@XMM[15]}, [$inp]! @ load round 1 key
-diff --git a/crypto/sha/asm/sha256-armv4.pl b/crypto/sha/asm/sha256-armv4.pl
-index 4fee74d832d1..750216eb4267 100644
---- a/crypto/sha/asm/sha256-armv4.pl
-+++ b/crypto/sha/asm/sha256-armv4.pl
-@@ -205,7 +205,7 @@ sha256_block_data_order:
- #if __ARM_ARCH__<7
- sub r3,pc,#8 @ sha256_block_data_order
- #else
-- adr r3,sha256_block_data_order
-+ adr r3,.
- #endif
- #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
- ldr r12,.LOPENSSL_armcap
diff --git a/patches/openssl-1.0.2m/0001-debian-targets.patch b/patches/openssl-1.0.2n/0001-debian-targets.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0001-debian-targets.patch
rename to patches/openssl-1.0.2n/0001-debian-targets.patch
diff --git a/patches/openssl-1.0.2m/0002-engines-path.patch b/patches/openssl-1.0.2n/0002-engines-path.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0002-engines-path.patch
rename to patches/openssl-1.0.2n/0002-engines-path.patch
diff --git a/patches/openssl-1.0.2m/0003-no-rpath.patch b/patches/openssl-1.0.2n/0003-no-rpath.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0003-no-rpath.patch
rename to patches/openssl-1.0.2n/0003-no-rpath.patch
diff --git a/patches/openssl-1.0.2m/0004-no-symbolic.patch b/patches/openssl-1.0.2n/0004-no-symbolic.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0004-no-symbolic.patch
rename to patches/openssl-1.0.2n/0004-no-symbolic.patch
diff --git a/patches/openssl-1.0.2m/0005-pic.patch b/patches/openssl-1.0.2n/0005-pic.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0005-pic.patch
rename to patches/openssl-1.0.2n/0005-pic.patch
diff --git a/patches/openssl-1.0.2m/0006-valgrind.patch b/patches/openssl-1.0.2n/0006-valgrind.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0006-valgrind.patch
rename to patches/openssl-1.0.2n/0006-valgrind.patch
diff --git a/patches/openssl-1.0.2m/0007-shared-lib-ext.patch b/patches/openssl-1.0.2n/0007-shared-lib-ext.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0007-shared-lib-ext.patch
rename to patches/openssl-1.0.2n/0007-shared-lib-ext.patch
diff --git a/patches/openssl-1.0.2m/0008-block_diginotar.patch b/patches/openssl-1.0.2n/0008-block_diginotar.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0008-block_diginotar.patch
rename to patches/openssl-1.0.2n/0008-block_diginotar.patch
diff --git a/patches/openssl-1.0.2m/0009-block_digicert_malaysia.patch b/patches/openssl-1.0.2n/0009-block_digicert_malaysia.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0009-block_digicert_malaysia.patch
rename to patches/openssl-1.0.2n/0009-block_digicert_malaysia.patch
diff --git a/patches/openssl-1.0.2m/0010-Disable-the-freelist.patch b/patches/openssl-1.0.2n/0010-Disable-the-freelist.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0010-Disable-the-freelist.patch
rename to patches/openssl-1.0.2n/0010-Disable-the-freelist.patch
diff --git a/patches/openssl-1.0.2m/0011-Mark-3DES-and-RC4-ciphers-as-weak.patch b/patches/openssl-1.0.2n/0011-Mark-3DES-and-RC4-ciphers-as-weak.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0011-Mark-3DES-and-RC4-ciphers-as-weak.patch
rename to patches/openssl-1.0.2n/0011-Mark-3DES-and-RC4-ciphers-as-weak.patch
diff --git a/patches/openssl-1.0.2m/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch b/patches/openssl-1.0.2n/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
rename to patches/openssl-1.0.2n/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
diff --git a/patches/openssl-1.0.2m/0101-fix-parallel-building.patch b/patches/openssl-1.0.2n/0101-fix-parallel-building.patch
similarity index 100%
rename from patches/openssl-1.0.2m/0101-fix-parallel-building.patch
rename to patches/openssl-1.0.2n/0101-fix-parallel-building.patch
diff --git a/patches/openssl-1.0.2m/series b/patches/openssl-1.0.2n/series
similarity index 85%
rename from patches/openssl-1.0.2m/series
rename to patches/openssl-1.0.2n/series
index 4c8abffcb..d81c31bd3 100644
--- a/patches/openssl-1.0.2m/series
+++ b/patches/openssl-1.0.2n/series
@@ -12,8 +12,6 @@
 0009-block_digicert_malaysia.patch
 0010-Disable-the-freelist.patch
 0011-Mark-3DES-and-RC4-ciphers-as-weak.patch
-0012-Fix-no-ssl3-build.patch
-0013-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
 #tag:ptx --start-number 100
 0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
 0101-fix-parallel-building.patch
diff --git a/rules/openssl.make b/rules/openssl.make
index 77efe7df9..19d196087 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -19,9 +19,9 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 # Paths and names
 #
 OPENSSL_BASE := 1.0.2
-OPENSSL_BUGFIX := m
+OPENSSL_BUGFIX := n
 OPENSSL_VERSION := $(OPENSSL_BASE)$(OPENSSL_BUGFIX)
-OPENSSL_MD5 := 10e9e37f492094b9ef296f68f24a7666
+OPENSSL_MD5 := 13bdc1b1d1ff39b6fd42a255e74676a4
 OPENSSL := openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX := tar.gz
 OPENSSL_URL := \
--
2.15.1
_______________________________________________
ptxdist mailing list ptxdist@pengutronix.de