Commit Graph

151 Commits

Author SHA1 Message Date
Gustavo Zacarias
e290ae7202 openssl: use $(HOST_MAKE_ENV) when calling $(MAKE)
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-10-22 15:19:24 +02:00
Gustavo Zacarias
a5a74fcdf2 openssl: use $(TARGET_MAKE_ENV) when calling $(MAKE)
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-10-15 14:16:54 +02:00
Gustavo Zacarias
7ba5ed97bc openssl: security bump to version 1.0.2j
Fixes:
CVE-2016-7052 - Missing CRL sanity check

[Peter: drop CVE 6309 from description as pointed out by Baruch]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-09-27 07:27:27 +02:00
Bernd Kuhls
ba16a7a93e package/openssl: security bump to version 1.0.2i
https://www.openssl.org/news/secadv/20160922.txt

Fixes
SSL_peek() hang on empty record (CVE-2016-6305)
SWEET32 Mitigation (CVE-2016-2183)
OOB write in MDC2_Update() (CVE-2016-6303)
Malformed SHA512 ticket DoS (CVE-2016-6302)
OOB write in BN_bn2dec() (CVE-2016-2182)
OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
Pointer arithmetic undefined behaviour (CVE-2016-2177)
Constant time flag not preserved in DSA signing (CVE-2016-2178)
DTLS buffered message DoS (CVE-2016-2179)
DTLS replay protection DoS (CVE-2016-2181)
Certificate message OOB reads (CVE-2016-6306)
Excessive allocation of memory in tls_get_message_header()
  (CVE-2016-6307)
Excessive allocation of memory in dtls1_preprocess_fragment()
  (CVE-2016-6308)

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-09-22 21:09:33 +02:00
Yann E. MORIN
cf03d6fe04 package/openssl: depend on the virtual cryptodev package
Instead of depending on each provider of cryptodev, make openssl depend
on the virtual package.

This is easy because in both cases the openssl build systems needs the
same configuration options.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-09-04 15:39:27 +02:00
Waldemar Brodkorb
7d0607253c openssl: fix m68k uclinux compile
The GCC manual suggest when getting:
relocation truncated to fit: R_68K_GOT16O foobar
to use -mxgot.

Fixes:
http://autobuild.buildroot.net/results/455fd0f274bfa4bbd786bcd6740ecf960e47c1bd/

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-08-01 23:03:24 +02:00
Gustavo Zacarias
cc89c4c5b0 openssl: disable assembly for ARMv7M
It requires interwork and v7M is thumb-only. Fixes:
http://autobuild.buildroot.net/results/55d/55dc9d6826defd2c9048c2991019d4d573d34af4/

[Peter: use R2_ARM_CPU_HAS_ARM for logic]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-06-22 16:59:23 +02:00
Gustavo Zacarias
2de2570477 openssl: security bump to version 1.0.2h
Fixes:
CVE-2016-2105 - Fix EVP_EncodeUpdate overflow
CVE-2016-2106 - Fix EVP_EncryptUpdate overflow
CVE-2016-2107 - Prevent padding oracle in AES-NI CBC MAC check
CVE-2016-2109 - Prevent ASN.1 BIO excessive memory allocation
CVE-2016-2176 - EBCDIC overread

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-05-04 22:44:51 +02:00
Matthew Shyu
817d3a02ac openssl: enable aarch64 optimization
Signed-off-by: Matthew Shyu <matthew.shyu@amlogic.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-04-20 08:59:32 +02:00
Thomas Petazzoni
6cb4814c87 arch/x86: remove support for i386
The Linux kernel doesn't even support i386 anymore, there is no NPTL
support for i386 and uClibc-ng only supports NPTL on x86, so there is
essentially no usable thread implementation. Most likely glibc and
musl also don't support i386 either. So it's time to remove the
support for this architecture variant.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-04-18 23:38:34 +02:00
Gustavo Zacarias
25b218c144 openssl: security bump to version 1.0.2g
Fixes:
CVE-2016-0800 - Cross-protocol attack on TLS using SSLv2 (DROWN)
CVE-2016-0705 - Double-free in DSA code
CVE-2016-0798 - Memory leak in SRP database lookups
CVE-2016-0797 - BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
CVE-2016-0799 - Fix memory issues in BIO_*printf functions
CVE-2016-0702 - Side channel attack on modular exponentiation

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-03-01 15:48:08 +01:00
Bernd Kuhls
7d8b6bdd00 package/openssl: security bump to version 1.0.2f
Fixes
DH small subgroups (CVE-2016-0701)
SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
An update on DHE man-in-the-middle protection (Logjam)

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-01-28 22:26:15 +01:00
Gustavo Zacarias
37e7c34aaf openssl: re-enable parallel build
The previous incarnation was incomplete, it only applied one of the
Gentoo patches, hence it had corner cases.
Apply all 4 patches as pointed out by Mike on the mailing list.

Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-12-17 22:15:33 +01:00
Gustavo Zacarias
e9fb14ecef openssl: security bump to version 1.0.2e
Fixes:
CVE-2015-3193 - BN_mod_exp may produce incorrect results on x86_64
CVE-2015-3194 - Certificate verify crash with missing PSS parameter
CVE-2015-3195 - X509_ATTRIBUTE memory leak

Enable IDEA as well since otherwise the build breaks (always great
upstream) - it's no longer patent encumbered.

[Peter: correct sha256]
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-12-03 22:08:27 +01:00
Yann E. MORIN
a597e3c676 Revert "openssl: enable parallel build and installation"
This reverts commit 55e4ec054c.

There are still build failures in parallel builds:
    http://autobuild.buildroot.org/results/9a0/9a0fc1064010a658155e6a18ec72e0e3c58ec7f6/
    http://autobuild.buildroot.org/results/c28/c28064f383da1f577bd9227d004f1939daf4579f/
    http://autobuild.buildroot.org/results/218/2180b9d900b27103acc92a2932f7ffa560b04831/
    and so on...

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Ryan Barnett <rjbarnet@rockwellcollins.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-11-23 18:32:25 +01:00
Gustavo Zacarias
35495daed3 openssl: change sed expression delimiter
Switch from : to # since CFLAGS can include :'s spilled in from
BR2_TARGET_OPTIMIZATION, for example:

BR2_TARGET_OPTIMIZATION="-Wl,-rpath,/lib:/usr/lib" would cause the sed
expression to fail thus breaking the build.

Changed all of the SEDs to # for consistency.

Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-09-23 23:27:42 +02:00
Ryan Barnett
55e4ec054c openssl: enable parallel build and installation
This is a patch that is originally based on a patch Thomas P.
submitted for an earlier version of this package. I have adopted this
patch to use the latest available Gentoo parallel patch. I have also
seen about a minute improvement on my build times of openssl.

Part of Thomas P's original message:

On my build server, the current build of OpenSSL takes 1 minutes and
20 seconds. With this commit applied, enabling parallel build and
installation, the build only takes 28 seconds.

All the patches are downloaded from Gentoo.

There is apparently some interest in upstream OpenSSL to enable
parallel build, see for example commit
c3f22253b1. This
commit is not part of any OpenSSL release, but we can hope that the
problem will resolved in the future.

Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
CC: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
CC: Gustavo Zacarias <gustavo@zacarias.com.ar>
CC: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-09-16 22:20:52 +02:00
Ryan Barnett
4062459b82 openssl: use git formatted patches
Using Git formatted patches makes it easier to adjust the patches when
needed.

[Thomas: remove patch numbering.]

Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
CC: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
CC: Gustavo Zacarias <gustavo@zacarias.com.ar>
CC: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-09-16 22:20:30 +02:00
Gustavo Zacarias
d4e547438c openssl: security bump to version 1.0.2d
Fixes CVE-2015-1793 - Alternative chains certificate forgery.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-09 22:03:05 +02:00
Peter Korsgaard
ecd8e9b238 openssl: drop !static dependency from OPENSSL_BIN option
The dependency doesn't make sense now that the option only controls if the
built binary gets installed into the target or not, so drop it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-07-09 08:55:16 +02:00
Benoît Thébaudeau
ca58207df0 openssl: fix static build
If configured with no-dso, the openssl binary still gets linked with
-ldl, while libdl is not available for static-only builds. The OpenSSL
framework does not support automatically dropping -ldl with no-dso, so
-ldl has to be removed from Makefile after calling ./Configure as
explained in PROBLEMS.

Fixes http://autobuild.buildroot.org/results/cbb35f2582f1cfeb3d11cb4952a80784ff660baf

[Peter: add reference to PROBLEMS file]
Signed-off-by: Benoît Thébaudeau <benoit@wsystem.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-07-09 08:54:00 +02:00
Benoît Thébaudeau
a7bc0b9623 openssl: always build apps
Now that building the openssl binary without MMU is supported, the only
reason left for not building apps if the openssl binary is disabled is
to save build time. Moreover, the commit
720893b625 "openssl: disable apps for
NOMMU", which added this behavior, had a side effect: the scripts from
apps (CA.pl, CA.sh and tsget) and the default configuration file
(openssl.cnf) were no longer installed, which is not advertized by the
BR2_PACKAGE_OPENSSL_BIN option. CA.pl and CA.sh use the openssl binary,
so not installing them without the latter makes sense. But tsget does
not use the openssl binary, and openssl.cnf can be used by libcrypto, so
it is preferable to handle BR2_PACKAGE_OPENSSL_BIN like before the
commit mentioned above, i.e. to always build and install apps and to
just remove the openssl binary afterwards if needed.

This is what the current commit does, but installing only the helper
scripts having their dependencies (perl or the openssl binary)
satisfied. The help text is updated accordingly.

Signed-off-by: Benoît Thébaudeau <benoit@wsystem.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-06 17:09:45 +02:00
Benoît Thébaudeau
c8937ade4b openssl: support building the binary without MMU
The commit 720893b625 "openssl: disable
apps for NOMMU" prevented the openssl binary from being built without
MMU in order to fix a build failure without fork(). However, openssl is
designed to support the lack of fork() with -DHAVE_FORK=0, so allow the
openssl binary to be enabled without MMU thanks to this option.

Signed-off-by: Benoît Thébaudeau <benoit@wsystem.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-06-30 16:44:12 +02:00
Gustavo Zacarias
e4f2d3b12a openssl: bump to version 1.0.2c
Fixes HMAC ABI breakage from 1.0.2b

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-06-12 22:16:11 +02:00
Gustavo Zacarias
53c8d64c08 openssl: security bump to version 1.0.2b
CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
CVE-2015-1788 - Malformed ECParameters causes infinite loop
CVE-2015-1792 - CMS verify infinite loop with unknown hash function
CVE-2015-1791 - Race condition handling NewSessionTicket

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-06-12 21:28:21 +02:00
Bernd Kuhls
ffd5125be1 package/openssl: bin/openssl depends on dynamic linking
Fixes
/home/br/br3/output/host/usr/lib/gcc/i586-buildroot-linux-uclibc/4.8.4/../../../../i586-buildroot-linux-uclibc/bin/ld: cannot find -ldl

using this defconfig

BR2_STATIC_LIBS=y
BR2_PACKAGE_OPENSSL=y
BR2_PACKAGE_OPENSSL_BIN=y

Quoting PROBLEMS:
"We don't have framework to associate -ldl with no-dso, therefore the only
way is to edit Makefile right after ./config no-dso and remove -ldl from
EX_LIBS line."

To not make the build procedure more complicated disable static building of
bin/openssl.

[Thomas: add corresponding kconfig comment.]

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-19 11:38:37 +02:00
Gustavo Zacarias
415765b5a8 packages: remove non-lfs enabler patches
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-01 22:53:11 +02:00
Jerzy Grzegorek
bd8c733fb4 packages: indentation cleanup
This commit doesn't touch infra packages.

Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-03-31 13:57:41 +02:00
Gustavo Zacarias
85e7efff1a openssl: security bump to version 1.0.2a
Fixes:
CVE-2015-0291 - ClientHello sigalgs DoS
CVE-2015-0290 - Multiblock corrupted pointer
CVE-2015-0207 - Segmentation fault in DTLSv1_listen
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0208 - Segmentation fault for invalid PSS parameters
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences
CVE-2015-0293 - DoS via reachable assert in SSLv2 servers
CVE-2015-1787 - Empty CKE with client auth and DHE
CVE-2015-0285 - Handshake with unseeded PRNG
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref

musl patch removed since it's no longer necessary.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-03-19 21:50:58 +01:00
Gustavo Zacarias
5fb048645b openssl: update cryptodev digests patch
The adaptation from commit 74dd54bf is incomplete/bad causing segfaults when
using cryptodev for digest offload, examples: openssh, openssl speed, others.
Tested on real hardware (talitos).

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-01-28 21:57:25 +01:00
Gustavo Zacarias
4c7e93a6ea openssl: fix c_rehash dumbness
The new c_rehash from openssl 1.0.2 can't take a minus in the directory
string since the regex for matching commands checks for - in any
position instead of just the beginning to trigger the command parser. Fixes:
http://autobuild.buildroot.net/results/ee6/ee683569350d5deaf0ccc603ed7066bffb83cbe3/

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-01-27 23:13:07 +01:00
Vicente Olivert Riera
74dd54bf73 openssl: bump version to 1.0.2
- Bump version to 1.0.2
- Adapt patches to new version
- Update hash value

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-01-27 14:31:35 +01:00
Gustavo Zacarias
e06d091d59 openssl: bump to version 1.0.1l
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-01-20 00:43:33 +01:00
Gustavo Zacarias
04f99f9659 openssl: security bump to version 1.0.1k
Fixes:
CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
CVE-2015-0206 - DTLS memory leak in dtls1_buffer_record
CVE-2014-3569 - no-ssl3 configuration sets method to NULL
CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client]
CVE-2015-0205 - DH client certificates accepted without verification
[Server]
CVE-2014-8275 - Certificate fingerprints can be modified
CVE-2014-3570 - Bignum squaring may produce incorrect results

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-01-08 21:16:53 +01:00
Thomas Petazzoni
665e13c85e Rename BR2_PREFER_STATIC_LIB to BR2_STATIC_LIBS
Since a while, the semantic of BR2_PREFER_STATIC_LIB has been changed
from "prefer static libraries when possible" to "use only static
libraries". The former semantic didn't make much sense, since the user
had absolutely no control/idea of which package would use static
libraries, and which packages would not. Therefore, for quite some
time, we have been starting to enforce that BR2_PREFER_STATIC_LIB
should really build everything with static libraries.

As a consequence, this patch renames BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS, and adjust the Config.in option accordingly.

This also helps preparing the addition of other options to select
shared, shared+static or just static.

Note that we have verified that this commit can be reproduced by
simply doing a global rename of BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS plus adding BR2_PREFER_STATIC_LIB to Config.in.legacy.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
2014-12-11 22:48:13 +01:00
Peter Korsgaard
fe1b2ef1d3 Merge branch 'next'
Conflicts:
	Makefile
	package/flac/0001-fix-altivec-logic.patch
	package/grantlee/Config.in

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-12-01 11:16:42 +01:00
Bernd Kuhls
b4c7db619e package/openssl: drop libdl from more pc files
This is a follow-up patch for
http://git.buildroot.net/buildroot/commit/package/openssl/openssl.mk?id=c130c5d4635e2a4c7338161953152faf8fca07c4

Fixes
http://autobuild.buildroot.net/results/358/35899961b6dc01c1522b17f63946da5ab809bff8/
http://autobuild.buildroot.net/results/c86/c865214e74dd3766b6343ef73c666fa89c0b5dec/
http://autobuild.buildroot.net/results/fc1/fc12e88fb789e2b68d427c37f39789954309b05d/
http://autobuild.buildroot.net/results/f4d/f4deef4e7d2e2cf5fbc9ce5f02289b4dc60cd23b/
http://autobuild.buildroot.net/results/dfd/dfd81f1f1f0f315317b2a85d24b286a277ac7c16/
http://autobuild.buildroot.net/results/918/9188fc9a63d880cac28c5a9a246ca5504dd11bb2/
http://autobuild.buildroot.net/results/dd1/dd1c326345f8f9c8b5838601ace19002f5360bb2/
http://autobuild.buildroot.net/results/27b/27b4544c59166a9f40092403ed3f530190544a82/
http://autobuild.buildroot.net/results/c37/c37022e334d763bad2a59f7311b93504a569b2dd/
http://autobuild.buildroot.net/results/e89/e89265937a6b4808b817be16bcab79bae4a9aed1/
http://autobuild.buildroot.net/results/4a2/4a222a40d627fda6e49714b13b4321d62c9c2e51/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-11-22 19:54:25 +01:00
Bernd Kuhls
924d832cb4 package/openssl: rename patches to the new convention
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-11-18 23:37:21 +01:00
Peter Korsgaard
93951c8f24 host-openssl: use correct prefix so libssl / libcrypto can be found
Fixes (root cause of):
http://autobuild.buildroot.net/results/d01/d0190a6e5c6b5aa78cfefc29e4e8a4e4b135450b/
http://autobuild.buildroot.net/results/9bb/9bb8defedb8024de83eb3a609ab584efb5d0d2b0/
http://autobuild.buildroot.net/results/e4a/e4a1b298e7e158d3614b89e61d40ef9a00e7ff67/
http://autobuild.buildroot.net/results/5e2/5e24a90058111f7d5618047410f809b45bc165f6/

And many others.

The host version of openssl should be configured to use the host directory
as its prefix and the INSTALL_PREFIX dance shouldn't be used, as otherwise
host-openssl will look in /usr for its libraries.

While we are at it, ensure our host CFLAGS are used similar to how we do for
the target build.  Also enable zlib support as we already list it as a
dependency.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-03 10:59:06 +01:00
Gustavo Zacarias
326781940f openssl: security bump to version 1.0.1j
Fixes:
CVE-2014-3513 - SRTP memory leak
CVE-2014-3567 - Session ticket memory leak
CVE-2014-3568 - Build option no-ssl3 is incomplete
And adds SSL3 fallback protection against POODLE.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-10-17 14:17:48 +02:00
Maarten ter Huurne
0400322f2d openssl: Add patch to fix compilation with musl libc
Signed-off-by: Maarten ter Huurne <maarten@treewalker.org>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-09-28 22:51:07 +02:00
Gustavo Zacarias
d242e6d471 openssl: add hash
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-09-18 21:43:40 +02:00
Gustavo Zacarias
58d3978e4e openssl: add fix for hash cryptodev offloading
See http://rt.openssl.org/Ticket/Display.html?id=2770&user=guest&pass=guest
This has been sitting for ages in the openssl tracker and it's verified
to cause issues.
The patch only touches cryptodev engine offloading so it's pretty safe.
Tested on CAAM SEC4 hardware.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-08-09 10:07:15 +02:00
Gustavo Zacarias
5dd65f2635 openssl: security bump to version 1.0.1i
Fixes:
CVE-2014-3508 - Information leak in pretty printing functions
CVE-2014-5139 - Crash with SRP ciphersuite in Server Hello message
CVE-2014-3509 - Race condition in ssl_parse_serverhello_tlsext
CVE-2014-3505 - Double Free when processing DTLS packets
CVE-2014-3506 - DTLS memory exhaustion
CVE-2014-3507 - DTLS memory leak from zero-length fragments
CVE-2014-3510 - OpenSSL DTLS anonymous EC(DH) denial of service
CVE-2014-3511 - OpenSSL TLS protocol downgrade attack
CVE-2014-3512 - SRP buffer overrun

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-08-07 22:13:14 +02:00
Gustavo Zacarias
c130c5d463 openssl: drop libdl from pc file
Fixes:
http://autobuild.buildroot.net/results/2a2/2a274e2dbffd268a391b0e8a15dae5a759b870a1/

[Thomas: move registration of the hook inside the condition.]

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-07-19 18:06:19 +02:00
Baruch Siach
5e00a5e3a9 openssl: security bump to version 1.0.1h
Fixes CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198 among others.
See https://www.openssl.org/news/secadv_20140605.txt for details.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-06-05 21:26:30 +02:00
Cody P Schafer
7e674dfa4f powerpc: add powerpc64 and powerpc64le support
This enables powerpc64 and powerpc64le. Currently, le needs at least
glibc 2.19 and gcc 4.9.0. For gdb, 7.7.1 works (added in an earlier
patch).

[Peter: also disallow gcc 4.8 for ppc64le]
Signed-off-by: Cody P Schafer <cody@linux.vnet.ibm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-05-26 21:48:33 +02:00
Baruch Siach
ab39c1b47c openssl: bump to version 1.0.1g
Fixes highly critical CVE-2014-0160. See http://heartbleed.com .

Drop patch applied upstream.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-04-08 08:53:09 +02:00
Gustavo Zacarias
e85696b9bf openssl: fix bug
openssl 1.0.1f Makefile.org doesn't quote $(CC) when passing the
parameter in another invocation of make, hence breaking when the
compiler string contains a space with multiple strings (for example with
ccache).

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-01-10 15:40:21 +01:00
Gustavo Zacarias
757690a262 openssl: bump to version 1.0.1f
Fixes CVE-2013-4343, CVE-2013-6450 and the previously patched
CVE-2013-6449.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-01-07 17:25:04 +01:00