Diffstat (limited to 'recipes-support')
28 files changed, 1497 insertions, 0 deletions
diff --git a/recipes-support/gdbm/gdbm-1.8.3/ldflags.patch b/recipes-support/gdbm/gdbm-1.8.3/ldflags.patch new file mode 100644 index 0000000..d3cb43b --- /dev/null +++ b/recipes-support/gdbm/gdbm-1.8.3/ldflags.patch @@ -0,0 +1,22 @@ +Obey LDFLAGS + +Signed-off-by: Christopher Larson <chris_larson@mentor.com> +Upstream-Status: Inappropriate [old version] + +--- gdbm-1.8.3.orig/Makefile.in ++++ gdbm-1.8.3/Makefile.in +@@ -156,12 +156,12 @@ install-compat: + + libgdbm.la: $(LOBJS) gdbm.h + rm -f libgdbm.la +- $(LIBTOOL) --mode=link $(CC) -o libgdbm.la -rpath $(libdir) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o libgdbm.la -rpath $(libdir) \ + -version-info $(SHLIB_VER) $(LOBJS) + + libgdbm_compat.la: $(C_LOBJS) gdbm.h + rm -f libgdbm_compat.la +- $(LIBTOOL) --mode=link $(CC) -o libgdbm_compat.la -rpath $(libdir) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o libgdbm_compat.la -rpath $(libdir) \ + -version-info $(SHLIB_VER) $(C_LOBJS) + + gdbm.h: gdbm.proto gdbmerrno.h gdbm.proto2 diff --git a/recipes-support/gdbm/gdbm-1.8.3/libtool-mode.patch b/recipes-support/gdbm/gdbm-1.8.3/libtool-mode.patch new file mode 100644 index 0000000..0f9d04f --- /dev/null +++ b/recipes-support/gdbm/gdbm-1.8.3/libtool-mode.patch 
@@ -0,0 +1,22 @@ +Upstream-Status: Pending + +--- gdbm-1.8.3/Makefile.in.orig 2006-02-16 15:17:25.000000000 +0000 ++++ gdbm-1.8.3/Makefile.in 2006-02-16 15:18:08.000000000 +0000 +@@ -131,7 +131,7 @@ + $(srcdir)/mkinstalldirs $(DESTDIR)$(libdir) \ + $(DESTDIR)$(includedir) $(DESTDIR)$(man3dir) \ + $(DESTDIR)$(infodir) +- $(LIBTOOL) $(INSTALL) -c libgdbm.la $(DESTDIR)$(libdir)/libgdbm.la ++ $(LIBTOOL) --mode=install $(INSTALL) -c libgdbm.la $(DESTDIR)$(libdir)/libgdbm.la + $(INSTALL_DATA) gdbm.h \ + $(DESTDIR)$(includedir)/gdbm.h + $(INSTALL_DATA) $(srcdir)/gdbm.3 \ +@@ -142,7 +142,7 @@ + install-compat: + $(srcdir)/mkinstalldirs $(DESTDIR)$(libdir) \ + $(DESTDIR)$(includedir) +- $(LIBTOOL) $(INSTALL) -c libgdbm_compat.la \ ++ $(LIBTOOL) --mode=install $(INSTALL) -c libgdbm_compat.la \ + $(DESTDIR)$(libdir)/libgdbm_compat.la + $(INSTALL_DATA) $(srcdir)/dbm.h \ + $(DESTDIR)$(includedir)/dbm.h diff --git a/recipes-support/gdbm/gdbm-1.8.3/makefile.patch b/recipes-support/gdbm/gdbm-1.8.3/makefile.patch new file mode 100644 index 0000000..369145c --- /dev/null +++ b/recipes-support/gdbm/gdbm-1.8.3/makefile.patch 
@@ -0,0 +1,60 @@ +Upstream-Status: Pending + +# +# Patch managed by http://www.mn-logistik.de/unsupported/pxa250/patcher +# + +--- gdbm-1.8.3/Makefile.in~makefile ++++ gdbm-1.8.3/Makefile.in +@@ -22,6 +22,7 @@ + TEXI2DVI = texi2dvi + + DEFS = ++DESTDIR = + + # Where the system [n]dbm routines are... + LIBS = @LIBS@ -lc +@@ -127,26 +128,26 @@ + progs: $(PROGS) + + install: libgdbm.la gdbm.h gdbm.info +- $(srcdir)/mkinstalldirs $(INSTALL_ROOT)$(libdir) \ +- $(INSTALL_ROOT)$(includedir) $(INSTALL_ROOT)$(man3dir) \ +- $(INSTALL_ROOT)$(infodir) +- $(LIBTOOL) $(INSTALL) -c libgdbm.la $(INSTALL_ROOT)$(libdir)/libgdbm.la +- $(INSTALL_DATA) -o $(BINOWN) -g $(BINGRP) gdbm.h \ +- $(INSTALL_ROOT)$(includedir)/gdbm.h +- $(INSTALL_DATA) -o $(BINOWN) -g $(BINGRP) $(srcdir)/gdbm.3 \ +- $(INSTALL_ROOT)$(man3dir)/gdbm.3 +- $(INSTALL_DATA) -o $(BINOWN) -g $(BINGRP) $(srcdir)/gdbm.info \ +- $(INSTALL_ROOT)$(infodir)/gdbm.info ++ $(srcdir)/mkinstalldirs $(DESTDIR)$(libdir) \ ++ $(DESTDIR)$(includedir) $(DESTDIR)$(man3dir) \ ++ $(DESTDIR)$(infodir) ++ $(LIBTOOL) $(INSTALL) -c libgdbm.la $(DESTDIR)$(libdir)/libgdbm.la ++ $(INSTALL_DATA) gdbm.h \ ++ $(DESTDIR)$(includedir)/gdbm.h ++ $(INSTALL_DATA) $(srcdir)/gdbm.3 \ ++ $(DESTDIR)$(man3dir)/gdbm.3 ++ $(INSTALL_DATA) $(srcdir)/gdbm.info \ ++ $(DESTDIR)$(infodir)/gdbm.info + + install-compat: +- $(srcdir)/mkinstalldirs $(INSTALL_ROOT)$(libdir) \ +- $(INSTALL_ROOT)$(includedir) ++ $(srcdir)/mkinstalldirs $(DESTDIR)$(libdir) \ ++ $(DESTDIR)$(includedir) + $(LIBTOOL) $(INSTALL) -c libgdbm_compat.la \ +- $(INSTALL_ROOT)$(libdir)/libgdbm_compat.la +- $(INSTALL_DATA) -o $(BINOWN) -g $(BINGRP) $(srcdir)/dbm.h \ +- $(INSTALL_ROOT)$(includedir)/dbm.h +- $(INSTALL_DATA) -o $(BINOWN) -g $(BINGRP) $(srcdir)/ndbm.h \ +- $(INSTALL_ROOT)$(includedir)/ndbm.h ++ $(DESTDIR)$(libdir)/libgdbm_compat.la ++ $(INSTALL_DATA) $(srcdir)/dbm.h \ ++ $(DESTDIR)$(includedir)/dbm.h ++ $(INSTALL_DATA) $(srcdir)/ndbm.h \ ++ $(DESTDIR)$(includedir)/ndbm.h + + #libgdbm.a: 
$(OBJS) gdbm.h + # rm -f libgdbm.a diff --git a/recipes-support/gdbm/gdbm_1.8.3.bb b/recipes-support/gdbm/gdbm_1.8.3.bb new file mode 100644 index 0000000..b253dc1 --- /dev/null +++ b/recipes-support/gdbm/gdbm_1.8.3.bb @@ -0,0 +1,30 @@ +SUMMARY = "Key/value database library with extensible hashing" +HOMEPAGE = "http://www.gnu.org/software/gdbm/" +SECTION = "libs" +LICENSE = "GPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=d8e20eece214df8ef953ed5857862150" + +PR = "r4" + +SRC_URI = "${GNU_MIRROR}/gdbm/gdbm-${PV}.tar.gz \ + file://makefile.patch \ + file://libtool-mode.patch \ + file://ldflags.patch" + +SRC_URI[md5sum] = "1d1b1d5c0245b1c00aff92da751e9aa1" +SRC_URI[sha256sum] = "cc340338a2e28b40058ab9eb5354a21d53f88a1582ea21ba0bb185c37a281dc9" + +inherit autotools texinfo + +BBCLASSEXTEND = "native nativesdk" + +do_install_append () { + oe_runmake install-compat DESTDIR=${D} + install -d ${D}${includedir}/gdbm + install -m 0644 ${S}/dbm.h ${D}${includedir}/ + install -m 0644 ${S}/ndbm.h ${D}${includedir}/ + # Create a symlink to ndbm.h and gdbm.h in include/gdbm to let other packages to find + # these headers + ln -sf ../ndbm.h ${D}/${includedir}/gdbm/ndbm.h + ln -sf ../gdbm.h ${D}/${includedir}/gdbm/gdbm.h +} diff --git a/recipes-support/gmp/gmp-4.2.1/Use-__gnu_inline__-attribute.patch b/recipes-support/gmp/gmp-4.2.1/Use-__gnu_inline__-attribute.patch new file mode 100644 index 0000000..627d71a --- /dev/null +++ b/recipes-support/gmp/gmp-4.2.1/Use-__gnu_inline__-attribute.patch 
@@ -0,0 +1,36 @@ +From 3cb33502bafd04b8ad4ca3454fab16d5ff313297 Mon Sep 17 00:00:00 2001 +From: Jussi Kukkonen <jussi.kukkonen@intel.com> +Date: Tue, 22 Sep 2015 13:16:23 +0300 +Subject: [PATCH] Use __gnu_inline__ attribute + +gcc5 uses C11 inline rules. This means the old "extern inline" +semantics are not available without a special attribute. + +See: https://gcc.gnu.org/gcc-5/porting_to.html + +Upstream-Status: Inappropriate [Fixed in current versions] +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> +--- + gmp-h.in | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/gmp-h.in b/gmp-h.in +index eed6fe4..361dd1d 100644 +--- a/gmp-h.in ++++ b/gmp-h.in +@@ -419,8 +419,11 @@ typedef __mpq_struct *mpq_ptr; + /* gcc has __inline__ in all modes, including strict ansi. Give a prototype + for an inline too, so as to correctly specify "dllimport" on windows, in + case the function is called rather than inlined. */ ++ ++/* Use __gnu_inline__ attribute: later gcc uses different "extern inline" ++ behaviour */ + #ifdef __GNUC__ +-#define __GMP_EXTERN_INLINE extern __inline__ ++#define __GMP_EXTERN_INLINE extern __inline__ __attribute__ ((__gnu_inline__)) + #define __GMP_INLINE_PROTOTYPES 1 + #endif + +-- +2.1.4 + diff --git a/recipes-support/gmp/gmp-4.2.1/avoid-h-asm-constraint-for-MIPS.patch b/recipes-support/gmp/gmp-4.2.1/avoid-h-asm-constraint-for-MIPS.patch new file mode 100644 index 0000000..6da0be9 --- /dev/null +++ b/recipes-support/gmp/gmp-4.2.1/avoid-h-asm-constraint-for-MIPS.patch 
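Review bot: The new `__GMP_EXTERN_INLINE` definition applies `__attribute__ ((__gnu_inline__))` to every compiler that defines `__GNUC__`, with no check that the compiler knows the attribute. gmp-h.in becomes the installed gmp.h, so the macro is also seen by whatever compiler later builds code against the library, not only the one building this recipe. Keying the new form on the compiler's own inline-mode macros, e.g. `#if defined __GNUC_STDC_INLINE__ || defined __GNUC_GNU_INLINE__`, and keeping the old `extern __inline__` otherwise would make that explicit. The added comment could also name the GCC release (gcc5, per the commit message) instead of "later gcc".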
@@ -0,0 +1,57 @@ +From d50686de0406a88ef9112f5252103f799982e84a Mon Sep 17 00:00:00 2001 +From: Andre McCurdy <armccurdy@gmail.com> +Date: Thu, 4 Feb 2016 14:00:00 -0800 +Subject: [PATCH] avoid h asm constraint for MIPS + +The h asm constrain (to extract the high part of a multiplication +result) has not been recognised since gcc 4.4: + + https://gcc.gnu.org/gcc-4.4/changes.html + +Drop the MIPS umul_ppmm() implementations which rely on "=h" and fall +back to the older implementations (which use explicit mfhi and mflo +instructions to move the high and low parts of the multiplication +result into their destinations). + +Upstream-Status: Inappropriate [upstream has a different solution] + +Signed-off-by: Andre McCurdy <armccurdy@gmail.com> +--- + longlong.h | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/longlong.h b/longlong.h +index b53fbee..0193abb 100644 +--- a/longlong.h ++++ b/longlong.h +@@ -1011,27 +1011,17 @@ extern UWtype __MPN(udiv_qrnnd) _PROTO ((UWtype *, UWtype, UWtype, UWtype)); + #endif /* __m88000__ */ + + #if defined (__mips) && W_TYPE_SIZE == 32 +-#if __GNUC__ > 2 || __GNUC_MINOR__ >= 7 +-#define umul_ppmm(w1, w0, u, v) \ +- __asm__ ("multu %2,%3" : "=l" (w0), "=h" (w1) : "d" (u), "d" (v)) +-#else + #define umul_ppmm(w1, w0, u, v) \ + __asm__ ("multu %2,%3\n\tmflo %0\n\tmfhi %1" \ + : "=d" (w0), "=d" (w1) : "d" (u), "d" (v)) +-#endif + #define UMUL_TIME 10 + #define UDIV_TIME 100 + #endif /* __mips */ + + #if (defined (__mips) && __mips >= 3) && W_TYPE_SIZE == 64 +-#if __GNUC__ > 2 || __GNUC_MINOR__ >= 7 +-#define umul_ppmm(w1, w0, u, v) \ +- __asm__ ("dmultu %2,%3" : "=l" (w0), "=h" (w1) : "d" (u), "d" (v)) +-#else + #define umul_ppmm(w1, w0, u, v) \ + __asm__ ("dmultu %2,%3\n\tmflo %0\n\tmfhi %1" \ + : "=d" (w0), "=d" (w1) : "d" (u), "d" (v)) +-#endif + #define UMUL_TIME 20 + #define UDIV_TIME 140 + #endif /* __mips */ +-- +1.9.1 + 
diff --git a/recipes-support/gmp/gmp-4.2.1/gmp_fix_for_automake-1.12.patch b/recipes-support/gmp/gmp-4.2.1/gmp_fix_for_automake-1.12.patch new file mode 100644 index 0000000..26fd8ef --- /dev/null +++ b/recipes-support/gmp/gmp-4.2.1/gmp_fix_for_automake-1.12.patch 
@@ -0,0 +1,56 @@ +automake 1.12 has depricated automatic de-ANSI-fication support + +this patch avoids these kinds of errors: + +| configure.in:2240: error: automatic de-ANSI-fication support has been removed +| Makefile.am:28: error: automatic de-ANSI-fication support has been removed + +Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com> +2012/05/02 + + +This patch was removed in f181c6ce8b3 when gmp 4.2.1 was mistakenly +dropped. + +Upstream is not interested in patches for ancient versions. + +Upstream-Status: Inappropriate +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> + + +Index: gmp-4.2.1/configure.in +=================================================================== +--- gmp-4.2.1.orig/configure.in ++++ gmp-4.2.1/configure.in +@@ -67,7 +67,7 @@ dnl + dnl Note that there's a copy of these options in the top-level Makefile.am, + dnl so update there too if changing anything. + dnl +-AM_INIT_AUTOMAKE([1.8 gnu no-dependencies $(top_builddir)/ansi2knr]) ++AM_INIT_AUTOMAKE([1.8 gnu no-dependencies]) + AM_CONFIG_HEADER(config.h:config.in) + AM_MAINTAINER_MODE + +@@ -2022,9 +2022,6 @@ fi + echo " MPN_PATH=\"$path\"" + + +-# Automake ansi2knr support. +-AM_C_PROTOTYPES +- + GMP_PROG_AR + GMP_PROG_NM + +Index: gmp-4.2.1/Makefile.am +=================================================================== +--- gmp-4.2.1.orig/Makefile.am ++++ gmp-4.2.1/Makefile.am +@@ -27,7 +27,7 @@ + # Makefiles in subdirectories, but here we must omit it so automake gives + # the actual ansi2knr build rule, not "cd $(top_builddir) && make ansi2knr". + # +-AUTOMAKE_OPTIONS = 1.8 gnu no-dependencies ansi2knr ++AUTOMAKE_OPTIONS = 1.8 gnu no-dependencies + + + # Libtool -version-info for libgmp.la and libmp.la. See "Versioning" in the diff --git a/recipes-support/gmp/gmp.inc b/recipes-support/gmp/gmp.inc new file mode 100644 index 0000000..abac8cf --- /dev/null +++ b/recipes-support/gmp/gmp.inc 
@@ -0,0 +1,12 @@ +SUMMARY = "GNU multiprecision arithmetic library" +DESCRIPTION = "GMP is a free library for arbitrary precision arithmetic, operating on signed integers, rational numbers, and floating point numbers" +HOMEPAGE = "http://gmplib.org/" +SECTION = "devel" + +inherit autotools texinfo + +PACKAGECONFIG ??= "" +PACKAGECONFIG[readline] = "--with-readline=yes,--with-readline=no,readline" + +ARM_INSTRUCTION_SET_armv4 = "arm" +ARM_INSTRUCTION_SET_armv5 = "arm" diff --git a/recipes-support/gmp/gmp_4.2.1.bb b/recipes-support/gmp/gmp_4.2.1.bb new file mode 100644 index 0000000..5e8ee29 --- /dev/null +++ b/recipes-support/gmp/gmp_4.2.1.bb @@ -0,0 +1,17 @@ +require gmp.inc + +LICENSE = "LGPLv2.1+ & GPLv2+" +LICENSE_${PN} = "LGPLv2.1+" + +LIC_FILES_CHKSUM = "file://COPYING;md5=892f569a555ba9c07a568a7c0c4fa63a \ + file://COPYING.LIB;md5=fbc093901857fcd118f065f900982c24 \ + file://gmp-h.in;beginline=6;endline=21;md5=e056f74a12c3277d730dbcfb85d2ca34" + +SRC_URI = "https://gmplib.org/download/${BPN}/archive/${BP}.tar.bz2 \ + file://Use-__gnu_inline__-attribute.patch \ + file://gmp_fix_for_automake-1.12.patch \ + file://avoid-h-asm-constraint-for-MIPS.patch \ +" + +SRC_URI[md5sum] = "091c56e0e1cca6b09b17b69d47ef18e3" +SRC_URI[sha256sum] = "d07ffcb37eecec35c5ec72516d10b35fdf6e6fef1fcf1dcd37e30b8cbf8bf941" diff --git a/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch b/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch new file mode 100644 index 0000000..f066774 --- /dev/null +++ b/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch 
@@ -0,0 +1,63 @@ +From e2202ff2b704623efc6277fb5256e4e15bac5676 Mon Sep 17 00:00:00 2001 +From: Werner Koch <wk@gnupg.org> +Date: Thu, 25 Jul 2013 11:17:52 +0200 +Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret + exponents. + +commit e2202ff2b704623efc6277fb5256e4e15bac5676 from +git://git.gnupg.org/libgcrypt.git + +* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for +exponents in secure memory. + +Upstream-Status: Backport +CVE: CVE-2013-4242 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +-- + +The attack is published as http://eprint.iacr.org/2013/448 : + +Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel +Attack by Yuval Yarom and Katrina Falkner. 18 July 2013. + + Flush+Reload is a cache side-channel attack that monitors access to + data in shared pages. In this paper we demonstrate how to use the + attack to extract private encryption keys from GnuPG. The high + resolution and low noise of the Flush+Reload attack enables a spy + program to recover over 98% of the bits of the private key in a + single decryption or signing round. Unlike previous attacks, the + attack targets the last level L3 cache. Consequently, the spy + program and the victim do not need to share the execution core of + the CPU. The attack is not limited to a traditional OS and can be + used in a virtualised environment, where it can attack programs + executing in a different VM. + +Index: gnupg-1.4.7/mpi/mpi-pow.c +=================================================================== +--- gnupg-1.4.7.orig/mpi/mpi-pow.c ++++ gnupg-1.4.7/mpi/mpi-pow.c +@@ -212,7 +212,13 @@ mpi_powm( MPI res, MPI base, MPI exponen + tp = rp; rp = xp; xp = tp; + rsize = xsize; + +- if( (mpi_limb_signed_t)e < 0 ) { ++ /* To mitigate the Yarom/Falkner flush+reload cache ++ * side-channel attack on the RSA secret exponent, we do ++ * the multiplication regardless of the value of the ++ * high-bit of E. 
But to avoid this performance penalty ++ * we do it only if the exponent has been stored in secure ++ * memory and we can thus assume it is a secret exponent. */ ++ if (esec || (mpi_limb_signed_t)e < 0) { + /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/ + if( bsize < KARATSUBA_THRESHOLD ) { + mpihelp_mul( xp, rp, rsize, bp, bsize ); +@@ -227,6 +233,8 @@ mpi_powm( MPI res, MPI base, MPI exponen + mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize); + xsize = msize; + } ++ } ++ if ( (mpi_limb_signed_t)e < 0 ) { + + tp = rp; rp = xp; xp = tp; + rsize = xsize; diff --git a/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch b/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch new file mode 100644 index 0000000..b50a32f --- /dev/null +++ b/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch 
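Review bot: The patch header cites libgcrypt commit e2202ff2 and `gcry_mpi_powm`, but the hunk changes `mpi_powm` in gnupg-1.4.7's mpi/mpi-pow.c, so the header should say that the change was adapted and against which 1.4 source it was checked. The new condition depends on `esec`, which is declared and set outside the hunk; it is worth confirming that in 1.4.7 it reflects whether the exponent sits in secure memory, since otherwise the extra multiplication never runs. A branch on the high bit of `e` remains for the pointer swap (`if ( (mpi_limb_signed_t)e < 0 )`), so the comment could state the limit of the mitigation, e.g. `/* Only the mpi_mul is unconditional; the swap below still depends on E. */`.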
@@ -0,0 +1,45 @@ +Upstream-Status: Backport +CVE: CVE-2013-4351 + +Index: gnupg-1.4.7/g10/getkey.c +=================================================================== +--- gnupg-1.4.7.orig/g10/getkey.c 2007-03-05 16:54:41.000000000 +0800 ++++ gnupg-1.4.7/g10/getkey.c 2013-11-28 14:41:59.640212240 +0800 +@@ -1454,7 +1454,11 @@ + + if(flags) + key_usage |= PUBKEY_USAGE_UNKNOWN; ++ if (!key_usage) ++ key_usage |= PUBKEY_USAGE_NONE; + } ++ else if (p) ++ key_usage |= PUBKEY_USAGE_NONE; + + /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a + capability that we do not handle. This serves to distinguish +Index: gnupg-1.4.7/g10/keygen.c +=================================================================== +--- gnupg-1.4.7.orig/g10/keygen.c 2007-02-05 00:27:40.000000000 +0800 ++++ gnupg-1.4.7/g10/keygen.c 2013-11-28 14:43:05.016670092 +0800 +@@ -209,9 +209,6 @@ + if (use & PUBKEY_USAGE_AUTH) + buf[0] |= 0x20; + +- if (!buf[0]) +- return; +- + build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1); + } + +Index: gnupg-1.4.7/include/cipher.h +=================================================================== +--- gnupg-1.4.7.orig/include/cipher.h 2006-04-21 20:39:49.000000000 +0800 ++++ gnupg-1.4.7/include/cipher.h 2013-11-28 14:49:24.159322744 +0800 +@@ -52,6 +52,7 @@ + #define PUBKEY_USAGE_CERT 4 /* key is also good to certify other keys*/ + #define PUBKEY_USAGE_AUTH 8 /* key is good for authentication */ + #define PUBKEY_USAGE_UNKNOWN 128 /* key has an unknown usage bit */ ++#define PUBKEY_USAGE_NONE 256 /* No usage given. */ + + #define DIGEST_ALGO_MD5 1 + #define DIGEST_ALGO_SHA1 2 diff --git a/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch new file mode 100644 index 0000000..5dcde1f --- /dev/null +++ b/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch 
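Review bot: This patch file carries `Upstream-Status: Backport` and the CVE tag but no upstream commit id, author, description or Signed-off-by, so the backport cannot be compared with what upstream shipped; CVE-2013-4576.patch has the same gap, while CVE-2013-4242.patch and GnuPG1-CVE-2012-6085.patch in this commit do name their source commits. Adding the source commit and a one-line summary to both headers would close that gap. In the cipher.h hunk, `PUBKEY_USAGE_NONE` is 256 and does not fit in eight bits; the variable that finally stores `key_usage` is outside this patch, so confirm the flag is consumed before any narrowing.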
@@ -0,0 +1,154 @@ +Upstream-Status: Backport +CVE: CVE-2013-4576 + +Index: gnupg-1.4.7/cipher/dsa.c +=================================================================== +--- gnupg-1.4.7.orig/cipher/dsa.c 2006-12-12 02:27:21.000000000 +0800 ++++ gnupg-1.4.7/cipher/dsa.c 2014-01-23 11:30:17.300915919 +0800 +@@ -287,6 +287,8 @@ + MPI kinv; + MPI tmp; + ++ mpi_normalize (hash); ++ + /* select a random k with 0 < k < q */ + k = gen_k( skey->q ); + +Index: gnupg-1.4.7/cipher/elgamal.c +=================================================================== +--- gnupg-1.4.7.orig/cipher/elgamal.c 2006-12-12 03:08:05.000000000 +0800 ++++ gnupg-1.4.7/cipher/elgamal.c 2014-01-23 11:30:17.300915919 +0800 +@@ -376,6 +376,9 @@ + { + MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) ); + ++ mpi_normalize (a); ++ mpi_normalize (b); ++ + /* output = b/(a^x) mod p */ + mpi_powm( t1, a, skey->x, skey->p ); + mpi_invm( t1, t1, skey->p ); +Index: gnupg-1.4.7/cipher/random.c +=================================================================== +--- gnupg-1.4.7.orig/cipher/random.c 2006-11-03 18:09:39.000000000 +0800 ++++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800 +@@ -273,6 +273,18 @@ + } + + ++/* Randomize the MPI */ ++void ++randomize_mpi (MPI mpi, size_t nbits, int level) ++{ ++ unsigned char *buffer; ++ ++ buffer = get_random_bits (nbits, level, mpi_is_secure (mpi)); ++ mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0); ++ xfree (buffer); ++} ++ ++ + int + random_is_faked() + { +Index: gnupg-1.4.7/cipher/random.h +=================================================================== +--- gnupg-1.4.7.orig/cipher/random.h 2006-02-09 19:29:29.000000000 +0800 ++++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800 +@@ -32,6 +32,7 @@ + int random_is_faked(void); + void random_disable_locking (void); + void randomize_buffer( byte *buffer, size_t length, int level ); ++void randomize_mpi (MPI mpi, size_t nbits, int level); + byte *get_random_bits( size_t nbits, int 
level, int secure ); + void fast_random_poll( void ); + +Index: gnupg-1.4.7/cipher/rsa.c +=================================================================== +--- gnupg-1.4.7.orig/cipher/rsa.c 2006-12-12 03:09:00.000000000 +0800 ++++ gnupg-1.4.7/cipher/rsa.c 2014-01-23 11:35:04.330639125 +0800 +@@ -301,9 +301,26 @@ + #if 0 + mpi_powm( output, input, skey->d, skey->n ); + #else +- MPI m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); +- MPI m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); +- MPI h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); ++ int nlimbs = mpi_get_nlimbs (skey->n)+1; ++ MPI m1 = mpi_alloc_secure (nlimbs); ++ MPI m2 = mpi_alloc_secure (nlimbs); ++ MPI h = mpi_alloc_secure (nlimbs); ++# if 1 ++ MPI bdata= mpi_alloc_secure (nlimbs); ++ MPI r = mpi_alloc_secure (nlimbs); ++# endif ++ ++ /* Remove superfluous leading zeroes from INPUT. */ ++ mpi_normalize (input); ++ ++# if 1 ++ /* Blind: bdata = (data * r^e) mod n */ ++ randomize_mpi (r, mpi_get_nbits (skey->n), 0); ++ mpi_fdiv_r (r, r, skey->n); ++ mpi_powm (bdata, r, skey->e, skey->n); ++ mpi_mulm (bdata, bdata, input, skey->n); ++ input = bdata; ++# endif + + /* m1 = c ^ (d mod (p-1)) mod p */ + mpi_sub_ui( h, skey->p, 1 ); +@@ -321,8 +338,15 @@ + /* m = m2 + h * p */ + mpi_mul ( h, h, skey->p ); + mpi_add ( output, m1, h ); +- /* ready */ +- ++ ++# if 1 ++ mpi_free (bdata); ++ /* Unblind: output = (output * r^(-1)) mod n */ ++ mpi_invm (r, r, skey->n); ++ mpi_mulm (output, output, r, skey->n); ++ mpi_free (r); ++# endif ++ + mpi_free ( h ); + mpi_free ( m1 ); + mpi_free ( m2 ); +@@ -397,6 +421,7 @@ + rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey ) + { + RSA_secret_key sk; ++ MPI input; + + if( algo != 1 && algo != 2 ) + return G10ERR_PUBKEY_ALGO; +@@ -407,8 +432,14 @@ + sk.p = skey[3]; + sk.q = skey[4]; + sk.u = skey[5]; +- *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) ); +- secret( *result, data[0], &sk ); ++ ++ /* Mitigates side-channel attacks (CVE-2013-4576). 
*/ ++ input = mpi_alloc (0); ++ mpi_normalize (data[0]); ++ mpi_fdiv_r (input, data[0], sk.n); ++ *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n)); ++ secret (*result, input, &sk); ++ mpi_free (input); + return 0; + } + +Index: gnupg-1.4.7/g10/gpgv.c +=================================================================== +--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800 ++++ gnupg-1.4.7/g10/gpgv.c 2014-01-23 11:30:17.300915919 +0800 +@@ -390,6 +390,7 @@ + void random_dump_stats(void) {} + int quick_random_gen( int onoff ) { return -1;} + void randomize_buffer( byte *buffer, size_t length, int level ) {} ++void randomize_mpi (MPI mpi, size_t nbits, int level) {} + int random_is_faked() { return -1;} + byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;} + void set_random_seed_file( const char *name ) {} diff --git a/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch b/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch new file mode 100644 index 0000000..3627176 --- /dev/null +++ b/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch 
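Review bot: The blinding code added to `secret()` in cipher/rsa.c is wrapped in bare `# if 1` blocks and draws `r` with `randomize_mpi (r, mpi_get_nbits (skey->n), 0)`, and neither choice is explained. A comment such as `/* Blinding must stay enabled; it is the CVE-2013-4576 mitigation. */` on the first `# if 1`, plus a line saying why random level 0 is acceptable for `r`, would stop a later cleanup from weakening the fix. After `mpi_fdiv_r (r, r, skey->n)` the visible code passes `r` to `mpi_invm` without checking that it is non-zero; the chance is negligible, but a note that this is accepted would help. `secret()` and `rsa_decrypt()` both start outside the hunks shown.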
@@ -0,0 +1,64 @@ +commit f0b33b6fb8e0586e9584a7a409dcc31263776a67 +Author: Werner Koch <wk@gnupg.org> +Date: Thu Dec 20 09:43:41 2012 +0100 + + gpg: Import only packets which are allowed in a keyblock. + + * g10/import.c (valid_keyblock_packet): New. + (read_block): Store only valid packets. + -- + + A corrupted key, which for example included a mangled public key + encrypted packet, used to corrupt the keyring. This change skips all + packets which are not allowed in a keyblock. + + GnuPG-bug-id: 1455 + + (cherry-picked from commit f795a0d59e197455f8723c300eebf59e09853efa) + +Upstream-Status: Backport +CVE: CVE-2012-6085 + +Signed-off-by: Saul Wold <sgw@linux.intel.com> + +diff --git a/g10/import.c b/g10/import.c +index bfe02eb..a57b32e 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -384,6 +384,27 @@ import_print_stats (void *hd) + } + + ++/* Return true if PKTTYPE is valid in a keyblock. */ ++static int ++valid_keyblock_packet (int pkttype) ++{ ++ switch (pkttype) ++ { ++ case PKT_PUBLIC_KEY: ++ case PKT_PUBLIC_SUBKEY: ++ case PKT_SECRET_KEY: ++ case PKT_SECRET_SUBKEY: ++ case PKT_SIGNATURE: ++ case PKT_USER_ID: ++ case PKT_ATTRIBUTE: ++ case PKT_RING_TRUST: ++ return 1; ++ default: ++ return 0; ++ } ++} ++ ++ + /**************** + * Read the next keyblock from stream A. + * PENDING_PKT should be initialzed to NULL +@@ -461,7 +482,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root ) + } + in_cert = 1; + default: +- if( in_cert ) { ++ if (in_cert && valid_keyblock_packet (pkt->pkttype)) { + if( !root ) + root = new_kbnode( pkt ); + else diff --git a/recipes-support/gnupg/gnupg-1.4.7/configure.patch b/recipes-support/gnupg/gnupg-1.4.7/configure.patch new file mode 100644 index 0000000..e005ac6 --- /dev/null +++ b/recipes-support/gnupg/gnupg-1.4.7/configure.patch 
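Review bot: Packets rejected by the new `valid_keyblock_packet` check in `read_block` are skipped without any diagnostic, so an import that contained a mangled packet looks the same as a clean one. A log line at the skip point, for example `log_info ("skipped packet of type %d in keyblock\n", pkt->pkttype);`, would let an operator notice corrupted key material. What happens to the rejected packet's memory is decided after the `else`, which is outside the hunk; confirm it is released before `pkt` is reused.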
@@ -0,0 +1,17 @@ + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Saul Wold <sgw@linux.intel.com> + +Index: gnupg-1.4.7/configure.ac +=================================================================== +--- gnupg-1.4.7.orig/configure.ac ++++ gnupg-1.4.7/configure.ac +@@ -827,7 +827,6 @@ else + AC_SUBST(USE_NLS) + AC_SUBST(USE_INCLUDED_LIBINTL) + AC_SUBST(BUILD_INCLUDED_LIBINTL) +- AM_PO_SUBDIRS + fi + + if test "$try_extensions" = yes || test x"$card_support" = xyes ; then diff --git a/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch b/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch new file mode 100644 index 0000000..e5fb24a --- /dev/null +++ b/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch @@ -0,0 +1,27 @@ + +This has been discussed in a couple of different bug reported +upstream: + +http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486250 +http://bugs.sourcemage.org/show_bug.cgi?id=14446 + +Fix: +http://lists.gnupg.org/pipermail/gnupg-devel/2008-April/024344.html + +Upstream-Status: Backport [Debian] + +Signed-off-by: Saul Wold <sgw@linux.intel.com> + +Index: gnupg-1.4.7/keyserver/gpgkeys_curl.c +=================================================================== +--- gnupg-1.4.7.orig/keyserver/gpgkeys_curl.c ++++ gnupg-1.4.7/keyserver/gpgkeys_curl.c +@@ -286,7 +286,7 @@ main(int argc,char *argv[]) + curl_easy_setopt(curl,CURLOPT_VERBOSE,1); + } + +- curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,opt->flags.check_cert); ++ curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert); + curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file); + + if(proxy) diff --git a/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch b/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch new file mode 100644 index 0000000..2855cab --- /dev/null +++ b/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch 
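Review bot: The cast to `long` is applied only to `CURLOPT_SSL_VERIFYPEER`, while the context line `curl_easy_setopt(curl,CURLOPT_VERBOSE,1);` in the same hunk of gpgkeys_curl.c still passes an `int` to an option that takes a `long`. Writing it as `curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);` keeps the two calls consistent. `main` starts and ends outside the hunk, so other `curl_easy_setopt` calls with integer arguments may need the same treatment.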
@@ -0,0 +1,19 @@ +Orignal Patch came from OpenWrt via OE-Classic +https://dev.openwrt.org/browser/packages/utils/gnupg/patches/001-mips_gcc4.4 +which is no longer a valid revision! + +Upstream-Status: Inappropriate [configuration] + + +--- gnupg/mpi/longlong.h~ 2006-02-14 10:09:55.000000000 +0000 ++++ gnupg/mpi/longlong.h 2008-10-27 13:11:09.000000000 +0000 +@@ -181,7 +181,7 @@ + /*************************************** + ************** ARM ****************** + ***************************************/ +-#if defined (__arm__) && W_TYPE_SIZE == 32 ++#if defined (__arm__) && W_TYPE_SIZE == 32 && !defined(__thumb__) + #define add_ssaaaa(sh, sl, ah, al, bh, bl) \ + __asm__ ("adds %1, %4, %5\n" \ + "adc %0, %2, %3" \ + diff --git a/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch b/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch new file mode 100644 index 0000000..9a03b2b --- /dev/null +++ b/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch 
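Review bot: The description in long-long-thumb.patch points at OpenWrt's `001-mips_gcc4.4`, yet its hunk adds `!defined(__thumb__)` to the ARM block of mpi/longlong.h, while mips_gcc4.4.patch (the next file) is described as "Readd the ARM Thumb patch" and changes the MIPS `umul_ppmm` block; the two headers look swapped. Each header should describe its own hunk, e.g. `Skip the ARM inline asm when building for Thumb` here and `Avoid the "=h" asm constraint on MIPS with gcc >= 4.4` there. mips_gcc4.4.patch also names gnupg-1.4.10 in its paths although the recipe applies it to 1.4.7, which deserves a line in its header.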
@@ -0,0 +1,50 @@ + +From Openembedded-Classic + + gnupg-1.4.10: Readd the ARM Thumb patch as debian has no thumb support + + +Upstream-Status: Inappropriate [embedded-specific] + +Index: gnupg-1.4.10/mpi/longlong.h +=================================================================== +--- gnupg-1.4.10.orig/mpi/longlong.h 2008-12-11 17:39:43.000000000 +0100 ++++ gnupg-1.4.10/mpi/longlong.h 2010-03-27 14:27:53.000000000 +0100 +@@ -706,18 +706,35 @@ + #endif /* __m88110__ */ + #endif /* __m88000__ */ + ++/* Test for gcc >= maj.min, as per __GNUC_PREREQ in glibc */ ++#if defined (__GNUC__) && defined (__GNUC_MINOR__) ++#define __GNUC_PREREQ(maj, min) \ ++ ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min)) ++#else ++#define __GNUC_PREREQ(maj, min) 0 ++#endif ++ + /*************************************** + ************** MIPS ***************** + ***************************************/ + #if defined (__mips__) && W_TYPE_SIZE == 32 +-#if __GNUC__ > 2 || __GNUC_MINOR__ >= 7 ++#if __GNUC_PREREQ (4,4) ++#define umul_ppmm(w1, w0, u, v) \ ++ do { \ ++ UDItype __ll = (UDItype)(u) * (v); \ ++ w1 = __ll >> 32; \ ++ w0 = __ll; \ ++ } while (0) ++#endif ++#if !defined (umul_ppmm) && __GNUC_PREREQ (2,7) + #define umul_ppmm(w1, w0, u, v) \ + __asm__ ("multu %2,%3" \ + : "=l" ((USItype)(w0)), \ + "=h" ((USItype)(w1)) \ + : "d" ((USItype)(u)), \ + "d" ((USItype)(v))) +-#else ++#endif ++#if !defined (umul_ppmm) + #define umul_ppmm(w1, w0, u, v) \ + __asm__ ("multu %2,%3 \n" \ + "mflo %0 \n" \ diff --git a/recipes-support/gnupg/gnupg_1.4.7.bb b/recipes-support/gnupg/gnupg_1.4.7.bb new file mode 100644 index 0000000..6ccffd5 --- /dev/null +++ b/recipes-support/gnupg/gnupg_1.4.7.bb 
@@ -0,0 +1,104 @@ +SUMMARY = "GNU Privacy Guard - encryption and signing tools" +HOMEPAGE = "http://www.gnupg.org/" +DEPENDS = "zlib bzip2 readline" +SECTION = "console/utils" + +LICENSE = "GPLv2" + +LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a" + +PR = "r9" + +SRC_URI = "${GNUPG_MIRROR}/gnupg/gnupg-${PV}.tar.bz2 \ + file://long-long-thumb.patch \ + file://configure.patch \ + file://mips_gcc4.4.patch \ + file://GnuPG1-CVE-2012-6085.patch \ + file://curl_typeof_fix_backport.patch \ + file://CVE-2013-4351.patch \ + file://CVE-2013-4576.patch \ + file://CVE-2013-4242.patch \ + " + +SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c" +SRC_URI[sha256sum] = "69d18b7d193f62ca27ed4febcb4c9044aa0c95305d3258fe902e2fae5fc6468d" + +inherit autotools gettext texinfo + +# --with-egd-socket=NAME use NAME for the EGD socket +# --with-photo-viewer=FIXED_VIEWER set a fixed photo ID viewer +# --with-included-zlib use the zlib code included here +# --with-capabilities use linux capabilities default=no +# --with-mailprog=NAME use "NAME -t" for mail transport +# --with-libiconv-prefix[=DIR] search for libiconv in DIR/include and DIR/lib +# --without-libiconv-prefix don't search for libiconv in includedir and libdir +# --with-included-gettext use the GNU gettext library included here +# --with-libintl-prefix[=DIR] search for libintl in DIR/include and DIR/lib +# --without-libintl-prefix don't search for libintl in includedir and libdir +# --without-readline do not support fancy command line editing +# --with-included-regex use the included GNU regex library +# --with-zlib=DIR use libz in DIR +# --with-bzip2=DIR look for bzip2 in DIR +# --enable-static-rnd=egd|unix|linux|auto +# --disable-dev-random disable the use of dev random +# --disable-asm do not use assembler modules +# --enable-m-guard enable memory guard facility +# --enable-selinux-support +# enable SELinux support +# --disable-card-support disable OpenPGP card support +# --disable-gnupg-iconv disable 
the new iconv code +# --enable-backsigs enable the experimental backsigs code +# --enable-minimal build the smallest gpg binary possible +# --disable-rsa disable the RSA public key algorithm +# --disable-idea disable the IDEA cipher +# --disable-cast5 disable the CAST5 cipher +# --disable-blowfish disable the BLOWFISH cipher +# --disable-aes disable the AES, AES192, and AES256 ciphers +# --disable-twofish disable the TWOFISH cipher +# --disable-sha256 disable the SHA-256 digest +# --disable-sha512 disable the SHA-384 and SHA-512 digests +# --disable-bzip2 disable the BZIP2 compression algorithm +# --disable-exec disable all external program execution +# --disable-photo-viewers disable photo ID viewers +# --disable-keyserver-helpers disable all external keyserver support +# --disable-ldap disable LDAP keyserver interface +# --disable-hkp disable HKP keyserver interface +# --disable-http disable HTTP key fetching interface +# --disable-finger disable Finger key fetching interface +# --disable-mailto disable email keyserver interface +# --disable-keyserver-path disable the exec-path option for keyserver helpers +# --enable-key-cache=SIZE Set key cache to SIZE (default 4096) +# --disable-largefile omit support for large files +# --disable-dns-srv disable the use of DNS SRV in HKP and HTTP +# --disable-nls do not use Native Language Support +# --disable-regex do not handle regular expressions in trust sigs + +EXTRA_OECONF = "--disable-ldap \ + --with-zlib=${STAGING_LIBDIR}/.. \ + --with-bzip2=${STAGING_LIBDIR}/.. \ + --disable-selinux-support \ + --with-readline=${STAGING_LIBDIR}/.. 
\ + ac_cv_sys_symbol_underscore=no \ + " + +# Force gcc's traditional handling of inline to avoid issues with gcc 5 +CFLAGS += "-fgnu89-inline" + +do_install () { + autotools_do_install + install -d ${D}${docdir}/${BPN} + mv ${D}${datadir}/${BPN}/* ${D}/${docdir}/${BPN}/ || : + mv ${D}${prefix}/doc/* ${D}/${docdir}/${BPN}/ || : +} + +# split out gpgv from main package +RDEPENDS_${PN} = "gpgv" +PACKAGES =+ "gpgv" +FILES_gpgv = "${bindir}/gpgv" + +# Exclude debug files from the main packages +FILES_${PN} = "${bindir}/* ${datadir}/${BPN} ${libexecdir}/${BPN}/*" + +PACKAGECONFIG ??= "" +PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR},--without-libcurl,curl" +PACKAGECONFIG[libusb] = "--with-libusb=${STAGING_LIBDIR},--without-libusb,libusb-compat" diff --git a/recipes-support/libiconv/libiconv-1.11.1/autoconf.patch b/recipes-support/libiconv/libiconv-1.11.1/autoconf.patch new file mode 100644 index 0000000..3cbf549 --- /dev/null +++ b/recipes-support/libiconv/libiconv-1.11.1/autoconf.patch 
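Review bot: The recipe pins gnupg 1.4.7 and carries its security fixes as four local CVE patches, but nothing in it records why this release is kept or how the patch list is maintained. A comment above `SRC_URI` along the lines of `# 1.4.7 is kept for <reason>; CVE fixes are backported individually, review this list when new advisories appear` would make that exposure visible to whoever maintains the layer. In `do_install`, both `mv` lines end in `|| :`, which hides every failure and not only a missing source directory; testing for the directory first would keep real errors visible. The destination `${D}/${docdir}` should also read `${D}${docdir}`, as on the `install -d` line.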
@@ -0,0 +1,50 @@
+It adds the variables that are needed
+for autoconf 2.65 to reconfigure libiconv and defines the m4 macros
+directory. Its imported from OE.
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Index: libiconv-1.11.1/configure.ac
+===================================================================
+--- libiconv-1.11.1.orig/configure.ac
++++ libiconv-1.11.1/configure.ac
+@@ -23,7 +23,7 @@ AC_CONFIG_AUX_DIR(build-aux)
+ AM_INIT_AUTOMAKE(libiconv, 1.11)
+ AC_CONFIG_HEADERS(config.h lib/config.h)
+ AC_PROG_MAKE_SET
+-
++AC_CONFIG_MACRO_DIR([m4])
+ dnl checks for basic programs
+
+ AC_PROG_CC
+Index: libiconv-1.11.1/libcharset/configure.ac
+===================================================================
+--- libiconv-1.11.1.orig/libcharset/configure.ac
++++ libiconv-1.11.1/libcharset/configure.ac
+@@ -16,17 +16,17 @@ dnl along with the GNU CHARSET Library;
+ dnl write to the Free Software Foundation, Inc., 51 Franklin Street,
+ dnl Fifth Floor, Boston, MA 02110-1301, USA.
+
+-AC_PREREQ(2.13)
++AC_PREREQ(2.61)
++AC_INIT([libcharset],[1.4] )
++AC_CONFIG_SRCDIR([lib/localcharset.c])
+
+-PACKAGE=libcharset
+-VERSION=1.4
+-
+-AC_INIT(lib/localcharset.c)
+ AC_CONFIG_AUX_DIR(build-aux)
+ AC_CONFIG_HEADER(config.h)
+ AC_PROG_MAKE_SET
+-AC_SUBST(PACKAGE)
+-AC_SUBST(VERSION)
++dnl AC_SUBST(PACKAGE)
++dnl AC_SUBST(VERSION)
++
++AC_CONFIG_MACRO_DIR([m4])
+
+ dnl checks for basic programs
+
diff --git a/recipes-support/libiconv/libiconv-1.11.1/shared_preloadable_libiconv_linux.patch b/recipes-support/libiconv/libiconv-1.11.1/shared_preloadable_libiconv_linux.patch
new file mode 100644
index 0000000..fb07f73
--- /dev/null
+++ b/recipes-support/libiconv/libiconv-1.11.1/shared_preloadable_libiconv_linux.patch
@@ -0,0 +1,26 @@
+With libtool generating shared and static version of libraries needs -fPIC flags
+without this it will not generate the commands to create shared linked library
+Its more enforced by libtool 2.4. I have not checked it with older libtool
+libiconv 1.11.x is relatively old release and libtool 2.4 did not exist when it
+was released these kind of problem are more likely
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Index: libiconv-1.11.1/lib/Makefile.in
+===================================================================
+--- libiconv-1.11.1.orig/lib/Makefile.in
++++ libiconv-1.11.1/lib/Makefile.in
+@@ -70,9 +70,9 @@ preloadable_libiconv.so : preloadable_li
+
+ preloadable_libiconv_linux.so : $(SOURCES)
+ if test -n "@GCC@"; then \
+- $(LIBTOOL_LINK) $(CC) $(LDFLAGS) $(INCLUDES) $(CFLAGS) $(CPPFLAGS) $(DEFS) -fPIC -DPIC -DLIBICONV_PLUG $(SOURCES) -shared -o preloadable_libiconv_linux.so; \
++ $(LIBTOOL_LINK) $(CC) $(LDFLAGS) $(INCLUDES) $(CFLAGS) $(CPPFLAGS) $(DEFS) -fPIC -DPIC -DLIBICONV_PLUG $(SOURCES) -rpath $(libdir) -o libpreload_iconv.la && cp .libs/libpreload_iconv.so preloadable_libiconv_linux.so; \
+ else \
+- $(LIBTOOL_LINK) $(CC) $(LDFLAGS) $(INCLUDES) $(CFLAGS) $(CPPFLAGS) $(DEFS) -KPIC -DPIC -DLIBICONV_PLUG $(SOURCES) -shared -o preloadable_libiconv_linux.so; \
++ $(LIBTOOL_LINK) $(CC) $(LDFLAGS) $(INCLUDES) $(CFLAGS) $(CPPFLAGS) $(DEFS) -KPIC -DPIC -DLIBICONV_PLUG $(SOURCES) -rpath $(libdir) -o libpreload_iconv.la && cp .libs/libpreload_iconv.so preloadable_libiconv_linux.so; \
+ fi
+
+ preloadable_libiconv_solaris.so : $(SOURCES)
diff --git a/recipes-support/libiconv/libiconv_1.11.1.bb b/recipes-support/libiconv/libiconv_1.11.1.bb
new file mode 100644
index 0000000..f28e64a
--- /dev/null
+++ b/recipes-support/libiconv/libiconv_1.11.1.bb
@@ -0,0 +1,47 @@
+SUMMARY = "Character encoding support library"
+DESCRIPTION = "GNU libiconv - libiconv is for you if your application needs to support \
+multiple character encodings, but that support lacks from your system."
+HOMEPAGE = "http://www.gnu.org/software/libiconv"
+SECTION = "libs"
+NOTES = "Needs to be stripped down to: ascii iso8859-1 eucjp iso-2022jp gb utf8"
+PROVIDES = "virtual/libiconv"
+
+LICENSE = "LGPLv2.0"
+LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=9f604d8a4f8e74f4f5140845a21b6674 \
+ file://libcharset/COPYING.LIB;md5=9f604d8a4f8e74f4f5140845a21b6674"
+
+SRC_URI = "${GNU_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
+ file://autoconf.patch \
+ file://shared_preloadable_libiconv_linux.patch \
+ "
+
+SRC_URI[md5sum] = "d42b97f6ef5dd0ba4469d520ed732fed"
+SRC_URI[sha256sum] = "e78c347a1a0cb15f2648519e9799151f4b4a934b61ad9ee7424478efe2b8257f"
+
+S = "${WORKDIR}/libiconv-${PV}"
+
+inherit autotools pkgconfig gettext
+
+python __anonymous() {
+ if d.getVar("TCLIBC") == "glibc":
+ raise bb.parse.SkipPackage("libiconv is provided for use with uClibc only - glibc already provides iconv")
+}
+
+EXTRA_OECONF += "--enable-shared --enable-static --enable-relocatable"
+
+LEAD_SONAME = "libiconv.so"
+
+do_configure_prepend () {
+ rm -f ${S}/m4/libtool.m4 ${S}/m4/ltoptions.m4 ${S}/m4/ltsugar.m4 ${S}/m4/ltversion.m4 ${S}/m4/lt~obsolete.m4 ${S}/libcharset/m4/libtool.m4 ${S}/libcharset/m4/ltoptions.m4 ${S}/libcharset/m4/ltsugar.m4 ${S}/libcharset/m4/ltversion.m4 ${S}/libcharset/m4/lt~obsolete.m4
+}
+
+do_configure_append () {
+ # forcibly remove RPATH from libtool
+ sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' *libtool
+ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=_NO_RPATH_|g' *libtool
+}
+
+do_install_append () {
+ rm -rf ${D}${libdir}/preloadable_libiconv.so
+ rm -rf ${D}${libdir}/charset.alias
+}
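Review bot: The skip condition in the anonymous python block and its message disagree: the code skips the recipe only when `TCLIBC` is `glibc`, while the message says libiconv is for uClibc only, so any other C library value would still build it. Either the message should describe what is actually tested, or the test should name the libc the recipe is meant for; a one-line comment above the block stating the intent would settle it. `bb.parse.SkipPackage` is also the legacy spelling, and `raise bb.parse.SkipRecipe(...)` is the name to use in new recipes.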
diff --git a/recipes-support/nettle/files/Add-target-to-only-build-tests-not-run-them.patch b/recipes-support/nettle/files/Add-target-to-only-build-tests-not-run-them.patch
new file mode 100644
index 0000000..23da777
--- /dev/null
+++ b/recipes-support/nettle/files/Add-target-to-only-build-tests-not-run-them.patch
@@ -0,0 +1,46 @@
+From 46edf01cc98db9f9feec984897836dfdd26bdc8d Mon Sep 17 00:00:00 2001
+From: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Date: Wed, 12 Aug 2015 23:27:27 +0300
+Subject: [PATCH] Add target to only build tests (not run them)
+
+Not sending upstream as this is only a start of a solution to
+installable tests: It's useful for us already as is.
+
+Upstream-Status: Inappropriate [not a complete solution]
+
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+---
+ Makefile.in | 3 +++
+ testsuite/Makefile.in | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/Makefile.in b/Makefile.in
+index 08efb7d..7909342 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -55,6 +55,9 @@ clean distclean mostlyclean maintainer-clean tags:
+ echo "Making $@ in $$d" ; (cd $$d && $(MAKE) $@); done
+ $(MAKE) $@-here
+
++buildtest:
++ echo "Making $@ in testsuite" ; (cd testsuite && $(MAKE) $@)
++
+ check-here:
+ true
+
+diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in
+index 6bc1907..bb65bf0 100644
+--- a/testsuite/Makefile.in
++++ b/testsuite/Makefile.in
+@@ -116,6 +116,8 @@ $(TARGETS) $(EXTRA_TARGETS): testutils.$(OBJEXT) ../nettle-internal.$(OBJEXT) \
+ # data.
+ VALGRIND = valgrind --error-exitcode=1 --leak-check=full --show-reachable=yes @IF_ASM@ --partial-loads-ok=yes
+
++buildtest: $(TS_ALL)
++
+ # The PATH update is for locating dlls on w*ndows.
+ check: $(TS_ALL)
+ LD_LIBRARY_PATH=../.lib PATH="../.lib:$$PATH" srcdir="$(srcdir)" \
+--
+2.1.4
+
diff --git a/recipes-support/nettle/files/run-ptest b/recipes-support/nettle/files/run-ptest
new file mode 100644
index 0000000..b90bed6
--- /dev/null
+++ b/recipes-support/nettle/files/run-ptest
@@ -0,0 +1,36 @@
+#! /bin/sh
+
+cd testsuite
+
+failed=0
+all=0
+
+for f in *-test; do
+ if [ "$f" = "sha1-huge-test" ] ; then
+ echo "SKIP: $f (skipped for ludicrous run time)"
+ continue
+ fi
+
+ "./$f"
+ case "$?" in
+ 0)
+ echo "PASS: $f"
+ all=$((all + 1))
+ ;;
+ 77)
+ echo "SKIP: $f"
+ ;;
+ *)
+ echo "FAIL: $f"
+ failed=$((failed + 1))
+ all=$((all + 1))
+ ;;
+ esac
+done
+
+if [ "$failed" -eq 0 ] ; then
+ echo "All $all tests passed"
+else
+ echo "$failed of $all tests failed"
+fi
+
diff --git a/recipes-support/nettle/nettle-2.7.1/CVE-2015-8803_8805.patch b/recipes-support/nettle/nettle-2.7.1/CVE-2015-8803_8805.patch
new file mode 100644
index 0000000..a956f42
--- /dev/null
+++ b/recipes-support/nettle/nettle-2.7.1/CVE-2015-8803_8805.patch
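Review bot: The exit status of run-ptest never reflects a failed test, because the last command executed is always an `echo`, so anything that checks the return code sees success even when `$failed` is non-zero. For the self-tests of a cryptographic library that gap is worth closing: end the script with `[ "$failed" -eq 0 ]`, or add `exit 1` to the `else` branch. The `cd testsuite` at the top is also unchecked; `cd testsuite || exit 1` keeps the `*-test` loop from running against whatever directory the script was started in.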
@@ -0,0 +1,71 @@
+Upstream-Status: Backport
+https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
+
+CVE: CVE-2015-8803
+CVE: CVE-2015-8805
+
+Same fix for both.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: nettle-2.7.1/ecc-256.c
+===================================================================
+--- nettle-2.7.1.orig/ecc-256.c
++++ nettle-2.7.1/ecc-256.c
+@@ -96,9 +96,19 @@ ecc_256_modp (const struct ecc_curve *ec
+ q2 += t + (q1 < t);
+
+ assert (q2 < 2);
++ /*
++ n-1 n-2 n-3 n-4
++ +---+---+---+---+
++ | u1| u0| u low |
++ +---+---+---+---+
++ - | q1(2^96-1)|
++ +-------+---+
++ |q2(2^.)|
++ +-------+
+
+- /* We multiply by two low limbs of p, 2^96 - 1, so we could use
+- shifts rather than mul. */
++ We multiply by two low limbs of p, 2^96 - 1, so we could use
++ shifts rather than mul.
++ */
+ t = mpn_submul_1 (rp + n - 4, ecc->p, 2, q1);
+ t += cnd_sub_n (q2, rp + n - 3, ecc->p, 1);
+ t += (-q2) & 0xffffffff;
+@@ -108,7 +118,10 @@ ecc_256_modp (const struct ecc_curve *ec
+ u0 -= t;
+ t = (u1 < cy);
+ u1 -= cy;
+- u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3);
++
++ cy = cnd_add_n (t, rp + n - 4, ecc->p, 2);
++ u0 += cy;
++ u1 += (u0 < cy);
+ u1 -= (-t) & 0xffffffff;
+ }
+ rp[2] = u0;
+@@ -195,7 +208,7 @@ ecc_256_modq (const struct ecc_curve *ec
+
+ /* Conditional add of p */
+ u1 += t;
+- u2 += (t<<32) + (u0 < t);
++ u2 += (t<<32) + (u1 < t);
+
+ t = cnd_add_n (t, rp + n - 4, ecc->q, 2);
+ u1 += t;
+Index: nettle-2.7.1/ChangeLog
+===================================================================
+--- nettle-2.7.1.orig/ChangeLog
++++ nettle-2.7.1/ChangeLog
+@@ -1,3 +1,9 @@
++2015-12-10 Niels Möller <nisse@lysator.liu.se>
++
++ * ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem
++ reported by Hanno Böck.
++ (ecc_256_modq): Fixed another carry propagation bug.
++
+ 2013-05-28 Niels Möller <nisse@lysator.liu.se>
+
+ * Released nettle-2.7.1.
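Review bot: The ChangeLog hunk at the end of this patch creates an ordering dependency that nothing records: CVE-2015-8804.patch uses the `2015-12-10` ChangeLog entry added here as context for its own ChangeLog hunk, so it is only expected to apply cleanly after this one. The SRC_URI order in nettle_2.7.1.bb is correct today, but dropping the ChangeLog hunks from both backports, or adding a comment such as `# CVE-2015-8804.patch must follow CVE-2015-8803_8805.patch (shared ChangeLog context)` beside the SRC_URI entries, would keep a later reorder or removal from breaking patch application. The header's only description is "Same fix for both"; one sentence saying that the change corrects carry propagation in `ecc_256_modp` and `ecc_256_modq`, as the ChangeLog entry does, would help whoever audits the CVE coverage later.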
diff --git a/recipes-support/nettle/nettle-2.7.1/CVE-2015-8804.patch b/recipes-support/nettle/nettle-2.7.1/CVE-2015-8804.patch
new file mode 100644
index 0000000..73723a9
--- /dev/null
+++ b/recipes-support/nettle/nettle-2.7.1/CVE-2015-8804.patch
@@ -0,0 +1,272 @@
+Upstream-Status: Backport
+ https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7
+
+CVE: CVE-2015-8804
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: nettle-2.7.1/ChangeLog
+===================================================================
+--- nettle-2.7.1.orig/ChangeLog
++++ nettle-2.7.1/ChangeLog
+@@ -1,3 +1,11 @@
++2015-12-15 Niels Möller <nisse@lysator.liu.se>
++
++ * x86_64/ecc-384-modp.asm: Fixed carry propagation bug. Problem
++ reported by Hanno Böck. Simplified the folding to always use
++ non-negative carry, the old code attempted to add in a carry which
++ could be either positive or negative, but didn't get that case
++ right.
++
+ 2015-12-10 Niels Möller <nisse@lysator.liu.se>
+
+ * ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem
+Index: nettle-2.7.1/x86_64/ecc-384-modp.asm
+===================================================================
+--- nettle-2.7.1.orig/x86_64/ecc-384-modp.asm
++++ nettle-2.7.1/x86_64/ecc-384-modp.asm
+@@ -20,7 +20,7 @@ C MA 02111-1301, USA.
+ .file "ecc-384-modp.asm"
+
+ define(<RP>, <%rsi>)
+-define(<D4>, <%rax>)
++define(<D5>, <%rax>)
+ define(<T0>, <%rbx>)
+ define(<T1>, <%rcx>)
+ define(<T2>, <%rdx>)
+@@ -35,8 +35,8 @@ define(<H4>, <%r13>)
+ define(<H5>, <%r14>)
+ define(<C2>, <%r15>)
+ define(<C0>, H5) C Overlap
+-define(<D0>, RP) C Overlap
+-define(<TMP>, H4) C Overlap
++define(<TMP>, RP) C Overlap
++
+
+ PROLOGUE(nettle_ecc_384_modp)
+ W64_ENTRY(2, 0)
+@@ -48,34 +48,38 @@ PROLOGUE(nettle_ecc_384_modp)
+ push %r14
+ push %r15
+
+- C First get top 2 limbs, which need folding twice
++ C First get top 2 limbs, which need folding twice.
++ C B^10 = B^6 + B^4 + 2^32 (B-1)B^4.
++ C We handle the terms as follow:
+ C
+- C H5 H4
+- C -H5
+- C ------
+- C H0 D4
++ C B^6: Folded immediatly.
+ C
+- C Then shift right, (H1,H0,D4) <-- (H0,D4) << 32
+- C and add
++ C B^4: Delayed, added in in the next folding.
+ C
+- C H5 H4
+- C H1 H0
+- C ----------
+- C C2 H1 H0
+-
+- mov 80(RP), D4
+- mov 88(RP), H0
+- mov D4, H4
+- mov H0, H5
+- sub H0, D4
+- sbb $0, H0
+-
+- mov D4, T2
+- mov H0, H1
+- shl $32, H0
+- shr $32, T2
++ C 2^32(B-1) B^4: Low half limb delayed until the next
++ C folding. Top 1.5 limbs subtracted and shifter now, resulting
++ C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added
++ C in.
++
++ mov 80(RP), H4
++ mov 88(RP), H5
++ C Shift right 32 bits, into H1, H0
++ mov H4, H0
++ mov H5, H1
++ mov H5, D5
+ shr $32, H1
+- or T2, H0
++ shl $32, D5
++ shr $32, H0
++ or D5, H0
++
++ C H1 H0
++ C - H1 H0
++ C --------
++ C H1 H0 D5
++ mov H0, D5
++ neg D5
++ sbb H1, H0
++ sbb $0, H1
+
+ xor C2, C2
+ add H4, H0
+@@ -114,118 +118,95 @@ PROLOGUE(nettle_ecc_384_modp)
+ adc H3, T5
+ adc $0, C0
+
+- C H3 H2 H1 H0 0
+- C - H4 H3 H2 H1 H0
+- C ---------------
+- C H3 H2 H1 H0 D0
+-
+- mov XREG(D4), XREG(D4)
+- mov H0, D0
+- neg D0
+- sbb H1, H0
+- sbb H2, H1
+- sbb H3, H2
+- sbb H4, H3
+- sbb $0, D4
+-
+- C Shift right. High bits are sign, to be added to C0.
+- mov D4, TMP
+- sar $32, TMP
+- shl $32, D4
+- add TMP, C0
+-
++ C Shift left, including low half of H4
+ mov H3, TMP
++ shl $32, H4
+ shr $32, TMP
+- shl $32, H3
+- or TMP, D4
++ or TMP, H4
+
+ mov H2, TMP
++ shl $32, H3
+ shr $32, TMP
+- shl $32, H2
+ or TMP, H3
+
+ mov H1, TMP
++ shl $32, H2
+ shr $32, TMP
+- shl $32, H1
+ or TMP, H2
+
+ mov H0, TMP
++ shl $32, H1
+ shr $32, TMP
+- shl $32, H0
+ or TMP, H1
+
+- mov D0, TMP
+- shr $32, TMP
+- shl $32, D0
+- or TMP, H0
++ shl $32, H0
++
++ C H4 H3 H2 H1 H0 0
++ C - H4 H3 H2 H1 H0
++ C ---------------
++ C H4 H3 H2 H1 H0 TMP
+
+- add D0, T0
++ mov H0, TMP
++ neg TMP
++ sbb H1, H0
++ sbb H2, H1
++ sbb H3, H2
++ sbb H4, H3
++ sbb $0, H4
++
++ add TMP, T0
+ adc H0, T1
+ adc H1, T2
+ adc H2, T3
+ adc H3, T4
+- adc D4, T5
++ adc H4, T5
+ adc $0, C0
+
+ C Remains to add in C2 and C0
+- C C0 C0<<32 (-2^32+1)C0
+- C C2 C2<<32 (-2^32+1)C2
+- C where C2 is always positive, while C0 may be -1.
++ C Set H1, H0 = (2^96 - 2^32 + 1) C0
+ mov C0, H0
+ mov C0, H1
+- mov C0, H2
+- sar $63, C0 C Get sign
+ shl $32, H1
+- sub H1, H0 C Gives borrow iff C0 > 0
++ sub H1, H0
+ sbb $0, H1
+- add C0, H2
+
++ C Set H3, H2 = (2^96 - 2^32 + 1) C2
++ mov C2, H2
++ mov C2, H3
++ shl $32, H3
++ sub H3, H2
++ sbb $0, H3
++ add C0, H2 C No carry. Could use lea trick
++
++ xor C0, C0
+ add H0, T0
+ adc H1, T1
+- adc $0, H2
+- adc $0, C0
+-
+- C Set (H1 H0) <-- C2 << 96 - C2 << 32 + 1
+- mov C2, H0
+- mov C2, H1
+- shl $32, H1
+- sub H1, H0
+- sbb $0, H1
+-
+- add H2, H0
+- adc C0, H1
+- adc C2, C0
+- mov C0, H2
+- sar $63, C0
+- add H0, T2
+- adc H1, T3
+- adc H2, T4
+- adc C0, T5
+- sbb C0, C0
++ adc H2, T2
++ adc H3, T3
++ adc C2, T4
++ adc D5, T5 C Value delayed from initial folding
++ adc $0, C0 C Use sbb and switch sign?
+
+ C Final unlikely carry
+ mov C0, H0
+ mov C0, H1
+- mov C0, H2
+- sar $63, C0
+ shl $32, H1
+ sub H1, H0
+ sbb $0, H1
+- add C0, H2
+
+ pop RP
+
+- sub H0, T0
++ add H0, T0
+ mov T0, (RP)
+- sbb H1, T1
++ adc H1, T1
+ mov T1, 8(RP)
+- sbb H2, T2
++ adc C0, T2
+ mov T2, 16(RP)
+- sbb C0, T3
++ adc $0, T3
+ mov T3, 24(RP)
+- sbb C0, T4
++ adc $0, T4
+ mov T4, 32(RP)
+- sbb C0, T5
++ adc $0, T5
+ mov T5, 40(RP)
+
+ pop %r15
diff --git a/recipes-support/nettle/nettle-2.7.1/check-header-files-of-openssl-only-if-enable_.patch b/recipes-support/nettle/nettle-2.7.1/check-header-files-of-openssl-only-if-enable_.patch
new file mode 100644
index 0000000..38d9107
--- /dev/null
+++ b/recipes-support/nettle/nettle-2.7.1/check-header-files-of-openssl-only-if-enable_.patch
@@ -0,0 +1,38 @@
+From c369dd7049f5a198f8b6c96fde6e294ce5146c2f Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Fri, 9 Dec 2016 16:16:45 +0800
+Subject: [PATCH] nettle: check header files of openssl only if
+ 'enable_openssl=yes'.
+
+The original configure script checks openssl header files to generate
+config.h even if 'enable_openssl' is not set to yes, this made inconsistent
+building for nettle.
+
+Upstream-Status: Pending
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ configure.ac | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 78a3d4e..4f16a98 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -603,9 +603,11 @@ AC_CHECK_ALIGNOF(uint64_t)
+ ALIGNOF_UINT64_T="$ac_cv_alignof_uint64_t"
+ AC_SUBST(ALIGNOF_UINT64_T)
+
+-AC_CHECK_HEADERS([openssl/blowfish.h openssl/des.h openssl/cast.h openssl/aes.h],,
+-[enable_openssl=no
+- break])
++if test "x$enable_openssl" = "xyes"; then
++ AC_CHECK_HEADERS([openssl/blowfish.h openssl/des.h openssl/cast.h openssl/aes.h],,
++ [enable_openssl=no
++ break])
++fi
+
+ LSH_FUNC_ALLOCA
+ LSH_FUNC_STRERROR
+--
+1.9.1
+
diff --git a/recipes-support/nettle/nettle.inc b/recipes-support/nettle/nettle.inc
new file mode 100644
index 0000000..af51fb6
--- /dev/null
+++ b/recipes-support/nettle/nettle.inc
@@ -0,0 +1,37 @@
+SUMMARY = "A low level cryptographic library"
+HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/"
+SECTION = "libs"
+
+DEPENDS += "gmp"
+
+SRC_URI = "http://www.lysator.liu.se/~nisse/archive/${BP}.tar.gz \
+ file://Add-target-to-only-build-tests-not-run-them.patch \
+ file://run-ptest \
+ "
+
+UPSTREAM_CHECK_REGEX = "nettle-(?P<pver>\d+(\.\d+)+)\.tar"
+
+inherit autotools ptest
+
+EXTRA_OECONF = "--disable-openssl"
+
+do_configure_prepend() {
+ if [ ! -e ${S}/acinclude.m4 -a -e ${S}/aclocal.m4 ]; then
+ cp ${S}/aclocal.m4 ${S}/acinclude.m4
+ fi
+}
+
+do_compile_ptest() {
+ oe_runmake buildtest
+}
+
+do_install_ptest() {
+ install -d ${D}${PTEST_PATH}/testsuite/
+ install ${S}/testsuite/gold-bug.txt ${D}${PTEST_PATH}/testsuite/
+ install ${S}/testsuite/*-test ${D}${PTEST_PATH}/testsuite/
+ # tools can be found in PATH, not in ../tools/
+ sed -i -e 's|../tools/||' ${D}${PTEST_PATH}/testsuite/*-test
+ install ${B}/testsuite/*-test ${D}${PTEST_PATH}/testsuite/
+}
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/recipes-support/nettle/nettle_2.7.1.bb b/recipes-support/nettle/nettle_2.7.1.bb
new file mode 100644
index 0000000..2006146
--- /dev/null
+++ b/recipes-support/nettle/nettle_2.7.1.bb
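Review bot: In do_install_ptest the expression `s|../tools/||` treats both dots as regex wildcards and has no `g` flag, so it matches any two characters in front of `/tools/` and rewrites only the first occurrence on each line; `sed -i -e 's|\.\./tools/||g'` says what the comment above it means. The step also depends on running before the `${B}/testsuite/*-test` files are installed, since `sed -i` over what are presumably compiled test binaries would corrupt them, and a comment noting that the order matters would protect it from a later tidy-up. Separately, SRC_URI fetches over plain http, so the checksums in the versioned recipe are the only integrity check on the tarball.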
@@ -0,0 +1,19 @@
+require nettle.inc
+
+LICENSE = "LGPLv2.1+ & GPLv2"
+LICENSE_${PN} = "LGPLv2.1+"
+
+LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=2d5025d4aa3495befef8f17206a5b0a1 \
+ file://serpent-decrypt.c;beginline=53;endline=67;md5=bcfd4745d53ca57f82907089898e390d \
+ file://serpent-set-key.c;beginline=56;endline=70;md5=bcfd4745d53ca57f82907089898e390d"
+
+SRC_URI[md5sum] = "003d5147911317931dd453520eb234a5"
+SRC_URI[sha256sum] = "bc71ebd43435537d767799e414fce88e521b7278d48c860651216e1fc6555b40"
+
+SRC_URI += "\
+ file://CVE-2015-8803_8805.patch \
+ file://CVE-2015-8804.patch \
+ file://check-header-files-of-openssl-only-if-enable_.patch \
+ "
+
+DISABLE_STATIC = "" |
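Review bot: `DISABLE_STATIC = ""` on the last line clears the static-library switch with no explanation, which presumably turns static archives back on for this recipe. Anything linked against a static copy of the library keeps the old code until it is itself rebuilt, which matters for a recipe that already carries three CVE backports, so the reason belongs in a comment above the line, for example `# static archives are needed by <consumer> (placeholder: name the user)`. If nothing needs them, dropping the line leaves the distro default in place.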