diff options
| author | Marcel Ziswiler <marcel.ziswiler@toradex.com> | 2017-04-06 09:56:43 +0200 |
|---|---|---|
| committer | Marcel Ziswiler <marcel.ziswiler@toradex.com> | 2017-04-06 09:56:43 +0200 |
| commit | 2c7ba109910c171acea3561746f8ee37dc6de361 (patch) | |
| tree | a8f614f8c5799c4fac43dccd3988eb787fd6d4a0 /recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch | |
| parent | 947ffa0680228c52c6aed322a84ad451e1c140c1 (diff) | |
openssl: update 1.0.2d -> 1.0.2k
This is basically a back port of the following commits from the
openembedded-core master branch:
openssl: actually apply Use-SHA256-not-MD5-as-default-digest.patch
openssl: Fix symlink creation
openssl: Updgrade 1.0.2j -> 1.0.2k
openssl: Use linux-aarch64 target for aarch64
openssl-native: Compile with -fPIC
openssl: Security fix CVE-2016-7055
OpenSSL: CVE-2004-2761 replace MD5 hash algorithm
openssl: fix bashism in c_rehash shell script
openssl: rehash actual mozilla certificates inside rootfs
openssl: Upgrade 1.0.2i -> 1.0.2j
openssl.inc: avoid random ptest failures
openssl: update to 1.0.2i (CVE-2016-6304 and more)
openssl: fix do_configure error when cwd is not in @INC
openssl: fix add missing dependencies building for test directory
openssl: Security fix CVE-2016-2178
openssl: Security fix CVE-2016-2177
openssl: prevent warnings from openssl-c_rehash.sh
openssl: fix the dangling libcrypto.a symlink
openssl: Ensure SSL certificates are stored on sysconfdir
openssl: Add Shell-Script based c_rehash utility
openssl: Security fix via update to 1.0.2h
openssl.inc: minor packaging cleanup
openssl: don't move libcrypto to base_libdir
openssl: add a patch to fix parallel builds
openssl: Security fix Drown via 1.0.2g update
openssl.inc: drop obsolete mtx-1 and mtx-2 over-rides
openssl: Explicitly set EXTRA_OEMAKE as required
openssl: update 1.0.2e -> 1.0.2f ( CVE-2016-0701 CVE-2015-3197 )
openssl: Add musl configuration support
openssl: update to 1.0.2e
openssl: enable parallel make
openssl: fix ptest issues
openssl: use subdir= instead of moving files in do_configure_prepend()
openssl: sanity check that the bignum module is present
openssl: fix ptest failures
Note that this requires a complete image rebuild due to ABI breakage. If
that is not desired something along those lines would need to be
integrated as well:
http://cgit.openembedded.org/openembedded-core/commit?id=480db6be99f9a53d8657b31b846f0079ee1a124f
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Diffstat (limited to 'recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch')
| -rw-r--r-- | recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch b/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch new file mode 100644 index 0000000..58c9ee7 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch @@ -0,0 +1,69 @@ +From d795f5f20a29adecf92c09459a3ee07ffac01a99 Mon Sep 17 00:00:00 2001 +From: Rich Salz <rsalz@akamai.com> +Date: Sat, 13 Jun 2015 17:03:39 -0400 +Subject: [PATCH] Use SHA256 not MD5 as default digest. + +Commit f8547f62c212837dbf44fb7e2755e5774a59a57b upstream. + +Upstream-Status: Backport +Backport from OpenSSL 2.0 to OpenSSL 1.0.2 +Commit f8547f62c212837dbf44fb7e2755e5774a59a57b + +CVE: CVE-2004-2761 + + The MD5 Message-Digest Algorithm is not collision resistant, + which makes it easier for context-dependent attackers to + conduct spoofing attacks, as demonstrated by attacks on the + use of MD5 in the signature algorithm of an X.509 certificate. + +Reviewed-by: Viktor Dukhovni <viktor@openssl.org> +Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> +Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com> +--- + apps/ca.c | 2 +- + apps/dgst.c | 2 +- + apps/enc.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/apps/ca.c b/apps/ca.c +index 3b7336c..8f3a84b 100644 +--- a/apps/ca.c ++++ b/apps/ca.c +@@ -1612,7 +1612,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, + } else + BIO_printf(bio_err, "Signature ok\n"); + +- if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL) ++ if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL) + goto err; + + ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, +diff --git a/apps/dgst.c b/apps/dgst.c +index 95e5fa3..0d1529f 100644 +--- a/apps/dgst.c ++++ b/apps/dgst.c +@@ -442,7 +442,7 @@ int MAIN(int argc, char **argv) + goto end; + } + if (md == NULL) +- md = EVP_md5(); ++ md = EVP_sha256(); + if (!EVP_DigestInit_ex(mctx, md, impl)) { + BIO_printf(bio_err, "Error setting digest %s\n", pname); + ERR_print_errors(bio_err); +diff --git a/apps/enc.c b/apps/enc.c +index 7b7c70b..a7d944c 100644 +--- a/apps/enc.c ++++ b/apps/enc.c +@@ -344,7 +344,7 @@ int MAIN(int argc, char **argv) + } + + if (dgst == NULL) { +- dgst = EVP_md5(); ++ dgst = EVP_sha256(); + } + + if (bufsize != NULL) { +-- +1.9.1 + |