[PATCH 1/4] openssl10: Upgrade 1.0.2l -> 1.0.2m

[PATCH 1/4] openssl10: Upgrade 1.0.2l -> 1.0.2m

[Stefan Agner]

From: Stefan Agner <stefan.agner@toradex.com>

Deals with two CVEs:
* bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)

Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
---
 .../0001-Fix-build-with-clang-using-external-assembler.patch          | 0
 .../0001-openssl-force-soft-link-to-avoid-rare-race.patch             | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/Makefiles-ptest.patch  | 0
 .../Use-SHA256-not-MD5-as-default-digest.patch                        | 0
 .../{openssl-1.0.2l => openssl-1.0.2m}/configure-musl-target.patch    | 0
 .../{openssl-1.0.2l => openssl-1.0.2m}/configure-targets.patch        | 0
 .../{openssl-1.0.2l => openssl-1.0.2m}/debian/c_rehash-compat.patch   | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/ca.patch        | 0
 .../{openssl-1.0.2l => openssl-1.0.2m}/debian/debian-targets.patch    | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/man-dir.patch   | 0
 .../{openssl-1.0.2l => openssl-1.0.2m}/debian/man-section.patch       | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/no-rpath.patch  | 0
 .../{openssl-1.0.2l => openssl-1.0.2m}/debian/no-symbolic.patch       | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/pic.patch       | 0
 .../{openssl-1.0.2l => openssl-1.0.2m}/debian/version-script.patch    | 0
 .../debian1.0.2/block_digicert_malaysia.patch                         | 0
 .../debian1.0.2/block_diginotar.patch                                 | 0
 .../{openssl-1.0.2l => openssl-1.0.2m}/debian1.0.2/soname.patch       | 0
 .../debian1.0.2/version-script.patch                                  | 0
 .../engines-install-in-libdir-ssl.patch                               | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/find.pl                | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/oe-ldflags.patch       | 0
 .../{openssl-1.0.2l => openssl-1.0.2m}/openssl-1.0.2a-x32-asm.patch   | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/openssl-c_rehash.sh    | 0
 .../openssl-fix-des.pod-error.patch                                   | 0
 .../openssl-util-perlpath.pl-cwd.patch                                | 0
 .../{openssl-1.0.2l => openssl-1.0.2m}/openssl_fix_for_x32.patch      | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/parallel.patch         | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/ptest-deps.patch       | 0
 .../{openssl-1.0.2l => openssl-1.0.2m}/ptest_makefile_deps.patch      | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/run-ptest              | 0
 .../openssl/{openssl-1.0.2l => openssl-1.0.2m}/shared-libs.patch      | 0
 .../openssl/{openssl_1.0.2l.bb => openssl_1.0.2m.bb}                  | 4 ++--
 33 files changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/0001-Fix-build-with-clang-using-external-assembler.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/0001-openssl-force-soft-link-to-avoid-rare-race.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/Makefiles-ptest.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/Use-SHA256-not-MD5-as-default-digest.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/configure-musl-target.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/configure-targets.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/c_rehash-compat.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/ca.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/debian-targets.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/man-dir.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/man-section.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/no-rpath.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/no-symbolic.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/pic.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian/version-script.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian1.0.2/block_digicert_malaysia.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian1.0.2/block_diginotar.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian1.0.2/soname.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/debian1.0.2/version-script.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/engines-install-in-libdir-ssl.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/find.pl (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/oe-ldflags.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/openssl-1.0.2a-x32-asm.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/openssl-c_rehash.sh (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/openssl-fix-des.pod-error.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/openssl-util-perlpath.pl-cwd.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/openssl_fix_for_x32.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/parallel.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/ptest-deps.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/ptest_makefile_deps.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/run-ptest (100%)
 rename meta/recipes-connectivity/openssl/{openssl-1.0.2l => openssl-1.0.2m}/shared-libs.patch (100%)
 rename meta/recipes-connectivity/openssl/{openssl_1.0.2l.bb => openssl_1.0.2m.bb} (94%)

diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/0001-Fix-build-with-clang-using-external-assembler.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/0001-Fix-build-with-clang-using-external-assembler.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/0001-Fix-build-with-clang-using-external-assembler.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/0001-Fix-build-with-clang-using-external-assembler.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/0001-openssl-force-soft-link-to-avoid-rare-race.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/0001-openssl-force-soft-link-to-avoid-rare-race.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/0001-openssl-force-soft-link-to-avoid-rare-race.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/0001-openssl-force-soft-link-to-avoid-rare-race.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/Makefiles-ptest.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/Makefiles-ptest.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/Makefiles-ptest.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/Makefiles-ptest.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/Use-SHA256-not-MD5-as-default-digest.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/Use-SHA256-not-MD5-as-default-digest.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/Use-SHA256-not-MD5-as-default-digest.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/Use-SHA256-not-MD5-as-default-digest.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/configure-musl-target.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/configure-musl-target.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/configure-musl-target.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/configure-musl-target.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/configure-targets.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/configure-targets.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/configure-targets.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/configure-targets.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/c_rehash-compat.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/c_rehash-compat.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/c_rehash-compat.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/c_rehash-compat.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/ca.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/ca.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/ca.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/ca.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/debian-targets.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/debian-targets.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/debian-targets.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/debian-targets.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/man-dir.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/man-dir.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/man-dir.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/man-dir.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/man-section.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/man-section.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/man-section.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/man-section.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/no-rpath.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/no-rpath.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/no-rpath.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/no-rpath.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/no-symbolic.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/no-symbolic.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/no-symbolic.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/no-symbolic.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/pic.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/pic.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/pic.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/pic.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/version-script.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/version-script.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian/version-script.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian/version-script.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/block_digicert_malaysia.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian1.0.2/block_digicert_malaysia.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/block_digicert_malaysia.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian1.0.2/block_digicert_malaysia.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian1.0.2/block_diginotar.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/block_diginotar.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian1.0.2/block_diginotar.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/soname.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian1.0.2/soname.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/soname.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian1.0.2/soname.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/version-script.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/debian1.0.2/version-script.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/version-script.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/debian1.0.2/version-script.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/engines-install-in-libdir-ssl.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/engines-install-in-libdir-ssl.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/engines-install-in-libdir-ssl.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/engines-install-in-libdir-ssl.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/find.pl b/meta/recipes-connectivity/openssl/openssl-1.0.2m/find.pl
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/find.pl
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/find.pl
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/oe-ldflags.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/oe-ldflags.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/oe-ldflags.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/oe-ldflags.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/openssl-1.0.2a-x32-asm.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/openssl-1.0.2a-x32-asm.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/openssl-1.0.2a-x32-asm.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/openssl-1.0.2a-x32-asm.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl-1.0.2m/openssl-c_rehash.sh
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/openssl-c_rehash.sh
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/openssl-c_rehash.sh
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/openssl-fix-des.pod-error.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/openssl-fix-des.pod-error.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/openssl-fix-des.pod-error.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/openssl-fix-des.pod-error.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/openssl-util-perlpath.pl-cwd.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/openssl-util-perlpath.pl-cwd.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/openssl-util-perlpath.pl-cwd.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/openssl-util-perlpath.pl-cwd.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/openssl_fix_for_x32.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/openssl_fix_for_x32.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/openssl_fix_for_x32.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/openssl_fix_for_x32.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/parallel.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/parallel.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/parallel.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/parallel.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/ptest-deps.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/ptest-deps.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/ptest-deps.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/ptest-deps.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/ptest_makefile_deps.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/ptest_makefile_deps.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/ptest_makefile_deps.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/ptest_makefile_deps.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/run-ptest b/meta/recipes-connectivity/openssl/openssl-1.0.2m/run-ptest
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/run-ptest
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/run-ptest
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/shared-libs.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/shared-libs.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.2l/shared-libs.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.2m/shared-libs.patch
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2l.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2m.bb
similarity index 94%
rename from meta/recipes-connectivity/openssl/openssl_1.0.2l.bb
rename to meta/recipes-connectivity/openssl/openssl_1.0.2m.bb
index c537aa4cd0..04763ac346 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2l.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2m.bb
@@ -43,8 +43,8 @@ SRC_URI += "file://find.pl;subdir=openssl-${PV}/util/ \
             file://0001-Fix-build-with-clang-using-external-assembler.patch \
             file://0001-openssl-force-soft-link-to-avoid-rare-race.patch  \
             "
-SRC_URI[md5sum] = "f85123cd390e864dfbe517e7616e6566"
-SRC_URI[sha256sum] = "ce07195b659e75f4e1db43552860070061f156a98bb37b672b101ba6e3ddf30c"
+SRC_URI[md5sum] = "10e9e37f492094b9ef296f68f24a7666"
+SRC_URI[sha256sum] = "8c6ff15ec6b319b50788f42c7abc2890c08ba5a1cdcd3810eb9092deada37b0f"
 
 PACKAGES =+ "${PN}-engines"
 FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
-- 
2.13.6

[PATCH 2/4] openssl10: fix runtime errors with Thumb2 when using binutils 2.29

[Stefan Agner]

From: Stefan Agner <stefan.agner@toradex.com>

When compiling OpenSSL with binutils 2.29 for ARM with Thumb2 enabled
crashes and unexpected behavior occurs. E.g. connecting to a OpenSSH
server using the affected binary fails with:
  ssh_dispatch_run_fatal: Connection to 192.168.10.171 port 22: incorrect signature

Backport upstream bugfix:
https://github.com/openssl/openssl/issues/4659

Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
---
 ...saes-armv7-sha256-armv4-.pl-make-it-work-.patch | 99 ++++++++++++++++++++++
 .../recipes-connectivity/openssl/openssl_1.0.2m.bb |  1 +
 2 files changed, 100 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.2m/0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch

diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2m/0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2m/0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
new file mode 100644
index 0000000000..20ffa3ca07
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl-1.0.2m/0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
@@ -0,0 +1,99 @@
+From d1d6c69b6fd25e71dbae67fad17b2c7737f6b2dc Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Sun, 5 Nov 2017 17:08:16 +0100
+Subject: [PATCH] {aes-armv4|bsaes-armv7|sha256-armv4}.pl: make it work with
+ binutils-2.29
+
+It's not clear if it's a feature or bug, but binutils-2.29[.1]
+interprets 'adr' instruction with Thumb2 code reference differently,
+in a way that affects calculation of addresses of constants' tables.
+
+Upstream-Status: Backport
+
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+(Merged from https://github.com/openssl/openssl/pull/4673)
+---
+ crypto/aes/asm/aes-armv4.pl    | 6 +++---
+ crypto/aes/asm/bsaes-armv7.pl  | 6 +++---
+ crypto/sha/asm/sha256-armv4.pl | 2 +-
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/aes/asm/aes-armv4.pl b/crypto/aes/asm/aes-armv4.pl
+index 4f8917089f..c1b5e352d7 100644
+--- a/crypto/aes/asm/aes-armv4.pl
++++ b/crypto/aes/asm/aes-armv4.pl
+@@ -184,7 +184,7 @@ AES_encrypt:
+ #if __ARM_ARCH__<7
+ 	sub	r3,pc,#8		@ AES_encrypt
+ #else
+-	adr	r3,AES_encrypt
++	adr	r3,.
+ #endif
+ 	stmdb   sp!,{r1,r4-r12,lr}
+ 	mov	$rounds,r0		@ inp
+@@ -430,7 +430,7 @@ _armv4_AES_set_encrypt_key:
+ #if __ARM_ARCH__<7
+ 	sub	r3,pc,#8		@ AES_set_encrypt_key
+ #else
+-	adr	r3,private_AES_set_encrypt_key
++	adr	r3,.
+ #endif
+ 	teq	r0,#0
+ #if __ARM_ARCH__>=7
+@@ -952,7 +952,7 @@ AES_decrypt:
+ #if __ARM_ARCH__<7
+ 	sub	r3,pc,#8		@ AES_decrypt
+ #else
+-	adr	r3,AES_decrypt
++	adr	r3,.
+ #endif
+ 	stmdb   sp!,{r1,r4-r12,lr}
+ 	mov	$rounds,r0		@ inp
+diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl
+index 70b3f9656f..ec66b0502a 100644
+--- a/crypto/aes/asm/bsaes-armv7.pl
++++ b/crypto/aes/asm/bsaes-armv7.pl
+@@ -724,7 +724,7 @@ $code.=<<___;
+ .type	_bsaes_decrypt8,%function
+ .align	4
+ _bsaes_decrypt8:
+-	adr	$const,_bsaes_decrypt8
++	adr	$const,.
+ 	vldmia	$key!, {@XMM[9]}		@ round 0 key
+ 	add	$const,$const,#.LM0ISR-_bsaes_decrypt8
+ 
+@@ -819,7 +819,7 @@ _bsaes_const:
+ .type	_bsaes_encrypt8,%function
+ .align	4
+ _bsaes_encrypt8:
+-	adr	$const,_bsaes_encrypt8
++	adr	$const,.
+ 	vldmia	$key!, {@XMM[9]}		@ round 0 key
+ 	sub	$const,$const,#_bsaes_encrypt8-.LM0SR
+ 
+@@ -923,7 +923,7 @@ $code.=<<___;
+ .type	_bsaes_key_convert,%function
+ .align	4
+ _bsaes_key_convert:
+-	adr	$const,_bsaes_key_convert
++	adr	$const,.
+ 	vld1.8	{@XMM[7]},  [$inp]!		@ load round 0 key
+ 	sub	$const,$const,#_bsaes_key_convert-.LM0
+ 	vld1.8	{@XMM[15]}, [$inp]!		@ load round 1 key
+diff --git a/crypto/sha/asm/sha256-armv4.pl b/crypto/sha/asm/sha256-armv4.pl
+index 4fee74d832..750216eb42 100644
+--- a/crypto/sha/asm/sha256-armv4.pl
++++ b/crypto/sha/asm/sha256-armv4.pl
+@@ -205,7 +205,7 @@ sha256_block_data_order:
+ #if __ARM_ARCH__<7
+ 	sub	r3,pc,#8		@ sha256_block_data_order
+ #else
+-	adr	r3,sha256_block_data_order
++	adr	r3,.
+ #endif
+ #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
+ 	ldr	r12,.LOPENSSL_armcap
+-- 
+2.15.0
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2m.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2m.bb
index 04763ac346..9270f52bc6 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2m.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2m.bb
@@ -42,6 +42,7 @@ SRC_URI += "file://find.pl;subdir=openssl-${PV}/util/ \
             file://Use-SHA256-not-MD5-as-default-digest.patch \
             file://0001-Fix-build-with-clang-using-external-assembler.patch \
             file://0001-openssl-force-soft-link-to-avoid-rare-race.patch  \
+            file://0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch \
             "
 SRC_URI[md5sum] = "10e9e37f492094b9ef296f68f24a7666"
 SRC_URI[sha256sum] = "8c6ff15ec6b319b50788f42c7abc2890c08ba5a1cdcd3810eb9092deada37b0f"
-- 
2.13.6

[PATCH 3/4] openssl: Upgrade 1.1.0f -> 1.1.0g

[Stefan Agner]

From: Stefan Agner <stefan.agner@toradex.com>

Deals with two CVEs:
* bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)

Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
---
 .../openssl/{openssl_1.1.0f.bb => openssl_1.1.0g.bb}                  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.0f.bb => openssl_1.1.0g.bb} (96%)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0f.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0g.bb
similarity index 96%
rename from meta/recipes-connectivity/openssl/openssl_1.1.0f.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.0g.bb
index 4517f8734a..c85a1d27a2 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.0f.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.0g.bb
@@ -10,8 +10,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=cae6da10f4ffd9703214776d2aabce32"
 
 BBCLASSEXTEND = "native nativesdk"
 
-SRC_URI[md5sum] = "7b521dea79ab159e8ec879d2333369fa"
-SRC_URI[sha256sum] = "12f746f3f2493b2f39da7ecf63d7ee19c6ac9ec6a4fcd8c229da8a522cb12765"
+SRC_URI[md5sum] = "ba5f1b8b835b88cadbce9b35ed9531a6"
+SRC_URI[sha256sum] = "de4d501267da39310905cb6dc8c6121f7a2cad45a7707f76df828fe1b85073af"
 
 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://run-ptest \
-- 
2.13.6

[PATCH 4/4] openssl: fix runtime errors with Thumb2 when using binutils 2.29

[Stefan Agner]

From: Stefan Agner <stefan.agner@toradex.com>

When compiling OpenSSL with binutils 2.29 for ARM with Thumb2 enabled
crashes and unexpected behavior occurs. E.g. connecting to a OpenSSH
server using the affected binary fails with:
  ssh_dispatch_run_fatal: Connection to 192.168.10.171 port 22: incorrect signature

Backport upstream bugfix:
https://github.com/openssl/openssl/issues/4659

Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
---
 ...-armv4-bsaes-armv7-.pl-make-it-work-with-.patch | 85 ++++++++++++++++++++++
 .../recipes-connectivity/openssl/openssl_1.1.0g.bb |  1 +
 2 files changed, 86 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch b/meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch
new file mode 100644
index 0000000000..684f659715
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch
@@ -0,0 +1,85 @@
+From bcc096a50811bf0f0c4fd34b2993fed7a7015972 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Fri, 3 Nov 2017 23:30:01 +0100
+Subject: [PATCH] aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with
+ binutils-2.29.
+
+It's not clear if it's a feature or bug, but binutils-2.29[.1]
+interprets 'adr' instruction with Thumb2 code reference differently,
+in a way that affects calculation of addresses of constants' tables.
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+(Merged from https://github.com/openssl/openssl/pull/4669)
+
+(cherry picked from commit b82acc3c1a7f304c9df31841753a0fa76b5b3cda)
+---
+ crypto/aes/asm/aes-armv4.pl   | 6 +++---
+ crypto/aes/asm/bsaes-armv7.pl | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/aes/asm/aes-armv4.pl b/crypto/aes/asm/aes-armv4.pl
+index 16d79aae53..c6474b8aad 100644
+--- a/crypto/aes/asm/aes-armv4.pl
++++ b/crypto/aes/asm/aes-armv4.pl
+@@ -200,7 +200,7 @@ AES_encrypt:
+ #ifndef	__thumb2__
+ 	sub	r3,pc,#8		@ AES_encrypt
+ #else
+-	adr	r3,AES_encrypt
++	adr	r3,.
+ #endif
+ 	stmdb   sp!,{r1,r4-r12,lr}
+ #ifdef	__APPLE__
+@@ -450,7 +450,7 @@ _armv4_AES_set_encrypt_key:
+ #ifndef	__thumb2__
+ 	sub	r3,pc,#8		@ AES_set_encrypt_key
+ #else
+-	adr	r3,AES_set_encrypt_key
++	adr	r3,.
+ #endif
+ 	teq	r0,#0
+ #ifdef	__thumb2__
+@@ -976,7 +976,7 @@ AES_decrypt:
+ #ifndef	__thumb2__
+ 	sub	r3,pc,#8		@ AES_decrypt
+ #else
+-	adr	r3,AES_decrypt
++	adr	r3,.
+ #endif
+ 	stmdb   sp!,{r1,r4-r12,lr}
+ #ifdef	__APPLE__
+diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl
+index 9f288660ef..a27bb4a179 100644
+--- a/crypto/aes/asm/bsaes-armv7.pl
++++ b/crypto/aes/asm/bsaes-armv7.pl
+@@ -744,7 +744,7 @@ $code.=<<___;
+ .type	_bsaes_decrypt8,%function
+ .align	4
+ _bsaes_decrypt8:
+-	adr	$const,_bsaes_decrypt8
++	adr	$const,.
+ 	vldmia	$key!, {@XMM[9]}		@ round 0 key
+ #ifdef	__APPLE__
+ 	adr	$const,.LM0ISR
+@@ -843,7 +843,7 @@ _bsaes_const:
+ .type	_bsaes_encrypt8,%function
+ .align	4
+ _bsaes_encrypt8:
+-	adr	$const,_bsaes_encrypt8
++	adr	$const,.
+ 	vldmia	$key!, {@XMM[9]}		@ round 0 key
+ #ifdef	__APPLE__
+ 	adr	$const,.LM0SR
+@@ -951,7 +951,7 @@ $code.=<<___;
+ .type	_bsaes_key_convert,%function
+ .align	4
+ _bsaes_key_convert:
+-	adr	$const,_bsaes_key_convert
++	adr	$const,.
+ 	vld1.8	{@XMM[7]},  [$inp]!		@ load round 0 key
+ #ifdef	__APPLE__
+ 	adr	$const,.LM0
+-- 
+2.15.0
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0g.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0g.bb
index c85a1d27a2..53f397a3e0 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.0g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.0g.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://openssl-c_rehash.sh \
            file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
            file://0001-Remove-test-that-requires-running-as-non-root.patch \
+           file://0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch \
           "
 
 S = "${WORKDIR}/openssl-${PV}"
-- 
2.13.6

Re: [PATCH 1/4] openssl10: Upgrade 1.0.2l -> 1.0.2m

[Otavio Salvador]

On Fri, Nov 17, 2017 at 3:53 PM, Stefan Agner <stefan@agner.ch> wrote:
> From: Stefan Agner <stefan.agner@toradex.com>
>
> Deals with two CVEs:
> * bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
> * Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
>
> Signed-off-by: Stefan Agner <stefan.agner@toradex.com>

Acked-by: Otavio Salvador <otavio@ossystems.com.br>

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750

✗ patchtest: failure for "openssl10: Upgrade 1.0.2l -> 1..." and 3 more

[Patchwork]

== Series Details ==

Series: "openssl10: Upgrade 1.0.2l -> 1..." and 3 more
Revision: 1
URL   : https://patchwork.openembedded.org/series/9856/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Patch            [1/4] openssl10: Upgrade 1.0.2l -> 1.0.2m
 Issue             Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] 
  Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"

* Issue             A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence] 
  Suggested fix    Sign off the added patch file (meta/recipes-connectivity/openssl/openssl-1.0.2m/0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch)

* Issue             Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format] 
  Suggested fix    Add Upstream-Status: <Valid status> to the header of meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch
  Standard format  Upstream-Status: <Valid status>
  Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe

✗ patchtest: failure for "openssl10: Upgrade 1.0.2l -> 1..." and 3 more

[Patchwork]

== Series Details ==

Series: "openssl10: Upgrade 1.0.2l -> 1..." and 3 more
Revision: 1
URL   : https://patchwork.openembedded.org/series/9856/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Patch            [1/4] openssl10: Upgrade 1.0.2l -> 1.0.2m
 Issue             Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] 
  Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"

* Issue             A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence] 
  Suggested fix    Sign off the added patch file (meta/recipes-connectivity/openssl/openssl-1.0.2m/0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch)

* Issue             Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format] 
  Suggested fix    Add Upstream-Status: <Valid status> to the header of meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch
  Standard format  Upstream-Status: <Valid status>
  Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe