Diffstat (limited to 'yocto-poky/meta/recipes-support/gnupg')
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch62
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch44
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch153
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch63
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch17
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch27
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch19
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch50
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg/dirmngr-uses-libgpg-error.patch16
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg/pkgconfig.patch90
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg/use-pkgconfig-instead-of-npth-config.patch72
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg_1.4.7.bb105
-rw-r--r--yocto-poky/meta/recipes-support/gnupg/gnupg_2.1.7.bb41
13 files changed, 759 insertions, 0 deletions
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
new file mode 100644
index 000000000..c9addca28
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
@@ -0,0 +1,62 @@
+From e2202ff2b704623efc6277fb5256e4e15bac5676 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 25 Jul 2013 11:17:52 +0200
+Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret
+ exponents.
+
+commit e2202ff2b704623efc6277fb5256e4e15bac5676 from
+git://git.gnupg.org/libgcrypt.git
+
+* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for
+exponents in secure memory.
+
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+--
+
+The attack is published as http://eprint.iacr.org/2013/448 :
+
+Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
+Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
+
+ Flush+Reload is a cache side-channel attack that monitors access to
+ data in shared pages. In this paper we demonstrate how to use the
+ attack to extract private encryption keys from GnuPG. The high
+ resolution and low noise of the Flush+Reload attack enables a spy
+ program to recover over 98% of the bits of the private key in a
+ single decryption or signing round. Unlike previous attacks, the
+ attack targets the last level L3 cache. Consequently, the spy
+ program and the victim do not need to share the execution core of
+ the CPU. The attack is not limited to a traditional OS and can be
+ used in a virtualised environment, where it can attack programs
+ executing in a different VM.
+
+Index: gnupg-1.4.7/mpi/mpi-pow.c
+===================================================================
+--- gnupg-1.4.7.orig/mpi/mpi-pow.c
++++ gnupg-1.4.7/mpi/mpi-pow.c
+@@ -212,7 +212,13 @@ mpi_powm( MPI res, MPI base, MPI exponen
+ tp = rp; rp = xp; xp = tp;
+ rsize = xsize;
+
+- if( (mpi_limb_signed_t)e < 0 ) {
++ /* To mitigate the Yarom/Falkner flush+reload cache
++ * side-channel attack on the RSA secret exponent, we do
++ * the multiplication regardless of the value of the
++ * high-bit of E. But to avoid this performance penalty
++ * we do it only if the exponent has been stored in secure
++ * memory and we can thus assume it is a secret exponent. */
++ if (esec || (mpi_limb_signed_t)e < 0) {
+ /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/
+ if( bsize < KARATSUBA_THRESHOLD ) {
+ mpihelp_mul( xp, rp, rsize, bp, bsize );
+@@ -227,6 +233,8 @@ mpi_powm( MPI res, MPI base, MPI exponen
+ mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize);
+ xsize = msize;
+ }
++ }
++ if ( (mpi_limb_signed_t)e < 0 ) {
+
+ tp = rp; rp = xp; xp = tp;
+ rsize = xsize;
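Review bot: The added condition `if (esec || (mpi_limb_signed_t)e < 0)` relies on `esec`, which neither inner hunk declares, so this backport only builds, and only protects anything, if gnupg-1.4.7's `mpi_powm` already derives `esec` from the exponent's secure-memory flag. That is worth confirming against the 1.4.7 source, because the header describes libgcrypt's `gcry_mpi_powm` rather than this function. The second inner hunk still branches on the high bit of `e` for the pointer swap, so the multiply-or-not signal is removed but a smaller secret-dependent branch remains, and exponents held outside secure memory get no protection at all. I would record that in the patch header, e.g. `Adapted from libgcrypt commit e2202ff2 to gnupg 1.4.7 mpi_powm; only exponents in secure memory are covered.` `mpi_powm` begins and ends outside both inner hunks.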
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
new file mode 100644
index 000000000..b29ede423
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
@@ -0,0 +1,44 @@
+Upstream-Status: Backport
+
+Index: gnupg-1.4.7/g10/getkey.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/getkey.c 2007-03-05 16:54:41.000000000 +0800
++++ gnupg-1.4.7/g10/getkey.c 2013-11-28 14:41:59.640212240 +0800
+@@ -1454,7 +1454,11 @@
+
+ if(flags)
+ key_usage |= PUBKEY_USAGE_UNKNOWN;
++ if (!key_usage)
++ key_usage |= PUBKEY_USAGE_NONE;
+ }
++ else if (p)
++ key_usage |= PUBKEY_USAGE_NONE;
+
+ /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
+ capability that we do not handle. This serves to distinguish
+Index: gnupg-1.4.7/g10/keygen.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/keygen.c 2007-02-05 00:27:40.000000000 +0800
++++ gnupg-1.4.7/g10/keygen.c 2013-11-28 14:43:05.016670092 +0800
+@@ -209,9 +209,6 @@
+ if (use & PUBKEY_USAGE_AUTH)
+ buf[0] |= 0x20;
+
+- if (!buf[0])
+- return;
+-
+ build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
+ }
+
+Index: gnupg-1.4.7/include/cipher.h
+===================================================================
+--- gnupg-1.4.7.orig/include/cipher.h 2006-04-21 20:39:49.000000000 +0800
++++ gnupg-1.4.7/include/cipher.h 2013-11-28 14:49:24.159322744 +0800
+@@ -52,6 +52,7 @@
+ #define PUBKEY_USAGE_CERT 4 /* key is also good to certify other keys*/
+ #define PUBKEY_USAGE_AUTH 8 /* key is good for authentication */
+ #define PUBKEY_USAGE_UNKNOWN 128 /* key has an unknown usage bit */
++#define PUBKEY_USAGE_NONE 256 /* No usage given. */
+
+ #define DIGEST_ALGO_MD5 1
+ #define DIGEST_ALGO_SHA1 2
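Review bot: `PUBKEY_USAGE_NONE` is defined as 256 in include/cipher.h, which does not fit in eight bits, so the new `key_usage |= PUBKEY_USAGE_NONE;` in getkey.c only has an effect if `key_usage` and every field it is later stored in are wider than a byte. None of those declarations appear in this patch, so please check the usage field in the 1.4.7 key packet structures and widen it in the same patch if it is byte-sized; otherwise the new flag would presumably be truncated away and the fix would be silently ineffective. The header also carries only `Upstream-Status: Backport`, with no upstream commit id, description or Signed-off-by; CVE-2013-4576.patch has the same gap.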
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
new file mode 100644
index 000000000..b1a22f585
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
@@ -0,0 +1,153 @@
+Upstream-Status: Backport
+
+Index: gnupg-1.4.7/cipher/dsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/dsa.c 2006-12-12 02:27:21.000000000 +0800
++++ gnupg-1.4.7/cipher/dsa.c 2014-01-23 11:30:17.300915919 +0800
+@@ -287,6 +287,8 @@
+ MPI kinv;
+ MPI tmp;
+
++ mpi_normalize (hash);
++
+ /* select a random k with 0 < k < q */
+ k = gen_k( skey->q );
+
+Index: gnupg-1.4.7/cipher/elgamal.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/elgamal.c 2006-12-12 03:08:05.000000000 +0800
++++ gnupg-1.4.7/cipher/elgamal.c 2014-01-23 11:30:17.300915919 +0800
+@@ -376,6 +376,9 @@
+ {
+ MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
+
++ mpi_normalize (a);
++ mpi_normalize (b);
++
+ /* output = b/(a^x) mod p */
+ mpi_powm( t1, a, skey->x, skey->p );
+ mpi_invm( t1, t1, skey->p );
+Index: gnupg-1.4.7/cipher/random.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.c 2006-11-03 18:09:39.000000000 +0800
++++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
+@@ -273,6 +273,18 @@
+ }
+
+
++/* Randomize the MPI */
++void
++randomize_mpi (MPI mpi, size_t nbits, int level)
++{
++ unsigned char *buffer;
++
++ buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
++ mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
++ xfree (buffer);
++}
++
++
+ int
+ random_is_faked()
+ {
+Index: gnupg-1.4.7/cipher/random.h
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.h 2006-02-09 19:29:29.000000000 +0800
++++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
+@@ -32,6 +32,7 @@
+ int random_is_faked(void);
+ void random_disable_locking (void);
+ void randomize_buffer( byte *buffer, size_t length, int level );
++void randomize_mpi (MPI mpi, size_t nbits, int level);
+ byte *get_random_bits( size_t nbits, int level, int secure );
+ void fast_random_poll( void );
+
+Index: gnupg-1.4.7/cipher/rsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/rsa.c 2006-12-12 03:09:00.000000000 +0800
++++ gnupg-1.4.7/cipher/rsa.c 2014-01-23 11:35:04.330639125 +0800
+@@ -301,9 +301,26 @@
+ #if 0
+ mpi_powm( output, input, skey->d, skey->n );
+ #else
+- MPI m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+- MPI m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+- MPI h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
++ int nlimbs = mpi_get_nlimbs (skey->n)+1;
++ MPI m1 = mpi_alloc_secure (nlimbs);
++ MPI m2 = mpi_alloc_secure (nlimbs);
++ MPI h = mpi_alloc_secure (nlimbs);
++# if 1
++ MPI bdata= mpi_alloc_secure (nlimbs);
++ MPI r = mpi_alloc_secure (nlimbs);
++# endif
++
++ /* Remove superfluous leading zeroes from INPUT. */
++ mpi_normalize (input);
++
++# if 1
++ /* Blind: bdata = (data * r^e) mod n */
++ randomize_mpi (r, mpi_get_nbits (skey->n), 0);
++ mpi_fdiv_r (r, r, skey->n);
++ mpi_powm (bdata, r, skey->e, skey->n);
++ mpi_mulm (bdata, bdata, input, skey->n);
++ input = bdata;
++# endif
+
+ /* m1 = c ^ (d mod (p-1)) mod p */
+ mpi_sub_ui( h, skey->p, 1 );
+@@ -321,8 +338,15 @@
+ /* m = m2 + h * p */
+ mpi_mul ( h, h, skey->p );
+ mpi_add ( output, m1, h );
+- /* ready */
+-
++
++# if 1
++ mpi_free (bdata);
++ /* Unblind: output = (output * r^(-1)) mod n */
++ mpi_invm (r, r, skey->n);
++ mpi_mulm (output, output, r, skey->n);
++ mpi_free (r);
++# endif
++
+ mpi_free ( h );
+ mpi_free ( m1 );
+ mpi_free ( m2 );
+@@ -397,6 +421,7 @@
+ rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
+ {
+ RSA_secret_key sk;
++ MPI input;
+
+ if( algo != 1 && algo != 2 )
+ return G10ERR_PUBKEY_ALGO;
+@@ -407,8 +432,14 @@
+ sk.p = skey[3];
+ sk.q = skey[4];
+ sk.u = skey[5];
+- *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
+- secret( *result, data[0], &sk );
++
++ /* Mitigates side-channel attacks (CVE-2013-4576). */
++ input = mpi_alloc (0);
++ mpi_normalize (data[0]);
++ mpi_fdiv_r (input, data[0], sk.n);
++ *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
++ secret (*result, input, &sk);
++ mpi_free (input);
+ return 0;
+ }
+
+Index: gnupg-1.4.7/g10/gpgv.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
++++ gnupg-1.4.7/g10/gpgv.c 2014-01-23 11:30:17.300915919 +0800
+@@ -390,6 +390,7 @@
+ void random_dump_stats(void) {}
+ int quick_random_gen( int onoff ) { return -1;}
+ void randomize_buffer( byte *buffer, size_t length, int level ) {}
++void randomize_mpi (MPI mpi, size_t nbits, int level) {}
+ int random_is_faked() { return -1;}
+ byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
+ void set_random_seed_file( const char *name ) {}
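Review bot: The blinding code in `secret()` in cipher/rsa.c is wrapped in three `# if 1` blocks with no comment saying why it can be switched off, and the only mention of the CVE is one line in `rsa_decrypt`. The three blocks allocate `bdata` and `r`, blind the input, and unblind the output, so they only make sense together; a single named macro, or a comment such as `/* RSA blinding; keep all three blocks in sync (CVE-2013-4576) */` above the first block, would make that clear. The `randomize_mpi` stub added to g10/gpgv.c does nothing, which is only safe as long as gpgv never reaches `secret()`; a one-line comment on the stub saying so would help. `secret()` starts and ends outside the inner hunks.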
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
new file mode 100644
index 000000000..8b5d9a169
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
@@ -0,0 +1,63 @@
+commit f0b33b6fb8e0586e9584a7a409dcc31263776a67
+Author: Werner Koch <wk@gnupg.org>
+Date: Thu Dec 20 09:43:41 2012 +0100
+
+ gpg: Import only packets which are allowed in a keyblock.
+
+ * g10/import.c (valid_keyblock_packet): New.
+ (read_block): Store only valid packets.
+ --
+
+ A corrupted key, which for example included a mangled public key
+ encrypted packet, used to corrupt the keyring. This change skips all
+ packets which are not allowed in a keyblock.
+
+ GnuPG-bug-id: 1455
+
+ (cherry-picked from commit f795a0d59e197455f8723c300eebf59e09853efa)
+
+Upstream-Status: Backport
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+diff --git a/g10/import.c b/g10/import.c
+index bfe02eb..a57b32e 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -384,6 +384,27 @@ import_print_stats (void *hd)
+ }
+
+
++/* Return true if PKTTYPE is valid in a keyblock. */
++static int
++valid_keyblock_packet (int pkttype)
++{
++ switch (pkttype)
++ {
++ case PKT_PUBLIC_KEY:
++ case PKT_PUBLIC_SUBKEY:
++ case PKT_SECRET_KEY:
++ case PKT_SECRET_SUBKEY:
++ case PKT_SIGNATURE:
++ case PKT_USER_ID:
++ case PKT_ATTRIBUTE:
++ case PKT_RING_TRUST:
++ return 1;
++ default:
++ return 0;
++ }
++}
++
++
+ /****************
+ * Read the next keyblock from stream A.
+ * PENDING_PKT should be initialzed to NULL
+@@ -461,7 +482,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root )
+ }
+ in_cert = 1;
+ default:
+- if( in_cert ) {
++ if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
+ if( !root )
+ root = new_kbnode( pkt );
+ else
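Review bot: Packets rejected by `valid_keyblock_packet` are skipped without any diagnostic, so an import that drops part of a key looks the same as a clean one. A `log_info` call or a counter in the import statistics on the rejected path would let an operator see that a keyblock carried unexpected packets. What happens to the rejected `pkt` after the `if` is outside this hunk, so please confirm that its contents are released before the structure is reused. `read_block` begins and ends outside the hunk.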
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch
new file mode 100644
index 000000000..e005ac658
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch
@@ -0,0 +1,17 @@
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+Index: gnupg-1.4.7/configure.ac
+===================================================================
+--- gnupg-1.4.7.orig/configure.ac
++++ gnupg-1.4.7/configure.ac
+@@ -827,7 +827,6 @@ else
+ AC_SUBST(USE_NLS)
+ AC_SUBST(USE_INCLUDED_LIBINTL)
+ AC_SUBST(BUILD_INCLUDED_LIBINTL)
+- AM_PO_SUBDIRS
+ fi
+
+ if test "$try_extensions" = yes || test x"$card_support" = xyes ; then
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch
new file mode 100644
index 000000000..e5fb24aa6
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch
@@ -0,0 +1,27 @@
+
+This has been discussed in a couple of different bug reported
+upstream:
+
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486250
+http://bugs.sourcemage.org/show_bug.cgi?id=14446
+
+Fix:
+http://lists.gnupg.org/pipermail/gnupg-devel/2008-April/024344.html
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+Index: gnupg-1.4.7/keyserver/gpgkeys_curl.c
+===================================================================
+--- gnupg-1.4.7.orig/keyserver/gpgkeys_curl.c
++++ gnupg-1.4.7/keyserver/gpgkeys_curl.c
+@@ -286,7 +286,7 @@ main(int argc,char *argv[])
+ curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
+ }
+
+- curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,opt->flags.check_cert);
++ curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
+ curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
+
+ if(proxy)
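Review bot: The context line `curl_easy_setopt(curl,CURLOPT_VERBOSE,1);` just above the change still passes an `int` to an option that libcurl reads as a `long`, the same argument-type mismatch this backport fixes for `CURLOPT_SSL_VERIFYPEER`. Writing it as `curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);` would make the two calls consistent. Because `check_cert` decides whether the keyserver's TLS certificate is verified at all, a short comment on the cast is worth having, e.g. `/* curl reads this option as long; pass exactly that type */`. `main` continues outside the hunk.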
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch
new file mode 100644
index 000000000..2855cab24
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch
@@ -0,0 +1,19 @@
+Orignal Patch came from OpenWrt via OE-Classic
+https://dev.openwrt.org/browser/packages/utils/gnupg/patches/001-mips_gcc4.4
+which is no longer a valid revision!
+
+Upstream-Status: Inappropriate [configuration]
+
+
+--- gnupg/mpi/longlong.h~ 2006-02-14 10:09:55.000000000 +0000
++++ gnupg/mpi/longlong.h 2008-10-27 13:11:09.000000000 +0000
+@@ -181,7 +181,7 @@
+ /***************************************
+ ************** ARM ******************
+ ***************************************/
+-#if defined (__arm__) && W_TYPE_SIZE == 32
++#if defined (__arm__) && W_TYPE_SIZE == 32 && !defined(__thumb__)
+ #define add_ssaaaa(sh, sl, ah, al, bh, bl) \
+ __asm__ ("adds %1, %4, %5\n" \
+ "adc %0, %2, %3" \
+
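Review bot: The header of this patch points at OpenWrt's `001-mips_gcc4.4`, but the change itself is the ARM `!defined(__thumb__)` guard in mpi/longlong.h, while mips_gcc4.4.patch carries the text "Readd the ARM Thumb patch" above a MIPS `umul_ppmm` change, so the two descriptions appear to be swapped. Each header should describe its own change, here something like `Do not use the ARM inline-assembly longlong macros when compiling for Thumb.` The `Upstream-Status: Inappropriate [configuration]` tag also looks questionable for a source-level preprocessor change and may deserve the `[embedded-specific]` value the other file uses.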
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch
new file mode 100644
index 000000000..9a03b2b70
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch
@@ -0,0 +1,50 @@
+
+From Openembedded-Classic
+
+ gnupg-1.4.10: Readd the ARM Thumb patch as debian has no thumb support
+
+
+Upstream-Status: Inappropriate [embedded-specific]
+
+Index: gnupg-1.4.10/mpi/longlong.h
+===================================================================
+--- gnupg-1.4.10.orig/mpi/longlong.h 2008-12-11 17:39:43.000000000 +0100
++++ gnupg-1.4.10/mpi/longlong.h 2010-03-27 14:27:53.000000000 +0100
+@@ -706,18 +706,35 @@
+ #endif /* __m88110__ */
+ #endif /* __m88000__ */
+
++/* Test for gcc >= maj.min, as per __GNUC_PREREQ in glibc */
++#if defined (__GNUC__) && defined (__GNUC_MINOR__)
++#define __GNUC_PREREQ(maj, min) \
++ ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
++#else
++#define __GNUC_PREREQ(maj, min) 0
++#endif
++
+ /***************************************
+ ************** MIPS *****************
+ ***************************************/
+ #if defined (__mips__) && W_TYPE_SIZE == 32
+-#if __GNUC__ > 2 || __GNUC_MINOR__ >= 7
++#if __GNUC_PREREQ (4,4)
++#define umul_ppmm(w1, w0, u, v) \
++ do { \
++ UDItype __ll = (UDItype)(u) * (v); \
++ w1 = __ll >> 32; \
++ w0 = __ll; \
++ } while (0)
++#endif
++#if !defined (umul_ppmm) && __GNUC_PREREQ (2,7)
+ #define umul_ppmm(w1, w0, u, v) \
+ __asm__ ("multu %2,%3" \
+ : "=l" ((USItype)(w0)), \
+ "=h" ((USItype)(w1)) \
+ : "d" ((USItype)(u)), \
+ "d" ((USItype)(v)))
+-#else
++#endif
++#if !defined (umul_ppmm)
+ #define umul_ppmm(w1, w0, u, v) \
+ __asm__ ("multu %2,%3 \n" \
+ "mflo %0 \n" \
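Review bot: `__GNUC_PREREQ` is defined here unconditionally, and the added comment itself says the macro comes from glibc, so a translation unit that also sees glibc's definition ends up with two definitions whose agreement depends on include order and on the `#else` branch not being taken. The name is in the implementation-reserved namespace; a private name such as `MPI_GNUC_PREREQ` avoids the clash entirely, and an `#ifndef __GNUC_PREREQ` guard is the minimal alternative. The inner hunk ends inside the last `umul_ppmm` definition, so the fallback branch is only partly visible.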
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg/dirmngr-uses-libgpg-error.patch b/yocto-poky/meta/recipes-support/gnupg/gnupg/dirmngr-uses-libgpg-error.patch
new file mode 100644
index 000000000..7af1955d5
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg/dirmngr-uses-libgpg-error.patch
@@ -0,0 +1,16 @@
+Upstream-Status: Pending
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+Index: gnupg-2.1.0/dirmngr/Makefile.am
+===================================================================
+--- gnupg-2.1.0.orig/dirmngr/Makefile.am
++++ gnupg-2.1.0/dirmngr/Makefile.am
+@@ -78,7 +78,8 @@ endif
+ dirmngr_LDADD = $(libcommontlsnpth) $(libcommonpth) \
+ $(DNSLIBS) $(LIBASSUAN_LIBS) \
+ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \
+- $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV)
++ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) \
++ $(GPG_ERROR_LIBS)
+ if USE_LDAP
+ dirmngr_LDADD += $(ldaplibs)
+ endif
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg/pkgconfig.patch b/yocto-poky/meta/recipes-support/gnupg/gnupg/pkgconfig.patch
new file mode 100644
index 000000000..f958603ca
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg/pkgconfig.patch
@@ -0,0 +1,90 @@
+Use pkg-config to find pth instead of pth-config.
+
+Upstream-Status: Denied
+[not submitted but they've been clear they don't want a pkg-config dependency]
+
+RP 2014/5/22
+
+Index: gnupg-2.1.0/m4/gnupg-pth.m4
+===================================================================
+--- gnupg-2.1.0.orig/m4/gnupg-pth.m4
++++ gnupg-2.1.0/m4/gnupg-pth.m4
+@@ -17,33 +17,9 @@ dnl implied warranty of MERCHANTABILITY
+ # Taken and modified from the m4 macros which come with Pth.
+ AC_DEFUN([GNUPG_PTH_VERSION_CHECK],
+ [
+- _pth_version=`$PTH_CONFIG --version | awk 'NR==1 {print [$]3}'`
+ _req_version="ifelse([$1],,1.2.0,$1)"
++ PKG_CHECK_MODULES(PTH, [pth >= $_req_version], [have_pth=yes], [have_pth=no])
+
+- AC_MSG_CHECKING(for PTH - version >= $_req_version)
+- for _var in _pth_version _req_version; do
+- eval "_val=\"\$${_var}\""
+- _major=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\1/'`
+- _minor=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\2/'`
+- _rtype=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\3/'`
+- _micro=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\4/'`
+- case $_rtype in
+- "a" ) _rtype=0 ;;
+- "b" ) _rtype=1 ;;
+- "." ) _rtype=2 ;;
+- esac
+- _hex=`echo dummy | awk '{ printf("%d%02d%1d%02d", major, minor, rtype, micro); }' \
+- "major=$_major" "minor=$_minor" "rtype=$_rtype" "micro=$_micro"`
+- eval "${_var}_hex=\"\$_hex\""
+- done
+- have_pth=no
+- if test ".$_pth_version_hex" != .; then
+- if test ".$_req_version_hex" != .; then
+- if test $_pth_version_hex -ge $_req_version_hex; then
+- have_pth=yes
+- fi
+- fi
+- fi
+ if test $have_pth = yes; then
+ AC_MSG_RESULT(yes)
+ AC_MSG_CHECKING([whether PTH installation is sane])
+@@ -51,9 +27,9 @@ AC_DEFUN([GNUPG_PTH_VERSION_CHECK],
+ _gnupg_pth_save_cflags=$CFLAGS
+ _gnupg_pth_save_ldflags=$LDFLAGS
+ _gnupg_pth_save_libs=$LIBS
+- CFLAGS="$CFLAGS `$PTH_CONFIG --cflags`"
+- LDFLAGS="$LDFLAGS `$PTH_CONFIG --ldflags`"
+- LIBS="$LIBS `$PTH_CONFIG --libs --all`"
++ CFLAGS="$CFLAGS $PTH_CFLAGS"
++ LDFLAGS="$LDFLAGS $PTH_LDFLAGS"
++ LIBS="$LIBS $PTH_LIBS"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pth.h>
+ ],
+ [[ pth_init ();]])],
+@@ -80,26 +56,13 @@ AC_DEFUN([GNUPG_PTH_VERSION_CHECK],
+ # PTH_CLFAGS and PTH_LIBS are AS_SUBST.
+ #
+ AC_DEFUN([GNUPG_PATH_PTH],
+-[ AC_ARG_WITH(pth-prefix,
+- AC_HELP_STRING([--with-pth-prefix=PFX],
+- [prefix where GNU Pth is installed (optional)]),
+- pth_config_prefix="$withval", pth_config_prefix="")
+- if test x$pth_config_prefix != x ; then
+- PTH_CONFIG="$pth_config_prefix/bin/pth-config"
+- fi
+- AC_PATH_PROG(PTH_CONFIG, pth-config, no)
++[
+ tmp=ifelse([$1], ,1.3.7,$1)
+- if test "$PTH_CONFIG" != "no"; then
+- GNUPG_PTH_VERSION_CHECK($tmp)
+- if test $have_pth = yes; then
+- PTH_CFLAGS=`$PTH_CONFIG --cflags`
+- PTH_LIBS=`$PTH_CONFIG --ldflags`
+- PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs --all`"
+- AC_DEFINE(HAVE_PTH, 1,
++ GNUPG_PTH_VERSION_CHECK($tmp)
++ if test $have_pth = yes; then
++ AC_DEFINE(HAVE_PTH, 1,
+ [Defined if the GNU Pth is available])
+- fi
+ fi
+ AC_SUBST(PTH_CFLAGS)
+ AC_SUBST(PTH_LIBS)
+ ])
+-
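Review bot: `LDFLAGS="$LDFLAGS $PTH_LDFLAGS"` uses a variable that nothing sets any more: `PKG_CHECK_MODULES(PTH, ...)` provides `PTH_CFLAGS` and `PTH_LIBS` only, so the line expands to the old `LDFLAGS` and can be dropped. The `AC_MSG_CHECKING(for PTH - version >= $_req_version)` call was removed along with the version parsing, but the `AC_MSG_RESULT(yes)` after `if test $have_pth = yes` is kept, so configure prints a result with no matching question. The patch also removes the `--with-pth-prefix` option without saying so in the header.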
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg/use-pkgconfig-instead-of-npth-config.patch b/yocto-poky/meta/recipes-support/gnupg/gnupg/use-pkgconfig-instead-of-npth-config.patch
new file mode 100644
index 000000000..c6dbf1b75
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg/use-pkgconfig-instead-of-npth-config.patch
@@ -0,0 +1,72 @@
+Upstream-Status: Inappropriate [openembedded specific]
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+
+Index: gnupg-2.1.0/m4/npth.m4
+===================================================================
+--- gnupg-2.1.0.orig/m4/npth.m4
++++ gnupg-2.1.0/m4/npth.m4
+@@ -17,10 +17,10 @@ AC_DEFUN([_AM_PATH_NPTH_CONFIG],
+ if test "x$npth_config_prefix" != x ; then
+ NPTH_CONFIG="$npth_config_prefix/bin/npth-config"
+ fi
+- AC_PATH_PROG(NPTH_CONFIG, npth-config, no)
++ AC_PATH_PROG(PKGCONFIG, pkg-config, no)
+
+- if test "$NPTH_CONFIG" != "no" ; then
+- npth_version=`$NPTH_CONFIG --version`
++ if test "$PKGCONFIG" != "no" ; then
++ npth_version=`$PKGCONFIG --modversion npth`
+ fi
+ npth_version_major=`echo $npth_version | \
+ sed 's/\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'`
+@@ -45,7 +45,7 @@ AC_DEFUN([AM_PATH_NPTH],
+
+ AC_MSG_CHECKING(for NPTH - version >= $min_npth_version)
+ ok=no
+- if test "$NPTH_CONFIG" != "no" ; then
++ if test "$PKGCONFIG" != "no" ; then
+ req_major=`echo $min_npth_version | \
+ sed 's/\([[0-9]]*\)\.\([[0-9]]*\)/\1/'`
+ req_minor=`echo $min_npth_version | \
+@@ -66,28 +66,9 @@ AC_DEFUN([AM_PATH_NPTH],
+ fi
+ if test $ok = yes; then
+ AC_MSG_RESULT([yes ($npth_version)])
+- else
+- AC_MSG_RESULT(no)
+- fi
+- if test $ok = yes; then
+- # If we have a recent NPTH, we should also check that the
+- # API is compatible.
+- if test "$req_npth_api" -gt 0 ; then
+- tmp=`$NPTH_CONFIG --api-version 2>/dev/null || echo 0`
+- if test "$tmp" -gt 0 ; then
+- AC_MSG_CHECKING([NPTH API version])
+- if test "$req_npth_api" -eq "$tmp" ; then
+- AC_MSG_RESULT([okay])
+- else
+- ok=no
+- AC_MSG_RESULT([does not match. want=$req_npth_api got=$tmp])
+- fi
+- fi
+- fi
+- fi
+- if test $ok = yes; then
+- NPTH_CFLAGS=`$NPTH_CONFIG --cflags`
+- NPTH_LIBS=`$NPTH_CONFIG --libs`
++ NPTH_CFLAGS=`$PKGCONFIG --cflags npth`
++ NPTH_LIBS=`$PKGCONFIG --libs npth`
++ AC_MSG_WARN([[GOT HERE - $NPTH_LIBS ]])
+ ifelse([$2], , :, [$2])
+ npth_config_host=`$NPTH_CONFIG --host 2>/dev/null || echo none`
+ if test x"$npth_config_host" != xnone ; then
+@@ -103,6 +84,7 @@ AC_DEFUN([AM_PATH_NPTH],
+ fi
+ fi
+ else
++ AC_MSG_RESULT(no)
+ NPTH_CFLAGS=""
+ NPTH_LIBS=""
+ ifelse([$3], , :, [$3])
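Review bot: `AC_MSG_WARN([[GOT HERE - $NPTH_LIBS ]])` looks like leftover debugging and will print a warning on every configure run; it should be removed. The kept `$NPTH_CONFIG --host` call still invokes `npth-config`, which `AC_PATH_PROG` no longer looks up, so unless a prefix was given the host comparison silently falls back to `none`. The patch also deletes the whole `--api-version` compatibility check with no replacement and no mention in the header; if a pkg-config `--modversion` comparison is meant to be sufficient, the header should say so.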
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/yocto-poky/meta/recipes-support/gnupg/gnupg_1.4.7.bb
new file mode 100644
index 000000000..6999f81f8
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -0,0 +1,105 @@
+SUMMARY = "GNU Privacy Guard - encryption and signing tools"
+HOMEPAGE = "http://www.gnupg.org/"
+DEPENDS = "zlib bzip2 readline"
+SECTION = "console/utils"
+
+LICENSE = "GPLv2"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"
+
+PR = "r9"
+
+SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
+ file://long-long-thumb.patch \
+ file://configure.patch \
+ file://mips_gcc4.4.patch \
+ file://GnuPG1-CVE-2012-6085.patch \
+ file://curl_typeof_fix_backport.patch \
+ file://CVE-2013-4351.patch \
+ file://CVE-2013-4576.patch \
+ file://CVE-2013-4242.patch \
+ "
+
+SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"
+SRC_URI[sha256sum] = "69d18b7d193f62ca27ed4febcb4c9044aa0c95305d3258fe902e2fae5fc6468d"
+
+inherit autotools gettext texinfo
+
+# --with-egd-socket=NAME use NAME for the EGD socket
+# --with-photo-viewer=FIXED_VIEWER set a fixed photo ID viewer
+# --with-included-zlib use the zlib code included here
+# --with-capabilities use linux capabilities default=no
+# --with-mailprog=NAME use "NAME -t" for mail transport
+# --with-libiconv-prefix[=DIR] search for libiconv in DIR/include and DIR/lib
+# --without-libiconv-prefix don't search for libiconv in includedir and libdir
+# --with-included-gettext use the GNU gettext library included here
+# --with-libintl-prefix[=DIR] search for libintl in DIR/include and DIR/lib
+# --without-libintl-prefix don't search for libintl in includedir and libdir
+# --without-readline do not support fancy command line editing
+# --with-included-regex use the included GNU regex library
+# --with-zlib=DIR use libz in DIR
+# --with-bzip2=DIR look for bzip2 in DIR
+# --enable-static-rnd=egd|unix|linux|auto
+# --disable-dev-random disable the use of dev random
+# --disable-asm do not use assembler modules
+# --enable-m-guard enable memory guard facility
+# --enable-selinux-support
+# enable SELinux support
+# --disable-card-support disable OpenPGP card support
+# --disable-gnupg-iconv disable the new iconv code
+# --enable-backsigs enable the experimental backsigs code
+# --enable-minimal build the smallest gpg binary possible
+# --disable-rsa disable the RSA public key algorithm
+# --disable-idea disable the IDEA cipher
+# --disable-cast5 disable the CAST5 cipher
+# --disable-blowfish disable the BLOWFISH cipher
+# --disable-aes disable the AES, AES192, and AES256 ciphers
+# --disable-twofish disable the TWOFISH cipher
+# --disable-sha256 disable the SHA-256 digest
+# --disable-sha512 disable the SHA-384 and SHA-512 digests
+# --disable-bzip2 disable the BZIP2 compression algorithm
+# --disable-exec disable all external program execution
+# --disable-photo-viewers disable photo ID viewers
+# --disable-keyserver-helpers disable all external keyserver support
+# --disable-ldap disable LDAP keyserver interface
+# --disable-hkp disable HKP keyserver interface
+# --disable-http disable HTTP key fetching interface
+# --disable-finger disable Finger key fetching interface
+# --disable-mailto disable email keyserver interface
+# --disable-keyserver-path disable the exec-path option for keyserver helpers
+# --enable-key-cache=SIZE Set key cache to SIZE (default 4096)
+# --disable-largefile omit support for large files
+# --disable-dns-srv disable the use of DNS SRV in HKP and HTTP
+# --disable-nls do not use Native Language Support
+# --disable-regex do not handle regular expressions in trust sigs
+
+EXTRA_OECONF = "--disable-ldap \
+ --with-zlib=${STAGING_LIBDIR}/.. \
+ --with-bzip2=${STAGING_LIBDIR}/.. \
+ --disable-selinux-support \
+ --with-readline=${STAGING_LIBDIR}/.. \
+ ac_cv_sys_symbol_underscore=no \
+ "
+
+# Force gcc's traditional handling of inline to avoid issues with gcc 5
+CFLAGS += "-fgnu89-inline"
+
+do_install () {
+ autotools_do_install
+ install -d ${D}${docdir}/${BPN}
+ mv ${D}${datadir}/${BPN}/* ${D}/${docdir}/${BPN}/ || :
+ mv ${D}${prefix}/doc/* ${D}/${docdir}/${BPN}/ || :
+}
+
+# split out gpgv from main package
+RDEPENDS_${PN} = "gpgv"
+PACKAGES =+ "gpgv"
+FILES_gpgv = "${bindir}/gpgv"
+
+# Exclude debug files from the main packages
+FILES_${PN} = "${bindir}/* ${datadir}/${BPN} ${libexecdir}/${BPN}/*"
+FILES_${PN}-dbg += "${libexecdir}/${BPN}/.debug"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR},--without-libcurl,curl"
+PACKAGECONFIG[libusb] = "--with-libusb=${STAGING_LIBDIR},--without-libusb,libusb-compat"
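Review bot: The recipe gives no reason for staying on 1.4.7 while carrying four CVE backports, so the next maintainer cannot tell whether the pin is deliberate or which later upstream security fixes still need a backport. A comment above `SRC_URI` would record that, for example `# Kept at 1.4.7 on purpose (state the reason); security fixes are carried as backports below`. The tarball is fetched over `ftp://`, so the `SRC_URI[sha256sum]` line is the only integrity check on the download and must be updated with care whenever the source changes. The long block of commented-out `configure --help` output could be trimmed to the options the recipe actually sets.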
diff --git a/yocto-poky/meta/recipes-support/gnupg/gnupg_2.1.7.bb b/yocto-poky/meta/recipes-support/gnupg/gnupg_2.1.7.bb
new file mode 100644
index 000000000..48c7c9622
--- /dev/null
+++ b/yocto-poky/meta/recipes-support/gnupg/gnupg_2.1.7.bb
@@ -0,0 +1,41 @@
+SUMMARY = "GNU Privacy Guard - encryption and signing tools (2.x)"
+HOMEPAGE = "http://www.gnupg.org/"
+LICENSE = "GPLv3 & LGPLv3"
+LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949 \
+ file://COPYING.LIB;md5=6a6a8e020838b23406c81b19c1d46df6"
+
+DEPENDS = "npth libassuan libksba zlib bzip2 readline libgcrypt"
+
+inherit autotools gettext texinfo pkgconfig
+
+SRC_URI = "ftp://ftp.gnupg.org/gcrypt/${BPN}/${BPN}-${PV}.tar.bz2 \
+ file://pkgconfig.patch \
+ file://use-pkgconfig-instead-of-npth-config.patch \
+ file://dirmngr-uses-libgpg-error.patch \
+ "
+
+SRC_URI[md5sum] = "ebdf92b15b8bcd8579b643c7f41a3238"
+SRC_URI[sha256sum] = "c18a3776d47fec98892d51d28b6574ef16bf0a25eabb0956231058aaf2e7846e"
+
+EXTRA_OECONF = "--disable-ldap \
+ --disable-ccid-driver \
+ --with-zlib=${STAGING_LIBDIR}/.. \
+ --with-bzip2=${STAGING_LIBDIR}/.. \
+ --with-readline=${STAGING_LIBDIR}/.. \
+ "
+RRECOMMENDS_${PN} = "pinentry"
+
+do_configure_prepend () {
+ # Else these could be used in prefernce to those in aclocal-copy
+ rm -f ${S}/m4/gpg-error.m4
+ rm -f ${S}/m4/libassuan.m4
+ rm -f ${S}/m4/ksba.m4
+ rm -f ${S}/m4/libgcrypt.m4
+}
+
+do_install_append() {
+ ln -sf gpg2 ${D}${bindir}/gpg
+ ln -sf gpgv2 ${D}${bindir}/gpgv
+}
+
+RDEPENDS_${PN} = "gnutls"
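Review bot: `RDEPENDS_${PN} = "gnutls"` adds a runtime dependency on a library that `DEPENDS` does not list and that no `EXTRA_OECONF` option enables. Either the build links against gnutls only when it happens to be in the sysroot, or the runtime dependency is not needed. If TLS support is wanted, add `gnutls` to `DEPENDS` and let the shared-library scan generate the runtime dependency; if not, drop the line. `do_install_append` also creates `${bindir}/gpgv`, the same path that gnupg_1.4.7.bb packages as `gpgv`, so the two recipes look likely to conflict when installed together unless that is declared.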