Squashed 'yocto-poky/' content from commit ea562de

git-subtree-dir: yocto-poky
git-subtree-split: ea562de57590c966cd5a75fda8defecd397e6436
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
new file mode 100644
index 0000000..c9addca
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
@@ -0,0 +1,62 @@
+From e2202ff2b704623efc6277fb5256e4e15bac5676 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 25 Jul 2013 11:17:52 +0200
+Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret
+ exponents.
+
+commit e2202ff2b704623efc6277fb5256e4e15bac5676 from
+git://git.gnupg.org/libgcrypt.git
+
+* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for
+exponents in secure memory.
+
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+--
+
+The attack is published as http://eprint.iacr.org/2013/448 :
+
+Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
+Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
+
+  Flush+Reload is a cache side-channel attack that monitors access to
+  data in shared pages. In this paper we demonstrate how to use the
+  attack to extract private encryption keys from GnuPG.  The high
+  resolution and low noise of the Flush+Reload attack enables a spy
+  program to recover over 98% of the bits of the private key in a
+  single decryption or signing round. Unlike previous attacks, the
+  attack targets the last level L3 cache. Consequently, the spy
+  program and the victim do not need to share the execution core of
+  the CPU. The attack is not limited to a traditional OS and can be
+  used in a virtualised environment, where it can attack programs
+  executing in a different VM.
+
+Index: gnupg-1.4.7/mpi/mpi-pow.c
+===================================================================
+--- gnupg-1.4.7.orig/mpi/mpi-pow.c
++++ gnupg-1.4.7/mpi/mpi-pow.c
+@@ -212,7 +212,13 @@ mpi_powm( MPI res, MPI base, MPI exponen
+ 		tp = rp; rp = xp; xp = tp;
+ 		rsize = xsize;
+ 
+-		if( (mpi_limb_signed_t)e < 0 ) {
++            /* To mitigate the Yarom/Falkner flush+reload cache
++             * side-channel attack on the RSA secret exponent, we do
++             * the multiplication regardless of the value of the
++             * high-bit of E.  But to avoid this performance penalty
++             * we do it only if the exponent has been stored in secure
++             * memory and we can thus assume it is a secret exponent.  */
++		if (esec || (mpi_limb_signed_t)e < 0) {
+ 		    /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/
+ 		    if( bsize < KARATSUBA_THRESHOLD ) {
+ 			mpihelp_mul( xp, rp, rsize, bp, bsize );
+@@ -227,6 +233,8 @@ mpi_powm( MPI res, MPI base, MPI exponen
+ 			mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize);
+ 			xsize = msize;
+ 		    }
++		}
++		if ( (mpi_limb_signed_t)e < 0 ) {
+ 
+ 		    tp = rp; rp = xp; xp = tp;
+ 		    rsize = xsize;
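Review bot: The embedded mpi-pow.c change makes the multiplication unconditional only when `esec` is set, and neither the declaration nor the assignment of `esec` is visible in the hunk context. Please confirm that gnupg-1.4.7's `mpi_powm` derives it from the exponent's secure-memory flag, since the upstream commit cited in the header was written for libgcrypt's `gcry_mpi_powm`. The second `if ( (mpi_limb_signed_t)e < 0 )` still selects the result on the exponent bit, so this mitigates the described cache channel rather than making the exponentiation constant-time. A header line such as `Note: only the multiply is made unconditional, and only for exponents in secure memory; the final swap still depends on the exponent bit.` would keep later readers from treating the recipe as fully hardened. The body of mpi_powm extends beyond both inner hunks.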
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
new file mode 100644
index 0000000..b29ede4
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
@@ -0,0 +1,44 @@
+Upstream-Status: Backport
+
+Index: gnupg-1.4.7/g10/getkey.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/getkey.c	2007-03-05 16:54:41.000000000 +0800
++++ gnupg-1.4.7/g10/getkey.c	2013-11-28 14:41:59.640212240 +0800
+@@ -1454,7 +1454,11 @@
+ 
+       if(flags)
+ 	key_usage |= PUBKEY_USAGE_UNKNOWN;
++      if (!key_usage)
++	key_usage |= PUBKEY_USAGE_NONE;
+     }
++  else if (p)
++    key_usage |= PUBKEY_USAGE_NONE;
+ 
+   /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
+      capability that we do not handle.  This serves to distinguish
+Index: gnupg-1.4.7/g10/keygen.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/keygen.c	2007-02-05 00:27:40.000000000 +0800
++++ gnupg-1.4.7/g10/keygen.c	2013-11-28 14:43:05.016670092 +0800
+@@ -209,9 +209,6 @@
+     if (use & PUBKEY_USAGE_AUTH)
+         buf[0] |= 0x20;
+ 
+-    if (!buf[0]) 
+-        return;
+-
+     build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
+ }
+ 
+Index: gnupg-1.4.7/include/cipher.h
+===================================================================
+--- gnupg-1.4.7.orig/include/cipher.h	2006-04-21 20:39:49.000000000 +0800
++++ gnupg-1.4.7/include/cipher.h	2013-11-28 14:49:24.159322744 +0800
+@@ -52,6 +52,7 @@
+ #define PUBKEY_USAGE_CERT    4      /* key is also good to certify other keys*/
+ #define PUBKEY_USAGE_AUTH    8      /* key is good for authentication */
+ #define PUBKEY_USAGE_UNKNOWN 128    /* key has an unknown usage bit */
++#define PUBKEY_USAGE_NONE    256    /* No usage given. */
+ 
+ #define DIGEST_ALGO_MD5       1
+ #define DIGEST_ALGO_SHA1      2
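Review bot: `PUBKEY_USAGE_NONE` is defined as 256 in cipher.h, which needs nine bits, while the type of `key_usage` and of the field that finally stores it is not visible in the getkey.c hunk. If either is a `byte`, the new flag is truncated to zero and the distinction this backport introduces is lost. Please check the declarations in getkey.c and in the public-key packet structure, and widen them in the same patch if needed. The header carries only `Upstream-Status: Backport`, with no upstream commit id, description or sign-off, so the backport cannot be compared with the original change from here; CVE-2013-4576.patch has the same gap.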
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
new file mode 100644
index 0000000..b1a22f5
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
@@ -0,0 +1,153 @@
+Upstream-Status: Backport
+
+Index: gnupg-1.4.7/cipher/dsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/dsa.c	2006-12-12 02:27:21.000000000 +0800
++++ gnupg-1.4.7/cipher/dsa.c	2014-01-23 11:30:17.300915919 +0800
+@@ -287,6 +287,8 @@
+     MPI kinv;
+     MPI tmp;
+ 
++    mpi_normalize (hash);
++
+     /* select a random k with 0 < k < q */
+     k = gen_k( skey->q );
+ 
+Index: gnupg-1.4.7/cipher/elgamal.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/elgamal.c	2006-12-12 03:08:05.000000000 +0800
++++ gnupg-1.4.7/cipher/elgamal.c	2014-01-23 11:30:17.300915919 +0800
+@@ -376,6 +376,9 @@
+ {
+     MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
+ 
++    mpi_normalize (a);
++    mpi_normalize (b);
++
+     /* output = b/(a^x) mod p */
+     mpi_powm( t1, a, skey->x, skey->p );
+     mpi_invm( t1, t1, skey->p );
+Index: gnupg-1.4.7/cipher/random.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.c	2006-11-03 18:09:39.000000000 +0800
++++ gnupg-1.4.7/cipher/random.c	2014-01-23 11:31:53.993495462 +0800
+@@ -273,6 +273,18 @@
+ }
+ 
+ 
++/* Randomize the MPI */ 
++void
++randomize_mpi (MPI mpi, size_t nbits, int level)
++{
++  unsigned char *buffer;
++
++  buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
++  mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
++  xfree (buffer);
++}
++
++
+ int
+ random_is_faked()
+ {
+Index: gnupg-1.4.7/cipher/random.h
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.h	2006-02-09 19:29:29.000000000 +0800
++++ gnupg-1.4.7/cipher/random.h	2014-01-23 11:30:17.300915919 +0800
+@@ -32,6 +32,7 @@
+ int  random_is_faked(void);
+ void random_disable_locking (void);
+ void randomize_buffer( byte *buffer, size_t length, int level );
++void randomize_mpi (MPI mpi, size_t nbits, int level);
+ byte *get_random_bits( size_t nbits, int level, int secure );
+ void fast_random_poll( void );
+ 
+Index: gnupg-1.4.7/cipher/rsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/rsa.c	2006-12-12 03:09:00.000000000 +0800
++++ gnupg-1.4.7/cipher/rsa.c	2014-01-23 11:35:04.330639125 +0800
+@@ -301,9 +301,26 @@
+ #if 0
+     mpi_powm( output, input, skey->d, skey->n );
+ #else
+-    MPI m1   = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-    MPI m2   = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-    MPI h    = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
++    int nlimbs = mpi_get_nlimbs (skey->n)+1;
++    MPI m1   = mpi_alloc_secure (nlimbs);
++    MPI m2   = mpi_alloc_secure (nlimbs);
++    MPI h    = mpi_alloc_secure (nlimbs);
++# if 1
++    MPI bdata= mpi_alloc_secure (nlimbs);
++    MPI r    = mpi_alloc_secure (nlimbs);
++# endif
++
++    /* Remove superfluous leading zeroes from INPUT.  */
++    mpi_normalize (input);
++
++# if 1 
++    /* Blind:  bdata = (data * r^e) mod n   */
++    randomize_mpi (r, mpi_get_nbits (skey->n), 0);
++    mpi_fdiv_r (r, r, skey->n);
++    mpi_powm (bdata, r, skey->e, skey->n);
++    mpi_mulm (bdata, bdata, input, skey->n);
++    input = bdata;
++# endif
+ 
+     /* m1 = c ^ (d mod (p-1)) mod p */
+     mpi_sub_ui( h, skey->p, 1  );
+@@ -321,8 +338,15 @@
+     /* m = m2 + h * p */
+     mpi_mul ( h, h, skey->p );
+     mpi_add ( output, m1, h );
+-    /* ready */
+-    
++
++# if 1
++    mpi_free (bdata);
++    /* Unblind: output = (output * r^(-1)) mod n  */
++    mpi_invm (r, r, skey->n);
++    mpi_mulm (output, output, r, skey->n);
++    mpi_free (r);
++# endif
++
+     mpi_free ( h );
+     mpi_free ( m1 );
+     mpi_free ( m2 );
+@@ -397,6 +421,7 @@
+ rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
+ {
+     RSA_secret_key sk;
++    MPI input;
+ 
+     if( algo != 1 && algo != 2 )
+ 	return G10ERR_PUBKEY_ALGO;
+@@ -407,8 +432,14 @@
+     sk.p = skey[3];
+     sk.q = skey[4];
+     sk.u = skey[5];
+-    *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
+-    secret( *result, data[0], &sk );
++
++    /* Mitigates side-channel attacks (CVE-2013-4576).  */
++    input = mpi_alloc (0);
++    mpi_normalize (data[0]);
++    mpi_fdiv_r (input, data[0], sk.n);
++    *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
++    secret (*result, input, &sk);
++    mpi_free (input);
+     return 0;
+ }
+ 
+Index: gnupg-1.4.7/g10/gpgv.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/gpgv.c	2006-12-13 19:25:04.000000000 +0800
++++ gnupg-1.4.7/g10/gpgv.c	2014-01-23 11:30:17.300915919 +0800
+@@ -390,6 +390,7 @@
+ void random_dump_stats(void) {}
+ int quick_random_gen( int onoff ) { return -1;}
+ void randomize_buffer( byte *buffer, size_t length, int level ) {}
++void randomize_mpi (MPI mpi, size_t nbits, int level) {}
+ int random_is_faked() { return -1;}
+ byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
+ void set_random_seed_file( const char *name ) {}
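Review bot: Blinding is added only to the RSA `secret()` path; the dsa.c and elgamal.c hunks add `mpi_normalize` calls but leave `mpi_powm( t1, a, skey->x, skey->p )` operating directly on the supplied value, so it is worth confirming against the upstream release that this is the whole intended fix. In rsa.c the `# if 1` guards around the blinding and unblinding blocks add nothing and make the protection look optional. Dropping them and adding a comment such as `/* INPUT now aliases BDATA; it must not be read after mpi_free (bdata). */` next to `input = bdata;` would make the lifetime explicit. Several of the patched functions begin or end outside the hunks shown.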
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
new file mode 100644
index 0000000..8b5d9a1
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
@@ -0,0 +1,63 @@
+commit f0b33b6fb8e0586e9584a7a409dcc31263776a67
+Author: Werner Koch <wk@gnupg.org>
+Date:   Thu Dec 20 09:43:41 2012 +0100
+
+    gpg: Import only packets which are allowed in a keyblock.
+    
+    * g10/import.c (valid_keyblock_packet): New.
+    (read_block): Store only valid packets.
+    --
+    
+    A corrupted key, which for example included a mangled public key
+    encrypted packet, used to corrupt the keyring.  This change skips all
+    packets which are not allowed in a keyblock.
+    
+    GnuPG-bug-id: 1455
+    
+    (cherry-picked from commit f795a0d59e197455f8723c300eebf59e09853efa)
+
+Upstream-Status: Backport
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+diff --git a/g10/import.c b/g10/import.c
+index bfe02eb..a57b32e 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -384,6 +384,27 @@ import_print_stats (void *hd)
+ }
+ 
+ 
++/* Return true if PKTTYPE is valid in a keyblock.  */
++static int
++valid_keyblock_packet (int pkttype)
++{
++  switch (pkttype)
++    {
++    case PKT_PUBLIC_KEY:
++    case PKT_PUBLIC_SUBKEY:
++    case PKT_SECRET_KEY:
++    case PKT_SECRET_SUBKEY:
++    case PKT_SIGNATURE:
++    case PKT_USER_ID:
++    case PKT_ATTRIBUTE:
++    case PKT_RING_TRUST:
++      return 1;
++    default:
++      return 0;
++    }
++}
++
++
+ /****************
+  * Read the next keyblock from stream A.
+  * PENDING_PKT should be initialzed to NULL
+@@ -461,7 +482,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root )
+ 	    }
+ 	    in_cert = 1;
+ 	  default:
+-	    if( in_cert ) {
++	    if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
+ 		if( !root )
+ 		    root = new_kbnode( pkt );
+ 		else
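Review bot: When `valid_keyblock_packet (pkt->pkttype)` rejects a packet, the branch that allocates a fresh `pkt` is skipped and the same structure is reused for the next read. The lines after the `else` are outside the hunk, so please confirm that the rejected packet's contents are released, for example with `free_packet (pkt);`, before it is reinitialised; otherwise every skipped packet leaks memory during import. Rejected packets are also dropped silently, and a verbose-level log line naming the skipped packet type would help when an import loses data unexpectedly. read_block continues past the end of the hunk.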
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch
new file mode 100644
index 0000000..e005ac6
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/configure.patch
@@ -0,0 +1,17 @@
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+Index: gnupg-1.4.7/configure.ac
+===================================================================
+--- gnupg-1.4.7.orig/configure.ac
++++ gnupg-1.4.7/configure.ac
+@@ -827,7 +827,6 @@ else
+   AC_SUBST(USE_NLS)
+   AC_SUBST(USE_INCLUDED_LIBINTL)
+   AC_SUBST(BUILD_INCLUDED_LIBINTL)
+-  AM_PO_SUBDIRS
+ fi
+ 
+ if test "$try_extensions" = yes || test x"$card_support" = xyes ; then
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch
new file mode 100644
index 0000000..e5fb24a
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/curl_typeof_fix_backport.patch
@@ -0,0 +1,27 @@
+
+This has been discussed in a couple of different bug reported
+upstream:
+
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486250
+http://bugs.sourcemage.org/show_bug.cgi?id=14446
+
+Fix:
+http://lists.gnupg.org/pipermail/gnupg-devel/2008-April/024344.html
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+Index: gnupg-1.4.7/keyserver/gpgkeys_curl.c
+===================================================================
+--- gnupg-1.4.7.orig/keyserver/gpgkeys_curl.c
++++ gnupg-1.4.7/keyserver/gpgkeys_curl.c
+@@ -286,7 +286,7 @@ main(int argc,char *argv[])
+       curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
+     }
+ 
+-  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,opt->flags.check_cert);
++  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
+   curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
+ 
+   if(proxy)
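Review bot: The context line `curl_easy_setopt(curl,CURLOPT_VERBOSE,1);` has the same variadic type mismatch that this patch fixes for `CURLOPT_SSL_VERIFYPEER`: the option expects a long and receives an int, so it should become `curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);`. The cast on the verification flag matters because a mis-sized variadic argument can be read back as a different value on some ABIs, which would make certificate checking unpredictable. main continues outside the hunk, so any other `curl_easy_setopt` calls that pass integer arguments should be checked as well.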
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch
new file mode 100644
index 0000000..2855cab
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/long-long-thumb.patch
@@ -0,0 +1,19 @@
+Orignal Patch came from OpenWrt via OE-Classic
+https://dev.openwrt.org/browser/packages/utils/gnupg/patches/001-mips_gcc4.4
+which is no longer a valid revision!
+
+Upstream-Status: Inappropriate [configuration]
+
+
+--- gnupg/mpi/longlong.h~      2006-02-14 10:09:55.000000000 +0000
++++ gnupg/mpi/longlong.h       2008-10-27 13:11:09.000000000 +0000
+@@ -181,7 +181,7 @@
+ /***************************************
+  **************  ARM  ******************
+  ***************************************/
+-#if defined (__arm__) && W_TYPE_SIZE == 32
++#if defined (__arm__) && W_TYPE_SIZE == 32 && !defined(__thumb__)
+ #define add_ssaaaa(sh, sl, ah, al, bh, bl) \
+   __asm__ ("adds %1, %4, %5\n"                                          \
+          "adc  %0, %2, %3"                                            \
+
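Review bot: The header of this patch does not describe what it does: it cites the OpenWrt `001-mips_gcc4.4` URL, while the change itself adds `&& !defined(__thumb__)` to the ARM block of longlong.h. mips_gcc4.4.patch in turn is described as `Readd the ARM Thumb patch`, so the two descriptions look swapped. A header such as `Do not use the ARM inline-assembly macros in longlong.h when building for Thumb.` would match this change, and the OpenWrt reference belongs on the MIPS patch.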
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch
new file mode 100644
index 0000000..9a03b2b
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/mips_gcc4.4.patch
@@ -0,0 +1,50 @@
+
+From Openembedded-Classic
+
+    gnupg-1.4.10: Readd the ARM Thumb patch as debian has no thumb support
+
+
+Upstream-Status: Inappropriate [embedded-specific]
+
+Index: gnupg-1.4.10/mpi/longlong.h
+===================================================================
+--- gnupg-1.4.10.orig/mpi/longlong.h	2008-12-11 17:39:43.000000000 +0100
++++ gnupg-1.4.10/mpi/longlong.h	2010-03-27 14:27:53.000000000 +0100
+@@ -706,18 +706,35 @@
+ #endif /* __m88110__ */
+ #endif /* __m88000__ */
+ 
++/* Test for gcc >= maj.min, as per __GNUC_PREREQ in glibc */
++#if defined (__GNUC__) && defined (__GNUC_MINOR__)
++#define __GNUC_PREREQ(maj, min) \
++	((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
++#else
++#define __GNUC_PREREQ(maj, min)  0
++#endif
++
+ /***************************************
+  **************  MIPS  *****************
+  ***************************************/
+ #if defined (__mips__) && W_TYPE_SIZE == 32
+-#if __GNUC__ > 2 || __GNUC_MINOR__ >= 7
++#if __GNUC_PREREQ (4,4)
++#define umul_ppmm(w1, w0, u, v) \
++  do {                                                                 \
++	UDItype __ll = (UDItype)(u) * (v);                                 \
++	w1 = __ll >> 32;                                                   \
++	w0 = __ll;                                                         \
++  } while (0)
++#endif
++#if !defined (umul_ppmm) && __GNUC_PREREQ (2,7)
+ #define umul_ppmm(w1, w0, u, v) \
+   __asm__ ("multu %2,%3"                                                \
+ 	   : "=l" ((USItype)(w0)),                                      \
+ 	     "=h" ((USItype)(w1))                                       \
+ 	   : "d" ((USItype)(u)),                                        \
+ 	     "d" ((USItype)(v)))
+-#else
++#endif
++#if !defined (umul_ppmm)
+ #define umul_ppmm(w1, w0, u, v) \
+   __asm__ ("multu %2,%3 \n" \
+ 	   "mflo %0 \n"     \
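Review bot: `__GNUC_PREREQ` is defined unconditionally, although the added comment says it mirrors the glibc macro of the same name; wrapping the definition in `#ifndef __GNUC_PREREQ` and `#endif` avoids a redefinition when a libc header has already provided it. The patch is also indexed against gnupg-1.4.10 while the recipe builds 1.4.7, so it presumably applies with offsets, and regenerating it against the 1.4.7 tree would remove that uncertainty. The MIPS block continues past the end of the hunk.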
diff --git a/meta/recipes-support/gnupg/gnupg/dirmngr-uses-libgpg-error.patch b/meta/recipes-support/gnupg/gnupg/dirmngr-uses-libgpg-error.patch
new file mode 100644
index 0000000..7af1955
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/dirmngr-uses-libgpg-error.patch
@@ -0,0 +1,16 @@
+Upstream-Status: Pending
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+Index: gnupg-2.1.0/dirmngr/Makefile.am
+===================================================================
+--- gnupg-2.1.0.orig/dirmngr/Makefile.am
++++ gnupg-2.1.0/dirmngr/Makefile.am
+@@ -78,7 +78,8 @@ endif
+ dirmngr_LDADD = $(libcommontlsnpth) $(libcommonpth) \
+         $(DNSLIBS) $(LIBASSUAN_LIBS) \
+ 	$(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \
+-	$(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV)
++	$(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) \
++	$(GPG_ERROR_LIBS)
+ if USE_LDAP
+ dirmngr_LDADD += $(ldaplibs)
+ endif
diff --git a/meta/recipes-support/gnupg/gnupg/pkgconfig.patch b/meta/recipes-support/gnupg/gnupg/pkgconfig.patch
new file mode 100644
index 0000000..f958603
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/pkgconfig.patch
@@ -0,0 +1,90 @@
+Use pkg-config to find pth instead of pth-config.
+
+Upstream-Status: Denied
+[not submitted but they've been clear they don't want a pkg-config dependency]
+
+RP 2014/5/22
+
+Index: gnupg-2.1.0/m4/gnupg-pth.m4
+===================================================================
+--- gnupg-2.1.0.orig/m4/gnupg-pth.m4
++++ gnupg-2.1.0/m4/gnupg-pth.m4
+@@ -17,33 +17,9 @@ dnl implied warranty of MERCHANTABILITY
+ # Taken and modified from the m4 macros which come with Pth.
+ AC_DEFUN([GNUPG_PTH_VERSION_CHECK],
+   [
+-    _pth_version=`$PTH_CONFIG --version | awk 'NR==1 {print [$]3}'`
+     _req_version="ifelse([$1],,1.2.0,$1)"
++    PKG_CHECK_MODULES(PTH, [pth >= $_req_version], [have_pth=yes], [have_pth=no])
+ 
+-    AC_MSG_CHECKING(for PTH - version >= $_req_version)
+-    for _var in _pth_version _req_version; do
+-        eval "_val=\"\$${_var}\""
+-        _major=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\1/'`
+-        _minor=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\2/'`
+-        _rtype=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\3/'`
+-        _micro=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\4/'`
+-        case $_rtype in
+-            "a" ) _rtype=0 ;;
+-            "b" ) _rtype=1 ;;
+-            "." ) _rtype=2 ;;
+-        esac
+-        _hex=`echo dummy | awk '{ printf("%d%02d%1d%02d", major, minor, rtype, micro); }' \
+-              "major=$_major" "minor=$_minor" "rtype=$_rtype" "micro=$_micro"`
+-        eval "${_var}_hex=\"\$_hex\""
+-    done
+-    have_pth=no
+-    if test ".$_pth_version_hex" != .; then
+-        if test ".$_req_version_hex" != .; then
+-            if test $_pth_version_hex -ge $_req_version_hex; then
+-                have_pth=yes
+-            fi
+-        fi
+-    fi
+     if test $have_pth = yes; then
+        AC_MSG_RESULT(yes)
+        AC_MSG_CHECKING([whether PTH installation is sane])
+@@ -51,9 +27,9 @@ AC_DEFUN([GNUPG_PTH_VERSION_CHECK],
+          _gnupg_pth_save_cflags=$CFLAGS
+          _gnupg_pth_save_ldflags=$LDFLAGS
+          _gnupg_pth_save_libs=$LIBS
+-         CFLAGS="$CFLAGS `$PTH_CONFIG --cflags`"
+-         LDFLAGS="$LDFLAGS `$PTH_CONFIG --ldflags`"
+-         LIBS="$LIBS `$PTH_CONFIG --libs --all`"
++         CFLAGS="$CFLAGS $PTH_CFLAGS"
++         LDFLAGS="$LDFLAGS $PTH_LDFLAGS"
++         LIBS="$LIBS $PTH_LIBS"
+          AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pth.h>
+                                          ],
+                                          [[ pth_init ();]])],
+@@ -80,26 +56,13 @@ AC_DEFUN([GNUPG_PTH_VERSION_CHECK],
+ # PTH_CLFAGS and PTH_LIBS are AS_SUBST.
+ #
+ AC_DEFUN([GNUPG_PATH_PTH],
+-[ AC_ARG_WITH(pth-prefix,
+-             AC_HELP_STRING([--with-pth-prefix=PFX],
+-                           [prefix where GNU Pth is installed (optional)]),
+-     pth_config_prefix="$withval", pth_config_prefix="")
+-  if test x$pth_config_prefix != x ; then
+-     PTH_CONFIG="$pth_config_prefix/bin/pth-config"
+-  fi
+-  AC_PATH_PROG(PTH_CONFIG, pth-config, no)
++[
+   tmp=ifelse([$1], ,1.3.7,$1)
+-  if test "$PTH_CONFIG" != "no"; then
+-    GNUPG_PTH_VERSION_CHECK($tmp)
+-    if test $have_pth = yes; then      
+-       PTH_CFLAGS=`$PTH_CONFIG --cflags`
+-       PTH_LIBS=`$PTH_CONFIG --ldflags`
+-       PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs --all`"
+-       AC_DEFINE(HAVE_PTH, 1,
++  GNUPG_PTH_VERSION_CHECK($tmp)
++  if test $have_pth = yes; then
++      AC_DEFINE(HAVE_PTH, 1,
+                 [Defined if the GNU Pth is available])
+-    fi
+   fi
+   AC_SUBST(PTH_CFLAGS)
+   AC_SUBST(PTH_LIBS)
+ ])
+-
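Review bot: `LDFLAGS="$LDFLAGS $PTH_LDFLAGS"` uses a variable that nothing in the new code sets: `PKG_CHECK_MODULES(PTH, ...)` provides `PTH_CFLAGS` and `PTH_LIBS` only, so the line is a no-op and can be dropped. `AC_MSG_RESULT(yes)` in the `have_pth = yes` branch is now printed without a preceding `AC_MSG_CHECKING`, because that call was removed together with the version parsing. When `have_pth` is `no`, no result line is emitted by the visible code either, so the configure log no longer records the outcome of the check.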
diff --git a/meta/recipes-support/gnupg/gnupg/use-pkgconfig-instead-of-npth-config.patch b/meta/recipes-support/gnupg/gnupg/use-pkgconfig-instead-of-npth-config.patch
new file mode 100644
index 0000000..c6dbf1b
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/use-pkgconfig-instead-of-npth-config.patch
@@ -0,0 +1,72 @@
+Upstream-Status: Inappropriate [openembedded specific]
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+
+Index: gnupg-2.1.0/m4/npth.m4
+===================================================================
+--- gnupg-2.1.0.orig/m4/npth.m4
++++ gnupg-2.1.0/m4/npth.m4
+@@ -17,10 +17,10 @@ AC_DEFUN([_AM_PATH_NPTH_CONFIG],
+   if test "x$npth_config_prefix" != x ; then
+       NPTH_CONFIG="$npth_config_prefix/bin/npth-config"
+   fi
+-  AC_PATH_PROG(NPTH_CONFIG, npth-config, no)
++  AC_PATH_PROG(PKGCONFIG, pkg-config, no)
+ 
+-  if test "$NPTH_CONFIG" != "no" ; then
+-    npth_version=`$NPTH_CONFIG --version`
++  if test "$PKGCONFIG" != "no" ; then
++    npth_version=`$PKGCONFIG --modversion npth`
+   fi
+   npth_version_major=`echo $npth_version | \
+                sed 's/\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'`
+@@ -45,7 +45,7 @@ AC_DEFUN([AM_PATH_NPTH],
+ 
+   AC_MSG_CHECKING(for NPTH - version >= $min_npth_version)
+   ok=no
+-  if test "$NPTH_CONFIG" != "no" ; then
++  if test "$PKGCONFIG" != "no" ; then
+     req_major=`echo $min_npth_version | \
+                sed 's/\([[0-9]]*\)\.\([[0-9]]*\)/\1/'`
+     req_minor=`echo $min_npth_version | \
+@@ -66,28 +66,9 @@ AC_DEFUN([AM_PATH_NPTH],
+   fi
+   if test $ok = yes; then
+     AC_MSG_RESULT([yes ($npth_version)])
+-  else
+-    AC_MSG_RESULT(no)
+-  fi
+-  if test $ok = yes; then
+-     # If we have a recent NPTH, we should also check that the
+-     # API is compatible.
+-     if test "$req_npth_api" -gt 0 ; then
+-        tmp=`$NPTH_CONFIG --api-version 2>/dev/null || echo 0`
+-        if test "$tmp" -gt 0 ; then
+-           AC_MSG_CHECKING([NPTH API version])
+-           if test "$req_npth_api" -eq "$tmp" ; then
+-             AC_MSG_RESULT([okay])
+-           else
+-             ok=no
+-             AC_MSG_RESULT([does not match. want=$req_npth_api got=$tmp])
+-           fi
+-        fi
+-     fi
+-  fi
+-  if test $ok = yes; then
+-    NPTH_CFLAGS=`$NPTH_CONFIG --cflags`
+-    NPTH_LIBS=`$NPTH_CONFIG --libs`
++    NPTH_CFLAGS=`$PKGCONFIG --cflags npth`
++    NPTH_LIBS=`$PKGCONFIG --libs npth`
++    AC_MSG_WARN([[GOT HERE - $NPTH_LIBS ]])
+     ifelse([$2], , :, [$2])
+     npth_config_host=`$NPTH_CONFIG --host 2>/dev/null || echo none`
+     if test x"$npth_config_host" != xnone ; then
+@@ -103,6 +84,7 @@ AC_DEFUN([AM_PATH_NPTH],
+       fi
+     fi
+   else
++    AC_MSG_RESULT(no)
+     NPTH_CFLAGS=""
+     NPTH_LIBS=""
+     ifelse([$3], , :, [$3])
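Review bot: `AC_MSG_WARN([[GOT HERE - $NPTH_LIBS ]])` is a leftover debugging line and should be removed before the patch is carried in the recipe. The context line that assigns `npth_config_host` still calls `$NPTH_CONFIG --host`, although `NPTH_CONFIG` is no longer located by `AC_PATH_PROG`. The host check that follows therefore either sees `none` or runs whatever script `npth_config_prefix` pointed at, which in a cross build may be a host-side binary. The NPTH API-version comparison is also removed without a replacement; if that is intentional the patch header should say so.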
diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
new file mode 100644
index 0000000..6999f81
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -0,0 +1,105 @@
+SUMMARY = "GNU Privacy Guard - encryption and signing tools"
+HOMEPAGE = "http://www.gnupg.org/"
+DEPENDS = "zlib bzip2 readline"
+SECTION = "console/utils"
+
+LICENSE = "GPLv2"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"
+
+PR = "r9"
+
+SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
+           file://long-long-thumb.patch \
+           file://configure.patch \
+           file://mips_gcc4.4.patch \
+           file://GnuPG1-CVE-2012-6085.patch \
+           file://curl_typeof_fix_backport.patch \
+           file://CVE-2013-4351.patch \
+           file://CVE-2013-4576.patch \
+           file://CVE-2013-4242.patch \
+	  "
+
+SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"
+SRC_URI[sha256sum] = "69d18b7d193f62ca27ed4febcb4c9044aa0c95305d3258fe902e2fae5fc6468d"
+
+inherit autotools gettext texinfo
+
+#   --with-egd-socket=NAME  use NAME for the EGD socket
+#   --with-photo-viewer=FIXED_VIEWER  set a fixed photo ID viewer
+#   --with-included-zlib    use the zlib code included here
+#   --with-capabilities     use linux capabilities default=no
+#   --with-mailprog=NAME    use "NAME -t" for mail transport
+#   --with-libiconv-prefix[=DIR]  search for libiconv in DIR/include and DIR/lib
+#   --without-libiconv-prefix     don't search for libiconv in includedir and libdir
+#   --with-included-gettext use the GNU gettext library included here
+#   --with-libintl-prefix[=DIR]  search for libintl in DIR/include and DIR/lib
+#   --without-libintl-prefix     don't search for libintl in includedir and libdir
+#   --without-readline      do not support fancy command line editing
+#   --with-included-regex   use the included GNU regex library
+#   --with-zlib=DIR         use libz in DIR
+#   --with-bzip2=DIR        look for bzip2 in DIR
+#   --enable-static-rnd=egd|unix|linux|auto
+#   --disable-dev-random    disable the use of dev random
+#   --disable-asm           do not use assembler modules
+#   --enable-m-guard        enable memory guard facility
+#   --enable-selinux-support
+#                           enable SELinux support
+#   --disable-card-support  disable OpenPGP card support
+#   --disable-gnupg-iconv   disable the new iconv code
+#   --enable-backsigs       enable the experimental backsigs code
+#   --enable-minimal        build the smallest gpg binary possible
+#   --disable-rsa           disable the RSA public key algorithm
+#   --disable-idea          disable the IDEA cipher
+#   --disable-cast5         disable the CAST5 cipher
+#   --disable-blowfish      disable the BLOWFISH cipher
+#   --disable-aes           disable the AES, AES192, and AES256 ciphers
+#   --disable-twofish       disable the TWOFISH cipher
+#   --disable-sha256        disable the SHA-256 digest
+#   --disable-sha512        disable the SHA-384 and SHA-512 digests
+#   --disable-bzip2         disable the BZIP2 compression algorithm
+#   --disable-exec          disable all external program execution
+#   --disable-photo-viewers disable photo ID viewers
+#   --disable-keyserver-helpers  disable all external keyserver support
+#   --disable-ldap          disable LDAP keyserver interface
+#   --disable-hkp           disable HKP keyserver interface
+#   --disable-http          disable HTTP key fetching interface
+#   --disable-finger        disable Finger key fetching interface
+#   --disable-mailto        disable email keyserver interface
+#   --disable-keyserver-path disable the exec-path option for keyserver helpers
+#   --enable-key-cache=SIZE Set key cache to SIZE (default 4096)
+#   --disable-largefile     omit support for large files
+#   --disable-dns-srv       disable the use of DNS SRV in HKP and HTTP
+#   --disable-nls           do not use Native Language Support
+#   --disable-regex         do not handle regular expressions in trust sigs
+
+EXTRA_OECONF = "--disable-ldap \
+		--with-zlib=${STAGING_LIBDIR}/.. \
+		--with-bzip2=${STAGING_LIBDIR}/.. \
+		--disable-selinux-support \
+                --with-readline=${STAGING_LIBDIR}/.. \
+                ac_cv_sys_symbol_underscore=no \
+		"
+
+# Force gcc's traditional handling of inline to avoid issues with gcc 5
+CFLAGS += "-fgnu89-inline"
+
+do_install () {
+	autotools_do_install
+	install -d ${D}${docdir}/${BPN}
+	mv ${D}${datadir}/${BPN}/* ${D}/${docdir}/${BPN}/ || :
+	mv ${D}${prefix}/doc/* ${D}/${docdir}/${BPN}/ || :
+}
+
+# split out gpgv from main package
+RDEPENDS_${PN} = "gpgv"
+PACKAGES =+ "gpgv"
+FILES_gpgv = "${bindir}/gpgv"
+
+# Exclude debug files from the main packages
+FILES_${PN} = "${bindir}/* ${datadir}/${BPN} ${libexecdir}/${BPN}/*"
+FILES_${PN}-dbg += "${libexecdir}/${BPN}/.debug"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR},--without-libcurl,curl"
+PACKAGECONFIG[libusb] = "--with-libusb=${STAGING_LIBDIR},--without-libusb,libusb-compat"
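Review bot: Both `mv` lines in `do_install` end in `|| :`, which hides every failure and not only the case where the source directory is absent, so documentation can silently go missing from the package. Testing for the directory first, for example `if [ -d ${D}${prefix}/doc ]; then mv ${D}${prefix}/doc/* ${D}${docdir}/${BPN}/; fi`, keeps the tolerant behaviour and still fails the task on a real error. The tarball is fetched over `ftp://`, so `SRC_URI[sha256sum]` is the only integrity control on the download and must be kept if the URL is ever changed.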
diff --git a/meta/recipes-support/gnupg/gnupg_2.1.7.bb b/meta/recipes-support/gnupg/gnupg_2.1.7.bb
new file mode 100644
index 0000000..48c7c96
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg_2.1.7.bb
@@ -0,0 +1,41 @@
+SUMMARY = "GNU Privacy Guard - encryption and signing tools (2.x)"
+HOMEPAGE = "http://www.gnupg.org/"
+LICENSE = "GPLv3 & LGPLv3"
+LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949 \
+                    file://COPYING.LIB;md5=6a6a8e020838b23406c81b19c1d46df6"
+
+DEPENDS = "npth libassuan libksba zlib bzip2 readline libgcrypt"
+
+inherit autotools gettext texinfo pkgconfig
+
+SRC_URI = "ftp://ftp.gnupg.org/gcrypt/${BPN}/${BPN}-${PV}.tar.bz2 \
+           file://pkgconfig.patch \
+           file://use-pkgconfig-instead-of-npth-config.patch \
+           file://dirmngr-uses-libgpg-error.patch \
+          "
+
+SRC_URI[md5sum] = "ebdf92b15b8bcd8579b643c7f41a3238"
+SRC_URI[sha256sum] = "c18a3776d47fec98892d51d28b6574ef16bf0a25eabb0956231058aaf2e7846e"
+
+EXTRA_OECONF = "--disable-ldap \
+		--disable-ccid-driver \
+		--with-zlib=${STAGING_LIBDIR}/.. \
+		--with-bzip2=${STAGING_LIBDIR}/.. \
+                --with-readline=${STAGING_LIBDIR}/.. \
+               "
+RRECOMMENDS_${PN} = "pinentry"
+
+do_configure_prepend () {
+	# Else these could be used in prefernce to those in aclocal-copy
+	rm -f ${S}/m4/gpg-error.m4
+	rm -f ${S}/m4/libassuan.m4
+	rm -f ${S}/m4/ksba.m4
+	rm -f ${S}/m4/libgcrypt.m4
+}
+
+do_install_append() {
+	ln -sf gpg2 ${D}${bindir}/gpg
+	ln -sf gpgv2 ${D}${bindir}/gpgv
+}
+
+RDEPENDS_${PN} = "gnutls"
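Review bot: `RDEPENDS_${PN} = "gnutls"` adds a runtime dependency on gnutls, but `DEPENDS` does not list it, so whether configure finds gnutls at build time depends on what else happens to be in the sysroot. dirmngr-uses-libgpg-error.patch shows dirmngr linking `$(LIBGNUTLS_LIBS)`, so TLS support in dirmngr presumably hinges on this. Adding it to the build dependencies, `DEPENDS = "npth libassuan libksba zlib bzip2 readline libgcrypt gnutls"`, makes the result deterministic. The three patches in `SRC_URI` are indexed against gnupg-2.1.0 while the recipe builds 2.1.7, so they should be checked for fuzz when applied.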