Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch')
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch503
1 files changed, 0 insertions, 503 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch
deleted file mode 100644
index d2602447f3..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch
+++ /dev/null
@@ -1,503 +0,0 @@
-From bc38a7d2d3c6082163c50ddf99464736110f2000 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni <openssl-users@dukhovni.org>
-Date: Fri, 19 Feb 2016 13:05:11 -0500
-Subject: [PATCH] Disable EXPORT and LOW SSLv3+ ciphers by default
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
-Upstream-Status: Backport
-
-https://git.openssl.org/?p=openssl.git;a=commit;h=bc38a7d2d3c6082163c50ddf99464736110f2000
-
-CVE: CVE-2016-0800 #3 patch
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- CHANGES | 5 +++++
- Configure | 5 +++++
- NEWS | 1 +
- doc/apps/ciphers.pod | 30 ++++++++++++++++++++---------
- ssl/s3_lib.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 86 insertions(+), 9 deletions(-)
-
-Index: openssl-1.0.2d/Configure
-===================================================================
---- openssl-1.0.2d.orig/Configure
-+++ openssl-1.0.2d/Configure
-@@ -58,6 +58,10 @@ my $usage="Usage: Configure [no-<cipher>
- # library and will be loaded in run-time by the OpenSSL library.
- # sctp include SCTP support
- # 386 generate 80386 code
-+# enable-weak-ssl-ciphers
-+# Enable EXPORT and LOW SSLv3 ciphers that are disabled by
-+# default. Note, weak SSLv2 ciphers are unconditionally
-+# disabled.
- # no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
- # no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
- # -<xxx> +<xxx> compiler options are passed through
-@@ -853,6 +857,7 @@ my %disabled = ( # "what" => "co
- "ssl2" => "default",
- "store" => "experimental",
- "unit-test" => "default",
-+ "weak-ssl-ciphers" => "default",
- "zlib" => "default",
- "zlib-dynamic" => "default"
- );
-Index: openssl-1.0.2d/doc/apps/ciphers.pod
-===================================================================
---- openssl-1.0.2d.orig/doc/apps/ciphers.pod
-+++ openssl-1.0.2d/doc/apps/ciphers.pod
-@@ -136,34 +136,46 @@ than 128 bits, and some cipher suites wi
-
- =item B<LOW>
-
--"low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms
--but excluding export cipher suites.
-+Low strength encryption cipher suites, currently those using 64 or 56 bit
-+encryption algorithms but excluding export cipher suites.
-+As of OpenSSL 1.0.2g, these are disabled in default builds.
-
- =item B<EXP>, B<EXPORT>
-
--export encryption algorithms. Including 40 and 56 bits algorithms.
-+Export strength encryption algorithms. Including 40 and 56 bits algorithms.
-+As of OpenSSL 1.0.2g, these are disabled in default builds.
-
- =item B<EXPORT40>
-
--40 bit export encryption algorithms
-+40-bit export encryption algorithms
-+As of OpenSSL 1.0.2g, these are disabled in default builds.
-
- =item B<EXPORT56>
-
--56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of
-+56-bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of
- 56 bit export ciphers is empty unless OpenSSL has been explicitly configured
- with support for experimental ciphers.
-+As of OpenSSL 1.0.2g, these are disabled in default builds.
-
- =item B<eNULL>, B<NULL>
-
--the "NULL" ciphers that is those offering no encryption. Because these offer no
--encryption at all and are a security risk they are disabled unless explicitly
--included.
-+The "NULL" ciphers that is those offering no encryption. Because these offer no
-+encryption at all and are a security risk they are not enabled via either the
-+B<DEFAULT> or B<ALL> cipher strings.
-+Be careful when building cipherlists out of lower-level primitives such as
-+B<kRSA> or B<aECDSA> as these do overlap with the B<eNULL> ciphers.
-+When in doubt, include B<!eNULL> in your cipherlist.
-
- =item B<aNULL>
-
--the cipher suites offering no authentication. This is currently the anonymous
-+The cipher suites offering no authentication. This is currently the anonymous
- DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable
- to a "man in the middle" attack and so their use is normally discouraged.
-+These are excluded from the B<DEFAULT> ciphers, but included in the B<ALL>
-+ciphers.
-+Be careful when building cipherlists out of lower-level primitives such as
-+B<kDHE> or B<AES> as these do overlap with the B<aNULL> ciphers.
-+When in doubt, include B<!aNULL> in your cipherlist.
-
- =item B<kRSA>, B<RSA>
-
-Index: openssl-1.0.2d/ssl/s3_lib.c
-===================================================================
---- openssl-1.0.2d.orig/ssl/s3_lib.c
-+++ openssl-1.0.2d/ssl/s3_lib.c
-@@ -198,6 +198,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- },
-
- /* Cipher 03 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_RSA_RC4_40_MD5,
-@@ -212,6 +213,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 128,
- },
-+#endif
-
- /* Cipher 04 */
- {
-@@ -246,6 +248,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- },
-
- /* Cipher 06 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_RSA_RC2_40_MD5,
-@@ -260,6 +263,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 128,
- },
-+#endif
-
- /* Cipher 07 */
- #ifndef OPENSSL_NO_IDEA
-@@ -280,6 +284,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- #endif
-
- /* Cipher 08 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_RSA_DES_40_CBC_SHA,
-@@ -294,8 +299,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 56,
- },
-+#endif
-
- /* Cipher 09 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_RSA_DES_64_CBC_SHA,
-@@ -310,6 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 56,
- },
-+#endif
-
- /* Cipher 0A */
- {
-@@ -329,6 +337,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
-
- /* The DH ciphers */
- /* Cipher 0B */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 0,
- SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
-@@ -343,8 +352,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 56,
- },
-+#endif
-
- /* Cipher 0C */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
-@@ -359,6 +370,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 56,
- },
-+#endif
-
- /* Cipher 0D */
- {
-@@ -377,6 +389,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- },
-
- /* Cipher 0E */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 0,
- SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
-@@ -391,8 +404,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 56,
- },
-+#endif
-
- /* Cipher 0F */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
-@@ -407,6 +422,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 56,
- },
-+#endif
-
- /* Cipher 10 */
- {
-@@ -426,6 +442,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
-
- /* The Ephemeral DH ciphers */
- /* Cipher 11 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
-@@ -440,8 +457,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 56,
- },
-+#endif
-
- /* Cipher 12 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
-@@ -456,6 +475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 56,
- },
-+#endif
-
- /* Cipher 13 */
- {
-@@ -474,6 +494,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- },
-
- /* Cipher 14 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
-@@ -488,8 +509,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 56,
- },
-+#endif
-
- /* Cipher 15 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
-@@ -504,6 +527,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 56,
- },
-+#endif
-
- /* Cipher 16 */
- {
-@@ -522,6 +546,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- },
-
- /* Cipher 17 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_ADH_RC4_40_MD5,
-@@ -536,6 +561,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 128,
- },
-+#endif
-
- /* Cipher 18 */
- {
-@@ -554,6 +580,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- },
-
- /* Cipher 19 */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_ADH_DES_40_CBC_SHA,
-@@ -568,8 +595,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 128,
- },
-+#endif
-
- /* Cipher 1A */
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_ADH_DES_64_CBC_SHA,
-@@ -584,6 +613,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 56,
- },
-+#endif
-
- /* Cipher 1B */
- {
-@@ -655,6 +685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- #ifndef OPENSSL_NO_KRB5
- /* The Kerberos ciphers*/
- /* Cipher 1E */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_KRB5_DES_64_CBC_SHA,
-@@ -669,6 +700,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 56,
- },
-+# endif
-
- /* Cipher 1F */
- {
-@@ -719,6 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- },
-
- /* Cipher 22 */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_KRB5_DES_64_CBC_MD5,
-@@ -733,6 +766,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 56,
- },
-+# endif
-
- /* Cipher 23 */
- {
-@@ -783,6 +817,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- },
-
- /* Cipher 26 */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_KRB5_DES_40_CBC_SHA,
-@@ -797,8 +832,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 56,
- },
-+# endif
-
- /* Cipher 27 */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_KRB5_RC2_40_CBC_SHA,
-@@ -813,8 +850,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 128,
- },
-+# endif
-
- /* Cipher 28 */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_KRB5_RC4_40_SHA,
-@@ -829,8 +868,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 128,
- },
-+# endif
-
- /* Cipher 29 */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_KRB5_DES_40_CBC_MD5,
-@@ -845,8 +886,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 56,
- },
-+# endif
-
- /* Cipher 2A */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_KRB5_RC2_40_CBC_MD5,
-@@ -861,8 +904,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 128,
- },
-+# endif
-
- /* Cipher 2B */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- SSL3_TXT_KRB5_RC4_40_MD5,
-@@ -877,6 +922,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 40,
- 128,
- },
-+# endif
- #endif /* OPENSSL_NO_KRB5 */
-
- /* New AES ciphersuites */
-@@ -1300,6 +1346,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- # endif
-
- /* Cipher 62 */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-@@ -1314,8 +1361,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 56,
- },
-+# endif
-
- /* Cipher 63 */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-@@ -1330,8 +1379,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 56,
- },
-+# endif
-
- /* Cipher 64 */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
-@@ -1346,8 +1397,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 128,
- },
-+# endif
-
- /* Cipher 65 */
-+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
- {
- 1,
- TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-@@ -1362,6 +1415,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 56,
- 128,
- },
-+# endif
-
- /* Cipher 66 */
- {
-Index: openssl-1.0.2d/CHANGES
-===================================================================
---- openssl-1.0.2d.orig/CHANGES
-+++ openssl-1.0.2d/CHANGES
-@@ -2,7 +2,11 @@
- OpenSSL CHANGES
- _______________
-
--
-+ * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
-+ Builds that are not configured with "enable-weak-ssl-ciphers" will not
-+ provide any "EXPORT" or "LOW" strength ciphers.
-+ [Viktor Dukhovni]
-+
- * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
- is by default disabled at build-time. Builds that are not configured with
- "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
-Index: openssl-1.0.2d/NEWS
-===================================================================
---- openssl-1.0.2d.orig/NEWS
-+++ openssl-1.0.2d/NEWS
-@@ -1,6 +1,7 @@
-
- NEWS
- ====
-+ Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
- Disable SSLv2 default build, default negotiation and weak ciphers.
-
- This file gives a brief overview of the major changes between each OpenSSL