Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch | 198 |
1 files changed, 0 insertions, 198 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
deleted file mode 100644
index e5635fec19..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
+++ /dev/null
@@ -1,198 +0,0 @@
-From 9dfd2be8a1761fffd152a92d8f1b356ad667eea7 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni <openssl-users@dukhovni.org>
-Date: Wed, 17 Feb 2016 21:07:48 -0500
-Subject: [PATCH] Disable SSLv2 default build, default negotiation and weak
- ciphers.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-SSLv2 is by default disabled at build-time. Builds that are not
-configured with "enable-ssl2" will not support SSLv2. Even if
-"enable-ssl2" is used, users who want to negotiate SSLv2 via the
-version-flexible SSLv23_method() will need to explicitly call either
-of:
-
- SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
-or
- SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
-
-as appropriate. Even if either of those is used, or the application
-explicitly uses the version-specific SSLv2_method() or its client
-or server variants, SSLv2 ciphers vulnerable to exhaustive search
-key recovery have been removed. Specifically, the SSLv2 40-bit
-EXPORT ciphers, and SSLv2 56-bit DES are no longer available.
-
-Mitigation for CVE-2016-0800
-
-Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
-Upstream-Status: Backport
-
-https://git.openssl.org/?p=openssl.git;a=commit;h=9dfd2be8a1761fffd152a92d8f1b356ad667eea7
-
-CVE: CVE-2016-0800
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- CHANGES | 17 +++++++++++++++++
- Configure | 3 ++-
- NEWS | 2 +-
- ssl/s2_lib.c | 6 ++++++
- ssl/ssl_conf.c | 10 +++++++++-
- ssl/ssl_lib.c | 7 +++++++
- 6 files changed, 42 insertions(+), 3 deletions(-)
-
-Index: openssl-1.0.2d/Configure
-===================================================================
---- openssl-1.0.2d.orig/Configure
-+++ openssl-1.0.2d/Configure
-@@ -847,9 +847,10 @@ my %disabled = ( # "what" => "co
- "md2" => "default",
- "rc5" => "default",
- "rfc3779" => "default",
-- "sctp" => "default",
-+ "sctp" => "default",
- "shared" => "default",
- "ssl-trace" => "default",
-+ "ssl2" => "default",
- "store" => "experimental",
- "unit-test" => "default",
- "zlib" => "default",
-Index: openssl-1.0.2d/ssl/s2_lib.c
-===================================================================
---- openssl-1.0.2d.orig/ssl/s2_lib.c
-+++ openssl-1.0.2d/ssl/s2_lib.c
-@@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- 128,
- },
-
-+# if 0
- /* RC4_128_EXPORT40_WITH_MD5 */
- {
- 1,
-@@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- 40,
- 128,
- },
-+# endif
-
- /* RC2_128_CBC_WITH_MD5 */
- {
-@@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- 128,
- },
-
-+# if 0
- /* RC2_128_CBC_EXPORT40_WITH_MD5 */
- {
- 1,
-@@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- 40,
- 128,
- },
-+# endif
-
- # ifndef OPENSSL_NO_IDEA
- /* IDEA_128_CBC_WITH_MD5 */
-@@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- },
- # endif
-
-+# if 0
- /* DES_64_CBC_WITH_MD5 */
- {
- 1,
-@@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- 56,
- 56,
- },
-+# endif
-
- /* DES_192_EDE3_CBC_WITH_MD5 */
- {
-Index: openssl-1.0.2d/ssl/ssl_conf.c
-===================================================================
---- openssl-1.0.2d.orig/ssl/ssl_conf.c
-+++ openssl-1.0.2d/ssl/ssl_conf.c
-@@ -330,11 +330,19 @@ static int cmd_Protocol(SSL_CONF_CTX *cc
- SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
- SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
- };
-+ int ret;
-+ int sslv2off;
-+
- if (!(cctx->flags & SSL_CONF_FLAG_FILE))
- return -2;
- cctx->tbl = ssl_protocol_list;
- cctx->ntbl = sizeof(ssl_protocol_list) / sizeof(ssl_flag_tbl);
-- return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
-+
-+ sslv2off = *cctx->poptions & SSL_OP_NO_SSLv2;
-+ ret = CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
-+ /* Never turn on SSLv2 through configuration */
-+ *cctx->poptions |= sslv2off;
-+ return ret;
- }
-
- static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
-Index: openssl-1.0.2d/ssl/ssl_lib.c
-===================================================================
---- openssl-1.0.2d.orig/ssl/ssl_lib.c
-+++ openssl-1.0.2d/ssl/ssl_lib.c
-@@ -2052,6 +2052,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- */
- ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
-
-+ /*
-+ * Disable SSLv2 by default, callers that want to enable SSLv2 will have to
-+ * explicitly clear this option via either of SSL_CTX_clear_options() or
-+ * SSL_clear_options().
-+ */
-+ ret->options |= SSL_OP_NO_SSLv2;
-+
- return (ret);
- err:
- SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
-Index: openssl-1.0.2d/CHANGES
-===================================================================
---- openssl-1.0.2d.orig/CHANGES
-+++ openssl-1.0.2d/CHANGES
-@@ -2,6 +2,25 @@
- OpenSSL CHANGES
- _______________
-
-+
-+ * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
-+ is by default disabled at build-time. Builds that are not configured with
-+ "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
-+ users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
-+ will need to explicitly call either of:
-+
-+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
-+ or
-+ SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
-+
-+ as appropriate. Even if either of those is used, or the application
-+ explicitly uses the version-specific SSLv2_method() or its client and
-+ server variants, SSLv2 ciphers vulnerable to exhaustive search key
-+ recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
-+ ciphers, and SSLv2 56-bit DES are no longer available.
-+ [Viktor Dukhovni]
-+
-+
- Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
-
- *) Alternate chains certificate forgery
-Index: openssl-1.0.2d/NEWS
-===================================================================
---- openssl-1.0.2d.orig/NEWS
-+++ openssl-1.0.2d/NEWS
-@@ -1,6 +1,7 @@
-
- NEWS
- ====
-+ Disable SSLv2 default build, default negotiation and weak ciphers.
-
- This file gives a brief overview of the major changes between each OpenSSL
- release. For more details please read the CHANGES file. |