openssl: 1.0.2d -> 1.0.2h (mainly for CVEs)

* CVEs: - CVE-2016-0705 - CVE-2016-0798 - CVE-2016-0797 - CVE-2016-0799 - CVE-2016-0702 - CVE-2016-0703 - CVE-2016-0704 - CVE-2016-2105 - CVE-2016-2106 - CVE-2016-2109 - CVE-2016-2176 * The LICENSE's checksum is changed because of date changes (2011 -> 2016), the contents are the same. * Remove backport patches - 0001-Add-test-for-CVE-2015-3194.patch - CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch - CVE-2015-3194-1-Add-PSS-parameter-check.patch - CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch - CVE-2015-3197.patch - CVE-2016-0701_1.patch - CVE-2016-0701_2.patch - CVE-2016-0800.patch - CVE-2016-0800_2.patch - CVE-2016-0800_3.patch * Update crypto_use_bigint_in_x86-64_perl.patch * Add version-script.patch and update block_diginotar.patch (From master branch) * Update openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch (From Armin) (From OE-Core master rev: bca156013af0a98cb18d8156626b9acc8f9883e3) (From OE-Core rev: 6ed7c8a9f82bc173ae0cc8b494af5a2c838f08fc) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Robert Yang <liezhi.yang@windriver.com> 2016-05-11 00:43:28 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-05-11 18:00:11 +0100
commit: 3cea047b6cc9e93308e5aebbacc74183438fae57 (patch)
tree: 0075f669416d5adb6da8b1b06f28aeafb6f32b68 /meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
parent: 8463c062909dba7367d56105cc56126ba971984e (diff)
download: poky-3cea047b6cc9e93308e5aebbacc74183438fae57.tar.gz
1 files changed, 0 insertions, 63 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
deleted file mode 100644
index dd288c93fb..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From d81a1600588b726c2bdccda7efad3cc7a87d6245 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni <openssl-users@dukhovni.org>
-Date: Wed, 30 Dec 2015 22:44:51 -0500
-Subject: [PATCH] Better SSLv2 cipher-suite enforcement
-Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com>
-CVE-2015-3197
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Upstream-Status: Backport
-https://github.com/openssl/openssl/commit/d81a1600588b726c2bdccda7efad3cc7a87d6245
-CVE: CVE-2015-3197
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- ssl/s2_srvr.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-Index: openssl-1.0.2d/ssl/s2_srvr.c
-===================================================================
--- openssl-1.0.2d.orig/ssl/s2_srvr.c
-+++ openssl-1.0.2d/ssl/s2_srvr.c
-@@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s)
-         }
- 
-         cp = ssl2_get_cipher_by_char(p);
-        if (cp == NULL) {
-+        if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
-             ssl2_return_error(s, SSL2_PE_NO_CIPHER);
-             SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
-             return (-1);
-@@ -687,8 +687,12 @@ static int get_client_hello(SSL *s)
-             prio = cs;
-             allow = cl;
-         }
-+
-+        /* Generate list of SSLv2 ciphers shared between client and server */
-         for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
-            if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
-+            const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
-+            if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
-+                sk_SSL_CIPHER_find(allow, cp) < 0) {
-                 (void)sk_SSL_CIPHER_delete(prio, z);
-                 z--;
-             }
-@@ -697,6 +701,13 @@ static int get_client_hello(SSL *s)
-             sk_SSL_CIPHER_free(s->session->ciphers);
-             s->session->ciphers = prio;
-         }
-+
-+        /* Make sure we have at least one cipher in common */
-+        if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
-+            ssl2_return_error(s, SSL2_PE_NO_CIPHER);
-+            SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
-+            return -1;
-+        }
-         /*
-          * s->session->ciphers should now have a list of ciphers that are on
-          * both the client and server. This list is ordered by the order the
author	Robert Yang <liezhi.yang@windriver.com>	2016-05-11 00:43:28 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-05-11 18:00:11 +0100
commit	3cea047b6cc9e93308e5aebbacc74183438fae57 (patch)
tree	0075f669416d5adb6da8b1b06f28aeafb6f32b68 /meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
parent	8463c062909dba7367d56105cc56126ba971984e (diff)
download	poky-3cea047b6cc9e93308e5aebbacc74183438fae57.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch deleted file mode 100644 index dd288c93fb..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch +++ /dev/null
@@ -1,63 +0,0 @@
1	From d81a1600588b726c2bdccda7efad3cc7a87d6245 Mon Sep 17 00:00:00 2001
2	From: Viktor Dukhovni <openssl-users@dukhovni.org>
3	Date: Wed, 30 Dec 2015 22:44:51 -0500
4	Subject: [PATCH] Better SSLv2 cipher-suite enforcement
5
6	Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com>
7
8	CVE-2015-3197
9
10	Reviewed-by: Tim Hudson <tjh@openssl.org>
11	Reviewed-by: Richard Levitte <levitte@openssl.org>
12
13	Upstream-Status: Backport
14	https://github.com/openssl/openssl/commit/d81a1600588b726c2bdccda7efad3cc7a87d6245
15
16	CVE: CVE-2015-3197
17	Signed-off-by: Armin Kuster <akuster@mvista.com>
18
19	---
20	ssl/s2_srvr.c \| 15 +++++++++++++--
21	1 file changed, 13 insertions(+), 2 deletions(-)
22
23	Index: openssl-1.0.2d/ssl/s2_srvr.c
24	===================================================================
25	--- openssl-1.0.2d.orig/ssl/s2_srvr.c
26	+++ openssl-1.0.2d/ssl/s2_srvr.c
27	@@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s)
28	}
29
30	cp = ssl2_get_cipher_by_char(p);
31	- if (cp == NULL) {
32	+ if (cp == NULL \|\| sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
33	ssl2_return_error(s, SSL2_PE_NO_CIPHER);
34	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
35	return (-1);
36	@@ -687,8 +687,12 @@ static int get_client_hello(SSL *s)
37	prio = cs;
38	allow = cl;
39	}
40	+
41	+ /* Generate list of SSLv2 ciphers shared between client and server */
42	for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
43	- if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
44	+ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
45	+ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 \|\|
46	+ sk_SSL_CIPHER_find(allow, cp) < 0) {
47	(void)sk_SSL_CIPHER_delete(prio, z);
48	z--;
49	}
50	@@ -697,6 +701,13 @@ static int get_client_hello(SSL *s)
51	sk_SSL_CIPHER_free(s->session->ciphers);
52	s->session->ciphers = prio;
53	}
54	+
55	+ /* Make sure we have at least one cipher in common */
56	+ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
57	+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
58	+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
59	+ return -1;
60	+ }
61	/*
62	* s->session->ciphers should now have a list of ciphers that are on
63	* both the client and server. This list is ordered by the order the