1 files changed, 0 insertions, 198 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
deleted file mode 100644
index e5635fec19..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
+++ /dev/null
@@ -1,198 +0,0 @@
-From 9dfd2be8a1761fffd152a92d8f1b356ad667eea7 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni <openssl-users@dukhovni.org>
-Date: Wed, 17 Feb 2016 21:07:48 -0500
-Subject: [PATCH] Disable SSLv2 default build, default negotiation and weak
- ciphers.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-SSLv2 is by default disabled at build-time.  Builds that are not
-configured with "enable-ssl2" will not support SSLv2.  Even if
-"enable-ssl2" is used, users who want to negotiate SSLv2 via the
-version-flexible SSLv23_method() will need to explicitly call either
-of:
-    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
-or
-    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
-as appropriate.  Even if either of those is used, or the application
-explicitly uses the version-specific SSLv2_method() or its client
-or server variants, SSLv2 ciphers vulnerable to exhaustive search
-key recovery have been removed.  Specifically, the SSLv2 40-bit
-EXPORT ciphers, and SSLv2 56-bit DES are no longer available.
-Mitigation for CVE-2016-0800
-Reviewed-by: Emilia Käsper <emilia@openssl.org>
-Upstream-Status: Backport
-https://git.openssl.org/?p=openssl.git;a=commit;h=9dfd2be8a1761fffd152a92d8f1b356ad667eea7
-CVE: CVE-2016-0800
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- CHANGES        | 17 +++++++++++++++++
- Configure      |  3 ++-
- NEWS           |  2 +-
- ssl/s2_lib.c   |  6 ++++++
- ssl/ssl_conf.c | 10 +++++++++-
- ssl/ssl_lib.c  |  7 +++++++
- 6 files changed, 42 insertions(+), 3 deletions(-)
-Index: openssl-1.0.2d/Configure
-===================================================================
--- openssl-1.0.2d.orig/Configure
-+++ openssl-1.0.2d/Configure
-@@ -847,9 +847,10 @@ my %disabled = ( # "what"         => "co
-                 "md2"            => "default",
-                 "rc5"            => "default",
-                 "rfc3779"        => "default",
-                "sctp"       => "default",
-+                "sctp"           => "default",
-                 "shared"         => "default",
-                 "ssl-trace"      => "default",
-+                "ssl2"           => "default",
-                 "store"          => "experimental",
-                 "unit-test"      => "default",
-                 "zlib"           => "default",
-Index: openssl-1.0.2d/ssl/s2_lib.c
-===================================================================
--- openssl-1.0.2d.orig/ssl/s2_lib.c
-+++ openssl-1.0.2d/ssl/s2_lib.c
-@@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
-      128,
-      },
- 
-+# if 0
- /* RC4_128_EXPORT40_WITH_MD5 */
-     {
-      1,
-@@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
-      40,
-      128,
-      },
-+# endif
- 
- /* RC2_128_CBC_WITH_MD5 */
-     {
-@@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
-      128,
-      },
- 
-+# if 0
- /* RC2_128_CBC_EXPORT40_WITH_MD5 */
-     {
-      1,
-@@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
-      40,
-      128,
-      },
-+# endif
- 
- # ifndef OPENSSL_NO_IDEA
- /* IDEA_128_CBC_WITH_MD5 */
-@@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
-      },
- # endif
- 
-+# if 0
- /* DES_64_CBC_WITH_MD5 */
-     {
-      1,
-@@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
-      56,
-      56,
-      },
-+# endif
- 
- /* DES_192_EDE3_CBC_WITH_MD5 */
-     {
-Index: openssl-1.0.2d/ssl/ssl_conf.c
-===================================================================
--- openssl-1.0.2d.orig/ssl/ssl_conf.c
-+++ openssl-1.0.2d/ssl/ssl_conf.c
-@@ -330,11 +330,19 @@ static int cmd_Protocol(SSL_CONF_CTX *cc
-         SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
-         SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
-     };
-+    int ret;
-+    int sslv2off;
-+
-     if (!(cctx->flags & SSL_CONF_FLAG_FILE))
-         return -2;
-     cctx->tbl = ssl_protocol_list;
-     cctx->ntbl = sizeof(ssl_protocol_list) / sizeof(ssl_flag_tbl);
-    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
-+
-+    sslv2off = *cctx->poptions & SSL_OP_NO_SSLv2;
-+    ret = CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
-+    /* Never turn on SSLv2 through configuration */
-+    *cctx->poptions |= sslv2off;
-+    return ret;
- }
- 
- static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
-Index: openssl-1.0.2d/ssl/ssl_lib.c
-===================================================================
--- openssl-1.0.2d.orig/ssl/ssl_lib.c
-+++ openssl-1.0.2d/ssl/ssl_lib.c
-@@ -2052,6 +2052,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
-      */
-     ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
- 
-+    /*
-+     * Disable SSLv2 by default, callers that want to enable SSLv2 will have to
-+     * explicitly clear this option via either of SSL_CTX_clear_options() or
-+     * SSL_clear_options().
-+     */
-+    ret->options |= SSL_OP_NO_SSLv2;
-+
-     return (ret);
-  err:
-     SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
-Index: openssl-1.0.2d/CHANGES
-===================================================================
--- openssl-1.0.2d.orig/CHANGES
-+++ openssl-1.0.2d/CHANGES
-@@ -2,6 +2,25 @@
-  OpenSSL CHANGES
-  _______________
- 
-+ 
-+  * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
-+    is by default disabled at build-time.  Builds that are not configured with
-+    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
-+    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
-+    will need to explicitly call either of:
-+
-+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
-+    or
-+        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
-+
-+    as appropriate.  Even if either of those is used, or the application
-+    explicitly uses the version-specific SSLv2_method() or its client and
-+    server variants, SSLv2 ciphers vulnerable to exhaustive search key
-+    recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
-+    ciphers, and SSLv2 56-bit DES are no longer available.
-+    [Viktor Dukhovni]
-+    
-+
-  Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
- 
-   *) Alternate chains certificate forgery
-Index: openssl-1.0.2d/NEWS
-===================================================================
--- openssl-1.0.2d.orig/NEWS
-+++ openssl-1.0.2d/NEWS
-@@ -1,6 +1,7 @@
- 
-   NEWS
-   ====
-+  Disable SSLv2 default build, default negotiation and weak ciphers.
- 
-   This file gives a brief overview of the major changes between each OpenSSL
-   release. For more details please read the CHANGES file.

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch deleted file mode 100644 index e5635fec19..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch +++ /dev/null
@@ -1,198 +0,0 @@
1	From 9dfd2be8a1761fffd152a92d8f1b356ad667eea7 Mon Sep 17 00:00:00 2001
2	From: Viktor Dukhovni <openssl-users@dukhovni.org>
3	Date: Wed, 17 Feb 2016 21:07:48 -0500
4	Subject: [PATCH] Disable SSLv2 default build, default negotiation and weak
5	ciphers.
6	MIME-Version: 1.0
7	Content-Type: text/plain; charset=UTF-8
8	Content-Transfer-Encoding: 8bit
9
10	SSLv2 is by default disabled at build-time. Builds that are not
11	configured with "enable-ssl2" will not support SSLv2. Even if
12	"enable-ssl2" is used, users who want to negotiate SSLv2 via the
13	version-flexible SSLv23_method() will need to explicitly call either
14	of:
15
16	SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
17	or
18	SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
19
20	as appropriate. Even if either of those is used, or the application
21	explicitly uses the version-specific SSLv2_method() or its client
22	or server variants, SSLv2 ciphers vulnerable to exhaustive search
23	key recovery have been removed. Specifically, the SSLv2 40-bit
24	EXPORT ciphers, and SSLv2 56-bit DES are no longer available.
25
26	Mitigation for CVE-2016-0800
27
28	Reviewed-by: Emilia Käsper <emilia@openssl.org>
29
30	Upstream-Status: Backport
31
32	https://git.openssl.org/?p=openssl.git;a=commit;h=9dfd2be8a1761fffd152a92d8f1b356ad667eea7
33
34	CVE: CVE-2016-0800
35	Signed-off-by: Armin Kuster <akuster@mvista.com>
36
37	---
38	CHANGES \| 17 +++++++++++++++++
39	Configure \| 3 ++-
40	NEWS \| 2 +-
41	ssl/s2_lib.c \| 6 ++++++
42	ssl/ssl_conf.c \| 10 +++++++++-
43	ssl/ssl_lib.c \| 7 +++++++
44	6 files changed, 42 insertions(+), 3 deletions(-)
45
46	Index: openssl-1.0.2d/Configure
47	===================================================================
48	--- openssl-1.0.2d.orig/Configure
49	+++ openssl-1.0.2d/Configure
50	@@ -847,9 +847,10 @@ my %disabled = ( # "what" => "co
51	"md2" => "default",
52	"rc5" => "default",
53	"rfc3779" => "default",
54	- "sctp" => "default",
55	+ "sctp" => "default",
56	"shared" => "default",
57	"ssl-trace" => "default",
58	+ "ssl2" => "default",
59	"store" => "experimental",
60	"unit-test" => "default",
61	"zlib" => "default",
62	Index: openssl-1.0.2d/ssl/s2_lib.c
63	===================================================================
64	--- openssl-1.0.2d.orig/ssl/s2_lib.c
65	+++ openssl-1.0.2d/ssl/s2_lib.c
66	@@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
67	128,
68	},
69
70	+# if 0
71	/* RC4_128_EXPORT40_WITH_MD5 */
72	{
73	1,
74	@@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
75	40,
76	128,
77	},
78	+# endif
79
80	/* RC2_128_CBC_WITH_MD5 */
81	{
82	@@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
83	128,
84	},
85
86	+# if 0
87	/* RC2_128_CBC_EXPORT40_WITH_MD5 */
88	{
89	1,
90	@@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
91	40,
92	128,
93	},
94	+# endif
95
96	# ifndef OPENSSL_NO_IDEA
97	/* IDEA_128_CBC_WITH_MD5 */
98	@@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
99	},
100	# endif
101
102	+# if 0
103	/* DES_64_CBC_WITH_MD5 */
104	{
105	1,
106	@@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
107	56,
108	56,
109	},
110	+# endif
111
112	/* DES_192_EDE3_CBC_WITH_MD5 */
113	{
114	Index: openssl-1.0.2d/ssl/ssl_conf.c
115	===================================================================
116	--- openssl-1.0.2d.orig/ssl/ssl_conf.c
117	+++ openssl-1.0.2d/ssl/ssl_conf.c
118	@@ -330,11 +330,19 @@ static int cmd_Protocol(SSL_CONF_CTX *cc
119	SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
120	SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
121	};
122	+ int ret;
123	+ int sslv2off;
124	+
125	if (!(cctx->flags & SSL_CONF_FLAG_FILE))
126	return -2;
127	cctx->tbl = ssl_protocol_list;
128	cctx->ntbl = sizeof(ssl_protocol_list) / sizeof(ssl_flag_tbl);
129	- return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
130	+
131	+ sslv2off = *cctx->poptions & SSL_OP_NO_SSLv2;
132	+ ret = CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
133	+ /* Never turn on SSLv2 through configuration */
134	+ *cctx->poptions \|= sslv2off;
135	+ return ret;
136	}
137
138	static int cmd_Options(SSL_CONF_CTX cctx, const char value)
139	Index: openssl-1.0.2d/ssl/ssl_lib.c
140	===================================================================
141	--- openssl-1.0.2d.orig/ssl/ssl_lib.c
142	+++ openssl-1.0.2d/ssl/ssl_lib.c
143	@@ -2052,6 +2052,13 @@ SSL_CTX SSL_CTX_new(const SSL_METHOD m
144	*/
145	ret->options \|= SSL_OP_LEGACY_SERVER_CONNECT;
146
147	+ /*
148	+ * Disable SSLv2 by default, callers that want to enable SSLv2 will have to
149	+ * explicitly clear this option via either of SSL_CTX_clear_options() or
150	+ * SSL_clear_options().
151	+ */
152	+ ret->options \|= SSL_OP_NO_SSLv2;
153	+
154	return (ret);
155	err:
156	SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
157	Index: openssl-1.0.2d/CHANGES
158	===================================================================
159	--- openssl-1.0.2d.orig/CHANGES
160	+++ openssl-1.0.2d/CHANGES
161	@@ -2,6 +2,25 @@
162	OpenSSL CHANGES
163	_______________
164
165	+
166	+ * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
167	+ is by default disabled at build-time. Builds that are not configured with
168	+ "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
169	+ users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
170	+ will need to explicitly call either of:
171	+
172	+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
173	+ or
174	+ SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
175	+
176	+ as appropriate. Even if either of those is used, or the application
177	+ explicitly uses the version-specific SSLv2_method() or its client and
178	+ server variants, SSLv2 ciphers vulnerable to exhaustive search key
179	+ recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
180	+ ciphers, and SSLv2 56-bit DES are no longer available.
181	+ [Viktor Dukhovni]
182	+
183	+
184	Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
185
186	*) Alternate chains certificate forgery
187	Index: openssl-1.0.2d/NEWS
188	===================================================================
189	--- openssl-1.0.2d.orig/NEWS
190	+++ openssl-1.0.2d/NEWS
191	@@ -1,6 +1,7 @@
192
193	NEWS
194	====
195	+ Disable SSLv2 default build, default negotiation and weak ciphers.
196
197	This file gives a brief overview of the major changes between each OpenSSL
198	release. For more details please read the CHANGES file.