Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch')
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch102
1 files changed, 0 insertions, 102 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch
deleted file mode 100644
index cf2d9a7b04..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 878e2c5b13010329c203f309ed0c8f2113f85648 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Mon, 18 Jan 2016 11:31:58 +0000
-Subject: [PATCH] Prevent small subgroup attacks on DH/DHE
-
-Historically OpenSSL only ever generated DH parameters based on "safe"
-primes. More recently (in version 1.0.2) support was provided for
-generating X9.42 style parameter files such as those required for RFC
-5114 support. The primes used in such files may not be "safe". Where an
-application is using DH configured with parameters based on primes that
-are not "safe" then an attacker could use this fact to find a peer's
-private DH exponent. This attack requires that the attacker complete
-multiple handshakes in which the peer uses the same DH exponent.
-
-A simple mitigation is to ensure that y^q (mod p) == 1
-
-CVE-2016-0701 (fix part 1 of 2)
-
-Issue reported by Antonio Sanso.
-
-Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-
-Upstream-Status: Backport
-
-https://github.com/openssl/openssl/commit/878e2c5b13010329c203f309ed0c8f2113f85648
-
-CVE: CVE-2016-0701
-Signed-of-by: Armin Kuster <akuster@mvisa.com>
-
----
- crypto/dh/dh.h | 1 +
- crypto/dh/dh_check.c | 35 +++++++++++++++++++++++++----------
- 2 files changed, 26 insertions(+), 10 deletions(-)
-
-diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h
-index b177673..5498a9d 100644
---- a/crypto/dh/dh.h
-+++ b/crypto/dh/dh.h
-@@ -174,6 +174,7 @@ struct dh_st {
- /* DH_check_pub_key error codes */
- # define DH_CHECK_PUBKEY_TOO_SMALL 0x01
- # define DH_CHECK_PUBKEY_TOO_LARGE 0x02
-+# define DH_CHECK_PUBKEY_INVALID 0x03
-
- /*
- * primes p where (p-1)/2 is prime too are called "safe"; we define this for
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index 347467c..5adedc0 100644
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
-@@ -151,23 +151,38 @@ int DH_check(const DH *dh, int *ret)
- int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
- {
- int ok = 0;
-- BIGNUM *q = NULL;
-+ BIGNUM *tmp = NULL;
-+ BN_CTX *ctx = NULL;
-
- *ret = 0;
-- q = BN_new();
-- if (q == NULL)
-+ ctx = BN_CTX_new();
-+ if (ctx == NULL)
- goto err;
-- BN_set_word(q, 1);
-- if (BN_cmp(pub_key, q) <= 0)
-+ BN_CTX_start(ctx);
-+ tmp = BN_CTX_get(ctx);
-+ if (tmp == NULL)
-+ goto err;
-+ BN_set_word(tmp, 1);
-+ if (BN_cmp(pub_key, tmp) <= 0)
- *ret |= DH_CHECK_PUBKEY_TOO_SMALL;
-- BN_copy(q, dh->p);
-- BN_sub_word(q, 1);
-- if (BN_cmp(pub_key, q) >= 0)
-+ BN_copy(tmp, dh->p);
-+ BN_sub_word(tmp, 1);
-+ if (BN_cmp(pub_key, tmp) >= 0)
- *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
-
-+ if (dh->q != NULL) {
-+ /* Check pub_key^q == 1 mod p */
-+ if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx))
-+ goto err;
-+ if (!BN_is_one(tmp))
-+ *ret |= DH_CHECK_PUBKEY_INVALID;
-+ }
-+
- ok = 1;
- err:
-- if (q != NULL)
-- BN_free(q);
-+ if (ctx != NULL) {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
- return (ok);
- }
---
-2.3.5
-