
Index: openssl-1.0.1i/ssl/ssl_err.c
===================================================================
--- openssl-1.0.1i.orig/ssl/ssl_err.c	2017-11-03 12:16:48.447870381 +0100
+++ openssl-1.0.1i/ssl/ssl_err.c	2017-11-03 12:16:48.559872195 +0100
@@ -113,6 +113,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_GET_SERVER_FINISHED),	"GET_SERVER_FINISHED"},
 {ERR_FUNC(SSL_F_GET_SERVER_HELLO),	"GET_SERVER_HELLO"},
 {ERR_FUNC(SSL_F_GET_SERVER_VERIFY),	"GET_SERVER_VERIFY"},
+{ERR_FUNC(SSL_F_GET_SERVER_STATIC_DH_KEY), "GET_SERVER_STATIC_DH_KEY"},
 {ERR_FUNC(SSL_F_I2D_SSL_SESSION),	"i2d_SSL_SESSION"},
 {ERR_FUNC(SSL_F_READ_N),	"READ_N"},
 {ERR_FUNC(SSL_F_REQUEST_CERTIFICATE),	"REQUEST_CERTIFICATE"},
Index: openssl-1.0.1i/ssl/ssl.h
===================================================================
--- openssl-1.0.1i.orig/ssl/ssl.h	2017-11-03 12:16:48.547872001 +0100
+++ openssl-1.0.1i/ssl/ssl.h	2017-11-03 12:16:48.559872195 +0100
@@ -2121,6 +2121,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_GET_CLIENT_MASTER_KEY			 107
 #define SSL_F_GET_SERVER_FINISHED			 108
 #define SSL_F_GET_SERVER_HELLO				 109
+#define SSL_F_GET_SERVER_STATIC_DH_KEY                   340
 #define SSL_F_GET_SERVER_VERIFY				 110
 #define SSL_F_I2D_SSL_SESSION				 111
 #define SSL_F_READ_N					 112
Index: openssl-1.0.1i/ssl/s3_clnt.c
===================================================================
--- openssl-1.0.1i.orig/ssl/s3_clnt.c	2017-11-03 12:16:48.547872001 +0100
+++ openssl-1.0.1i/ssl/s3_clnt.c	2017-11-03 12:16:48.559872195 +0100
@@ -2284,6 +2284,24 @@ int ssl3_get_server_done(SSL *s)
 	return(ret);
 	}
 
+#ifndef OPENSSL_NO_DH
+static DH *get_server_static_dh_key(SESS_CERT *scert)
+{
+    DH *dh_srvr = NULL;
+    EVP_PKEY *spkey = NULL;
+    int idx = scert->peer_cert_type;
+
+    if (idx >= 0)
+        spkey = X509_get_pubkey(scert->peer_pkeys[idx].x509);
+    if (spkey) {
+        dh_srvr = EVP_PKEY_get1_DH(spkey);
+        EVP_PKEY_free(spkey);
+    }
+    if (dh_srvr == NULL)
+        SSLerr(SSL_F_GET_SERVER_STATIC_DH_KEY, ERR_R_INTERNAL_ERROR);
+    return dh_srvr;
+}
+#endif
 
 int ssl3_send_client_key_exchange(SSL *s)
 	{
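Review bot: get_server_static_dh_key returns a new reference (EVP_PKEY_get1_DH increments the refcount, and the caller DH_free()s it) and reports every failure as ERR_R_INTERNAL_ERROR, but neither contract is stated at the definition; add a header comment above it such as `/* Return the DH public key carried in the server certificate (kDHr/kDHd suites). Caller owns the returned DH and must DH_free() it; NULL (ERR_R_INTERNAL_ERROR queued) if the cert holds no DH key. */`. The `idx >= 0` test only lower-bounds the index into peer_pkeys; it presumably relies on peer_cert_type having been set to an SSL_PKEY_* index (or -1) by ssl_cert_type() in ssl3_get_server_certificate, which is outside this hunk and worth confirming in this backport. Since a misbehaving server can present a certificate whose key type does not match the negotiated suite, ERR_R_INTERNAL_ERROR is a somewhat misleading code for what is a peer-side mismatch; if the certificate-type check earlier in ssl3_check_cert_and_algorithm guarantees a DH key by the time this is called, a one-line comment saying so would make that clear.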
@@ -3358,9 +3376,19 @@ int ssl3_check_cert_and_algorithm(SSL *s
 		}
 #endif
 
-    /* Check DHE only: static DH not implemented. */
-    if (alg_k & SSL_kEDH) {
-        int dh_size = BN_num_bits(dh->p);
+
+    if (alg_k & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) {
+        int dh_size;
+        if (alg_k & SSL_kEDH) {
+            dh_size = BN_num_bits(dh->p);
+        } else {
+            DH *dh_srvr = get_server_static_dh_key(sc);
+            if (dh_srvr == NULL)
+                goto f_err;
+            dh_size = BN_num_bits(dh_srvr->p);
+            DH_free(dh_srvr);
+        }
+
         if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 1024)
             || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
             SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
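Review bot: The 1024-bit / 512-bit thresholds and the newly added static-DH branch carry no explanation of why the check exists; a comment at the top of the block would help, e.g. `/* CVE-2015-4000 (Logjam): reject DH groups below 1024 bits (512 for export suites), whether the key is ephemeral (ServerKeyExchange) or static (server certificate). */`. In the SSL_kEDH branch `dh->p` is still dereferenced without a NULL test; that was already true of the removed line, and the guard is presumably the earlier SSL_R_MISSING_DH_KEY check in this function, which lies outside the hunk, so confirm that path cannot be reached with dh == NULL in this 1.0.1i tree. The `goto f_err` after a NULL from get_server_static_dh_key correctly relies on the helper having queued its own error, so no second SSLerr is needed there. ssl3_check_cert_and_algorithm's body begins and ends outside this hunk.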