File 0005-client-reject-handshakes-with-DH-parameters-1024-bits.patch of Package compat-openssl098.11471
From 63830384e90d9b36d2793d4891501ec024827433 Mon Sep 17 00:00:00 2001
From: Emilia Kasper <emilia@openssl.org>
Date: Tue, 19 May 2015 12:05:22 +0200
Subject: [PATCH 5/5] client: reject handshakes with DH parameters < 1024 bits.
Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
---
CHANGES | 3 ++-
ssl/s3_clnt.c | 22 ++++++++++++++++------
ssl/ssl.h | 1 +
ssl/ssl_err.c | 1 +
4 files changed, 20 insertions(+), 7 deletions(-)
Index: openssl-0.9.8j/ssl/s3_clnt.c
===================================================================
--- openssl-0.9.8j.orig/ssl/s3_clnt.c 2015-06-15 15:13:20.677538365 +0200
+++ openssl-0.9.8j/ssl/s3_clnt.c 2015-06-15 15:17:31.527564646 +0200
@@ -2678,25 +2678,33 @@ int ssl3_check_cert_and_algorithm(SSL *s
}
#endif
#ifndef OPENSSL_NO_DH
- if ((algs & SSL_kEDH) &&
- !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
- {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
+ if ((algs & SSL_kEDH) && dh == NULL) {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
goto f_err;
- }
- else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
+ }
+ if ((algs & SSL_kDHr) && !has_bits(i, EVP_PK_DH | EVP_PKS_RSA))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
goto f_err;
}
#ifndef OPENSSL_NO_DSA
- else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
+ if ((algs & SSL_kDHd) && !has_bits(i, EVP_PK_DH | EVP_PKS_DSA))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
goto f_err;
}
#endif
-#endif
+
+ /* Check DHE only: static DH not implemented. */
+ if (algs & SSL_kEDH) {
+ int dh_size = BN_num_bits(dh->p);
+ if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 1024)
+ || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
+ goto f_err;
+ }
+ }
+#endif /* !OPENSSL_NO_DH */
if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
{
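Review bot: The export branch of the new DHE size check (`SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512`) still lets the client finish a handshake over a 512-bit group, and nothing in the code says this floor is a compatibility concession rather than a safe minimum. I would fold the two bare literals into one named threshold, `int min_bits = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) ? 512 : 1024;` followed by `if (dh_size < min_bits) {`, and add a comment such as `/* 512 is kept only for export suites and is not a security margin; disable export ciphers where possible */`. The `dh->p` dereference is safe only because the earlier `(algs & SSL_kEDH) && dh == NULL` test jumps to `f_err` first, so a one-line comment recording that dependency would keep a later reorder from introducing a NULL dereference. The check measures only the bit length of p and does not validate the group itself, which the comment should also state. `ssl3_check_cert_and_algorithm` starts and ends outside this hunk.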
Index: openssl-0.9.8j/ssl/ssl.h
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl.h 2015-06-15 15:13:19.519524382 +0200
+++ openssl-0.9.8j/ssl/ssl.h 2015-06-15 15:13:20.678538377 +0200
@@ -1918,6 +1918,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_DATA_LENGTH_TOO_LONG 146
#define SSL_R_DECRYPTION_FAILED 147
#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
+#define SSL_R_DH_KEY_TOO_SMALL 372
#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
#define SSL_R_DIGEST_CHECK_FAILED 149
#define SSL_R_DUPLICATE_COMPRESSION_ID 309
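Review bot: The new reason code `SSL_R_DH_KEY_TOO_SMALL 372` is added by hand, and this hunk cannot show whether 372 is already used by another `SSL_R_*` constant in this patched 0.9.8j tree. The neighbouring values are not sequential (281 sits between 147 and 148), so position gives no hint. A duplicate value would make a rejected weak-DH handshake report the wrong reason string through the matching `ERR_REASON` entry in ssl/ssl_err.c, so confirm uniqueness across the whole header before merging. If the number was taken from upstream, a trailing comment such as `/* backported; value matches upstream */` would record that.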
Index: openssl-0.9.8j/ssl/ssl_err.c
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl_err.c 2015-06-15 15:13:19.520524394 +0200
+++ openssl-0.9.8j/ssl/ssl_err.c 2015-06-15 15:13:20.678538377 +0200
@@ -323,6 +323,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
{ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
{ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
+{ERR_REASON(SSL_R_DH_KEY_TOO_SMALL), "dh key too small"},
{ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
{ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"},
{ERR_REASON(SSL_R_DUPLICATE_COMPRESSION_ID),"duplicate compression id"},