File 0005-client-reject-handshakes-with-DH-parameter... of Package openssl.openSUSE_13.1_Update

Overview Repositories Revisions Requests Users Attributes Meta

File 0005-client-reject-handshakes-with-DH-parameters-768-bits.patch of Package openssl.openSUSE_13.1_Update

From 63830384e90d9b36d2793d4891501ec024827433 Mon Sep 17 00:00:00 2001
From: Emilia Kasper <emilia@openssl.org>
Date: Tue, 19 May 2015 12:05:22 +0200
Subject: [PATCH 5/5] client: reject handshakes with DH parameters < 768 bits.

Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
---
 CHANGES       |  3 ++-
 ssl/s3_clnt.c | 22 ++++++++++++++++------
 ssl/ssl.h     |  1 +
 ssl/ssl_err.c |  1 +
 4 files changed, 20 insertions(+), 7 deletions(-)

Index: openssl-1.0.1k/CHANGES
===================================================================
--- openssl-1.0.1k.orig/CHANGES	2015-01-08 15:03:40.000000000 +0100
+++ openssl-1.0.1k/CHANGES	2015-06-12 14:41:15.091141190 +0200
@@ -183,6 +183,9 @@
 
      [Steve Henson]
 
+  *) Reject DH handshakes with parameters shorter than 768 bits.
+     [Kurt Roeckx and Emilia Kasper]
+
  Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
 
   *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
Index: openssl-1.0.1k/ssl/s3_clnt.c
===================================================================
--- openssl-1.0.1k.orig/ssl/s3_clnt.c	2015-06-12 14:35:09.321393147 +0200
+++ openssl-1.0.1k/ssl/s3_clnt.c	2015-06-12 14:41:15.092141203 +0200
@@ -3425,26 +3425,34 @@ int ssl3_check_cert_and_algorithm(SSL *s
 		}
 #endif
 #ifndef OPENSSL_NO_DH
-	if ((alg_k & SSL_kEDH) &&
-		!(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
-		{
-		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
+    if ((alg_k & SSL_kEDH) && dh == NULL) {
+        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
 		goto f_err;
-		}
-	else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
+    }
+    if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH | EVP_PKS_RSA))
 		{
 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
 		goto f_err;
 		}
 #ifndef OPENSSL_NO_DSA
-	else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
+    if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH | EVP_PKS_DSA))
 		{
 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
 		goto f_err;
 		}
 #endif
-#endif
 
+    /* Check DHE only: static DH not implemented. */
+    if (alg_k & SSL_kEDH) {
+        int dh_size = BN_num_bits(dh->p);
+        if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
+            || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
+            SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
+            goto f_err;
+        }
+    }
+#endif  /* !OPENSSL_NO_DH */
+ 
 	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
 		{
 #ifndef OPENSSL_NO_RSA
Index: openssl-1.0.1k/ssl/ssl.h
===================================================================
--- openssl-1.0.1k.orig/ssl/ssl.h	2015-06-12 14:35:09.320393134 +0200
+++ openssl-1.0.1k/ssl/ssl.h	2015-06-12 14:41:15.092141203 +0200
@@ -2383,6 +2383,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_DATA_LENGTH_TOO_LONG			 146
 #define SSL_R_DECRYPTION_FAILED				 147
 #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC	 281
+#define SSL_R_DH_KEY_TOO_SMALL                           372
 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG		 148
 #define SSL_R_DIGEST_CHECK_FAILED			 149
 #define SSL_R_DTLS_MESSAGE_TOO_BIG			 334
Index: openssl-1.0.1k/ssl/ssl_err.c
===================================================================
--- openssl-1.0.1k.orig/ssl/ssl_err.c	2015-06-12 14:35:09.321393147 +0200
+++ openssl-1.0.1k/ssl/ssl_err.c	2015-06-12 14:41:15.092141203 +0200
@@ -363,6 +363,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
 {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG)  ,"data length too long"},
 {ERR_REASON(SSL_R_DECRYPTION_FAILED)     ,"decryption failed"},
 {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
+{ERR_REASON(SSL_R_DH_KEY_TOO_SMALL), "dh key too small"},
 {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
 {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED)   ,"digest check failed"},
 {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG)  ,"dtls message too big"},

Places

File 0005-client-reject-handshakes-with-DH-parameters-768-bits.patch of Package openssl.openSUSE_13.1_Update

Places