Hi folks, I know the following patches will cause a controversy just like the issues they resolve caused me and several other people headaches when debugging them.
But first things first. The attached patches (intentionally) do the following two things: 1. Adjust the limit for maximum allowed size of a received public key to be increased from 516 bytes (just barely enough for 4 KBit RSA public keys) up to 8200 bytes (enough for 64KBit RSA keys with some minor margin) 2. Remove the crippling of the DH/DSA routines for working with at most 10kBit parameters. Find the patches attached to this mail. As the patches were originally submitted as part of Debian Bug #747453 [1] they are in Debian format suiteable for automatic application by the Debian tools. The patches apply (automatically) to the latest released OpenSSL 1.0.1 version. At the Debian BTS you can also find some of the previous discussion of those patches. The problems fixed by those patches surfaced for me in two different situations both being related in nature and both having in common that debugging was non-trivial due to no meaningful error messages being returned. The first issue affects OpenSSL clients connecting to server with DH parameters using a prime larger than 10kBit. While other libraries (GnuTLS and libNSS) handle this without problems OpenSSL simply barks and closes the connection. Debugging this issue required several hours of studying network dumps and circling around in the OpenSSL source without much success. The second issue took about 2 weeks of debugging eJabberd instances returning misleading error messages: Even though both eJabberd servers happily talked to each other in plain (before STARTTLSing to something secure) they failed with a "remote-host-not-found" error when mutually authenticating each other (both servers use properly signed 8KBit RSA keys as server certificates). The cause was finally found only by chance when the certificates where replaced by smaller keys for testing (Usage of 8KBit RSA is common with both server admins involed with this debugging session). Please find more details in the Debian BTS - or feel free to ask. The modifications (new boundaries) are open for discussion as long as the following conditions are met: - a security level of 256 Bit equivalent strength can be reached for the used certificate (which means ~16KBit RSA for Client Certs) OR - the limit can be adjusted by software and defaults to at least 192 bits of symmetric security. Looking forward to seeing those patches or a modification thereof in an upcoming release. Kind regards, Benny Baumann [1] https://bugs.debian.org/747453
Description: Increase the maximum size allowed for client/server certificate packages on the wire Author: Benny Baumann <be...@geshi.org> --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: <vendor|upstream|other>, <url of original patch> Bug: <url in upstream bugtracker> Bug-Debian: http://bugs.debian.org/<bugnumber> Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: <name and email of someone who approved the patch> Last-Update: <YYYY-MM-DD> --- openssl-1.0.1e.orig/ssl/s3_srvr.c +++ openssl-1.0.1e/ssl/s3_srvr.c @@ -2926,7 +2926,7 @@ int ssl3_get_cert_verify(SSL *s) SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B, -1, - 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ + 8200, /* Enough for 65536 bit RSA key with TLS v1.2 */ &ok); if (!ok) return((int)n);
Description: Remove DSA/DH keysize restrictions Author: Benny Baumann <be...@geshi.org> --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: <vendor|upstream|other>, <url of original patch> Bug: <url in upstream bugtracker> Bug-Debian: http://bugs.debian.org/<bugnumber> Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: <name and email of someone who approved the patch> Last-Update: <YYYY-MM-DD> --- openssl-1.0.1e.orig/crypto/dsa/dsa.h +++ openssl-1.0.1e/crypto/dsa/dsa.h @@ -84,10 +84,6 @@ #endif #endif -#ifndef OPENSSL_DSA_MAX_MODULUS_BITS -# define OPENSSL_DSA_MAX_MODULUS_BITS 10000 -#endif - #define DSA_FLAG_CACHE_MONT_P 0x01 #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA * implementation now uses constant time --- openssl-1.0.1e.orig/crypto/dsa/dsa_ossl.c +++ openssl-1.0.1e/crypto/dsa/dsa_ossl.c @@ -325,11 +325,6 @@ static int dsa_do_verify(const unsigned return -1; } - if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) - { - DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE); - return -1; - } BN_init(&u1); BN_init(&u2); BN_init(&t1);
signature.asc
Description: OpenPGP digital signature