Lutz,

I created the enclosed patches for SSLeay-0.8.1 and 0.9.0 with help from
Eric Young, for a customer who needed to check for weak DES keys and
abort/retry the SSL connection if a weak key was chosen.  Since the main
impact is on the EVP layer, I thought you should take a close look at it.

I must confess I haven't read in detail the emails that you have been
exchanging with Steve H, but I'm sure you'll understand the impact of my
patches and will think up a good way to integrate them.

I also include a patch to the DES library, which has for years had an
incorrect list of weak keys!  This was posted before, and I haven't checked
whether it has been included, so you might want to ensure that it's in.

The EVP patches are provided in a SSLeay-0.8.1 version and an 0.9.0 one.
You might want to generalise the interface to allow for tests on other
algorithms - I just did DES because I wanted to minimise the impact on the
SSLeay code body. Our customers had spent a lot of money on a third-party
review of the source code and wanted to minimise re-inspection.

I use the EVP_CIPHER_CTX_weak_des_key() macro after SSL_connect succeeds,
by saying:

        if (EVP_CIPHER_CTX_weak_des_key(ssl->enc_read_ctx)
                >= EVP_DES_SOME_WEAK)
        {
                SSL_free(ssl);
                ssl = 0;
                SHUTDOWN(ssl_fd);
                ssl_fd = -1;
                continue;
        }

and in the server by just cleaning up the connection and exiting.

-- 
Clifford Heath                    http://www.osa.com.au/~cjh
Open Software Associates Limited       mailto:[EMAIL PROTECTED]
29 Ringwood Street / PO Box 4414       Phone  +613 9871 1694
Ringwood VIC 3134      AUSTRALIA       Fax    +613 9871 1711
------------------------------------------------------------
Deploying Solutions to the Enterprise

des.pat

evp.pat

evp090.pat
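The weak-key test described in the message does not have to depend on a hand-maintained key list. The C sketch below is an added example, not part of the enclosed patches or of SSLeay: it classifies a DES key from the structure of its key schedule (PC-1 halves that are constant or alternating), which covers the 4 weak and 12 semi-weak keys whatever the parity bits are. The names `des_classify_key`, `des_key_class` and the `DES_KEY_*` codes are hypothetical and do not correspond to the patch's macro or to `EVP_DES_SOME_WEAK`.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical result codes for this example (not the patch's EVP_DES_* values). */
enum des_key_class { DES_KEY_OK = 0, DES_KEY_SEMI_WEAK = 1, DES_KEY_WEAK = 2 };

/* FIPS 46-3 permuted choice 1: first 28 entries form C0, last 28 form D0.
 * Bits are numbered 1..64 from the MSB of key[0]; parity bits 8,16,... are absent. */
static const unsigned char PC1[56] = {
    57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
    10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
    14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4
};

/* Gather one 28-bit half of the key schedule state from the 8-byte key. */
static uint32_t pc1_half(const unsigned char key[8], int offset)
{
    uint32_t half = 0;
    for (int i = 0; i < 28; i++) {
        int bit = PC1[offset + i] - 1;
        half = (half << 1) | ((key[bit / 8] >> (7 - bit % 8)) & 1u);
    }
    return half;
}

/* 2 = constant half (all 0s or all 1s), 1 = alternating half, 0 = anything else. */
static int half_pattern(uint32_t h)
{
    if (h == 0x0000000u || h == 0xFFFFFFFu) return 2;
    if (h == 0x5555555u || h == 0xAAAAAAAu) return 1;
    return 0;
}

/* Constant halves give one subkey (weak); alternating halves give two (semi-weak). */
enum des_key_class des_classify_key(const unsigned char key[8])
{
    int c = half_pattern(pc1_half(key, 0));
    int d = half_pattern(pc1_half(key, 28));
    if (c == 2 && d == 2) return DES_KEY_WEAK;
    if (c != 0 && d != 0) return DES_KEY_SEMI_WEAK;
    return DES_KEY_OK;
}

int main(void)
{
    const unsigned char k[8] = {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE}; /* constructed sample */
    printf("class = %d\n", des_classify_key(k));
    return 0;
}
```

Because PC-1 discards the parity bits, a key with incorrect parity (for example all zero bytes) is classified the same as its parity-adjusted form.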
