This is a hard-coded patch that makes OpenSSL clients reject connections
that use DHE handshakes with < 1024 bits.
This patch has no compile-time or runtime configurability. If the
project wants something more nuanced, we need a discussion about what
the right form(s) of configurability should be.
Note that ssltest has also been changed to default to a 1024-bit
(instead of 512-bit) safe-prime DHE so that all tests pass.
---
ssl/s3_clnt.c | 5 +++++
ssl/ssl.h | 1 +
ssl/ssl_err.c | 3 ++-
ssl/ssltest.c | 13 +++++++++++--
4 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 9755a0f..7f0d14a 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2635,6 +2635,11 @@ int ssl3_send_client_key_exchange(SSL *s)
else
{
/* generate a new random key */
+ if (DH_size(dh_srvr) < 1024/8)
+ {
+
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_DH_WEAK_GROUP);
+ goto err;
+ }
if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
{
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
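Review bot: The guard `DH_size(dh_srvr) < 1024/8` compares byte counts, so it rounds the modulus length up: DH_size() reports the size of p in bytes, and a prime of 1017 to 1023 bits still occupies 128 bytes and is accepted. Comparing bits, `if (BN_num_bits(dh_srvr->p) < 1024)`, enforces the limit the description states, and a named constant in place of the literal 1024 would make the policy easier to find and raise later. Only the length of p is tested; nothing in the hunk validates the generator or that p is a safe prime, so the reason name "weak group" promises more than the check delivers. The new branch also jumps to `err` with no visible ssl3_send_alert() call, so the server probably sees a dropped connection rather than a handshake_failure alert; the `err` label and the rest of ssl3_send_client_key_exchange are outside the hunk, so this should be confirmed there.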
diff --git a/ssl/ssl.h b/ssl/ssl.h
index c6cd6a9..8bcd7ca 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2826,6 +2826,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_BAD_DH_G_LENGTH 108
#define SSL_R_BAD_DH_PUB_KEY_LENGTH 109
#define SSL_R_BAD_DH_P_LENGTH 110
+#define SSL_R_BAD_DH_WEAK_GROUP 394
#define SSL_R_BAD_DIGEST_LENGTH 111
#define SSL_R_BAD_DSA_SIGNATURE 112
#define SSL_R_BAD_ECC_CERT 304
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index e663483..24bc75c 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1,6 +1,6 @@
/* ssl/ssl_err.c */
/* ====================================================================
- * Copyright (c) 1999-2013 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -327,6 +327,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_BAD_DH_G_LENGTH) ,"bad dh g length"},
{ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) ,"bad dh pub key length"},
{ERR_REASON(SSL_R_BAD_DH_P_LENGTH) ,"bad dh p length"},
+{ERR_REASON(SSL_R_BAD_DH_WEAK_GROUP) ,"bad dh weak group"},
{ERR_REASON(SSL_R_BAD_DIGEST_LENGTH) ,"bad digest length"},
{ERR_REASON(SSL_R_BAD_DSA_SIGNATURE) ,"bad dsa signature"},
{ERR_REASON(SSL_R_BAD_ECC_CERT) ,"bad ecc cert"},
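Review bot: The reason text `"bad dh weak group"` is what reaches client error queues and logs, and it does not say that the failure is a modulus-length policy decision rather than a malformed parameter like the neighbouring "bad dh p length". Wording such as `"dh group too small"` would let an operator separate a policy rejection from a protocol error when triaging handshake failures. The value 394 assigned to SSL_R_BAD_DH_WEAK_GROUP in ssl/ssl.h cannot be checked for uniqueness from the lines shown, so it should be confirmed against the full reason list.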
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 64c6743..809abf3 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -870,7 +870,8 @@ static void sv_usage(void)
fprintf(stderr," -num <val> - number of connections to perform\n");
fprintf(stderr," -bytes <val> - number of bytes to swap between
client/server\n");
#ifndef OPENSSL_NO_DH
- fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for
DHE\n");
+ fprintf(stderr," -dhe512 - use 512 bit key (safe prime) for
DHE\n");
+ fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE
(default)\n");
fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit
subprime) for DHE\n");
fprintf(stderr," -no_dhe - disable DHE\n");
#endif
@@ -1079,7 +1080,7 @@ int main(int argc, char *argv[])
long bytes=256L;
#ifndef OPENSSL_NO_DH
DH *dh;
- int dhe1024 = 0, dhe1024dsa = 0;
+ int dhe1024 = 1, dhe1024dsa = 0;
#endif
#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh = NULL;
@@ -1164,6 +1165,14 @@ int main(int argc, char *argv[])
debug=1;
else if (strcmp(*argv,"-reuse") == 0)
reuse=1;
+ else if (strcmp(*argv,"-dhe512") == 0)
+ {
+#ifndef OPENSSL_NO_DH
+ dhe1024=0;
+#else
+ fprintf(stderr,"ignoring -dhe512, since I'm compiled
without DH\n");
+#endif
+ }
else if (strcmp(*argv,"-dhe1024") == 0)
{
#ifndef OPENSSL_NO_DH
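Review bot: Nothing in the ssltest changes exercises the new client-side rejection: `-dhe512` only restores the old 512-bit parameters, and the default was moved to 1024 bits so that the existing runs keep passing. A test run that passes `-dhe512` and expects the handshake to fail with SSL_R_BAD_DH_WEAK_GROUP would pin the check and catch a regression if the limit is later loosened or the guard is moved. With `dhe1024` now initialised to 1 in the earlier hunk, the `-dhe1024` option no longer changes anything, which is worth a short comment next to its handler. main() continues outside this hunk.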
--
1.9.0