Commit 63830384 authored by Emilia Kasper's avatar Emilia Kasper
Browse files

client: reject handshakes with DH parameters < 768 bits. 



Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.

Reviewed-by: default avatarKurt Roeckx <kurt@openssl.org>
parent ff4de7dd

CHANGES

+2 −1
Original line number Diff line number Diff line
@@ -4,7 +4,8 @@ 


 Changes between 1.0.1m and 1.0.1n [xx XXX xxxx]



  *)

  *) Reject DH handshakes with parameters shorter than 768 bits.

     [Kurt Roeckx and Emilia Kasper]



 Changes between 1.0.1l and 1.0.1m [19 Mar 2015]

ssl/s3_clnt.c

+16 −6
Original line number Diff line number Diff line
@@ -3295,23 +3295,33 @@ int ssl3_check_cert_and_algorithm(SSL *s) 
    }

#endif

#ifndef OPENSSL_NO_DH

    if ((alg_k & SSL_kEDH) &&

        !(has_bits(i, EVP_PK_DH | EVP_PKT_EXCH) || (dh != NULL))) {

        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_KEY);

    if ((alg_k & SSL_kEDH) && dh == NULL) {

        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);

        goto f_err;

    } else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH | EVP_PKS_RSA)) {

    }

    if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH | EVP_PKS_RSA)) {

        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,

               SSL_R_MISSING_DH_RSA_CERT);

        goto f_err;

    }

# ifndef OPENSSL_NO_DSA

    else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH | EVP_PKS_DSA)) {

    if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH | EVP_PKS_DSA)) {

        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,

               SSL_R_MISSING_DH_DSA_CERT);

        goto f_err;

    }

# endif

#endif



    /* Check DHE only: static DH not implemented. */

    if (alg_k & SSL_kEDH) {

        int dh_size = BN_num_bits(dh->p);

        if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)

            || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {

            SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);

            goto f_err;

        }

    }

#endif  /* !OPENSSL_NO_DH */



    if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {

#ifndef OPENSSL_NO_RSA

ssl/ssl.h

+1 −0
Original line number Diff line number Diff line
@@ -2524,6 +2524,7 @@ void ERR_load_SSL_strings(void); 
# define SSL_R_DATA_LENGTH_TOO_LONG                       146

# define SSL_R_DECRYPTION_FAILED                          147

# define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        281

# define SSL_R_DH_KEY_TOO_SMALL                           372

# define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG            148

# define SSL_R_DIGEST_CHECK_FAILED                        149

# define SSL_R_DTLS_MESSAGE_TOO_BIG                       334

ssl/ssl_err.c

+1 −0
Original line number Diff line number Diff line
@@ -441,6 +441,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { 
    {ERR_REASON(SSL_R_DECRYPTION_FAILED), "decryption failed"},

    {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),

     "decryption failed or bad record mac"},

    {ERR_REASON(SSL_R_DH_KEY_TOO_SMALL), "dh key too small"},

    {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),

     "dh public value length is wrong"},

    {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED), "digest check failed"},