Commit e95f5e03 authored by Rich Salz

SWEET32 (CVE-2016-2183): Move DES from HIGH to MEDIUM



Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 0fff5065)
parent 1bbe48ab
+3 −1
@@ -4,7 +4,9 @@

 Changes between 1.0.1t and 1.0.1u [xx XXX xxxx]

  *)
  *) In order to mitigate the SWEET32 attack (CVE-2016-2183),
     the DES ciphers were moved from HIGH to MEDIUM.
     [Rich Salz]

 Changes between 1.0.1s and 1.0.1t [3 May 2016]

+17 −17
@@ -334,7 +334,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -387,7 +387,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -439,7 +439,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -492,7 +492,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -544,7 +544,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -630,7 +630,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -717,7 +717,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -783,7 +783,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_MD5,
     SSL_SSLV3,
     SSL_NOT_EXP | SSL_HIGH,
     SSL_NOT_EXP | SSL_MEDIUM,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -1733,7 +1733,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_TLSV1,
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -2110,7 +2110,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_TLSV1,
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -2190,7 +2190,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_TLSV1,
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -2270,7 +2270,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_TLSV1,
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -2350,7 +2350,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_TLSV1,
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -2430,7 +2430,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_TLSV1,
     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -2480,7 +2480,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_TLSV1,
     SSL_NOT_EXP | SSL_HIGH,
     SSL_NOT_EXP | SSL_MEDIUM,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -2496,7 +2496,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_TLSV1,
     SSL_NOT_EXP | SSL_HIGH,
     SSL_NOT_EXP | SSL_MEDIUM,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
@@ -2512,7 +2512,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
     SSL_3DES,
     SSL_SHA1,
     SSL_TLSV1,
     SSL_NOT_EXP | SSL_HIGH,
     SSL_NOT_EXP | SSL_MEDIUM,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     112,
     168,
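Review bot: Across these seventeen `ssl3_ciphers[]` entries only the strength keyword changes from `SSL_HIGH` to `SSL_MEDIUM`, and only the two entries in the hunks at -630 and -2430 carry `SSL_NOT_DEFAULT`. The other fifteen 3DES suites therefore presumably stay in the default cipher list (its definition is not visible here) and remain negotiable by any application that does not set its own cipher string, or that sets one including `MEDIUM`. If that is intended for compatibility on this branch, the CHANGES entry should say that the default list is unchanged, so operators know they must exclude `3DES` explicitly to remove the SWEET32 exposure. A one-line comment at the first affected entry would also keep the rating from being "corrected" back later, since the 112/168 strength fields still look HIGH-grade: `/* 3DES rated MEDIUM, not HIGH: 64-bit block size (SWEET32, CVE-2016-2183) */`. The array begins and ends outside the hunks shown, so entries for other 64-bit block ciphers could not be checked from this page.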