Search
j0ke.net Open Build Service
>
Projects
>
home:netmax
:
monitoring
>
openssl1
> openssl-DH_fix_logjam.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File openssl-DH_fix_logjam.patch of Package openssl1
Index: openssl-1.0.1i/ssl/ssl_err.c =================================================================== --- openssl-1.0.1i.orig/ssl/ssl_err.c 2017-11-03 12:16:48.447870381 +0100 +++ openssl-1.0.1i/ssl/ssl_err.c 2017-11-03 12:16:48.559872195 +0100 @@ -113,6 +113,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_GET_SERVER_FINISHED), "GET_SERVER_FINISHED"}, {ERR_FUNC(SSL_F_GET_SERVER_HELLO), "GET_SERVER_HELLO"}, {ERR_FUNC(SSL_F_GET_SERVER_VERIFY), "GET_SERVER_VERIFY"}, +{ERR_FUNC(SSL_F_GET_SERVER_STATIC_DH_KEY), "GET_SERVER_STATIC_DH_KEY"}, {ERR_FUNC(SSL_F_I2D_SSL_SESSION), "i2d_SSL_SESSION"}, {ERR_FUNC(SSL_F_READ_N), "READ_N"}, {ERR_FUNC(SSL_F_REQUEST_CERTIFICATE), "REQUEST_CERTIFICATE"}, Index: openssl-1.0.1i/ssl/ssl.h =================================================================== --- openssl-1.0.1i.orig/ssl/ssl.h 2017-11-03 12:16:48.547872001 +0100 +++ openssl-1.0.1i/ssl/ssl.h 2017-11-03 12:16:48.559872195 +0100 @@ -2121,6 +2121,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_GET_CLIENT_MASTER_KEY 107 #define SSL_F_GET_SERVER_FINISHED 108 #define SSL_F_GET_SERVER_HELLO 109 +#define SSL_F_GET_SERVER_STATIC_DH_KEY 340 #define SSL_F_GET_SERVER_VERIFY 110 #define SSL_F_I2D_SSL_SESSION 111 #define SSL_F_READ_N 112 Index: openssl-1.0.1i/ssl/s3_clnt.c =================================================================== --- openssl-1.0.1i.orig/ssl/s3_clnt.c 2017-11-03 12:16:48.547872001 +0100 +++ openssl-1.0.1i/ssl/s3_clnt.c 2017-11-03 12:16:48.559872195 +0100 @@ -2284,6 +2284,24 @@ int ssl3_get_server_done(SSL *s) return(ret); } +#ifndef OPENSSL_NO_DH +static DH *get_server_static_dh_key(SESS_CERT *scert) +{ + DH *dh_srvr = NULL; + EVP_PKEY *spkey = NULL; + int idx = scert->peer_cert_type; + + if (idx >= 0) + spkey = X509_get_pubkey(scert->peer_pkeys[idx].x509); + if (spkey) { + dh_srvr = EVP_PKEY_get1_DH(spkey); + EVP_PKEY_free(spkey); + } + if (dh_srvr == NULL) + SSLerr(SSL_F_GET_SERVER_STATIC_DH_KEY, ERR_R_INTERNAL_ERROR); + return dh_srvr; +} +#endif int ssl3_send_client_key_exchange(SSL *s) { @@ -3358,9 +3376,19 @@ int ssl3_check_cert_and_algorithm(SSL *s } #endif - /* Check DHE only: static DH not implemented. */ - if (alg_k & SSL_kEDH) { - int dh_size = BN_num_bits(dh->p); + + if (alg_k & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) { + int dh_size; + if (alg_k & SSL_kEDH) { + dh_size = BN_num_bits(dh->p); + } else { + DH *dh_srvr = get_server_static_dh_key(sc); + if (dh_srvr == NULL) + goto f_err; + dh_size = BN_num_bits(dh_srvr->p); + DH_free(dh_srvr); + } + if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 1024) || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);