[openssl] OpenSSL_1_1_1-stable update

Wed Jun 17 16:38:34 UTC 2020

The branch OpenSSL_1_1_1-stable has been updated
       via  e705b920bf9a6737b5abcb57ca14824959e1e630 (commit)
      from  4151e303a488c53613f7b8c6eae4372759d7fa35 (commit)


- Log -----------------------------------------------------------------
commit e705b920bf9a6737b5abcb57ca14824959e1e630
Author: Hubert Kario <hkario at redhat.com>
Date:   Fri Jun 5 20:21:55 2020 +0200

    use safe primes in ssl_get_auto_dh()
    
    DH_get_1024_160() and DH_get_2048_224() return parameters from
    RFC5114. Those parameters include primes with known small subgroups,
    making them unsafe. Change the code to use parameters from
    RFC 2409 and RFC 3526 instead (group 2 and 14 respectively).
    
    This patch also adds automatic selection of 4096 bit params for 4096 bit
    RSA keys
    
    backport of 7646610
    
    Signed-off-by: Hubert Kario <hkario at redhat.com>
    
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12160)

-----------------------------------------------------------------------

Summary of changes:
 ssl/t1_lib.c | 74 +++++++++++++++++++++++++++++++-----------------------------
 1 file changed, 38 insertions(+), 36 deletions(-)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 76b4baa388..48d46f8a48 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2439,46 +2439,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
 #ifndef OPENSSL_NO_DH
 DH *ssl_get_auto_dh(SSL *s)
 {
+    DH *dhp = NULL;
+    BIGNUM *p = NULL, *g = NULL;
     int dh_secbits = 80;
-    if (s->cert->dh_tmp_auto == 2)
-        return DH_get_1024_160();
-    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
-        if (s->s3->tmp.new_cipher->strength_bits == 256)
-            dh_secbits = 128;
-        else
-            dh_secbits = 80;
-    } else {
-        if (s->s3->tmp.cert == NULL)
-            return NULL;
-        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+    if (s->cert->dh_tmp_auto != 2) {
+        if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
+            if (s->s3->tmp.new_cipher->strength_bits == 256)
+                dh_secbits = 128;
+            else
+                dh_secbits = 80;
+        } else {
+            if (s->s3->tmp.cert == NULL)
+                return NULL;
+            dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+        }
     }
 
-    if (dh_secbits >= 128) {
-        DH *dhp = DH_new();
-        BIGNUM *p, *g;
-        if (dhp == NULL)
-            return NULL;
-        g = BN_new();
-        if (g == NULL || !BN_set_word(g, 2)) {
-            DH_free(dhp);
-            BN_free(g);
-            return NULL;
-        }
-        if (dh_secbits >= 192)
-            p = BN_get_rfc3526_prime_8192(NULL);
-        else
-            p = BN_get_rfc3526_prime_3072(NULL);
-        if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
-            DH_free(dhp);
-            BN_free(p);
-            BN_free(g);
-            return NULL;
-        }
-        return dhp;
+    dhp = DH_new();
+    if (dhp == NULL)
+        return NULL;
+    g = BN_new();
+    if (g == NULL || !BN_set_word(g, 2)) {
+        DH_free(dhp);
+        BN_free(g);
+        return NULL;
+    }
+    if (dh_secbits >= 192)
+        p = BN_get_rfc3526_prime_8192(NULL);
+    else if (dh_secbits >= 152)
+        p = BN_get_rfc3526_prime_4096(NULL);
+    else if (dh_secbits >= 128)
+        p = BN_get_rfc3526_prime_3072(NULL);
+    else if (dh_secbits >= 112)
+        p = BN_get_rfc3526_prime_2048(NULL);
+    else
+        p = BN_get_rfc2409_prime_1024(NULL);
+    if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
+        DH_free(dhp);
+        BN_free(p);
+        BN_free(g);
+        return NULL;
     }
-    if (dh_secbits >= 112)
-        return DH_get_2048_224();
-    return DH_get_1024_160();
+    return dhp;
 }
 #endif
 
