From: Hubert Kario Date: Fri, 5 Jun 2020 18:21:55 +0000 (+0200) Subject: use safe primes in ssl_get_auto_dh() X-Git-Tag: openssl-3.0.0-alpha4~148 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=7646610;p=oweals%2Fopenssl.git use safe primes in ssl_get_auto_dh() DH_get_1024_160() and DH_get_2048_224() return parameters from RFC5114. Those parameters include primes with known small subgroups, making them unsafe. Change the code to use parameters from RFC 2409 and RFC 3526 instead (group 2 and 14 respectively). This patch also adds automatic selection of 4096 bit params for 4096 bit RSA keys Signed-off-by: Hubert Kario Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12061) --- diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 68bd5f2611..89450943d1 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2646,46 +2646,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) #ifndef OPENSSL_NO_DH DH *ssl_get_auto_dh(SSL *s) { + DH *dhp; + BIGNUM *p, *g; int dh_secbits = 80; - if (s->cert->dh_tmp_auto == 2) - return DH_get_1024_160(); - if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { - if (s->s3.tmp.new_cipher->strength_bits == 256) - dh_secbits = 128; - else - dh_secbits = 80; - } else { - if (s->s3.tmp.cert == NULL) - return NULL; - dh_secbits = EVP_PKEY_security_bits(s->s3.tmp.cert->privatekey); + if (s->cert->dh_tmp_auto != 2) { + if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { + if (s->s3.tmp.new_cipher->strength_bits == 256) + dh_secbits = 128; + else + dh_secbits = 80; + } else { + if (s->s3.tmp.cert == NULL) + return NULL; + dh_secbits = EVP_PKEY_security_bits(s->s3.tmp.cert->privatekey); + } } - if (dh_secbits >= 128) { - DH *dhp = DH_new(); - BIGNUM *p, *g; - if (dhp == NULL) - return NULL; - g = BN_new(); - if (g == NULL || !BN_set_word(g, 2)) { - DH_free(dhp); - BN_free(g); - return NULL; - } - if (dh_secbits >= 192) - p = BN_get_rfc3526_prime_8192(NULL); - else - p = BN_get_rfc3526_prime_3072(NULL); - if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { - DH_free(dhp); - BN_free(p); - BN_free(g); - return NULL; - } - return dhp; + dhp = DH_new(); + if (dhp == NULL) + return NULL; + g = BN_new(); + if (g == NULL || !BN_set_word(g, 2)) { + DH_free(dhp); + BN_free(g); + return NULL; + } + if (dh_secbits >= 192) + p = BN_get_rfc3526_prime_8192(NULL); + else if (dh_secbits >= 152) + p = BN_get_rfc3526_prime_4096(NULL); + else if (dh_secbits >= 128) + p = BN_get_rfc3526_prime_3072(NULL); + else if (dh_secbits >= 112) + p = BN_get_rfc3526_prime_2048(NULL); + else + p = BN_get_rfc2409_prime_1024(NULL); + if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { + DH_free(dhp); + BN_free(p); + BN_free(g); + return NULL; } - if (dh_secbits >= 112) - return DH_get_2048_224(); - return DH_get_1024_160(); + return dhp; } #endif