use safe primes in ssl_get_auto_dh()

DH_get_1024_160() and DH_get_2048_224() return parameters from RFC5114. Those parameters include primes with known small subgroups, making them unsafe. Change the code to use parameters from RFC 2409 and RFC 3526 instead (group 2 and 14 respectively). This patch also adds automatic selection of 4096 bit params for 4096 bit RSA keys Signed-off-by: N Hubert Kario <hkario@redhat.com> Reviewed-by: N Kurt Roeckx <kurt@roeckx.be> Reviewed-by: N Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12061)

use safe primes in ssl_get_auto_dh()
DH_get_1024_160() and DH_get_2048_224() return parameters from RFC5114. Those parameters include primes with known small subgroups, making them unsafe. Change the code to use parameters from RFC 2409 and RFC 3526 instead (group 2 and 14 respectively). This patch also adds automatic selection of 4096 bit params for 4096 bit RSA keys Signed-off-by: N Hubert Kario <hkario@redhat.com> Reviewed-by: N Kurt Roeckx <kurt@roeckx.be> Reviewed-by: N Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12061)
7646610b · Hubert Kario · Tomas Mraz · 78215852 · 7646610b
显示空白变更内容
内联并排

Showing with 38 addition and 36 deletion

ssl/t1_lib.c ssl/t1_lib.c +38 -36

未找到文件。
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2646,9 +2646,10 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
 #ifndef OPENSSL_NO_DH
 DH *ssl_get_auto_dh(SSL *s)
 {
+    DH *dhp;
+    BIGNUM *p, *g;
    int dh_secbits = 80;
-    if (s->cert->dh_tmp_auto == 2)
-        return DH_get_1024_160();
+    if (s->cert->dh_tmp_auto != 2) {
        if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
            if (s->s3.tmp.new_cipher->strength_bits == 256)
                dh_secbits = 128;
@@ -2659,10 +2660,9 @@ DH *ssl_get_auto_dh(SSL *s)
                return NULL;
            dh_secbits = EVP_PKEY_security_bits(s->s3.tmp.cert->privatekey);
        }
+    }

-    if (dh_secbits >= 128) {
-        DH *dhp = DH_new();
-        BIGNUM *p, *g;
+    dhp = DH_new();
    if (dhp == NULL)
        return NULL;
    g = BN_new();
@@ -2673,8 +2673,14 @@ DH *ssl_get_auto_dh(SSL *s)
    }
    if (dh_secbits >= 192)
        p = BN_get_rfc3526_prime_8192(NULL);
-        else
+    else if (dh_secbits >= 152)
+        p = BN_get_rfc3526_prime_4096(NULL);
+    else if (dh_secbits >= 128)
        p = BN_get_rfc3526_prime_3072(NULL);
+    else if (dh_secbits >= 112)
+        p = BN_get_rfc3526_prime_2048(NULL);
+    else
+        p = BN_get_rfc2409_prime_1024(NULL);
    if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
        DH_free(dhp);
        BN_free(p);
@@ -2682,10 +2688,6 @@ DH *ssl_get_auto_dh(SSL *s)
        return NULL;
    }
    return dhp;
-    }
-    if (dh_secbits >= 112)
-        return DH_get_2048_224();
-    return DH_get_1024_160();
 }
 #endif