diff --git a/openssl-1.0.1k-cve-2015-4000.patch b/openssl-1.0.1k-cve-2015-4000.patch new file mode 100644 index 0000000..fe31fba --- /dev/null +++ b/openssl-1.0.1k-cve-2015-4000.patch 
@@ -0,0 +1,208 @@
+diff -up openssl-1.0.1k/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod.logjam openssl-1.0.1k/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
+--- openssl-1.0.1k/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod.logjam 2015-05-29 16:02:33.335187143 +0200
++++ openssl-1.0.1k/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod 2015-05-29 16:05:16.611940775 +0200
+@@ -61,12 +61,12 @@ negotiation is being saved.
+ 
+ If "strong" primes were used to generate the DH parameters, it is not strictly
+ necessary to generate a new key for each handshake but it does improve forward
+-secrecy. If it is not assured, that "strong" primes were used (see especially
+-the section about DSA parameters below), SSL_OP_SINGLE_DH_USE must be used
+-in order to prevent small subgroup attacks. Always using SSL_OP_SINGLE_DH_USE
+-has an impact on the computer time needed during negotiation, but it is not
+-very large, so application authors/users should consider to always enable
+-this option.
++secrecy. If it is not assured that "strong" primes were used,
++SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup
++attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the
++computer time needed during negotiation, but it is not very large, so
++application authors/users should consider always enabling this option.
++The option is required to implement perfect forward secrecy (PFS).
+ 
+ As generating DH parameters is extremely time consuming, an application
+ should not generate the parameters on the fly but supply the parameters.
+@@ -74,82 +74,62 @@ DH parameters can be reused, as the actu
+ the negotiation. The risk in reusing DH parameters is that an attacker
+ may specialize on a very often used DH group. Applications should therefore
+ generate their own DH parameters during the installation process using the
+-openssl L application. In order to reduce the computer
+-time needed for this generation, it is possible to use DSA parameters
+-instead (see L), but in this case SSL_OP_SINGLE_DH_USE
+-is mandatory.
++openssl L application. This application
++guarantees that "strong" primes are used.
+ 
+-Application authors may compile in DH parameters. Files dh512.pem,
+-dh1024.pem, dh2048.pem, and dh4096.pem in the 'apps' directory of current
++Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current
+ version of the OpenSSL distribution contain the 'SKIP' DH parameters,
+ which use safe primes and were generated verifiably pseudo-randomly.
+ These files can be converted into C code using the B<-C> option of the
+-L application.
+-Authors may also generate their own set of parameters using
+-L, but a user may not be sure how the parameters were
+-generated. The generation of DH parameters during installation is therefore
+-recommended.
++L application. Generation of custom DH
++parameters during installation should still be preferred to stop an
++attacker from specializing on a commonly used group. Files dh1024.pem
++and dh512.pem contain old parameters that must not be used by
++applications.
+ 
+ An application may either directly specify the DH parameters or
+-can supply the DH parameters via a callback function. The callback approach
+-has the advantage, that the callback may supply DH parameters for different
+-key lengths.
+-
+-The B is called with the B needed and
+-the B information. The B flag is set, when the
+-ephemeral DH key exchange is performed with an export cipher.
++can supply the DH parameters via a callback function.
++
++Previous versions of the callback used B and B
++parameters to control parameter generation for export and non-export
++cipher suites. Modern servers that do not support export ciphersuites
++are advised to either use SSL_CTX_set_tmp_dh() in combination with
++SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore
++B and B and simply supply at least 2048-bit
++parameters in the callback.
+ 
+ =head1 EXAMPLES
+ 
+-Handle DH parameters for key lengths of 512 and 1024 bits. (Error handling
++Setup DH parameters with a key length of 2048 bits. (Error handling
+ partly left out.)
+ 
+- ...
+- /* Set up ephemeral DH stuff */
+- DH *dh_512 = NULL;
+- DH *dh_1024 = NULL;
+- FILE *paramfile;
++ Command-line parameter generation:
++ $ openssl dhparam -out dh_param_2048.pem 2048
++
++ Code for setting up parameters during server initialization:
+ 
+ ...
+- /* "openssl dhparam -out dh_param_512.pem -2 512" */
+- paramfile = fopen("dh_param_512.pem", "r");
++ SSL_CTX ctx = SSL_CTX_new();
++ ...
++
++ /* Set up ephemeral DH parameters. */
++ DH *dh_2048 = NULL;
++ FILE *paramfile;
++ paramfile = fopen("dh_param_2048.pem", "r");
+ if (paramfile) {
+- dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
++ dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
+ fclose(paramfile);
++ } else {
++ /* Error. */
+ }
+- /* "openssl dhparam -out dh_param_1024.pem -2 1024" */
+- paramfile = fopen("dh_param_1024.pem", "r");
+- if (paramfile) {
+- dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
+- fclose(paramfile);
++ if (dh_2048 == NULL) {
++ /* Error. */
+ }
+- ...
+-
+- /* "openssl dhparam -C -2 512" etc... */
+- DH *get_dh512() { ... }
+- DH *get_dh1024() { ... }
+-
+- DH *tmp_dh_callback(SSL *s, int is_export, int keylength)
+- {
+- DH *dh_tmp=NULL;
+-
+- switch (keylength) {
+- case 512:
+- if (!dh_512)
+- dh_512 = get_dh512();
+- dh_tmp = dh_512;
+- break;
+- case 1024:
+- if (!dh_1024)
+- dh_1024 = get_dh1024();
+- dh_tmp = dh_1024;
+- break;
+- default:
+- /* Generating a key on the fly is very costly, so use what is there */
+- setup_dh_parameters_like_above();
++ if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) {
++ /* Error. */
+ }
+- return(dh_tmp);
+- }
++ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
++ ...
+ 
+ =head1 RETURN VALUES
+ 
+diff -up openssl-1.0.1k/ssl/ssl_err.c.logjam openssl-1.0.1k/ssl/ssl_err.c
+--- openssl-1.0.1k/ssl/ssl_err.c.logjam 2015-01-08 15:00:36.000000000 +0100
++++ openssl-1.0.1k/ssl/ssl_err.c 2015-05-29 16:02:33.336187166 +0200
+@@ -362,6 +362,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
+ {ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
+ {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
++{ERR_REASON(SSL_R_DH_KEY_TOO_SMALL) ,"dh key too small"},
+ {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
+ {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"},
+ {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) ,"dtls message too big"},
+diff -up openssl-1.0.1k/ssl/ssl.h.logjam openssl-1.0.1k/ssl/ssl.h
+--- openssl-1.0.1k/ssl/ssl.h.logjam 2015-05-29 16:02:19.210862433 +0200
++++ openssl-1.0.1k/ssl/ssl.h 2015-05-29 16:02:33.337187189 +0200
+@@ -2317,6 +2317,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_DATA_LENGTH_TOO_LONG 146
+ #define SSL_R_DECRYPTION_FAILED 147
+ #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
++#define SSL_R_DH_KEY_TOO_SMALL 372
+ #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
+ #define SSL_R_DIGEST_CHECK_FAILED 149
+ #define SSL_R_DTLS_MESSAGE_TOO_BIG 334
+diff -up openssl-1.0.1k/ssl/s3_clnt.c.logjam openssl-1.0.1k/ssl/s3_clnt.c
+--- openssl-1.0.1k/ssl/s3_clnt.c.logjam 2015-01-08 15:00:56.000000000 +0100
++++ openssl-1.0.1k/ssl/s3_clnt.c 2015-05-29 16:02:33.338187212 +0200
+@@ -3393,24 +3393,34 @@ int ssl3_check_cert_and_algorithm(SSL *s
+ }
+ #endif
+ #ifndef OPENSSL_NO_DH
+- if ((alg_k & SSL_kEDH) &&
+- !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
++ if ((alg_k & SSL_kEDH) && dh == NULL)
+ {
+- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
++ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
+- else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
++ if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
+ goto f_err;
+ }
+ #ifndef OPENSSL_NO_DSA
+- else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
++ if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
+ goto f_err;
+ }
+ #endif
++ /* Check DHE only: static DH not implemented. */
++ if (alg_k & SSL_kEDH)
++ {
++ int dh_size = BN_num_bits(dh->p);
++ if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
++ || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512))
++ {
++ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
++ goto f_err;
++ }
++ }
+ #endif
+ 
+ if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
diff --git a/openssl.spec b/openssl.spec
index 7573615..19b650a 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1k -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below.
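Review bot: The new `dh_size` check still lets a 512-bit group through whenever `SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)` is true, so a client that keeps DHE_EXPORT suites enabled is still served the small, precomputable groups Logjam targets; the check closes the downgrade case (a 512-bit group arriving under a non-export suite) but not the export path itself, which is worth stating in the comment, e.g. `/* Check DHE only: static DH not implemented. Export suites still accept 512-bit groups; they must be disabled for this floor to matter. */`. The `768` and `512` floors are bare literals, and since the changelog already says the limit will be raised, naming them, e.g. `#define SSL_DH_MIN_BITS 768` and `#define SSL_DH_MIN_BITS_EXPORT 512`, makes the future bump a one-line change and documents why two thresholds exist. `BN_num_bits(dh->p)` presumably relies on `dh->p` having been populated by the ServerKeyExchange parser — the `dh == NULL` guard above covers the object but not that member, so confirm the parser rejects a missing `p` before this point is reached. ssl3_check_cert_and_algorithm starts and ends outside the hunk.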
@@ -97,6 +97,7 @@ Patch104: openssl-1.0.1e-cve-2015-0288.patch Patch105: openssl-1.0.1k-cve-2015-0289.patch Patch106: openssl-1.0.1e-cve-2015-0293.patch Patch107: openssl-1.0.1k-alt-chains.patch +Patch108: openssl-1.0.1k-cve-2015-4000.patch License: OpenSSL Group: System Environment/Libraries @@ -227,6 +228,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch105 -p1 -b .pkcs7-null-deref %patch106 -p1 -b .ssl2-assert %patch107 -p1 -b .alt-chains +%patch108 -p1 -b .logjam sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -494,6 +496,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Fri May 29 2015 Tomáš Mráz 1.0.1k-9 +- fix CVE-2015-4000 - prevent the logjam attack on client - restrict + the DH key size to at least 768 bits (limit will be increased in future) + * Thu Apr 30 2015 Tomáš Mráz 1.0.1k-8 - try to find alternative cert chains (#1166614)