authorAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2015-05-21 14:09:44 +0200
committerAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2015-05-21 12:21:41 +0000
commit85973dd6b8b9bd9fea0a9b3e9441919d8da10974 (patch)
treef064f1f5b3af1b70f614a5ee039be9a688d082c6
parent140893bef70011645c686f5fabe45018dd2e392a (diff)
Increase minimum DH size to 1024 bitsv5.4.237.0.2062-based
Applying upstream fixes to openssl and NSS, fixing the weakdh/logjam issue. See http://code.google.com/p/chromium/issues/detail?id=490240 Change-Id: Ifc4ff53e52583e6214b0064d8f4d38373729e756 Task-number: QTBUG-46261 Reviewed-by: Andras Becsi <andras.becsi@theqtcompany.com>
-rw-r--r--chromium/chrome/common/localized_error.cc2
-rw-r--r--chromium/net/third_party/nss/README.chromium3
-rwxr-xr-xchromium/net/third_party/nss/patches/applypatches.sh2
-rw-r--r--chromium/net/third_party/nss/ssl/ssl3con.c3
-rw-r--r--chromium/third_party/openssl/openssl/include/openssl/ssl.h1
-rw-r--r--chromium/third_party/openssl/openssl/ssl/s3_clnt.c6
-rw-r--r--chromium/third_party/openssl/openssl/ssl/ssl.h1
-rw-r--r--chromium/third_party/openssl/openssl/ssl/ssl_err.c1
8 files changed, 17 insertions, 2 deletions
diff --git a/chromium/chrome/common/localized_error.cc b/chromium/chrome/common/localized_error.cc
index bbddc9e7028..03ae03f1f95 100644
--- a/chromium/chrome/common/localized_error.cc
+++ b/chromium/chrome/common/localized_error.cc
@@ -45,7 +45,7 @@ namespace {
static const char kRedirectLoopLearnMoreUrl[] =
"https://www.google.com/support/chrome/bin/answer.py?answer=95626";
static const char kWeakDHKeyLearnMoreUrl[] =
- "http://sites.google.com/a/chromium.org/dev/"
+ "https://www.chromium.org/administrators/"
"err_ssl_weak_server_ephemeral_dh_key";
#if defined(OS_CHROMEOS)
static const char kAppWarningLearnMoreUrl[] =
diff --git a/chromium/net/third_party/nss/README.chromium b/chromium/net/third_party/nss/README.chromium
index a1c53038b13..b3f98533c73 100644
--- a/chromium/net/third_party/nss/README.chromium
+++ b/chromium/net/third_party/nss/README.chromium
@@ -109,6 +109,9 @@ Patches:
patches/ignorechangecipherspec.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=1009227
+ * Increase the minimum DH group size to 1024
+ patches/dh1024.patch
+
Apply the patches to NSS by running the patches/applypatches.sh script. Read
the comments at the top of patches/applypatches.sh for instructions.
diff --git a/chromium/net/third_party/nss/patches/applypatches.sh b/chromium/net/third_party/nss/patches/applypatches.sh
index b5f9d30a197..f8c1f6c3edd 100755
--- a/chromium/net/third_party/nss/patches/applypatches.sh
+++ b/chromium/net/third_party/nss/patches/applypatches.sh
@@ -50,3 +50,5 @@ patch -p4 < $patches_dir/nssrwlock.patch
patch -p4 < $patches_dir/paddingextvalue.patch
patch -p4 < $patches_dir/reorderextensions.patch
+
+patch -p2 < $patches_dir/dh1024.patch
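Review bot: The added `patch -p2 < $patches_dir/dh1024.patch` step reads a file that is not among the eight files listed in this commit's diffstat. Unless patches/dh1024.patch already exists in the tree, the script will fail at this step and the ssl3con.c change cannot be reproduced from the documented patch set. The strip level also differs from the `-p4` used by the neighbouring patches, so it is worth confirming against the paths inside the patch file. Quoting the variable, `patch -p2 < "$patches_dir/dh1024.patch"`, would keep the step working when the checkout path contains spaces.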
diff --git a/chromium/net/third_party/nss/ssl/ssl3con.c b/chromium/net/third_party/nss/ssl/ssl3con.c
index 7ff7beacbc1..67fdfe1d28f 100644
--- a/chromium/net/third_party/nss/ssl/ssl3con.c
+++ b/chromium/net/third_party/nss/ssl/ssl3con.c
@@ -6922,7 +6922,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
if (rv != SECSuccess) {
goto loser; /* malformed. */
}
- if (dh_p.len < 512/8) {
+ if (dh_p.len < 1024/8 ||
+ (dh_p.len == 1024/8 && (dh_p.data[0] & 0x80) == 0)) {
errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
goto alert_loser;
}
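Review bot: The new test in ssl3_HandleServerKeyExchange measures the encoded length of dh_p and inspects the top bit only when that length is exactly 1024/8. A prime sent in a longer encoding with leading zero octets would therefore pass regardless of its real size, unless dh_p is normalised before this point, which the hunk does not show. Counting from the first non-zero octet makes the check depend on the significant bits of the prime rather than on how the server chose to encode it. A short comment stating that 1024 bits is the enforced minimum for the server's ephemeral DH prime would also help the next reader. The function body starts and ends outside the hunk.

```c
    /* … unchanged: dh_p consumed from the message, rv checked … */
    {
        unsigned int lead = 0;

        /* Leading zero octets add encoded length but no strength. */
        while (lead < dh_p.len && dh_p.data[lead] == 0)
            lead++;
        /* Require at least 1024 significant bits in the prime. */
        if (dh_p.len - lead < 1024/8 ||
            (dh_p.len - lead == 1024/8 && (dh_p.data[lead] & 0x80) == 0)) {
            errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
            goto alert_loser;
        }
    }
```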
diff --git a/chromium/third_party/openssl/openssl/include/openssl/ssl.h b/chromium/third_party/openssl/openssl/include/openssl/ssl.h
index 6743f3c0f11..5c87c603618 100644
--- a/chromium/third_party/openssl/openssl/include/openssl/ssl.h
+++ b/chromium/third_party/openssl/openssl/include/openssl/ssl.h
@@ -2663,6 +2663,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_UNSUPPORTED_SSL_VERSION 259
#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
#define SSL_R_USE_SRTP_NOT_NEGOTIATED 369
+#define SSL_R_WEAK_DH_GROUP 394
#define SSL_R_WRITE_BIO_NOT_SET 260
#define SSL_R_WRONG_CIPHER_RETURNED 261
#define SSL_R_WRONG_MESSAGE_TYPE 262
diff --git a/chromium/third_party/openssl/openssl/ssl/s3_clnt.c b/chromium/third_party/openssl/openssl/ssl/s3_clnt.c
index 448dbeaa70f..ecda12a3bf5 100644
--- a/chromium/third_party/openssl/openssl/ssl/s3_clnt.c
+++ b/chromium/third_party/openssl/openssl/ssl/s3_clnt.c
@@ -3347,6 +3347,12 @@ int ssl3_check_cert_and_algorithm(SSL *s)
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
goto f_err;
}
+ else if ((alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) &&
+ (dh == NULL || DH_size(dh)*8 < 1024))
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_WEAK_DH_GROUP);
+ goto f_err;
+ }
#ifndef OPENSSL_NO_DSA
else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
{
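Review bot: The added branch in ssl3_check_cert_and_algorithm compares `DH_size(dh)*8` with 1024, but DH_size reports whole bytes, so a prime of 1017 to 1023 bits rounds up to 128 bytes and passes. The NSS change in ssl3con.c in the same commit also checks the top bit, and comparing the bit length directly, `(dh == NULL || BN_num_bits(dh->p) < 1024)`, would make the two libraries enforce the same floor. The branch also fires for SSL_kDHr and SSL_kDHd whenever dh is NULL; if dh holds only the server's ephemeral parameters (its assignment is outside the hunk), fixed-DH suites would always fail here with a "weak dh group" reason that does not describe the cause. The function body starts and ends outside the hunk.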
diff --git a/chromium/third_party/openssl/openssl/ssl/ssl.h b/chromium/third_party/openssl/openssl/ssl/ssl.h
index 5faae95c1d5..1600a539b31 100644
--- a/chromium/third_party/openssl/openssl/ssl/ssl.h
+++ b/chromium/third_party/openssl/openssl/ssl/ssl.h
@@ -2663,6 +2663,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_UNSUPPORTED_SSL_VERSION 259
#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
#define SSL_R_USE_SRTP_NOT_NEGOTIATED 369
+#define SSL_R_WEAK_DH_GROUP 394
#define SSL_R_WRITE_BIO_NOT_SET 260
#define SSL_R_WRONG_CIPHER_RETURNED 261
#define SSL_R_WRONG_MESSAGE_TYPE 262
diff --git a/chromium/third_party/openssl/openssl/ssl/ssl_err.c b/chromium/third_party/openssl/openssl/ssl/ssl_err.c
index c29391ce0e2..98d9675cdee 100644
--- a/chromium/third_party/openssl/openssl/ssl/ssl_err.c
+++ b/chromium/third_party/openssl/openssl/ssl/ssl_err.c
@@ -596,6 +596,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
{ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),"unsupported status type"},
{ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED),"use srtp not negotiated"},
+{ERR_REASON(SSL_R_WEAK_DH_GROUP) ,"weak dh group"},
{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"},
{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) ,"wrong message type"},