author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2015-05-21 14:29:55 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2015-05-21 14:54:08 +0000 |
commit | 8f3cc602a63d46744a6b8bb89cc04d3d473791de (patch) | |
tree | a16ebe4b2c36552792c00aabcf4346d8d0545297 | |
parent | 9f558465dfb4452382efafef3028dbaef1526616 (diff) |
Increase minimum DH size to 1024 bits
Applying upstream fixes to boringssl and NSS, fixing the
weakdh/logjam issue.
See http://code.google.com/p/chromium/issues/detail?id=490240
Change-Id: I1dd186af57dbe616851b3394d9b7eb79eb215aca
Task-number: QTBUG-46261
Reviewed-by: Andras Becsi <andras.becsi@theqtcompany.com>
-rw-r--r-- | chromium/chrome/common/localized_error.cc | 2 | ||||
-rw-r--r-- | chromium/net/third_party/nss/README.chromium | 3 | ||||
-rwxr-xr-x | chromium/net/third_party/nss/patches/applypatches.sh | 2 | ||||
-rw-r--r-- | chromium/net/third_party/nss/ssl/ssl3con.c | 3 | ||||
-rw-r--r-- | chromium/third_party/boringssl/src/crypto/dh/dh.c | 2 | ||||
-rw-r--r-- | chromium/third_party/boringssl/src/include/openssl/dh.h | 4 | ||||
-rw-r--r-- | chromium/third_party/boringssl/src/ssl/s3_clnt.c | 2 |
7 files changed, 15 insertions, 3 deletions
diff --git a/chromium/chrome/common/localized_error.cc b/chromium/chrome/common/localized_error.cc
index 5e4be5720fa..ed2c56bf831 100644
--- a/chromium/chrome/common/localized_error.cc
+++ b/chromium/chrome/common/localized_error.cc
@@ -41,7 +41,7 @@ namespace {
 static const char kRedirectLoopLearnMoreUrl[] =
 "https://www.google.com/support/chrome/bin/answer.py?answer=95626";
 static const char kWeakDHKeyLearnMoreUrl[] =
- "http://sites.google.com/a/chromium.org/dev/"
+ "https://www.chromium.org/administrators/"
 "err_ssl_weak_server_ephemeral_dh_key";
 #if defined(OS_CHROMEOS)
 static const char kAppWarningLearnMoreUrl[] =
diff --git a/chromium/net/third_party/nss/README.chromium b/chromium/net/third_party/nss/README.chromium
index f2ead3cb04d..d77e5e182b4 100644
--- a/chromium/net/third_party/nss/README.chromium
+++ b/chromium/net/third_party/nss/README.chromium
@@ -113,6 +113,9 @@ Patches:
 patches/alpnserver.patch
 https://bugzilla.mozilla.org/show_bug.cgi?id=996250
+ * Increase the minimum DH group size to 1024
+ patches/dh1024.patch
+
 Apply the patches to NSS by running the patches/applypatches.sh script. Read the comments at the top of patches/applypatches.sh for instructions.
diff --git a/chromium/net/third_party/nss/patches/applypatches.sh b/chromium/net/third_party/nss/patches/applypatches.sh
index 878d40364bd..5855abaa381 100755
--- a/chromium/net/third_party/nss/patches/applypatches.sh
+++ b/chromium/net/third_party/nss/patches/applypatches.sh
@@ -55,3 +55,5 @@ patch -p5 < $patches_dir/alpnserver.patch
 patch -p4 < $patches_dir/removebuildmetadata.patch
+patch -p2 < $patches_dir/dh1024.patch
+
diff --git a/chromium/net/third_party/nss/ssl/ssl3con.c b/chromium/net/third_party/nss/ssl/ssl3con.c
index ffb757a9a9d..5a18a199d39 100644
--- a/chromium/net/third_party/nss/ssl/ssl3con.c
+++ b/chromium/net/third_party/nss/ssl/ssl3con.c
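Review bot: The new `patch -p2 < $patches_dir/dh1024.patch` step in applypatches.sh, and the matching README.chromium entry, reference `patches/dh1024.patch`, but the commit's file list shows seven changed files and that patch is not among them. Unless the file is already in the tree, re-running the script would fail at this step, and the record of what was changed in NSS would be incomplete, which makes the raised DH minimum easy to lose on the next NSS update. Add the patch file in the same commit, and give the README entry an upstream reference like the entries above it, for example a line `<upstream bug URL>` under `patches/dh1024.patch`.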
@@ -6924,7 +6924,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 if (rv != SECSuccess) {
 goto loser; /* malformed. */
 }
- if (dh_p.len < 512/8) {
+ if (dh_p.len < 1024/8 ||
+ (dh_p.len == 1024/8 && (dh_p.data[0] & 0x80) == 0)) {
 errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
 goto alert_loser;
 }
diff --git a/chromium/third_party/boringssl/src/crypto/dh/dh.c b/chromium/third_party/boringssl/src/crypto/dh/dh.c
index cee306b1458..9b581c48a3f 100644
--- a/chromium/third_party/boringssl/src/crypto/dh/dh.c
+++ b/chromium/third_party/boringssl/src/crypto/dh/dh.c
@@ -156,6 +156,8 @@ int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) {
 int DH_size(const DH *dh) { return BN_num_bytes(dh->p); }
+unsigned DH_num_bits(const DH *dh) { return BN_num_bits(dh->p); }
+
 int DH_up_ref(DH *r) {
 CRYPTO_add(&r->references, 1, CRYPTO_LOCK_DH);
 return 1;
diff --git a/chromium/third_party/boringssl/src/include/openssl/dh.h b/chromium/third_party/boringssl/src/include/openssl/dh.h
index 9d8bda2215d..0f6049636ca 100644
--- a/chromium/third_party/boringssl/src/include/openssl/dh.h
+++ b/chromium/third_party/boringssl/src/include/openssl/dh.h
@@ -136,6 +136,10 @@ OPENSSL_EXPORT int DH_compute_key(uint8_t *out, const BIGNUM *peers_key,
 /* DH_size returns the number of bytes in the DH group's prime. */
 OPENSSL_EXPORT int DH_size(const DH *dh);
+/* DH_num_bits returns the minimum number of bits needed to represent the
+ * absolute value of the DH group's prime. */
+OPENSSL_EXPORT unsigned DH_num_bits(const DH *dh);
+
 #define DH_CHECK_P_NOT_PRIME 0x01
 #define DH_CHECK_P_NOT_SAFE_PRIME 0x02
 #define DH_CHECK_UNABLE_TO_CHECK_GENERATOR 0x04
diff --git a/chromium/third_party/boringssl/src/ssl/s3_clnt.c b/chromium/third_party/boringssl/src/ssl/s3_clnt.c
index 8b052abec52..a45e6900836 100644
--- a/chromium/third_party/boringssl/src/ssl/s3_clnt.c
+++ b/chromium/third_party/boringssl/src/ssl/s3_clnt.c
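Review bot: In ssl3_HandleServerKeyExchange the new check measures `dh_p.len`, the byte length of the prime as received, and inspects only `dh_p.data[0]`, so unless the value is normalized earlier (not visible in the hunk) a prime encoded with leading zero bytes is counted as larger than it is and can satisfy the 1024-bit minimum. The BoringSSL side of this commit compares `DH_num_bits(dh)`, which counts significant bits, so the two stacks would not enforce the same limit. Skip leading zero bytes before comparing, and consider naming the 1024 constant so both checks stay aligned. The function body starts and ends outside the hunk; the counter declaration below would need to move to the top of its block if the file is built as C89.

```c
/* Count significant bytes only: the received encoding may carry leading zeros. */
unsigned int dh_p_skip = 0;
while (dh_p_skip < dh_p.len && dh_p.data[dh_p_skip] == 0) {
    dh_p_skip++;
}
if (dh_p.len - dh_p_skip < 1024/8 ||
    (dh_p.len - dh_p_skip == 1024/8 &&
     (dh_p.data[dh_p_skip] & 0x80) == 0)) {
    /* … unchanged: errCode assignment and goto alert_loser … */
```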
@@ -1326,7 +1326,7 @@ int ssl3_get_server_key_exchange(SSL *s)
 goto err;
 }
- if (DH_size(dh) < 512/8)
+ if (DH_num_bits(dh) < 1024) {
 {
 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_BAD_DH_P_LENGTH);
 goto err; |
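Review bot: The added line `if (DH_num_bits(dh) < 1024) {` ends with an opening brace, and the next context line is the block's existing `{`, so as shown the new side opens two blocks while the commit adds no closing brace (this file has one insertion and one deletion). That would leave ssl3_get_server_key_exchange with unbalanced braces, and the raised minimum would not build on the BoringSSL path. Drop the trailing brace to match the surrounding style: `if (DH_num_bits(dh) < 1024)`. The block's closing brace lies outside the hunk.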