| 1 |
vip-ire |
1.1 |
diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod |
| 2 |
|
|
--- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral 2014-08-08 11:54:24.000000000 +0200 |
| 3 |
|
|
+++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod 2015-02-03 10:26:12.735168700 +0100 |
| 4 |
|
|
@@ -151,15 +151,7 @@ temporary/ephemeral DH parameters are us |
| 5 |
|
|
|
| 6 |
|
|
=item SSL_OP_EPHEMERAL_RSA |
| 7 |
|
|
|
| 8 |
|
|
-Always use ephemeral (temporary) RSA key when doing RSA operations |
| 9 |
|
|
-(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>). |
| 10 |
|
|
-According to the specifications this is only done, when a RSA key |
| 11 |
|
|
-can only be used for signature operations (namely under export ciphers |
| 12 |
|
|
-with restricted RSA keylength). By setting this option, ephemeral |
| 13 |
|
|
-RSA keys are always used. This option breaks compatibility with the |
| 14 |
|
|
-SSL/TLS specifications and may lead to interoperability problems with |
| 15 |
|
|
-clients and should therefore never be used. Ciphers with EDH (ephemeral |
| 16 |
|
|
-Diffie-Hellman) key exchange should be used instead. |
| 17 |
|
|
+This option is no longer implemented and is treated as no op. |
| 18 |
|
|
|
| 19 |
|
|
=item SSL_OP_CIPHER_SERVER_PREFERENCE |
| 20 |
|
|
|
| 21 |
|
|
diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod |
| 22 |
|
|
--- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral 2006-12-06 10:12:28.000000000 +0100 |
| 23 |
|
|
+++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 2015-02-03 10:26:12.735168700 +0100 |
| 24 |
|
|
@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-H |
| 25 |
|
|
in order to achieve forward secrecy (see |
| 26 |
|
|
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). |
| 27 |
|
|
|
| 28 |
|
|
-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default |
| 29 |
|
|
-and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of |
| 30 |
|
|
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL |
| 31 |
|
|
-standard. When ephemeral RSA key exchange is required for export ciphers, |
| 32 |
|
|
-it will automatically be used without this option! |
| 33 |
|
|
- |
| 34 |
|
|
-An application may either directly specify the key or can supply the key via |
| 35 |
|
|
-a callback function. The callback approach has the advantage, that the |
| 36 |
|
|
-callback may generate the key only in case it is actually needed. As the |
| 37 |
|
|
-generation of a RSA key is however costly, it will lead to a significant |
| 38 |
|
|
-delay in the handshake procedure. Another advantage of the callback function |
| 39 |
|
|
-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA |
| 40 |
|
|
-usage) while the explicit setting of the key is only useful for key size of |
| 41 |
|
|
-512 bits to satisfy the export restricted ciphers and does give away key length |
| 42 |
|
|
-if a longer key would be allowed. |
| 43 |
|
|
+An application may either directly specify the key or can supply the key via a |
| 44 |
|
|
+callback function. The callback approach has the advantage, that the callback |
| 45 |
|
|
+may generate the key only in case it is actually needed. As the generation of a |
| 46 |
|
|
+RSA key is however costly, it will lead to a significant delay in the handshake |
| 47 |
|
|
+procedure. Another advantage of the callback function is that it can supply |
| 48 |
|
|
+keys of different size while the explicit setting of the key is only useful for |
| 49 |
|
|
+key size of 512 bits to satisfy the export restricted ciphers and does give |
| 50 |
|
|
+away key length if a longer key would be allowed. |
| 51 |
|
|
|
| 52 |
|
|
The B<tmp_rsa_callback> is called with the B<keylength> needed and |
| 53 |
|
|
the B<is_export> information. The B<is_export> flag is set, when the |
| 54 |
|
|
diff -up openssl-fips-0.9.8e/ssl/d1_srvr.c.rsa-ephemeral openssl-fips-0.9.8e/ssl/d1_srvr.c |
| 55 |
|
|
--- openssl-fips-0.9.8e/ssl/d1_srvr.c.rsa-ephemeral 2014-08-08 11:54:24.000000000 +0200 |
| 56 |
|
|
+++ openssl-fips-0.9.8e/ssl/d1_srvr.c 2015-02-03 10:26:12.738168768 +0100 |
| 57 |
|
|
@@ -323,23 +323,11 @@ int dtls1_accept(SSL *s) |
| 58 |
|
|
|
| 59 |
|
|
/* clear this, it may get reset by |
| 60 |
|
|
* send_server_key_exchange */ |
| 61 |
|
|
- if ((s->options & SSL_OP_EPHEMERAL_RSA) |
| 62 |
|
|
-#ifndef OPENSSL_NO_KRB5 |
| 63 |
|
|
- && !(l & SSL_KRB5) |
| 64 |
|
|
-#endif /* OPENSSL_NO_KRB5 */ |
| 65 |
|
|
- ) |
| 66 |
|
|
- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key |
| 67 |
|
|
- * even when forbidden by protocol specs |
| 68 |
|
|
- * (handshake may fail as clients are not required to |
| 69 |
|
|
- * be able to handle this) */ |
| 70 |
|
|
- s->s3->tmp.use_rsa_tmp=1; |
| 71 |
|
|
- else |
| 72 |
|
|
- s->s3->tmp.use_rsa_tmp=0; |
| 73 |
|
|
+ s->s3->tmp.use_rsa_tmp=0; |
| 74 |
|
|
|
| 75 |
|
|
/* only send if a DH key exchange, fortezza or |
| 76 |
|
|
* RSA but we have a sign only certificate */ |
| 77 |
|
|
- if (s->s3->tmp.use_rsa_tmp |
| 78 |
|
|
- || (l & (SSL_DH|SSL_kFZA)) |
| 79 |
|
|
+ if ((l & (SSL_DH|SSL_kFZA)) |
| 80 |
|
|
|| ((l & SSL_kRSA) |
| 81 |
|
|
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL |
| 82 |
|
|
|| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) |
| 83 |
|
|
diff -up openssl-fips-0.9.8e/ssl/ssl.h.rsa-ephemeral openssl-fips-0.9.8e/ssl/ssl.h |
| 84 |
|
|
--- openssl-fips-0.9.8e/ssl/ssl.h.rsa-ephemeral 2014-10-15 16:33:56.329898526 +0200 |
| 85 |
|
|
+++ openssl-fips-0.9.8e/ssl/ssl.h 2015-02-03 10:26:12.741168836 +0100 |
| 86 |
|
|
@@ -514,9 +514,8 @@ typedef struct ssl_session_st |
| 87 |
|
|
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L |
| 88 |
|
|
/* If set, always create a new key when using tmp_dh parameters */ |
| 89 |
|
|
#define SSL_OP_SINGLE_DH_USE 0x00100000L |
| 90 |
|
|
-/* Set to always use the tmp_rsa key when doing RSA operations, |
| 91 |
|
|
- * even when this violates protocol specs */ |
| 92 |
|
|
-#define SSL_OP_EPHEMERAL_RSA 0x00200000L |
| 93 |
|
|
+/* Does nothing: retained for compatibiity */ |
| 94 |
|
|
+#define SSL_OP_EPHEMERAL_RSA 0x0 |
| 95 |
|
|
/* Set on servers to choose the cipher according to the server's |
| 96 |
|
|
* preferences */ |
| 97 |
|
|
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L |
| 98 |
|
|
diff -up openssl-fips-0.9.8e/ssl/s3_clnt.c.rsa-ephemeral openssl-fips-0.9.8e/ssl/s3_clnt.c |
| 99 |
|
|
--- openssl-fips-0.9.8e/ssl/s3_clnt.c.rsa-ephemeral 2014-08-08 11:54:24.000000000 +0200 |
| 100 |
|
|
+++ openssl-fips-0.9.8e/ssl/s3_clnt.c 2015-02-03 10:27:12.018509441 +0100 |
| 101 |
|
|
@@ -1086,6 +1086,13 @@ int ssl3_get_key_exchange(SSL *s) |
| 102 |
|
|
#ifndef OPENSSL_NO_RSA |
| 103 |
|
|
if (alg & SSL_kRSA) |
| 104 |
|
|
{ |
| 105 |
|
|
+ /* Temporary RSA keys only allowed in export ciphersuites */ |
| 106 |
|
|
+ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) |
| 107 |
|
|
+ { |
| 108 |
|
|
+ al=SSL_AD_UNEXPECTED_MESSAGE; |
| 109 |
|
|
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); |
| 110 |
|
|
+ goto f_err; |
| 111 |
|
|
+ } |
| 112 |
|
|
if ((rsa=RSA_new()) == NULL) |
| 113 |
|
|
{ |
| 114 |
|
|
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); |
| 115 |
|
|
diff -up openssl-fips-0.9.8e/ssl/s3_srvr.c.rsa-ephemeral openssl-fips-0.9.8e/ssl/s3_srvr.c |
| 116 |
|
|
--- openssl-fips-0.9.8e/ssl/s3_srvr.c.rsa-ephemeral 2014-08-08 11:54:24.000000000 +0200 |
| 117 |
|
|
+++ openssl-fips-0.9.8e/ssl/s3_srvr.c 2015-02-03 10:26:12.740168813 +0100 |
| 118 |
|
|
@@ -332,18 +332,7 @@ int ssl3_accept(SSL *s) |
| 119 |
|
|
|
| 120 |
|
|
/* clear this, it may get reset by |
| 121 |
|
|
* send_server_key_exchange */ |
| 122 |
|
|
- if ((s->options & SSL_OP_EPHEMERAL_RSA) |
| 123 |
|
|
-#ifndef OPENSSL_NO_KRB5 |
| 124 |
|
|
- && !(l & SSL_KRB5) |
| 125 |
|
|
-#endif /* OPENSSL_NO_KRB5 */ |
| 126 |
|
|
- ) |
| 127 |
|
|
- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key |
| 128 |
|
|
- * even when forbidden by protocol specs |
| 129 |
|
|
- * (handshake may fail as clients are not required to |
| 130 |
|
|
- * be able to handle this) */ |
| 131 |
|
|
- s->s3->tmp.use_rsa_tmp=1; |
| 132 |
|
|
- else |
| 133 |
|
|
- s->s3->tmp.use_rsa_tmp=0; |
| 134 |
|
|
+ s->s3->tmp.use_rsa_tmp=0; |
| 135 |
|
|
|
| 136 |
|
|
|
| 137 |
|
|
/* only send if a DH key exchange, fortezza or |
| 138 |
|
|
@@ -355,8 +344,7 @@ int ssl3_accept(SSL *s) |
| 139 |
|
|
* server certificate contains the server's |
| 140 |
|
|
* public key for key exchange. |
| 141 |
|
|
*/ |
| 142 |
|
|
- if (s->s3->tmp.use_rsa_tmp |
| 143 |
|
|
- || (l & SSL_kECDHE) |
| 144 |
|
|
+ if ((l & SSL_kECDHE) |
| 145 |
|
|
|| (l & (SSL_DH|SSL_kFZA)) |
| 146 |
|
|
|| ((l & SSL_kRSA) |
| 147 |
|
|
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL |
Parent Directory
| 
Revision Log
| 
Revision Graph
