authorMiod Vallat <miod@cvs.openbsd.org>2015-03-08 16:48:48 +0000
committerMiod Vallat <miod@cvs.openbsd.org>2015-03-08 16:48:48 +0000
commita8fb100b7032b320f94853530099d4f5593c5bc2 (patch)
treea038a53331a288e43c32bd7b7bb621de8f8b133b /regress
parent417c45e66e15a580904bd2fd910a46434b8b6de3 (diff)
Reject DH keys sent by a server if they are considered too small; inspired
by a similar BoringSSL change, but raising the limit to 1024 bits. ok jsing@ markus@ guenther@ deraadt@
Diffstat (limited to 'regress')
-rw-r--r--regress/lib/libssl/ssl/ssltest.c42
1 files changed, 4 insertions, 38 deletions
diff --git a/regress/lib/libssl/ssl/ssltest.c b/regress/lib/libssl/ssl/ssltest.c
index 91956a1322c..5b03e0e0b8e 100644
--- a/regress/lib/libssl/ssl/ssltest.c
+++ b/regress/lib/libssl/ssl/ssltest.c
@@ -194,7 +194,6 @@ struct app_verify_arg {
char *proxy_cond;
};
-static DH *get_dh512(void);
static DH *get_dh1024(void);
static DH *get_dh1024dsa(void);
@@ -428,7 +427,6 @@ sv_usage(void)
fprintf(stderr, " -reuse - use session-id reuse\n");
fprintf(stderr, " -num <val> - number of connections to perform\n");
fprintf(stderr, " -bytes <val> - number of bytes to swap between client/server\n");
- fprintf(stderr, " -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
fprintf(stderr, " -no_dhe - disable DHE\n");
fprintf(stderr, " -no_ecdhe - disable ECDHE\n");
@@ -569,7 +567,7 @@ main(int argc, char *argv[])
int number = 1, reuse = 0;
long bytes = 256L;
DH *dh;
- int dhe1024 = 0, dhe1024dsa = 0;
+ int dhe1024dsa = 0;
EC_KEY *ecdh = NULL;
int no_dhe = 0;
int no_ecdhe = 0;
@@ -612,9 +610,7 @@ main(int argc, char *argv[])
debug = 1;
else if (strcmp(*argv, "-reuse") == 0)
reuse = 1;
- else if (strcmp(*argv, "-dhe1024") == 0) {
- dhe1024 = 1;
- } else if (strcmp(*argv, "-dhe1024dsa") == 0) {
+ else if (strcmp(*argv, "-dhe1024dsa") == 0) {
dhe1024dsa = 1;
} else if (strcmp(*argv, "-no_dhe") == 0)
no_dhe = 1;
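Review bot: Dropping the `-dhe1024` branch turns a previously valid flag into an unrecognised argument, so any regress script that still passes it will presumably land in the unknown-option handling of `main`, which lies outside this hunk. Because the 1024-bit safe prime is now the default, the flag could stay accepted as a no-op, e.g. `else if (strcmp(*argv, "-dhe1024") == 0) { /* 1024-bit safe prime is now the default */ }`, with the `sv_usage` text saying the same instead of being deleted. As a smaller style point, the surviving `-dhe1024dsa` branch keeps braces around a single assignment while its neighbours have none; dropping them would make the chain uniform.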
@@ -787,10 +783,8 @@ bad:
/* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
dh = get_dh1024dsa();
- } else if (dhe1024)
+ } else
dh = get_dh1024();
- else
- dh = get_dh512();
SSL_CTX_set_tmp_dh(s_ctx, dh);
DH_free(dh);
}
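Review bot: With `get_dh512()` gone and `get_dh1024()` as the only non-DSA choice in this branch, the test program can no longer offer a group below the new 1024-bit minimum, so the client-side rejection described in the commit message has no regression test here. A negative case would close that gap: keep a small parameter set behind an explicit opt-in option and have the run expect the handshake to fail, so a later change that loosens the limit is caught. Separately, `dh` reaches `SSL_CTX_set_tmp_dh(s_ctx, dh)` unchecked, although the removed `get_dh512()` returned NULL on allocation failure and `get_dh1024()` presumably does the same; a `dh == NULL` check before that call would make the failure explicit. The enclosing block in `main` starts and ends outside this hunk.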
@@ -2089,39 +2083,11 @@ free_tmp_rsa(void)
}
/* These DH parameters have been generated as follows:
- * $ openssl dhparam -C -noout 512
* $ openssl dhparam -C -noout 1024
* $ openssl dhparam -C -noout -dsaparam 1024
- * (The third function has been renamed to avoid name conflicts.)
+ * (The second function has been renamed to avoid name conflicts.)
*/
static DH *
-get_dh512()
-{
- static unsigned char dh512_p[] = {
- 0xCB, 0xC8, 0xE1, 0x86, 0xD0, 0x1F, 0x94, 0x17, 0xA6, 0x99, 0xF0, 0xC6,
- 0x1F, 0x0D, 0xAC, 0xB6, 0x25, 0x3E, 0x06, 0x39, 0xCA, 0x72, 0x04, 0xB0,
- 0x6E, 0xDA, 0xC0, 0x61, 0xE6, 0x7A, 0x77, 0x25, 0xE8, 0x3B, 0xB9, 0x5F,
- 0x9A, 0xB6, 0xB5, 0xFE, 0x99, 0x0B, 0xA1, 0x93, 0x4E, 0x35, 0x33, 0xB8,
- 0xE1, 0xF1, 0x13, 0x4F, 0x59, 0x1A, 0xD2, 0x57, 0xC0, 0x26, 0x21, 0x33,
- 0x02, 0xC5, 0xAE, 0x23,
- };
- static unsigned char dh512_g[] = {
- 0x02,
- };
- DH *dh;
-
- if ((dh = DH_new()) == NULL)
- return (NULL);
- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL)) {
- DH_free(dh);
- return (NULL);
- }
- return (dh);
-}
-
-static DH *
get_dh1024()
{
static unsigned char dh1024_p[] = {