Source: openssl Severity: critical Tags: security patch OpenSSL contains a set of arbitrary limitations on the size of accepted key parameters that make unrelated software fail to establish secure connections. The problem was found while debugging a XMPP s2s connection issue where two servers with long certificate keys (8192 Bit RSA) failed to establish a secure connection because OpenSSL rejected the handshake.
The attached two patches fix the following issues: 1. Remove the restriction on DSA/DHE parameters to allow for arbitrary size 2. Increase the maximum allowed size for transmitted (client/server) keys from 516 byte (e.g. 4096 bit RSA) to 8200 byte (e.g. 65536 bit RSA) The first issue was found with a server using GnuTLS that used DH parameters with 13337 bits for negotiating the session key. While a website test succeeded in determining the cipher configuration it failed to negotiate a session key and did not provide any reasonable error message back to the user. As the issue depended on the ciphers offered by the client a real client like a webbrowser would not be able to gracefully fall back to some other algorithm. Thus the only workaround would be to use no encryption which would be the worst of all alternatives. The second issue was found while debugging issues with two ejabberd instances that both used certificates with 8192 bit RSA. While both servers could correctly determine the opposite's server's connection parameters (using provided SRV records) and properly established a cleartext connection they unexpectedly and without proper diagnosis terminated the SSL connection after negotiating to upgrade to STARTTLS. After both parties sent their certificates the connection was suddently terminated without even providing a SSL fatal error alert - thus no useful information could be provided by the application layer. Only after increasing the maximum size for key parameters were both servers able to connect to each other. This once again demonstrates that you MUST NOT introduce statically compiled-in magic numbers to place arbitrary limits on the size of used parameters. Furthermore it should be noted that the parameters used are neither very large, nor do they require excessive processing power (about 1-2 seconds for one handshake on average). This might not be an option for everybody but is well within parameters that are to be expected in casually-paranoid setups. Please apply both patches ASAP and forward them to be included upstream. Kind regards, Benny Baumann -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (900, 'testing'), (800, 'stable'), (750, 'experimental'), (700, 'unstable'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- no debconf informationn
Description: Increase the maximum size allowed for client/server certificate packages on the wire Author: Benny Baumann <be...@geshi.org> --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: <vendor|upstream|other>, <url of original patch> Bug: <url in upstream bugtracker> Bug-Debian: http://bugs.debian.org/<bugnumber> Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: <name and email of someone who approved the patch> Last-Update: <YYYY-MM-DD> --- openssl-1.0.1e.orig/ssl/s3_srvr.c +++ openssl-1.0.1e/ssl/s3_srvr.c @@ -2926,7 +2926,7 @@ int ssl3_get_cert_verify(SSL *s) SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B, -1, - 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ + 8200, /* Enough for 65536 bit RSA key with TLS v1.2 */ &ok); if (!ok) return((int)n);
Description: Remove DSA/DH keysize restrictions Author: Benny Baumann <be...@geshi.org> --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: <vendor|upstream|other>, <url of original patch> Bug: <url in upstream bugtracker> Bug-Debian: http://bugs.debian.org/<bugnumber> Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: <name and email of someone who approved the patch> Last-Update: <YYYY-MM-DD> --- openssl-1.0.1e.orig/crypto/dsa/dsa.h +++ openssl-1.0.1e/crypto/dsa/dsa.h @@ -84,10 +84,6 @@ #endif #endif -#ifndef OPENSSL_DSA_MAX_MODULUS_BITS -# define OPENSSL_DSA_MAX_MODULUS_BITS 10000 -#endif - #define DSA_FLAG_CACHE_MONT_P 0x01 #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA * implementation now uses constant time --- openssl-1.0.1e.orig/crypto/dsa/dsa_ossl.c +++ openssl-1.0.1e/crypto/dsa/dsa_ossl.c @@ -325,11 +325,6 @@ static int dsa_do_verify(const unsigned return -1; } - if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) - { - DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE); - return -1; - } BN_init(&u1); BN_init(&u2); BN_init(&t1);