Re: Possible mod_ssl's backports to 2.2.x? (was: Looking ahead to 2.4.13 / 2.2.30)

Tue, 05 May 2015 11:03:54 -0700 

Please note that the primes constants in modules/ssl/ssl_engine_dh.c
are from openssl/crypto/bn/bn_const.c.
FWIW, attached is a (stripped) diff between the two files that shows
constants are the same...

On Tue, May 5, 2015 at 7:12 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
> Possible backport patch attached.
>
> On Tue, May 5, 2015 at 3:14 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
>> I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327)
>> for backport to 2.2.x (in reverse order):
>>
>>   *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
>>      larger keys and support up to 8192-bit keys.  [Ruediger Pluem,
>>      Joe Orton]
>>
>>   *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
>>      allowing custom parameters to be configured via SSLCertificateFile,
>>      and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
>>      Unless custom parameters are configured, the standardized parameters
>>      are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
>>
>>   *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
>>
>>   *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
>>      keys, and unconditionally disable aNULL, eNULL and EXP ciphers
>>      (not overridable via SSLCipherSuite). [Kaspar Brand]
>>
>> or at least partly.
>>
>> Beyond the (problematic?) requirement on OpenSSL 0.9.8a (discussed
>> below), and what may look like an improvement only (first one), there
>> are also security considerations:
>> - ephemeral DH keys (for EDH ciphers) are currently limited to 1024
>> bits in 2.2.x, so with 2048 bits or more certificates (quite
>> recommended today), one should use its own dhparams for (E)DH ciphers,
>> - ecparams loadable from certificate allow to configure the curve/key
>> (plus SSL_CTX_set_ecdh_auto() when openssl >= 1.0.2),
>> - export grade ciphers (removed from openssl's maintained versions)
>> are still in use with default/general configurations (FREAK, ...).
>>
>> Regarding requirement on OpenSSL 0.9.8a (what's the actual requirement
>> in 2.2.x?), if that's really a stopper, it only concerns the use of
>> get_rfc{2409,3526}_prime_{1024,2048,..}() introduced in 0.9.8a
>> (AFAICT), and we could eventually include (statically) that primes in
>> the code for versions < 0.9.8a.
>> But is there real 2.2.x user with OpenSSL < 0.9.8a?
>>
>> Also, those changes are effective since 2.4.7, and hence are quite
>> largely tested already.
>>
>> Any pros/cons/comments before I try to resolve (hopefully) small conflicts?
>>
>> Regards,
>> Yann.

--- openssl-1.0.1m/crypto/bn/bn_const.c 2015-03-19 14:19:00.000000000 +0100
+++ modules/ssl/ssl_engine_dh.c 2015-05-05 19:27:03.689262006 +0200
@@ -1,48 +1,116 @@
[]
-/*-
+/* ----END GENERATED SECTION---------- */
+
+/*
  * "Second Oakley Default Group" from RFC2409, section 6.2.
  *
  * The prime is: 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
  *
  * RFC2409 specifies a generator of 2.
- * RFC2412 specifies a generator of 22.
  */
-
-BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn)
-{
-    static const unsigned char RFC2409_PRIME_1024[] = {
+static const unsigned char dh1024_p[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
         0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
         0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
@@ -60,60 +128,24 @@
         0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81,
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
     };
-    return BN_bin2bn(RFC2409_PRIME_1024, sizeof(RFC2409_PRIME_1024), bn);
+static const unsigned char dh1024_g[] = {
+    0x02,
+};
[]
-/*-
+/*
  * "2048-bit MODP Group" from RFC3526, Section 3.
  *
  * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
  *
  * RFC3526 specifies a generator of 2.
  */
-
-BIGNUM *get_rfc3526_prime_2048(BIGNUM *bn)
-{
-    static const unsigned char RFC3526_PRIME_2048[] = {
+static const unsigned char dh2048_p[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
         0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
         0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
@@ -147,20 +179,24 @@
         0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68,
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
     };
-    return BN_bin2bn(RFC3526_PRIME_2048, sizeof(RFC3526_PRIME_2048), bn);
+static const unsigned char dh2048_g[] = {
+    0x02,
+};
[]
-/*-
+/*
  * "3072-bit MODP Group" from RFC3526, Section 4.
  *
  * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }
  *
  * RFC3526 specifies a generator of 2.
  */
-
-BIGNUM *get_rfc3526_prime_3072(BIGNUM *bn)
-{
-    static const unsigned char RFC3526_PRIME_3072[] = {
+static const unsigned char dh3072_p[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
         0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
         0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
@@ -210,20 +246,24 @@
         0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA,
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
     };
-    return BN_bin2bn(RFC3526_PRIME_3072, sizeof(RFC3526_PRIME_3072), bn);
+static const unsigned char dh3072_g[] = {
+    0x02,
+};
[]
-/*-
+/*
  * "4096-bit MODP Group" from RFC3526, Section 5.
  *
  * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }
  *
  * RFC3526 specifies a generator of 2.
  */
-
-BIGNUM *get_rfc3526_prime_4096(BIGNUM *bn)
-{
-    static const unsigned char RFC3526_PRIME_4096[] = {
+static const unsigned char dh4096_p[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
         0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
         0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
@@ -289,20 +329,24 @@
         0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99,
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
     };
-    return BN_bin2bn(RFC3526_PRIME_4096, sizeof(RFC3526_PRIME_4096), bn);
+static const unsigned char dh4096_g[] = {
+    0x02,
+};
[]
-/*-
+/*
  * "6144-bit MODP Group" from RFC3526, Section 6.
  *
  * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }
  *
  * RFC3526 specifies a generator of 2.
  */
-
-BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn)
-{
-    static const unsigned char RFC3526_PRIME_6144[] = {
+static const unsigned char dh6144_p[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
         0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
         0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
@@ -400,20 +444,24 @@
         0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xCC, 0x40, 0x24,
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
     };
-    return BN_bin2bn(RFC3526_PRIME_6144, sizeof(RFC3526_PRIME_6144), bn);
+static const unsigned char dh6144_g[] = {
+    0x02,
+};
[]
-/*-
+/*
  * "8192-bit MODP Group" from RFC3526, Section 7.
  *
  * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }
  *
  * RFC3526 specifies a generator of 2.
  */
-
-BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn)
-{
-    static const unsigned char RFC3526_PRIME_8192[] = {
+static const unsigned char dh8192_p[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
         0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
         0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
@@ -543,5 +591,196 @@
         0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, 0xDF,
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
     };
-    return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn);
+static const unsigned char dh8192_g[] = {
+    0x02,
+};
[]

Reply via email to