
[PATCH] gnutls DH prime minimum for wheezy, plus question about openssl



Hi,

GnuTLS 3.3 introduced a minimum security level requirement for
DH parameters of 1008 bit. This patch enforces this (hard, I’ve
not backported the --dh-bits argument for gnutls-cli, nor the
required machinery to be able to override it) for GnuTLS 2.x in
wheezy. Please review, suggest improvements, and then forward it
to the maintainer for inclusion in wheezy-security. (This is a
quick hack just to mitigate LogJam in SSL clients without needing
to disable DH kex.)

OpenSSL upstream is said (citation needed) to wish to require a
1024 bit minimum in some later version but require 768 bits now.
I cannot find this in either upstream’s 1.0.2a release or the one
currently in sid.
I did find it as commit 10a70da729948bb573d27cef4459077c49f3eb46
in upstream’s git, except the error path needs to set al too AFAICS.

I think we should consider standardising on a size. In MirBSD I’ve
used 1017 bit as minimum, but 1008 bit (126 octets) sounds reasonable
considering that even randomly-generated 1024-bit numbers may have
a number of leading zeroes.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
diff -Nru gnutls26-2.12.20/debian/changelog gnutls26-2.12.20/debian/changelog
--- gnutls26-2.12.20/debian/changelog	2015-03-15 09:14:56.000000000 +0100
+++ gnutls26-2.12.20/debian/changelog	2015-06-05 13:44:06.000000000 +0200
@@ -1,3 +1,10 @@
+gnutls26 (2.12.20-8+deb7u3tarent1) tarent; urgency=high
+
+  * Non-maintainer upload.
+  * Add debian/patches/DH-min-1008-bits.diff patch.
+
+ -- Thorsten Glaser <tg@mirbsd.de>  Fri, 05 Jun 2015 13:43:47 +0200
+
 gnutls26 (2.12.20-8+deb7u3) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
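Review bot: The new changelog entry says only that a patch file was added, and its distribution field is `tarent` with a `tarent1` version suffix. For the wheezy-security upload the mail asks for, the entry should state the behaviour change (a 1008-bit minimum for the server's temporary DH key, with no way to override it), and the distribution and version need to be rewritten by whoever uploads.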
diff -Nru gnutls26-2.12.20/debian/patches/DH-min-1008-bits.diff gnutls26-2.12.20/debian/patches/DH-min-1008-bits.diff
--- gnutls26-2.12.20/debian/patches/DH-min-1008-bits.diff	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/patches/DH-min-1008-bits.diff	2015-06-05 13:43:42.000000000 +0200
@@ -0,0 +1,13 @@
+# DP: require a minimum of 1008 bits for server temp DH key
+
+--- a/lib/gnutls_state.c
++++ b/lib/gnutls_state.c
+@@ -443,7 +443,7 @@ gnutls_deinit (gnutls_session_t session)
+ int
+ _gnutls_dh_get_allowed_prime_bits (gnutls_session_t session)
+ {
+-  return session->internals.dh_prime_bits;
++  return MAX(session->internals.dh_prime_bits, 1008);
+ }
+ 
+ int
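Review bot: In `_gnutls_dh_get_allowed_prime_bits`, `MAX(session->internals.dh_prime_bits, 1008)` silently discards any lower value stored in `dh_prime_bits`, and the limit is a bare literal. Suggest a named constant with a comment giving the rationale, and extending the `# DP:` header to say that the application cannot lower the floor. Also confirm that `MAX` is defined for `lib/gnutls_state.c`, since the hunk adds no include or definition for it.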
diff -Nru gnutls26-2.12.20/debian/patches/series gnutls26-2.12.20/debian/patches/series
--- gnutls26-2.12.20/debian/patches/series	2015-03-15 09:14:56.000000000 +0100
+++ gnutls26-2.12.20/debian/patches/series	2015-06-05 13:42:09.000000000 +0200
@@ -15,3 +15,4 @@
 39_Prevent-memory-corruption.diff
 40_CVE-2015-0294.diff
 41_CVE-2015-0282.diff
+DH-min-1008-bits.diff
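Review bot: The added `DH-min-1008-bits.diff` entry has no numeric prefix, unlike the entries above it (`39_`, `40_`, `41_`). Renaming the patch to follow that scheme, for example `42_DH-min-1008-bits.diff`, keeps the series consistent; the file name mentioned in `debian/changelog` would change with it.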

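The mail's argument for 1008 rather than 1024 bits rests on measuring a prime by its significant bits, not by the number of octets sent. The following is an added example, not part of the original mail and not GnuTLS code; the function names and the sample values are constructed for illustration. It shows that measurement and the 1008-bit floor applied to it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DH_MIN_PRIME_BITS 1008 /* 126 octets, the floor proposed in the mail */

/* Significant bits of a big-endian unsigned integer; leading zeros do not count. */
static size_t bignum_bits(const unsigned char *p, size_t len)
{
    size_t i = 0;
    while (i < len && p[i] == 0)
        i++;                      /* skip whole zero octets */
    if (i == len)
        return 0;                 /* empty or all-zero value */
    size_t bits = (len - i) * 8;
    for (unsigned char top = p[i]; !(top & 0x80); top <<= 1)
        bits--;                   /* skip zero bits in the top octet */
    return bits;
}

/* Nonzero if the server's DH prime is at least min_bits long. */
static int dh_prime_acceptable(const unsigned char *p, size_t len, size_t min_bits)
{
    return bignum_bits(p, len) >= min_bits;
}

/* Constructed input, not a real prime (only the length is examined): len octets
 * (len <= 256, zeros < len) with `zeros` leading zero octets, then `top`, then 0xFF. */
static const unsigned char *sample(size_t len, size_t zeros, unsigned char top)
{
    static unsigned char buf[256];
    memset(buf, 0xFF, len);
    memset(buf, 0, zeros);
    buf[zeros] = top;
    return buf;
}

int main(void)
{
    static const struct { size_t len, zeros; unsigned char top; } t[] = {
        {128, 0, 0x80}, {128, 0, 0x01}, {128, 2, 0x80}, {128, 2, 0x7F}, {96, 0, 0xFF},
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        const unsigned char *p = sample(t[i].len, t[i].zeros, t[i].top);
        printf("%zu octets sent -> %zu bits: %s\n", t[i].len, bignum_bits(p, t[i].len),
               dh_prime_acceptable(p, t[i].len, DH_MIN_PRIME_BITS) ? "accept" : "reject");
    }
    return 0;
}
```

A 128-octet value whose top octet is 0x01 measures 1017 bits, and one with two leading zero octets measures 1008 bits, so both pass a 1008-bit floor while failing a strict 1024-bit one.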