Change the DH key length from 512 to 1024 bits to meet minimum requirements
of FIPS 140-2.  (In principle we could use the larger size only when FIPS
mode is on, but it doesn't seem worth the trouble.)
The new parameter value was generated using "openssl dhparam -C 1024".
diff -Naur mysql-5.5.28.orig/vio/viosslfactories.c mysql-5.5.28/vio/viosslfactories.c
031387
--- mysql-5.5.28.orig/vio/viosslfactories.c	2012-08-29 04:50:46.000000000 -0400
031387
+++ mysql-5.5.28/vio/viosslfactories.c	2012-11-15 11:19:38.575701435 -0500
031387
@@ -20,27 +20,32 @@
031387
 static my_bool     ssl_algorithms_added    = FALSE;
031387
 static my_bool     ssl_error_strings_loaded= FALSE;
031387
 
031387
-static unsigned char dh512_p[]=
031387
+static unsigned char dh1024_p[]=
031387
 {
031387
-  0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
031387
-  0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
031387
-  0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
031387
-  0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
031387
-  0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
031387
-  0x47,0x74,0xE8,0x33,
031387
+  0xBF,0x5C,0xFA,0xD1,0xDD,0xBB,0xB3,0x0A,0x58,0x29,0x05,0xF5,
031387
+  0x7D,0x64,0xB2,0xE1,0xCE,0xE8,0xE0,0xE1,0x7A,0xB6,0xBC,0x5B,
031387
+  0x21,0x56,0xDF,0x2C,0x82,0x60,0xDC,0x31,0xCA,0x1E,0x02,0xFE,
031387
+  0xC4,0xE7,0x24,0x63,0x31,0xE4,0x67,0x1C,0x0B,0xFF,0x86,0x12,
031387
+  0x0D,0x2E,0xE6,0x35,0x0A,0x07,0x4F,0xE7,0x3F,0xDE,0xFE,0xF0,
031387
+  0x13,0x1C,0xA2,0x2B,0xF4,0xEE,0x2C,0x90,0x10,0x57,0x6B,0x2B,
031387
+  0xB9,0x1E,0x1B,0x47,0xB0,0x25,0xBF,0x45,0x86,0xDA,0x87,0x35,
031387
+  0x2C,0xF5,0x6A,0x41,0xA2,0x57,0xD8,0x16,0x5E,0x82,0x91,0x99,
031387
+  0x33,0xA0,0x8B,0x9D,0x34,0xCE,0x03,0x01,0x80,0x32,0x07,0x3B,
031387
+  0xF2,0x93,0xFC,0x3A,0x25,0xEC,0xB3,0xED,0x5C,0x4E,0x57,0xF2,
031387
+  0x3C,0x2E,0x0D,0xB1,0x59,0xA2,0x08,0x93,
031387
 };
031387
 
031387
-static unsigned char dh512_g[]={
031387
+static unsigned char dh1024_g[]={
031387
   0x02,
031387
 };
031387
 
031387
-static DH *get_dh512(void)
031387
+static DH *get_dh1024(void)
031387
 {
031387
   DH *dh;
031387
   if ((dh=DH_new()))
031387
   {
031387
-    dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
031387
-    dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
031387
+    dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
031387
+    dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
031387
     if (! dh->p || ! dh->g)
031387
     {
031387
       DH_free(dh);
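Review bot: The hard-coded group at `dh1024_p` satisfies the 1024-bit FIPS 140-2 floor the commit message cites, but NIST SP 800-131A already classes 1024-bit finite-field DH as deprecated and disallows it after 2013, so this is at best a short-lived fix; generating the table with `openssl dhparam -C 2048` (renaming to `dh2048_p`/`get_dh2048`) would give the same one-file change a longer useful life. Because the group is static and compiled into every build, a precomputation effort against this single prime pays off against every deployment at once, which is the main argument for a larger size or a run-time-loadable parameter file rather than a fixed table. The assignments `dh->p=BN_bin2bn(...)` and `dh->g=BN_bin2bn(...)` write DH struct members directly; that is fine for the OpenSSL versions this tree targets, but it presumably will not build once DH becomes opaque (newer OpenSSL exposes the setter `DH_set0_pqg`), so wrapping these two lines in a small version-guarded helper would ease that migration. get_dh1024's body continues past the end of the hunk, so the return path after `DH_free(dh)` is not visible here.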
031387
@@ -255,7 +260,7 @@
031387
   }
031387
 
031387
   /* DH stuff */
031387
-  dh=get_dh512();
031387
+  dh=get_dh1024();
031387
   SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
031387
   DH_free(dh);
031387