|
 |
78ef1d |
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod
|
|
|
78ef1d |
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral 2013-02-11 16:26:04.000000000 +0100
|
|
|
78ef1d |
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod 2015-01-13 11:15:25.096957795 +0100
|
|
|
78ef1d |
@@ -151,15 +151,7 @@ temporary/ephemeral DH parameters are us
|
|
|
78ef1d |
|
|
|
78ef1d |
=item SSL_OP_EPHEMERAL_RSA
|
|
|
78ef1d |
|
|
|
78ef1d |
-Always use ephemeral (temporary) RSA key when doing RSA operations
|
|
|
78ef1d |
-(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
|
|
|
78ef1d |
-According to the specifications this is only done, when a RSA key
|
|
|
78ef1d |
-can only be used for signature operations (namely under export ciphers
|
|
|
78ef1d |
-with restricted RSA keylength). By setting this option, ephemeral
|
|
|
78ef1d |
-RSA keys are always used. This option breaks compatibility with the
|
|
|
78ef1d |
-SSL/TLS specifications and may lead to interoperability problems with
|
|
|
78ef1d |
-clients and should therefore never be used. Ciphers with EDH (ephemeral
|
|
|
78ef1d |
-Diffie-Hellman) key exchange should be used instead.
|
|
|
78ef1d |
+This option is no longer implemented and is treated as no op.
|
|
|
78ef1d |
|
|
|
78ef1d |
=item SSL_OP_CIPHER_SERVER_PREFERENCE
|
|
|
78ef1d |
|
|
|
78ef1d |
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
|
|
|
78ef1d |
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral 2013-02-11 16:02:48.000000000 +0100
|
|
|
78ef1d |
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 2015-01-13 11:15:25.096957795 +0100
|
|
|
78ef1d |
@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-H
|
|
|
78ef1d |
in order to achieve forward secrecy (see
|
|
|
78ef1d |
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
|
|
|
78ef1d |
|
|
|
78ef1d |
-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
|
|
|
78ef1d |
-and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of
|
|
|
78ef1d |
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
|
|
|
78ef1d |
-standard. When ephemeral RSA key exchange is required for export ciphers,
|
|
|
78ef1d |
-it will automatically be used without this option!
|
|
|
78ef1d |
-
|
|
|
78ef1d |
-An application may either directly specify the key or can supply the key via
|
|
|
78ef1d |
-a callback function. The callback approach has the advantage, that the
|
|
|
78ef1d |
-callback may generate the key only in case it is actually needed. As the
|
|
|
78ef1d |
-generation of a RSA key is however costly, it will lead to a significant
|
|
|
78ef1d |
-delay in the handshake procedure. Another advantage of the callback function
|
|
|
78ef1d |
-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
|
|
|
78ef1d |
-usage) while the explicit setting of the key is only useful for key size of
|
|
|
78ef1d |
-512 bits to satisfy the export restricted ciphers and does give away key length
|
|
|
78ef1d |
-if a longer key would be allowed.
|
|
|
78ef1d |
+An application may either directly specify the key or can supply the key via a
|
|
|
78ef1d |
+callback function. The callback approach has the advantage, that the callback
|
|
|
78ef1d |
+may generate the key only in case it is actually needed. As the generation of a
|
|
|
78ef1d |
+RSA key is however costly, it will lead to a significant delay in the handshake
|
|
|
78ef1d |
+procedure. Another advantage of the callback function is that it can supply
|
|
|
78ef1d |
+keys of different size while the explicit setting of the key is only useful for
|
|
|
78ef1d |
+key size of 512 bits to satisfy the export restricted ciphers and does give
|
|
|
78ef1d |
+away key length if a longer key would be allowed.
|
|
|
78ef1d |
|
|
|
78ef1d |
The B<tmp_rsa_callback> is called with the B<keylength> needed and
|
|
|
78ef1d |
the B<is_export> information. The B<is_export> flag is set, when the
|
|
|
78ef1d |
diff -up openssl-1.0.1e/CHANGES.rsa-ephemeral openssl-1.0.1e/CHANGES
|
|
|
78ef1d |
diff -up openssl-1.0.1e/ssl/d1_srvr.c.rsa-ephemeral openssl-1.0.1e/ssl/d1_srvr.c
|
|
|
78ef1d |
--- openssl-1.0.1e/ssl/d1_srvr.c.rsa-ephemeral 2015-01-12 17:49:04.912808002 +0100
|
|
|
78ef1d |
+++ openssl-1.0.1e/ssl/d1_srvr.c 2015-01-13 11:15:25.096957795 +0100
|
|
|
78ef1d |
@@ -450,24 +450,15 @@ int dtls1_accept(SSL *s)
|
|
|
78ef1d |
case SSL3_ST_SW_KEY_EXCH_B:
|
|
|
78ef1d |
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
|
|
|
78ef1d |
|
|
|
78ef1d |
- /* clear this, it may get reset by
|
|
|
78ef1d |
- * send_server_key_exchange */
|
|
|
78ef1d |
- if ((s->options & SSL_OP_EPHEMERAL_RSA)
|
|
|
78ef1d |
-#ifndef OPENSSL_NO_KRB5
|
|
|
78ef1d |
- && !(alg_k & SSL_kKRB5)
|
|
|
78ef1d |
-#endif /* OPENSSL_NO_KRB5 */
|
|
|
78ef1d |
- )
|
|
|
78ef1d |
- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
|
|
|
78ef1d |
- * even when forbidden by protocol specs
|
|
|
78ef1d |
- * (handshake may fail as clients are not required to
|
|
|
78ef1d |
- * be able to handle this) */
|
|
|
78ef1d |
- s->s3->tmp.use_rsa_tmp=1;
|
|
|
78ef1d |
- else
|
|
|
78ef1d |
- s->s3->tmp.use_rsa_tmp=0;
|
|
|
78ef1d |
+ /*
|
|
|
78ef1d |
+ * clear this, it may get reset by
|
|
|
78ef1d |
+ * send_server_key_exchange
|
|
|
78ef1d |
+ */
|
|
|
78ef1d |
+ s->s3->tmp.use_rsa_tmp=0;
|
|
|
78ef1d |
|
|
|
78ef1d |
/* only send if a DH key exchange or
|
|
|
78ef1d |
* RSA but we have a sign only certificate */
|
|
|
78ef1d |
- if (s->s3->tmp.use_rsa_tmp
|
|
|
78ef1d |
+ if (0
|
|
|
78ef1d |
/* PSK: send ServerKeyExchange if PSK identity
|
|
|
78ef1d |
* hint if provided */
|
|
|
78ef1d |
#ifndef OPENSSL_NO_PSK
|
|
|
78ef1d |
diff -up openssl-1.0.1e/ssl/ssl.h.rsa-ephemeral openssl-1.0.1e/ssl/ssl.h
|
|
|
78ef1d |
--- openssl-1.0.1e/ssl/ssl.h.rsa-ephemeral 2015-01-12 17:49:04.936808545 +0100
|
|
|
78ef1d |
+++ openssl-1.0.1e/ssl/ssl.h 2015-01-13 11:15:25.098957840 +0100
|
|
|
78ef1d |
@@ -587,9 +587,8 @@ struct ssl_session_st
|
|
|
78ef1d |
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
|
|
|
78ef1d |
/* If set, always create a new key when using tmp_dh parameters */
|
|
|
78ef1d |
#define SSL_OP_SINGLE_DH_USE 0x00100000L
|
|
|
78ef1d |
-/* Set to always use the tmp_rsa key when doing RSA operations,
|
|
|
78ef1d |
- * even when this violates protocol specs */
|
|
|
78ef1d |
-#define SSL_OP_EPHEMERAL_RSA 0x00200000L
|
|
|
78ef1d |
+/* Does nothing: retained for compatibiity */
|
|
|
78ef1d |
+#define SSL_OP_EPHEMERAL_RSA 0x0
|
|
|
78ef1d |
/* Set on servers to choose the cipher according to the server's
|
|
|
78ef1d |
* preferences */
|
|
|
78ef1d |
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
|
|
|
78ef1d |
diff -up openssl-1.0.1e/ssl/s3_clnt.c.rsa-ephemeral openssl-1.0.1e/ssl/s3_clnt.c
|
|
|
78ef1d |
--- openssl-1.0.1e/ssl/s3_clnt.c.rsa-ephemeral 2015-01-12 17:49:04.946808771 +0100
|
|
|
78ef1d |
+++ openssl-1.0.1e/ssl/s3_clnt.c 2015-01-13 11:15:25.097957817 +0100
|
|
|
78ef1d |
@@ -1492,6 +1492,13 @@ int ssl3_get_key_exchange(SSL *s)
|
|
|
78ef1d |
#ifndef OPENSSL_NO_RSA
|
|
|
78ef1d |
if (alg_k & SSL_kRSA)
|
|
|
78ef1d |
{
|
|
|
78ef1d |
+ /* Temporary RSA keys only allowed in export ciphersuites */
|
|
|
78ef1d |
+ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
|
|
|
78ef1d |
+ {
|
|
|
78ef1d |
+ al=SSL_AD_UNEXPECTED_MESSAGE;
|
|
|
78ef1d |
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
|
|
|
78ef1d |
+ goto f_err;
|
|
|
78ef1d |
+ }
|
|
|
78ef1d |
if ((rsa=RSA_new()) == NULL)
|
|
|
78ef1d |
{
|
|
|
78ef1d |
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
|
|
|
78ef1d |
diff -up openssl-1.0.1e/ssl/s3_srvr.c.rsa-ephemeral openssl-1.0.1e/ssl/s3_srvr.c
|
|
|
78ef1d |
--- openssl-1.0.1e/ssl/s3_srvr.c.rsa-ephemeral 2015-01-12 17:51:32.044135496 +0100
|
|
|
78ef1d |
+++ openssl-1.0.1e/ssl/s3_srvr.c 2015-01-13 11:15:25.098957840 +0100
|
|
|
78ef1d |
@@ -441,20 +441,11 @@ int ssl3_accept(SSL *s)
|
|
|
78ef1d |
case SSL3_ST_SW_KEY_EXCH_B:
|
|
|
78ef1d |
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
|
|
|
78ef1d |
|
|
|
78ef1d |
- /* clear this, it may get reset by
|
|
|
78ef1d |
- * send_server_key_exchange */
|
|
|
78ef1d |
- if ((s->options & SSL_OP_EPHEMERAL_RSA)
|
|
|
78ef1d |
-#ifndef OPENSSL_NO_KRB5
|
|
|
78ef1d |
- && !(alg_k & SSL_kKRB5)
|
|
|
78ef1d |
-#endif /* OPENSSL_NO_KRB5 */
|
|
|
78ef1d |
- )
|
|
|
78ef1d |
- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
|
|
|
78ef1d |
- * even when forbidden by protocol specs
|
|
|
78ef1d |
- * (handshake may fail as clients are not required to
|
|
|
78ef1d |
- * be able to handle this) */
|
|
|
78ef1d |
- s->s3->tmp.use_rsa_tmp=1;
|
|
|
78ef1d |
- else
|
|
|
78ef1d |
- s->s3->tmp.use_rsa_tmp=0;
|
|
|
78ef1d |
+ /*
|
|
|
78ef1d |
+ * clear this, it may get reset by
|
|
|
78ef1d |
+ * send_server_key_exchange
|
|
|
78ef1d |
+ */
|
|
|
78ef1d |
+ s->s3->tmp.use_rsa_tmp=0;
|
|
|
78ef1d |
|
|
|
78ef1d |
|
|
|
78ef1d |
/* only send if a DH key exchange, fortezza or
|
|
|
78ef1d |
@@ -468,7 +459,7 @@ int ssl3_accept(SSL *s)
|
|
|
78ef1d |
* server certificate contains the server's
|
|
|
78ef1d |
* public key for key exchange.
|
|
|
78ef1d |
*/
|
|
|
78ef1d |
- if (s->s3->tmp.use_rsa_tmp
|
|
|
78ef1d |
+ if (0
|
|
|
78ef1d |
/* PSK: send ServerKeyExchange if PSK identity
|
|
|
78ef1d |
* hint if provided */
|
|
|
78ef1d |
#ifndef OPENSSL_NO_PSK
|