diff options
8 files changed, 17 insertions, 2 deletions
diff --git a/chromium/chrome/common/localized_error.cc b/chromium/chrome/common/localized_error.cc index bbddc9e7028..03ae03f1f95 100644 --- a/chromium/chrome/common/localized_error.cc +++ b/chromium/chrome/common/localized_error.cc @@ -45,7 +45,7 @@ namespace { static const char kRedirectLoopLearnMoreUrl[] = "https://www.google.com/support/chrome/bin/answer.py?answer=95626"; static const char kWeakDHKeyLearnMoreUrl[] = - "http://sites.google.com/a/chromium.org/dev/" + "https://www.chromium.org/administrators/" "err_ssl_weak_server_ephemeral_dh_key"; #if defined(OS_CHROMEOS) static const char kAppWarningLearnMoreUrl[] = diff --git a/chromium/net/third_party/nss/README.chromium b/chromium/net/third_party/nss/README.chromium index a1c53038b13..b3f98533c73 100644 --- a/chromium/net/third_party/nss/README.chromium +++ b/chromium/net/third_party/nss/README.chromium @@ -109,6 +109,9 @@ Patches: patches/ignorechangecipherspec.patch https://bugzilla.mozilla.org/show_bug.cgi?id=1009227 + * Increase the minimum DH group size to 1024 + patches/dh1024.patch + Apply the patches to NSS by running the patches/applypatches.sh script. Read the comments at the top of patches/applypatches.sh for instructions. diff --git a/chromium/net/third_party/nss/patches/applypatches.sh b/chromium/net/third_party/nss/patches/applypatches.sh index b5f9d30a197..f8c1f6c3edd 100755 --- a/chromium/net/third_party/nss/patches/applypatches.sh +++ b/chromium/net/third_party/nss/patches/applypatches.sh @@ -50,3 +50,5 @@ patch -p4 < $patches_dir/nssrwlock.patch patch -p4 < $patches_dir/paddingextvalue.patch patch -p4 < $patches_dir/reorderextensions.patch + +patch -p2 < $patches_dir/dh1024.patch diff --git a/chromium/net/third_party/nss/ssl/ssl3con.c b/chromium/net/third_party/nss/ssl/ssl3con.c index 7ff7beacbc1..67fdfe1d28f 100644 --- a/chromium/net/third_party/nss/ssl/ssl3con.c +++ b/chromium/net/third_party/nss/ssl/ssl3con.c @@ -6922,7 +6922,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) if (rv != SECSuccess) { goto loser; /* malformed. */ } - if (dh_p.len < 512/8) { + if (dh_p.len < 1024/8 || + (dh_p.len == 1024/8 && (dh_p.data[0] & 0x80) == 0)) { errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY; goto alert_loser; } diff --git a/chromium/third_party/openssl/openssl/include/openssl/ssl.h b/chromium/third_party/openssl/openssl/include/openssl/ssl.h index 6743f3c0f11..5c87c603618 100644 --- a/chromium/third_party/openssl/openssl/include/openssl/ssl.h +++ b/chromium/third_party/openssl/openssl/include/openssl/ssl.h @@ -2663,6 +2663,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_UNSUPPORTED_SSL_VERSION 259 #define SSL_R_UNSUPPORTED_STATUS_TYPE 329 #define SSL_R_USE_SRTP_NOT_NEGOTIATED 369 +#define SSL_R_WEAK_DH_GROUP 394 #define SSL_R_WRITE_BIO_NOT_SET 260 #define SSL_R_WRONG_CIPHER_RETURNED 261 #define SSL_R_WRONG_MESSAGE_TYPE 262 diff --git a/chromium/third_party/openssl/openssl/ssl/s3_clnt.c b/chromium/third_party/openssl/openssl/ssl/s3_clnt.c index 448dbeaa70f..ecda12a3bf5 100644 --- a/chromium/third_party/openssl/openssl/ssl/s3_clnt.c +++ b/chromium/third_party/openssl/openssl/ssl/s3_clnt.c @@ -3347,6 +3347,12 @@ int ssl3_check_cert_and_algorithm(SSL *s) SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); goto f_err; } + else if ((alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) && + (dh == NULL || DH_size(dh)*8 < 1024)) + { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_WEAK_DH_GROUP); + goto f_err; + } #ifndef OPENSSL_NO_DSA else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) { diff --git a/chromium/third_party/openssl/openssl/ssl/ssl.h b/chromium/third_party/openssl/openssl/ssl/ssl.h index 5faae95c1d5..1600a539b31 100644 --- a/chromium/third_party/openssl/openssl/ssl/ssl.h +++ b/chromium/third_party/openssl/openssl/ssl/ssl.h @@ -2663,6 +2663,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_UNSUPPORTED_SSL_VERSION 259 #define SSL_R_UNSUPPORTED_STATUS_TYPE 329 #define SSL_R_USE_SRTP_NOT_NEGOTIATED 369 +#define SSL_R_WEAK_DH_GROUP 394 #define SSL_R_WRITE_BIO_NOT_SET 260 #define SSL_R_WRONG_CIPHER_RETURNED 261 #define SSL_R_WRONG_MESSAGE_TYPE 262 diff --git a/chromium/third_party/openssl/openssl/ssl/ssl_err.c b/chromium/third_party/openssl/openssl/ssl/ssl_err.c index c29391ce0e2..98d9675cdee 100644 --- a/chromium/third_party/openssl/openssl/ssl/ssl_err.c +++ b/chromium/third_party/openssl/openssl/ssl/ssl_err.c @@ -596,6 +596,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"}, {ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),"unsupported status type"}, {ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED),"use srtp not negotiated"}, +{ERR_REASON(SSL_R_WEAK_DH_GROUP) ,"weak dh group"}, {ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"}, {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"}, {ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) ,"wrong message type"}, |