void-packages/srcpkgs/chromium/patches/0001-NSS-reject-DH-groups-s...

34 lines
1.1 KiB
Diff

From 1da1e686a87ad9f95d26786d2b53a1a4c280189f Mon Sep 17 00:00:00 2001
From: agl <agl@chromium.org>
Date: Wed, 20 May 2015 13:20:29 -0700
Subject: [PATCH] NSS: reject DH groups smaller than 1024 bits.
Since some platforms are still using NSS for now, this change mirrors https://boringssl-review.googlesource.com/#/c/4813/ in NSS.
BUG=490240
Review URL: https://codereview.chromium.org/1143303002
Cr-Commit-Position: refs/heads/master@{#330791}
---
net/third_party/nss/ssl/ssl3con.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 89c98ea..861d434 100644
--- net/third_party/nss/ssl/ssl3con.c
+++ net/third_party/nss/ssl/ssl3con.c
@@ -6946,7 +6946,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
if (rv != SECSuccess) {
goto loser; /* malformed. */
}
- if (dh_p.len < 512/8) {
+ if (dh_p.len < 1024/8 ||
+ (dh_p.len == 1024/8 && (dh_p.data[0] & 0x80) == 0)) {
errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
goto alert_loser;
}
--
2.4.2