forked from pool/openldap2
dc3d146869
to fix CVE-2015-6908. (bsc#945582) - Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch to address weak DH size vulnerability (bsc#937766) - Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch to fix CVE-2015-6908. (bsc#945582) - Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch to address weak DH size vulnerability (bsc#937766) OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=143
25 lines
887 B
Diff
25 lines
887 B
Diff
The patch was authored by Marcus Meissner <meissner@suse.com> on 2015-07-13
|
|
to address weak DH size vulnerability.
|
|
|
|
--- openldap-2.4.26.orig/libraries/libldap/tls_o.c
|
|
+++ openldap-2.4.26/libraries/libldap/tls_o.c
|
|
@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
|
|
-----END DH PARAMETERS-----\n";
|
|
|
|
static const struct dhinfo tlso_dhpem[] = {
|
|
- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
|
|
{ 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
|
|
{ 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
|
|
{ 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
|
|
@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
|
|
DH *dh = NULL;
|
|
int i;
|
|
|
|
+ /* for Logjam, rev up the minimum DH group size to 1024 bit */
|
|
+ if (key_length < 1024) key_length = 1024;
|
|
+
|
|
/* Do we have params of this length already? */
|
|
LDAP_MUTEX_LOCK( &tlso_dh_mutex );
|
|
for ( p = tlso_dhparams; p; p=p->next ) {
|
|
|