Accepting request 869986 from home:jsikes:branches:security:tls

Small change to undo another small change. Sorry. OBS-URL: https://build.opensuse.org/request/show/869986 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=84
2021-02-06 23:06:18 +00:00 · 2021-02-06 23:06:18 +00:00 · 1f67f5cc44
commit 1f67f5cc44
parent 083820900d
3 changed files with 7 additions and 40 deletions
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Feb  6 14:44:12 UTC 2021 - Jason Sikes <jsikes@suse.com>
+
+- Removed patch because it was causing problems with other servers.
+  * openssl-zero-pad-DHE-public-key.patch
+  * bsc#1181796
+
 -------------------------------------------------------------------
 Thu Feb  4 18:23:17 UTC 2021 - Jason Sikes <jsikes@suse.com>

--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -91,7 +91,6 @@ Patch52:        openssl-1.1.1-system-cipherlist.patch
 Patch53:        openssl-1_1-seclevel.patch
 Patch54:        openssl-1_1-use-seclevel2-in-tests.patch
 Patch55:        openssl-1_1-disable-test_srp-sslapi.patch
-Patch56:        openssl-zero-pad-DHE-public-key.patch
 BuildRequires:  pkgconfig
 Conflicts:      ssl
 Provides:       ssl
--- a/openssl-zero-pad-DHE-public-key.patch
+++ b/openssl-zero-pad-DHE-public-key.patch
@ -1,39 +0,0 @@
-Index: openssl-1.1.1i/ssl/statem/statem_clnt.c
-===================================================================
--- openssl-1.1.1i.orig/ssl/statem/statem_clnt.c
-+++ openssl-1.1.1i/ssl/statem/statem_clnt.c
-@@ -3057,9 +3057,9 @@ static int tls_construct_cke_dhe(SSL *s,
- {
- #ifndef OPENSSL_NO_DH
-     DH *dh_clnt = NULL;
-    const BIGNUM *pub_key;
-     EVP_PKEY *ckey = NULL, *skey = NULL;
-     unsigned char *keybytes = NULL;
-+    int prime_len;
- 
-     skey = s->s3->peer_tmp;
-     if (skey == NULL) {
-@@ -3089,15 +3089,19 @@ static int tls_construct_cke_dhe(SSL *s,
-     }
- 
-     /* send off the data */
-    DH_get0_key(dh_clnt, &pub_key, NULL);
-    if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key),
-                                        &keybytes)) {
-+    prime_len = BN_num_bytes(DH_get0_p(dh_clnt));
-+    /*
-+     * For interoperability with some versions of the Microsoft TLS
-+     * stack, we need to zero pad the DHE pub key to the same length
-+     * as the prime, so use the length of the prime here.
-+     */
-+    if (!WPACKET_sub_allocate_bytes_u16(pkt, prime_len, &keybytes)
-+            || BN_bn2binpad(DH_get0_pub_key(dh_clnt), keybytes, prime_len) < 0) {
-         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
-                  ERR_R_INTERNAL_ERROR);
-         goto err;
-     }
- 
-    BN_bn2bin(pub_key, keybytes);
-     EVP_PKEY_free(ckey);
- 
-     return 1;