Accepting request 869986 from home:jsikes:branches:security:tls
Small change to undo another small change. Sorry. OBS-URL: https://build.opensuse.org/request/show/869986 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=84
parent
083820900d
commit
1f67f5cc44
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Feb 6 14:44:12 UTC 2021 - Jason Sikes <jsikes@suse.com>
|
||||||
|
|
||||||
|
- Removed patch because it was causing problems with other servers.
|
||||||
|
* openssl-zero-pad-DHE-public-key.patch
|
||||||
|
* bsc#1181796
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Feb 4 18:23:17 UTC 2021 - Jason Sikes <jsikes@suse.com>
|
Thu Feb 4 18:23:17 UTC 2021 - Jason Sikes <jsikes@suse.com>
|
||||||
|
|
||||||
|
@ -91,7 +91,6 @@ Patch52: openssl-1.1.1-system-cipherlist.patch
|
|||||||
Patch53: openssl-1_1-seclevel.patch
|
Patch53: openssl-1_1-seclevel.patch
|
||||||
Patch54: openssl-1_1-use-seclevel2-in-tests.patch
|
Patch54: openssl-1_1-use-seclevel2-in-tests.patch
|
||||||
Patch55: openssl-1_1-disable-test_srp-sslapi.patch
|
Patch55: openssl-1_1-disable-test_srp-sslapi.patch
|
||||||
Patch56: openssl-zero-pad-DHE-public-key.patch
|
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
Conflicts: ssl
|
Conflicts: ssl
|
||||||
Provides: ssl
|
Provides: ssl
|
||||||
|
@ -1,39 +0,0 @@
|
|||||||
Index: openssl-1.1.1i/ssl/statem/statem_clnt.c
|
|
||||||
===================================================================
|
|
||||||
--- openssl-1.1.1i.orig/ssl/statem/statem_clnt.c
|
|
||||||
+++ openssl-1.1.1i/ssl/statem/statem_clnt.c
|
|
||||||
@@ -3057,9 +3057,9 @@ static int tls_construct_cke_dhe(SSL *s,
|
|
||||||
{
|
|
||||||
#ifndef OPENSSL_NO_DH
|
|
||||||
DH *dh_clnt = NULL;
|
|
||||||
- const BIGNUM *pub_key;
|
|
||||||
EVP_PKEY *ckey = NULL, *skey = NULL;
|
|
||||||
unsigned char *keybytes = NULL;
|
|
||||||
+ int prime_len;
|
|
||||||
|
|
||||||
skey = s->s3->peer_tmp;
|
|
||||||
if (skey == NULL) {
|
|
||||||
@@ -3089,15 +3089,19 @@ static int tls_construct_cke_dhe(SSL *s,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* send off the data */
|
|
||||||
- DH_get0_key(dh_clnt, &pub_key, NULL);
|
|
||||||
- if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key),
|
|
||||||
- &keybytes)) {
|
|
||||||
+ prime_len = BN_num_bytes(DH_get0_p(dh_clnt));
|
|
||||||
+ /*
|
|
||||||
+ * For interoperability with some versions of the Microsoft TLS
|
|
||||||
+ * stack, we need to zero pad the DHE pub key to the same length
|
|
||||||
+ * as the prime, so use the length of the prime here.
|
|
||||||
+ */
|
|
||||||
+ if (!WPACKET_sub_allocate_bytes_u16(pkt, prime_len, &keybytes)
|
|
||||||
+ || BN_bn2binpad(DH_get0_pub_key(dh_clnt), keybytes, prime_len) < 0) {
|
|
||||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
|
|
||||||
ERR_R_INTERNAL_ERROR);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
- BN_bn2bin(pub_key, keybytes);
|
|
||||||
EVP_PKEY_free(ckey);
|
|
||||||
|
|
||||||
return 1;
|
|