forked from pool/openssl-1_1
Accepting request 869551 from home:jsikes:branches:security:tls
Small fix. Enjoy! OBS-URL: https://build.opensuse.org/request/show/869551 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=83
This commit is contained in:
parent
3d07044ba3
commit
083820900d
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 4 18:23:17 UTC 2021 - Jason Sikes <jsikes@suse.com>
|
||||
|
||||
- Zero pad the DHE public key in ClientKeyExchange for interoperability with
|
||||
Windows Server 2019.
|
||||
* openssl-zero-pad-DHE-public-key.patch
|
||||
* bsc#1181796
|
||||
* sourced from https://github.com/openssl/openssl/pull/12331/files
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 20 15:59:01 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
|
@ -91,6 +91,7 @@ Patch52: openssl-1.1.1-system-cipherlist.patch
|
||||
Patch53: openssl-1_1-seclevel.patch
|
||||
Patch54: openssl-1_1-use-seclevel2-in-tests.patch
|
||||
Patch55: openssl-1_1-disable-test_srp-sslapi.patch
|
||||
Patch56: openssl-zero-pad-DHE-public-key.patch
|
||||
BuildRequires: pkgconfig
|
||||
Conflicts: ssl
|
||||
Provides: ssl
|
||||
|
39
openssl-zero-pad-DHE-public-key.patch
Normal file
39
openssl-zero-pad-DHE-public-key.patch
Normal file
@ -0,0 +1,39 @@
|
||||
Index: openssl-1.1.1i/ssl/statem/statem_clnt.c
|
||||
===================================================================
|
||||
--- openssl-1.1.1i.orig/ssl/statem/statem_clnt.c
|
||||
+++ openssl-1.1.1i/ssl/statem/statem_clnt.c
|
||||
@@ -3057,9 +3057,9 @@ static int tls_construct_cke_dhe(SSL *s,
|
||||
{
|
||||
#ifndef OPENSSL_NO_DH
|
||||
DH *dh_clnt = NULL;
|
||||
- const BIGNUM *pub_key;
|
||||
EVP_PKEY *ckey = NULL, *skey = NULL;
|
||||
unsigned char *keybytes = NULL;
|
||||
+ int prime_len;
|
||||
|
||||
skey = s->s3->peer_tmp;
|
||||
if (skey == NULL) {
|
||||
@@ -3089,15 +3089,19 @@ static int tls_construct_cke_dhe(SSL *s,
|
||||
}
|
||||
|
||||
/* send off the data */
|
||||
- DH_get0_key(dh_clnt, &pub_key, NULL);
|
||||
- if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key),
|
||||
- &keybytes)) {
|
||||
+ prime_len = BN_num_bytes(DH_get0_p(dh_clnt));
|
||||
+ /*
|
||||
+ * For interoperability with some versions of the Microsoft TLS
|
||||
+ * stack, we need to zero pad the DHE pub key to the same length
|
||||
+ * as the prime, so use the length of the prime here.
|
||||
+ */
|
||||
+ if (!WPACKET_sub_allocate_bytes_u16(pkt, prime_len, &keybytes)
|
||||
+ || BN_bn2binpad(DH_get0_pub_key(dh_clnt), keybytes, prime_len) < 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
}
|
||||
|
||||
- BN_bn2bin(pub_key, keybytes);
|
||||
EVP_PKEY_free(ckey);
|
||||
|
||||
return 1;
|
Loading…
Reference in New Issue
Block a user