SHA256
1
0
forked from pool/openssl-1_1

Accepting request 869986 from home:jsikes:branches:security:tls

Small change to undo another small change. Sorry.

OBS-URL: https://build.opensuse.org/request/show/869986
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=84
This commit is contained in:
Jason Sikes 2021-02-06 23:06:18 +00:00 committed by Git OBS Bridge
parent 083820900d
commit 1f67f5cc44
3 changed files with 7 additions and 40 deletions

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Sat Feb 6 14:44:12 UTC 2021 - Jason Sikes <jsikes@suse.com>
- Removed patch because it was causing problems with other servers.
* openssl-zero-pad-DHE-public-key.patch
* bsc#1181796
-------------------------------------------------------------------
Thu Feb 4 18:23:17 UTC 2021 - Jason Sikes <jsikes@suse.com>

View File

@ -91,7 +91,6 @@ Patch52: openssl-1.1.1-system-cipherlist.patch
Patch53: openssl-1_1-seclevel.patch
Patch54: openssl-1_1-use-seclevel2-in-tests.patch
Patch55: openssl-1_1-disable-test_srp-sslapi.patch
Patch56: openssl-zero-pad-DHE-public-key.patch
BuildRequires: pkgconfig
Conflicts: ssl
Provides: ssl

View File

@ -1,39 +0,0 @@
Index: openssl-1.1.1i/ssl/statem/statem_clnt.c
===================================================================
--- openssl-1.1.1i.orig/ssl/statem/statem_clnt.c
+++ openssl-1.1.1i/ssl/statem/statem_clnt.c
@@ -3057,9 +3057,9 @@ static int tls_construct_cke_dhe(SSL *s,
{
#ifndef OPENSSL_NO_DH
DH *dh_clnt = NULL;
- const BIGNUM *pub_key;
EVP_PKEY *ckey = NULL, *skey = NULL;
unsigned char *keybytes = NULL;
+ int prime_len;
skey = s->s3->peer_tmp;
if (skey == NULL) {
@@ -3089,15 +3089,19 @@ static int tls_construct_cke_dhe(SSL *s,
}
/* send off the data */
- DH_get0_key(dh_clnt, &pub_key, NULL);
- if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key),
- &keybytes)) {
+ prime_len = BN_num_bytes(DH_get0_p(dh_clnt));
+ /*
+ * For interoperability with some versions of the Microsoft TLS
+ * stack, we need to zero pad the DHE pub key to the same length
+ * as the prime, so use the length of the prime here.
+ */
+ if (!WPACKET_sub_allocate_bytes_u16(pkt, prime_len, &keybytes)
+ || BN_bn2binpad(DH_get0_pub_key(dh_clnt), keybytes, prime_len) < 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
ERR_R_INTERNAL_ERROR);
goto err;
}
- BN_bn2bin(pub_key, keybytes);
EVP_PKEY_free(ckey);
return 1;