author | Felix Monninger <felix.monninger@gmail.com> | 2020-06-30 22:57:36 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-09-01 14:27:05 +0200 |
commit | 807b0a1dbb65fcf0d432184326e76e9f745dc3f1 (patch) | |
tree | 0cb6a66cb6f5bf6a625e0f99f8282cdc104e4ebb /ssl | |
parent | 72c1e37421ffe9a4db4bba46f3d736dbc227c255 (diff) |
also zero pad DHE public key in ClientKeyExchange message for interop
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12331)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/statem_clnt.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 4c994dd389..0780e5fc9a 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -3069,9 +3069,9 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt)
 {
 #ifndef OPENSSL_NO_DH
 DH *dh_clnt = NULL;
- const BIGNUM *pub_key;
 EVP_PKEY *ckey = NULL, *skey = NULL;
 unsigned char *keybytes = NULL;
+ int prime_len;
 skey = s->s3.peer_tmp;
 if (skey == NULL) {
@@ -3101,15 +3101,19 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt)
 }
 /* send off the data */
- DH_get0_key(dh_clnt, &pub_key, NULL);
- if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key),
- &keybytes)) {
+ prime_len = BN_num_bytes(DH_get0_p(dh_clnt));
+ /*
+ * For interoperability with some versions of the Microsoft TLS
+ * stack, we need to zero pad the DHE pub key to the same length
+ * as the prime, so use the length of the prime here.
+ */
+ if (!WPACKET_sub_allocate_bytes_u16(pkt, prime_len, &keybytes)
+ || BN_bn2binpad(DH_get0_pub_key(dh_clnt), keybytes, prime_len) < 0) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR);
 goto err;
 }
- BN_bn2bin(pub_key, keybytes);
 EVP_PKEY_free(ckey);
 return 1; |
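Review bot: The comment added in the second hunk explains why the prime's length is used, but not what the new `BN_bn2binpad(...) < 0` branch guards against, so the next reader cannot tell whether that failure is reachable. A correctly generated public value is smaller than p and always fits in `prime_len` bytes, so I would state that next to the check, e.g. `/* pub_key < p, so a failure here means the key and parameters are inconsistent */`. The padding only alters the encoding of a public value and takes effect only when that value has leading zero bytes, so a regression is easy to miss without a test that forces such a key; the diffstat shown is limited to `ssl`, so I cannot tell whether one was added elsewhere. Both hunks cut into `tls_construct_cke_dhe`; the key generation between them and the `err:` path are outside the view.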