[openssl-commits] [openssl] master update

Rich Salz Mon, 25 Jul 2016 10:46:27 -0700

The branch master has been updated
       via  78a01b3f69f563a1577a6f90edbd9ebde80d6b70 (commit)
      from  fe0169b09717b3c3d52c0fba96e1dcf5e8a60d94 (commit)



- Log -----------------------------------------------------------------
commit 78a01b3f69f563a1577a6f90edbd9ebde80d6b70
Author: russor <[email protected]>
Date:   Mon Jul 25 10:30:13 2016 -0700

    zero pad DHE public key in ServerKeyExchange message for interop
    
    Some versions of the Microsoft TLS stack have problems when the DHE public 
key
    is encoded with fewer bytes than the DHE prime.
    
    There's some public acknowledgement of the bug at these links:
    
    
https://connect.microsoft.com/IE/feedback/details/1253526/tls-serverkeyexchange-with-1024-dhe-may-encode-dh-y-as-127-bytes-breaking-internet-explorer-11
    
https://connect.microsoft.com/IE/feedback/details/1104905/wininet-calculation-of-mac-in-tls-handshake-intermittently-fails-for-dhe-rsa-key-exchange
    
    This encoding issue also causes the same errors with 2048-bit DHE, if the
    public key is encoded in fewer than 256 bytes and includes the TLS stack on
    Windows Phone 8.x.
    
    Reviewed-by: Matt Caswell <[email protected]>
    Reviewed-by: Rich Salz <[email protected]>
    (Merged from https://github.com/openssl/openssl/pull/1320)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/statem_srvr.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index b7f2a0f..dc43095 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1608,6 +1608,7 @@ int tls_construct_server_key_exchange(SSL *s)
 {
 #ifndef OPENSSL_NO_DH
     EVP_PKEY *pkdh = NULL;
+    int j;
 #endif
 #ifndef OPENSSL_NO_EC
     unsigned char *encodedPoint = NULL;
@@ -1799,6 +1800,16 @@ int tls_construct_server_key_exchange(SSL *s)
             n += 1 + nr[i];
         else
 #endif
+#ifndef OPENSSL_NO_DH
+        /*
+         * for interoperability with some versions of the Microsoft TLS
+         * stack, we need to zero pad the DHE pub key to the same length
+         * as the prime, so use the length of the prime here
+         */
+        if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK)))
+            n += 2 + nr[0];
+        else
+#endif
             n += 2 + nr[i];
     }
 
@@ -1856,6 +1867,20 @@ int tls_construct_server_key_exchange(SSL *s)
             p++;
         } else
 #endif
+#ifndef OPENSSL_NO_DH
+        /*
+         * for interoperability with some versions of the Microsoft TLS
+         * stack, we need to zero pad the DHE pub key to the same length
+         * as the prime
+         */
+        if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
+            s2n(nr[0], p);
+            for (j = 0; j < (nr[0] - nr[2]); ++j) {
+                *p = 0;
+                ++p;
+            }
+        } else
+#endif
             s2n(nr[i], p);
         BN_bn2bin(r[i], p);
         p += nr[i];
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

Reply via email to