New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
also zero pad DHE public key in ClientKeyExchange message for interop #12331
Conversation
7737456
to
4ca393b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks reasonable to me, but I'm not as familiar with the new provider-based APIs and WPACKET
, so you should get a second review from someone more actively involved with the project.
@mattcaswell are you familiar with the WPACKET API and would you taking a look? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code looks fine to me; I just note some optional stylistic tweaks.
(Matt is on holiday at the moment, as I undestand it.)
ssl/statem/statem_clnt.c
Outdated
/* | ||
* for interoperability with some versions of the Microsoft TLS | ||
* stack, we need to zero pad the DHE pub key to the same length | ||
* as the prime, so use the length of the prime here |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we have to make other changes, we could use a capital 'F' to start the comment and a period at the end, to make it a complete sentence, but it's not worth changing just to fix that.
(And the ServerKeyExchange case doesn't do either, anyway.)
ssl/statem/statem_clnt.c
Outdated
EVP_PKEY *ckey = NULL, *skey = NULL; | ||
unsigned char *keybytes = NULL; | ||
int np; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd consider a different name for this variable, maybe prime_len
-- I'm not actually sure what "np" is supposed to indicate or stand for.
I'm going to dismiss @davidben 's review, since it was before the force-push. |
(the travis failures are the spurious "../../_srcdir/config: no such file or directory" that we've been seeing lately) |
Thank you @kaduk for your comments. I wanted to ask whether there were any necessary steps on my side once marked as "approval: otc review pending"? And I figured that if I am going to do an additional round trip anyway, I will just add the changes you suggested. (Hopefully I did the fixup! correctly) |
@heinzelotto the fixup looks good, thank you. |
ssl/statem/statem_clnt.c
Outdated
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, | ||
ERR_R_INTERNAL_ERROR); | ||
goto err; | ||
} | ||
|
||
BN_bn2bin(pub_key, keybytes); | ||
BN_bn2binpad(DH_get0_pub_key(dh_clnt), keybytes, prime_len); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add check for the return value. Although it is in practice "can't happen" condition, if prime_len is lower than the length of the actual pub_key, the function will fail. You can move the call to the if condition above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The fixup (check BN_bn2binpad return value) looks good.
The Travis failures are all the (unrelated) 'pem_to_der_deserializer_functions' declaration issue.
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This pull request is ready to merge |
Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12331)
Merged to master. Thank you for your contribution and patience when waiting for the reviews. |
Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#12331)
This makes openssl as the client send out zero padded DHE pubkey in TLSv1.2 which means it breaks the standard as leading zeros should be stripped in TLSv1.2 (as opposite to TLSv1.3 where they should be left in the stream!). Is this really what you need/want? |
The spec says the resulting secret has leading zeros removed. I believe RFC5246 is silent as to whether the public key is padded. (Which is a mistake. It should have picked one, and the correct one to pick is fixed-width. But a bit late to fix that now, so implementations have to pick one.) |
So on the server side, you have to support (try...) both because your clients could have picked padding and not-padding? ;-) |
No, just have your parser tolerate leading zeros, as OpenSSL does. The resulting secret is different because it's a KDF input. (Alternatively, stop doing TLS 1.2 DHE as it's beyond saving.) |
The Windows SChannel TLS stack has problems when the DHE pub key is encoded with fewer bytes than the DHE prime.
In #1320 padding has already been added to work around this problem for the OpenSSL server case, and I experimented a little and Microsoft seems to have also fixed this in their client code.
I guess that OpenSSL server <-> windows client is the more common case, but the opposite case still causes handshakes to randomly fail when a DHE suite is selected. By adding padding for the OpenSSL client key exchange I hope to fix that.
This is my first contribution to OpenSSL, I tried to follow the style guide and conventions. Any corrections are much appreciated.