also zero pad DHE public key in ClientKeyExchange message for interop #12331
Conversation
openssl-machine
added
the
hold: cla required
openssl-machine
removed
the
hold: cla required
heinzelotto
force-pushed
the
master
branch
2 times, most recently
from
7737456
to
4ca393b
Compare
|
@mattcaswell are you familiar with the WPACKET API and would you taking a look? |
ssl/statem/statem_clnt.c
Outdated
| /* | ||
| * for interoperability with some versions of the Microsoft TLS | ||
| * stack, we need to zero pad the DHE pub key to the same length | ||
| * as the prime, so use the length of the prime here |
There was a problem hiding this comment.
If we have to make other changes, we could use a capital 'F' to start the comment and a period at the end, to make it a complete sentence, but it's not worth changing just to fix that.
(And the ServerKeyExchange case doesn't do either, anyway.)
ssl/statem/statem_clnt.c
Outdated
| EVP_PKEY *ckey = NULL, *skey = NULL; | ||
| unsigned char *keybytes = NULL; | ||
| int np; |
There was a problem hiding this comment.
I'd consider a different name for this variable, maybe prime_len -- I'm not actually sure what "np" is supposed to indicate or stand for.
|
I'm going to dismiss @davidben 's review, since it was before the force-push. |
kaduk
added
approval: otc review pending
|
(the travis failures are the spurious "../../_srcdir/config: no such file or directory" that we've been seeing lately) |
|
Thank you @kaduk for your comments. I wanted to ask whether there were any necessary steps on my side once marked as "approval: otc review pending"? And I figured that if I am going to do an additional round trip anyway, I will just add the changes you suggested. (Hopefully I did the fixup! correctly) |
|
@heinzelotto the fixup looks good, thank you. |
ssl/statem/statem_clnt.c
Outdated
| SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, | ||
| ERR_R_INTERNAL_ERROR); | ||
| goto err; | ||
| } | ||
|
|
||
| BN_bn2bin(pub_key, keybytes); | ||
| BN_bn2binpad(DH_get0_pub_key(dh_clnt), keybytes, prime_len); |
There was a problem hiding this comment.
Please add check for the return value. Although it is in practice "can't happen" condition, if prime_len is lower than the length of the actual pub_key, the function will fail. You can move the call to the if condition above.
|
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago |
t8m
added
approval: done
openssl-machine
removed
the
approval: done
|
This pull request is ready to merge |
openssl-machine
added
the
approval: ready to merge
Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12331)
|
Merged to master. Thank you for your contribution and patience when waiting for the reviews. |
Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#12331)
|
This makes openssl as the client send out zero padded DHE pubkey in TLSv1.2 which means it breaks the standard as leading zeros should be stripped in TLSv1.2 (as opposite to TLSv1.3 where they should be left in the stream!). Is this really what you need/want? |
|
The spec says the resulting secret has leading zeros removed. I believe RFC5246 is silent as to whether the public key is padded. (Which is a mistake. It should have picked one, and the correct one to pick is fixed-width. But a bit late to fix that now, so implementations have to pick one.) |
|
So on the server side, you have to support (try...) both because your clients could have picked padding and not-padding? ;-) |
|
No, just have your parser tolerate leading zeros, as OpenSSL does. The resulting secret is different because it's a KDF input. (Alternatively, stop doing TLS 1.2 DHE as it's beyond saving.) |
The Windows SChannel TLS stack has problems when the DHE pub key is encoded with fewer bytes than the DHE prime.
In #1320 padding has already been added to work around this problem for the OpenSSL server case, and I experimented a little and Microsoft seems to have also fixed this in their client code.
I guess that OpenSSL server <-> windows client is the more common case, but the opposite case still causes handshakes to randomly fail when a DHE suite is selected. By adding padding for the OpenSSL client key exchange I hope to fix that.
This is my first contribution to OpenSSL, I tried to follow the style guide and conventions. Any corrections are much appreciated.