Add domain parameter match check for DH and ECDH key exchange.#14823
Closed
slontis wants to merge 4 commits intoopenssl:masterfrom
Closed
Add domain parameter match check for DH and ECDH key exchange.#14823slontis wants to merge 4 commits intoopenssl:masterfrom
slontis wants to merge 4 commits intoopenssl:masterfrom
Conversation
slontis
added
branch: master
Member
Author
|
rebased |
Member
Author
|
The appveyor issue is unrelated to this PR (See #14851) |
paulidale
approved these changes
Apr 13, 2021
paulidale
added
approval: done
t8m
reviewed
Apr 13, 2021
Member
t8m
left a comment
t8m
left a comment
There was a problem hiding this comment.
Please rename the error to PROV_R_MISMATCHING_DOMAIN_PARAMETERS or PROV_R_DOMAIN_PARAMETERS_MISMATCH. Otherwise OK.
Fixes openssl#14808 Validation checks were moved into EVP_PKEY_derive_set_peer() which broke an external negative test. Originally the old code was semi working by checking the peers public key was in the range of other parties p. It was not actually ever checking that the domain parameters were consistent between the 2 parties. It now checks the parameters match as well as validating the peers public key.
Member
Author
|
Apart from renaming the error there are no changes. Rebased also. |
Member
Author
|
I am assuming the approval still holds and that this is ready for merge if the CI loop passes.. |
Collaborator
|
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
paulidale
approved these changes
Apr 14, 2021
paulidale
added
approval: ready to merge
Member
Author
|
pauli - can I merge this now? |
openssl-machine
pushed a commit
that referenced
this pull request
Apr 14, 2021
Fixes #14808 Validation checks were moved into EVP_PKEY_derive_set_peer() which broke an external negative test. Originally the old code was semi working by checking the peers public key was in the range of other parties p. It was not actually ever checking that the domain parameters were consistent between the 2 parties. It now checks the parameters match as well as validating the peers public key. Reviewed-by: Paul Dale <[email protected]> (Merged from #14823)
Member
Author
|
Thanks for reviewing. Merged to master. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #14808
Validation checks were moved into EVP_PKEY_derive_set_peer() which broke
an external negative test. Originally the old code was semi working by checking the peers public key was in the range of other parties p. It was not actually ever
checking that the domain parameters were consistent between the 2
parties. It now checks the parameters match as well as validating the
peers public key.
Checklist