Fix DH Key exchange incompatibility #10864
Open
+35
−5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A change in key types for DH keys was introduced in 42.0.0 such that DH key exchange with older versions (e.g. 41.0.7) no longer works. This affects key exchange with other OpenSSL servers as well. This commit reverts the code that attepmts to differentiate between DH and DHX key exchanges.
alex
reviewed
Apr 27, 2024
| } else { | ||
| Ok(openssl::pkey::PKey::from_dh(dh)?) | ||
| } | ||
| Ok(openssl::pkey::PKey::from_dh(dh)?) |
There was a problem hiding this comment.
So with this change it will never create a dhx variant, which I think is more aggressive than we want.
I'm honestly unsure how it is that no tests fail because of that.
I think you only want to apply this change to the generate codepaths. My suggest would be to add an allow_dhx param (maybe a better name), pass false in generate, but true everywhere else.
alex
reviewed
Apr 27, 2024
| @@ -473,6 +474,39 @@ def test_public_key_copy(self): | |||
|
|
|||
| assert key1 == key2 | |||
|
|
|||
| def test_old_public_key_exchange(self, backend): | |||
| # This is a public key generated on cryptograpy version 41.0.7 | |||
| key_data = textwrap.dedent( | |||
There was a problem hiding this comment.
Generally we use keys from the vectors/ directory in our tests -- there should be an existing one with a matching format.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A change in key types for DH keys was introduced in 42.0.0 such that DH key exchange with older versions (e.g. 41.0.7) no longer works. This affects key exchange with other OpenSSL servers as well.
This commit reverts the code that attempts to differentiate between DH and DHX key exchanges.
Fixes issue #10790