This should address the problem described in #1662.

1. `EVP_PKEY_derive_set_peer` requires the peer's public certificate to have exactly the same DH parameters, hence we need to merge the `OSSL_PARAMs` containing the public key with the DH parameters:
https://github.com/xrootd/xrootd/blob/7a4871cd64f153b7a704415dcc6cb5ba67254285/src/XrdCrypto/openssl3/XrdCryptosslCipher.cc#L580-L586

2. `EVP_PKEY_derive` requires the keylen argument to contain the length of the key buffer (if not null):
https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_derive.html
```
If key is not NULL then before the call the keylen parameter should contain the length of the key buffer, if the call is successful the shared secret is written to key and the amount of data written to keylen.
```
You can view, comment on, or merge this pull request online at:

  https://github.com/xrootd/xrootd/pull/1665

-- Commit Summary --

  * [XrdCrypto] openssl3: correctly initialize cipher with public key and DH parameters, fixes #1662

-- File Changes --

    M src/XrdCrypto/openssl3/XrdCryptosslCipher.cc (14)

-- Patch Links --

https://github.com/xrootd/xrootd/pull/1665.patch
https://github.com/xrootd/xrootd/pull/1665.diff
