From 7e13901c0c99c9d50f22a8fda5778e335fbf6b07 Mon Sep 17 00:00:00 2001
From: deuce <>
Date: Mon, 17 Feb 2020 20:46:38 +0000
Subject: [PATCH] Fix incorrect AES blocksizes.

The block sizes for TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 were incorrect in the suite
definitions.

This is the root cause behind the old cl-suites.patch which disabled
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (no great loss).  This patch also
fixes the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 suite, which may be what
new Apple phones were negotiating for pop3s connections.
---
 3rdp/build/GNUmakefile                   |  4 +--
 3rdp/build/cl-ssl-suite-blocksizes.patch | 41 ++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 3rdp/build/cl-ssl-suite-blocksizes.patch

diff --git a/3rdp/build/GNUmakefile b/3rdp/build/GNUmakefile
index 3bd7f1ae5c..f49de92e69 100644
--- a/3rdp/build/GNUmakefile
+++ b/3rdp/build/GNUmakefile
@@ -67,7 +67,7 @@ $(CRYPT_SRC): | $(3RDPSRCDIR)
 $(CRYPT_IDIR): | $(3RDPODIR)
 	$(QUIET)$(IFNOTEXIST) mkdir $(CRYPT_IDIR)
 
-$(CRYPTLIB_BUILD): $(3RDP_ROOT)$(DIRSEP)dist/cryptlib.zip $(3RDP_ROOT)$(DIRSEP)build/terminal-params.patch $(3RDP_ROOT)$(DIRSEP)build/cl-mingw32-static.patch $(3RDP_ROOT)$(DIRSEP)build/cl-ranlib.patch $(3RDP_ROOT)$(DIRSEP)build/cl-win32-noasm.patch $(3RDP_ROOT)$(DIRSEP)build/cl-zz-country.patch $(3RDP_ROOT)$(DIRSEP)build/cl-algorithms.patch $(3RDP_ROOT)$(DIRSEP)build/cl-allow-duplicate-ext.patch $(3RDP_ROOT)$(DIRSEP)build/cl-macosx-minver.patch $(3RDP_ROOT)$(DIRSEP)build/cl-endian.patch $(3RDP_ROOT)$(DIRSEP)build/cl-cryptodev.patch $(3RDP_ROOT)$(DIRSEP)build/cl-posix-me-gently.patch $(3RDP_ROOT)$(DIRSEP)build/cl-tpm-linux.patch $(3RDP_ROOT)$(DIRSEP)build/cl-PAM-noprompts.patch $(3RDP_ROOT)$(DIRSEP)build/cl-zlib.patch $(3RDP_ROOT)$(DIRSEP)build/Dynamic-linked-static-lib.patch $(3RDP_ROOT)$(DIRSEP)build/SSL-fix.patch $(3RDP_ROOT)$(DIRSEP)build/cl-bigger-maxattribute.patch $(3RDP_ROOT)$(DIRSEP)build/cl-vcxproj.patch $(3RDP_ROOT)$(DIRSEP)build/cl-mingw-vcver.patch $(3RDP_ROOT)$(DIRSEP)build/cl-win32-build-fix.patch $(3RDP_ROOT)$(DIRSEP)build/cl-gcc-non-const-time-val.patch $(3RDP_ROOT)$(DIRSEP)build/cl-no-odbc.patch $(3RDP_ROOT)$(DIRSEP)build/cl-suites.patch $(3RDP_ROOT)$(DIRSEP)build/cl-noasm-defines.patch $(3RDP_ROOT)$(DIRSEP)build/cl-bn-noasm64-fix.patch $(3RDP_ROOT)$(DIRSEP)build/cl-no-RSA-suites.patch $(3RDP_ROOT)$(DIRSEP)build/cl-fix-ECC-RSA.patch $(3RDP_ROOT)$(DIRSEP)build/cl-prefer-ECC.patch $(3RDP_ROOT)$(DIRSEP)build/cl-prefer-ECC-harder.patch $(3RDP_ROOT)$(DIRSEP)build/cl-more-RSA-ECC-fixes.patch $(3RDP_ROOT)$(DIRSEP)build/cl-DH-key-init.patch $(3RDP_ROOT)$(DIRSEP)build/cl-clear-GCM-flag.patch $(3RDP_ROOT)$(DIRSEP)build/cl-use-ssh-ctr.patch $(3RDP_ROOT)$(DIRSEP)build/cl-ssh-list-ctr-modes.patch $(3RDP_ROOT)$(DIRSEP)build/cl-ssh-incCtr.patch | $(CRYPT_SRC) $(CRYPT_IDIR)
+$(CRYPTLIB_BUILD): $(3RDP_ROOT)$(DIRSEP)dist/cryptlib.zip $(3RDP_ROOT)$(DIRSEP)build/terminal-params.patch $(3RDP_ROOT)$(DIRSEP)build/cl-mingw32-static.patch $(3RDP_ROOT)$(DIRSEP)build/cl-ranlib.patch $(3RDP_ROOT)$(DIRSEP)build/cl-win32-noasm.patch $(3RDP_ROOT)$(DIRSEP)build/cl-zz-country.patch $(3RDP_ROOT)$(DIRSEP)build/cl-algorithms.patch $(3RDP_ROOT)$(DIRSEP)build/cl-allow-duplicate-ext.patch $(3RDP_ROOT)$(DIRSEP)build/cl-macosx-minver.patch $(3RDP_ROOT)$(DIRSEP)build/cl-endian.patch $(3RDP_ROOT)$(DIRSEP)build/cl-cryptodev.patch $(3RDP_ROOT)$(DIRSEP)build/cl-posix-me-gently.patch $(3RDP_ROOT)$(DIRSEP)build/cl-tpm-linux.patch $(3RDP_ROOT)$(DIRSEP)build/cl-PAM-noprompts.patch $(3RDP_ROOT)$(DIRSEP)build/cl-zlib.patch $(3RDP_ROOT)$(DIRSEP)build/Dynamic-linked-static-lib.patch $(3RDP_ROOT)$(DIRSEP)build/SSL-fix.patch $(3RDP_ROOT)$(DIRSEP)build/cl-bigger-maxattribute.patch $(3RDP_ROOT)$(DIRSEP)build/cl-vcxproj.patch $(3RDP_ROOT)$(DIRSEP)build/cl-mingw-vcver.patch $(3RDP_ROOT)$(DIRSEP)build/cl-win32-build-fix.patch $(3RDP_ROOT)$(DIRSEP)build/cl-gcc-non-const-time-val.patch $(3RDP_ROOT)$(DIRSEP)build/cl-no-odbc.patch $(3RDP_ROOT)$(DIRSEP)build/cl-noasm-defines.patch $(3RDP_ROOT)$(DIRSEP)build/cl-bn-noasm64-fix.patch $(3RDP_ROOT)$(DIRSEP)build/cl-no-RSA-suites.patch $(3RDP_ROOT)$(DIRSEP)build/cl-fix-ECC-RSA.patch $(3RDP_ROOT)$(DIRSEP)build/cl-prefer-ECC.patch $(3RDP_ROOT)$(DIRSEP)build/cl-prefer-ECC-harder.patch $(3RDP_ROOT)$(DIRSEP)build/cl-more-RSA-ECC-fixes.patch $(3RDP_ROOT)$(DIRSEP)build/cl-DH-key-init.patch $(3RDP_ROOT)$(DIRSEP)build/cl-clear-GCM-flag.patch $(3RDP_ROOT)$(DIRSEP)build/cl-use-ssh-ctr.patch $(3RDP_ROOT)$(DIRSEP)build/cl-ssh-list-ctr-modes.patch $(3RDP_ROOT)$(DIRSEP)build/cl-ssh-incCtr.patch $(3RDP_ROOT)$(DIRSEP)build/cl-ssl-suite-blocksizes.patch | $(CRYPT_SRC) $(CRYPT_IDIR)
 	@echo Creating $@ ...
 	$(QUIET)-rm -rf $(CRYPT_SRC)/*
 	$(QUIET)unzip -oa $(3RDPDISTDIR)$(DIRSEP)cryptlib.zip -d $(CRYPT_SRC)
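Review bot: The prerequisite list and the recipe stop using cl-suites.patch, but the diffstat lists only GNUmakefile and the new patch, so the old file appears to stay in 3rdp/build with nothing in this makefile referencing it. Deleting it in the same commit, or adding a comment above the rule such as `# cl-suites.patch retired; superseded by cl-ssl-suite-blocksizes.patch`, would keep it from being re-applied by mistake. Per the commit message, dropping it also puts TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 back on offer, so any other build path that still applies cl-suites.patch (none is visible here) would ship a different suite list. The rule's recipe continues outside this hunk.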
@@ -94,7 +94,6 @@ $(CRYPTLIB_BUILD): $(3RDP_ROOT)$(DIRSEP)dist/cryptlib.zip $(3RDP_ROOT)$(DIRSEP)b
 	$(QUIET)patch -p0 -d $(CRYPT_SRC) < cl-win32-build-fix.patch
 	$(QUIET)patch -p0 -d $(CRYPT_SRC) < cl-gcc-non-const-time-val.patch
 	$(QUIET)patch -p0 -d $(CRYPT_SRC) < cl-no-odbc.patch
-	$(QUIET)patch -p0 -d $(CRYPT_SRC) < cl-suites.patch
 	$(QUIET)patch -p0 -d $(CRYPT_SRC) < cl-noasm-defines.patch
 	$(QUIET)patch -p0 -d $(CRYPT_SRC) < cl-bn-noasm64-fix.patch
 	$(QUIET)patch -p0 -d $(CRYPT_SRC) < cl-no-RSA-suites.patch
@@ -107,6 +106,7 @@ $(CRYPTLIB_BUILD): $(3RDP_ROOT)$(DIRSEP)dist/cryptlib.zip $(3RDP_ROOT)$(DIRSEP)b
 	$(QUIET)patch -p0 -d $(CRYPT_SRC) < cl-use-ssh-ctr.patch
 	$(QUIET)patch -p0 -d $(CRYPT_SRC) < cl-ssh-list-ctr-modes.patch
 	$(QUIET)patch -p0 -d $(CRYPT_SRC) < cl-ssh-incCtr.patch
+	$(QUIET)patch -p0 -d $(CRYPT_SRC) < cl-ssl-suite-blocksizes.patch
 ifeq ($(CC),mingw32-gcc)
 	$(QUIET)cd $(CRYPT_SRC) && env - PATH="$(PATH)" CC="$(CC)" AR="$(AR)" RANLIB="$(RANLIB)" make directories
 	$(QUIET)cd $(CRYPT_SRC) && env - PATH="$(PATH)" CC="$(CC)" AR="$(AR)" RANLIB="$(RANLIB)" make toolscripts
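Review bot: The added `patch -p0` line runs with the default fuzz, which is risky for this particular patch because the cipher-suite table consists of near-identical rows. The new patch itself changes the same text `CRYPT_ALGO_HMAC_SHA2, 48, 16, GCMICV_SIZE,` in two different entries. If the table drifts, through a newer cryptlib.zip or a reordered earlier patch, a fuzzy match could drop the context line that names the suite and rewrite the size of a neighbouring entry without failing the build. Applying it as `$(QUIET)patch -p0 -F0 -d $(CRYPT_SRC) < cl-ssl-suite-blocksizes.patch` makes any context mismatch a hard error. The rule begins before this hunk and continues after it.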
diff --git a/3rdp/build/cl-ssl-suite-blocksizes.patch b/3rdp/build/cl-ssl-suite-blocksizes.patch
new file mode 100644
index 0000000000..05cdc2ac2a
--- /dev/null
+++ b/3rdp/build/cl-ssl-suite-blocksizes.patch
@@ -0,0 +1,41 @@
+--- session/ssl_suites.c.orig	2020-02-17 15:37:41.582802000 -0500
++++ session/ssl_suites.c	2020-02-17 15:40:10.099185000 -0500
+@@ -135,7 +135,7 @@
+ 	{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
+ 	  DESCRIPTION( "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" )
+ 	  CRYPT_ALGO_ECDH, CRYPT_ALGO_RSA, CRYPT_ALGO_AES,
+-	  CRYPT_ALGO_HMAC_SHA2, 0, 32, SHA2MAC_SIZE, 
++	  CRYPT_ALGO_HMAC_SHA2, 0, 16, SHA2MAC_SIZE, 
+ 	  CIPHERSUITE_FLAG_ECC | CIPHERSUITE_FLAG_TLS12 },
+ /*	{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 
+ 	  DESCRIPTION( "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" )
+@@ -190,7 +190,7 @@
+ 	{ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
+ 	  DESCRIPTION( "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" )
+ 	  CRYPT_ALGO_ECDH, CRYPT_ALGO_RSA, CRYPT_ALGO_AES,
+-	  CRYPT_ALGO_HMAC_SHA2, 48, 16, GCMICV_SIZE, 
++	  CRYPT_ALGO_HMAC_SHA2, 48, 32, GCMICV_SIZE, 
+ 	  CIPHERSUITE_FLAG_ECC | CIPHERSUITE_FLAG_GCM | CIPHERSUITE_FLAG_TLS12 },
+ 
+ 	/* AES-GCM with DH */
+@@ -200,9 +200,9 @@
+ 	  CRYPT_ALGO_HMAC_SHA2, 0, 16, GCMICV_SIZE, 
+ 	  CIPHERSUITE_FLAG_DH | CIPHERSUITE_FLAG_GCM | CIPHERSUITE_FLAG_TLS12 },
+ /*	{ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+-	  DESCRIPTION( "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" )
++	  DESCRIPTION( "TLS_DHE_RSA_WITH_AES_256_GCM_SHA256" )
+ 	  CRYPT_ALGO_DH, CRYPT_ALGO_RSA, CRYPT_ALGO_AES,
+-	  CRYPT_ALGO_HMAC_SHA2, 0, 16, GCMICV_SIZE, 
++	  CRYPT_ALGO_HMAC_SHA2, 0, 32, GCMICV_SIZE, 
+ 	  CIPHERSUITE_FLAG_DH | CIPHERSUITE_FLAG_GCM | CIPHERSUITE_FLAG_TLS12 }, */
+ 
+ 	/* AES-GCM with RSA */
+@@ -214,7 +214,7 @@
+ /*	{ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ 	  DESCRIPTION( "TLS_RSA_WITH_AES_256_GCM_SHA384" )
+ 	  CRYPT_ALGO_RSA, CRYPT_ALGO_RSA, CRYPT_ALGO_AES,
+-	  CRYPT_ALGO_HMAC_SHA2, 48, 16, GCMICV_SIZE, 
++	  CRYPT_ALGO_HMAC_SHA2, 48, 32, GCMICV_SIZE, 
+ 	  CIPHERSUITE_FLAG_GCM | CIPHERSUITE_FLAG_TLS12 }, */
+ 
+ 	/* End-of-list marker */
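Review bot: In the commented-out TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 entry, the new description string reads `"TLS_DHE_RSA_WITH_AES_256_GCM_SHA256"`, which still does not match the suite identifier; it should be `DESCRIPTION( "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" )`. That entry also keeps `0` in the column where the other two AES_256_GCM_SHA384 entries in this patch have `48`, so it presumably wants `CRYPT_ALGO_HMAC_SHA2, 48, 32, GCMICV_SIZE,`; confirm against the struct definition, which is not visible here. The entry is disabled, so nothing changes at runtime today, but it would negotiate with wrong parameters if someone uncomments it. Separately, the edited column tracks the AES key length (16 for AES-128, 32 for AES-256) and AES's block size is always 16 bytes, so a one-line comment in the patch header saying these are key sizes would avoid confusion with the "blocksizes" file name.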
-- 
GitLab