authorJoel Sing <jsing@cvs.openbsd.org>2021-12-04 13:50:36 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2021-12-04 13:50:36 +0000
commitfa10989900c7e0761002a9b0d3087e591f0e754a (patch)
tree4edd00790f282dad95f14ab3ae62b6291c88ee68
parent6e39afa22b9c602df031980112eb059781624f0c (diff)
Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
ok inoguchi@ tb@
-rw-r--r--lib/libssl/ssl_clnt.c13
-rw-r--r--lib/libssl/ssl_kex.c16
-rw-r--r--lib/libssl/ssl_locl.h4
3 files changed, 19 insertions, 14 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 04b3132d358..a3c78096f78 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.121 2021/12/04 13:15:10 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.122 2021/12/04 13:50:35 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1223,7 +1223,7 @@ ssl3_get_server_certificate(SSL *s)
static int
ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
{
- int invalid_key;
+ int invalid_params, invalid_key;
SESS_CERT *sc = NULL;
DH *dh = NULL;
long alg_a;
@@ -1234,16 +1234,13 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
if ((dh = DH_new()) == NULL)
goto err;
- if (!ssl_kex_peer_params_dhe(dh, cbs))
+ if (!ssl_kex_peer_params_dhe(dh, cbs, &invalid_params))
goto decode_err;
if (!ssl_kex_peer_public_dhe(dh, cbs, &invalid_key))
goto decode_err;
- /*
- * Check the strength of the DH key just constructed.
- * Reject keys weaker than 1024 bits.
- */
- if (DH_size(dh) < 1024 / 8) {
+ if (invalid_params) {
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
SSLerror(s, SSL_R_BAD_DH_P_LENGTH);
goto err;
}
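Review bot: The `if (invalid_params)` branch replaces a commented check with an uncommented one, and the test behind it is not quite the old one. The removed line compared `DH_size(dh)`, a byte count, against `1024 / 8`, while the callee now compares `DH_bits(dh)` against 1024, so a prime of 1017 to 1023 bits that passed before is now rejected. That tightening is reasonable, but the commit title says only "Move", so a comment would help, e.g. `/* Server's DH prime is shorter than the minimum enforced in ssl_kex_peer_params_dhe(). */`. As far as this hunk shows, the branch also newly sends a fatal illegal_parameter alert before `goto err`. ssl3_get_server_kex_dhe() continues past the end of the hunk.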
diff --git a/lib/libssl/ssl_kex.c b/lib/libssl/ssl_kex.c
index 68d83cedbe5..639981bec96 100644
--- a/lib/libssl/ssl_kex.c
+++ b/lib/libssl/ssl_kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_kex.c,v 1.6 2021/12/04 13:15:10 jsing Exp $ */
+/* $OpenBSD: ssl_kex.c,v 1.7 2021/12/04 13:50:35 jsing Exp $ */
/*
* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
*
@@ -25,6 +25,8 @@
#include "bytestring.h"
+#define DHE_MINIMUM_BITS 1024
+
int
ssl_kex_generate_dhe(DH *dh, DH *dh_params)
{
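Review bot: `DHE_MINIMUM_BITS` is added without a comment saying what it bounds or why 1024 was chosen. A line such as `/* Minimum size in bits of a peer-supplied DH prime; smaller groups are rejected. */` would tie the macro to the check that uses it. 1024-bit finite-field groups are generally treated as a legacy floor rather than a comfortable margin, so it is worth recording whether the value is kept for interoperability.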
@@ -110,12 +112,14 @@ ssl_kex_public_dhe(DH *dh, CBB *cbb)
}
int
-ssl_kex_peer_params_dhe(DH *dh, CBS *cbs)
+ssl_kex_peer_params_dhe(DH *dh, CBS *cbs, int *invalid_params)
{
- CBS dh_p, dh_g;
BIGNUM *p = NULL, *g = NULL;
+ CBS dh_p, dh_g;
int ret = 0;
+ *invalid_params = 0;
+
if (!CBS_get_u16_length_prefixed(cbs, &dh_p))
goto err;
if (!CBS_get_u16_length_prefixed(cbs, &dh_g))
@@ -128,10 +132,14 @@ ssl_kex_peer_params_dhe(DH *dh, CBS *cbs)
if (!DH_set0_pqg(dh, p, NULL, g))
goto err;
-
p = NULL;
g = NULL;
+ /* XXX - consider calling DH_check(). */
+
+ if (DH_bits(dh) < DHE_MINIMUM_BITS)
+ *invalid_params = 1;
+
ret = 1;
err:
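Review bot: An undersized prime leaves this function returning 1 with `*invalid_params` set, so the return value alone no longer means the parameters are acceptable, and nothing in the hunk documents that contract. A future caller that tests only the return value would go on to use the weak group. I would add a comment above the function, e.g. `/* Returns 1 if p and g were parsed; *invalid_params is set when p is shorter than DHE_MINIMUM_BITS and the caller must then reject the handshake. */`. The function starts and finishes outside this hunk.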
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 93bdd2a4fcd..0051989ea0a 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.370 2021/12/04 13:15:10 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.371 2021/12/04 13:50:35 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1450,7 +1450,7 @@ int ssl3_get_cert_verify(SSL *s);
int ssl_kex_generate_dhe(DH *dh, DH *dh_params);
int ssl_kex_params_dhe(DH *dh, CBB *cbb);
int ssl_kex_public_dhe(DH *dh, CBB *cbb);
-int ssl_kex_peer_params_dhe(DH *dh, CBS *cbs);
+int ssl_kex_peer_params_dhe(DH *dh, CBS *cbs, int *invalid_params);
int ssl_kex_peer_public_dhe(DH *dh, CBS *cbs, int *invalid_key);
int ssl_kex_derive_dhe(DH *dh, DH *dh_peer,
uint8_t **shared_key, size_t *shared_key_len);