From fa10989900c7e0761002a9b0d3087e591f0e754a Mon Sep 17 00:00:00 2001 From: Joel Sing Date: Sat, 4 Dec 2021 13:50:36 +0000 Subject: Move the minimum DHE key size check into ssl_kex_peer_params_dhe() ok inoguchi@ tb@ --- lib/libssl/ssl_clnt.c | 13 +++++-------- lib/libssl/ssl_kex.c | 16 ++++++++++++---- lib/libssl/ssl_locl.h | 4 ++-- 3 files changed, 19 insertions(+), 14 deletions(-) diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 04b3132d358..a3c78096f78 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.121 2021/12/04 13:15:10 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.122 2021/12/04 13:50:35 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1223,7 +1223,7 @@ ssl3_get_server_certificate(SSL *s) static int ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) { - int invalid_key; + int invalid_params, invalid_key; SESS_CERT *sc = NULL; DH *dh = NULL; long alg_a; @@ -1234,16 +1234,13 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) if ((dh = DH_new()) == NULL) goto err; - if (!ssl_kex_peer_params_dhe(dh, cbs)) + if (!ssl_kex_peer_params_dhe(dh, cbs, &invalid_params)) goto decode_err; if (!ssl_kex_peer_public_dhe(dh, cbs, &invalid_key)) goto decode_err; - /* - * Check the strength of the DH key just constructed. - * Reject keys weaker than 1024 bits. - */ - if (DH_size(dh) < 1024 / 8) { + if (invalid_params) { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); SSLerror(s, SSL_R_BAD_DH_P_LENGTH); goto err; } diff --git a/lib/libssl/ssl_kex.c b/lib/libssl/ssl_kex.c index 68d83cedbe5..639981bec96 100644 --- a/lib/libssl/ssl_kex.c +++ b/lib/libssl/ssl_kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_kex.c,v 1.6 2021/12/04 13:15:10 jsing Exp $ */ +/* $OpenBSD: ssl_kex.c,v 1.7 2021/12/04 13:50:35 jsing Exp $ */ /* * Copyright (c) 2020 Joel Sing * @@ -25,6 +25,8 @@ #include "bytestring.h" +#define DHE_MINIMUM_BITS 1024 + int ssl_kex_generate_dhe(DH *dh, DH *dh_params) { @@ -110,12 +112,14 @@ ssl_kex_public_dhe(DH *dh, CBB *cbb) } int -ssl_kex_peer_params_dhe(DH *dh, CBS *cbs) +ssl_kex_peer_params_dhe(DH *dh, CBS *cbs, int *invalid_params) { - CBS dh_p, dh_g; BIGNUM *p = NULL, *g = NULL; + CBS dh_p, dh_g; int ret = 0; + *invalid_params = 0; + if (!CBS_get_u16_length_prefixed(cbs, &dh_p)) goto err; if (!CBS_get_u16_length_prefixed(cbs, &dh_g)) @@ -128,10 +132,14 @@ ssl_kex_peer_params_dhe(DH *dh, CBS *cbs) if (!DH_set0_pqg(dh, p, NULL, g)) goto err; - p = NULL; g = NULL; + /* XXX - consider calling DH_check(). */ + + if (DH_bits(dh) < DHE_MINIMUM_BITS) + *invalid_params = 1; + ret = 1; err: diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 93bdd2a4fcd..0051989ea0a 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.370 2021/12/04 13:15:10 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.371 2021/12/04 13:50:35 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1450,7 +1450,7 @@ int ssl3_get_cert_verify(SSL *s); int ssl_kex_generate_dhe(DH *dh, DH *dh_params); int ssl_kex_params_dhe(DH *dh, CBB *cbb); int ssl_kex_public_dhe(DH *dh, CBB *cbb); -int ssl_kex_peer_params_dhe(DH *dh, CBS *cbs); +int ssl_kex_peer_params_dhe(DH *dh, CBS *cbs, int *invalid_params); int ssl_kex_peer_public_dhe(DH *dh, CBS *cbs, int *invalid_key); int ssl_kex_derive_dhe(DH *dh, DH *dh_peer, uint8_t **shared_key, size_t *shared_key_len); -- cgit v1.2.3