author | Richard Levitte <levitte@openssl.org> | 2016-12-30 21:57:28 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-01-26 10:54:36 +0000 |
commit | a39aa18644d3338087a827c6555b18bc857346fe (patch) | |
tree | 76de6f9b8fa690fb4fcfd6d023236ac57ced30b8 /ssl | |
parent | 00d965474b22b54e4275232bc71ee0c699c5cd21 (diff) |
Better check of DH parameters in TLS data
When the client reads DH parameters from the TLS stream, we only
checked that they all are non-zero. This change updates the check to
use DH_check_params()
DH_check_params() is a new function for light weight checking of the p
and g parameters:
check that p is odd
check that 1 < g < p - 1
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/statem_clnt.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index a7cf227ce4..dc6443ddaf 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1414,6 +1414,8 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
 DH *dh = NULL;
 BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
+ int check_bits = 0;
+
 if (!PACKET_get_length_prefixed_2(pkt, &prime) || !PACKET_get_length_prefixed_2(pkt, &generator) || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
@@ -1441,7 +1443,8 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
 goto err;
 }
- if (BN_is_zero(p) || BN_is_zero(g) || BN_is_zero(bnpub_key)) {
+ /* test non-zero pupkey */
+ if (BN_is_zero(bnpub_key)) {
 *al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE);
 goto err;
@@ -1454,6 +1457,12 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
 }
 p = g = NULL;
+ if (DH_check_params(dh, &check_bits) == 0 || check_bits != 0) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE);
+ goto err;
+ }
+
 if (!DH_set0_key(dh, bnpub_key, NULL)) {
 *al = SSL_AD_INTERNAL_ERROR;
 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB); |
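Review bot: The added comment `/* test non-zero pupkey */` in the second hunk misspells the name and does not say why the test is there; `/* the server's public value must be non-zero; p and g are validated by DH_check_params() below */` would record where the rest of the old check went. With p and g removed from this condition, the public value is still only compared against zero at this point, so a value outside 1 < y < p - 1 gets past it. If no later step range-checks the value (none is visible in this hunk), a `DH_check_pub_key()` call once the key is attached to `dh` would cover that. The body of tls_process_ske_dhe starts and ends outside the hunk.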
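Review bot: The alert set in the third hunk when `DH_check_params()` rejects p or g is `SSL_AD_DECODE_ERROR`, yet by then the message has parsed correctly and the values are semantically invalid, which is the case `SSL_AD_ILLEGAL_PARAMETER` describes; consider `*al = SSL_AD_ILLEGAL_PARAMETER;` in the added block. Going by the commit message, the check covers only "p is odd" and "1 < g < p - 1", so a comment above it such as `/* sanity check only: does not test that p is prime or of acceptable size */` would keep readers from assuming stronger validation of server-supplied parameters. Whether the size of p is enforced elsewhere in the function cannot be seen from this hunk.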