From 899e25643dc63a84a924d08f86d7d19613714431 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 9 Feb 2021 15:50:05 +0000 Subject: Implement EVP_PKEY_param_check_quick() and use it in libssl The low level DH API has two functions for checking parameters: DH_check_ex() and DH_check_params_ex(). The former does a "full" check, while the latter does a "quick" check. Most importantly it skips the check for a safe prime. We're ok without using safe primes here because we're doing ephemeral DH. Now that libssl is fully using the EVP API, we need a way to specify that we want a quick check instead of a full check. Therefore we introduce EVP_PKEY_param_check_quick() and use it. Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14146) --- ssl/statem/statem_clnt.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'ssl/statem') diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 2358e2c616..e5a255d75d 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2071,7 +2071,13 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) EVP_PKEY_CTX_free(pctx); pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, peer_tmp, s->ctx->propq); if (pctx == NULL - || EVP_PKEY_param_check(pctx) != 1 + /* + * EVP_PKEY_param_check() will verify that the DH params are using + * a safe prime. In this context, because we're using ephemeral DH, + * we're ok with it not being a safe prime. + * EVP_PKEY_param_check_quick() skips the safe prime check. + */ + || EVP_PKEY_param_check_quick(pctx) != 1 || EVP_PKEY_public_check(pctx) != 1) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE); goto err; -- cgit v1.2.3