openssl / 918d8ea
Better check of DH parameters in TLS data When the client reads DH parameters from the TLS stream, we only checked that they all are non-zero. This change updates the check as follows: check that p is odd; check that 1 < g < p - 1. Reviewed-by: Matt Caswell <matt@openssl.org> Richard Levitte authored 7 years ago Matt Caswell committed 7 years ago
1 changed file(s) with 33 addition(s) and 11 deletion(s).
17091709 }
17101710 p += i;
17111711
1712 if (BN_is_zero(dh->p)) {
1713 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE);
1714 goto f_err;
1715 }
1716
1717
17181712 if (2 > n - param_len) {
17191713 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
17201714 goto f_err;
17351729 }
17361730 p += i;
17371731
1738 if (BN_is_zero(dh->g)) {
1739 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
1740 goto f_err;
1741 }
1742
17431732 if (2 > n - param_len) {
17441733 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
17451734 goto f_err;
17641753 if (BN_is_zero(dh->pub_key)) {
17651754 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_VALUE);
17661755 goto f_err;
1756 }
1757
1758 /*-
1759 * Check that p and g are suitable enough
1760 *
1761 * p is odd
1762 * 1 < g < p - 1
1763 */
1764 {
1765 BIGNUM *tmp = NULL;
1766
1767 if (!BN_is_odd(dh->p)) {
1768 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE);
1769 goto f_err;
1770 }
1771 if (BN_is_negative(dh->g) || BN_is_zero(dh->g)
1772 || BN_is_one(dh->g)) {
1773 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
1774 goto f_err;
1775 }
1776 if ((tmp = BN_new()) == NULL
1777 || BN_copy(tmp, dh->p) == NULL
1778 || !BN_sub_word(tmp, 1)) {
1779 BN_free(tmp);
1780 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1781 goto err;
1782 }
1783 if (BN_cmp(dh->g, tmp) >= 0) {
1784 BN_free(tmp);
1785 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
1786 goto f_err;
1787 }
1788 BN_free(tmp);
17671789 }
17681790
17691791 # ifndef OPENSSL_NO_RSA
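Review bot: The server's DH public value is still only rejected when it is zero (the `BN_is_zero(dh->pub_key)` test at new lines 1753-1755), while the added block range-checks p and g but not pub_key. A value of 1 or p - 1 would confine the shared secret to a trivial subgroup, so the same bound is worth applying while `tmp` holds p - 1: after the g comparison, reject when `BN_is_one(dh->pub_key) || BN_cmp(dh->pub_key, tmp) >= 0`, reporting `SSL_R_BAD_DH_PUB_KEY_VALUE` and freeing `tmp` as the neighbouring branches do. Whether a later step such as `DH_check_pub_key()` already enforces this is not visible here, so treat it as a point to confirm. The enclosing function (presumably ssl3_get_key_exchange, going by the error codes) starts and ends outside this section.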