Better check of DH parameters in TLS data
When the client reads DH parameters from the TLS stream, we only
checked that they are all non-zero. This change updates the check
as follows:
- check that p is odd
- check that 1 < g < p - 1
Reviewed-by: Matt Caswell <matt@openssl.org>
Richard Levitte authored 7 years ago
Matt Caswell committed 7 years ago
1709 | 1709 | } |
1710 | 1710 | p += i; |
1711 | 1711 | |
1712 | if (BN_is_zero(dh->p)) { | |
1713 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE); | |
1714 | goto f_err; | |
1715 | } | |
1716 | ||
1717 | ||
1718 | 1712 | if (2 > n - param_len) { |
1719 | 1713 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); |
1720 | 1714 | goto f_err; |
1735 | 1729 | } |
1736 | 1730 | p += i; |
1737 | 1731 | |
1738 | if (BN_is_zero(dh->g)) { | |
1739 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE); | |
1740 | goto f_err; | |
1741 | } | |
1742 | ||
1743 | 1732 | if (2 > n - param_len) { |
1744 | 1733 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); |
1745 | 1734 | goto f_err; |
1764 | 1753 | if (BN_is_zero(dh->pub_key)) { |
1765 | 1754 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_VALUE); |
1766 | 1755 | goto f_err; |
1756 | } | |
1757 | ||
1758 | /*- | |
1759 | * Check that p and g are suitable enough | |
1760 | * | |
1761 | * p is odd | |
1762 | * 1 < g < p - 1 | |
1763 | */ | |
1764 | { | |
1765 | BIGNUM *tmp = NULL; | |
1766 | ||
1767 | if (!BN_is_odd(dh->p)) { | |
1768 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE); | |
1769 | goto f_err; | |
1770 | } | |
1771 | if (BN_is_negative(dh->g) || BN_is_zero(dh->g) | |
1772 | || BN_is_one(dh->g)) { | |
1773 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE); | |
1774 | goto f_err; | |
1775 | } | |
1776 | if ((tmp = BN_new()) == NULL | |
1777 | || BN_copy(tmp, dh->p) == NULL | |
1778 | || !BN_sub_word(tmp, 1)) { | |
1779 | BN_free(tmp); | |
1780 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); | |
1781 | goto err; | |
1782 | } | |
1783 | if (BN_cmp(dh->g, tmp) >= 0) { | |
1784 | BN_free(tmp); | |
1785 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE); | |
1786 | goto f_err; | |
1787 | } | |
1788 | BN_free(tmp); | |
1767 | 1789 | } |
1768 | 1790 | |
1769 | 1791 | # ifndef OPENSSL_NO_RSA |
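Review bot: The server's public value is still rejected only when it is zero (the `BN_is_zero(dh->pub_key)` check just above the new block), so a value of 1 or p - 1, either of which makes the shared secret predictable, passes the checks visible here. Since `tmp` already holds p - 1, the new block could reject those values before the final `BN_free(tmp)`: `if (BN_is_one(dh->pub_key) || BN_cmp(dh->pub_key, tmp) >= 0) { BN_free(tmp); SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_VALUE); goto f_err; }`. The enclosing function starts and ends outside these lines, so the range may already be enforced later when the key is computed; confirm that before adding the check. The block comment says "suitable enough" and should state what is not verified here, for example `* NOTE: primality and minimum size of p are not checked in this block`.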