Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation based on parameters determined by the specified key bits. Convert the existing DHE auto parameter selection code into a function that just tells us how many key bits to use. Untangle and rework the server side DHE key exchange to use the ssl_kex_* functions. ok inoguchi@ tb@
author: jsing <> 2021-12-04 14:03:22 +0000
committer: jsing <> 2021-12-04 14:03:22 +0000
commit: 553bc9b478f48580c6c51ddaa65c906cac0ee4e7 (patch)
tree: eaa42a538f5b252c276e4477b5f4bd6b0fd7a981
parent: 7747938abe289fe6b8f9dd672e16cfcfcbdf8c95 (diff)
download: openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.tar.gz
openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.tar.bz2
openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.zip
4 files changed, 116 insertions, 120 deletions
diff --git a/src/lib/libssl/ssl_kex.c b/src/lib/libssl/ssl_kex.c
index 639981bec9..78b528b168 100644
--- a/src/lib/libssl/ssl_kex.c
+++ b/src/lib/libssl/ssl_kex.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: ssl_kex.c,v 1.7 2021/12/04 13:50:35 jsing Exp $ */
+/* $OpenBSD: ssl_kex.c,v 1.8 2021/12/04 14:03:22 jsing Exp $ */
 /*
- * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -17,6 +17,7 @@
 #include <stdlib.h>
+#include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/ec.h>
 #include <openssl/ecdh.h>
@@ -40,7 +41,50 @@ ssl_kex_generate_dhe(DH *dh, DH *dh_params)
        if (!DH_set0_pqg(dh, p, NULL, g))
                goto err;
+        p = NULL;
+        g = NULL;
+        if (!DH_generate_key(dh))
+                goto err;
+        ret = 1;
+ err:
+        BN_free(p);
+        BN_free(g);
+        return ret;
+}
+int
+ssl_kex_generate_dhe_params_auto(DH *dh, size_t key_bits)
+{
+        BIGNUM *p = NULL, *g = NULL;
+        int ret = 0;
+        if (key_bits >= 8192)
+                p = get_rfc3526_prime_8192(NULL);
+        else if (key_bits >= 4096)
+                p = get_rfc3526_prime_4096(NULL);
+        else if (key_bits >= 3072)
+                p = get_rfc3526_prime_3072(NULL);
+        else if (key_bits >= 2048)
+                p = get_rfc3526_prime_2048(NULL);
+        else if (key_bits >= 1536)
+                p = get_rfc3526_prime_1536(NULL);
+        else
+                p = get_rfc2409_prime_1024(NULL);
+        if (p == NULL)
+                goto err;
+        if ((g = BN_new()) == NULL)
+                goto err;
+        if (!BN_set_word(g, 2))
+                goto err;
+        if (!DH_set0_pqg(dh, p, NULL, g))
+                goto err;
        p = NULL;
        g = NULL;
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 662013378e..a0d3d05775 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.279 2021/11/14 22:31:29 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.280 2021/12/04 14:03:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -147,7 +147,6 @@
 #include <limits.h>
 #include <stdio.h>
-#include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
@@ -2319,54 +2318,29 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd,
        return (pkey);
 }
-DH *
+size_t
-ssl_get_auto_dh(SSL *s)
+ssl_dhe_params_auto_key_bits(SSL *s)
 {
        CERT_PKEY *cpk;
-        int keylen;
+        int key_bits;
-        DH *dhp;
        if (s->cert->dh_tmp_auto == 2) {
-                keylen = 1024;
+                key_bits = 1024;
        } else if (S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) {
-                keylen = 1024;
+                key_bits = 1024;
                if (S3I(s)->hs.cipher->strength_bits == 256)
-                        keylen = 3072;
+                        key_bits = 3072;
        } else {
                if ((cpk = ssl_get_server_send_pkey(s)) == NULL)
-                        return (NULL);
+                        return 0;
                if (cpk->privatekey == NULL ||
                    EVP_PKEY_get0_RSA(cpk->privatekey) == NULL)
-                        return (NULL);
+                        return 0;
-                if ((keylen = EVP_PKEY_bits(cpk->privatekey)) <= 0)
+                if ((key_bits = EVP_PKEY_bits(cpk->privatekey)) <= 0)
-                        return (NULL);
+                        return 0;
        }
-        if ((dhp = DH_new()) == NULL)
+        return key_bits;
-                return (NULL);
-        dhp->g = BN_new();
-        if (dhp->g != NULL)
-                BN_set_word(dhp->g, 2);
-        if (keylen >= 8192)
-                dhp->p = get_rfc3526_prime_8192(NULL);
-        else if (keylen >= 4096)
-                dhp->p = get_rfc3526_prime_4096(NULL);
-        else if (keylen >= 3072)
-                dhp->p = get_rfc3526_prime_3072(NULL);
-        else if (keylen >= 2048)
-                dhp->p = get_rfc3526_prime_2048(NULL);
-        else if (keylen >= 1536)
-                dhp->p = get_rfc3526_prime_1536(NULL);
-        else
-                dhp->p = get_rfc2409_prime_1024(NULL);
-        if (dhp->p == NULL || dhp->g == NULL) {
-                DH_free(dhp);
-                return (NULL);
-        }
-        return (dhp);
 }
 static int
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 0051989ea0..d53c9ec273 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.371 2021/12/04 13:50:35 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.372 2021/12/04 14:03:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1343,7 +1343,7 @@ int ssl_undefined_const_function(const SSL *s);
 CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd,
    const struct ssl_sigalg **sap);
-DH *ssl_get_auto_dh(SSL *s);
+size_t ssl_dhe_params_auto_key_bits(SSL *s);
 int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
@@ -1448,6 +1448,7 @@ int ssl3_get_client_key_exchange(SSL *s);
 int ssl3_get_cert_verify(SSL *s);
 int ssl_kex_generate_dhe(DH *dh, DH *dh_params);
+int ssl_kex_generate_dhe_params_auto(DH *dh, size_t key_len);
 int ssl_kex_params_dhe(DH *dh, CBB *cbb);
 int ssl_kex_public_dhe(DH *dh, CBB *cbb);
 int ssl_kex_peer_params_dhe(DH *dh, CBS *cbs, int *invalid_params);
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 0c217d6d3e..e9ea6b141c 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.126 2021/11/29 16:03:56 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.127 2021/12/04 14:03:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1309,43 +1309,38 @@ ssl3_send_server_done(SSL *s)
 static int
 ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
 {
-        DH *dh = NULL, *dhp;
+        DH *dh = NULL;
        int al;
+        if ((dh = DH_new()) == NULL)
+                goto err;
        if (s->cert->dh_tmp_auto != 0) {
-                if ((dhp = ssl_get_auto_dh(s)) == NULL) {
+                size_t key_bits;
+                if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
                        al = SSL_AD_INTERNAL_ERROR;
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
                        goto fatal_err;
                }
-        } else
-                dhp = s->cert->dh_tmp;
-        if (dhp == NULL && s->cert->dh_tmp_cb != NULL)
+                if (!ssl_kex_generate_dhe_params_auto(dh, key_bits))
-                dhp = s->cert->dh_tmp_cb(s, 0,
+                        goto err;
-                    SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
+        } else {
+                DH *dh_params = s->cert->dh_tmp;
-        if (dhp == NULL) {
+                if (dh_params == NULL && s->cert->dh_tmp_cb != NULL)
-                al = SSL_AD_HANDSHAKE_FAILURE;
+                        dh_params = s->cert->dh_tmp_cb(s, 0,
-                SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
+                            SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
-                goto fatal_err;
-        }
-        if (S3I(s)->tmp.dh != NULL) {
+                if (dh_params == NULL) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                        al = SSL_AD_HANDSHAKE_FAILURE;
-                goto err;
+                        SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
-        }
+                        goto fatal_err;
+                }
-        if (s->cert->dh_tmp_auto != 0) {
+                if (!ssl_kex_generate_dhe(dh, dh_params))
-                dh = dhp;
+                        goto err;
-        } else if ((dh = DHparams_dup(dhp)) == NULL) {
-                SSLerror(s, ERR_R_DH_LIB);
-                goto err;
-        }
-        S3I(s)->tmp.dh = dh;
-        if (!DH_generate_key(dh)) {
-                SSLerror(s, ERR_R_DH_LIB);
-                goto err;
        }
        if (!ssl_kex_params_dhe(dh, cbb))
@@ -1353,12 +1348,20 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
        if (!ssl_kex_public_dhe(dh, cbb))
                goto err;
-        return (1);
+        if (S3I(s)->tmp.dh != NULL) {
+                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                goto err;
+        }
+        S3I(s)->tmp.dh = dh;
+        return 1;
 fatal_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-        return (-1);
+        DH_free(dh);
+        return -1;
 }
 static int
@@ -1787,53 +1790,35 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
 static int
 ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
 {
-        int key_size = 0;
+        DH *dh_clnt = NULL;
-        int key_is_invalid, key_len, al;
+        DH *dh_srvr;
-        unsigned char *key = NULL;
+        int invalid_key;
-        BIGNUM *bn = NULL;
+        uint8_t *key = NULL;
-        CBS dh_Yc;
+        size_t key_len = 0;
-        DH *dh;
+        int ret = -1;
-        if (!CBS_get_u16_length_prefixed(cbs, &dh_Yc))
-                goto decode_err;
-        if (CBS_len(cbs) != 0)
-                goto decode_err;
-        if (S3I(s)->tmp.dh == NULL) {
+        if ((dh_srvr = S3I(s)->tmp.dh) == NULL) {
-                al = SSL_AD_HANDSHAKE_FAILURE;
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
-                goto fatal_err;
+                goto err;
        }
-        dh = S3I(s)->tmp.dh;
-        if ((bn = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL)) == NULL) {
+        if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL)
-                SSLerror(s, SSL_R_BN_LIB);
                goto err;
-        }
-        if ((key_size = DH_size(dh)) <= 0) {
+        if (!ssl_kex_peer_public_dhe(dh_clnt, cbs, &invalid_key)) {
-                SSLerror(s, ERR_R_DH_LIB);
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+                SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
                goto err;
        }
-        if ((key = malloc(key_size)) == NULL) {
+        if (invalid_key) {
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+                SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
                goto err;
        }
-        if (!DH_check_pub_key(dh, bn, &key_is_invalid)) {
-                al = SSL_AD_INTERNAL_ERROR;
+        if (!ssl_kex_derive_dhe(dh_srvr, dh_clnt, &key, &key_len))
-                SSLerror(s, ERR_R_DH_LIB);
+                goto err;
-                goto fatal_err;
-        }
-        if (key_is_invalid) {
-                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerror(s, ERR_R_DH_LIB);
-                goto fatal_err;
-        }
-        if ((key_len = DH_compute_key(key, bn, dh)) <= 0) {
-                al = SSL_AD_INTERNAL_ERROR;
-                SSLerror(s, ERR_R_DH_LIB);
-                goto fatal_err;
-        }
        if (!tls12_derive_master_secret(s, key, key_len))
                goto err;
@@ -1841,21 +1826,13 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
        DH_free(S3I(s)->tmp.dh);
        S3I(s)->tmp.dh = NULL;
-        freezero(key, key_size);
+        ret = 1;
-        BN_clear_free(bn);
-        return (1);
- decode_err:
-        al = SSL_AD_DECODE_ERROR;
-        SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
- fatal_err:
-        ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-        freezero(key, key_size);
+        freezero(key, key_len);
-        BN_clear_free(bn);
+        DH_free(dh_clnt);
-        return (-1);
+        return ret;
 }
 static int
author	jsing <>	2021-12-04 14:03:22 +0000
committer	jsing <>	2021-12-04 14:03:22 +0000
commit	553bc9b478f48580c6c51ddaa65c906cac0ee4e7 (patch)
tree	eaa42a538f5b252c276e4477b5f4bd6b0fd7a981
parent	7747938abe289fe6b8f9dd672e16cfcfcbdf8c95 (diff)
download	openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.tar.gz openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.tar.bz2 openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.zip

diff --git a/src/lib/libssl/ssl_kex.c b/src/lib/libssl/ssl_kex.c index 639981bec9..78b528b168 100644 --- a/src/lib/libssl/ssl_kex.c +++ b/src/lib/libssl/ssl_kex.c
@@ -1,6 +1,6 @@
1	/* $OpenBSD: ssl_kex.c,v 1.7 2021/12/04 13:50:35 jsing Exp $ */	1	/* $OpenBSD: ssl_kex.c,v 1.8 2021/12/04 14:03:22 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
4	*	4	*
5	* Permission to use, copy, modify, and distribute this software for any	5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above	6	* purpose with or without fee is hereby granted, provided that the above
@@ -17,6 +17,7 @@
17		17
18	#include <stdlib.h>	18	#include <stdlib.h>
19		19
		20	#include <openssl/bn.h>
20	#include <openssl/dh.h>	21	#include <openssl/dh.h>
21	#include <openssl/ec.h>	22	#include <openssl/ec.h>
22	#include <openssl/ecdh.h>	23	#include <openssl/ecdh.h>
@@ -40,7 +41,50 @@ ssl_kex_generate_dhe(DH dh, DH dh_params)
40		41
41	if (!DH_set0_pqg(dh, p, NULL, g))	42	if (!DH_set0_pqg(dh, p, NULL, g))
42	goto err;	43	goto err;
		44	p = NULL;
		45	g = NULL;
		46
		47	if (!DH_generate_key(dh))
		48	goto err;
		49
		50	ret = 1;
		51
		52	err:
		53	BN_free(p);
		54	BN_free(g);
		55
		56	return ret;
		57	}
43		58
		59	int
		60	ssl_kex_generate_dhe_params_auto(DH *dh, size_t key_bits)
		61	{
		62	BIGNUM p = NULL, g = NULL;
		63	int ret = 0;
		64
		65	if (key_bits >= 8192)
		66	p = get_rfc3526_prime_8192(NULL);
		67	else if (key_bits >= 4096)
		68	p = get_rfc3526_prime_4096(NULL);
		69	else if (key_bits >= 3072)
		70	p = get_rfc3526_prime_3072(NULL);
		71	else if (key_bits >= 2048)
		72	p = get_rfc3526_prime_2048(NULL);
		73	else if (key_bits >= 1536)
		74	p = get_rfc3526_prime_1536(NULL);
		75	else
		76	p = get_rfc2409_prime_1024(NULL);
		77
		78	if (p == NULL)
		79	goto err;
		80
		81	if ((g = BN_new()) == NULL)
		82	goto err;
		83	if (!BN_set_word(g, 2))
		84	goto err;
		85
		86	if (!DH_set0_pqg(dh, p, NULL, g))
		87	goto err;
44	p = NULL;	88	p = NULL;
45	g = NULL;	89	g = NULL;
46		90


diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 662013378e..a0d3d05775 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.279 2021/11/14 22:31:29 tb Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.280 2021/12/04 14:03:22 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -147,7 +147,6 @@
147	#include <limits.h>	147	#include <limits.h>
148	#include <stdio.h>	148	#include <stdio.h>
149		149
150	#include <openssl/bn.h>
151	#include <openssl/dh.h>	150	#include <openssl/dh.h>
152	#include <openssl/lhash.h>	151	#include <openssl/lhash.h>
153	#include <openssl/objects.h>	152	#include <openssl/objects.h>
@@ -2319,54 +2318,29 @@ ssl_get_sign_pkey(SSL s, const SSL_CIPHER cipher, const EVP_MD **pmd,
2319	return (pkey);	2318	return (pkey);
2320	}	2319	}
2321		2320
2322	DH *	2321	size_t
2323	ssl_get_auto_dh(SSL *s)	2322	ssl_dhe_params_auto_key_bits(SSL *s)
2324	{	2323	{
2325	CERT_PKEY *cpk;	2324	CERT_PKEY *cpk;
2326	int keylen;	2325	int key_bits;
2327	DH *dhp;
2328		2326
2329	if (s->cert->dh_tmp_auto == 2) {	2327	if (s->cert->dh_tmp_auto == 2) {
2330	keylen = 1024;	2328	key_bits = 1024;
2331	} else if (S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) {	2329	} else if (S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) {
2332	keylen = 1024;	2330	key_bits = 1024;
2333	if (S3I(s)->hs.cipher->strength_bits == 256)	2331	if (S3I(s)->hs.cipher->strength_bits == 256)
2334	keylen = 3072;	2332	key_bits = 3072;
2335	} else {	2333	} else {
2336	if ((cpk = ssl_get_server_send_pkey(s)) == NULL)	2334	if ((cpk = ssl_get_server_send_pkey(s)) == NULL)
2337	return (NULL);	2335	return 0;
2338	if (cpk->privatekey == NULL \|\|	2336	if (cpk->privatekey == NULL \|\|
2339	EVP_PKEY_get0_RSA(cpk->privatekey) == NULL)	2337	EVP_PKEY_get0_RSA(cpk->privatekey) == NULL)
2340	return (NULL);	2338	return 0;
2341	if ((keylen = EVP_PKEY_bits(cpk->privatekey)) <= 0)	2339	if ((key_bits = EVP_PKEY_bits(cpk->privatekey)) <= 0)
2342	return (NULL);	2340	return 0;
2343	}	2341	}
2344		2342
2345	if ((dhp = DH_new()) == NULL)	2343	return key_bits;
2346	return (NULL);
2347
2348	dhp->g = BN_new();
2349	if (dhp->g != NULL)
2350	BN_set_word(dhp->g, 2);
2351
2352	if (keylen >= 8192)
2353	dhp->p = get_rfc3526_prime_8192(NULL);
2354	else if (keylen >= 4096)
2355	dhp->p = get_rfc3526_prime_4096(NULL);
2356	else if (keylen >= 3072)
2357	dhp->p = get_rfc3526_prime_3072(NULL);
2358	else if (keylen >= 2048)
2359	dhp->p = get_rfc3526_prime_2048(NULL);
2360	else if (keylen >= 1536)
2361	dhp->p = get_rfc3526_prime_1536(NULL);
2362	else
2363	dhp->p = get_rfc2409_prime_1024(NULL);
2364
2365	if (dhp->p == NULL \|\| dhp->g == NULL) {
2366	DH_free(dhp);
2367	return (NULL);
2368	}
2369	return (dhp);
2370	}	2344	}
2371		2345
2372	static int	2346	static int


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 0051989ea0..d53c9ec273 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.371 2021/12/04 13:50:35 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.372 2021/12/04 14:03:22 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1343,7 +1343,7 @@ int ssl_undefined_const_function(const SSL *s);
1343	CERT_PKEY ssl_get_server_send_pkey(const SSL s);	1343	CERT_PKEY ssl_get_server_send_pkey(const SSL s);
1344	EVP_PKEY ssl_get_sign_pkey(SSL s, const SSL_CIPHER c, const EVP_MD *pmd,	1344	EVP_PKEY ssl_get_sign_pkey(SSL s, const SSL_CIPHER c, const EVP_MD *pmd,
1345	const struct ssl_sigalg **sap);	1345	const struct ssl_sigalg **sap);
1346	DH ssl_get_auto_dh(SSL s);	1346	size_t ssl_dhe_params_auto_key_bits(SSL *s);
1347	int ssl_cert_type(X509 x, EVP_PKEY pkey);	1347	int ssl_cert_type(X509 x, EVP_PKEY pkey);
1348	void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher);	1348	void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher);
1349	STACK_OF(SSL_CIPHER) ssl_get_ciphers_by_id(SSL s);	1349	STACK_OF(SSL_CIPHER) ssl_get_ciphers_by_id(SSL s);
@@ -1448,6 +1448,7 @@ int ssl3_get_client_key_exchange(SSL *s);
1448	int ssl3_get_cert_verify(SSL *s);	1448	int ssl3_get_cert_verify(SSL *s);
1449		1449
1450	int ssl_kex_generate_dhe(DH dh, DH dh_params);	1450	int ssl_kex_generate_dhe(DH dh, DH dh_params);
		1451	int ssl_kex_generate_dhe_params_auto(DH *dh, size_t key_len);
1451	int ssl_kex_params_dhe(DH dh, CBB cbb);	1452	int ssl_kex_params_dhe(DH dh, CBB cbb);
1452	int ssl_kex_public_dhe(DH dh, CBB cbb);	1453	int ssl_kex_public_dhe(DH dh, CBB cbb);
1453	int ssl_kex_peer_params_dhe(DH dh, CBS cbs, int *invalid_params);	1454	int ssl_kex_peer_params_dhe(DH dh, CBS cbs, int *invalid_params);


diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 0c217d6d3e..e9ea6b141c 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.126 2021/11/29 16:03:56 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.127 2021/12/04 14:03:22 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1309,43 +1309,38 @@ ssl3_send_server_done(SSL *s)
1309	static int	1309	static int
1310	ssl3_send_server_kex_dhe(SSL s, CBB cbb)	1310	ssl3_send_server_kex_dhe(SSL s, CBB cbb)
1311	{	1311	{
1312	DH dh = NULL, dhp;	1312	DH *dh = NULL;
1313	int al;	1313	int al;
1314		1314
		1315	if ((dh = DH_new()) == NULL)
		1316	goto err;
		1317
1315	if (s->cert->dh_tmp_auto != 0) {	1318	if (s->cert->dh_tmp_auto != 0) {
1316	if ((dhp = ssl_get_auto_dh(s)) == NULL) {	1319	size_t key_bits;
		1320
		1321	if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
1317	al = SSL_AD_INTERNAL_ERROR;	1322	al = SSL_AD_INTERNAL_ERROR;
1318	SSLerror(s, ERR_R_INTERNAL_ERROR);	1323	SSLerror(s, ERR_R_INTERNAL_ERROR);
1319	goto fatal_err;	1324	goto fatal_err;
1320	}	1325	}
1321	} else
1322	dhp = s->cert->dh_tmp;
1323		1326
1324	if (dhp == NULL && s->cert->dh_tmp_cb != NULL)	1327	if (!ssl_kex_generate_dhe_params_auto(dh, key_bits))
1325	dhp = s->cert->dh_tmp_cb(s, 0,	1328	goto err;
1326	SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));	1329	} else {
		1330	DH *dh_params = s->cert->dh_tmp;
1327		1331
1328	if (dhp == NULL) {	1332	if (dh_params == NULL && s->cert->dh_tmp_cb != NULL)
1329	al = SSL_AD_HANDSHAKE_FAILURE;	1333	dh_params = s->cert->dh_tmp_cb(s, 0,
1330	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);	1334	SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
1331	goto fatal_err;
1332	}
1333		1335
1334	if (S3I(s)->tmp.dh != NULL) {	1336	if (dh_params == NULL) {
1335	SSLerror(s, ERR_R_INTERNAL_ERROR);	1337	al = SSL_AD_HANDSHAKE_FAILURE;
1336	goto err;	1338	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1337	}	1339	goto fatal_err;
		1340	}
1338		1341
1339	if (s->cert->dh_tmp_auto != 0) {	1342	if (!ssl_kex_generate_dhe(dh, dh_params))
1340	dh = dhp;	1343	goto err;
1341	} else if ((dh = DHparams_dup(dhp)) == NULL) {
1342	SSLerror(s, ERR_R_DH_LIB);
1343	goto err;
1344	}
1345	S3I(s)->tmp.dh = dh;
1346	if (!DH_generate_key(dh)) {
1347	SSLerror(s, ERR_R_DH_LIB);
1348	goto err;
1349	}	1344	}
1350		1345
1351	if (!ssl_kex_params_dhe(dh, cbb))	1346	if (!ssl_kex_params_dhe(dh, cbb))
@@ -1353,12 +1348,20 @@ ssl3_send_server_kex_dhe(SSL s, CBB cbb)
1353	if (!ssl_kex_public_dhe(dh, cbb))	1348	if (!ssl_kex_public_dhe(dh, cbb))
1354	goto err;	1349	goto err;
1355		1350
1356	return (1);	1351	if (S3I(s)->tmp.dh != NULL) {
		1352	SSLerror(s, ERR_R_INTERNAL_ERROR);
		1353	goto err;
		1354	}
		1355	S3I(s)->tmp.dh = dh;
		1356
		1357	return 1;
1357		1358
1358	fatal_err:	1359	fatal_err:
1359	ssl3_send_alert(s, SSL3_AL_FATAL, al);	1360	ssl3_send_alert(s, SSL3_AL_FATAL, al);
1360	err:	1361	err:
1361	return (-1);	1362	DH_free(dh);
		1363
		1364	return -1;
1362	}	1365	}
1363		1366
1364	static int	1367	static int
@@ -1787,53 +1790,35 @@ ssl3_get_client_kex_rsa(SSL s, CBS cbs)
1787	static int	1790	static int
1788	ssl3_get_client_kex_dhe(SSL s, CBS cbs)	1791	ssl3_get_client_kex_dhe(SSL s, CBS cbs)
1789	{	1792	{
1790	int key_size = 0;	1793	DH *dh_clnt = NULL;
1791	int key_is_invalid, key_len, al;	1794	DH *dh_srvr;
1792	unsigned char *key = NULL;	1795	int invalid_key;
1793	BIGNUM *bn = NULL;	1796	uint8_t *key = NULL;
1794	CBS dh_Yc;	1797	size_t key_len = 0;
1795	DH *dh;	1798	int ret = -1;
1796
1797	if (!CBS_get_u16_length_prefixed(cbs, &dh_Yc))
1798	goto decode_err;
1799	if (CBS_len(cbs) != 0)
1800	goto decode_err;
1801		1799
1802	if (S3I(s)->tmp.dh == NULL) {	1800	if ((dh_srvr = S3I(s)->tmp.dh) == NULL) {
1803	al = SSL_AD_HANDSHAKE_FAILURE;	1801	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1804	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);	1802	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1805	goto fatal_err;	1803	goto err;
1806	}	1804	}
1807	dh = S3I(s)->tmp.dh;
1808		1805
1809	if ((bn = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL)) == NULL) {	1806	if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL)
1810	SSLerror(s, SSL_R_BN_LIB);
1811	goto err;	1807	goto err;
1812	}
1813		1808
1814	if ((key_size = DH_size(dh)) <= 0) {	1809	if (!ssl_kex_peer_public_dhe(dh_clnt, cbs, &invalid_key)) {
1815	SSLerror(s, ERR_R_DH_LIB);	1810	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		1811	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1816	goto err;	1812	goto err;
1817	}	1813	}
1818	if ((key = malloc(key_size)) == NULL) {	1814	if (invalid_key) {
1819	SSLerror(s, ERR_R_MALLOC_FAILURE);	1815	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
		1816	SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1820	goto err;	1817	goto err;
1821	}	1818	}
1822	if (!DH_check_pub_key(dh, bn, &key_is_invalid)) {	1819
1823	al = SSL_AD_INTERNAL_ERROR;	1820	if (!ssl_kex_derive_dhe(dh_srvr, dh_clnt, &key, &key_len))
1824	SSLerror(s, ERR_R_DH_LIB);	1821	goto err;
1825	goto fatal_err;
1826	}
1827	if (key_is_invalid) {
1828	al = SSL_AD_ILLEGAL_PARAMETER;
1829	SSLerror(s, ERR_R_DH_LIB);
1830	goto fatal_err;
1831	}
1832	if ((key_len = DH_compute_key(key, bn, dh)) <= 0) {
1833	al = SSL_AD_INTERNAL_ERROR;
1834	SSLerror(s, ERR_R_DH_LIB);
1835	goto fatal_err;
1836	}
1837		1822
1838	if (!tls12_derive_master_secret(s, key, key_len))	1823	if (!tls12_derive_master_secret(s, key, key_len))
1839	goto err;	1824	goto err;
@@ -1841,21 +1826,13 @@ ssl3_get_client_kex_dhe(SSL s, CBS cbs)
1841	DH_free(S3I(s)->tmp.dh);	1826	DH_free(S3I(s)->tmp.dh);
1842	S3I(s)->tmp.dh = NULL;	1827	S3I(s)->tmp.dh = NULL;
1843		1828
1844	freezero(key, key_size);	1829	ret = 1;
1845	BN_clear_free(bn);
1846
1847	return (1);
1848		1830
1849	decode_err:
1850	al = SSL_AD_DECODE_ERROR;
1851	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1852	fatal_err:
1853	ssl3_send_alert(s, SSL3_AL_FATAL, al);
1854	err:	1831	err:
1855	freezero(key, key_size);	1832	freezero(key, key_len);
1856	BN_clear_free(bn);	1833	DH_free(dh_clnt);
1857		1834
1858	return (-1);	1835	return ret;
1859	}	1836	}
1860		1837
1861	static int	1838	static int