Check DH public key in ssl_kex_peer_public_dhe().

Call DH_check_pub_key() after decoding the peer public key - this will be
needed for the server DHE key exchange, but also benefits the client.

ok inoguchi@ tb@

3 files changed, 22 insertions, 8 deletions

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index b349f24cb0..04b3132d35 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.120 2021/11/29 16:00:32 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.121 2021/12/04 13:15:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1223,6 +1223,7 @@ ssl3_get_server_certificate(SSL *s)
 static int
 ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
 {
+        int invalid_key;
         SESS_CERT *sc = NULL;
         DH *dh = NULL;
         long alg_a;
@@ -1235,7 +1236,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
 
         if (!ssl_kex_peer_params_dhe(dh, cbs))
                 goto decode_err;
-        if (!ssl_kex_peer_public_dhe(dh, cbs))
+        if (!ssl_kex_peer_public_dhe(dh, cbs, &invalid_key))
                 goto decode_err;
 
         /*
@@ -1246,6 +1247,11 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
                 SSLerror(s, SSL_R_BAD_DH_P_LENGTH);
                 goto err;
         }
+        if (invalid_key) {
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+                SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
+                goto err;
+        }
 
         if (alg_a & SSL_aRSA)
                 *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA].x509);
diff --git a/src/lib/libssl/ssl_kex.c b/src/lib/libssl/ssl_kex.c
index 9af440d827..68d83cedbe 100644
--- a/src/lib/libssl/ssl_kex.c
+++ b/src/lib/libssl/ssl_kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_kex.c,v 1.5 2021/11/30 18:17:03 tb Exp $ */
+/* $OpenBSD: ssl_kex.c,v 1.6 2021/12/04 13:15:10 jsing Exp $ */
 /*
  * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
  *
@@ -142,23 +142,31 @@ ssl_kex_peer_params_dhe(DH *dh, CBS *cbs)
 }
 
 int
-ssl_kex_peer_public_dhe(DH *dh, CBS *cbs)
+ssl_kex_peer_public_dhe(DH *dh, CBS *cbs, int *invalid_key)
 {
-        CBS dh_y;
         BIGNUM *pub_key = NULL;
+        int check_flags;
+        CBS dh_y;
         int ret = 0;
 
+        *invalid_key = 0;
+
         if (!CBS_get_u16_length_prefixed(cbs, &dh_y))
                 goto err;
+
         if ((pub_key = BN_bin2bn(CBS_data(&dh_y), CBS_len(&dh_y),
             NULL)) == NULL)
                 goto err;
 
         if (!DH_set0_key(dh, pub_key, NULL))
                 goto err;
-
         pub_key = NULL;
 
+        if (!DH_check_pub_key(dh, dh->pub_key, &check_flags))
+                goto err;
+        if (check_flags != 0)
+                *invalid_key = 1;
+
         ret = 1;
 
  err:
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 7810bcd05e..93bdd2a4fc 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.369 2021/11/29 16:00:32 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.370 2021/12/04 13:15:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1451,7 +1451,7 @@ int ssl_kex_generate_dhe(DH *dh, DH *dh_params);
 int ssl_kex_params_dhe(DH *dh, CBB *cbb);
 int ssl_kex_public_dhe(DH *dh, CBB *cbb);
 int ssl_kex_peer_params_dhe(DH *dh, CBS *cbs);
-int ssl_kex_peer_public_dhe(DH *dh, CBS *cbs);
+int ssl_kex_peer_public_dhe(DH *dh, CBS *cbs, int *invalid_key);
 int ssl_kex_derive_dhe(DH *dh, DH *dh_peer,
     uint8_t **shared_key, size_t *shared_key_len);