summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorjsing <>2016-11-03 13:20:35 +0000
committerjsing <>2016-11-03 13:20:35 +0000
commit05002f727738ee445b4a9367f51474995302c6a6 (patch)
tree5b417d1c2f9c5d6a82db5c2eea35891d0444346c /src
parentd029f353a03a06a76323b928825612cff8bfef8f (diff)
downloadopenbsd-05002f727738ee445b4a9367f51474995302c6a6.tar.gz
openbsd-05002f727738ee445b4a9367f51474995302c6a6.tar.bz2
openbsd-05002f727738ee445b4a9367f51474995302c6a6.zip
Split ssl3_get_key_exchange() into separate functions for DHE/ECDHE.
ok beck@ (who was struggling to keep lunch down while reviewing the diff)
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/s3_clnt.c461
1 files changed, 256 insertions, 205 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index d7cd37dec8..e9db8e27c2 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.139 2016/10/19 16:38:40 jsing Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.140 2016/11/03 13:20:35 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1091,6 +1091,246 @@ err:
1091 return (ret); 1091 return (ret);
1092} 1092}
1093 1093
1094static int
1095ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
1096{
1097 BN_CTX *bn_ctx = NULL;
1098 SESS_CERT *sc = NULL;
1099 DH *dh = NULL;
1100 int al, i, param_len;
1101 unsigned char *p;
1102 long alg_a, n;
1103
1104 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1105 n = *nn;
1106 p = *pp;
1107 sc = s->session->sess_cert;
1108
1109 if ((dh = DH_new()) == NULL) {
1110 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB);
1111 goto err;
1112 }
1113 if (2 > n)
1114 goto truncated;
1115 n2s(p, i);
1116 param_len = i + 2;
1117 if (param_len > n) {
1118 al = SSL_AD_DECODE_ERROR;
1119 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
1120 goto f_err;
1121 }
1122 if (!(dh->p = BN_bin2bn(p, i, NULL))) {
1123 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1124 goto err;
1125 }
1126 p += i;
1127
1128 if (param_len + 2 > n)
1129 goto truncated;
1130 n2s(p, i);
1131 param_len += i + 2;
1132 if (param_len > n) {
1133 al = SSL_AD_DECODE_ERROR;
1134 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_LENGTH);
1135 goto f_err;
1136 }
1137 if (!(dh->g = BN_bin2bn(p, i, NULL))) {
1138 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1139 goto err;
1140 }
1141 p += i;
1142
1143 if (param_len + 2 > n)
1144 goto truncated;
1145 n2s(p, i);
1146 param_len += i + 2;
1147 if (param_len > n) {
1148 al = SSL_AD_DECODE_ERROR;
1149 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1150 SSL_R_BAD_DH_PUB_KEY_LENGTH);
1151 goto f_err;
1152 }
1153 if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
1154 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1155 goto err;
1156 }
1157 p += i;
1158 n -= param_len;
1159
1160 /*
1161 * Check the strength of the DH key just constructed.
1162 * Discard keys weaker than 1024 bits.
1163 */
1164 if (DH_size(dh) < 1024 / 8) {
1165 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
1166 goto err;
1167 }
1168
1169 if (alg_a & SSL_aRSA)
1170 *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1171 else if (alg_a & SSL_aDSS)
1172 *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1173 else
1174 /* XXX - Anonymous DH, so no certificate or pkey. */
1175 *pkey = NULL;
1176
1177 sc->peer_dh_tmp = dh;
1178
1179 *nn = n;
1180 *pp = p;
1181
1182 return (1);
1183
1184 truncated:
1185 al = SSL_AD_DECODE_ERROR;
1186 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
1187
1188 f_err:
1189 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1190
1191 err:
1192 DH_free(dh);
1193 BN_CTX_free(bn_ctx);
1194
1195 return (-1);
1196}
1197
1198static int
1199ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
1200{
1201 EC_POINT *srvr_ecpoint = NULL;
1202 EC_KEY *ecdh = NULL;
1203 BN_CTX *bn_ctx = NULL;
1204 const EC_GROUP *group;
1205 EC_GROUP *ngroup;
1206 SESS_CERT *sc;
1207 unsigned char *p;
1208 int al, param_len;
1209 long alg_a, n;
1210 int curve_nid = 0;
1211 int encoded_pt_len = 0;
1212
1213 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1214 n = *nn;
1215 p = *pp;
1216 sc = s->session->sess_cert;
1217
1218 if ((ecdh = EC_KEY_new()) == NULL) {
1219 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1220 goto err;
1221 }
1222
1223 /*
1224 * Extract elliptic curve parameters and the server's ephemeral ECDH
1225 * public key. Keep accumulating lengths of various components in
1226 * param_len and make sure it never exceeds n.
1227 */
1228
1229 /*
1230 * XXX: For now we only support named (not generic) curves
1231 * and the ECParameters in this case is just three bytes.
1232 */
1233 param_len = 3;
1234 if (param_len > n) {
1235 al = SSL_AD_DECODE_ERROR;
1236 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1237 goto f_err;
1238 }
1239
1240 /*
1241 * Check curve is one of our preferences, if not server has
1242 * sent an invalid curve.
1243 */
1244 if (tls1_check_curve(s, p, param_len) != 1) {
1245 al = SSL_AD_DECODE_ERROR;
1246 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_CURVE);
1247 goto f_err;
1248 }
1249
1250 if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0) {
1251 al = SSL_AD_INTERNAL_ERROR;
1252 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1253 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1254 goto f_err;
1255 }
1256
1257 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1258 if (ngroup == NULL) {
1259 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1260 goto err;
1261 }
1262 if (EC_KEY_set_group(ecdh, ngroup) == 0) {
1263 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1264 goto err;
1265 }
1266 EC_GROUP_free(ngroup);
1267
1268 group = EC_KEY_get0_group(ecdh);
1269
1270 p += 3;
1271
1272 /* Next, get the encoded ECPoint */
1273 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1274 ((bn_ctx = BN_CTX_new()) == NULL)) {
1275 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1276 goto err;
1277 }
1278
1279 if (param_len + 1 > n)
1280 goto truncated;
1281 encoded_pt_len = *p;
1282 /* length of encoded point */
1283 p += 1;
1284 param_len += (1 + encoded_pt_len);
1285 if ((param_len > n) || (EC_POINT_oct2point(group, srvr_ecpoint,
1286 p, encoded_pt_len, bn_ctx) == 0)) {
1287 al = SSL_AD_DECODE_ERROR;
1288 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
1289 goto f_err;
1290 }
1291
1292 n -= param_len;
1293 p += encoded_pt_len;
1294
1295 /*
1296 * The ECC/TLS specification does not mention the use of DSA to sign
1297 * ECParameters in the server key exchange message. We do support RSA
1298 * and ECDSA.
1299 */
1300 if (alg_a & SSL_aRSA)
1301 *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1302 else if (alg_a & SSL_aECDSA)
1303 *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_ECC].x509);
1304 else
1305 /* XXX - Anonymous ECDH, so no certificate or pkey. */
1306 *pkey = NULL;
1307
1308 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1309 sc->peer_ecdh_tmp = ecdh;
1310
1311 BN_CTX_free(bn_ctx);
1312 EC_POINT_free(srvr_ecpoint);
1313
1314 *nn = n;
1315 *pp = p;
1316
1317 return (1);
1318
1319 truncated:
1320 al = SSL_AD_DECODE_ERROR;
1321 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
1322
1323 f_err:
1324 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1325
1326 err:
1327 BN_CTX_free(bn_ctx);
1328 EC_POINT_free(srvr_ecpoint);
1329 EC_KEY_free(ecdh);
1330
1331 return (-1);
1332}
1333
1094int 1334int
1095ssl3_get_key_exchange(SSL *s) 1335ssl3_get_key_exchange(SSL *s)
1096{ 1336{
@@ -1102,12 +1342,6 @@ ssl3_get_key_exchange(SSL *s)
1102 EVP_PKEY *pkey = NULL; 1342 EVP_PKEY *pkey = NULL;
1103 const EVP_MD *md = NULL; 1343 const EVP_MD *md = NULL;
1104 RSA *rsa = NULL; 1344 RSA *rsa = NULL;
1105 DH *dh = NULL;
1106 EC_KEY *ecdh = NULL;
1107 BN_CTX *bn_ctx = NULL;
1108 EC_POINT *srvr_ecpoint = NULL;
1109 int curve_nid = 0;
1110 int encoded_pt_len = 0;
1111 1345
1112 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1346 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1113 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1347 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
@@ -1153,206 +1387,21 @@ ssl3_get_key_exchange(SSL *s)
1153 } 1387 }
1154 1388
1155 param = p = (unsigned char *)s->init_msg; 1389 param = p = (unsigned char *)s->init_msg;
1156 param_len = 0; 1390 param_len = n;
1157 1391
1158 if (alg_k & SSL_kDHE) { 1392 if (alg_k & SSL_kDHE) {
1159 if ((dh = DH_new()) == NULL) { 1393 if (ssl3_get_server_kex_dhe(s, &pkey, &p, &n) != 1)
1160 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1161 ERR_R_DH_LIB);
1162 goto err;
1163 }
1164 if (2 > n)
1165 goto truncated;
1166 n2s(p, i);
1167 param_len = i + 2;
1168 if (param_len > n) {
1169 al = SSL_AD_DECODE_ERROR;
1170 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1171 SSL_R_BAD_DH_P_LENGTH);
1172 goto f_err;
1173 }
1174 if (!(dh->p = BN_bin2bn(p, i, NULL))) {
1175 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1176 ERR_R_BN_LIB);
1177 goto err;
1178 }
1179 p += i;
1180
1181 if (param_len + 2 > n)
1182 goto truncated;
1183 n2s(p, i);
1184 param_len += i + 2;
1185 if (param_len > n) {
1186 al = SSL_AD_DECODE_ERROR;
1187 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1188 SSL_R_BAD_DH_G_LENGTH);
1189 goto f_err;
1190 }
1191 if (!(dh->g = BN_bin2bn(p, i, NULL))) {
1192 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1193 ERR_R_BN_LIB);
1194 goto err; 1394 goto err;
1195 }
1196 p += i;
1197
1198 if (param_len + 2 > n)
1199 goto truncated;
1200 n2s(p, i);
1201 param_len += i + 2;
1202 if (param_len > n) {
1203 al = SSL_AD_DECODE_ERROR;
1204 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1205 SSL_R_BAD_DH_PUB_KEY_LENGTH);
1206 goto f_err;
1207 }
1208 if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
1209 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1210 ERR_R_BN_LIB);
1211 goto err;
1212 }
1213 p += i;
1214 n -= param_len;
1215
1216 /*
1217 * Check the strength of the DH key just constructed.
1218 * Discard keys weaker than 1024 bits.
1219 */
1220
1221 if (DH_size(dh) < 1024 / 8) {
1222 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1223 SSL_R_BAD_DH_P_LENGTH);
1224 goto err;
1225 }
1226
1227 if (alg_a & SSL_aRSA)
1228 pkey = X509_get_pubkey(
1229 s->session->sess_cert->peer_pkeys[
1230 SSL_PKEY_RSA_ENC].x509);
1231 else if (alg_a & SSL_aDSS)
1232 pkey = X509_get_pubkey(
1233 s->session->sess_cert->peer_pkeys[
1234 SSL_PKEY_DSA_SIGN].x509);
1235 /* else anonymous DH, so no certificate or pkey. */
1236
1237 s->session->sess_cert->peer_dh_tmp = dh;
1238 dh = NULL;
1239 } else if (alg_k & SSL_kECDHE) { 1395 } else if (alg_k & SSL_kECDHE) {
1240 const EC_GROUP *group; 1396 if (ssl3_get_server_kex_ecdhe(s, &pkey, &p, &n) != 1)
1241 EC_GROUP *ngroup;
1242
1243 if ((ecdh = EC_KEY_new()) == NULL) {
1244 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1245 ERR_R_MALLOC_FAILURE);
1246 goto err;
1247 }
1248
1249 /*
1250 * Extract elliptic curve parameters and the
1251 * server's ephemeral ECDH public key.
1252 * Keep accumulating lengths of various components in
1253 * param_len and make sure it never exceeds n.
1254 */
1255
1256 /*
1257 * XXX: For now we only support named (not generic) curves
1258 * and the ECParameters in this case is just three bytes.
1259 */
1260 param_len = 3;
1261 if (param_len > n) {
1262 al = SSL_AD_DECODE_ERROR;
1263 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1264 SSL_R_LENGTH_TOO_SHORT);
1265 goto f_err;
1266 }
1267
1268 /*
1269 * Check curve is one of our preferences, if not server has
1270 * sent an invalid curve.
1271 */
1272 if (tls1_check_curve(s, p, param_len) != 1) {
1273 al = SSL_AD_DECODE_ERROR;
1274 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_CURVE);
1275 goto f_err;
1276 }
1277
1278 if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0) {
1279 al = SSL_AD_INTERNAL_ERROR;
1280 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1281 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1282 goto f_err;
1283 }
1284
1285 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1286 if (ngroup == NULL) {
1287 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1288 ERR_R_EC_LIB);
1289 goto err;
1290 }
1291 if (EC_KEY_set_group(ecdh, ngroup) == 0) {
1292 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1293 ERR_R_EC_LIB);
1294 goto err;
1295 }
1296 EC_GROUP_free(ngroup);
1297
1298 group = EC_KEY_get0_group(ecdh);
1299
1300 p += 3;
1301
1302 /* Next, get the encoded ECPoint */
1303 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1304 ((bn_ctx = BN_CTX_new()) == NULL)) {
1305 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1306 ERR_R_MALLOC_FAILURE);
1307 goto err; 1397 goto err;
1308 } 1398 } else if (alg_k != 0) {
1309
1310 if (param_len + 1 > n)
1311 goto truncated;
1312 encoded_pt_len = *p;
1313 /* length of encoded point */
1314 p += 1;
1315 param_len += (1 + encoded_pt_len);
1316 if ((param_len > n) || (EC_POINT_oct2point(group, srvr_ecpoint,
1317 p, encoded_pt_len, bn_ctx) == 0)) {
1318 al = SSL_AD_DECODE_ERROR;
1319 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1320 SSL_R_BAD_ECPOINT);
1321 goto f_err;
1322 }
1323
1324 n -= param_len;
1325 p += encoded_pt_len;
1326
1327 /*
1328 * The ECC/TLS specification does not mention the use
1329 * of DSA to sign ECParameters in the server key
1330 * exchange message. We do support RSA and ECDSA.
1331 */
1332 if (alg_a & SSL_aRSA)
1333 pkey = X509_get_pubkey(
1334 s->session->sess_cert->peer_pkeys[
1335 SSL_PKEY_RSA_ENC].x509);
1336 else if (alg_a & SSL_aECDSA)
1337 pkey = X509_get_pubkey(
1338 s->session->sess_cert->peer_pkeys[
1339 SSL_PKEY_ECC].x509);
1340 /* Else anonymous ECDH, so no certificate or pkey. */
1341 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1342 s->session->sess_cert->peer_ecdh_tmp = ecdh;
1343 ecdh = NULL;
1344 BN_CTX_free(bn_ctx);
1345 bn_ctx = NULL;
1346 EC_POINT_free(srvr_ecpoint);
1347 srvr_ecpoint = NULL;
1348 } else if (alg_k) {
1349 al = SSL_AD_UNEXPECTED_MESSAGE; 1399 al = SSL_AD_UNEXPECTED_MESSAGE;
1350 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1400 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1351 SSL_R_UNEXPECTED_MESSAGE);
1352 goto f_err; 1401 goto f_err;
1353 } 1402 }
1354 1403
1355 /* p points to the next byte, there are 'n' bytes left */ 1404 param_len = param_len - n;
1356 1405
1357 /* if it was signed, check the signature */ 1406 /* if it was signed, check the signature */
1358 if (pkey != NULL) { 1407 if (pkey != NULL) {
@@ -1471,23 +1520,25 @@ ssl3_get_key_exchange(SSL *s)
1471 goto f_err; 1520 goto f_err;
1472 } 1521 }
1473 } 1522 }
1523
1474 EVP_PKEY_free(pkey); 1524 EVP_PKEY_free(pkey);
1475 EVP_MD_CTX_cleanup(&md_ctx); 1525 EVP_MD_CTX_cleanup(&md_ctx);
1526
1476 return (1); 1527 return (1);
1477truncated: 1528
1529 truncated:
1478 /* wrong packet length */ 1530 /* wrong packet length */
1479 al = SSL_AD_DECODE_ERROR; 1531 al = SSL_AD_DECODE_ERROR;
1480 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH); 1532 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
1481f_err: 1533
1534 f_err:
1482 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1535 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1483err: 1536
1537 err:
1484 EVP_PKEY_free(pkey); 1538 EVP_PKEY_free(pkey);
1485 RSA_free(rsa); 1539 RSA_free(rsa);
1486 DH_free(dh);
1487 BN_CTX_free(bn_ctx);
1488 EC_POINT_free(srvr_ecpoint);
1489 EC_KEY_free(ecdh);
1490 EVP_MD_CTX_cleanup(&md_ctx); 1540 EVP_MD_CTX_cleanup(&md_ctx);
1541
1491 return (-1); 1542 return (-1);
1492} 1543}
1493 1544
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 15:02:44 +0000