Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
-rw-r--r--src/lib/libssl/ssl_clnt.c84
1 files changed, 20 insertions, 64 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 6fe15dcf1d..b349f24cb0 100644
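--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.119 2021/11/26 16:41:42 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.120 2021/11/29 16:00:32 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1223,46 +1223,24 @@ ssl3_get_server_certificate(SSL *s)
 static int
 ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
 {
- CBS dhp, dhg, dhpk;
- BN_CTX *bn_ctx = NULL;
  SESS_CERT *sc = NULL;
  DH *dh = NULL;
  long alg_a;
- int al;
 
  alg_a = S3I(s)->hs.cipher->algorithm_auth;
  sc = s->session->sess_cert;
 
- if ((dh = DH_new()) == NULL) {
+ if ((dh = DH_new()) == NULL)
- SSLerror(s, ERR_R_DH_LIB);
- goto err;
- }
-
- if (!CBS_get_u16_length_prefixed(cbs, &dhp))
- goto decode_err;
- if ((dh->p = BN_bin2bn(CBS_data(&dhp), CBS_len(&dhp), NULL)) == NULL) {
- SSLerror(s, ERR_R_BN_LIB);
  goto err;
- }
 
- if (!CBS_get_u16_length_prefixed(cbs, &dhg))
+ if (!ssl_kex_peer_params_dhe(dh, cbs))
  goto decode_err;
- if ((dh->g = BN_bin2bn(CBS_data(&dhg), CBS_len(&dhg), NULL)) == NULL) {
+ if (!ssl_kex_peer_public_dhe(dh, cbs))
- SSLerror(s, ERR_R_BN_LIB);
- goto err;
- }
-
- if (!CBS_get_u16_length_prefixed(cbs, &dhpk))
  goto decode_err;
- if ((dh->pub_key = BN_bin2bn(CBS_data(&dhpk), CBS_len(&dhpk),
- NULL)) == NULL) {
- SSLerror(s, ERR_R_BN_LIB);
- goto err;
- }
 
  /*
  * Check the strength of the DH key just constructed.
- * Discard keys weaker than 1024 bits.
+ * Reject keys weaker than 1024 bits.
  */
  if (DH_size(dh) < 1024 / 8) {
  SSLerror(s, SSL_R_BAD_DH_P_LENGTH);
@@ -1280,13 +1258,11 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
  return (1);
 
  decode_err:
- al = SSL_AD_DECODE_ERROR;
  SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
 
  err:
  DH_free(dh);
- BN_CTX_free(bn_ctx);
 
  return (-1);
 }
@@ -1988,59 +1964,38 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 static int
 ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 {
- DH *dh_srvr = NULL, *dh_clnt = NULL;
+ DH *dh_clnt = NULL;
- unsigned char *key = NULL;
+ DH *dh_srvr;
- int key_size = 0, key_len;
+ uint8_t *key = NULL;
- unsigned char *data;
+ size_t key_len = 0;
  int ret = -1;
- CBB dh_Yc;
 
- /* Ensure that we have an ephemeral key for DHE. */
+ /* Ensure that we have an ephemeral key from the server for DHE. */
- if (sess_cert->peer_dh_tmp == NULL) {
+ if ((dh_srvr = sess_cert->peer_dh_tmp) == NULL) {
  ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
  SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
  goto err;
  }
- dh_srvr = sess_cert->peer_dh_tmp;
 
- /* Generate a new random key. */
+ if ((dh_clnt = DH_new()) == NULL)
- if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
- SSLerror(s, ERR_R_DH_LIB);
  goto err;
- }
+
- if (!DH_generate_key(dh_clnt)) {
+ if (!ssl_kex_generate_dhe(dh_clnt, dh_srvr))
- SSLerror(s, ERR_R_DH_LIB);
- goto err;
- }
- if ((key_size = DH_size(dh_clnt)) <= 0) {
- SSLerror(s, ERR_R_DH_LIB);
- goto err;
- }
- if ((key = malloc(key_size)) == NULL) {
- SSLerror(s, ERR_R_MALLOC_FAILURE);
  goto err;
- }
+ if (!ssl_kex_public_dhe(dh_clnt, cbb))
- if ((key_len = DH_compute_key(key, dh_srvr->pub_key, dh_clnt)) <= 0) {
- SSLerror(s, ERR_R_DH_LIB);
  goto err;
- }
 
- if (!tls12_derive_master_secret(s, key, key_len))
+ if (!ssl_kex_derive_dhe(dh_clnt, dh_srvr, &key, &key_len))
  goto err;
 
- if (!CBB_add_u16_length_prefixed(cbb, &dh_Yc))
+ if (!tls12_derive_master_secret(s, key, key_len))
- goto err;
- if (!CBB_add_space(&dh_Yc, &data, BN_num_bytes(dh_clnt->pub_key)))
- goto err;
- BN_bn2bin(dh_clnt->pub_key, data);
- if (!CBB_flush(cbb))
  goto err;
 
  ret = 1;
 
  err:
  DH_free(dh_clnt);
- freezero(key, key_size);
+ freezero(key, key_len);
 
  return (ret);
 }
@@ -2072,6 +2027,7 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
 
  if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len))
  goto err;
+
  if (!tls12_derive_master_secret(s, key, key_len))
  goto err;
 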
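Review bot: In the new `ssl3_get_server_kex_dhe`, the only check on the server-supplied values visible after `ssl_kex_peer_params_dhe()` and `ssl_kex_peer_public_dhe()` is `DH_size(dh) < 1024 / 8`, which bounds the modulus length but says nothing about the generator or the peer's public value. Both helpers are defined outside this page, so whether they range-check what they parse cannot be confirmed here; if they only decode, a degenerate public value would be carried into the later key derivation in `ssl3_send_client_kex_dhe`. I would either add a check right after the two helper calls, for example `if (!DH_check_pub_key(dh, dh->pub_key, &codes) || codes != 0) goto decode_err;` with an `int codes` local, or, if the helpers already validate, record that next to the size check with a comment such as `/* Parameters and public value are range-checked by the ssl_kex helpers. */`. The part of the function between the second and third hunks is not shown, so an equivalent check may already exist there.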