1 files changed, 55 insertions, 78 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 0c217d6d3e..e9ea6b141c 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.126 2021/11/29 16:03:56 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.127 2021/12/04 14:03:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1309,43 +1309,38 @@ ssl3_send_server_done(SSL *s)
 static int
 ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
 {
-        DH *dh = NULL, *dhp;
+        DH *dh = NULL;
        int al;
+        if ((dh = DH_new()) == NULL)
+                goto err;
        if (s->cert->dh_tmp_auto != 0) {
-                if ((dhp = ssl_get_auto_dh(s)) == NULL) {
+                size_t key_bits;
+                if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
                        al = SSL_AD_INTERNAL_ERROR;
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
                        goto fatal_err;
                }
-        } else
-                dhp = s->cert->dh_tmp;
-        if (dhp == NULL && s->cert->dh_tmp_cb != NULL)
+                if (!ssl_kex_generate_dhe_params_auto(dh, key_bits))
-                dhp = s->cert->dh_tmp_cb(s, 0,
+                        goto err;
-                    SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
+        } else {
+                DH *dh_params = s->cert->dh_tmp;
-        if (dhp == NULL) {
+                if (dh_params == NULL && s->cert->dh_tmp_cb != NULL)
-                al = SSL_AD_HANDSHAKE_FAILURE;
+                        dh_params = s->cert->dh_tmp_cb(s, 0,
-                SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
+                            SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
-                goto fatal_err;
-        }
-        if (S3I(s)->tmp.dh != NULL) {
+                if (dh_params == NULL) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                        al = SSL_AD_HANDSHAKE_FAILURE;
-                goto err;
+                        SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
-        }
+                        goto fatal_err;
+                }
-        if (s->cert->dh_tmp_auto != 0) {
+                if (!ssl_kex_generate_dhe(dh, dh_params))
-                dh = dhp;
+                        goto err;
-        } else if ((dh = DHparams_dup(dhp)) == NULL) {
-                SSLerror(s, ERR_R_DH_LIB);
-                goto err;
-        }
-        S3I(s)->tmp.dh = dh;
-        if (!DH_generate_key(dh)) {
-                SSLerror(s, ERR_R_DH_LIB);
-                goto err;
        }
        if (!ssl_kex_params_dhe(dh, cbb))
@@ -1353,12 +1348,20 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
        if (!ssl_kex_public_dhe(dh, cbb))
                goto err;
-        return (1);
+        if (S3I(s)->tmp.dh != NULL) {
+                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                goto err;
+        }
+        S3I(s)->tmp.dh = dh;
+        return 1;
 fatal_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-        return (-1);
+        DH_free(dh);
+        return -1;
 }
 static int
@@ -1787,53 +1790,35 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
 static int
 ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
 {
-        int key_size = 0;
+        DH *dh_clnt = NULL;
-        int key_is_invalid, key_len, al;
+        DH *dh_srvr;
-        unsigned char *key = NULL;
+        int invalid_key;
-        BIGNUM *bn = NULL;
+        uint8_t *key = NULL;
-        CBS dh_Yc;
+        size_t key_len = 0;
-        DH *dh;
+        int ret = -1;
-        if (!CBS_get_u16_length_prefixed(cbs, &dh_Yc))
-                goto decode_err;
-        if (CBS_len(cbs) != 0)
-                goto decode_err;
-        if (S3I(s)->tmp.dh == NULL) {
+        if ((dh_srvr = S3I(s)->tmp.dh) == NULL) {
-                al = SSL_AD_HANDSHAKE_FAILURE;
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
-                goto fatal_err;
+                goto err;
        }
-        dh = S3I(s)->tmp.dh;
-        if ((bn = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL)) == NULL) {
+        if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL)
-                SSLerror(s, SSL_R_BN_LIB);
                goto err;
-        }
-        if ((key_size = DH_size(dh)) <= 0) {
+        if (!ssl_kex_peer_public_dhe(dh_clnt, cbs, &invalid_key)) {
-                SSLerror(s, ERR_R_DH_LIB);
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+                SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
                goto err;
        }
-        if ((key = malloc(key_size)) == NULL) {
+        if (invalid_key) {
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+                SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
                goto err;
        }
-        if (!DH_check_pub_key(dh, bn, &key_is_invalid)) {
-                al = SSL_AD_INTERNAL_ERROR;
+        if (!ssl_kex_derive_dhe(dh_srvr, dh_clnt, &key, &key_len))
-                SSLerror(s, ERR_R_DH_LIB);
+                goto err;
-                goto fatal_err;
-        }
-        if (key_is_invalid) {
-                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerror(s, ERR_R_DH_LIB);
-                goto fatal_err;
-        }
-        if ((key_len = DH_compute_key(key, bn, dh)) <= 0) {
-                al = SSL_AD_INTERNAL_ERROR;
-                SSLerror(s, ERR_R_DH_LIB);
-                goto fatal_err;
-        }
        if (!tls12_derive_master_secret(s, key, key_len))
                goto err;
@@ -1841,21 +1826,13 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
        DH_free(S3I(s)->tmp.dh);
        S3I(s)->tmp.dh = NULL;
-        freezero(key, key_size);
+        ret = 1;
-        BN_clear_free(bn);
-        return (1);
- decode_err:
-        al = SSL_AD_DECODE_ERROR;
-        SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
- fatal_err:
-        ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-        freezero(key, key_size);
+        freezero(key, key_len);
-        BN_clear_free(bn);
+        DH_free(dh_clnt);
-        return (-1);
+        return ret;
 }
 static int

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 0c217d6d3e..e9ea6b141c 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.126 2021/11/29 16:03:56 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.127 2021/12/04 14:03:22 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1309,43 +1309,38 @@ ssl3_send_server_done(SSL *s)
1309	static int	1309	static int
1310	ssl3_send_server_kex_dhe(SSL s, CBB cbb)	1310	ssl3_send_server_kex_dhe(SSL s, CBB cbb)
1311	{	1311	{
1312	DH dh = NULL, dhp;	1312	DH *dh = NULL;
1313	int al;	1313	int al;
1314		1314
		1315	if ((dh = DH_new()) == NULL)
		1316	goto err;
		1317
1315	if (s->cert->dh_tmp_auto != 0) {	1318	if (s->cert->dh_tmp_auto != 0) {
1316	if ((dhp = ssl_get_auto_dh(s)) == NULL) {	1319	size_t key_bits;
		1320
		1321	if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
1317	al = SSL_AD_INTERNAL_ERROR;	1322	al = SSL_AD_INTERNAL_ERROR;
1318	SSLerror(s, ERR_R_INTERNAL_ERROR);	1323	SSLerror(s, ERR_R_INTERNAL_ERROR);
1319	goto fatal_err;	1324	goto fatal_err;
1320	}	1325	}
1321	} else
1322	dhp = s->cert->dh_tmp;
1323		1326
1324	if (dhp == NULL && s->cert->dh_tmp_cb != NULL)	1327	if (!ssl_kex_generate_dhe_params_auto(dh, key_bits))
1325	dhp = s->cert->dh_tmp_cb(s, 0,	1328	goto err;
1326	SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));	1329	} else {
		1330	DH *dh_params = s->cert->dh_tmp;
1327		1331
1328	if (dhp == NULL) {	1332	if (dh_params == NULL && s->cert->dh_tmp_cb != NULL)
1329	al = SSL_AD_HANDSHAKE_FAILURE;	1333	dh_params = s->cert->dh_tmp_cb(s, 0,
1330	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);	1334	SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
1331	goto fatal_err;
1332	}
1333		1335
1334	if (S3I(s)->tmp.dh != NULL) {	1336	if (dh_params == NULL) {
1335	SSLerror(s, ERR_R_INTERNAL_ERROR);	1337	al = SSL_AD_HANDSHAKE_FAILURE;
1336	goto err;	1338	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1337	}	1339	goto fatal_err;
		1340	}
1338		1341
1339	if (s->cert->dh_tmp_auto != 0) {	1342	if (!ssl_kex_generate_dhe(dh, dh_params))
1340	dh = dhp;	1343	goto err;
1341	} else if ((dh = DHparams_dup(dhp)) == NULL) {
1342	SSLerror(s, ERR_R_DH_LIB);
1343	goto err;
1344	}
1345	S3I(s)->tmp.dh = dh;
1346	if (!DH_generate_key(dh)) {
1347	SSLerror(s, ERR_R_DH_LIB);
1348	goto err;
1349	}	1344	}
1350		1345
1351	if (!ssl_kex_params_dhe(dh, cbb))	1346	if (!ssl_kex_params_dhe(dh, cbb))
@@ -1353,12 +1348,20 @@ ssl3_send_server_kex_dhe(SSL s, CBB cbb)
1353	if (!ssl_kex_public_dhe(dh, cbb))	1348	if (!ssl_kex_public_dhe(dh, cbb))
1354	goto err;	1349	goto err;
1355		1350
1356	return (1);	1351	if (S3I(s)->tmp.dh != NULL) {
		1352	SSLerror(s, ERR_R_INTERNAL_ERROR);
		1353	goto err;
		1354	}
		1355	S3I(s)->tmp.dh = dh;
		1356
		1357	return 1;
1357		1358
1358	fatal_err:	1359	fatal_err:
1359	ssl3_send_alert(s, SSL3_AL_FATAL, al);	1360	ssl3_send_alert(s, SSL3_AL_FATAL, al);
1360	err:	1361	err:
1361	return (-1);	1362	DH_free(dh);
		1363
		1364	return -1;
1362	}	1365	}
1363		1366
1364	static int	1367	static int
@@ -1787,53 +1790,35 @@ ssl3_get_client_kex_rsa(SSL s, CBS cbs)
1787	static int	1790	static int
1788	ssl3_get_client_kex_dhe(SSL s, CBS cbs)	1791	ssl3_get_client_kex_dhe(SSL s, CBS cbs)
1789	{	1792	{
1790	int key_size = 0;	1793	DH *dh_clnt = NULL;
1791	int key_is_invalid, key_len, al;	1794	DH *dh_srvr;
1792	unsigned char *key = NULL;	1795	int invalid_key;
1793	BIGNUM *bn = NULL;	1796	uint8_t *key = NULL;
1794	CBS dh_Yc;	1797	size_t key_len = 0;
1795	DH *dh;	1798	int ret = -1;
1796
1797	if (!CBS_get_u16_length_prefixed(cbs, &dh_Yc))
1798	goto decode_err;
1799	if (CBS_len(cbs) != 0)
1800	goto decode_err;
1801		1799
1802	if (S3I(s)->tmp.dh == NULL) {	1800	if ((dh_srvr = S3I(s)->tmp.dh) == NULL) {
1803	al = SSL_AD_HANDSHAKE_FAILURE;	1801	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1804	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);	1802	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1805	goto fatal_err;	1803	goto err;
1806	}	1804	}
1807	dh = S3I(s)->tmp.dh;
1808		1805
1809	if ((bn = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL)) == NULL) {	1806	if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL)
1810	SSLerror(s, SSL_R_BN_LIB);
1811	goto err;	1807	goto err;
1812	}
1813		1808
1814	if ((key_size = DH_size(dh)) <= 0) {	1809	if (!ssl_kex_peer_public_dhe(dh_clnt, cbs, &invalid_key)) {
1815	SSLerror(s, ERR_R_DH_LIB);	1810	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		1811	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1816	goto err;	1812	goto err;
1817	}	1813	}
1818	if ((key = malloc(key_size)) == NULL) {	1814	if (invalid_key) {
1819	SSLerror(s, ERR_R_MALLOC_FAILURE);	1815	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
		1816	SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1820	goto err;	1817	goto err;
1821	}	1818	}
1822	if (!DH_check_pub_key(dh, bn, &key_is_invalid)) {	1819
1823	al = SSL_AD_INTERNAL_ERROR;	1820	if (!ssl_kex_derive_dhe(dh_srvr, dh_clnt, &key, &key_len))
1824	SSLerror(s, ERR_R_DH_LIB);	1821	goto err;
1825	goto fatal_err;
1826	}
1827	if (key_is_invalid) {
1828	al = SSL_AD_ILLEGAL_PARAMETER;
1829	SSLerror(s, ERR_R_DH_LIB);
1830	goto fatal_err;
1831	}
1832	if ((key_len = DH_compute_key(key, bn, dh)) <= 0) {
1833	al = SSL_AD_INTERNAL_ERROR;
1834	SSLerror(s, ERR_R_DH_LIB);
1835	goto fatal_err;
1836	}
1837		1822
1838	if (!tls12_derive_master_secret(s, key, key_len))	1823	if (!tls12_derive_master_secret(s, key, key_len))
1839	goto err;	1824	goto err;
@@ -1841,21 +1826,13 @@ ssl3_get_client_kex_dhe(SSL s, CBS cbs)
1841	DH_free(S3I(s)->tmp.dh);	1826	DH_free(S3I(s)->tmp.dh);
1842	S3I(s)->tmp.dh = NULL;	1827	S3I(s)->tmp.dh = NULL;
1843		1828
1844	freezero(key, key_size);	1829	ret = 1;
1845	BN_clear_free(bn);
1846
1847	return (1);
1848		1830
1849	decode_err:
1850	al = SSL_AD_DECODE_ERROR;
1851	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1852	fatal_err:
1853	ssl3_send_alert(s, SSL3_AL_FATAL, al);
1854	err:	1831	err:
1855	freezero(key, key_size);	1832	freezero(key, key_len);
1856	BN_clear_free(bn);	1833	DH_free(dh_clnt);
1857		1834
1858	return (-1);	1835	return ret;
1859	}	1836	}
1860		1837
1861	static int	1838	static int