author | 2020-06-01 08:04:02 +0000 | |
---|---|---|
committer | 2020-06-01 08:04:02 +0000 | |
commit | fc1fe0f624281adbdd2cd084392311bf60cb9dc4 (patch) | |
tree | 94a9e35aa6a23e49d0d31833002cdba5c9154d14 /lib/libssl/ssl_srvr.c | |
parent | Add a mechanism to set an alert in those parts of the read half of (diff) | |
Send an illegal_parameter alert if a client sends us invalid DH key
shares. Previously we would fail and just close the pipe.
Fixes the remaining failing test-dhe-rsa-key-exchange-with-bad-messages.py
tests of tlsfuzzer.
ok beck (earlier version) jsing
Diffstat (limited to 'lib/libssl/ssl_srvr.c')
-rw-r--r-- | lib/libssl/ssl_srvr.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index fac24f4d000..15dfdc35b1c 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.77 2020/05/31 16:36:35 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.78 2020/06/01 08:04:02 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1778,7 +1778,8 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
 static int
 ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
 {
- int key_size = 0, key_len, al;
+ int key_size = 0;
+ int key_is_invalid, key_len, al;
 unsigned char *key = NULL;
 BIGNUM *bn = NULL;
 CBS dh_Yc;
@@ -1809,9 +1810,20 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
 SSLerror(s, ERR_R_MALLOC_FAILURE);
 goto err;
 }
+ if (!DH_check_pub_key(dh, bn, &key_is_invalid)) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerror(s, ERR_R_DH_LIB);
+ goto f_err;
+ }
+ if (key_is_invalid) {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerror(s, ERR_R_DH_LIB);
+ goto f_err;
+ }
 if ((key_len = DH_compute_key(key, bn, dh)) <= 0) {
+ al = SSL_AD_INTERNAL_ERROR;
 SSLerror(s, ERR_R_DH_LIB);
- goto err;
+ goto f_err;
 }
 s->session->master_key_length = tls1_generate_master_secret(s, |
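Review bot: In the third hunk the `key_is_invalid` branch records the same `ERR_R_DH_LIB` reason as the two library-failure branches around it, so the error queue cannot tell a client-supplied bad DH share from an internal failure of `DH_check_pub_key()` or `DH_compute_key()`; only the alert sent to the peer differs. A reason code specific to a rejected peer key in that branch would let server-side logs separate broken or hostile clients from local faults. The flag word is also opaque to a reader, so a comment above the test would help, for example `/* Any DH_CHECK_PUBKEY_* bit set means the client's Yc failed validation. */`. The `f_err` label and the cleanup of `key` and `bn` lie outside the hunk, so this assumes `f_err` reaches the same freeing path that `err` did.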