-/* $OpenBSD: ssl_clnt.c,v 1.146 2022/06/07 17:45:13 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.147 2022/06/29 08:27:51 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
goto err;
}
+ if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
+ SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ return 0;
+ }
+
return 1;
err:
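Review bot: The new rejection path leaves with `return 0;`, while the check just above it fails through `goto err;`, so whatever the `err:` label does is skipped on this path. The label's body is outside the hunk, so I cannot tell whether that matters today. If it only returns 0, `goto err;` after the alert would keep the function consistent; otherwise a short comment such as `/* Alert already sent; nothing to clean up. */` would explain the direct return. The same pattern appears in the ssl_srvr.c hunk.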
-/* $OpenBSD: ssl_locl.h,v 1.398 2022/06/29 07:59:14 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.399 2022/06/29 08:27:51 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
void *other);
int ssl_security(const SSL *ssl, int op, int bits, int nid, void * other);
+int ssl_security_dh(const SSL *ssl, DH *dh);
int ssl_get_new_session(SSL *s, int session);
int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
-/* $OpenBSD: ssl_seclevel.c,v 1.5 2022/06/28 20:54:16 tb Exp $ */
+/* $OpenBSD: ssl_seclevel.c,v 1.6 2022/06/29 08:27:51 tb Exp $ */
/*
* Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
*
#include <stddef.h>
+#include <openssl/dh.h>
#include <openssl/ossl_typ.h>
#include <openssl/ssl.h>
#include <openssl/tls1.h>
return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other,
ssl->cert->security_ex_data);
}
+
+int
+ssl_security_dh(const SSL *ssl, DH *dh)
+{
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+ return ssl_security(ssl, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh);
+#else
+ return 1;
+#endif
+}
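Review bot: `ssl_security_dh()` hands `dh` to `DH_security_bits()` without checking it, and the only caller visible in this commit passes `ks->dhe_peer`, which may be unset if the peer's key was never stored. A guard as the first line of the `LIBRESSL_HAS_SECURITY_LEVEL` branch, `if (dh == NULL) return 0;`, would make that case fail closed rather than presumably dereferencing a null pointer. The `#else` branch also deserves a comment, e.g. `/* Security levels compiled out: accept all DH parameters. */`, because the new handshake checks never reject anything in that build.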
-/* $OpenBSD: ssl_srvr.c,v 1.144 2022/06/29 07:53:58 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.145 2022/06/29 08:27:51 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
if (!tls_key_share_public(s->s3->hs.key_share, cbb))
goto err;
+ if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
+ SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ return 0;
+ }
+
return 1;
err:
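Review bot: On the server this check runs right after `tls_key_share_public()` writes the server's own public value, yet `tls_key_share_peer_security()` evaluates `ks->dhe_peer`. At this stage of the handshake the client's key would normally not have arrived, so the check appears to look at the wrong DH object, or at an unset one. The rest of the function is outside the hunk, so please confirm. If the intent is to refuse to offer parameters below the security level, the check belongs on the server's own DH parameters in the key share, and before anything is written to `cbb`.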
-/* $OpenBSD: tls_internal.h,v 1.5 2022/01/11 18:28:41 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.6 2022/06/29 08:27:51 tb Exp $ */
/*
* Copyright (c) 2018, 2019, 2021 Joel Sing <jsing@openbsd.org>
*
int *decode_error, int *invalid_key);
int tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
size_t *shared_key_len);
+int tls_key_share_peer_security(const SSL *ssl, struct tls_key_share *ks);
__END_HIDDEN_DECLS
-/* $OpenBSD: tls_key_share.c,v 1.4 2022/01/11 18:28:41 jsing Exp $ */
+/* $OpenBSD: tls_key_share.c,v 1.5 2022/06/29 08:27:52 tb Exp $ */
/*
* Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
*
return tls_key_share_derive_ecdhe_ecp(ks, shared_key,
shared_key_len);
}
+
+int
+tls_key_share_peer_security(const SSL *ssl, struct tls_key_share *ks)
+{
+ switch (ks->nid) {
+ case NID_dhKeyAgreement:
+ return ssl_security_dh(ssl, ks->dhe_peer);
+ default:
+ return 0;
+ }
+}
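Review bot: `tls_key_share_peer_security()` returns 0 for every `ks->nid` other than `NID_dhKeyAgreement`, and both callers in this commit turn a 0 into `SSL_R_DH_KEY_TOO_SMALL` plus a fatal alert. That fail-closed default is reasonable, but it is undocumented, and the reported error would be misleading if the function were ever reached with a non-DH key share. I would add a comment above the function, `/* Only DHE key shares are checked; any other type is rejected. */`, and state there that callers must use it only on DHE paths.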