From 2c1036d8e6c80a85e878141c8827e9a4e96b33cc Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Wed, 29 Jun 2022 08:27:51 +0000
Subject: [PATCH] Check the security of DH key shares

ok beck, looks good to jsing
---
 lib/libssl/ssl_clnt.c      |  8 +++++++-
 lib/libssl/ssl_locl.h      |  3 ++-
 lib/libssl/ssl_seclevel.c  | 13 ++++++++++++-
 lib/libssl/ssl_srvr.c      |  8 +++++++-
 lib/libssl/tls_internal.h  |  3 ++-
 lib/libssl/tls_key_share.c | 13 ++++++++++++-
 6 files changed, 42 insertions(+), 6 deletions(-)

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index c509771cc3f..52911752352 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.146 2022/06/07 17:45:13 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.147 2022/06/29 08:27:51 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1248,6 +1248,12 @@ ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
 		goto err;
 	}
 
+	if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
+		SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
+		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+		return 0;
+	}
+
 	return 1;
 
  err:
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index ed033abc913..f198c4b0353 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.398 2022/06/29 07:59:14 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.399 2022/06/29 08:27:51 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1290,6 +1290,7 @@ int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
 int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
     void *other);
 int ssl_security(const SSL *ssl, int op, int bits, int nid, void * other);
+int ssl_security_dh(const SSL *ssl, DH *dh);
 
 int ssl_get_new_session(SSL *s, int session);
 int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
diff --git a/lib/libssl/ssl_seclevel.c b/lib/libssl/ssl_seclevel.c
index 6c788c205db..34cea637e0c 100644
--- a/lib/libssl/ssl_seclevel.c
+++ b/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl_seclevel.c,v 1.5 2022/06/28 20:54:16 tb Exp $ */
+/*	$OpenBSD: ssl_seclevel.c,v 1.6 2022/06/29 08:27:51 tb Exp $ */
 /*
  * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
  *
@@ -17,6 +17,7 @@
 
 #include <stddef.h>
 
+#include <openssl/dh.h>
 #include <openssl/ossl_typ.h>
 #include <openssl/ssl.h>
 #include <openssl/tls1.h>
@@ -225,3 +226,13 @@ ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
 	return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other,
 	    ssl->cert->security_ex_data);
 }
+
+int
+ssl_security_dh(const SSL *ssl, DH *dh)
+{
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+	return ssl_security(ssl, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh);
+#else
+	return 1;
+#endif
+}
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 97077a3380f..e37f9cfdb7a 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.144 2022/06/29 07:53:58 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.145 2022/06/29 08:27:51 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1355,6 +1355,12 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
 	if (!tls_key_share_public(s->s3->hs.key_share, cbb))
 		goto err;
 
+	if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
+		SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
+		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+		return 0;
+	}
+
 	return 1;
 
  err:
diff --git a/lib/libssl/tls_internal.h b/lib/libssl/tls_internal.h
index a009635a05b..0065f0f39f7 100644
--- a/lib/libssl/tls_internal.h
+++ b/lib/libssl/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.5 2022/01/11 18:28:41 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.6 2022/06/29 08:27:51 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019, 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -77,6 +77,7 @@ int tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs,
     int *decode_error, int *invalid_key);
 int tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
     size_t *shared_key_len);
+int tls_key_share_peer_security(const SSL *ssl, struct tls_key_share *ks);
 
 __END_HIDDEN_DECLS
 
diff --git a/lib/libssl/tls_key_share.c b/lib/libssl/tls_key_share.c
index e5e6c304b68..0b941d8b0d7 100644
--- a/lib/libssl/tls_key_share.c
+++ b/lib/libssl/tls_key_share.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_key_share.c,v 1.4 2022/01/11 18:28:41 jsing Exp $ */
+/* $OpenBSD: tls_key_share.c,v 1.5 2022/06/29 08:27:52 tb Exp $ */
 /*
  * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -471,3 +471,14 @@ tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
 	return tls_key_share_derive_ecdhe_ecp(ks, shared_key,
 	    shared_key_len);
 }
+
+int
+tls_key_share_peer_security(const SSL *ssl, struct tls_key_share *ks)
+{
+	switch (ks->nid) {
+	case NID_dhKeyAgreement:
+		return ssl_security_dh(ssl, ks->dhe_peer);
+	default:
+		return 0;
+	}
+}
-- 
2.20.1