author | lloyd <[email protected]> | 2012-06-25 17:21:21 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-06-25 17:21:21 +0000 |
commit | 0b817481d04aa9585c056d10ab55d2f2df42816d (patch) | |
tree | 9ecc697ec6677358ae41094bc8593cd5a42a873e /src/tls/c_kex.cpp | |
parent | fd289ebe6dd7e4bafd6e5ca1c76d7075960847cc (diff) |
Add TLS::Policy::minimum_dh_group_size, default 1024. Send an
insufficient_security alert if the server tries to give us a DH group
smaller than that. Also check that the server's key isn't obviously
bogus (<=1 || >= p-1), though as our own key is purely ephemeral a
small subgroup attack doesn't seem to provide much advantage
anyway.
Diffstat (limited to 'src/tls/c_kex.cpp')
-rw-r--r-- | src/tls/c_kex.cpp | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/src/tls/c_kex.cpp b/src/tls/c_kex.cpp
index a173b18ad..54c5af5c3 100644
--- a/src/tls/c_kex.cpp
+++ b/src/tls/c_kex.cpp
@@ -49,6 +49,7 @@ secure_vector<byte> strip_leading_zeros(const secure_vector<byte>& input)
 */
 Client_Key_Exchange::Client_Key_Exchange(Record_Writer& writer,
 Handshake_State* state,
+ const Policy& policy,
 Credentials_Manager& creds,
 const std::vector<X509_Certificate>& peer_certs,
 const std::string& hostname,
@@ -111,6 +112,23 @@ Client_Key_Exchange::Client_Key_Exchange(Record_Writer& writer,
 if(reader.remaining_bytes())
 throw Decoding_Error("Bad params size for DH key exchange");
+ if(p.bits() < policy.minimum_dh_group_size())
+ throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
+ "Server sent DH group of " +
+ std::to_string(p.bits()) +
+ " bits, policy requires at least " +
+ std::to_string(policy.minimum_dh_group_size()));
+ /* * A basic check for key validity. As we do not know q here we * cannot check that Y is in the right subgroup. However since * our key is ephemeral there does not seem to be any * advantage to bogus keys anyway. */
+ if(Y <= 1 || Y >= p - 1)
+ throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
+ "Server sent bad DH key for DHE exchange");
+
 DL_Group group(p, g);
 if(!group.verify_group(rng, true))
@@ -118,8 +136,6 @@ Client_Key_Exchange::Client_Key_Exchange(Record_Writer& writer,
 DH_PublicKey counterparty_key(group, Y);
- // FIXME Check that public key is residue?
-
 DH_PrivateKey priv_key(rng, group);
 PK_Key_Agreement ka(priv_key, "Raw"); |
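Review bot: The range check on `Y` in the second hunk reports a malformed server public value with `Alert::INSUFFICIENT_SECURITY`, the same alert the group-size check just above it uses, so neither the peer nor anyone reading the resulting alert can tell "your group is smaller than my policy allows" apart from "your public value is outside [2, p-2]". The TLS alert that names the second condition is illegal_parameter; using it for the `Y` check and keeping insufficient_security for the policy mismatch would make the two failures distinguishable on the wire and in logs. The new comment says only "basic check for key validity" and would help a maintainer more if it stated what the bounds exclude, e.g. `// rejects 0, 1, p-1 (the order-2 element) and any Y >= p, i.e. values not reduced mod p`. The constructor begins before the first hunk and continues past the third.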