From 0b817481d04aa9585c056d10ab55d2f2df42816d Mon Sep 17 00:00:00 2001
From: lloyd
Date: Mon, 25 Jun 2012 17:21:21 +0000
Subject: Add TLS::Policy::minimum_dh_group_size, default 1024. Send an insufficient_security alert if the server tries to give us a DH group smaller than that.

Also check to make sure the key isn't obviously bogus (<=1 || >= p-1), though as the key is purely ephemeral it doesn't seem like a small subgroup attack would provide much advantage anyway.
---
 src/tls/c_kex.cpp | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

(limited to 'src/tls/c_kex.cpp')

diff --git a/src/tls/c_kex.cpp b/src/tls/c_kex.cpp
index a173b18ad..54c5af5c3 100644
--- a/src/tls/c_kex.cpp
+++ b/src/tls/c_kex.cpp
@@ -49,6 +49,7 @@ secure_vector strip_leading_zeros(const secure_vector& input)
 */
 Client_Key_Exchange::Client_Key_Exchange(Record_Writer& writer,
 Handshake_State* state,
+ const Policy& policy,
 Credentials_Manager& creds,
 const std::vector& peer_certs,
 const std::string& hostname,
@@ -111,6 +112,23 @@ Client_Key_Exchange::Client_Key_Exchange(Record_Writer& writer,
 if(reader.remaining_bytes())
 throw Decoding_Error("Bad params size for DH key exchange");
+ if(p.bits() < policy.minimum_dh_group_size())
+ throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
+ "Server sent DH group of " + std::to_string(p.bits()) + " bits, policy requires at least " + std::to_string(policy.minimum_dh_group_size()));
+ /* * A basic check for key validity. As we do not know q here we * cannot check that Y is in the right subgroup. However since * our key is ephemeral there does not seem to be any * advantage to bogus keys anyway. */
+ if(Y <= 1 || Y >= p - 1)
+ throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
+ "Server sent bad DH key for DHE exchange");
+
 DL_Group group(p, g);
 if(!group.verify_group(rng, true))
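Review bot: The bogus-key rejection at `if(Y <= 1 || Y >= p - 1)` reports `Alert::INSUFFICIENT_SECURITY`, but a peer value outside 2..p-2 is a malformed field rather than a too-weak group, so `Alert::ILLEGAL_PARAMETER` (RFC 5246's alert for a handshake field out of range) is the better fit and keeps the two failure causes distinguishable in logs; only the group-size check above it should keep INSUFFICIENT_SECURITY. The new comment says Y's subgroup cannot be checked without q, yet the FIXME deleted in the second hunk (`// FIXME Check that public key is residue?`) named the check that works whenever p is a safe prime: Y lies in the order-(p-1)/2 subgroup exactly when it is a quadratic residue mod p, which a Jacobi-symbol test decides without knowing q, so the comment overstates the limitation; whether `verify_group(rng, true)` establishes the safe-prime form is not visible in this hunk and would need confirming before relying on it. I would also have the comment state the contract it enforces, e.g. `* Rejects Y outside [2, p-2] (partial public-key validation as in SP 800-56A);`. The constructor's body begins before and continues after this hunk.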
@@ -118,8 +136,6 @@ Client_Key_Exchange::Client_Key_Exchange(Record_Writer& writer,
 DH_PublicKey counterparty_key(group, Y);
- // FIXME Check that public key is residue?
-
 DH_PrivateKey priv_key(rng, group);
 PK_Key_Agreement ka(priv_key, "Raw");
-- 
cgit v1.2.3