ext/key_share: check the validity of server key shares
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 27 Jul 2018 09:58:38 +0000 (11:58 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 27 Jul 2018 12:13:35 +0000 (14:13 +0200)
That is, when generating the public key based on the server's
key share, ensure that the algorithms match completely with
the key shares the client initially sent. This was detected
by the updated traces for TLS1.3 fuzzing.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/crypto-backend.h
lib/ext/key_share.c

index e410af03e38a5221ffd062869cc70b1e17fae361..ff8f39616e0270cebc60fcba5daea4c7a3b491a5 100644 (file)
@@ -194,6 +194,7 @@ typedef struct {
        unsigned int pkflags; /* gnutls_pk_flag_t */
        unsigned int qbits; /* GNUTLS_PK_DH */
        gnutls_ecc_curve_t curve; /* GNUTLS_PK_EC, GNUTLS_PK_ED25519, GNUTLS_PK_GOST* */
+       gnutls_group_t dh_group; /* GNUTLS_PK_DH - used by ext/key_share */
        gnutls_gost_paramset_t gost_params; /* GNUTLS_PK_GOST_* */
        gnutls_datum_t raw_pub; /* used by x25519 */
        gnutls_datum_t raw_priv;
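Review bot: The comment on the new `dh_group` field does not say who writes it or what an unset value means; in this commit it is assigned only in client_gen_key_share and read only in client_use_key_share. I would spell that out, e.g. `/* GNUTLS_PK_DH: FFDHE group of the key share we offered; set in client_gen_key_share, compared in client_use_key_share */`. If any helper elsewhere copies or clears this struct member by member, it presumably needs to handle the new field as well; that code is not part of this diff. The struct definition starts and ends outside the hunk.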
index 98bb7291318b2db2e47ed09bae4a882bbd33f7aa..c5b104f9ac0a1b608293ef4d3313aba3d74433b2 100644 (file)
@@ -153,6 +153,7 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent
                        return gnutls_assert_val(ret);
 
                session->key.kshare.dh_params.algo = group->pk;
+               session->key.kshare.dh_params.dh_group = group->id; /* no curve in FFDH, we write the group */
                session->key.kshare.dh_params.qbits = *group->q_bits;
                session->key.kshare.dh_params.params_nr = 3; /* empty q */
 
@@ -400,6 +401,9 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
 
                gnutls_pk_params_init(&pub);
 
+               if (session->key.kshare.ecdh_params.algo != group->pk || session->key.kshare.ecdh_params.curve != curve->id)
+                       return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
                if (curve->size*2+1 != data_size)
                        return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 
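Review bot: This guard, like the matching ones for `ecdhx_params` and `dh_params` further down in client_use_key_share, is only as strong as the guarantee that `session->key.kshare` holds exactly the shares from the most recent ClientHello. If a second ClientHello after a HelloRetryRequest regenerates only one of the slots, the others would presumably still carry the first flight's `algo` and `curve` and would pass this comparison. The generation path and any reset of `kshare` are outside the hunk, so please confirm that unused slots are cleared, or that the selected group is separately checked against the retry request. A short comment above the check, such as `/* the server must select a group we sent a share for */`, would also help. The function body starts and ends outside the hunk.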
@@ -428,6 +432,9 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
 
                curve = _gnutls_ecc_curve_get_params(group->curve);
 
+               if (session->key.kshare.ecdhx_params.algo != group->pk || session->key.kshare.ecdhx_params.curve != curve->id)
+                       return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
                if (curve->size != data_size)
                        return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 
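Review bot: `curve->id` in the added condition is now the first dereference of the pointer returned by `_gnutls_ecc_curve_get_params(group->curve)` two lines above, and the visible lines have no NULL check in between. The existing `curve->size` test already made the same assumption, so this is not new. Still, the added check could avoid depending on the lookup result by comparing against the group entry, `session->key.kshare.ecdhx_params.curve != group->curve`, assuming the looked-up entry's `id` equals the value it was looked up by. The condition also runs well past 80 columns, and breaking it after `||` would make it easier to read. The function continues outside the hunk.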
@@ -453,6 +460,9 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
        } else if (group->pk == GNUTLS_PK_DH) {
                gnutls_pk_params_st pub;
 
+               if (session->key.kshare.dh_params.algo != group->pk || session->key.kshare.dh_params.dh_group != group->id)
+                       return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
                if (data_size != group->prime->size)
                        return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);