authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-04-18 11:18:04 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-04-18 16:36:36 +0200
commit2487a5a7ee00a239e45025c890a3bf1db8dd9164 (patch)
tree5cec5d67629be67cacdccd3af092fde8cc614a68
parent95c3c22203523ceafdd4fd38412b046f08b546fb (diff)
downloadgnutls-2487a5a7ee00a239e45025c890a3bf1db8dd9164.tar.gz
_wrap_nettle_pk_derive: reject values of public key that are over the prime
That is, do not canonicalise the value we get from the network, but rather check it for validity. This saves a modular reduction on handshake and performs a sanity check on the peer's (client) parameters. Reported by Hubert Kario. Resolves #84
-rw-r--r--lib/nettle/pk.c14
1 files changed, 4 insertions, 10 deletions
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 4ed1791ecf..f6dc7399e0 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -220,23 +220,17 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_mpi_modm(ff, f, prime);
+ ret = _gnutls_mpi_add_ui(ff, f, 1);
if (ret < 0) {
gnutls_assert();
goto dh_cleanup;
}
- ret = _gnutls_mpi_add_ui(ff, ff, 1);
- if (ret < 0) {
- gnutls_assert();
- goto dh_cleanup;
- }
-
- /* check if f==0,1,p-1.
- * or (ff=f+1) equivalently ff==1,2,p */
+ /* check if f==0,1, or f >= p-1.
+ * or (ff=f+1) equivalently ff==1,2, ff >= p */
if ((_gnutls_mpi_cmp_ui(ff, 2) == 0)
|| (_gnutls_mpi_cmp_ui(ff, 1) == 0)
- || (_gnutls_mpi_cmp(ff, prime) == 0)) {
+ || (_gnutls_mpi_cmp(ff, prime) >= 0)) {
gnutls_assert();
ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
goto dh_cleanup;