From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001

From: Tomas Mraz <tomas@openssl.org>

Date: Fri, 21 Jul 2023 11:39:41 +0200

Subject: [PATCH 198/200] DH_check(): Do not try checking q properties if it is

 obviously invalid

​

If  |q| >= |p| then the q value is obviously wrong as q

is supposed to be a prime divisor of p-1.

​

We check if p is overly large so this added test implies that

q is not large either when performing subsequent tests using that

q value.

​

Otherwise if it is too large these additional checks of the q value

such as the primality test can then trigger DoS by doing overly long

computations.

​

Fixes CVE-2023-3817

​

Reviewed-by: Paul Dale <pauli@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

(Merged from https://github.com/openssl/openssl/pull/21551)

​

Index: openssl-1.1.1l/crypto/dh/dh_check.c

===================================================================

--- openssl-1.1.1l.orig/crypto/dh/dh_check.c

+++ openssl-1.1.1l/crypto/dh/dh_check.c

@@ -105,7 +105,7 @@ int DH_check_ex(const DH *dh)

 /* Note: according to documentation - this only checks the params */

 int DH_check(const DH *dh, int *ret)

 {

-    int ok = 0, r;

+    int ok = 0, r, q_good = 0;

     BN_CTX *ctx = NULL;

     BIGNUM *t1 = NULL, *t2 = NULL;

@@ -130,7 +130,14 @@ int DH_check(const DH *dh, int *ret)

     if (t2 == NULL)

         goto err;

-    if (dh->q) {

+    if (dh->q != NULL) {

+        if (BN_ucmp(dh->p, dh->q) > 0)

+            q_good = 1;

+        else

+            *ret |= DH_CHECK_INVALID_Q_VALUE;

+    }

+

+    if (q_good) {

         if (BN_cmp(dh->g, BN_value_one()) <= 0)

             *ret |= DH_NOT_SUITABLE_GENERATOR;

         else if (BN_cmp(dh->g, dh->p) >= 0)

From 34d0f5cb93680a5286d1eb59125631ec8fd6dc81 Mon Sep 17 00:00:00 2001

From: Tomas Mraz <tomas@openssl.org>

Date: Tue, 25 Jul 2023 15:56:53 +0200

Subject: [PATCH] dhtest.c: Add test of DH_check() with q = p + 1

​

This must fail with DH_CHECK_INVALID_Q_VALUE and

with DH_CHECK_Q_NOT_PRIME unset.

​

Reviewed-by: Paul Dale <pauli@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

(Merged from https://github.com/openssl/openssl/pull/21551)

---

 test/dhtest.c | 12 ++++++++++++

 1 file changed, 12 insertions(+)

​

diff --git a/test/dhtest.c b/test/dhtest.c

index 00b3c471015d..d7e10ebda9b5 100644

--- a/test/dhtest.c

+++ b/test/dhtest.c

@@ -123,6 +123,15 @@ static int dh_test(void)

     /* check whether the public key was calculated correctly */

     TEST_uint_eq(BN_get_word(pub_key2), 3331L);

+    if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one())))

+        goto err3;

+

+    if (!TEST_true(DH_check(dh, &i)))

+        goto err3;

+    if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE)

+        || !TEST_false(i & DH_CHECK_Q_NOT_PRIME))

+        goto err3;

+

     /* Modulus of size: dh check max modulus bits + 1 */

     if (!TEST_true(BN_set_word(p, 1))

             || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))

@@ -134,6 +143,9 @@ static int dh_test(void)

     if (!TEST_false(DH_check(dh, &i)))

         goto err3;

+    /* We'll have a stale error on the queue from the above test so clear it */

+    ERR_clear_error();

+

     /*

      * II) key generation

      */

​