1From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001 2From: Tomas Mraz <tomas@openssl.org> 3Date: Fri, 21 Jul 2023 11:39:41 +0200 4Subject: [PATCH] DH_check(): Do not try checking q properties if it is 5 obviously invalid 6 7If |q| >= |p| then the q value is obviously wrong as q 8is supposed to be a prime divisor of p-1. 9 10We check if p is overly large so this added test implies that 11q is not large either when performing subsequent tests using that 12q value. 13 14Otherwise if it is too large these additional checks of the q value 15such as the primality test can then trigger DoS by doing overly long 16computations. 17 18Fixes CVE-2023-3817 19 20Reviewed-by: Paul Dale <pauli@openssl.org> 21Reviewed-by: Matt Caswell <matt@openssl.org> 22(Merged from https://github.com/openssl/openssl/pull/21551) 23--- 24 crypto/dh/dh_check.c | 11 +++++++++-- 25 1 file changed, 9 insertions(+), 2 deletions(-) 26 27diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c 28index 2001d2e7cb..9ae96991eb 100644 29--- a/crypto/dh/dh_check.c 30+++ b/crypto/dh/dh_check.c 31@@ -97,7 +97,7 @@ int DH_check_ex(const DH *dh) 32 33 int DH_check(const DH *dh, int *ret) 34 { 35- int ok = 0, r; 36+ int ok = 0, r, q_good = 0; 37 BN_CTX *ctx = NULL; 38 BIGNUM *t1 = NULL, *t2 = NULL; 39 40@@ -120,7 +120,14 @@ int DH_check(const DH *dh, int *ret) 41 if (t2 == NULL) 42 goto err; 43 44- if (dh->q) { 45+ if (dh->q != NULL) { 46+ if (BN_ucmp(dh->p, dh->q) > 0) 47+ q_good = 1; 48+ else 49+ *ret |= DH_CHECK_INVALID_Q_VALUE; 50+ } 51+ 52+ if (q_good) { 53 if (BN_cmp(dh->g, BN_value_one()) <= 0) 54 *ret |= DH_NOT_SUITABLE_GENERATOR; 55 else if (BN_cmp(dh->g, dh->p) >= 0) 56-- 572.34.1