Overview

File openssl-CVE-2023-5678.patch of Package compat-openssl098.31475

From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Fri, 20 Oct 2023 09:18:19 +0200
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet

We already check for an excessively large P in DH_generate_key(), but not in
DH_check_pub_key(), and none of them check for an excessively large Q.

This change adds all the missing excessive size checks of P and Q.

It's to be noted that behaviours surrounding excessively sized P and Q
differ.  DH_check() raises an error on the excessively sized P, but only
sets a flag for the excessively sized Q.  This behaviour is mimicked in
DH_check_pub_key().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22518)

(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
---
 crypto/dh/dh_check.c    | 12 ++++++++++++
 crypto/dh/dh_err.c      |  3 ++-
 crypto/dh/dh_key.c      | 12 ++++++++++++
 crypto/err/openssl.txt  |  1 +
 include/crypto/dherr.h  |  2 +-
 include/openssl/dh.h    |  6 +++---
 include/openssl/dherr.h |  3 ++-
 7 files changed, 33 insertions(+), 6 deletions(-)

Index: openssl-0.9.8j/crypto/dh/dh.h
===================================================================
--- openssl-0.9.8j.orig/crypto/dh/dh.h
+++ openssl-0.9.8j/crypto/dh/dh.h
@@ -153,10 +153,13 @@ struct dh_st
 #define DH_CHECK_P_NOT_SAFE_PRIME	0x02
 #define DH_UNABLE_TO_CHECK_GENERATOR	0x04
 #define DH_NOT_SUITABLE_GENERATOR	0x08
+#define DH_CHECK_INVALID_Q_VALUE	0x20 /* +DH_check_pub_key */
+#define DH_MODULUS_TOO_LARGE		0x100 /* +DH_check_pub_key */
 
 /* DH_check_pub_key error codes */
 #define DH_CHECK_PUBKEY_TOO_SMALL	0x01
 #define DH_CHECK_PUBKEY_TOO_LARGE	0x02
+#define DH_CHECK_PUBKEY_INVALID		0x04
 
 /* primes p where (p-1)/2 is prime too are called "safe"; we define
    this for backward compatibility: */
@@ -229,6 +232,7 @@ void ERR_load_DH_strings(void);
 #define DH_F_DHPARAMS_PRINT_FP				 101
 #define DH_F_DH_BUILTIN_GENPARAMS			 106
 #define DH_F_DH_CHECK					 126
+#define DH_F_DH_CHECK_PUB_KEY				 128
 #define DH_F_DH_COMPUTE_KEY				 107
 #define DH_F_DH_GENERATE_KEY				 108
 #define DH_F_DH_GENERATE_PARAMETERS			 109
@@ -242,6 +246,7 @@ void ERR_load_DH_strings(void);
 #define DH_R_KEY_SIZE_TOO_SMALL				 104
 #define DH_R_MODULUS_TOO_LARGE				 103
 #define DH_R_NO_PRIVATE_VALUE				 100
+#define DH_R_Q_TOO_LARGE				 130
 
 #ifdef  __cplusplus
 }
Index: openssl-0.9.8j/crypto/dh/dh_check.c
===================================================================
--- openssl-0.9.8j.orig/crypto/dh/dh_check.c
+++ openssl-0.9.8j/crypto/dh/dh_check.c
@@ -133,6 +133,18 @@ int DH_check_pub_key(const DH *dh, const
 	int ok=0;
 	BIGNUM *q=NULL;
 
+	/* Don't do any checks at all with an excessively large modulus */
+	if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+		DHerr(DH_F_DH_CHECK_PUB_KEY, DH_R_MODULUS_TOO_LARGE);
+		*ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+		return 0;
+	}
+
+	if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
+		*ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+		return 1;
+	}
+
 	*ret=0;
 	q=BN_new();
 	if (q == NULL) goto err;
Index: openssl-0.9.8j/crypto/dh/dh_err.c
===================================================================
--- openssl-0.9.8j.orig/crypto/dh/dh_err.c
+++ openssl-0.9.8j/crypto/dh/dh_err.c
@@ -75,6 +75,7 @@ static ERR_STRING_DATA DH_str_functs[]=
 {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP),	"DHparams_print_fp"},
 {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS),	"DH_BUILTIN_GENPARAMS"},
 {ERR_FUNC(DH_F_DH_CHECK),		"DH_check"},
+{ERR_FUNC(DH_F_DH_CHECK_PUB_KEY), "DH_check_pub_key"},
 {ERR_FUNC(DH_F_DH_COMPUTE_KEY),	"DH_compute_key"},
 {ERR_FUNC(DH_F_DH_GENERATE_KEY),	"DH_generate_key"},
 {ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS),	"DH_generate_parameters"},
@@ -91,6 +92,7 @@ static ERR_STRING_DATA DH_str_reasons[]=
 {ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL)     ,"key size too small"},
 {ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"},
 {ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},
+{ERR_REASON(DH_R_Q_TOO_LARGE)            ,"q too large"},
 {0,NULL}
 	};
 
Index: openssl-0.9.8j/crypto/dh/dh_key.c
===================================================================
--- openssl-0.9.8j.orig/crypto/dh/dh_key.c
+++ openssl-0.9.8j/crypto/dh/dh_key.c
@@ -80,6 +80,12 @@ int DH_generate_key(DH *dh)
 
 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 	{
+	if (dh->q != NULL
+			&& BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+			DHerr(DH_F_DH_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
+		return 0;
+	}
+
 	return dh->meth->compute_key(key, pub_key, dh);
 	}
 
@@ -186,6 +192,12 @@ static int compute_key(unsigned char *ke
 	int ret= -1;
         int check_result;
 
+	if (dh->q != NULL
+		&& BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+		DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
+		goto err;
+	}
+
 	if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)
 		{
 		DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
openSUSE Build Service is sponsored by
Places