/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
goto err;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ goto err;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
static int dh_init(DH *dh)
{
dh->flags |= DH_FLAG_CACHE_MONT_P;
- ossl_ffc_params_init(&dh->params);
dh->dirty_cnt++;
return 1;
}
return 0;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ return 0;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
goto err;
l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1;
if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE,
- BN_RAND_BOTTOM_ANY, ctx))
+ BN_RAND_BOTTOM_ANY, 0, ctx))
goto err;
/*
* We handle just one known case where g is a quadratic non-residue:
int err_reason = DH_R_BN_ERROR;
BIGNUM *pubkey = NULL;
const BIGNUM *p;
- size_t p_size;
+ int ret;
if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
goto err;
DH_get0_pqg(dh, &p, NULL, NULL);
- if (p == NULL || (p_size = BN_num_bytes(p)) == 0) {
+ if (p == NULL || BN_num_bytes(p) == 0) {
err_reason = DH_R_NO_PARAMETERS_SET;
goto err;
}
- /*
- * As per Section 4.2.8.1 of RFC 8446 fail if DHE's
- * public key is of size not equal to size of p
- */
- if (BN_is_zero(pubkey) || p_size != len) {
+ /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */
+ if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) {
err_reason = DH_R_INVALID_PUBKEY;
goto err;
}
projects / openssl.git / blobdiff