Enforce a minimum DH modulus size of 512 bits

[extended tests] Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9437)
author: Bernd Edlinger <bernd.edlinger@hotmail.de> 2019-07-22 22:50:19 +0200
committer: Bernd Edlinger <bernd.edlinger@hotmail.de> 2019-07-24 14:44:08 +0200
commit: 6de1fe90860ddfe768864838637f681537f3f108 (patch)
tree: eb7dc66acc7eef6124922ad47edfdd168bd1eb19 /crypto/dh
parent: 8b84b075ff065554c0cdd1086950f1a8614d93a4 (diff)
download: openssl-6de1fe90860ddfe768864838637f681537f3f108.zip
openssl-6de1fe90860ddfe768864838637f681537f3f108.tar.gz
openssl-6de1fe90860ddfe768864838637f681537f3f108.tar.bz2
4 files changed, 23 insertions, 0 deletions
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index cbde260..69f1452 100644
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -41,6 +41,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEYS_NOT_SET), "keys not set"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"},
+    {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_SMALL), "modulus too small"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR),
     "not suitable generator"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"},
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 6e98b59..76d6ad0 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -61,6 +61,16 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
     int g, ok = -1;
     BN_CTX *ctx = NULL;
 
+    if (prime_len > OPENSSL_DH_MAX_MODULUS_BITS) {
+        DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_MODULUS_TOO_LARGE);
+        return 0;
+    }
+
+    if (prime_len < DH_MIN_MODULUS_BITS) {
+        DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_MODULUS_TOO_SMALL);
+        return 0;
+    }
+
     ctx = BN_CTX_new();
     if (ctx == NULL)
         goto err;
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 0d6b04d..8731cc2 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -87,6 +87,11 @@ static int generate_key(DH *dh)
         return 0;
     }
 
+    if (BN_num_bits(dh->p) < DH_MIN_MODULUS_BITS) {
+        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_SMALL);
+        return 0;
+    }
+
     ctx = BN_CTX_new();
     if (ctx == NULL)
         goto err;
@@ -181,6 +186,11 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
         goto err;
     }
 
+    if (BN_num_bits(dh->p) < DH_MIN_MODULUS_BITS) {
+        DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_SMALL);
+        return 0;
+    }
+
     ctx = BN_CTX_new();
     if (ctx == NULL)
         goto err;
diff --git a/crypto/dh/dh_locl.h b/crypto/dh/dh_locl.h
index f0247b8..a9041e9 100644
--- a/crypto/dh/dh_locl.h
+++ b/crypto/dh/dh_locl.h
@@ -10,6 +10,8 @@
 #include <openssl/dh.h>
 #include "internal/refcount.h"
 
+#define DH_MIN_MODULUS_BITS     512
+
 struct dh_st {
     /*
      * This first argument is used to pick up errors when a DH is passed
author	Bernd Edlinger <bernd.edlinger@hotmail.de>	2019-07-22 22:50:19 +0200
committer	Bernd Edlinger <bernd.edlinger@hotmail.de>	2019-07-24 14:44:08 +0200
commit	6de1fe90860ddfe768864838637f681537f3f108 (patch)
tree	eb7dc66acc7eef6124922ad47edfdd168bd1eb19 /crypto/dh
parent	8b84b075ff065554c0cdd1086950f1a8614d93a4 (diff)
download	openssl-6de1fe90860ddfe768864838637f681537f3f108.zip openssl-6de1fe90860ddfe768864838637f681537f3f108.tar.gz openssl-6de1fe90860ddfe768864838637f681537f3f108.tar.bz2