1 From 517a7737dccb9837b4d9d751e64ae7b60948ef2e Mon Sep 17 00:00:00 2001
2 From: Tomas Mraz <tomas@openssl.org>
3 Date: Wed, 2 Feb 2022 17:47:26 +0100
4 Subject: [PATCH] Replace size check with more meaningful pubkey check
6 It does not make sense to check the size because this
7 function can be used in other contexts than in TLS-1.3 and
8 the value might not be padded to the size of p.
10 However, it makes sense to do the partial pubkey check because
11 there is no valid reason for having the pubkey value outside the
12 1 < pubkey < p-1 bounds.
16 crypto/dh/dh_key.c | 11 ++++-------
17 1 file changed, 4 insertions(+), 7 deletions(-)
19 diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
20 index 6b8cd550f25f..c78ed618bf83 100644
21 --- a/crypto/dh/dh_key.c
22 +++ b/crypto/dh/dh_key.c
23 @@ -375,20 +375,17 @@ int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
24 int err_reason = DH_R_BN_ERROR;
25 BIGNUM *pubkey = NULL;
30 if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
32 DH_get0_pqg(dh, &p, NULL, NULL);
33 - if (p == NULL || (p_size = BN_num_bytes(p)) == 0) {
34 + if (p == NULL || BN_num_bytes(p) == 0) {
35 err_reason = DH_R_NO_PARAMETERS_SET;
39 - * As per Section 4.2.8.1 of RFC 8446 fail if DHE's
40 - * public key is of size not equal to size of p
42 - if (BN_is_zero(pubkey) || p_size != len) {
43 + /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */
44 + if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) {
45 err_reason = DH_R_INVALID_PUBKEY;