From 4791e79b8803924b28c19af4d4036ad85335110d Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 7 Jul 2023 14:39:48 +0100 Subject: [PATCH] Add a test for CVE-2023-3446 Confirm that the only errors DH_check() finds with DH parameters with an excessively long modulus is that the modulus is too large. We should not be performing time consuming checks using that modulus. Reviewed-by: Paul Dale Reviewed-by: Tom Cosgrove Reviewed-by: Bernd Edlinger Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21451) (cherry picked from commit ede782b4c8868d1f09c9cd237f82b6f35b7dba8b) --- test/dhtest.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/test/dhtest.c b/test/dhtest.c index 7b587f3cfa8f..f8dd8f3aa722 100644 --- a/test/dhtest.c +++ b/test/dhtest.c @@ -73,7 +73,7 @@ static int dh_test(void) goto err1; /* check fails, because p is way too small */ - if (!DH_check(dh, &i)) + if (!TEST_true(DH_check(dh, &i))) goto err2; i ^= DH_MODULUS_TOO_SMALL; if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) @@ -124,6 +124,17 @@ static int dh_test(void) /* We'll have a stale error on the queue from the above test so clear it */ ERR_clear_error(); + /* Modulus of size: dh check max modulus bits + 1 */ + if (!TEST_true(BN_set_word(p, 1)) + || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) + goto err3; + + /* + * We expect no checks at all for an excessively large modulus + */ + if (!TEST_false(DH_check(dh, &i))) + goto err3; + /* * II) key generation */ @@ -138,7 +149,7 @@ static int dh_test(void) goto err3; /* ... and check whether it is valid */ - if (!DH_check(a, &i)) + if (!TEST_true(DH_check(a, &i))) goto err3; if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)