Make DH_check_pub_key() and DH_generate_key() safer yet

We already check for an excessively large P in DH_generate_key(), but not in DH_check_pub_key(), and none of them check for an excessively large Q. This change adds all the missing excessive size checks of P and Q. It's to be noted that behaviours surrounding excessively sized P and Q differ. DH_check() raises an error on the excessively sized P, but only sets a flag for the excessively sized Q. This behaviour is mimicked in DH_check_pub_key(). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22518) (cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
author: Richard Levitte <levitte@openssl.org> 2023-10-20 09:18:19 +0200
committer: Hugo Landau <hlandau@openssl.org> 2023-11-06 07:54:30 +0000
commit: db925ae2e65d0d925adef429afc37f75bd1c2017 (patch)
tree: 724a7427ca1edc0cb5e065cd8065aec6a1299ad3 /crypto/err
parent: b37871cd0a4290cbaba9464856a7f17f26d1c30a (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index e51504b7ab..36de321b74 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
 DH_R_NO_PRIVATE_VALUE:100:no private value
 DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
 DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
 DH_R_SHARED_INFO_ERROR:113:shared info error
 DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
 DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
author	Richard Levitte <levitte@openssl.org>	2023-10-20 09:18:19 +0200
committer	Hugo Landau <hlandau@openssl.org>	2023-11-06 07:54:30 +0000
commit	db925ae2e65d0d925adef429afc37f75bd1c2017 (patch)
tree	724a7427ca1edc0cb5e065cd8065aec6a1299ad3 /crypto/err
parent	b37871cd0a4290cbaba9464856a7f17f26d1c30a (diff)