fixup! Fix DH_check() excessive time with over sized modulus
mattcaswell committed Jul 14, 2023
1 parent 08c4533 commit 443d636
Showing 2 changed files with 4 additions and 2 deletions.
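--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -153,8 +153,10 @@ int DH_check(const DH *dh, int *ret)
 return 1;
 
 /* Don't do any checks at all with an excessively large modulus */
-if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS)
+if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
 return 0;
+}
 
 if (!DH_check_params(dh, ret))
 return 0;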
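Review bot: The oversized-modulus branch now reports the failure on the error queue but still does not touch `*ret`, so a caller that inspects only the flag word cannot tell "rejected without checking" apart from "no problems found". Consider recording the reason in the flags as well, e.g. `*ret |= DH_MODULUS_TOO_LARGE;` ahead of `return 0;`. Whether `*ret` is zeroed earlier is not visible here, because DH_check's body starts and ends outside the hunk, so confirm its initial value before relying on `|=`. A regression test that passes a modulus just above OPENSSL_DH_CHECK_MAX_MODULUS_BITS and asserts both the 0 return and the queued DH_R_MODULUS_TOO_LARGE would pin this path.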
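--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -95,7 +95,7 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
 # define OPENSSL_DH_MAX_MODULUS_BITS 10000
 # endif
 
-# ifndef OPENSSL_DH_MAX_CHECK_MODULUS_BITS
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
 # define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
 # endif
 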
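Review bot: The corrected guard still has no comment saying what the limit protects, and the header shows two different caps side by side (`OPENSSL_DH_MAX_MODULUS_BITS` at 10000 and `OPENSSL_DH_CHECK_MAX_MODULUS_BITS` at 32768) without explaining the gap. A one-line comment above the `# ifndef` would help, e.g. `/* Largest modulus (in bits) that DH_check() will examine; larger values are rejected without running the checks */`. Where the 10000-bit cap is enforced is outside this hunk, so it is worth confirming, and saying in the comment, that moduli between the two limits are still meant to go through the full and comparatively expensive check.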
