From 9ae09e0aa079c7494a68e87a7f54ca318e08d50a Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Fri, 14 Jul 2023 09:56:13 +0100
Subject: [PATCH] fixup! Fix DH_check() excessive time with over sized modulus
---
 crypto/dh/dh_check.c | 4 +++-
 include/openssl/dh.h | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index c2a5c041a8096d..98014593b6debe 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -153,8 +153,10 @@ int DH_check(const DH *dh, int *ret)
 return 1;
 /* Don't do any checks at all with an excessively large modulus */
- if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS)
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
 return 0;
+ }
 if (!DH_check_params(dh, ret))
 return 0;
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 5dc7b46cf3bff2..da6e7b06c879a8 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -95,7 +95,7 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
 # define OPENSSL_DH_MAX_MODULUS_BITS 10000
 # endif
-# ifndef OPENSSL_DH_MAX_CHECK_MODULUS_BITS
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
 # define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
 # endif
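Review bot: The oversized-modulus branch in DH_check() signals the rejection only through the error queue and the 0 return, so a caller that looks just at the `*ret` flags sees whatever was stored there before this branch. Where `*ret` is initialised lies outside the hunk, so this is inferred rather than certain. Recording a failure flag next to the error, for example `*ret = DH_MODULUS_TOO_LARGE;` ahead of `return 0;`, would make the refusal visible on both channels. The comment could also state the reason, e.g. `/* Reject an excessively large modulus outright: checking it could take excessive time */`. DH_check()'s body starts and ends outside the hunk.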
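Review bot: `OPENSSL_DH_CHECK_MAX_MODULUS_BITS` in include/openssl/dh.h has no comment saying what it bounds, and the `# ifndef` guard means a build can override it. A short comment above the guard would help, such as `/* Largest modulus, in bits, that DH_check() will examine; larger values are rejected to bound the time spent checking */`. It is also worth noting there that raising the value lengthens the worst-case check time for parameters supplied by a peer or read from a file.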