summaryrefslogtreecommitdiff
path: root/security/openssl31/files/patch-CVE-2023-3817
diff options
context:
space:
mode:
Diffstat (limited to 'security/openssl31/files/patch-CVE-2023-3817')
-rw-r--r--security/openssl31/files/patch-CVE-2023-381757
1 files changed, 0 insertions, 57 deletions
diff --git a/security/openssl31/files/patch-CVE-2023-3817 b/security/openssl31/files/patch-CVE-2023-3817
deleted file mode 100644
index cbb1a7ae0128..000000000000
--- a/security/openssl31/files/patch-CVE-2023-3817
+++ /dev/null
@@ -1,57 +0,0 @@
-From 6a1eb62c29db6cb5eec707f9338aee00f44e26f5 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 25 Jul 2023 15:22:48 +0200
-Subject: [PATCH] DH_check(): Do not try checking q properties if it is
- obviously invalid
-
-If |q| >= |p| then the q value is obviously wrong as q
-is supposed to be a prime divisor of p-1.
-
-We check if p is overly large so this added test implies that
-q is not large either when performing subsequent tests using that
-q value.
-
-Otherwise if it is too large these additional checks of the q value
-such as the primality test can then trigger DoS by doing overly long
-computations.
-
-Fixes CVE-2023-3817
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
-Reviewed-by: Todd Short <todd.short@me.com>
-(Merged from https://github.com/openssl/openssl/pull/21550)
-
-(cherry picked from commit 1c16253f3c3a8d1e25918c3f404aae6a5b0893de)
----
- crypto/dh/dh_check.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index aef6f9b1b77d..fbe279756954 100644
---- crypto/dh/dh_check.c.orig
-+++ crypto/dh/dh_check.c
-@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret)
- #ifdef FIPS_MODULE
- return DH_check_params(dh, ret);
- #else
-- int ok = 0, r;
-+ int ok = 0, r, q_good = 0;
- BN_CTX *ctx = NULL;
- BIGNUM *t1 = NULL, *t2 = NULL;
- int nid = DH_get_nid((DH *)dh);
-@@ -172,6 +172,13 @@ int DH_check(const DH *dh, int *ret)
- goto err;
-
- if (dh->params.q != NULL) {
-+ if (BN_ucmp(dh->params.p, dh->params.q) > 0)
-+ q_good = 1;
-+ else
-+ *ret |= DH_CHECK_INVALID_Q_VALUE;
-+ }
-+
-+ if (q_good) {
- if (BN_cmp(dh->params.g, BN_value_one()) <= 0)
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- else if (BN_cmp(dh->params.g, dh->params.p) >= 0)
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-16 23:28:39 +0000