mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-21 01:15:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

dh_kmgmt.c: Avoid expensive public key validation for known safe-prime groups

Browse Source 
The partial validation is fully sufficient to check the key validity.

Thanks to Szilárd Pfeiffer for reporting the issue.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25088)
This commit is contained in:
Tomas Mraz 2024-08-05 17:54:14 +02:00
parent 7bcfb41489
commit e70e34d857
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
providers/implementations/keymgmt/dh_kmgmt.c
View File

@ -388,9 +388,11 @@ static int dh_validate_public(const DH *dh, int checktype)
if (pub_key == NULL)
return 0;
/* The partial test is only valid for named group's with q = (p - 1) / 2 */
if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
&& ossl_dh_is_named_safe_prime_group(dh))
/*
* The partial test is only valid for named group's with q = (p - 1) / 2
* but for that case it is also fully sufficient to check the key validity.
*/
if (ossl_dh_is_named_safe_prime_group(dh))
return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
return DH_check_pub_key_ex(dh, pub_key);