Fix excessive time spent checking DH q parameter value:

The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus parameter, thus it is unnecessary to perform these checks if q is larger than p.

If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped.

Fix DH_check() excessive time with over sized modulus:

The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.

However the DH_check() function checks numerous aspects of the key or parameters. Some of those checks use the supplied modulus value even if it has already been found to be too large.

A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail.

Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. This could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite.

OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in [...] reuses the same private DH exponent for the life of the server process and [...] It is believed that many popular applications do set this option and would therefore not be at risk.

The fix for this issue adds an additional check where a "q" parameter is available (as is the case in X9.42 based parameters).
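The ordering behind the two DH_check() fixes above, as an added Python sketch (not OpenSSL's code): cheap size comparisons on p and q run before any primality or subgroup test. The function names and flag values are hypothetical; only the 32,768-bit limit and the "q larger than p" rule come from the text.

```python
import random

MAX_MODULUS_BITS = 32768          # limit stated in the text above
MODULUS_TOO_LARGE = 0x01          # illustrative flag values, not OpenSSL's constants
INVALID_Q_VALUE = 0x02
P_NOT_PRIME = 0x04
Q_NOT_PRIME = 0x08
Q_NOT_SUBGROUP_ORDER = 0x10

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; its cost grows steeply with the bit length of n."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dh_params(p, g, q=None):
    """Return a bitmask of failures; 0 means every check passed."""
    # Size comparisons first: oversized input never reaches the modular arithmetic.
    if p.bit_length() > MAX_MODULUS_BITS:
        return MODULUS_TOO_LARGE
    if q is not None and q > p:
        return INVALID_Q_VALUE
    flags = 0
    if not is_probable_prime(p):
        flags |= P_NOT_PRIME
    if q is not None:
        if not is_probable_prime(q):
            flags |= Q_NOT_PRIME
        # q must divide p - 1 and g must generate the subgroup of order q.
        if (p - 1) % q != 0 or pow(g, q, p) != 1:
            flags |= Q_NOT_SUBGROUP_ORDER
    return flags
```

Both early returns cost a bit-length lookup or a single comparison, so the time spent on rejected input does not depend on how large the supplied values are.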