From 272a625f1e4c554dc2df4c01d1ad8485559bb927 Mon Sep 17 00:00:00 2001
From: maoyanping <maoyanping@xfusion.com>
Date: Fri, 18 Apr 2025 15:45:29 +0800
Subject: [PATCH] backport-CVE-2024-41996
providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int checktype)
if (pub_key == NULL)
return 0;
- /* The partial test is only valid for named group's with q = (p - 1) / 2 */
- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
- && ossl_dh_is_named_safe_prime_group(dh))
+ /*
+ * The partial test is only valid for named group's with q = (p - 1) / 2
+ * but for that case it is also fully sufficient to check the key validity.
+ */
+ if (ossl_dh_is_named_safe_prime_group(dh))
return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
return DH_check_pub_key_ex(dh, pub_key);
--
2.33.0
