CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/01/23 01:21:52
Modified files:
lib/libcrypto/dh: dh_check.c
Log message:
Scapy special for DH_check()
The latest release of Scapy calls DH_check() on all the well-known
Diffie-Hellman parameters for RFCs 2409, 3526, and 7919. It does this
via pyca/cryptography at startup. Every single time. This is obviously
very expensive, due to our 64 MR rounds (which are complete overkill
now that we have BPSW). Instead of pondering the ideal number of rounds
for BPSW with FFDH, simply skip the check if the parameter matches a
well-known prime. These are known to be safe primes, so we can skip
those super-expensive and pointless checks without any risk.
This is only done for the public dh->p parameter. It could be further
optimized, but with the follow-up commit adding the RFC 7919 primes this
reduces the startup time to what it was before Scapy 2.7.0: < 1s.
Reverting from 64 MR rounds to BN_check_primes rounds, we would still
have ~8s startup time without this optimization, which isn't great for
an interactive tool.
Clearly, it's not entirely our fault, it's also Scapy and cryptography
that do something ... suboptimal, but I think we're better off if
DH_check() isn't a complete DoS vector. If you're using non-standard
parameters with FFDH, you deserve it.
We could consider adding a flag for non-well-known p and thus making
DH_check() indicate failure for candidate primes larger than, say, 4k.
https://github.com/pyca/cryptography/issues/14048
ok beck kenjiro
