OpenSSL have published a security advisory. Here's how it affects BoringSSL:

| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2023-5678 | Excessive time spent in DH check / generation with large Q parameter value | Low | Addressed in previous advisory. See below. |

This was one of the issues we discovered in the course of addressing CVE-2023-3446 and CVE-2023-3817. BoringSSL's original fix for those CVEs additionally addressed this issue in August 2023.
Per our August advisory, these issues do not impact our TLS implementation. Although the TLS 1.2 DHE construction did not correctly handle domain parameters, we removed DHE ciphers in 2017 for related reasons. They additionally do not affect callers that correctly use Diffie-Hellman with trusted domain parameters.
As only incorrect uses are impacted, BoringSSL considers these changes to be a hardening measure, not a security fix. In particular, these checks do not ensure the group is suitable for use with Diffie-Hellman—they only enforce a DoS bound. Ultimately, callers of legacy Diffie-Hellman are responsible for selecting valid domain parameters. Callers are recommended to migrate to modern primitives, such as X25519 or ECDH with P-256.
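The following is an added illustration, not BoringSSL's or OpenSSL's code, of the distinction drawn above: a cheap size-only bound on untrusted DH parameters limits the work done, while confirming the group is actually usable needs separate, expensive checks. The function names, the 10,000-bit cap and the toy parameters are assumptions made for this example.

```python
MAX_MODULUS_BITS = 10_000  # assumed cap for this example, not stated on the page

def dos_bound_ok(p, q, g):
    """Size-only checks, run before any primality test or modular exponentiation."""
    if p.bit_length() > MAX_MODULUS_BITS or p < 5 or p % 2 == 0:
        return False
    if q is not None and not (1 < q < p):  # an oversized q is rejected here, cheaply
        return False
    return 1 < g < p - 1

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; illustrative, not hardened against adversarial n."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def group_is_suitable(p, q, g):
    """Expensive structural checks; only attempted after dos_bound_ok() passes."""
    if not dos_bound_ok(p, q, g) or q is None:
        return False
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and pow(g, q, p) == 1)

# Constructed toy parameters (far too small for real use).
GOOD = (23, 11, 2)                      # safe prime p = 2q + 1, g has order q
COMPOSITE_P = (21, 11, 2)               # inside the size bound, but p is not prime
HUGE_Q = (23, 1 << 20_000, 2)           # q far larger than p
HUGE_P = ((1 << 20_000) + 1, None, 2)   # modulus over the assumed cap
```

`COMPOSITE_P` passes `dos_bound_ok` yet fails `group_is_suitable`, which is why a DoS bound alone says nothing about whether the parameters are safe to use.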
For more details, see our August advisory.