The private key length is supposed to be a user settable parameter.
We do check if it's set or not, and if not, we do apply defaults.
Fixes #12071
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13140)
ret = ossl_ffc_params_fromdata(ffc, params);
if (ret)
- dh_cache_named_group(dh); /* This increments dh->dirt_cnt */
+ dh_cache_named_group(dh); /* This increments dh->dirty_cnt */
return ret;
}
goto err;
#else
if (dh->params.q == NULL) {
- /* secret exponent length */
+ /* secret exponent length, must satisfy 2^(l-1) <= p */
+ if (dh->length != 0
+ && dh->length >= BN_num_bits(dh->params.p))
+ goto err;
l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1;
if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE,
BN_RAND_BOTTOM_ANY, ctx))
ossl_ffc_params_set0_pqg(&dh->params, p, q, g);
dh_cache_named_group(dh);
- if (q != NULL)
- dh->length = BN_num_bits(q);
- /*
- * Check if this is a named group. If it finds a named group then the
- * 'q' and 'length' value are either already set or are set by the
- * call.
- */
- if (DH_get_nid(dh) == NID_undef) {
- /* If its not a named group then set the 'length' if q is not NULL */
- if (q != NULL)
- dh->length = BN_num_bits(q);
- }
dh->dirty_cnt++;
return 1;
}
if (priv_key != NULL) {
BN_clear_free(dh->priv_key);
dh->priv_key = priv_key;
- dh->length = BN_num_bits(priv_key);
}
dh->dirty_cnt++;