When using EVP_PKEY_derive with a KDF set, a negative error from

ECDH_compute_key is silently ignored and the KDF is run on duff data

Thanks to github user tomykaira for the suggested fix.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 8d02bebddf4b69f7f260adfed4be4f498dcbd16c)

diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index 81ad4d499a1276651d4d66e8e4cced8d84d98b3f..e66e6908274c9a6680096f160852848b22661dda 100644 (file)
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -244,8 +244,8 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
        outlen = *keylen;
                
        ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);
        outlen = *keylen;
                
        ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);

-       if (ret < 0)
-               return ret;
+       if (ret <= 0)
+               return 0;

        *keylen = ret;
        return 1;
        }
        *keylen = ret;
        return 1;
        }