root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

DH private key size was one bit too large 

In the case when no q parameter was given,
the function generate_key in dh_key.c did create
one bit too much, so the priv_key value was exceeding
the DH group size q = (p-1)/2.
When the length is used in this case the limit is also
one bit too high, but for backward compatibility this
limit was left as is, instead we have to silently reduce
the value by one.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27870)
This commit is contained in:
Bernd Edlinger 2025-06-21 12:53:56 +02:00 committed by Tomas Mraz
parent 80c664db43
commit d6510d99ae
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
crypto/dh/dh_key.c
View File

@ -267,7 +267,7 @@ static int generate_key(DH *dh)
int ok = 0; int ok = 0;
int generate_new_key = 0; int generate_new_key = 0;
#ifndef FIPS_MODULE #ifndef FIPS_MODULE
unsigned l; int l;
#endif #endif
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL;
@ -327,11 +327,13 @@ static int generate_key(DH *dh)
goto err; goto err;
#else #else
if (dh->params.q == NULL) { if (dh->params.q == NULL) {
/* secret exponent length, must satisfy 2^(l-1) <= p */ /* secret exponent length, must satisfy 2^l < (p-1)/2 */
if (dh->length != 0 l = BN_num_bits(dh->params.p);
&& dh->length >= BN_num_bits(dh->params.p)) if (dh->length >= l)
goto err; goto err;
l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1; l -= 2;
if (dh->length != 0 && dh->length < l)
l = dh->length;
if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE, if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE,
BN_RAND_BOTTOM_ANY, 0, ctx)) BN_RAND_BOTTOM_ANY, 0, ctx))
goto err; goto err;