Run DH_check_ex() not DH_check_params_ex() when checking params

Both DH_check_ex() and DH_check_params_ex() check the parameters.
DH_check_ex() performs a more complete check, while DH_check_params_ex()
performs a lightweight check. In 1.1.1 EVP_PKEY_param_check() would call
DH_check_ex() for DH keys. For backwards compatibility we should continue
with that behaviour.

Fixes #13501

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14146)

diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 1d674a14bff3f3b15bc79fc1488aed659f4211a7..1691f66f4473d12543805c36506cf569ad80dd45 100644 (file)
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -378,7 +378,7 @@ static int dh_validate(const void *keydata, int selection)
         ok = 1;
 
     if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
-        ok = ok && DH_check_params_ex(dh);
+        ok = ok && DH_check_ex(dh);
 
     if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
         ok = ok && dh_validate_public(dh);