From: Bernd Edlinger Date: Sat, 21 Jun 2025 10:53:56 +0000 (+0200) Subject: DH private key size was one bit too large X-Git-Tag: openssl-3.0.18~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bde5b413a79c774882103718fbed4c3474abf3d4;p=thirdparty%2Fopenssl.git DH private key size was one bit too large In the case when no q parameter was given, the function generate_key in dh_key.c did create one bit too much, so the priv_key value was exceeding the DH group size q = (p-1)/2. When the length is used in this case the limit is also one bit too high, but for backward compatibility this limit was left as is, instead we have to silently reduce the value by one. Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27870) (cherry picked from commit d6510d99ae4a8a23f54fdfb1473af6a920da8345) --- diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index afc49f5cdc8..6a640fc5c79 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -263,7 +263,7 @@ static int generate_key(DH *dh) int ok = 0; int generate_new_key = 0; #ifndef FIPS_MODULE - unsigned l; + int l; #endif BN_CTX *ctx = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; @@ -323,11 +323,13 @@ static int generate_key(DH *dh) goto err; #else if (dh->params.q == NULL) { - /* secret exponent length, must satisfy 2^(l-1) <= p */ - if (dh->length != 0 - && dh->length >= BN_num_bits(dh->params.p)) + /* secret exponent length, must satisfy 2^l < (p-1)/2 */ + l = BN_num_bits(dh->params.p); + if (dh->length >= l) goto err; - l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1; + l -= 2; + if (dh->length != 0 && dh->length < l) + l = dh->length; if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY, 0, ctx)) goto err;
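Review bot: In the first hunk (generate_key, around line 263), the change from `unsigned l;` to `int l;` is not mentioned in the commit message and deserves a sentence there. The second hunk now compares `dh->length >= l` and then does `l -= 2`; with an unsigned `l`, a very small `BN_num_bits(dh->params.p)` would wrap to a huge value instead of going negative. BN_num_bits() returns int and BN_priv_rand_ex() takes an int bit count, so the signed type is the right one. Saying so in the message would make the intent clear to anyone backporting only part of the change.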
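Review bot: In the second hunk, the `dh->params.q == NULL` branch clamps silently, and nothing in the code says so. A `dh->length` equal to `BN_num_bits(dh->params.p) - 1` passes `if (dh->length >= l)`, and because `dh->length < l` is then false after `l -= 2`, the key is generated with `BN_num_bits(dh->params.p) - 2` bits instead of the requested length. The commit message explains this as a backward-compatibility choice, but the in-code comment only states the bound. Please add a line next to `l -= 2;` noting that the accepted limit is intentionally one bit higher than the size actually generated. A smaller point on the same comment: it reads `2^l < (p-1)/2`, while for an odd p the choice l = BN_num_bits(p) - 2 gives 2^l <= (p-1)/2, with the generated value below 2^l. Wording it as priv_key < 2^l <= (p-1)/2 would match what the code ensures.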