Fix DH private key check.

A recent addition removed setting the dh private key length when
a safe prime group is used. The private key validation check was relying on this
being set for safe primes. Setting the upper bound no longer checks the
length if the value is zero.

This caused a failure in the daily build of acvp_tests.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15760)

diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 61be68bf64a2ad41c76b7650444317005abfd260..e75d20d862bdcc7e49e33af42640b28905313cbd 100644 (file)
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -262,7 +262,7 @@ int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret)
     upper = dh->params.q;
 
     /* Is it from an approved Safe prime group ?*/
-    if (DH_get_nid((DH *)dh) != NID_undef) {
+    if (DH_get_nid((DH *)dh) != NID_undef && dh->length != 0) {
         if (!BN_lshift(two_powN, BN_value_one(), dh->length))
             goto err;
         if (BN_cmp(two_powN, dh->params.q) < 0)

diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index f5e0f893c18b33c48ebf7323049103edf2c8337b..7154f8c2abee77667f1995cb25dcf015b732b998 100644 (file)
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -202,6 +202,7 @@ int DH_size(const DH *dh)
 int DH_security_bits(const DH *dh)
 {
     int N;
+
     if (dh->params.q != NULL)
         N = BN_num_bits(dh->params.q);
     else if (dh->length)