DH: stop setting the private key length arbitrarily

The private key length is supposed to be a user settable parameter.
We do check if it's set or not, and if not, we do apply defaults.

Fixes #12071

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13140)

1 files changed, 4 insertions, 1 deletions

diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 90802633a6..930b33a33b 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -277,7 +277,10 @@ static int generate_key(DH *dh)
                 goto err;
 #else
             if (dh->params.q == NULL) {
-                /* secret exponent length */
+                /* secret exponent length, must satisfy 2^(l-1) <= p */
+                if (dh->length != 0
+                    && dh->length >= BN_num_bits(dh->params.p))
+                    goto err;
                 l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1;
                 if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE,
                                      BN_RAND_BOTTOM_ANY, ctx))