summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--crypto/err/openssl.txt1
-rw-r--r--include/openssl/proverr.h1
-rw-r--r--providers/common/provider_err.c2
-rw-r--r--providers/implementations/exchange/dh_exch.c16
-rw-r--r--providers/implementations/exchange/ecdh_exch.c27
-rw-r--r--test/evp_test.c8
-rw-r--r--test/recipes/30-test_evp.t7
-rw-r--r--test/recipes/30-test_evp_data/evppkey_dh.txt167
-rw-r--r--test/recipes/30-test_evp_data/evppkey_ecdh.txt9
9 files changed, 232 insertions, 6 deletions
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index ee17b68405..eed0b71ada 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1007,6 +1007,7 @@ PROV_R_IN_ERROR_STATE:192:in error state
PROV_R_KEY_SETUP_FAILED:101:key setup failed
PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small
PROV_R_LENGTH_TOO_LARGE:202:length too large
+PROV_R_MISMATCHING_DOMAIN_PARAMETERS:203:mismatching domain parameters
PROV_R_MISSING_CEK_ALG:144:missing cek alg
PROV_R_MISSING_CIPHER:155:missing cipher
PROV_R_MISSING_CONFIG_DATA:213:missing config data
diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h
index c40815a03b..29301124ec 100644
--- a/include/openssl/proverr.h
+++ b/include/openssl/proverr.h
@@ -80,6 +80,7 @@
# define PROV_R_KEY_SETUP_FAILED 101
# define PROV_R_KEY_SIZE_TOO_SMALL 171
# define PROV_R_LENGTH_TOO_LARGE 202
+# define PROV_R_MISMATCHING_DOMAIN_PARAMETERS 203
# define PROV_R_MISSING_CEK_ALG 144
# define PROV_R_MISSING_CIPHER 155
# define PROV_R_MISSING_CONFIG_DATA 213
diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c
index dd1a98f935..8b5d0008f9 100644
--- a/providers/common/provider_err.c
+++ b/providers/common/provider_err.c
@@ -111,6 +111,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_KEY_SIZE_TOO_SMALL),
"key size too small"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_LENGTH_TOO_LARGE), "length too large"},
+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISMATCHING_DOMAIN_PARAMETERS),
+ "mismatching shared parameters"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISSING_CEK_ALG), "missing cek alg"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISSING_CIPHER), "missing cipher"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISSING_CONFIG_DATA),
diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index 87eb17dd60..0ecc6c7a4c 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -108,6 +108,21 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[])
return dh_set_ctx_params(pdhctx, params) && ossl_dh_check_key(vdh);
}
+/* The 2 parties must share the same domain parameters */
+static int dh_match_params(DH *priv, DH *peer)
+{
+ int ret;
+ FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv);
+ FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer);
+
+ ret = dhparams_priv != NULL
+ && dhparams_peer != NULL
+ && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1);
+ if (!ret)
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
+ return ret;
+}
+
static int dh_set_peer(void *vpdhctx, void *vdh)
{
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
@@ -115,6 +130,7 @@ static int dh_set_peer(void *vpdhctx, void *vdh)
if (!ossl_prov_is_running()
|| pdhctx == NULL
|| vdh == NULL
+ || !dh_match_params(vdh, pdhctx->dh)
|| !DH_up_ref(vdh))
return 0;
DH_free(pdhctx->dhpeer);
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 63bcf4e50c..ba2b493a76 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -117,6 +117,28 @@ int ecdh_init(void *vpecdhctx, void *vecdh, const OSSL_PARAM params[])
}
static
+int ecdh_match_params(const EC_KEY *priv, const EC_KEY *peer)
+{
+ int ret;
+ BN_CTX *ctx = NULL;
+ const EC_GROUP *group_priv = EC_KEY_get0_group(priv);
+ const EC_GROUP *group_peer = EC_KEY_get0_group(peer);
+
+ ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(priv));
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ ret = group_priv != NULL
+ && group_peer != NULL
+ && EC_GROUP_cmp(group_priv, group_peer, ctx) == 0;
+ if (!ret)
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
+ BN_CTX_free(ctx);
+ return ret;
+}
+
+static
int ecdh_set_peer(void *vpecdhctx, void *vecdh)
{
PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
@@ -124,11 +146,14 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
if (!ossl_prov_is_running()
|| pecdhctx == NULL
|| vecdh == NULL
+ || !ecdh_match_params(pecdhctx->k, vecdh)
+ || !ossl_ec_check_key(vecdh, 1)
|| !EC_KEY_up_ref(vecdh))
return 0;
+
EC_KEY_free(pecdhctx->peerk);
pecdhctx->peerk = vecdh;
- return ossl_ec_check_key(vecdh, 1);
+ return 1;
}
static
diff --git a/test/evp_test.c b/test/evp_test.c
index efcf4c5fee..a7a3cc4bb3 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -1627,12 +1627,16 @@ static int pderive_test_parse(EVP_TEST *t,
const char *keyword, const char *value)
{
PKEY_DATA *kdata = t->data;
+ int validate = 0;
- if (strcmp(keyword, "PeerKey") == 0) {
+ if (strcmp(keyword, "PeerKeyValidate") == 0)
+ validate = 1;
+
+ if (validate || strcmp(keyword, "PeerKey") == 0) {
EVP_PKEY *peer;
if (find_key(&peer, value, public_keys) == 0)
return -1;
- if (EVP_PKEY_derive_set_peer_ex(kdata->ctx, peer, 0) <= 0) {
+ if (EVP_PKEY_derive_set_peer_ex(kdata->ctx, peer, validate) <= 0) {
t->err = "DERIVE_SET_PEER_ERROR";
return 1;
}
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 6a1bf664a4..87bb501095 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -56,7 +56,10 @@ my @files = qw(
evppkey_rsa_common.txt
evprand.txt
);
-push @files, qw(evppkey_ffdhe.txt) unless $no_dh;
+push @files, qw(
+ evppkey_ffdhe.txt
+ evppkey_dh.txt
+ ) unless $no_dh;
push @files, qw(evppkey_dsa.txt) unless $no_dsa;
push @files, qw(evppkey_ecx.txt) unless $no_ec;
push @files, qw(
@@ -65,7 +68,7 @@ push @files, qw(
evppkey_ecdsa.txt
evppkey_kas.txt
evppkey_mismatch.txt
- ) unless $no_ec || $no_gost;
+ ) unless $no_ec || $no_gost;
# A list of tests that only run with the default provider
# (i.e. The algorithms are not present in the fips provider)
diff --git a/test/recipes/30-test_evp_data/evppkey_dh.txt b/test/recipes/30-test_evp_data/evppkey_dh.txt
new file mode 100644
index 0000000000..d6d9f39afc
--- /dev/null
+++ b/test/recipes/30-test_evp_data/evppkey_dh.txt
@@ -0,0 +1,167 @@
+#
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+# Tests start with one of these keywords
+# Cipher Decrypt Derive Digest Encoding KDF MAC PBE
+# PrivPubKeyPair Sign Verify VerifyRecover
+# and continue until a blank line. Lines starting with a pound sign are ignored.
+
+Title = DH tests (with random keys)
+
+PrivateKey=ALICE_dh2048
+-----BEGIN PRIVATE KEY-----
+MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWH
+Mm9pJsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ
+2PElcKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7w
+bIPc+VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJD
+cerI660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/Uw
+YSq/6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcC
+AQIEggEEAoIBAH+HysSpzn94mlyNeevhb29SFyu3/maES+JRlVuHvpVOcHCrGR5J
+fbXWiWnn03geb1hC9HIta6l9YKwWGQYLmVu/0bRedYeqC1JfgEvwYrZME9FO+AqQ
+4CpXcG/mSGtHoMPtcsUakpprNxoh3xwI+GAfSDK1lW/aA0R/A7jNCV9+lmYJAJL6
+5FJvhBAODSf7JUetlWvhwDBnvram7jRGJtlvpiwmmfk+Kb4AA1ZQMIHTnPNNPLJh
+NTtqELKjk3i3xxlLLlWJEbF+ZAuseDPZITtwMr4fhoeKegez+lucu6uoMm7Wek7F
+G0Ne0unywftCLUrmQ/Lboqaqvlv3PAFRaLs=
+-----END PRIVATE KEY-----
+
+PublicKey=ALICE_dh2048_pub
+-----BEGIN PUBLIC KEY-----
+MIICJDCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWHMm9p
+JsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ2PEl
+cKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7wbIPc
++VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJDcerI
+660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/UwYSq/
+6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcCAQID
+ggEFAAKCAQBT3K38hHa4aWKerb3st8S8Jy/abEwn3kRnLtWins75l9K4YDnIKHV9
+/zTO0a75SxhvDDQqRiekw99Gel1zkxdo1/OJOTJs2KJ6Itedn3bU4p7k2599xstL
+02OHWzvu4J9LQXZ0NVnhX3RzhJH/ZMZAchIVx4joRmaY7fGCXwYGsfrq7lrhYOwp
+SSALvTdiNJLGm8nSOPXRWnAarTJfBhH/A38OsBY8a3bMHAlxigZWKtzY8GFIPh6O
+Xu/+5iasto/aUiK6Oshcf7t4la3TY6GAbPz9SyPETV2jRn2+ujrkFON8I1wuz9ud
+9d5iI/cRcKKrtLdIPGc7uqGy2V2qIp3v
+-----END PUBLIC KEY-----
+
+PrivateKey=BOB_dh2048
+-----BEGIN PRIVATE KEY-----
+MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWH
+Mm9pJsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ
+2PElcKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7w
+bIPc+VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJD
+cerI660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/Uw
+YSq/6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcC
+AQIEggEEAoIBAE3A6u2we1mxSxDLkiakPs2zZqfhb2ejP2TvuA4DX/+knqrJRK7s
+TqKBz80CvR7QA5CL4r/5BWJrmFet7cmF6Eh4PXE+sNswevV2C16btzAbGSGzSR5u
+bu6vv06Ah1rPrHrv+UjvRe2bxR/Z/PavbI71aQ+lqDkGKC/Uyr3u+PFLRwos2HfK
+nEX/qfnqo3N3YsPFvLidkbSJOkq6CayLT4ycTRdPxTVKELfanSEeenKJ9rKTiPdz
+3y0ycyyh0kAKs2bBViq3UlVRE3kdNAQ3nCpRl9O52hCsA+BMmnAHEW8z81lEZugN
+9X4uLV3XuflMrKxBGxfiCEVGcvnjpBTZXas=
+-----END PRIVATE KEY-----
+
+PublicKey=BOB_dh2048_pub
+-----BEGIN PUBLIC KEY-----
+MIICJDCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWHMm9p
+JsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ2PEl
+cKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7wbIPc
++VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJDcerI
+660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/UwYSq/
+6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcCAQID
+ggEFAAKCAQAJ1Ko5/dRMpowe/7k1T+11ZNszNMEbKtXGq9KsZAqSFp6h8on/kCFe
+3/SK520B/cDIjLV0W4q33iimSmG/TjwLG0jpsIKwxbzIfxjs4e1Y4pPaKfbKuCcK
+BBu8Thz2brhTxooU4CPVBJerX3mJX6hbAPAl0XcIScZPcyYYHkvthjZvO0djEn1z
+inhUQ37JKc74+56w/nUDjDiDFZMnwkPCtkdzLsbWW+Mu1Ysd1qQyb1XcNfkO0d/t
+rX00AaHwYqM7uM4slSqZhCi2w4zVvwP0BPD/TrPAjEFYEk0l2eNxBBmW5Mlss2Od
+wtMjfaolhtG/beqmAneP14mCEM4lwH4a
+-----END PUBLIC KEY-----
+
+PrivateKey=BOB_dh2048_different_pg
+-----BEGIN PRIVATE KEY-----
+MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAM/ZBdjCzvFon8sEMWEXQ4vw
+bFV3VCq3nhCuHSLb/ZsHIuKFy/ma173ttMdN1qSOL2XJazi8l+4whU0Wga8FticR
+z9U0t8ExC+0f90QRXsjXGSuDFJY6i5m6YL/xZf09g7522RqNwt4WWACgKrG7g31b
++43eXosvv5okgw5gmMrlGNZYaqnn094Ifu0UhUro6vXmlcfhnv1JpASNmxNmzrQJ
+TE8W5miG5c1+6MQJdmSVKEitdUX202mRukj2Nzq16e6iOGmGMTWYGV+sK/Hnh+BD
+hPVIqLWW5Wfz3y5ysCsGmSKuS9bssZXWmlwRiNp/NqliyzBznG168VoKMlDQxG8C
+AQIEggEEAoIBAHLPQHe9mySBSeNAqUMzKAXgxhPYPl9zC7QiyxwGiZcu/4IQ8Elr
+cyRhMuJBbu0T6NNruG2zUzDFWp/0dPGWq7YiOauau5iYCpKt4KZgiELDEwZqlxF+
+wXKXxSw3rJVemZyYuLmRzmUMcvBr5ZspdxsDRipN9mHSGTtQNGAiSPXB4P/bkaSW
+YELavS+cHZfH4nE7DAP8b8dEID81xBLGEKAyUilDE2Nv4PamhCU5GmVSv2HXVSdI
+bGlj1BpvrfJyuK5EyyOqMKvwXiEQweqrVICGNtQQs+bmNpaVBCu/xRomWn5YZkqc
+YjQBeOQwrhEFzbFwWi8vai9HB85tBLKEMiE=
+-----END PRIVATE KEY-----
+
+PublicKey=BOB_dh2048_different_pg_pub
+-----BEGIN PUBLIC KEY-----
+MIICJTCCARcGCSqGSIb3DQEDATCCAQgCggEBAM/ZBdjCzvFon8sEMWEXQ4vwbFV3
+VCq3nhCuHSLb/ZsHIuKFy/ma173ttMdN1qSOL2XJazi8l+4whU0Wga8FticRz9U0
+t8ExC+0f90QRXsjXGSuDFJY6i5m6YL/xZf09g7522RqNwt4WWACgKrG7g31b+43e
+Xosvv5okgw5gmMrlGNZYaqnn094Ifu0UhUro6vXmlcfhnv1JpASNmxNmzrQJTE8W
+5miG5c1+6MQJdmSVKEitdUX202mRukj2Nzq16e6iOGmGMTWYGV+sK/Hnh+BDhPVI
+qLWW5Wfz3y5ysCsGmSKuS9bssZXWmlwRiNp/NqliyzBznG168VoKMlDQxG8CAQID
+ggEGAAKCAQEAr5J9x7z9FWCQ27LF3pzTR+4ZdOKJJpg1qD8Vp78sg6VkoZLl+j57
+uTQVgWlCEQr5tOVCBA+F0i3DCVGpE0ExkO/lVYjf6+mwTsyZWZj6IKkxpxwm9CIR
+NshubotT9vagLxdRM9jepmt6A8Q2MfI1xm4yrYLZ0xQpNPT6076a+3gl6UysaDv8
+wpryAiQdIexC1jz4Z7yIAND3PHWFAiAIOdipIMmuvJz2exgP1KsYTZFjJUTMBZxN
+fSO65JSqf6LoQ91cB5RtgwD2pjehoAl2wumjdMcdNJyYIPvcTd1BFMjUmR3vJe/n
+di2IvD9wSm5tY542PWcf/7GV0bMbnykaPQ==
+-----END PUBLIC KEY-----
+
+PublicKey=BOB_dh2048_badpub_toolarge
+-----BEGIN PUBLIC KEY-----
+MIICJTCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWHMm9p
+JsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ2PEl
+cKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7wbIPc
++VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJDcerI
+660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/UwYSq/
+6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcCAQID
+ggEGAAKCAQEAiSriGd9pQZ6W0sMHV6jdJYcyb2kmwJhvYT+AJc2BNZAEp5uSDhlf
+MRhSeDzz09/M2nGYOKeX8fhagGagz+ElqwnY8SVwp6MgCdhSLRIccORgo4kyjRbk
+fx8dxGTz3e9HSSWU76E/R7Ua6vTZOx0QXvBsg9z5VX/tsyD1XGFCH34RJ5iBBef+
+fc1KeJSQ7loKPLMbLoTHb/11z5eDoLTxgkNx6sjrrR6cR7Q1ojnQ3VbrltvF2Xd3
+q8dP0Ia15diIi6PQjkIbsLCdTZZXjbB79TBhKr/oN9T3fLktIFm46J/yIukZd+AT
+tMIB5jcf5YEC7jf6BbPrE0q1sXREyZPZVg==
+-----END PUBLIC KEY-----
+
+PublicKey=BOB_dh2048_badpub_toosmall
+-----BEGIN PUBLIC KEY-----
+MIIBITCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWHMm9p
+JsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ2PEl
+cKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7wbIPc
++VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJDcerI
+660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/UwYSq/
+6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcCAQID
+BAACAQE=
+-----END PUBLIC KEY-----
+
+# DH Alice with Bob peer
+Availablein = default
+Derive=ALICE_dh2048
+PeerKeyValidate=BOB_dh2048_pub
+SharedSecret=28f1f890a14899b5fb600dc43ef28cdc065535bc5ee2b3e08ebb53f7ee93618f3471c0696bce289c3839ae6ced374a799c61d76cb9c60ecdc3bd75ac4ed9f060fcfa972a5ce899ff17120ce70e35d720797a62d2b3d724b9d21b9dc0f4f4ec1cbf4730d57955dc1be53210e3d10ed3e78a96914e0a201e0cc0d75744e2d8f6ed8a301bca465d4d1a518a5cda8219bdf562796842bd6a839369b5cacc77e44a9ac8475d50df6d7bddfb661241c566acd025642bc6b1bbcecb1c1e5a1429c9df552ad6a39194074b21f4e890bd79e934150850561932fee3c44ccf0e8bcd22df2f9cafad2e2f19364344fe588523a9da8545081c2118fd6b8c0e12ede6b9f5f258
+
+# DH Bob with Alice peer
+Availablein = default
+Derive=BOB_dh2048
+PeerKeyValidate=ALICE_dh2048_pub
+SharedSecret=28f1f890a14899b5fb600dc43ef28cdc065535bc5ee2b3e08ebb53f7ee93618f3471c0696bce289c3839ae6ced374a799c61d76cb9c60ecdc3bd75ac4ed9f060fcfa972a5ce899ff17120ce70e35d720797a62d2b3d724b9d21b9dc0f4f4ec1cbf4730d57955dc1be53210e3d10ed3e78a96914e0a201e0cc0d75744e2d8f6ed8a301bca465d4d1a518a5cda8219bdf562796842bd6a839369b5cacc77e44a9ac8475d50df6d7bddfb661241c566acd025642bc6b1bbcecb1c1e5a1429c9df552ad6a39194074b21f4e890bd79e934150850561932fee3c44ccf0e8bcd22df2f9cafad2e2f19364344fe588523a9da8545081c2118fd6b8c0e12ede6b9f5f258
+
+# DH Alice with Bob peer - mismatching domain parameters
+Availablein = default
+Derive=BOB_dh2048
+PeerKeyValidate=BOB_dh2048_different_pg_pub
+Result = DERIVE_SET_PEER_ERROR
+
+# DH Alice with Bob peer - pub > p - 2
+Availablein = default
+Derive=ALICE_dh2048
+PeerKeyValidate=BOB_dh2048_badpub_toolarge
+Result = DERIVE_SET_PEER_ERROR
+
+# DH Alice with Bob peer - pub < 2 should fail
+Availablein = default
+Derive=ALICE_dh2048
+PeerKeyValidate=BOB_dh2048_badpub_toosmall
+Result = DERIVE_SET_PEER_ERROR
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdh.txt b/test/recipes/30-test_evp_data/evppkey_ecdh.txt
index c738c4aeb0..9003eb524d 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdh.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdh.txt
@@ -139,7 +139,6 @@ Ny3Ep0GVYms=
PrivPubKeyPair = BOB_secp128r1:BOB_secp128r1_PUB
-
# ECDH Alice with Bob peer
Availablein = default
@@ -3609,3 +3608,11 @@ SharedSecret=01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04D14
Derive=SECP521R1_RFC5903-Peer
PeerKey=SECP521R1_RFC5903-PUBLIC
SharedSecret=01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04D1427E73CA4BAA240A34786859810C06B3C715A3A8CC3151F2BEE417996D19F3DDEA
+
+Title = ECDH negative tests (with random keys)
+
+# ECDH Alice with BOB peer - mismatching curves.
+Availablein = default
+Derive=ALICE_secp112r1
+PeerKeyValidate=BOB_secp128r1_PUB
+Result = DERIVE_SET_PEER_ERROR
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-30 18:08:36 +0000