From e454a3934c287aede194cac49c8934f04bf6a04f Mon Sep 17 00:00:00 2001
From: Shane Lontis <shane.lontis@oracle.com>
Date: Mon, 29 Mar 2021 13:38:00 +1000
Subject: Add a range check (from SP800-56Ar3) to DH key derivation.

Fixes #14401

Note that this moves the public key check out of DH compute_key() since
key validation does not belong inside this primitive..
The check has been moved to the EVP_PKEY_derive_set_peer() function so that
it generally applies to all exchange operations.. Use EVP_PKEY_derive_set_peer_ex()
to disable this behaviour.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14717)
---
 CHANGES.md | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'CHANGES.md')

diff --git a/CHANGES.md b/CHANGES.md
index 10c471ab1b..54fc6855f0 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,14 @@ OpenSSL 3.0
 
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
 
+ * A public key check is now performed during EVP_PKEY_derive_set_peer().
+   Previously DH was internally doing this during EVP_PKEY_derive().
+   To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). This
+   may mean that an error can occur in EVP_PKEY_derive_set_peer() rather than
+   during EVP_PKEY_derive().
+
+   *Shane Lontis*
+
  * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
    more key types including RSA, DSA, ED25519, X25519, ED448 and X448.
    Previously (in 1.1.1) they would return -2. For key types that do not have
-- 
cgit v1.2.3