From 46eee7104d77f9d303e06a398febdc60fd014d33 Mon Sep 17 00:00:00 2001
From: Shane Lontis <shane.lontis@oracle.com>
Date: Mon, 12 Apr 2021 09:06:24 +1000
Subject: Add domain parameter match check for DH and ECDH key exchange.

Fixes #14808

Validation checks were moved into EVP_PKEY_derive_set_peer() which broke
an external negative test. Originally the old code was semi working by checking the peers public key was in the range of other parties p. It was not actually ever
checking that the domain parameters were consistent between the 2
parties. It now checks the parameters match as well as validating the
peers public key.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14823)
---
 crypto/err/openssl.txt | 1 +
 1 file changed, 1 insertion(+)

(limited to 'crypto')

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index ee17b68405..eed0b71ada 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1007,6 +1007,7 @@ PROV_R_IN_ERROR_STATE:192:in error state
 PROV_R_KEY_SETUP_FAILED:101:key setup failed
 PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small
 PROV_R_LENGTH_TOO_LARGE:202:length too large
+PROV_R_MISMATCHING_DOMAIN_PARAMETERS:203:mismatching domain parameters
 PROV_R_MISSING_CEK_ALG:144:missing cek alg
 PROV_R_MISSING_CIPHER:155:missing cipher
 PROV_R_MISSING_CONFIG_DATA:213:missing config data
-- 
cgit v1.2.3