[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Wed Apr 14 06:03:46 UTC 2021
The branch master has been updated
via 46eee7104d77f9d303e06a398febdc60fd014d33 (commit)
from 0d5bbaaae2c65ddf7a30596b61617304e0950d9c (commit)
- Log -----------------------------------------------------------------
commit 46eee7104d77f9d303e06a398febdc60fd014d33
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Mon Apr 12 09:06:24 2021 +1000
Add domain parameter match check for DH and ECDH key exchange.
Fixes #14808
Validation checks were moved into EVP_PKEY_derive_set_peer() which broke
an external negative test. Originally the old code was semi working by checking the peers public key was in the range of other parties p. It was not actually ever
checking that the domain parameters were consistent between the 2
parties. It now checks the parameters match as well as validating the
peers public key.
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14823)
-----------------------------------------------------------------------
Summary of changes:
crypto/err/openssl.txt | 1 +
include/openssl/proverr.h | 1 +
providers/common/provider_err.c | 2 +
providers/implementations/exchange/dh_exch.c | 16 +++
providers/implementations/exchange/ecdh_exch.c | 27 +++-
test/evp_test.c | 8 +-
test/recipes/30-test_evp.t | 7 +-
test/recipes/30-test_evp_data/evppkey_dh.txt | 167 +++++++++++++++++++++++++
test/recipes/30-test_evp_data/evppkey_ecdh.txt | 9 +-
9 files changed, 232 insertions(+), 6 deletions(-)
create mode 100644 test/recipes/30-test_evp_data/evppkey_dh.txt
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index ee17b68405..eed0b71ada 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1007,6 +1007,7 @@ PROV_R_IN_ERROR_STATE:192:in error state
PROV_R_KEY_SETUP_FAILED:101:key setup failed
PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small
PROV_R_LENGTH_TOO_LARGE:202:length too large
+PROV_R_MISMATCHING_DOMAIN_PARAMETERS:203:mismatching domain parameters
PROV_R_MISSING_CEK_ALG:144:missing cek alg
PROV_R_MISSING_CIPHER:155:missing cipher
PROV_R_MISSING_CONFIG_DATA:213:missing config data
diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h
index c40815a03b..29301124ec 100644
--- a/include/openssl/proverr.h
+++ b/include/openssl/proverr.h
@@ -80,6 +80,7 @@
# define PROV_R_KEY_SETUP_FAILED 101
# define PROV_R_KEY_SIZE_TOO_SMALL 171
# define PROV_R_LENGTH_TOO_LARGE 202
+# define PROV_R_MISMATCHING_DOMAIN_PARAMETERS 203
# define PROV_R_MISSING_CEK_ALG 144
# define PROV_R_MISSING_CIPHER 155
# define PROV_R_MISSING_CONFIG_DATA 213
diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c
index dd1a98f935..8b5d0008f9 100644
--- a/providers/common/provider_err.c
+++ b/providers/common/provider_err.c
@@ -111,6 +111,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_KEY_SIZE_TOO_SMALL),
"key size too small"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_LENGTH_TOO_LARGE), "length too large"},
+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISMATCHING_DOMAIN_PARAMETERS),
+ "mismatching shared parameters"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISSING_CEK_ALG), "missing cek alg"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISSING_CIPHER), "missing cipher"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISSING_CONFIG_DATA),
diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index 87eb17dd60..0ecc6c7a4c 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -108,6 +108,21 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[])
return dh_set_ctx_params(pdhctx, params) && ossl_dh_check_key(vdh);
}
+/* The 2 parties must share the same domain parameters */
+static int dh_match_params(DH *priv, DH *peer)
+{
+ int ret;
+ FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv);
+ FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer);
+
+ ret = dhparams_priv != NULL
+ && dhparams_peer != NULL
+ && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1);
+ if (!ret)
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
+ return ret;
+}
+
static int dh_set_peer(void *vpdhctx, void *vdh)
{
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
@@ -115,6 +130,7 @@ static int dh_set_peer(void *vpdhctx, void *vdh)
if (!ossl_prov_is_running()
|| pdhctx == NULL
|| vdh == NULL
+ || !dh_match_params(vdh, pdhctx->dh)
|| !DH_up_ref(vdh))
return 0;
DH_free(pdhctx->dhpeer);
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 63bcf4e50c..ba2b493a76 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -116,6 +116,28 @@ int ecdh_init(void *vpecdhctx, void *vecdh, const OSSL_PARAM params[])
&& ossl_ec_check_key(vecdh, 1);
}
+static
+int ecdh_match_params(const EC_KEY *priv, const EC_KEY *peer)
+{
+ int ret;
+ BN_CTX *ctx = NULL;
+ const EC_GROUP *group_priv = EC_KEY_get0_group(priv);
+ const EC_GROUP *group_peer = EC_KEY_get0_group(peer);
+
+ ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(priv));
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ ret = group_priv != NULL
+ && group_peer != NULL
+ && EC_GROUP_cmp(group_priv, group_peer, ctx) == 0;
+ if (!ret)
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
+ BN_CTX_free(ctx);
+ return ret;
+}
+
static
int ecdh_set_peer(void *vpecdhctx, void *vecdh)
{
@@ -124,11 +146,14 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
if (!ossl_prov_is_running()
|| pecdhctx == NULL
|| vecdh == NULL
+ || !ecdh_match_params(pecdhctx->k, vecdh)
+ || !ossl_ec_check_key(vecdh, 1)
|| !EC_KEY_up_ref(vecdh))
return 0;
+
EC_KEY_free(pecdhctx->peerk);
pecdhctx->peerk = vecdh;
- return ossl_ec_check_key(vecdh, 1);
+ return 1;
}
static
diff --git a/test/evp_test.c b/test/evp_test.c
index efcf4c5fee..a7a3cc4bb3 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -1627,12 +1627,16 @@ static int pderive_test_parse(EVP_TEST *t,
const char *keyword, const char *value)
{
PKEY_DATA *kdata = t->data;
+ int validate = 0;
- if (strcmp(keyword, "PeerKey") == 0) {
+ if (strcmp(keyword, "PeerKeyValidate") == 0)
+ validate = 1;
+
+ if (validate || strcmp(keyword, "PeerKey") == 0) {
EVP_PKEY *peer;
if (find_key(&peer, value, public_keys) == 0)
return -1;
- if (EVP_PKEY_derive_set_peer_ex(kdata->ctx, peer, 0) <= 0) {
+ if (EVP_PKEY_derive_set_peer_ex(kdata->ctx, peer, validate) <= 0) {
t->err = "DERIVE_SET_PEER_ERROR";
return 1;
}
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 6a1bf664a4..87bb501095 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -56,7 +56,10 @@ my @files = qw(
evppkey_rsa_common.txt
evprand.txt
);
-push @files, qw(evppkey_ffdhe.txt) unless $no_dh;
+push @files, qw(
+ evppkey_ffdhe.txt
+ evppkey_dh.txt
+ ) unless $no_dh;
push @files, qw(evppkey_dsa.txt) unless $no_dsa;
push @files, qw(evppkey_ecx.txt) unless $no_ec;
push @files, qw(
@@ -65,7 +68,7 @@ push @files, qw(
evppkey_ecdsa.txt
evppkey_kas.txt
evppkey_mismatch.txt
- ) unless $no_ec || $no_gost;
+ ) unless $no_ec || $no_gost;
# A list of tests that only run with the default provider
# (i.e. The algorithms are not present in the fips provider)
diff --git a/test/recipes/30-test_evp_data/evppkey_dh.txt b/test/recipes/30-test_evp_data/evppkey_dh.txt
new file mode 100644
index 0000000000..d6d9f39afc
--- /dev/null
+++ b/test/recipes/30-test_evp_data/evppkey_dh.txt
@@ -0,0 +1,167 @@
+#
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+# Tests start with one of these keywords
+# Cipher Decrypt Derive Digest Encoding KDF MAC PBE
+# PrivPubKeyPair Sign Verify VerifyRecover
+# and continue until a blank line. Lines starting with a pound sign are ignored.
+
+Title = DH tests (with random keys)
+
+PrivateKey=ALICE_dh2048
+-----BEGIN PRIVATE KEY-----
+MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWH
+Mm9pJsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ
+2PElcKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7w
+bIPc+VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJD
+cerI660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/Uw
+YSq/6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcC
+AQIEggEEAoIBAH+HysSpzn94mlyNeevhb29SFyu3/maES+JRlVuHvpVOcHCrGR5J
+fbXWiWnn03geb1hC9HIta6l9YKwWGQYLmVu/0bRedYeqC1JfgEvwYrZME9FO+AqQ
+4CpXcG/mSGtHoMPtcsUakpprNxoh3xwI+GAfSDK1lW/aA0R/A7jNCV9+lmYJAJL6
+5FJvhBAODSf7JUetlWvhwDBnvram7jRGJtlvpiwmmfk+Kb4AA1ZQMIHTnPNNPLJh
+NTtqELKjk3i3xxlLLlWJEbF+ZAuseDPZITtwMr4fhoeKegez+lucu6uoMm7Wek7F
+G0Ne0unywftCLUrmQ/Lboqaqvlv3PAFRaLs=
+-----END PRIVATE KEY-----
+
+PublicKey=ALICE_dh2048_pub
+-----BEGIN PUBLIC KEY-----
+MIICJDCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWHMm9p
+JsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ2PEl
+cKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7wbIPc
++VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJDcerI
+660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/UwYSq/
+6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcCAQID
+ggEFAAKCAQBT3K38hHa4aWKerb3st8S8Jy/abEwn3kRnLtWins75l9K4YDnIKHV9
+/zTO0a75SxhvDDQqRiekw99Gel1zkxdo1/OJOTJs2KJ6Itedn3bU4p7k2599xstL
+02OHWzvu4J9LQXZ0NVnhX3RzhJH/ZMZAchIVx4joRmaY7fGCXwYGsfrq7lrhYOwp
+SSALvTdiNJLGm8nSOPXRWnAarTJfBhH/A38OsBY8a3bMHAlxigZWKtzY8GFIPh6O
+Xu/+5iasto/aUiK6Oshcf7t4la3TY6GAbPz9SyPETV2jRn2+ujrkFON8I1wuz9ud
+9d5iI/cRcKKrtLdIPGc7uqGy2V2qIp3v
+-----END PUBLIC KEY-----
+
+PrivateKey=BOB_dh2048
+-----BEGIN PRIVATE KEY-----
+MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWH
+Mm9pJsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ
+2PElcKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7w
+bIPc+VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJD
+cerI660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/Uw
+YSq/6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcC
+AQIEggEEAoIBAE3A6u2we1mxSxDLkiakPs2zZqfhb2ejP2TvuA4DX/+knqrJRK7s
+TqKBz80CvR7QA5CL4r/5BWJrmFet7cmF6Eh4PXE+sNswevV2C16btzAbGSGzSR5u
+bu6vv06Ah1rPrHrv+UjvRe2bxR/Z/PavbI71aQ+lqDkGKC/Uyr3u+PFLRwos2HfK
+nEX/qfnqo3N3YsPFvLidkbSJOkq6CayLT4ycTRdPxTVKELfanSEeenKJ9rKTiPdz
+3y0ycyyh0kAKs2bBViq3UlVRE3kdNAQ3nCpRl9O52hCsA+BMmnAHEW8z81lEZugN
+9X4uLV3XuflMrKxBGxfiCEVGcvnjpBTZXas=
+-----END PRIVATE KEY-----
+
+PublicKey=BOB_dh2048_pub
+-----BEGIN PUBLIC KEY-----
+MIICJDCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWHMm9p
+JsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ2PEl
+cKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7wbIPc
++VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJDcerI
+660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/UwYSq/
+6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcCAQID
+ggEFAAKCAQAJ1Ko5/dRMpowe/7k1T+11ZNszNMEbKtXGq9KsZAqSFp6h8on/kCFe
+3/SK520B/cDIjLV0W4q33iimSmG/TjwLG0jpsIKwxbzIfxjs4e1Y4pPaKfbKuCcK
+BBu8Thz2brhTxooU4CPVBJerX3mJX6hbAPAl0XcIScZPcyYYHkvthjZvO0djEn1z
+inhUQ37JKc74+56w/nUDjDiDFZMnwkPCtkdzLsbWW+Mu1Ysd1qQyb1XcNfkO0d/t
+rX00AaHwYqM7uM4slSqZhCi2w4zVvwP0BPD/TrPAjEFYEk0l2eNxBBmW5Mlss2Od
+wtMjfaolhtG/beqmAneP14mCEM4lwH4a
+-----END PUBLIC KEY-----
+
+PrivateKey=BOB_dh2048_different_pg
+-----BEGIN PRIVATE KEY-----
+MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAM/ZBdjCzvFon8sEMWEXQ4vw
+bFV3VCq3nhCuHSLb/ZsHIuKFy/ma173ttMdN1qSOL2XJazi8l+4whU0Wga8FticR
+z9U0t8ExC+0f90QRXsjXGSuDFJY6i5m6YL/xZf09g7522RqNwt4WWACgKrG7g31b
++43eXosvv5okgw5gmMrlGNZYaqnn094Ifu0UhUro6vXmlcfhnv1JpASNmxNmzrQJ
+TE8W5miG5c1+6MQJdmSVKEitdUX202mRukj2Nzq16e6iOGmGMTWYGV+sK/Hnh+BD
+hPVIqLWW5Wfz3y5ysCsGmSKuS9bssZXWmlwRiNp/NqliyzBznG168VoKMlDQxG8C
+AQIEggEEAoIBAHLPQHe9mySBSeNAqUMzKAXgxhPYPl9zC7QiyxwGiZcu/4IQ8Elr
+cyRhMuJBbu0T6NNruG2zUzDFWp/0dPGWq7YiOauau5iYCpKt4KZgiELDEwZqlxF+
+wXKXxSw3rJVemZyYuLmRzmUMcvBr5ZspdxsDRipN9mHSGTtQNGAiSPXB4P/bkaSW
+YELavS+cHZfH4nE7DAP8b8dEID81xBLGEKAyUilDE2Nv4PamhCU5GmVSv2HXVSdI
+bGlj1BpvrfJyuK5EyyOqMKvwXiEQweqrVICGNtQQs+bmNpaVBCu/xRomWn5YZkqc
+YjQBeOQwrhEFzbFwWi8vai9HB85tBLKEMiE=
+-----END PRIVATE KEY-----
+
+PublicKey=BOB_dh2048_different_pg_pub
+-----BEGIN PUBLIC KEY-----
+MIICJTCCARcGCSqGSIb3DQEDATCCAQgCggEBAM/ZBdjCzvFon8sEMWEXQ4vwbFV3
+VCq3nhCuHSLb/ZsHIuKFy/ma173ttMdN1qSOL2XJazi8l+4whU0Wga8FticRz9U0
+t8ExC+0f90QRXsjXGSuDFJY6i5m6YL/xZf09g7522RqNwt4WWACgKrG7g31b+43e
+Xosvv5okgw5gmMrlGNZYaqnn094Ifu0UhUro6vXmlcfhnv1JpASNmxNmzrQJTE8W
+5miG5c1+6MQJdmSVKEitdUX202mRukj2Nzq16e6iOGmGMTWYGV+sK/Hnh+BDhPVI
+qLWW5Wfz3y5ysCsGmSKuS9bssZXWmlwRiNp/NqliyzBznG168VoKMlDQxG8CAQID
+ggEGAAKCAQEAr5J9x7z9FWCQ27LF3pzTR+4ZdOKJJpg1qD8Vp78sg6VkoZLl+j57
+uTQVgWlCEQr5tOVCBA+F0i3DCVGpE0ExkO/lVYjf6+mwTsyZWZj6IKkxpxwm9CIR
+NshubotT9vagLxdRM9jepmt6A8Q2MfI1xm4yrYLZ0xQpNPT6076a+3gl6UysaDv8
+wpryAiQdIexC1jz4Z7yIAND3PHWFAiAIOdipIMmuvJz2exgP1KsYTZFjJUTMBZxN
+fSO65JSqf6LoQ91cB5RtgwD2pjehoAl2wumjdMcdNJyYIPvcTd1BFMjUmR3vJe/n
+di2IvD9wSm5tY542PWcf/7GV0bMbnykaPQ==
+-----END PUBLIC KEY-----
+
+PublicKey=BOB_dh2048_badpub_toolarge
+-----BEGIN PUBLIC KEY-----
+MIICJTCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWHMm9p
+JsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ2PEl
+cKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7wbIPc
++VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJDcerI
+660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/UwYSq/
+6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcCAQID
+ggEGAAKCAQEAiSriGd9pQZ6W0sMHV6jdJYcyb2kmwJhvYT+AJc2BNZAEp5uSDhlf
+MRhSeDzz09/M2nGYOKeX8fhagGagz+ElqwnY8SVwp6MgCdhSLRIccORgo4kyjRbk
+fx8dxGTz3e9HSSWU76E/R7Ua6vTZOx0QXvBsg9z5VX/tsyD1XGFCH34RJ5iBBef+
+fc1KeJSQ7loKPLMbLoTHb/11z5eDoLTxgkNx6sjrrR6cR7Q1ojnQ3VbrltvF2Xd3
+q8dP0Ia15diIi6PQjkIbsLCdTZZXjbB79TBhKr/oN9T3fLktIFm46J/yIukZd+AT
+tMIB5jcf5YEC7jf6BbPrE0q1sXREyZPZVg==
+-----END PUBLIC KEY-----
+
+PublicKey=BOB_dh2048_badpub_toosmall
+-----BEGIN PUBLIC KEY-----
+MIIBITCCARcGCSqGSIb3DQEDATCCAQgCggEBAIkq4hnfaUGeltLDB1eo3SWHMm9p
+JsCYb2E/gCXNgTWQBKebkg4ZXzEYUng889PfzNpxmDinl/H4WoBmoM/hJasJ2PEl
+cKejIAnYUi0SHHDkYKOJMo0W5H8fHcRk893vR0kllO+hP0e1Gur02TsdEF7wbIPc
++VV/7bMg9VxhQh9+ESeYgQXn/n3NSniUkO5aCjyzGy6Ex2/9dc+Xg6C08YJDcerI
+660enEe0NaI50N1W65bbxdl3d6vHT9CGteXYiIuj0I5CG7CwnU2WV42we/UwYSq/
+6DfU93y5LSBZuOif8iLpGXfgE7TCAeY3H+WBAu43+gWz6xNKtbF0RMmT2VcCAQID
+BAACAQE=
+-----END PUBLIC KEY-----
+
+# DH Alice with Bob peer
+Availablein = default
+Derive=ALICE_dh2048
+PeerKeyValidate=BOB_dh2048_pub
+SharedSecret=28f1f890a14899b5fb600dc43ef28cdc065535bc5ee2b3e08ebb53f7ee93618f3471c0696bce289c3839ae6ced374a799c61d76cb9c60ecdc3bd75ac4ed9f060fcfa972a5ce899ff17120ce70e35d720797a62d2b3d724b9d21b9dc0f4f4ec1cbf4730d57955dc1be53210e3d10ed3e78a96914e0a201e0cc0d75744e2d8f6ed8a301bca465d4d1a518a5cda8219bdf562796842bd6a839369b5cacc77e44a9ac8475d50df6d7bddfb661241c566acd025642bc6b1bbcecb1c1e5a1429c9df552ad6a39194074b21f4e890bd79e934150850561932fee3c44ccf0e8bcd22df2f9cafad2e2f19364344fe588523a9da8545081c2118fd6b8c0e12ede6b9f5f258
+
+# DH Bob with Alice peer
+Availablein = default
+Derive=BOB_dh2048
+PeerKeyValidate=ALICE_dh2048_pub
+SharedSecret=28f1f890a14899b5fb600dc43ef28cdc065535bc5ee2b3e08ebb53f7ee93618f3471c0696bce289c3839ae6ced374a799c61d76cb9c60ecdc3bd75ac4ed9f060fcfa972a5ce899ff17120ce70e35d720797a62d2b3d724b9d21b9dc0f4f4ec1cbf4730d57955dc1be53210e3d10ed3e78a96914e0a201e0cc0d75744e2d8f6ed8a301bca465d4d1a518a5cda8219bdf562796842bd6a839369b5cacc77e44a9ac8475d50df6d7bddfb661241c566acd025642bc6b1bbcecb1c1e5a1429c9df552ad6a39194074b21f4e890bd79e934150850561932fee3c44ccf0e8bcd22df2f9cafad2e2f19364344fe588523a9da8545081c2118fd6b8c0e12ede6b9f5f258
+
+# DH Alice with Bob peer - mismatching domain parameters
+Availablein = default
+Derive=BOB_dh2048
+PeerKeyValidate=BOB_dh2048_different_pg_pub
+Result = DERIVE_SET_PEER_ERROR
+
+# DH Alice with Bob peer - pub > p - 2
+Availablein = default
+Derive=ALICE_dh2048
+PeerKeyValidate=BOB_dh2048_badpub_toolarge
+Result = DERIVE_SET_PEER_ERROR
+
+# DH Alice with Bob peer - pub < 2 should fail
+Availablein = default
+Derive=ALICE_dh2048
+PeerKeyValidate=BOB_dh2048_badpub_toosmall
+Result = DERIVE_SET_PEER_ERROR
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdh.txt b/test/recipes/30-test_evp_data/evppkey_ecdh.txt
index c738c4aeb0..9003eb524d 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdh.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdh.txt
@@ -139,7 +139,6 @@ Ny3Ep0GVYms=
PrivPubKeyPair = BOB_secp128r1:BOB_secp128r1_PUB
-
# ECDH Alice with Bob peer
Availablein = default
@@ -3609,3 +3608,11 @@ SharedSecret=01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04D14
Derive=SECP521R1_RFC5903-Peer
PeerKey=SECP521R1_RFC5903-PUBLIC
SharedSecret=01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04D1427E73CA4BAA240A34786859810C06B3C715A3A8CC3151F2BEE417996D19F3DDEA
+
+Title = ECDH negative tests (with random keys)
+
+# ECDH Alice with BOB peer - mismatching curves.
+Availablein = default
+Derive=ALICE_secp112r1
+PeerKeyValidate=BOB_secp128r1_PUB
+Result = DERIVE_SET_PEER_ERROR
More information about the openssl-commits
mailing list