Merge pull request #6334 from SparkiDev/openssl_ec_set_priv_key_check

OpenSSL EC API: fix setting private key

src/pk.c

@@ -12753,7 +12753,7 @@ WOLFSSL_BIGNUM *wolfSSL_EC_KEY_get0_private_key(const WOLFSSL_EC_KEY *key)
  * @return  0 on failure.
  */
 int wolfSSL_EC_KEY_set_private_key(WOLFSSL_EC_KEY *key,
-                                   const WOLFSSL_BIGNUM *priv_key)
+    const WOLFSSL_BIGNUM *priv_key)
 {
     int ret = 1;
 
@@ -12765,6 +12765,13 @@ int wolfSSL_EC_KEY_set_private_key(WOLFSSL_EC_KEY *key,
         ret = 0;
     }
 
+    /* Check for obvious invalid values. */
+    if (wolfSSL_BN_is_negative(priv_key) || wolfSSL_BN_is_zero(priv_key) ||
+            wolfSSL_BN_is_one(priv_key)) {
+        WOLFSSL_MSG("Invalid private key value");
+        ret = 0;
+    }
+
     if (ret == 1) {
         /* Free key if previously set. */
         if (key->priv_key != NULL) {

tests/api.c

@@ -59993,8 +59993,8 @@ static int test_wolfSSL_EC_KEY_private_key(void)
     AssertNotNull(key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
     AssertNotNull(priv = wolfSSL_BN_new());
     AssertNotNull(priv2 = wolfSSL_BN_new());
-    AssertIntNE(BN_set_word(priv, 1), 0);
-    AssertIntNE(BN_set_word(priv2, 1), 0);
+    AssertIntNE(BN_set_word(priv, 2), 0);
+    AssertIntNE(BN_set_word(priv2, 2), 0);
 
     AssertNull(wolfSSL_EC_KEY_get0_private_key(NULL));
     /* No private key set. */