From 2d757eadd0d1d30886c776d3343c6922a3302f44 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Wed, 9 Nov 2022 09:55:16 +1000
Subject: [PATCH] DH: fix when using SP The agreed secret must not be 0 or 1 by SP800-56A, 5.7.1.1. Check done when not using SP. Add check to SP calling code.
---
 wolfcrypt/src/dh.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c
index bf54ecc58..18b24bc85 100644
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@@ -2037,6 +2037,11 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
 RESTORE_VECTOR_REGISTERS();
+ /* make sure agree is > 1 (SP800-56A, 5.7.1.1) */
+ if ((*agreeSz == 0) || ((*agreeSz == 1) && (agree[0] == 1))) {
+ ret = MP_VAL;
+ }
+
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
 #if !defined(WOLFSSL_SP_MATH)
 XFREE(z, key->heap, DYNAMIC_TYPE_DH);
@@ -2064,6 +2069,11 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
 RESTORE_VECTOR_REGISTERS();
+ /* make sure agree is > 1 (SP800-56A, 5.7.1.1) */
+ if ((*agreeSz == 0) || ((*agreeSz == 1) && (agree[0] == 1))) {
+ ret = MP_VAL;
+ }
+
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
 #if !defined(WOLFSSL_SP_MATH)
 XFREE(z, key->heap, DYNAMIC_TYPE_DH);
@@ -2091,6 +2101,11 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
 RESTORE_VECTOR_REGISTERS();
+ /* make sure agree is > 1 (SP800-56A, 5.7.1.1) */
+ if ((*agreeSz == 0) || ((*agreeSz == 1) && (agree[0] == 1))) {
+ ret = MP_VAL;
+ }
+
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
 #if !defined(WOLFSSL_SP_MATH)
 XFREE(z, key->heap, DYNAMIC_TYPE_DH);
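Review bot: The added secret check in the first hunk is not gated on `ret`, and the second and third hunks repeat the same code. If the exponentiation before it failed, the check still reads `*agreeSz` and `agree[0]`, which may never have been written, and a match replaces the original error code with `MP_VAL`. Guarding it keeps the first failure intact: `if ((ret == 0) && ((*agreeSz == 0) || ((*agreeSz == 1) && (agree[0] == 1)))) {`. The test also presumes the SP routine returns `agree` with leading zero bytes stripped; a fixed-length encoding of 1 would pass unnoticed. That presumption deserves a short comment next to the check, or confirmation against the SP implementation. `wc_DhAgree_Sync` starts and ends outside these hunks, so how `ret` and `agree` are set before the check is not visible here.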