Add domain parameter match check for DH and ECDH key exchange.

Fixes #14808

Validation checks were moved into EVP_PKEY_derive_set_peer() which broke
an external negative test. Originally the old code was semi working by checking the peers public key was in the range of other parties p. It was not actually ever
checking that the domain parameters were consistent between the 2
parties. It now checks the parameters match as well as validating the
peers public key.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14823)

1 files changed, 6 insertions, 2 deletions

diff --git a/test/evp_test.c b/test/evp_test.c
index efcf4c5fee..a7a3cc4bb3 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -1627,12 +1627,16 @@ static int pderive_test_parse(EVP_TEST *t,
                               const char *keyword, const char *value)
 {
     PKEY_DATA *kdata = t->data;
+    int validate = 0;
 
-    if (strcmp(keyword, "PeerKey") == 0) {
+    if (strcmp(keyword, "PeerKeyValidate") == 0)
+        validate = 1;
+
+    if (validate || strcmp(keyword, "PeerKey") == 0) {
         EVP_PKEY *peer;
         if (find_key(&peer, value, public_keys) == 0)
             return -1;
-        if (EVP_PKEY_derive_set_peer_ex(kdata->ctx, peer, 0) <= 0) {
+        if (EVP_PKEY_derive_set_peer_ex(kdata->ctx, peer, validate) <= 0) {
             t->err = "DERIVE_SET_PEER_ERROR";
             return 1;
         }