The recently-added DH_CHECK_PUBKEY_INVALID was set to 0x3, but DH_CHECK_PUBKEY_* values are flags, so it should be 0x4 to avoid colliding with DH_CHECK_PUBKEY_TOO_SMALL (0x01) and DH_CHECK_PUBKEY_TOO_LARGE (0x02). See DH_check_pub_key's *ret |= logic.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b128abc3437600c3143cb2145185ab87ba3156a2 (Also, that code is missing malloc failure checks on BN_set_word, BN_sub_word, and BN_copy. Though I could believe the first two don't actually end up calling malloc; I didn't check.) David _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
