FW: seeking info on source of DH key requirements

Wall, Stephen

Sep 17, 2025, 10:34:22 AM
to openss...@openssl.org

Can anyone tell me what the source (RFC, NIST, FIPS, whatever) of this test in diffie-hellman key generation (dh_key.c) is?

 

        /* Is it an approved safe prime ?*/
        if (DH_get_nid(dh) != NID_undef) {
            int max_strength =
                    ossl_ifc_ffc_compute_security_bits(BN_num_bits(dh->params.p));

            if (dh->params.q == NULL
                || dh->length > BN_num_bits(dh->params.q))
                goto err;

https://github.com/openssl/openssl/blob/d88c43a64408616572941e5d0b127194d80f562f/crypto/dh/dh_key.c#L318

We’re having an issue connecting via SSH to a vendor device, and I’ve tracked it to `dh->length` being 512 when `dh->params.q` is 256.  I’d like to have some document to point the vendor to if possible.

Thank you much.

 

--

Stephen Wall

Senior Staff Software Engineer

585.924.7550

 

REDCOM Laboratories, Inc.

Research, Engineering, & Development in Communications

One Redcom Center, Victor, NY 14564-0995

Viktor Dukhovni

Sep 17, 2025, 11:20:48 AM
to openss...@openssl.org
On Wed, Sep 17, 2025 at 02:34:07PM +0000, Wall, Stephen wrote:

> Can anyone tell me what the source (RFC, NIST, FIPS, whatever) of this
> test in diffie-hellman key generation (dh_key.c) is?
>
> /* Is it an approved safe prime ?*/
> if (DH_get_nid(dh) != NID_undef) {
>     int max_strength =
>         ossl_ifc_ffc_compute_security_bits(BN_num_bits(dh->params.p));
>
>     if (dh->params.q == NULL
>         || dh->length > BN_num_bits(dh->params.q))
>         goto err;
>
> https://github.com/openssl/openssl/blob/d88c43a64408616572941e5d0b127194d80f562f/crypto/dh/dh_key.c#L318

For any DH group with an explicit 'q' parameter, the private key is an
element of [1, q-1], so its bit count (dh->length) is at most the bit
count of `q`.

This report is rather skimpy. Which specific group is this (please
report the group name)? And make an effort to find out where dh->length
was set to its unexpectedly larger value.

What protocol is this? TLS, SSH, something else?

--
Viktor.
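
Added example, not part of the thread and not OpenSSL's code: a Python model of the bound described in the reply above (private key in [1, q-1], so its bit length cannot exceed that of q). The toy group and the function names are constructed for illustration.

```python
import secrets
from typing import Optional

# Constructed toy group, far too small for real use: p = 2q + 1 with q prime,
# and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def check_private_length(length_bits: int, q: int) -> bool:
    """Model of the quoted test: a requested private-key length (in bits)
    must not exceed the bit length of q."""
    return 0 < length_bits <= q.bit_length()


def generate_private_key(q: int, length_bits: Optional[int] = None) -> int:
    """Return a private exponent x in [1, q-1], optionally capped in bits."""
    if length_bits is None:
        length_bits = q.bit_length()
    if not check_private_length(length_bits, q):
        raise ValueError(f"length {length_bits} exceeds {q.bit_length()}-bit q")
    upper = min(q, 1 << length_bits)      # exclusive upper bound for x
    return 1 + secrets.randbelow(upper - 1)


def same_public_value(x: int, p: int = P, q: int = Q, g: int = G) -> bool:
    """g has order q, so an exponent longer than q is equivalent to x mod q."""
    return pow(g, x, p) == pow(g, x % q, p)


if __name__ == "__main__":
    print(generate_private_key(Q))        # some x in [1, 1018]
    print(check_private_length(20, Q))    # False: Q has only 10 bits
    print(same_public_value(0xABCDE))     # True
```
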