author | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2019-09-09 09:59:54 +0200 |
---|---|---|
committer | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2019-09-09 13:58:03 +0200 |
commit | 1f9dc86b557dd259b636882836885d8e6714735e (patch) | |
tree | 3dec63052947cdde532395d915b47e2fb0ee541a | |
parent | 288241b6bf1ba4f07e06e83bbfdaf06f521d598b (diff) |
Change DH_generate_parameters back to order 2q subgroup
For G=2 and 5 DH_generate_parameters will continue to generate
the order 2q subgroup for compatibility with previous versions.
For G=3 DH_generate_parameters generates an order q subgroup, but it
will not pass the check in DH_check with previous OpenSSL versions.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9820)
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | crypto/dh/dh_gen.c | 8 |
2 files changed, 8 insertions, 4 deletions
@@ -50,8 +50,8 @@
 (CVE-2019-1552)
 [Richard Levitte]
 
- *) Changed DH parameters to generate the order q subgroup instead of 2q.
- Previously generated DH parameters are still accepted by DH_check
+ *) Changed DH_check to accept parameters with order q and 2q subgroups.
+ With order 2q subgroups the bit 0 of the private key is not secret
 but DH_generate_key works around that by clearing bit 0 of the
 private key for those. This avoids leaking bit 0 of the private key.
 [Bernd Edlinger]
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 1262d4e155..d293835eb2 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -53,6 +53,10 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
 * for 2, p mod 24 == 23
 * for 3, p mod 12 == 11
 * for 5, p mod 60 == 59
+ *
+ * However for compatibilty with previous versions we use:
+ * for 2, p mod 24 == 11
+ * for 5, p mod 60 == 23
 */
 static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
 BN_GENCB *cb)
@@ -83,13 +87,13 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
 if (generator == DH_GENERATOR_2) {
 if (!BN_set_word(t1, 24))
 goto err;
- if (!BN_set_word(t2, 23))
+ if (!BN_set_word(t2, 11))
 goto err;
 g = 2;
 } else if (generator == DH_GENERATOR_5) {
 if (!BN_set_word(t1, 60))
 goto err;
- if (!BN_set_word(t2, 59))
+ if (!BN_set_word(t2, 23))
 goto err;
 g = 5;
 } else { |
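Review bot: The comment lines added above dh_builtin_genparams give compatibility as the only reason for `p mod 24 == 11` and `p mod 60 == 23` and do not say what is traded away. With these residues 2 and 5 are quadratic non-residues mod p, so g generates the order-2q group and the parity of the private exponent is visible from the public key. Per the CHANGES entry in this commit, DH_generate_key compensates by clearing bit 0. I would state that in the comment, e.g. `* g then has order 2q; bit 0 of the private key is not secret and DH_generate_key clears it`, and correct the spelling `compatibilty` to `compatibility`. The comment block starts above the hunk.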
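Review bot: The literals `11` and `23` passed to `BN_set_word(t2, ...)` are the only place the order-2q choice is enforced, and nothing at those two lines says so. The generator-3 branch, which the commit message says yields an order-q subgroup, lies outside this hunk. A trailing comment on each changed line, e.g. `/* p mod 24 == 11: order 2q, kept for compatibility with previous versions */`, would keep them from being changed back to the order-q values later. The diffstat lists only CHANGES and crypto/dh/dh_gen.c, so no test in this commit pins the residues. Unless one already exists elsewhere, a DH test asserting `BN_mod_word(p, 24) == 11` for generator 2 and `BN_mod_word(p, 60) == 23` for generator 5 would cover that.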