| author | Bodo Möller <bodo@openssl.org> | 2001-07-25 17:20:34 +0000 |
|---|---|---|
| committer | Bodo Möller <bodo@openssl.org> | 2001-07-25 17:20:34 +0000 |
| commit | 6aecef815c3c989f6fa2a7b6edf2984e76306622 (patch) | |
| tree | 8bd689efdda456f6f0844f4c34c23a75c1df8285 /CHANGES | |
| parent | daba492c3a461bbcc0df69d609124936a19205f6 (diff) | |
Don't preserve existing keys in DH_generate_key.
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 31 |
1 files changed, 31 insertions, 0 deletions
@@ -12,6 +12,37 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only + *) In crypto/dh/dh_key.c, change generate_key() (the default + implementation of DH_generate_key()) so that a new key is + generated each time DH_generate_key() is used on a DH object. + + Previously, DH_generate_key() did not change existing keys + -- but ssl/s3_srvr.c always expected it to do so (in effect, + SSL_OP_SINGLE_DH_USE was ignored in servers reusing the same SSL + object for multiple connections; however, each new SSL object + created from an SSL_CTX got its own key). + [Bodo Moeller] + + *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored + dh->length and always used + + BN_rand_range(priv_key, dh->p). + + BN_rand_range() is not necessary for Diffie-Hellman, and this + specific range makes Diffie-Hellman unnecessarily inefficient if + dh->length (recommended exponent length) is much smaller than the + length of dh->p. We could use BN_rand_range() if the order of + the subgroup was stored in the DH structure, but we only have + dh->length. + + So switch back to + + BN_rand(priv_key, l, ...) + + where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1 + otherwise. + [Bodo Moeller] + *) In RSA_eay_public_encrypt |
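Review bot: In the second entry, "where 'l' is dh->length if this is defined" leaves the condition implicit; say what "defined" means (presumably dh->length != 0), because a caller that never sets dh->length silently gets the BN_num_bits(dh->p)-1 fallback, and since BN_rand(priv_key, l, ...) yields an exponent of a fixed bit length rather than a value drawn from a range as BN_rand_range(priv_key, dh->p) did, the entry should also state that a caller-supplied dh->length must still be large enough for the group it is used with. In the first entry, the change is visible to every library user (keys are no longer preserved across DH_generate_key() calls on the same DH object), so the DH_generate_key manual page should be updated together with this CHANGES text, and the parenthetical "however, each new SSL object created from an SSL_CTX got its own key" would read more clearly if it said outright that only servers reusing one SSL object for multiple connections were affected by the ignored SSL_OP_SINGLE_DH_USE.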