Change DH parameters to generate the order q subgroup instead of 2q

This avoids leaking bit 0 of the private key. Backport-of: #9363 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/9435)
author: Bernd Edlinger <bernd.edlinger@hotmail.de> 2019-07-10 15:52:36 +0200
committer: Bernd Edlinger <bernd.edlinger@hotmail.de> 2019-07-24 14:59:52 +0200
commit: ddd16c2fe988ed9fdd5118c2f2617745438fd675 (patch)
tree: 08eb4554b256062b40bbc9885edf2153c2b87fcf /CHANGES
parent: 8e747338593f3bafe9798226cddf4edf36bc2de9 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 09c17f70f4..47ea8e0978 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,12 @@
 
  Changes between 1.1.1c and 1.1.1d [xx XXX xxxx]
 
+  *) Changed DH parameters to generate the order q subgroup instead of 2q.
+     Previously generated DH parameters are still accepted by DH_check
+     but DH_generate_key works around that by clearing bit 0 of the
+     private key for those. This avoids leaking bit 0 of the private key.
+     [Bernd Edlinger]
+
   *) Revert the DEVRANDOM_WAIT feature for Linux systems
 
      The DEVRANDOM_WAIT feature added a select() call to wait for the
author	Bernd Edlinger <bernd.edlinger@hotmail.de>	2019-07-10 15:52:36 +0200
committer	Bernd Edlinger <bernd.edlinger@hotmail.de>	2019-07-24 14:59:52 +0200
commit	ddd16c2fe988ed9fdd5118c2f2617745438fd675 (patch)
tree	08eb4554b256062b40bbc9885edf2153c2b87fcf /CHANGES
parent	8e747338593f3bafe9798226cddf4edf36bc2de9 (diff)