Change DH parameters to generate the order q subgroup instead of 2q

This avoids leaking bit 0 of the private key. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/9363)
author: Bernd Edlinger <bernd.edlinger@hotmail.de> 2019-07-10 15:52:36 +0200
committer: Bernd Edlinger <bernd.edlinger@hotmail.de> 2019-07-22 20:03:27 +0200
commit: a38c878c2e5e05016bc9faa8d0828eb96efba1c2 (patch)
tree: 18485904f5e8438f97b9a4f0bac4292b527255a7 /CHANGES
parent: d4c69c69d171edb17b4d609c15891a9599809ed0 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index e517aceba9..0ad7ac8d2e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,12 @@
 
  Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
 
+  *) Changed DH parameters to generate the order q subgroup instead of 2q.
+     Previously generated DH parameters are still accepted by DH_check
+     but DH_generate_key works around that by clearing bit 0 of the
+     private key for those. This avoids leaking bit 0 of the private key.
+     [Bernd Edlinger]
+
   *) Added a new FUNCerr() macro that takes a function name.
      The macro SYSerr() is deprecated.
      [Rich Salz]
author	Bernd Edlinger <bernd.edlinger@hotmail.de>	2019-07-10 15:52:36 +0200
committer	Bernd Edlinger <bernd.edlinger@hotmail.de>	2019-07-22 20:03:27 +0200
commit	a38c878c2e5e05016bc9faa8d0828eb96efba1c2 (patch)
tree	18485904f5e8438f97b9a4f0bac4292b527255a7 /CHANGES
parent	d4c69c69d171edb17b4d609c15891a9599809ed0 (diff)