Commit 1f9dc86b authored by Bernd Edlinger's avatar Bernd Edlinger
Browse files

Change DH_generate_parameters back to order 2q subgroup 



For for G=2 and 5 DH_generate_parameters will continue to generate
the order 2q subgroup for compatibility with previous versions.

For G=3 DH_generate_parameters generates an order q subgroup, but it
will not pass the check in DH_check with previous OpenSSL versions.

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9820)
parent 288241b6

CHANGES

+2 −2
Original line number Original line Diff line number Diff line
@@ -50,8 +50,8 @@ 
     (CVE-2019-1552)

     (CVE-2019-1552)

     [Richard Levitte]

     [Richard Levitte]

















  *) Changed DH parameters to generate the order q subgroup instead of 2q.







  *) Changed DH_check to accept parameters with order q and 2q subgroups.











     Previously generated DH parameters are still accepted by DH_check







     With order 2q subgroups the bit 0 of the private key is not secret











     but DH_generate_key works around that by clearing bit 0 of the







     but DH_generate_key works around that by clearing bit 0 of the











     private key for those. This avoids leaking bit 0 of the private key.







     private key for those. This avoids leaking bit 0 of the private key.











     [Bernd Edlinger]







     [Bernd Edlinger]

































crypto/dh/dh_gen.c



+6
−2






























Original line number
Original line
Diff line number
Diff line








@@ -53,6 +53,10 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,









 * for 2, p mod 24 == 23







 * for 2, p mod 24 == 23











 * for 3, p mod 12 == 11







 * for 3, p mod 12 == 11











 * for 5, p mod 60 == 59







 * for 5, p mod 60 == 59














 *














 * However for compatibilty with previous versions we use:














 * for 2, p mod 24 == 11














 * for 5, p mod 60 == 23











 */







 */











static int dh_builtin_genparams(DH *ret, int prime_len, int generator,







static int dh_builtin_genparams(DH *ret, int prime_len, int generator,











                                BN_GENCB *cb)







                                BN_GENCB *cb)










@@ -83,13 +87,13 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,









    if (generator == DH_GENERATOR_2) {







    if (generator == DH_GENERATOR_2) {











        if (!BN_set_word(t1, 24))







        if (!BN_set_word(t1, 24))











            goto err;







            goto err;











        if (!BN_set_word(t2, 23))







        if (!BN_set_word(t2, 11))











            goto err;







            goto err;











        g = 2;







        g = 2;











    } else if (generator == DH_GENERATOR_5) {







    } else if (generator == DH_GENERATOR_5) {











        if (!BN_set_word(t1, 60))







        if (!BN_set_word(t1, 60))











            goto err;







            goto err;











        if (!BN_set_word(t2, 59))







        if (!BN_set_word(t2, 23))











            goto err;







            goto err;











        g = 5;







        g = 5;











    } else {







    } else {