Loading CHANGES +31 −0 Original line number Diff line number Diff line Loading @@ -12,6 +12,37 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only *) In crypto/dh/dh_key.c, change generate_key() (the default implementation of DH_generate_key()) so that a new key is generated each time DH_generate_key() is used on a DH object. Previously, DH_generate_key() did not change existing keys -- but ssl/s3_srvr.c always expected it to do so (in effect, SSL_OP_SINGLE_DH_USE was ignored in servers reusing the same SSL object for multiple connections; however, each new SSL object created from an SSL_CTX got its own key). [Bodo Moeller] *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored dh->length and always used BN_rand_range(priv_key, dh->p). BN_rand_range() is not necessary for Diffie-Hellman, and this specific range makes Diffie-Hellman unnecessarily inefficient if dh->length (recommended exponent length) is much smaller than the length of dh->p. We could use BN_rand_range() if the order of the subgroup was stored in the DH structure, but we only have dh->length. So switch back to BN_rand(priv_key, l, ...) where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1 otherwise. [Bodo Moeller] *) In RSA_eay_public_encrypt Loading crypto/dh/dh_key.c +10 −6 Original line number Diff line number Diff line Loading @@ -101,6 +101,7 @@ const DH_METHOD *DH_OpenSSL(void) static int generate_key(DH *dh) { int ok=0; unsigned l; BN_CTX *ctx; BN_MONT_CTX *mont; BIGNUM *pub_key=NULL,*priv_key=NULL; Loading @@ -112,9 +113,6 @@ static int generate_key(DH *dh) { priv_key=BN_new(); if (priv_key == NULL) goto err; do if (!BN_rand_range(priv_key, dh->p)) goto err; while (BN_is_zero(priv_key)); } else priv_key=dh->priv_key; Loading @@ -135,9 +133,15 @@ static int generate_key(DH *dh) } mont=(BN_MONT_CTX *)dh->method_mont_p; l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */ do { if (!BN_rand(priv_key, l, 0, 0)) goto err; if (!ENGINE_get_DH(dh->engine)->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont)) goto err; priv_key,dh->p,ctx,mont)) goto err; } while (BN_is_one(priv_key)); dh->pub_key=pub_key; dh->priv_key=priv_key; Loading doc/crypto/DH_generate_key.pod +4 −3 Original line number Diff line number Diff line Loading @@ -21,9 +21,8 @@ value to compute the shared key. DH_generate_key() expects B<dh> to contain the shared parameters B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value unless B<dh-E<gt>priv_key> is already set, and computes the corresponding public value B<dh-E<gt>pub_key>, which can then be published. B<dh-E<gt>priv_key>, and it computes the corresponding public value B<dh-E<gt>pub_key>, which can then be published. DH_compute_key() computes the shared secret from the private DH value in B<dh> and the other party's public value in B<pub_key> and stores Loading @@ -46,5 +45,7 @@ L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)> DH_generate_key() and DH_compute_key() are available in all versions of SSLeay and OpenSSL. Up to version 0.9.6b, DH_generate_key() would not generate a new key if B<dh-E<gt>priv_key> was already set. =cut Loading
CHANGES +31 −0 Original line number Diff line number Diff line Loading @@ -12,6 +12,37 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only *) In crypto/dh/dh_key.c, change generate_key() (the default implementation of DH_generate_key()) so that a new key is generated each time DH_generate_key() is used on a DH object. Previously, DH_generate_key() did not change existing keys -- but ssl/s3_srvr.c always expected it to do so (in effect, SSL_OP_SINGLE_DH_USE was ignored in servers reusing the same SSL object for multiple connections; however, each new SSL object created from an SSL_CTX got its own key). [Bodo Moeller] *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored dh->length and always used BN_rand_range(priv_key, dh->p). BN_rand_range() is not necessary for Diffie-Hellman, and this specific range makes Diffie-Hellman unnecessarily inefficient if dh->length (recommended exponent length) is much smaller than the length of dh->p. We could use BN_rand_range() if the order of the subgroup was stored in the DH structure, but we only have dh->length. So switch back to BN_rand(priv_key, l, ...) where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1 otherwise. [Bodo Moeller] *) In RSA_eay_public_encrypt Loading
crypto/dh/dh_key.c +10 −6 Original line number Diff line number Diff line Loading @@ -101,6 +101,7 @@ const DH_METHOD *DH_OpenSSL(void) static int generate_key(DH *dh) { int ok=0; unsigned l; BN_CTX *ctx; BN_MONT_CTX *mont; BIGNUM *pub_key=NULL,*priv_key=NULL; Loading @@ -112,9 +113,6 @@ static int generate_key(DH *dh) { priv_key=BN_new(); if (priv_key == NULL) goto err; do if (!BN_rand_range(priv_key, dh->p)) goto err; while (BN_is_zero(priv_key)); } else priv_key=dh->priv_key; Loading @@ -135,9 +133,15 @@ static int generate_key(DH *dh) } mont=(BN_MONT_CTX *)dh->method_mont_p; l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */ do { if (!BN_rand(priv_key, l, 0, 0)) goto err; if (!ENGINE_get_DH(dh->engine)->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont)) goto err; priv_key,dh->p,ctx,mont)) goto err; } while (BN_is_one(priv_key)); dh->pub_key=pub_key; dh->priv_key=priv_key; Loading
doc/crypto/DH_generate_key.pod +4 −3 Original line number Diff line number Diff line Loading @@ -21,9 +21,8 @@ value to compute the shared key. DH_generate_key() expects B<dh> to contain the shared parameters B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value unless B<dh-E<gt>priv_key> is already set, and computes the corresponding public value B<dh-E<gt>pub_key>, which can then be published. B<dh-E<gt>priv_key>, and it computes the corresponding public value B<dh-E<gt>pub_key>, which can then be published. DH_compute_key() computes the shared secret from the private DH value in B<dh> and the other party's public value in B<pub_key> and stores Loading @@ -46,5 +45,7 @@ L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)> DH_generate_key() and DH_compute_key() are available in all versions of SSLeay and OpenSSL. Up to version 0.9.6b, DH_generate_key() would not generate a new key if B<dh-E<gt>priv_key> was already set. =cut
