Change DH_generate_parameters back to order 2q subgroup

For for G=2 and 5 DH_generate_parameters will continue to generate the order 2q subgroup for compatibility with previous versions. For G=3 DH_generate_parameters generates an order q subgroup, but it will not pass the check in DH_check with previous OpenSSL versions. Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9820)

Change DH_generate_parameters back to order 2q subgroup
For for G=2 and 5 DH_generate_parameters will continue to generate the order 2q subgroup for compatibility with previous versions. For G=3 DH_generate_parameters generates an order q subgroup, but it will not pass the check in DH_check with previous OpenSSL versions. Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9820)
1f9dc86b · Bernd Edlinger · 288241b6 · 1f9dc86b · 1f9dc86b
隐藏空白更改
内联并排

Showing with 8 addition and 4 deletion

CHANGES CHANGES +2 -2

crypto/dh/dh_gen.c crypto/dh/dh_gen.c +6 -2

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -50,8 +50,8 @@
     (CVE-2019-1552)
     [Richard Levitte]

-  *) Changed DH parameters to generate the order q subgroup instead of 2q.
-     Previously generated DH parameters are still accepted by DH_check
+  *) Changed DH_check to accept parameters with order q and 2q subgroups.
+     With order 2q subgroups the bit 0 of the private key is not secret
     but DH_generate_key works around that by clearing bit 0 of the
     private key for those. This avoids leaking bit 0 of the private key.
     [Bernd Edlinger]

--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -53,6 +53,10 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
 * for 2, p mod 24 == 23
 * for 3, p mod 12 == 11
 * for 5, p mod 60 == 59
+ *
+ * However for compatibilty with previous versions we use:
+ * for 2, p mod 24 == 11
+ * for 5, p mod 60 == 23
 */
 static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
                                BN_GENCB *cb)
@@ -83,13 +87,13 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
    if (generator == DH_GENERATOR_2) {
        if (!BN_set_word(t1, 24))
            goto err;
-        if (!BN_set_word(t2, 23))
+        if (!BN_set_word(t2, 11))
            goto err;
        g = 2;
    } else if (generator == DH_GENERATOR_5) {
        if (!BN_set_word(t1, 60))
            goto err;
-        if (!BN_set_word(t2, 59))
+        if (!BN_set_word(t2, 23))
            goto err;
        g = 5;
    } else {