[openssl] OpenSSL_1_1_1-stable update

bernd.edlinger at hotmail.de bernd.edlinger at hotmail.de
Mon Sep 9 12:03:35 UTC 2019 

The branch OpenSSL_1_1_1-stable has been updated
       via  1f9dc86b557dd259b636882836885d8e6714735e (commit)
      from  288241b6bf1ba4f07e06e83bbfdaf06f521d598b (commit)


- Log -----------------------------------------------------------------
commit 1f9dc86b557dd259b636882836885d8e6714735e
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Mon Sep 9 09:59:54 2019 +0200

    Change DH_generate_parameters back to order 2q subgroup
    
    For for G=2 and 5 DH_generate_parameters will continue to generate
    the order 2q subgroup for compatibility with previous versions.
    
    For G=3 DH_generate_parameters generates an order q subgroup, but it
    will not pass the check in DH_check with previous OpenSSL versions.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/9820)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES            | 4 ++--
 crypto/dh/dh_gen.c | 8 ++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index f422f5025e..1b9299fba7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -50,8 +50,8 @@
      (CVE-2019-1552)
      [Richard Levitte]
 
-  *) Changed DH parameters to generate the order q subgroup instead of 2q.
-     Previously generated DH parameters are still accepted by DH_check
+  *) Changed DH_check to accept parameters with order q and 2q subgroups.
+     With order 2q subgroups the bit 0 of the private key is not secret
      but DH_generate_key works around that by clearing bit 0 of the
      private key for those. This avoids leaking bit 0 of the private key.
      [Bernd Edlinger]
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 1262d4e155..d293835eb2 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -53,6 +53,10 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
  * for 2, p mod 24 == 23
  * for 3, p mod 12 == 11
  * for 5, p mod 60 == 59
+ *
+ * However for compatibilty with previous versions we use:
+ * for 2, p mod 24 == 11
+ * for 5, p mod 60 == 23
  */
 static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
                                 BN_GENCB *cb)
@@ -83,13 +87,13 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
     if (generator == DH_GENERATOR_2) {
         if (!BN_set_word(t1, 24))
             goto err;
-        if (!BN_set_word(t2, 23))
+        if (!BN_set_word(t2, 11))
             goto err;
         g = 2;
     } else if (generator == DH_GENERATOR_5) {
         if (!BN_set_word(t1, 60))
             goto err;
-        if (!BN_set_word(t2, 59))
+        if (!BN_set_word(t2, 23))
             goto err;
         g = 5;
     } else {

More information about the openssl-commits mailing list