Don't preserve existing keys in DH_generate_key.

diff --git a/CHANGES b/CHANGES
index 8cbb473650a80035353cc68479667a0220b383ef..feeb46e9b286ca54d6e54a3a7de4d5557963007a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,37 @@
          *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
          +) applies to 0.9.7 only
 
          *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
          +) applies to 0.9.7 only
 

+  *) In crypto/dh/dh_key.c, change generate_key() (the default
+     implementation of DH_generate_key()) so that a new key is
+     generated each time DH_generate_key() is used on a DH object.
+
+     Previously, DH_generate_key() did not change existing keys
+     -- but ssl/s3_srvr.c always expected it to do so (in effect,
+     SSL_OP_SINGLE_DH_USE was ignored in servers reusing the same SSL
+     object for multiple connections; however, each new SSL object
+     created from an SSL_CTX got its own key).
+     [Bodo Moeller]
+
+  *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
+     dh->length and always used
+
+          BN_rand_range(priv_key, dh->p).
+
+     BN_rand_range() is not necessary for Diffie-Hellman, and this
+     specific range makes Diffie-Hellman unnecessarily inefficient if
+     dh->length (recommended exponent length) is much smaller than the
+     length of dh->p.  We could use BN_rand_range() if the order of
+     the subgroup was stored in the DH structure, but we only have
+     dh->length.
+
+     So switch back to
+
+          BN_rand(priv_key, l, ...)
+
+     where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
+     otherwise.
+     [Bodo Moeller]
+

   *) In
 
           RSA_eay_public_encrypt
   *) In
 
           RSA_eay_public_encrypt

diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 91af882e43356860459ddd4a91e6025c405b74c2..718a9a481e7e8d4c1bab3e1127ad6dd052af15e4 100644 (file)
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -101,6 +101,7 @@ const DH_METHOD *DH_OpenSSL(void)
 static int generate_key(DH *dh)
        {
        int ok=0;
 static int generate_key(DH *dh)
        {
        int ok=0;

+       unsigned l;

        BN_CTX *ctx;
        BN_MONT_CTX *mont;
        BIGNUM *pub_key=NULL,*priv_key=NULL;
        BN_CTX *ctx;
        BN_MONT_CTX *mont;
        BIGNUM *pub_key=NULL,*priv_key=NULL;


@@ -112,9 +113,6 @@ static int generate_key(DH *dh)
                {
                priv_key=BN_new();
                if (priv_key == NULL) goto err;
                {
                priv_key=BN_new();
                if (priv_key == NULL) goto err;

-               do
-                       if (!BN_rand_range(priv_key, dh->p)) goto err;
-               while (BN_is_zero(priv_key));

                }
        else
                priv_key=dh->priv_key;
                }
        else
                priv_key=dh->priv_key;


@@ -135,9 +133,15 @@ static int generate_key(DH *dh)
                }
        mont=(BN_MONT_CTX *)dh->method_mont_p;
 
                }
        mont=(BN_MONT_CTX *)dh->method_mont_p;
 

-       if (!ENGINE_get_DH(dh->engine)->bn_mod_exp(dh, pub_key, dh->g,
-                               priv_key,dh->p,ctx,mont))
-               goto err;
+       l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
+
+       do
+               {
+               if (!BN_rand(priv_key, l, 0, 0)) goto err;
+               if (!ENGINE_get_DH(dh->engine)->bn_mod_exp(dh, pub_key, dh->g,
+                       priv_key,dh->p,ctx,mont)) goto err;
+               }
+       while (BN_is_one(priv_key));

                
        dh->pub_key=pub_key;
        dh->priv_key=priv_key;
                
        dh->pub_key=pub_key;
        dh->priv_key=priv_key;

diff --git a/doc/crypto/DH_generate_key.pod b/doc/crypto/DH_generate_key.pod
index 920995b2e5aa5eede09bf46eeb9ad6c8b4613d83..d376dc9f2fe0d92ae66471ce23d9dfc173ea5561 100644 (file)
--- a/doc/crypto/DH_generate_key.pod
+++ b/doc/crypto/DH_generate_key.pod
@@ -21,9 +21,8 @@ value to compute the shared key.
 
 DH_generate_key() expects B<dh> to contain the shared parameters
 B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value
 
 DH_generate_key() expects B<dh> to contain the shared parameters
 B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value

-unless B<dh-E<gt>priv_key> is already set, and computes the
-corresponding public value B<dh-E<gt>pub_key>, which can then be
-published.
+B<dh-E<gt>priv_key>, and it computes the corresponding public value
+B<dh-E<gt>pub_key>, which can then be published.

 
 DH_compute_key() computes the shared secret from the private DH value
 in B<dh> and the other party's public value in B<pub_key> and stores
 
 DH_compute_key() computes the shared secret from the private DH value
 in B<dh> and the other party's public value in B<pub_key> and stores


@@ -46,5 +45,7 @@ L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
 
 DH_generate_key() and DH_compute_key() are available in all versions
 of SSLeay and OpenSSL.
 
 DH_generate_key() and DH_compute_key() are available in all versions
 of SSLeay and OpenSSL.

+Up to version 0.9.6b, DH_generate_key() would not generate a new
+key if B<dh-E<gt>priv_key> was already set.

 
 =cut
 
 =cut