diff options
| author | Tomas Mraz <tomas@openssl.org> | 2022-06-06 10:22:00 +0200 |
|---|---|---|
| committer | Hugo Landau <hlandau@openssl.org> | 2022-07-18 08:06:17 +0100 |
| commit | ddb13b283be84d771deba1e964610b1670641f03 (patch) | |
| tree | bb021170034f9fcbafbbfd8e46a48b7884aa3d9d /crypto/dh | |
| parent | 358103b4a651ab3f392f088d86cd30469dccce2e (diff) | |
| download | openssl-new-ddb13b283be84d771deba1e964610b1670641f03.tar.gz | |
Use as small dh key size as possible to support the security
Longer private key sizes unnecessarily raise the cycles needed to
compute the shared secret without any increase of the real security.
We use minimum key sizes as defined in RFC7919.
For arbitrary parameters we cannot know whether they are safe
primes (we could test but that would be too inefficient) we have
to keep generating large keys.
However we now set a small dh->length when we are generating safe prime
parameters because we know it is safe to use small keys with them.
That means users need to regenerate the parameters if they
want to take the performance advantage of small private key.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18480)
Diffstat (limited to 'crypto/dh')
| -rw-r--r-- | crypto/dh/dh_gen.c | 4 | ||||
| -rw-r--r-- | crypto/dh/dh_group_params.c | 5 |
2 files changed, 7 insertions, 2 deletions
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c index 66d1f94bc0..628410c0d3 100644 --- a/crypto/dh/dh_gen.c +++ b/crypto/dh/dh_gen.c @@ -28,6 +28,7 @@ #include <openssl/bn.h> #include <openssl/sha.h> #include "crypto/dh.h" +#include "crypto/security_bits.h" #include "dh_local.h" #ifndef FIPS_MODULE @@ -219,6 +220,9 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, goto err; if (!BN_set_word(ret->params.g, g)) goto err; + /* We are using safe prime p, set key length equivalent to RFC 7919 */ + ret->length = (2 * ossl_ifc_ffc_compute_security_bits(prime_len) + + 24) / 25 * 25; ret->dirty_cnt++; ok = 1; err: diff --git a/crypto/dh/dh_group_params.c b/crypto/dh/dh_group_params.c index 3f843fe956..460bd8f009 100644 --- a/crypto/dh/dh_group_params.c +++ b/crypto/dh/dh_group_params.c @@ -31,7 +31,7 @@ static DH *dh_param_init(OSSL_LIB_CTX *libctx, const DH_NAMED_GROUP *group) if (dh == NULL) return NULL; - ossl_ffc_named_group_set_pqg(&dh->params, group); + ossl_ffc_named_group_set(&dh->params, group); dh->params.nid = ossl_ffc_named_group_get_uid(group); dh->dirty_cnt++; return dh; @@ -72,8 +72,9 @@ void ossl_dh_cache_named_group(DH *dh) dh->params.g)) != NULL) { if (dh->params.q == NULL) dh->params.q = (BIGNUM *)ossl_ffc_named_group_get_q(group); - /* cache the nid */ + /* cache the nid and default key length */ dh->params.nid = ossl_ffc_named_group_get_uid(group); + dh->params.keylength = ossl_ffc_named_group_get_keylength(group); dh->dirty_cnt++; } } |