New function DSA_dup_DH, and fixes for bugs that were found

while implementing and using it.

CHANGES

@@ -4,6 +4,27 @@
 
  Changes between 0.9.3a and 0.9.4  [xx Aug 1999]
 
+  *) New function DSA_dup_DH, which duplicates DSA parameters/keys as
+     DH parameters/keys (q is lost during that conversion, but the resulting
+     DH parameters contain its length).
+
+     For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
+     much faster than DH_generate_parameters (which creates parameters
+     where p = 2*q + 1), and also the smaller q makes DH computations
+     much more efficient (160-bit exponentiation instead of 1024-bit
+     exponentiation); so this provides a convenient way to support DHE
+     ciphersuites in SSL/TLS servers (see ssl/ssltest.c).  It is of
+     utter importance to use
+         SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
+     or
+         SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
+     when such DH parameters are used, because otherwise small subgroup
+     attacks may become possible!
+     [Bodo Moeller]
+
+  *) Avoid memory leak in i2d_DHparams.
+     [Bodo Moeller]
+
   *) Allow the -k option to be used more than once in the enc program:
      this allows the same encrypted message to be read by multiple recipients.
      [Steve Henson]

Makefile.org

@@ -180,7 +180,7 @@ all: Makefile.ssl
 	(cd $$i && echo "making all in $$i..." && \
 	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
 	done;
-	cd perl; $(PERL) Makefile.PL; make
+	# cd perl; $(PERL) Makefile.PL; make
 
 sub_all:
 	@for i in $(DIRS) ;\

STATUS

@@ -1,6 +1,6 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 1999/08/05 00:15:15 $
+  ______________                           $Date: 1999/08/05 11:50:09 $
 
   DEVELOPMENT STATE
 
@@ -120,5 +120,4 @@
 
   WISHES
 
-    o Support optional q component in DH parameters to speed up
+    o 
-      SSL ciphersuites with ephemeral DH.

crypto/asn1/Makefile.ssl

@@ -346,9 +346,10 @@ d2i_dhp.o: ../../include/openssl/stack.h ../cryptlib.h
 d2i_dsap.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 d2i_dsap.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 d2i_dsap.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-d2i_dsap.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+d2i_dsap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_dsap.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+d2i_dsap.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-d2i_dsap.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+d2i_dsap.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_dsap.o: ../../include/openssl/opensslconf.h
 d2i_dsap.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 d2i_dsap.o: ../../include/openssl/stack.h ../cryptlib.h
 d2i_pr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -402,17 +403,19 @@ d2i_r_pu.o: ../cryptlib.h
 d2i_s_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 d2i_s_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 d2i_s_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-d2i_s_pr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+d2i_s_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_s_pr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+d2i_s_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-d2i_s_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+d2i_s_pr.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_s_pr.o: ../../include/openssl/opensslconf.h
 d2i_s_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 d2i_s_pr.o: ../../include/openssl/stack.h ../cryptlib.h
 d2i_s_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 d2i_s_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 d2i_s_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-d2i_s_pu.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+d2i_s_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_s_pu.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+d2i_s_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-d2i_s_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+d2i_s_pu.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_s_pu.o: ../../include/openssl/opensslconf.h
 d2i_s_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 d2i_s_pu.o: ../../include/openssl/stack.h ../cryptlib.h
 evp_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
@@ -454,9 +457,9 @@ i2d_dhp.o: ../cryptlib.h
 i2d_dsap.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 i2d_dsap.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 i2d_dsap.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-i2d_dsap.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+i2d_dsap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_dsap.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+i2d_dsap.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-i2d_dsap.o: ../../include/openssl/opensslconf.h
+i2d_dsap.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 i2d_dsap.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 i2d_dsap.o: ../../include/openssl/stack.h ../cryptlib.h
 i2d_pr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -510,17 +513,19 @@ i2d_r_pu.o: ../cryptlib.h
 i2d_s_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 i2d_s_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 i2d_s_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-i2d_s_pr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+i2d_s_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_s_pr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+i2d_s_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-i2d_s_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+i2d_s_pr.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+i2d_s_pr.o: ../../include/openssl/opensslconf.h
 i2d_s_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 i2d_s_pr.o: ../../include/openssl/stack.h ../cryptlib.h
 i2d_s_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 i2d_s_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 i2d_s_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-i2d_s_pu.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+i2d_s_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_s_pu.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+i2d_s_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-i2d_s_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+i2d_s_pu.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+i2d_s_pu.o: ../../include/openssl/opensslconf.h
 i2d_s_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 i2d_s_pu.o: ../../include/openssl/stack.h ../cryptlib.h
 n_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h

crypto/asn1/i2d_dhp.c

@@ -94,7 +94,12 @@ int i2d_DHparams(DH *a, unsigned char **pp)
 		}
 
 	t=ASN1_object_size(1,tot,V_ASN1_SEQUENCE);
-	if (pp == NULL) return(t);
+	if (pp == NULL)
+		{
+		if (num[2] != NULL)
+			BN_free(num[2]);
+		return(t);
+		}
 
 	p= *pp;
 	ASN1_put_object(&p,1,tot,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);

crypto/dh/dh_gen.c

@@ -92,6 +92,7 @@ DH *DH_generate_parameters(int prime_len, int generator,
 	BN_CTX *ctx=NULL;
 
 	ret=DH_new();
+	if (ret == NULL) goto err;
 	ctx=BN_CTX_new();
 	if (ctx == NULL) goto err;
 	t1= &(ctx->bn[0]);

crypto/dsa/Makefile.ssl

@@ -81,47 +81,53 @@ clean:
 dsa_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 dsa_asn1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dsa_asn1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_asn1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_asn1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_asn1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-dsa_asn1.o: ../../include/openssl/opensslconf.h
+dsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 dsa_asn1.o: ../../include/openssl/stack.h ../cryptlib.h
-dsa_err.o: ../../include/openssl/bn.h ../../include/openssl/dsa.h
+dsa_err.o: ../../include/openssl/bn.h ../../include/openssl/dh.h
-dsa_err.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_err.o: ../../include/openssl/dsa.h ../../include/openssl/err.h
+dsa_err.o: ../../include/openssl/opensslconf.h
 dsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dsa_gen.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_gen.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_gen.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_gen.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-dsa_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_gen.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-dsa_gen.o: ../../include/openssl/rand.h ../../include/openssl/sha.h
+dsa_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dsa_gen.o: ../../include/openssl/stack.h ../cryptlib.h
+dsa_gen.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+dsa_gen.o: ../cryptlib.h
 dsa_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dsa_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_key.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-dsa_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_key.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-dsa_key.o: ../../include/openssl/rand.h ../../include/openssl/sha.h
+dsa_key.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dsa_key.o: ../../include/openssl/stack.h ../cryptlib.h
+dsa_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+dsa_key.o: ../cryptlib.h
 dsa_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 dsa_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dsa_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
+dsa_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dsa_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-dsa_lib.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dsa_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+dsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dsa_lib.o: ../../include/openssl/stack.h ../cryptlib.h
+dsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_lib.o: ../cryptlib.h
 dsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 dsa_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
+dsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dsa_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_sign.o: ../../include/openssl/opensslconf.h
 dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
 dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dsa_sign.o: ../cryptlib.h
 dsa_vrf.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 dsa_vrf.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_vrf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_vrf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_vrf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_vrf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-dsa_vrf.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dsa_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dsa_vrf.o: ../../include/openssl/stack.h ../cryptlib.h
+dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_vrf.o: ../cryptlib.h

crypto/dsa/dsa.h

@@ -74,6 +74,9 @@ extern "C" {
 #endif
 
 #include <openssl/bn.h>
+#ifndef NO_DH
+# include <openssl/dh.h>
+#endif
 
 #define DSA_FLAG_CACHE_MONT_P	0x01
 
@@ -162,6 +165,12 @@ int	DSA_print_fp(FILE *bp, DSA *x, int off);
 
 int DSA_is_prime(BIGNUM *q,void (*callback)(),char *cb_arg);
 
+#ifndef NO_DH
+/* Convert DSA structure (key or just parameters) into DH structure
+ * (be careful to avoid small subgroup attacks when using this!) */
+DH *DSA_dup_DH(DSA *r);
+#endif
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.

crypto/dsa/dsa_lib.c

@@ -145,3 +145,40 @@ int DSA_size(DSA *r)
 	return(ret);
 	}
 
+#ifndef NO_DH
+DH *DSA_dup_DH(DSA *r)
+	{
+	/* DSA has p, q, g, optional pub_key, optional priv_key.
+	 * DH has p, optional length, g, optional pub_key, optional priv_key.
+	 */ 
+
+	DH *ret;
+
+	if (r == NULL)
+		goto err;
+	ret = DH_new();
+	if (ret == NULL)
+		goto err;
+	if (r->p != NULL) 
+		if ((ret->p = BN_dup(r->p)) == NULL)
+			goto err;
+	if (r->q != NULL)
+		ret->length = BN_num_bits(r->q);
+	if (r->g != NULL)
+		if ((ret->g = BN_dup(r->g)) == NULL)
+			goto err;
+	if (r->pub_key != NULL)
+		if ((ret->pub_key = BN_dup(r->pub_key)) == NULL)
+			goto err;
+	if (r->priv_key != NULL)
+		if ((ret->priv_key = BN_dup(r->priv_key)) == NULL)
+			goto err;
+
+	return ret;
+
+ err:
+	if (ret != NULL)
+		DH_free(ret);
+	return NULL;
+	}
+#endif

ssl/ssltest.c

@@ -119,6 +119,9 @@ static void sv_usage(void)
 	fprintf(stderr," -reuse        - use session-id reuse\n");
 	fprintf(stderr," -num <val>    - number of connections to perform\n");
 	fprintf(stderr," -bytes <val>  - number of bytes to swap between client/server\n");
+#if !defined NO_DH && !defined NO_DSA
+	fprintf(stderr," -dhe1024      - generate 1024 bit key for DHE\n");
+#endif
 #ifndef NO_SSL2
 	fprintf(stderr," -ssl2         - use SSLv2\n");
 #endif
@@ -156,6 +159,7 @@ int main(int argc, char *argv[])
 	int number=1,reuse=0;
 	long bytes=1L;
 	SSL_CIPHER *ciph;
+	int dhe1024 = 0;
 #ifndef NO_DH
 	DH *dh;
 #endif
@@ -180,6 +184,8 @@ int main(int argc, char *argv[])
 			debug=1;
 		else if	(strcmp(*argv,"-reuse") == 0)
 			reuse=1;
+		else if	(strcmp(*argv,"-dhe1024") == 0)
+			dhe1024=1;
 		else if	(strcmp(*argv,"-ssl2") == 0)
 			ssl2=1;
 		else if	(strcmp(*argv,"-tls1") == 0)
@@ -305,7 +311,29 @@ bad:
 		}
 
 #ifndef NO_DH
-	dh=get_dh512();
+# ifndef NO_DSA
+	if (dhe1024) 
+		{
+		DSA *dsa;
+
+		if (verbose)
+			{
+			fprintf(stdout, "Creating 1024 bit DHE parameters ...");
+			fflush(stdout);
+			}
+
+		dsa = DSA_generate_parameters(1024, NULL, 0, NULL, NULL, 0, NULL);
+		dh = DSA_dup_DH(dsa);	
+		DSA_free(dsa);
+		/* important: SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
+		SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
+
+		if (verbose)
+			fprintf(stdout, " done\n");
+		}
+	else
+# endif
+		dh=get_dh512();
 	SSL_CTX_set_tmp_dh(s_ctx,dh);
 	DH_free(dh);
 #endif

test/Makefile.ssl

@@ -327,10 +327,10 @@ dhtest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 dhtest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 dhtest.o: ../include/openssl/stack.h
 dsatest.o: ../include/openssl/bio.h ../include/openssl/bn.h
-dsatest.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
+dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
-dsatest.o: ../include/openssl/err.h ../include/openssl/opensslconf.h
+dsatest.o: ../include/openssl/dsa.h ../include/openssl/err.h
-dsatest.o: ../include/openssl/opensslv.h ../include/openssl/rand.h
+dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-dsatest.o: ../include/openssl/stack.h
+dsatest.o: ../include/openssl/rand.h ../include/openssl/stack.h
 exptest.o: ../include/openssl/bio.h ../include/openssl/bn.h
 exptest.o: ../include/openssl/crypto.h ../include/openssl/err.h
 exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h