Fix dh_rfc5114 option in genpkey. #14883
285657e to 31df095
Just minor nits, otherwise I like this very much.
Fixes openssl#14145
Fixes openssl#13956
Fixes openssl#13952
Fixes openssl#13871
Fixes openssl#14054
Fixes openssl#14444

Updated documentation for app to indicate what options are available for DH and DHX keys.
DH and DHX now have different keymanager gen_set_params() methods.
Added CHANGES entry to indicate the breaking change.
Quite a few changes in the last 3 commits - had to rebase to update the commit message.
This errors in the setparams if bad parameters are passed in. If we don't do this then potentially it would do something different from what was expected.
The CI failures are relevant.
(Except for the external-tests, that is a different thing)
@@ -113,9 +113,7 @@ const DH_NAMED_GROUP *ossl_ffc_numbers_to_dh_named_group(const BIGNUM *p, | |||
if (BN_cmp(p, dh_named_groups[i].p) == 0 | |||
&& BN_cmp(g, dh_named_groups[i].g) == 0 | |||
/* Verify q is correct if it exists */ | |||
&& ((q != NULL && BN_cmp(q, dh_named_groups[i].q) == 0) | |||
/* Do not match RFC 5114 groups without q */ | |||
|| (q == NULL && dh_named_groups[i].uid > 3))) |
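Review bot: the `q == NULL` branch at the end of this condition uses the magic number `uid > 3` to stand for "not an RFC 5114 group", which depends on the ordering of uids in dh_named_groups and is not documented at the point of use. If any form of this exclusion is kept, it should use a named constant or a per-group flag instead. If the branch is dropped, a NULL q matches on p and g alone, so the remaining condition should still compare q whenever it is supplied, and a test that loads an RFC 5114 group with and without q and checks the resulting named group would be worth including.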
NOTE - this line was a hack to fix a decoder test issue - the root cause was fixed so this is no longer needed. This allows RFC5114 to be able to be loaded correctly as a named group. (The original problem was that the DH asn1 callback was not setting the nid - but it was for DHX asn1)
A few more minor nits otherwise LGTM
NITS addressed
Great work!
This pull request is ready to merge
Fix dh_rfc5114 option in genpkey.

Fixes #14145
Fixes #13956
Fixes #13952
Fixes #13871
Fixes #14054
Fixes #14444

Updated documentation for app to indicate what options are available for DH and DHX keys.
DH and DHX now have different keymanager gen_set_params() methods.
Added CHANGES entry to indicate the breaking change.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #14883)
Merged to master. I've added a new title line of the commit message as the original one did not really cover all the changes. Thank you for the contribution, Shane!
Updated documentation for app to indicate what options are available for
DH and DHX keys. Added CHANGES entry to indicate the breaking change.