AWS-LC is a general-purpose cryptographic library maintained by the AWS Cryptography team for AWS and their customers. It іs based on code from the Google BoringSSL project and the OpenSSL project.
Previously, DH_check allowed only primes with certain
properties when the generator was equal to 2 or 5. We remove
this requirement to:
be more consistent with OpenSSL that doesn't have these
checks. As a consequence, it was possible to generate DH
parameters with OpenSSL that wouldn't pass AWS-LC DH_check.
not break customers who use one of the standard DH groups
from RFC's 3526 and 7919 and call DH_check on it (like s2n-tls).
Call-outs:
Point out areas that need special attention or support during the review process. Discuss architecture or design changes.
Testing:
How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
Issues:
CryptoAlg-2490
Description of changes:
Previously,
DH_check
allowed only primes with certain properties when the generator was equal to 2 or 5. We remove this requirement to:DH_check
.DH_check
on it (like s2n-tls).Call-outs:
Point out areas that need special attention or support during the review process. Discuss architecture or design changes.
Testing:
How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.