Problem description
According to this documentation: https://wiki.openssl.org/index.php/Diffie_Hellman#Using_the_Low_Level_APIs
Using the low-level APIs for Diffie Hellman (need to perform a group key agreement).
For simplicity I need to provide fixed values for the Diffie Hellman p and g values. For now I use the function DH_generate_parameters_ex, but any solution using these options may add a communication overhead, and there are fixed values for p and g for Diffie Hellman offering good security.
So using the approach convention over configuration, how can I set fixed values, especially the ones specified in this RFC, to the openssl low-level API for Diffie Hellman instead of generating ones on the fly?
PS I use the OpenSSL version 1.0.2g.
Recommended answer
The (outer) primes for the RFC3526 and RFC2409 groups are builtin, per this man page, openssl.org/docs/man1.1.0/man3/DH_get_1024_160.html (should also be on your system under those names if 1.1.0+) -- they are actually in the code back to before 1.0.0 but without the BN_ prefix (though in the bn.h header) and previously undocumented. (In 1.1.0+ the old names are additionally #define'd if compatibility is set.)
AFAICS you must add the generator yourself, something like:
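#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/opensslv.h>

DH *dh = DH_new(); BIGNUM *two = BN_new();
if( !dh || !two ) /* error */;
BN_set_word(two,2);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
// corrected AGAIN!
// 1.1.0+: DH is opaque; the setter takes ownership of the BIGNUMs.
// The getter already returns a new BIGNUM when passed NULL, so no BN_dup (it would leak).
DH_set0_pqg (dh, BN_get_rfc3526_prime_2048(NULL), NULL, two);
#else
// added: below 1.1.0 many API structs were not opaque, just assign the fields
dh->p = /*not BN_*/ get_rfc3526_prime_2048(NULL);
dh->g = two;
#endif
// leave q as unspecified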
Note RFC5114 modp parameters are available prebuilt in DH* form but only in 1.1.0+.