Hi Viktor,

If you perform BN_mod_exp you will find that mathematically the public key is 
correct.  I suppose there is a 1 in 256 chance that the high order byte would 
be 0, so that explains your result of it happening when you do large numbers of 
such operations.

BTW, you can also use BN_rand instead of RAND_bytes to avoid the conversion...

  Regards,
  Erik

....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development


-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Viktor Krikun
Sent: Wednesday, March 02, 2011 6:53 AM
To: openssl-users@openssl.org
Subject: DH_generate_key issue

Hello, guys! I'm new to OpenSSL so sorry in advance if I get something wrong.

I'm using OpenSSL Diffie-Hellman key exchange in my project. In 'normal' mode
it works just perfectly, but during stress-testing I have discovered "strange"
behavior: I sequentially start X00 DH calculations and it randomly fails to
generate the public key correctly. This is my test case:

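#include <stdio.h>
#include <check.h>
#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/rand.h>

/* g_p3072data (the 3072-bit prime as big-endian bytes) is not shown in the post. */
START_TEST(openssl_dh_stress) {
    BIGNUM    *g_p3072 = NULL;
    unsigned i;

    g_p3072 = BN_bin2bn(g_p3072data, sizeof(g_p3072data), NULL);
    ck_assert(NULL != g_p3072);

    for (i=0; i<400; i++) {
        int ssl_res;
        unsigned char random_bytes[64];
        DH *tmp_ctx = NULL;

        tmp_ctx = DH_new();
        ck_assert(NULL != tmp_ctx);

        /* Direct member access: compiles only against OpenSSL before 1.1.0 */
        tmp_ctx->p = BN_dup(g_p3072);
        tmp_ctx->g = BN_new();
        BN_set_word(tmp_ctx->g, DH_GENERATOR_2);

        /* 256-bit private exponent supplied by the caller */
        ck_assert_int_eq(1, RAND_bytes(random_bytes, 256/8));
        tmp_ctx->priv_key = BN_bin2bn(random_bytes, 256/8, NULL);

        /* Computes pub_key from the priv_key set above */
        ssl_res = DH_generate_key(tmp_ctx);
        ck_assert_int_eq(1, ssl_res);

        /* Minimal byte length of the public value */
        unsigned pub_key_size = BN_num_bytes(tmp_ctx->pub_key);
        if (pub_key_size != 3072/8) {
            printf("FAILURE. DH 3K, %u-s iteration failed to compute correct PV length.\n", i);
        }
        ck_assert_int_eq(pub_key_size, 3072/8);

        DH_free(tmp_ctx);
    }

    BN_free(g_p3072);
}
END_TEST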

OpenSSL randomly produces pub_key_size == 383 bytes (it affects the rest
of the calculations later in the sources). It's not reproducible with 1, 10
or 50 iterations, but when i >= 200 it's 100% reproducible.

I have briefly reviewed the OpenSSL DH key generation sources and couldn't
find anything that looks strange.  Empirically I discovered that the
problem disappears when I comment out "RAND_bytes(random_bytes,
256/8);", but still assign the private key manually to prevent OpenSSL from
generating it automatically.

I'm using a single-threaded environment.
I tried different versions of OpenSSL on OSX, Linux and OpenBSD - the same 
behavior.

Have you ever experienced a similar problem in your projects? Am I
doing something wrong?

Thanks in advance for your help!

-- 
Kind Regards,
Viktor

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
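
An added illustration, not part of the original thread and not OpenSSL code, of the behaviour discussed above: a public value that is mathematically correct can still have a shorter minimal encoding than the modulus, so it should be serialised at a fixed width. It uses a constructed 16-bit toy group so that it runs without OpenSSL; the toy prime, the generator and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy group: 65521 is the largest prime below 2^16 (2 bytes). */
#define TOY_P 65521u
#define TOY_G 2u
#define TOY_WIDTH 2u

/* g^x mod p, square-and-multiply; p < 2^16 keeps every product in 32 bits. */
static uint32_t mod_exp(uint32_t g, uint32_t x, uint32_t p) {
    uint32_t r = 1;
    for (g %= p; x; x >>= 1) {
        if (x & 1) r = r * g % p;
        g = g * g % p;
    }
    return r;
}

/* Minimal big-endian length, the quantity BN_num_bytes() reports. */
static size_t min_be_len(uint32_t v) {
    size_t n = 0;
    for (; v; v >>= 8) n++;
    return n;
}

/* Big-endian, zero-padded on the left to width bytes; -1 if v does not fit. */
static int encode_fixed(uint32_t v, unsigned char *out, size_t width) {
    size_t len = min_be_len(v);
    if (len > width) return -1;
    memset(out, 0, width);
    for (size_t i = 0; i < len; i++)
        out[width - 1 - i] = (unsigned char)(v >> (8 * i));
    return 0;
}

/* Count private exponents in [1, p-2] whose public value is shorter than p. */
static unsigned count_short(void) {
    unsigned n = 0;
    for (uint32_t x = 1; x < TOY_P - 1; x++)
        n += min_be_len(mod_exp(TOY_G, x, TOY_P)) < TOY_WIDTH;
    return n;
}

int main(void) {
    unsigned char buf[TOY_WIDTH];
    encode_fixed(mod_exp(TOY_G, 16, TOY_P), buf, sizeof buf); /* 2^16 mod p = 15 */
    printf("fixed=%02x%02x short=%u\n", buf[0], buf[1], count_short());
    return 0;
}
```

With OpenSSL itself the same left-padding is done by BN_bn2binpad (1.1.0 and later), or by zero-filling the buffer and calling BN_bn2bin at an offset of the modulus size minus BN_num_bytes(pub_key).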