RE: DH_generate_key

Dear openssl team,

 

While migrating from 1.0.2 to 3.0, we found that DH_generate_key() has been deprecated. And as per the man page, it is advised to use EVP_PKEY_derive_init & EVP_PKEY_derive.

Our application creates a new DH and, using DH_generate_key(), creates pub_key/priv_key and uses it. How can we replace this exactly with EVP?

And please suggest what EVP APIs we should use to generate pub/priv keys?

 

Application code

    dh = DH_new();
    dh->p = BN_bin2bn(modSize, octet_len, NULL);
    dh->g = BN_bin2bn(H235Bits_generator, H235Bits_generator_len / 8, NULL);

    if ( ! DH_generate_key(dh) )
    {
        return FAILURE;
    }
    n = (unsigned) BN_num_bytes(dh->pub_key);

    BN_bn2bin(dh->pub_key, p);
    n = (unsigned) BN_num_bytes(dh->priv_key);

Instead of the above logic, can we do this? Does derive generate pub/priv keys?

The man page in section 7 (EVP_PKEY_DH) has examples for generating using safe primes or using probable primes.  Seems better since you don’t have to use the BN API anymore, but a little more complicated because you have to call OSSL_PARAM_construct_xxx for parameters and assign them to an array.

 

From there, you can use EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, and EVP_PKEY_derive to get your shared secret.  See apps/speed.c in the OSSL3 source code for an example.  Look for the text EVP_PKEY_DH

