Bug #73863 DH key generation in enterprise encryption not usable
Submitted: 9 Sep 2014 16:03 Modified: 25 Sep 2014 14:30
Reporter: Georgi Kodinov Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S1 (Critical)
Version:5.6 OS:Any
Assigned to: CPU Architecture:Any

[9 Sep 2014 16:03] Georgi Kodinov
Description:
The Diffie-Hellman functions as coded in openssl_udf are not usable.

http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange states that both parties must "agree to use a prime number p = 23 and base g = 5". In openssl this is the result of executing DH_generate_parameters().

But the current DH implementation does not store or restore these parameters across key generations so that no two generated key pairs are "compatible".

How to repeat:
see above

Suggested fix:
Add an extra optional parameter to the create_asymmetric_priv_key() function to hold the DH parameters (in the same format as e.g. generated by "openssl gendh".
Add an new function generate_dh_parameters(), taking whatever parameters are needed to successfully call DH_generate_parameters(), that will do the same as "openssl gendh".
[25 Sep 2014 14:30] Paul DuBois
Fixed in 5.6.21. Part of the Enterprise Encryption work for that release. Docs are at:

http://dev.mysql.com/doc/refman/5.6/en/enterprise-encryption.html