From: mouring Date: Tue, 6 Mar 2001 01:09:20 +0000 (+0000) Subject: - markus@cvs.openbsd.org 2001/03/05 17:17:21 X-Git-Tag: V_2_5_2_P1~82 X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/commitdiff_plain/7de5b06b215e8f3dc6c491c9b89bae4b5152fdf9 - markus@cvs.openbsd.org 2001/03/05 17:17:21 [kex.c kex.h sshconnect2.c sshd.c] generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only. References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343. --- diff --git a/ChangeLog b/ChangeLog index f7dd5b9f..56a546fd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,17 @@ - deraadt@cvs.openbsd.org 2001/03/05 16:07:15 [sshd.8] detail default hmac setup too + - markus@cvs.openbsd.org 2001/03/05 17:17:21 + [kex.c kex.h sshconnect2.c sshd.c] + generate a 2*need size (~300 instead of 1024/2048) random private + exponent during the DH key agreement. according to Niels (the great + german advisor) this is safe since /etc/primes contains strong + primes only. + + References: + P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key + agreement with short exponents, In Advances in Cryptology + - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343. 20010305 - (bal) CVS ID touch up on sshpty.[ch] and sshlogin.[ch] diff --git a/kex.c b/kex.c index 1038546c..308ffb1b 100644 --- a/kex.c +++ b/kex.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.21 2001/02/11 12:59:24 markus Exp $"); +RCSID("$OpenBSD: kex.c,v 1.22 2001/03/05 17:17:20 markus Exp $"); #include #include @@ -138,15 +138,33 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) } void -dh_gen_key(DH *dh) +dh_gen_key(DH *dh, int need) { - int tries = 0; + int i, bits_set = 0, tries = 0; + if (dh->p == NULL) + fatal("dh_gen_key: dh->p == NULL"); + if (2*need >= BN_num_bits(dh->p)) + fatal("dh_gen_key: group too small: %d (2*need %d)", + BN_num_bits(dh->p), 2*need); do { + if (dh->priv_key != NULL) + BN_free(dh->priv_key); + dh->priv_key = BN_new(); + if (dh->priv_key == NULL) + fatal("dh_gen_key: BN_new failed"); + /* generate a 2*need bits random private exponent */ + if (!BN_rand(dh->priv_key, 2*need, 0, 0)) + fatal("dh_gen_key: BN_rand failed"); if (DH_generate_key(dh) == 0) fatal("DH_generate_key"); + for (i = 0; i <= BN_num_bits(dh->priv_key); i++) + if (BN_is_bit_set(dh->priv_key, i)) + bits_set++; + debug("dh_gen_key: priv key bits set: %d/%d", + bits_set, BN_num_bits(dh->priv_key)); if (tries++ > 10) - fatal("dh_new_group1: too many bad keys: giving up"); + fatal("dh_gen_key: too many bad keys: giving up"); } while (!dh_pub_is_valid(dh, dh->pub_key)); } diff --git a/kex.h b/kex.h index 90496fbd..5004699d 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.14 2001/02/11 12:59:24 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.15 2001/03/05 17:17:20 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -106,7 +106,7 @@ void packet_set_kex(Kex *k); int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub); DH *dh_new_group_asc(const char *, const char *); DH *dh_new_group(BIGNUM *, BIGNUM *); -void dh_gen_key(DH *); +void dh_gen_key(DH *, int); DH *dh_new_group1(void); u_char * diff --git a/sshconnect2.c b/sshconnect2.c index 8b523232..0baecf0a 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.49 2001/02/28 09:57:07 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.50 2001/03/05 17:17:21 markus Exp $"); #include #include @@ -171,7 +171,7 @@ ssh_dh1_client(Kex *kex, char *host, struct sockaddr *hostaddr, debug("Sending SSH2_MSG_KEXDH_INIT."); /* generate and send 'e', client DH public key */ dh = dh_new_group1(); - dh_gen_key(dh); + dh_gen_key(dh, kex->we_need * 8); packet_start(SSH2_MSG_KEXDH_INIT); packet_put_bignum2(dh->pub_key); packet_send(); @@ -316,7 +316,7 @@ ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr, u_char *kbuf; u_char *hash; - nbits = dh_estimate(kex->enc[MODE_OUT].cipher->key_len * 8); + nbits = dh_estimate(kex->we_need * 8); debug("Sending SSH2_MSG_KEX_DH_GEX_REQUEST."); packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); @@ -342,7 +342,7 @@ ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr, packet_get_bignum2(g, &dlen); dh = dh_new_group(g, p); - dh_gen_key(dh); + dh_gen_key(dh, kex->we_need * 8); #ifdef DEBUG_KEXDH fprintf(stderr, "\np= "); diff --git a/sshd.c b/sshd.c index 838ac0d7..fcb06e0d 100644 --- a/sshd.c +++ b/sshd.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.172 2001/03/04 17:42:28 millert Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.173 2001/03/05 17:17:21 markus Exp $"); #include #include @@ -1519,7 +1519,7 @@ ssh_dh1_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit) /* KEXDH */ /* generate DH key */ dh = dh_new_group1(); /* XXX depends on 'kex' */ - dh_gen_key(dh); + dh_gen_key(dh, kex->we_need * 8); debug("Wait SSH2_MSG_KEXDH_INIT."); packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT); @@ -1662,7 +1662,7 @@ ssh_dhgex_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit) /* Compute our exchange value in parallel with the client */ - dh_gen_key(dh); + dh_gen_key(dh, kex->we_need * 8); debug("Wait SSH2_MSG_KEX_DH_GEX_INIT."); packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_INIT);