diff options
| author | Damien Miller <djm@mindrot.org> | 2013-11-21 14:12:23 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2013-11-21 14:12:23 +1100 |
| commit | 0fde8acdad78a4d20cadae974376cc0165f645ee (patch) | |
| tree | 6e6aa82b73163bcb412920050d98f82ca9f4e86e /dh.c | |
| parent | fdb2306acdc3eb2bc46b6dfdaaf6005c650af22a (diff) | |
- djm@cvs.openbsd.org 2013/11/21 00:45:44
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
[chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
[dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
[ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
cipher "chacha20-poly1305@openssh.com" that combines Daniel
Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@
Diffstat (limited to 'dh.c')
| -rw-r--r-- | dh.c | 38 |
1 files changed, 12 insertions, 26 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dh.c,v 1.52 2013/10/08 11:42:13 dtucker Exp $ */ | 1 | /* $OpenBSD: dh.c,v 1.53 2013/11/21 00:45:44 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Niels Provos. All rights reserved. | 3 | * Copyright (c) 2000 Niels Provos. All rights reserved. |
| 4 | * | 4 | * |
| @@ -254,33 +254,19 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) | |||
| 254 | void | 254 | void |
| 255 | dh_gen_key(DH *dh, int need) | 255 | dh_gen_key(DH *dh, int need) |
| 256 | { | 256 | { |
| 257 | int i, bits_set, tries = 0; | 257 | int pbits; |
| 258 | 258 | ||
| 259 | if (need < 0) | 259 | if (need <= 0) |
| 260 | fatal("dh_gen_key: need < 0"); | 260 | fatal("%s: need <= 0", __func__); |
| 261 | if (dh->p == NULL) | 261 | if (dh->p == NULL) |
| 262 | fatal("dh_gen_key: dh->p == NULL"); | 262 | fatal("%s: dh->p == NULL", __func__); |
| 263 | if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p)) | 263 | if ((pbits = BN_num_bits(dh->p)) <= 0) |
| 264 | fatal("dh_gen_key: group too small: %d (2*need %d)", | 264 | fatal("%s: bits(p) <= 0", __func__); |
| 265 | BN_num_bits(dh->p), 2*need); | 265 | dh->length = MIN(need * 2, pbits - 1); |
| 266 | do { | 266 | if (DH_generate_key(dh) == 0) |
| 267 | if (dh->priv_key != NULL) | 267 | fatal("%s: key generation failed", __func__); |
| 268 | BN_clear_free(dh->priv_key); | 268 | if (!dh_pub_is_valid(dh, dh->pub_key)) |
| 269 | if ((dh->priv_key = BN_new()) == NULL) | 269 | fatal("%s: generated invalid key", __func__); |
| 270 | fatal("dh_gen_key: BN_new failed"); | ||
| 271 | /* generate a 2*need bits random private exponent */ | ||
| 272 | if (!BN_rand(dh->priv_key, 2*need, 0, 0)) | ||
| 273 | fatal("dh_gen_key: BN_rand failed"); | ||
| 274 | if (DH_generate_key(dh) == 0) | ||
| 275 | fatal("DH_generate_key"); | ||
| 276 | for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++) | ||
| 277 | if (BN_is_bit_set(dh->priv_key, i)) | ||
| 278 | bits_set++; | ||
| 279 | debug2("dh_gen_key: priv key bits set: %d/%d", | ||
| 280 | bits_set, BN_num_bits(dh->priv_key)); | ||
| 281 | if (tries++ > 10) | ||
| 282 | fatal("dh_gen_key: too many bad keys: giving up"); | ||
| 283 | } while (!dh_pub_is_valid(dh, dh->pub_key)); | ||
| 284 | } | 270 | } |
| 285 | 271 | ||
| 286 | DH * | 272 | DH * |