author | Damien Miller <djm@mindrot.org> | 2013-11-21 14:12:23 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2013-11-21 14:12:23 +1100 |
commit | 0fde8acdad78a4d20cadae974376cc0165f645ee (patch) | |
tree | 6e6aa82b73163bcb412920050d98f82ca9f4e86e /dh.c | |
parent | fdb2306acdc3eb2bc46b6dfdaaf6005c650af22a (diff) |
- djm@cvs.openbsd.org 2013/11/21 00:45:44
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
[chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
[dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
[ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
cipher "chacha20-poly1305@openssh.com" that combines Daniel
Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@
Diffstat (limited to 'dh.c')
-rw-r--r-- | dh.c | 38 |
1 files changed, 12 insertions, 26 deletions
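--- a/dh.c
+++ b/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.52 2013/10/08 11:42:13 dtucker Exp $ */
+/* $OpenBSD: dh.c,v 1.53 2013/11/21 00:45:44 djm Exp $ */
 /*
 * Copyright (c) 2000 Niels Provos. All rights reserved.
 *
@@ -254,33 +254,19 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
 void
 dh_gen_key(DH *dh, int need)
 {
-int i, bits_set, tries = 0;
+int pbits;
 
-if (need < 0)
-fatal("dh_gen_key: need < 0");
+if (need <= 0)
+fatal("%s: need <= 0", __func__);
 if (dh->p == NULL)
-fatal("dh_gen_key: dh->p == NULL");
-if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
-fatal("dh_gen_key: group too small: %d (2*need %d)",
-BN_num_bits(dh->p), 2*need);
-do {
-if (dh->priv_key != NULL)
-BN_clear_free(dh->priv_key);
-if ((dh->priv_key = BN_new()) == NULL)
-fatal("dh_gen_key: BN_new failed");
-/* generate a 2*need bits random private exponent */
-if (!BN_rand(dh->priv_key, 2*need, 0, 0))
-fatal("dh_gen_key: BN_rand failed");
-if (DH_generate_key(dh) == 0)
-fatal("DH_generate_key");
-for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
-if (BN_is_bit_set(dh->priv_key, i))
-bits_set++;
-debug2("dh_gen_key: priv key bits set: %d/%d",
-bits_set, BN_num_bits(dh->priv_key));
-if (tries++ > 10)
-fatal("dh_gen_key: too many bad keys: giving up");
-} while (!dh_pub_is_valid(dh, dh->pub_key));
+fatal("%s: dh->p == NULL", __func__);
+if ((pbits = BN_num_bits(dh->p)) <= 0)
+fatal("%s: bits(p) <= 0", __func__);
+dh->length = MIN(need * 2, pbits - 1);
+if (DH_generate_key(dh) == 0)
+fatal("%s: key generation failed", __func__);
+if (!dh_pub_is_valid(dh, dh->pub_key))
+fatal("%s: generated invalid key", __func__);
 }
 
 DH *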
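Review bot: `need * 2` in the new `dh->length = MIN(need * 2, pbits - 1);` line is computed with only `need <= 0` ruled out, so the `need > INT_MAX / 2` guard that the removed code carried is gone and a large `need` overflows a signed int. The clamp to `pbits - 1` also replaces the old fatal on a too-small group, so a private exponent shorter than `2 * need` bits is now accepted with no error or log line. I would keep both checks ahead of the assignment, for example `if (need > INT_MAX / 2 || 2 * need >= pbits) fatal("%s: group too small: %d (2*need %d)", __func__, pbits, 2 * need);`. The deleted comment was the only hint at the sizing rule, so a replacement such as `/* exponent is 2*need bits: generic discrete-log attacks cost about the square root of the exponent range */` above the `dh->length` line would help. Whether any caller can pass such values is not visible in this hunk.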