5 files changed, 43 insertions, 14 deletions
diff --git a/ChangeLog b/ChangeLog
index 7a1c09426..20f63aa3d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,17 @@
   - deraadt@cvs.openbsd.org 2001/03/05 16:07:15
     [sshd.8]
     detail default hmac setup too
+   - markus@cvs.openbsd.org 2001/03/05 17:17:21
+     [kex.c kex.h sshconnect2.c sshd.c]
+     generate a 2*need size (~300 instead of 1024/2048) random private
+     exponent during the DH key agreement. according to Niels (the great
+     german advisor) this is safe since /etc/primes contains strong
+     primes only.
+     References:
+             P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
+             agreement with short exponents, In Advances in Cryptology
+             - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
 20010305
 - (bal) CVS ID touch up on sshpty.[ch] and sshlogin.[ch]
@@ -4384,4 +4395,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.912 2001/03/06 01:06:58 mouring Exp $
+$Id: ChangeLog,v 1.913 2001/03/06 01:09:20 mouring Exp $
diff --git a/kex.c b/kex.c
index 1038546ca..308ffb1b6 100644
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.21 2001/02/11 12:59:24 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.22 2001/03/05 17:17:20 markus Exp $");
 #include <openssl/crypto.h>
 #include <openssl/bio.h>
@@ -138,15 +138,33 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
 }
 void
-dh_gen_key(DH *dh)
+dh_gen_key(DH *dh, int need)
 {
-        int tries = 0;
+        int i, bits_set = 0, tries = 0;
+        if (dh->p == NULL)
+                fatal("dh_gen_key: dh->p == NULL");
+        if (2*need >= BN_num_bits(dh->p))
+                fatal("dh_gen_key: group too small: %d (2*need %d)",
+                    BN_num_bits(dh->p), 2*need);
        do {
+                if (dh->priv_key != NULL)
+                        BN_free(dh->priv_key);
+                dh->priv_key = BN_new();
+                if (dh->priv_key == NULL)
+                        fatal("dh_gen_key: BN_new failed");
+                /* generate a 2*need bits random private exponent */
+                if (!BN_rand(dh->priv_key, 2*need, 0, 0))
+                        fatal("dh_gen_key: BN_rand failed");
                if (DH_generate_key(dh) == 0)
                        fatal("DH_generate_key");
+                for (i = 0; i <= BN_num_bits(dh->priv_key); i++)
+                        if (BN_is_bit_set(dh->priv_key, i))
+                                bits_set++;
+                debug("dh_gen_key: priv key bits set: %d/%d",
+                    bits_set, BN_num_bits(dh->priv_key));
                if (tries++ > 10)
-                        fatal("dh_new_group1: too many bad keys: giving up");
+                        fatal("dh_gen_key: too many bad keys: giving up");
        } while (!dh_pub_is_valid(dh, dh->pub_key));
 }
diff --git a/kex.h b/kex.h
index 90496fbdf..5004699d9 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: kex.h,v 1.14 2001/02/11 12:59:24 markus Exp $ */
+/*      $OpenBSD: kex.h,v 1.15 2001/03/05 17:17:20 markus Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -106,7 +106,7 @@ void	packet_set_kex(Kex *k);
 int     dh_pub_is_valid(DH *dh, BIGNUM *dh_pub);
 DH      *dh_new_group_asc(const char *, const char *);
 DH      *dh_new_group(BIGNUM *, BIGNUM *);
-void    dh_gen_key(DH *);
+void    dh_gen_key(DH *, int);
 DH      *dh_new_group1(void);
 u_char *
diff --git a/sshconnect2.c b/sshconnect2.c
index 8b523232f..0baecf0a5 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.49 2001/02/28 09:57:07 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.50 2001/03/05 17:17:21 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -171,7 +171,7 @@ ssh_dh1_client(Kex *kex, char *host, struct sockaddr *hostaddr,
        debug("Sending SSH2_MSG_KEXDH_INIT.");
        /* generate and send 'e', client DH public key */
        dh = dh_new_group1();
-        dh_gen_key(dh);
+        dh_gen_key(dh, kex->we_need * 8);
        packet_start(SSH2_MSG_KEXDH_INIT);
        packet_put_bignum2(dh->pub_key);
        packet_send();
@@ -316,7 +316,7 @@ ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr,
        u_char *kbuf;
        u_char *hash;
-        nbits = dh_estimate(kex->enc[MODE_OUT].cipher->key_len * 8);
+        nbits = dh_estimate(kex->we_need * 8);
        debug("Sending SSH2_MSG_KEX_DH_GEX_REQUEST.");
        packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
@@ -342,7 +342,7 @@ ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr,
        packet_get_bignum2(g, &dlen);
        dh = dh_new_group(g, p);
-        dh_gen_key(dh);
+        dh_gen_key(dh, kex->we_need * 8);
 #ifdef DEBUG_KEXDH
        fprintf(stderr, "\np= ");
diff --git a/sshd.c b/sshd.c
index 838ac0d73..fcb06e0d5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.172 2001/03/04 17:42:28 millert Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.173 2001/03/05 17:17:21 markus Exp $");
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1519,7 +1519,7 @@ ssh_dh1_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit)
 /* KEXDH */
        /* generate DH key */
        dh = dh_new_group1();                   /* XXX depends on 'kex' */
-        dh_gen_key(dh);
+        dh_gen_key(dh, kex->we_need * 8);
        debug("Wait SSH2_MSG_KEXDH_INIT.");
        packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT);
@@ -1662,7 +1662,7 @@ ssh_dhgex_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit)
        /* Compute our exchange value in parallel with the client */
-        dh_gen_key(dh);
+        dh_gen_key(dh, kex->we_need * 8);
        debug("Wait SSH2_MSG_KEX_DH_GEX_INIT.");
        packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_INIT);