diff options
Diffstat (limited to 'dh.c')
| -rw-r--r-- | dh.c | 53 |
1 files changed, 21 insertions, 32 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */ | 1 | /* $OpenBSD: dh.c,v 1.53 2013/11/21 00:45:44 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Niels Provos. All rights reserved. | 3 | * Copyright (c) 2000 Niels Provos. All rights reserved. |
| 4 | * | 4 | * |
| @@ -254,33 +254,19 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) | |||
| 254 | void | 254 | void |
| 255 | dh_gen_key(DH *dh, int need) | 255 | dh_gen_key(DH *dh, int need) |
| 256 | { | 256 | { |
| 257 | int i, bits_set, tries = 0; | 257 | int pbits; |
| 258 | 258 | ||
| 259 | if (need < 0) | 259 | if (need <= 0) |
| 260 | fatal("dh_gen_key: need < 0"); | 260 | fatal("%s: need <= 0", __func__); |
| 261 | if (dh->p == NULL) | 261 | if (dh->p == NULL) |
| 262 | fatal("dh_gen_key: dh->p == NULL"); | 262 | fatal("%s: dh->p == NULL", __func__); |
| 263 | if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p)) | 263 | if ((pbits = BN_num_bits(dh->p)) <= 0) |
| 264 | fatal("dh_gen_key: group too small: %d (2*need %d)", | 264 | fatal("%s: bits(p) <= 0", __func__); |
| 265 | BN_num_bits(dh->p), 2*need); | 265 | dh->length = MIN(need * 2, pbits - 1); |
| 266 | do { | 266 | if (DH_generate_key(dh) == 0) |
| 267 | if (dh->priv_key != NULL) | 267 | fatal("%s: key generation failed", __func__); |
| 268 | BN_clear_free(dh->priv_key); | 268 | if (!dh_pub_is_valid(dh, dh->pub_key)) |
| 269 | if ((dh->priv_key = BN_new()) == NULL) | 269 | fatal("%s: generated invalid key", __func__); |
| 270 | fatal("dh_gen_key: BN_new failed"); | ||
| 271 | /* generate a 2*need bits random private exponent */ | ||
| 272 | if (!BN_rand(dh->priv_key, 2*need, 0, 0)) | ||
| 273 | fatal("dh_gen_key: BN_rand failed"); | ||
| 274 | if (DH_generate_key(dh) == 0) | ||
| 275 | fatal("DH_generate_key"); | ||
| 276 | for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++) | ||
| 277 | if (BN_is_bit_set(dh->priv_key, i)) | ||
| 278 | bits_set++; | ||
| 279 | debug2("dh_gen_key: priv key bits set: %d/%d", | ||
| 280 | bits_set, BN_num_bits(dh->priv_key)); | ||
| 281 | if (tries++ > 10) | ||
| 282 | fatal("dh_gen_key: too many bad keys: giving up"); | ||
| 283 | } while (!dh_pub_is_valid(dh, dh->pub_key)); | ||
| 284 | } | 270 | } |
| 285 | 271 | ||
| 286 | DH * | 272 | DH * |
| @@ -352,17 +338,20 @@ dh_new_group14(void) | |||
| 352 | 338 | ||
| 353 | /* | 339 | /* |
| 354 | * Estimates the group order for a Diffie-Hellman group that has an | 340 | * Estimates the group order for a Diffie-Hellman group that has an |
| 355 | * attack complexity approximately the same as O(2**bits). Estimate | 341 | * attack complexity approximately the same as O(2**bits). |
| 356 | * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3))) | 342 | * Values from NIST Special Publication 800-57: Recommendation for Key |
| 343 | * Management Part 1 (rev 3) limited by the recommended maximum value | ||
| 344 | * from RFC4419 section 3. | ||
| 357 | */ | 345 | */ |
| 358 | 346 | ||
| 359 | int | 347 | int |
| 360 | dh_estimate(int bits) | 348 | dh_estimate(int bits) |
| 361 | { | 349 | { |
| 362 | 350 | if (bits <= 112) | |
| 351 | return 2048; | ||
| 363 | if (bits <= 128) | 352 | if (bits <= 128) |
| 364 | return (1024); /* O(2**86) */ | 353 | return 3072; |
| 365 | if (bits <= 192) | 354 | if (bits <= 192) |
| 366 | return (2048); /* O(2**116) */ | 355 | return 7680; |
| 367 | return (4096); /* O(2**156) */ | 356 | return 8192; |
| 368 | } | 357 | } |