Diffstat (limited to 'dh.c')
-rw-r--r-- | dh.c | 53 |
1 files changed, 21 insertions, 32 deletions
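--- a/dh.c
+++ b/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */
+/* $OpenBSD: dh.c,v 1.53 2013/11/21 00:45:44 djm Exp $ */
 /*
 * Copyright (c) 2000 Niels Provos. All rights reserved.
 *
@@ -254,33 +254,19 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
 void
 dh_gen_key(DH *dh, int need)
 {
-int i, bits_set, tries = 0;
+int pbits;
 
-if (need < 0)
-fatal("dh_gen_key: need < 0");
+if (need <= 0)
+fatal("%s: need <= 0", __func__);
 if (dh->p == NULL)
-fatal("dh_gen_key: dh->p == NULL");
+fatal("%s: dh->p == NULL", __func__);
-if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
-fatal("dh_gen_key: group too small: %d (2*need %d)",
-BN_num_bits(dh->p), 2*need);
-do {
-if (dh->priv_key != NULL)
-BN_clear_free(dh->priv_key);
-if ((dh->priv_key = BN_new()) == NULL)
-fatal("dh_gen_key: BN_new failed");
-/* generate a 2*need bits random private exponent */
-if (!BN_rand(dh->priv_key, 2*need, 0, 0))
-fatal("dh_gen_key: BN_rand failed");
-if (DH_generate_key(dh) == 0)
-fatal("DH_generate_key");
-for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
-if (BN_is_bit_set(dh->priv_key, i))
-bits_set++;
-debug2("dh_gen_key: priv key bits set: %d/%d",
-bits_set, BN_num_bits(dh->priv_key));
-if (tries++ > 10)
-fatal("dh_gen_key: too many bad keys: giving up");
-} while (!dh_pub_is_valid(dh, dh->pub_key));
+if ((pbits = BN_num_bits(dh->p)) <= 0)
+fatal("%s: bits(p) <= 0", __func__);
+dh->length = MIN(need * 2, pbits - 1);
+if (DH_generate_key(dh) == 0)
+fatal("%s: key generation failed", __func__);
+if (!dh_pub_is_valid(dh, dh->pub_key))
+fatal("%s: generated invalid key", __func__);
 }
 
 DH *
@@ -352,17 +338,20 @@ dh_new_group14(void)
 
 /*
 * Estimates the group order for a Diffie-Hellman group that has an
-* attack complexity approximately the same as O(2**bits). Estimate
-* with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
+* attack complexity approximately the same as O(2**bits).
+* Values from NIST Special Publication 800-57: Recommendation for Key
+* Management Part 1 (rev 3) limited by the recommended maximum value
+* from RFC4419 section 3.
 */
 
 int
 dh_estimate(int bits)
 {
-
+if (bits <= 112)
+return 2048;
 if (bits <= 128)
-return (1024); /* O(2**86) */
+return 3072;
 if (bits <= 192)
-return (2048); /* O(2**116) */
-return (4096); /* O(2**156) */
+return 7680;
+return 8192;
 }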
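Review bot: In dh_gen_key, `need * 2` on the new `dh->length = MIN(need * 2, pbits - 1);` line is evaluated without the `need > INT_MAX / 2` guard that the removed code had, so a very large `need` becomes signed overflow (undefined behaviour) before `MIN` can clamp it; the first check could read `if (need <= 0 || need > INT_MAX / 2)`. The clamp to `pbits - 1` also replaces the old "group too small" fatal, so an undersized group now silently yields a private exponent shorter than `2*need` bits; a `debug2` message when the clamp takes effect would keep that downgrade visible in logs. The removed loop cleared any existing `dh->priv_key` before generating, whereas the new code relies on `DH_generate_key` alone. If that function keeps a preset private key (it appears to in OpenSSL), the function now assumes callers pass a fresh `DH`, which deserves a comment above dh_gen_key.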