From 6e7f68ce38130c794ec1fb8d2a6091fbe982628d Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Sun, 28 Feb 2016 22:27:00 +0000
Subject: upstream commit

rearrange DH public value tests to be a little more clear

rearrange DH private value generation to explain rationale more clearly and include an extra sanity check.

ok deraadt

Upstream-ID: 9ad8a07e1a12684e1b329f9bd88941b249d4b2ad
---
 dh.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

(limited to 'dh.c')

diff --git a/dh.c b/dh.c
index 4c639acc3..7f68321d4 100644
--- a/dh.c
+++ b/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.57 2015/05/27 23:39:18 dtucker Exp $ */
+/* $OpenBSD: dh.c,v 1.58 2016/02/28 22:27:00 djm Exp $ */
 /*
 * Copyright (c) 2000 Niels Provos. All rights reserved.
 *
@@ -246,12 +246,15 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
 bits_set++;
 debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
- /* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
- if (bits_set > 1)
- return 1;
-
- logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
- return 0;
+ /*
+ * if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial
+ */
+ if (bits_set < 4) {
+ logit("invalid public DH value (%d/%d)",
+ bits_set, BN_num_bits(dh->p));
+ return 0;
+ }
+ return 1;
 }
 int
@@ -263,6 +266,12 @@ dh_gen_key(DH *dh, int need)
 (pbits = BN_num_bits(dh->p)) <= 0 ||
 need > INT_MAX / 2 || 2 * need > pbits)
 return SSH_ERR_INVALID_ARGUMENT;
+ if (need < 256)
+ need = 256;
+ /*
+ * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)),
+ * so double requested need here.
+ */
 dh->length = MIN(need * 2, pbits - 1);
 if (DH_generate_key(dh) == 0 ||
 !dh_pub_is_valid(dh, dh->pub_key)) {
--
cgit v1.2.3
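Review bot: The new threshold `if (bits_set < 4)` in dh_pub_is_valid is not explained by the comment directly above it, which still describes only the `bits_set==1` case, so a later reader may take the values 2 and 3 being rejected for an off-by-one. Suggest extending the comment to state the intent, e.g. `* Require a few more set bits than that as a safety margin; a random` / `* public value has roughly half its bits set, so this rejects nothing legitimate.` The loop that computes bits_set starts before this hunk, so the bit-counting itself is not visible here.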
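Review bot: In dh_gen_key the new floor `if (need < 256) need = 256;` is applied after the `2 * need > pbits` argument check, so for a group shorter than 512 bits the doubled value `need * 2` exceeds pbits and only the `MIN(need * 2, pbits - 1)` on the following line keeps dh->length in range; if that is intended, it deserves a sentence in the new comment, otherwise the floor should precede the check so the validation covers the effective value. The comment's `Big step/Little Step` should read `Baby-step/Giant-step`, the usual name of the algorithm, and the reason for 256 is not stated, presumably that a sqrt(n) attack on a 256-bit exponent still costs about 2^128 work, which is worth writing down as `* Never use fewer than 256 bits, so a sqrt(n) attack still costs ~2^128.` The start of dh_gen_key, including the first part of this condition, lies outside the hunk.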