- markus@cvs.openbsd.org 2001/03/05 17:17:21

     [kex.c kex.h sshconnect2.c sshd.c]
     generate a 2*need size (~300 instead of 1024/2048) random private
     exponent during the DH key agreement. according to Niels (the great
     german advisor) this is safe since /etc/primes contains strong
     primes only.

     References:
             P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
             agreement with short exponents, In Advances in Cryptology
             - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.

1 files changed, 22 insertions, 4 deletions

diff --git a/kex.c b/kex.c
index 1038546c..308ffb1b 100644
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.21 2001/02/11 12:59:24 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.22 2001/03/05 17:17:20 markus Exp $");
 
 #include <openssl/crypto.h>
 #include <openssl/bio.h>
@@ -138,15 +138,33 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
 }
 
 void
-dh_gen_key(DH *dh)
+dh_gen_key(DH *dh, int need)
 {
-	int tries = 0;
+	int i, bits_set = 0, tries = 0;
 
+	if (dh->p == NULL)
+		fatal("dh_gen_key: dh->p == NULL");
+	if (2*need >= BN_num_bits(dh->p))
+		fatal("dh_gen_key: group too small: %d (2*need %d)",
+		    BN_num_bits(dh->p), 2*need);
 	do {
+		if (dh->priv_key != NULL)
+			BN_free(dh->priv_key);
+		dh->priv_key = BN_new();
+		if (dh->priv_key == NULL)
+			fatal("dh_gen_key: BN_new failed");
+		/* generate a 2*need bits random private exponent */
+		if (!BN_rand(dh->priv_key, 2*need, 0, 0))
+			fatal("dh_gen_key: BN_rand failed");
 		if (DH_generate_key(dh) == 0)
 			fatal("DH_generate_key");
+		for (i = 0; i <= BN_num_bits(dh->priv_key); i++)
+			if (BN_is_bit_set(dh->priv_key, i))
+				bits_set++;
+		debug("dh_gen_key: priv key bits set: %d/%d",
+		    bits_set, BN_num_bits(dh->priv_key));
 		if (tries++ > 10)
-			fatal("dh_new_group1: too many bad keys: giving up");
+			fatal("dh_gen_key: too many bad keys: giving up");
 	} while (!dh_pub_is_valid(dh, dh->pub_key));
 }