projects / u / mdw / putty / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Run entire source base through GNU indent to tidy up the varying
[u/mdw/putty] / sshdh.c
1 #include "ssh.h"
2
3 const struct ssh_kex ssh_diffiehellman = {
4 "diffie-hellman-group1-sha1"
5 };
6
7 const struct ssh_kex ssh_diffiehellman_gex = {
8 "diffie-hellman-group-exchange-sha1"
9 };
10
11 /*
12 * The prime p used in the key exchange.
13 */
14 static unsigned char P[] = {
15 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
16 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
17 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
18 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
19 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
20 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
21 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
22 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
23 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
24 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81,
25 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
26 };
27
28 /*
29 * The generator g = 2.
30 */
31 static unsigned char G[] = { 2 };
32
33 /*
34 * Variables.
35 */
36 static Bignum x, e, p, q, qmask, g;
37 static int need_to_free_pg;
38
39 /*
40 * Common DH initialisation.
41 */
42 static void dh_init(void)
43 {
44 q = bignum_rshift(p, 1);
45 qmask = bignum_bitmask(q);
46 }
47
48 /*
49 * Initialise DH for the standard group1.
50 */
51 void dh_setup_group1(void)
52 {
53 p = bignum_from_bytes(P, sizeof(P));
54 g = bignum_from_bytes(G, sizeof(G));
55 dh_init();
56 }
57
58 /*
59 * Initialise DH for an alternative group.
60 */
61 void dh_setup_group(Bignum pval, Bignum gval)
62 {
63 p = copybn(pval);
64 g = copybn(gval);
65 dh_init();
66 }
67
68 /*
69 * Clean up.
70 */
71 void dh_cleanup(void)
72 {
73 freebn(p);
74 freebn(g);
75 freebn(q);
76 freebn(qmask);
77 }
78
79 /*
80 * DH stage 1: invent a number x between 1 and q, and compute e =
81 * g^x mod p. Return e.
82 *
83 * If `nbits' is greater than zero, it is used as an upper limit
84 * for the number of bits in x. This is safe provided that (a) you
85 * use twice as many bits in x as the number of bits you expect to
86 * use in your session key, and (b) the DH group is a safe prime
87 * (which SSH demands that it must be).
88 *
89 * P. C. van Oorschot, M. J. Wiener
90 * "On Diffie-Hellman Key Agreement with Short Exponents".
91 * Advances in Cryptology: Proceedings of Eurocrypt '96
92 * Springer-Verlag, May 1996.
93 */
94 Bignum dh_create_e(int nbits)
95 {
96 int i;
97
98 int nbytes;
99 unsigned char *buf;
100
101 nbytes = ssh1_bignum_length(qmask);
102 buf = smalloc(nbytes);
103
104 do {
105 /*
106 * Create a potential x, by ANDing a string of random bytes
107 * with qmask.
108 */
109 if (x)
110 freebn(x);
111 if (nbits == 0 || nbits > bignum_bitcount(qmask)) {
112 ssh1_write_bignum(buf, qmask);
113 for (i = 2; i < nbytes; i++)
114 buf[i] &= random_byte();
115 ssh1_read_bignum(buf, &x);
116 } else {
117 int b, nb;
118 x = bn_power_2(nbits);
119 nb = 0;
120 for (i = 0; i < nbits; i++) {
121 if (nb == 0) {
122 nb = 8;
123 b = random_byte();
124 }
125 bignum_set_bit(x, i, b & 1);
126 b >>= 1;
127 nb--;
128 }
129 }
130 } while (bignum_cmp(x, One) <= 0 || bignum_cmp(x, q) >= 0);
131
132 /*
133 * Done. Now compute e = g^x mod p.
134 */
135 e = modpow(g, x, p);
136
137 return e;
138 }
139
140 /*
141 * DH stage 2: given a number f, compute K = f^x mod p.
142 */
143 Bignum dh_find_K(Bignum f)
144 {
145 Bignum ret;
146 ret = modpow(f, x, p);
147 return ret;
148 }
Local modifications for Simon Tatham's `PuTTY' SSH client and terminal emulator