X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/3709bfe9981af43e3cd491c37d300b57e5b26d50..32874aeac8dacbca26663777b39a79efc5d8dc4b:/sshdh.c

diff --git a/sshdh.c b/sshdh.c
index 35e66907..edd05b68 100644
--- a/sshdh.c
+++ b/sshdh.c
@@ -1,9 +1,13 @@
 #include "ssh.h"
 
-struct ssh_kex ssh_diffiehellman = {
+const struct ssh_kex ssh_diffiehellman = {
     "diffie-hellman-group1-sha1"
 };
 
+const struct ssh_kex ssh_diffiehellman_gex = {
+    "diffie-hellman-group-exchange-sha1"
+};
+
 /*
  * The prime p used in the key exchange. 
  */
@@ -35,7 +39,8 @@ static int need_to_free_pg;
 /*
  * Common DH initialisation.
  */
-static void dh_init(void) {
+static void dh_init(void)
+{
     q = bignum_rshift(p, 1);
     qmask = bignum_bitmask(q);
 }
@@ -43,16 +48,28 @@ static void dh_init(void) {
 /*
  * Initialise DH for the standard group1.
  */
-void dh_setup_group1(void) {
+void dh_setup_group1(void)
+{
     p = bignum_from_bytes(P, sizeof(P));
     g = bignum_from_bytes(G, sizeof(G));
     dh_init();
 }
 
 /*
+ * Initialise DH for an alternative group.
+ */
+void dh_setup_group(Bignum pval, Bignum gval)
+{
+    p = copybn(pval);
+    g = copybn(gval);
+    dh_init();
+}
+
+/*
  * Clean up.
  */
-void dh_cleanup(void) {
+void dh_cleanup(void)
+{
     freebn(p);
     freebn(g);
     freebn(q);
@@ -62,8 +79,20 @@ void dh_cleanup(void) {
 /*
  * DH stage 1: invent a number x between 1 and q, and compute e =
  * g^x mod p. Return e.
+ * 
+ * If `nbits' is greater than zero, it is used as an upper limit
+ * for the number of bits in x. This is safe provided that (a) you
+ * use twice as many bits in x as the number of bits you expect to
+ * use in your session key, and (b) the DH group is a safe prime
+ * (which SSH demands that it must be).
+ * 
+ * P. C. van Oorschot, M. J. Wiener
+ * "On Diffie-Hellman Key Agreement with Short Exponents".
+ * Advances in Cryptology: Proceedings of Eurocrypt '96
+ * Springer-Verlag, May 1996.
  */
-Bignum dh_create_e(void) {
+Bignum dh_create_e(int nbits)
+{
     int i;
 
     int nbytes;
@@ -77,11 +106,27 @@ Bignum dh_create_e(void) {
 	 * Create a potential x, by ANDing a string of random bytes
 	 * with qmask.
 	 */
-        if (x) freebn(x);
-        ssh1_write_bignum(buf, qmask);
-	for (i = 2; i < nbytes; i++)
-            buf[i] &= random_byte();
-        ssh1_read_bignum(buf, &x);
+	if (x)
+	    freebn(x);
+	if (nbits == 0 || nbits > bignum_bitcount(qmask)) {
+	    ssh1_write_bignum(buf, qmask);
+	    for (i = 2; i < nbytes; i++)
+		buf[i] &= random_byte();
+	    ssh1_read_bignum(buf, &x);
+	} else {
+	    int b, nb;
+	    x = bn_power_2(nbits);
+	    nb = 0;
+	    for (i = 0; i < nbits; i++) {
+		if (nb == 0) {
+		    nb = 8;
+		    b = random_byte();
+		}
+		bignum_set_bit(x, i, b & 1);
+		b >>= 1;
+		nb--;
+	    }
+	}
     } while (bignum_cmp(x, One) <= 0 || bignum_cmp(x, q) >= 0);
 
     /*
@@ -95,6 +140,9 @@ Bignum dh_create_e(void) {
 /*
  * DH stage 2: given a number f, compute K = f^x mod p.
  */
-Bignum dh_find_K(Bignum f) {
-    return modpow(f, x, p);
+Bignum dh_find_K(Bignum f)
+{
+    Bignum ret;
+    ret = modpow(f, x, p);
+    return ret;
 }