};
const static struct ssh_kex *kex_algs[] = {
-#ifdef DO_DIFFIE_HELLMAN_GEX
&ssh_diffiehellman_gex,
-#endif
&ssh_diffiehellman };
const static struct ssh_signkey *hostkey_algs[] = { &ssh_rsa, &ssh_dss };
*/
static int do_ssh2_transport(unsigned char *in, int inlen, int ispkt)
{
- static int i, j, len, nbits;
+ static int i, j, len, nbits, pbits;
static char *str;
static Bignum p, g, e, f, K;
static int kex_init_value, kex_reply_value;
}
/*
+ * Work out the number of bits of key we will need from the key
+ * exchange. We start with the maximum key length of either
+ * cipher...
+ */
+ {
+ int csbits, scbits;
+
+ csbits = cscipher_tobe->keylen;
+ scbits = sccipher_tobe->keylen;
+ nbits = (csbits > scbits ? csbits : scbits);
+ }
+ /* The keys only have 160-bit entropy, since they're based on
+ * a SHA-1 hash. So cap the key size at 160 bits. */
+ if (nbits > 160) nbits = 160;
+
+ /*
* If we're doing Diffie-Hellman group exchange, start by
* requesting a group.
*/
if (kex == &ssh_diffiehellman_gex) {
- int csbits, scbits;
-
logevent("Doing Diffie-Hellman group exchange");
/*
- * Work out number of bits. We start with the maximum key
- * length of either cipher...
- */
- csbits = cscipher_tobe->keylen;
- scbits = sccipher_tobe->keylen;
- nbits = (csbits > scbits ? csbits : scbits);
- /* The keys only have 160-bit entropy, since they're based on
- * a SHA-1 hash. So cap the key size at 160 bits. */
- if (nbits > 160) nbits = 160;
- /*
- * ... and then work out how big a DH group we will need to
- * allow that much data.
- */
- nbits = 512 << ((nbits-1) / 64);
+ * Work out how big a DH group we will need to allow that
+ * much data.
+ */
+ pbits = 512 << ((nbits-1) / 64);
ssh2_pkt_init(SSH2_MSG_KEX_DH_GEX_REQUEST);
- ssh2_pkt_adduint32(nbits);
+ ssh2_pkt_adduint32(pbits);
ssh2_pkt_send();
crWaitUntil(ispkt);
/*
* Now generate and send e for Diffie-Hellman.
*/
- e = dh_create_e();
+ e = dh_create_e(nbits*2);
ssh2_pkt_init(kex_init_value);
ssh2_pkt_addmp(e);
ssh2_pkt_send();
sha_string(&exhash, hostkeydata, hostkeylen);
if (kex == &ssh_diffiehellman_gex) {
- sha_uint32(&exhash, nbits);
+ sha_uint32(&exhash, pbits);
sha_mpint(&exhash, p);
sha_mpint(&exhash, g);
}
/*
* DH stage 1: invent a number x between 1 and q, and compute e =
* g^x mod p. Return e.
+ *
+ * If `nbits' is greater than zero, it is used as an upper limit
+ * for the number of bits in x. This is safe provided that (a) you
+ * use twice as many bits in x as the number of bits you expect to
+ * use in your session key, and (b) the DH group is a safe prime
+ * (which SSH demands that it must be).
+ *
+ * P. C. van Oorschot, M. J. Wiener
+ * "On Diffie-Hellman Key Agreement with Short Exponents".
+ * Advances in Cryptology: Proceedings of Eurocrypt '96
+ * Springer-Verlag, May 1996.
*/
-Bignum dh_create_e(void) {
+Bignum dh_create_e(int nbits) {
int i;
int nbytes;
* with qmask.
*/
if (x) freebn(x);
- ssh1_write_bignum(buf, qmask);
- for (i = 2; i < nbytes; i++)
- buf[i] &= random_byte();
- ssh1_read_bignum(buf, &x);
+ if (nbits == 0 || nbits > ssh1_bignum_bitcount(qmask)) {
+ ssh1_write_bignum(buf, qmask);
+ for (i = 2; i < nbytes; i++)
+ buf[i] &= random_byte();
+ ssh1_read_bignum(buf, &x);
+ } else {
+ int b, nb;
+ x = bn_power_2(nbits);
+ nb = 0;
+ for (i = 0; i < nbits; i++) {
+ if (nb == 0) {
+ nb = 8;
+ b = random_byte();
+ }
+ bignum_set_bit(x, i, b & 1);
+ b >>= 1;
+ nb--;
+ }
+ }
} while (bignum_cmp(x, One) <= 0 || bignum_cmp(x, q) >= 0);
/*
* DH stage 2: given a number f, compute K = f^x mod p.
*/
Bignum dh_find_K(Bignum f) {
- return modpow(f, x, p);
+ Bignum ret;
+ ret = modpow(f, x, p);
+ return ret;
}