[or-cvs] get rid of nick"s crazy voodoo dh checking.

Tue Dec 6 23:09:47 UTC 2005

Update of /home2/or/cvsroot/tor/src/common
In directory moria:/home/arma/work/onion/cvs/tor/src/common

Modified Files:
	crypto.c 
Log Message:
get rid of nick's crazy voodoo dh checking.


Index: crypto.c
===================================================================
RCS file: /home2/or/cvsroot/tor/src/common/crypto.c,v
retrieving revision 1.179
retrieving revision 1.180
diff -u -d -r1.179 -r1.180

--- crypto.c	30 Nov 2005 22:19:02 -0000	1.179
+++ crypto.c	6 Dec 2005 23:09:44 -0000	1.180
@@ -1436,60 +1436,28 @@
 }
 
 /** Check for bad diffie-hellman public keys (g^x).  Return 0 if the key is
- * okay, or -1 if it's bad.
+ * okay (in the subgroup [2,p-2]), or -1 if it's bad.
  * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
  */
 static int
 tor_check_dh_key(BIGNUM *bn)
 {
-  /* There are about 2^116 ways to have a 1024-bit key with <= 16 bits set,
-   * and similarly for <= 16 bits unset.  This is negligible compared to the
-   * 2^1024 entry keyspace. */
-#define MIN_DIFFERING_BITS 16
-  /* This covers another 2^25 keys, which is still negligible. */
-#define MIN_DIST_FROM_EDGE (1<<24)
-  /* XXXX Note that this is basically voodoo.  Really, we only care about 0,
-   * 1, and p-1.  The "number of bits set" business is inherited from some
-   * dire warnings in the OpenSSH comments.  Real Cryptographers assure us
-   * that these dire warnings are misplaced.
-   *
-   * Still, it can't hurt. -NM We will likely remove all the crud from this
-   * function in a future version, though. -RD
-   */
-  int i, n_bits, n_set;
-  BIGNUM *x = NULL;
+  BIGNUM *x;
   char *s;
   tor_assert(bn);
   x = BN_new();
+  tor_assert(x);
   if (!dh_param_p)
     init_dh_param();
-  if (bn->neg) {
-    warn(LD_CRYPTO, "Rejecting DH key < 0");
-    return -1;
-  }
-  if (BN_cmp(bn, dh_param_p)>=0) {
-    warn(LD_CRYPTO, "Rejecting DH key >= p");
-    return -1;
-  }
-  n_bits = BN_num_bits(bn);
-  n_set = 0;
-  for (i=0; i <= n_bits; ++i) {
-    if (BN_is_bit_set(bn, i))
-      ++n_set;
-  }
-  if (n_set < MIN_DIFFERING_BITS || n_set >= n_bits-MIN_DIFFERING_BITS) {
-    warn(LD_CRYPTO, "Too few/many bits in DH key (%d)", n_set);
-    goto err;
-  }
-  BN_set_word(x, MIN_DIST_FROM_EDGE);
+  BN_set_word(x, 1);
   if (BN_cmp(bn,x)<=0) {
-    warn(LD_CRYPTO, "DH key is too close to 0");
+    warn(LD_CRYPTO, "DH key must be at least 2.");
     goto err;
   }
   BN_copy(x,dh_param_p);
-  BN_sub_word(x, MIN_DIST_FROM_EDGE);
+  BN_sub_word(x, 1);
   if (BN_cmp(bn,x)>=0) {
-    warn(LD_CRYPTO, "DH key is too close to p");
+    warn(LD_CRYPTO, "DH key must be at most p-2.");
     goto err;
   }
   BN_free(x);
@@ -1497,7 +1465,7 @@
  err:
   BN_free(x);
   s = BN_bn2hex(bn);
-  warn(LD_CRYPTO, "Rejecting invalid DH key [%s]", s);
+  warn(LD_CRYPTO, "Rejecting insecure DH key [%s]", s);
   OPENSSL_free(s);
   return -1;
 }

