Rekey regression test: How is GCM magical?
Damien Miller
djm at mindrot.org
Mon Nov 18 10:09:43 EST 2013
On Sat, 16 Nov 2013, Christian Weisgerber wrote:
> Markus Friedl:
>
> > > (chacha20-poly1305 doesn't work with diffie-hellman-group1-sha1
> > > because the latter can't provide the required 512 bits of key
> > > material.)
> >
> > why should it not work? in this case the key gets expanded,
> > even if the security margin of the kex is smaller.
>
> Well, it doesn't.
>
> $ ssh -c chacha20-poly1305@openssh.com -oKexAlgorithms=diffie-hellman-group1-sha1 localhost
> dh_gen_key: group too small: 1024 (2*need 1024)
I think that check is incorrect (and could be simplified):
Index: dh.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/dh.c,v
retrieving revision 1.52
diff -u -p -r1.52 dh.c
--- dh.c 8 Oct 2013 11:42:13 -0000 1.52
+++ dh.c 17 Nov 2013 23:08:38 -0000
@@ -257,7 +257,7 @@ dh_gen_key(DH *dh, int need)
fatal("dh_gen_key: need < 0");
if (dh->p == NULL)
fatal("dh_gen_key: dh->p == NULL");
- if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
+ if (need > BN_num_bits(dh->p) / 2)
fatal("dh_gen_key: group too small: %d (2*need %d)",
BN_num_bits(dh->p), 2*need);
do {
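Review bot: the real behaviour change here is at the boundary, and it deserves a comment above the `if`. With integer division, `need > BN_num_bits(dh->p) / 2` is equivalent to `2 * need > BN_num_bits(dh->p)` for the non-negative `need` guaranteed by the `need < 0` check above, so the test relaxes the old `2 * need >= BN_num_bits(dh->p)` to allow `need` exactly half the group size (512 on the 1024-bit group1, which is the case from the bug report). The `need > INT_MAX / 2` guard is safely dropped only because the new expression no longer multiplies `need`; the fatal message still prints `2*need`, which remains a correct description of the failing relation. Since the old `>=` deliberately excluded the equality case, please confirm that the private exponent generation in the `do {` loop below still yields a value below `dh->p` when `2 * need == BN_num_bits(dh->p)`, and note in a comment why that case is acceptable.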