diff --git a/doc/TODO b/doc/TODO index 1179475d21..73203aa312 100644 --- a/doc/TODO +++ b/doc/TODO @@ -54,9 +54,9 @@ SPEC!! D Non-clique topologies - Consider taking the master out of the loop? . Directory servers D Automated reputation management -NICK - Include key in source; sign directories +NICK . Include key in source; sign directories - Add versions to code -NICK - Have directories list recommended-versions +NICK . Have directories list recommended-versions - Quit if running the wrong version - Command-line option to override quit . Add more information to directory server entries @@ -131,7 +131,7 @@ NICK . OS X o incremental path building - transition circuit-level sendmes to hop-level sendmes - implement truncate, truncated -NICK - move from 192byte DH to 128byte DH, so it isn't so damn slow + o move from 192byte DH to 128byte DH, so it isn't so damn slow - exiting from not-last hop - OP logic to decide to extend/truncate a path - make sure exiting from the not-last hop works diff --git a/src/common/crypto.c b/src/common/crypto.c index ad05b2666c..df25563211 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -695,6 +695,7 @@ static void init_dh_param() { g = BN_new(); assert(p && g); +#if 0 /* This is from draft-ietf-ipsec-ike-modp-groups-05.txt. It's a safe prime, and supposedly it equals: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } @@ -708,6 +709,18 @@ static void init_dh_param() { "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" "83655D23DCA3AD961C62F356208552BB9ED529077096966D" "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"); +#endif + + /* This is from rfc2409, section 6.2. It's a safe prime, and + supposedly it equals: + 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }. + */ + r = BN_hex2bn(&p, + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" + "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B" + "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9" + "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6" + "49286651ECE65381FFFFFFFFFFFFFFFF"); assert(r); r = BN_set_word(g, 2); diff --git a/src/common/crypto.h b/src/common/crypto.h index d5cfdb55e1..81a7ca16f0 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -72,7 +72,8 @@ int base64_decode(char *dest, int destlen, char *src, int srclen); /* Key negotiation */ typedef struct crypto_dh_env_st crypto_dh_env_t; -#define CRYPTO_DH_SIZE (1536 / 8) +/* #define CRYPTO_DH_SIZE (1536 / 8) */ +#define CRYPTO_DH_SIZE (1024 / 8) crypto_dh_env_t *crypto_dh_new(); int crypto_dh_get_bytes(crypto_dh_env_t *dh); int crypto_dh_get_public(crypto_dh_env_t *dh, char *pubkey_out, diff --git a/src/or/or.h b/src/or/or.h index fd289c3b77..fac26daac6 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -354,8 +354,8 @@ struct crypt_path_t { }; -#define DH_KEY_LEN 192 -#define DH_ONIONSKIN_LEN 208 +#define DH_KEY_LEN CRYPTO_DH_SIZE +#define DH_ONIONSKIN_LEN DH_KEY_LEN+16 typedef struct crypt_path_t crypt_path_t; diff --git a/src/or/test.c b/src/or/test.c index c288f2b718..45a1bcf2e8 100644 --- a/src/or/test.c +++ b/src/or/test.c @@ -631,7 +631,6 @@ main(int c, char**v) { log(LOG_ERR,NULL); /* make logging quieter */ setup_directory(); -#if 0 puts("========================== Buffers ========================="); test_buffers(); puts("========================== Crypto =========================="); @@ -641,7 +640,6 @@ main(int c, char**v) { test_util(); puts("\n========================= Onion Skins ====================="); test_onion_handshake(); -#endif puts("\n========================= Directory Formats ==============="); test_dir_format(); puts("");