Note that much of check_dh_key is voodoo; make x in DH be only 320 bits for DH speed improvement: this wants auditing. [We have blessing from Ian on this.] (Note that DH in SSL is not yet affected.)

svn:r5359
2024-11-27 22:03:31 +01:00 · 2005-11-11 20:18:00 +00:00 · 2005-11-11 20:18:00 +00:00 · f14743a975
commit f14743a975
parent a3c53e0af9
1 changed files with 24 additions and 0 deletions
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@ -1390,6 +1390,8 @@ crypto_dh_new(void)
  return NULL;
 }

+#define DH_PRIVATE_KEY_BITS 320
+
 /** Return the length of the DH key in <b>dh</b>, in bytes.
 */
 int
@ -1405,7 +1407,22 @@ crypto_dh_get_bytes(crypto_dh_env_t *dh)
 int
 crypto_dh_generate_public(crypto_dh_env_t *dh)
 {
+  int pk_bits = BN_num_bits(dh->dh->p);
+  if (pk_bits > DH_PRIVATE_KEY_BITS)
+    pk_bits = DH_PRIVATE_KEY_BITS;
 again:
+  if (!dh->dh->priv_key) {
+    dh->dh->priv_key = BN_new();
+    if (!dh->dh->priv_key) {
+      err(LD_MM, "Unable to allocate BN.");
+      return -1;
+    }
+  }
+  /* We generate the key ourselves so that we can get a 2-3x speedup by using
+   * a 320-bit x instead of a 1024-bit x. */
+  if (!BN_rand(dh->dh->priv_key, pk_bits, 0, 0)) {
+    crypto_log_errors(LOG_WARN, "Generating DH private key");
+  }
  if (!DH_generate_key(dh->dh)) {
    crypto_log_errors(LOG_WARN, "generating DH key");
    return -1;
@ -1462,6 +1479,13 @@ tor_check_dh_key(BIGNUM *bn)
 #define MIN_DIFFERING_BITS 16
  /* This covers another 2^25 keys, which is still negligible. */
 #define MIN_DIST_FROM_EDGE (1<<24)
+  /* XXXX Note that this is basically voodoo.  Really, we only care about 0,
+   * 1, 2, and -1.  The "number of bits set" business is inherited from some
+   * dire warnings in the OpenSSH comments.  Real Cryptographers assure us
+   * that these dire warnings are misplaced.
+   *
+   * Still, it can't hurt.
+   */
  int i, n_bits, n_set;
  BIGNUM *x = NULL;
  char *s;