limit the size of the DH exponent
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 25 Dec 2013 15:30:11 +0000 (16:30 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 25 Dec 2013 15:30:11 +0000 (16:30 +0100)
lib/nettle/pk.c

index 286592240adc179e5ed88221e0b93b75ded46c8f..82670f69bf412b483dba9a83b15dcffab96c0e76 100644 (file)
@@ -168,6 +168,11 @@ ecc_shared_secret(struct ecc_scalar *private_key,
 }
 
 #define MAX_DH_BITS DEFAULT_MAX_VERIFY_BITS
+/* This is used when we have no idea on the structure
+ * of p-1 used by the peer. It is still a conservative
+ * choice, but small than what we've been using before.
+ */
+#define DH_EXPONENT_SIZE (2*_gnutls_pk_bits_to_subgroup_bits(GNUTLS_SEC_PARAM_HIGH))
 
 /* This is used for DH or ECDH key derivation. In DH for example
  * it is given the peers Y and our x, and calculates Y^x 
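Review bot: The comment above DH_EXPONENT_SIZE misstates its own rationale — "small than" should be "smaller than", and it never says why twice the subgroup size is a safe exponent length when the structure of p-1 is unknown, which is the security argument a reader of this constant needs. I would replace the four comment lines with `/* Exponent size used when the structure of p-1 is unknown: twice the subgroup bits of GNUTLS_SEC_PARAM_HIGH, so generic square-root discrete-log attacks on the exponent stay above the target security level; still conservative, but smaller than the full size of p used before. */`. Since the macro expands to a call of _gnutls_pk_bits_to_subgroup_bits() at every use site, its return type is not visible in this hunk; if it is signed, comparing it against an unsigned size inside MIN() at the call site deserves a check.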
@@ -905,11 +910,12 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
                                        nettle_mpz_random(x, NULL, rnd_func, r);
                                        mpz_add_ui(x, x, 1);
                                } else {
+                                       unsigned size = mpz_sizeinbase(pub.p, 2);
                                        if (level == 0)
-                                               level = mpz_sizeinbase(pub.p, 2);
+                                               level = MIN(size, DH_EXPONENT_SIZE);
                                        nettle_mpz_random_size(x, NULL, rnd_func, level);
 
-                                       if (level >= mpz_sizeinbase(pub.p, 2))
+                                       if (level >= size)
                                                mpz_mod(x, x, pub.p);
                                }