On Sat, 16 Nov 2013, Christian Weisgerber wrote:
> Markus Friedl:
>
> > > (chacha20-poly1305 doesn't work with diffie-hellman-group1-sha1
> > > because the latter can't provide the required 512 bits of key
> > > material.)
> >
> > why should it not work? in this case the key gets expanded,
> > even if the security margin of the kex is smaller.
>
> Well, it doesn't.
>
> $ ssh -c chacha20-poly1305@openssh.com -oKexAlgorithms=diffie-hellman-group1-sha1 localhost
> dh_gen_key: group too small: 1024 (2*need 1024)

I think that check is incorrect (and could be simplified):
Index: dh.c
==================================================================RCS file:
/cvs/src/usr.bin/ssh/dh.c,v
retrieving revision 1.52
diff -u -p -r1.52 dh.c
--- dh.c 8 Oct 2013 11:42:13 -0000 1.52
+++ dh.c 17 Nov 2013 23:08:38 -0000
@@ -257,7 +257,7 @@ dh_gen_key(DH *dh, int need)
fatal("dh_gen_key: need < 0");
if (dh->p == NULL)
fatal("dh_gen_key: dh->p == NULL");
- if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
+ if (need > BN_num_bits(dh->p) / 2)
fatal("dh_gen_key: group too small: %d (2*need %d)",
BN_num_bits(dh->p), 2*need);
do {
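
Review bot: In the fatal() call left as context right after the changed line, the argument 2*need is still evaluated, and with the need > INT_MAX / 2 guard dropped from the condition that multiplication can now overflow a signed int when need is very large. The new comparison avoids the multiplication, so the message should do the same: print need itself and adjust the format string to match. Separately, the condition moves from 2 * need >= BN_num_bits(dh->p) to need > BN_num_bits(dh->p) / 2, which now accepts the case where 2*need equals the group size, as in the 1024 / 1024 failure quoted above. A one-line comment stating that equality is intentionally allowed would make the boundary explicit for later readers.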