ECDH, early capabilities, etc.

Mark Wooding mdw at
Sat Apr 29 13:00:48 BST 2017

Ian Jackson <ijackson at> writes:

> How about this:
>  #define CAPAB_EXPLICIT_TRANSFORM_DH      0x00001000
>  #define CAPAB_BIT_TRADZP           10
>  #define CAPAB_BIT_X448             11
>  #define CAPAB_BIT_X25519           12
> EXPLICIT_TRANSFORM_DH means that all supported key agreement schemes
> and transforms are explicitly advertised by a capability bit
> somewhere, and abolishes the MASK.
> Rules for interpreting the field:
>        0     0000        ANCIENT + TRADZP only
>        0     nonzero     specified transforms; TRADZP only for DH
>        1     irrelevant  specified transforms and DH groups only
>                          (mediumly-old clients will think this means
>                          specified transforms but just TRADZP for DH)
> If we run out of bits in the old MASK, we can now extend it because
> EXPLICIT means we don't have to keep to the bottom 15.
> Or do you think that's all too fiddly ?

It's a little fiddly, but I don't think it's too bad.

One thing: it seems odd that a bit is doing double duty as the
EXPLICIT flag and signalling X25519.  Should EXPLICIT have been
0x000080000 instead?

> The dh public value could be not hex for the new groups.

Hmm.  I'll 

> The message type code field is 32 bits.  I see nothing wrong with
> #define LABEL_MSG3TER 0x23030323.

OK.  I'll do it that way then.  But I think I'm going to add some macros
for dissecting MSG3 variant labels into base type and variant codes,
because otherwise /next/ time around `unpick_msg' will be rather ugly.

> The hexification could be moved to the trad Zp group code.

The hexification is already there.  The sticking point is really that
the API between DH groups and the network protocol involves a
null-terminated string.  Let me have a play...

> Sounds like good progress!

I've made new test machinery, and the new algorithms pass.  I did have a
problem on 64-bit targets, which I tracked down to a bug in one of my
macros exposed by different type selection in Secnet, so that's a fix
which has gone upstream.

I appear to be incapable of sitting down and just making a single change
to a program, so 16 commits so far.  My (very much rewinding) branch is
`mdw/xdh', in

The sooner I hear about problems, the easier they are to fix, so I'd be
interested in comments anyone might have.

-- [mdw]
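The capability-word rules quoted above, carried through as an added C example (not Secnet's own code, and not code from either poster). It uses the constants exactly as proposed, assumes that the old transform MASK is the bottom 15 bits (the page only says "keep to the bottom 15"), and uses its own names (`capab_decode`, `capab_dh_common`, `explicit_implies_x25519`) rather than anything from the Secnet API. The last function makes the double-duty concern concrete: because EXPLICIT and X25519 share bit 12, a peer cannot advertise EXPLICIT without also advertising X25519, and `capab_dh_common` shows the interop consequence when an EXPLICIT peer omits TRADZP while talking to an older one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability constants exactly as proposed in the quoted message. */
#define CAPAB_EXPLICIT_TRANSFORM_DH 0x00001000u
#define CAPAB_BIT_TRADZP            10
#define CAPAB_BIT_X448              11
#define CAPAB_BIT_X25519            12

/* Assumption (not stated on the page): the old transform MASK is the
 * bottom 15 bits, as "keep to the bottom 15" suggests. */
#define CAPAB_OLD_MASK              0x00007fffu

#define CAPAB_BIT(n)                (1u << (n))

/* Result of interpreting a peer's 32-bit capability word. */
struct capab_decoded {
    bool ancient;     /* only the pre-capability ("ANCIENT") transforms */
    bool explicit_dh; /* DH group bits are authoritative */
    bool dh_tradzp;
    bool dh_x448;
    bool dh_x25519;
};

/* Apply the three rows of the "Rules for interpreting the field" table. */
struct capab_decoded capab_decode(uint32_t caps)
{
    struct capab_decoded d = { false, false, false, false, false };
    bool explicit_flag = (caps & CAPAB_EXPLICIT_TRANSFORM_DH) != 0;
    uint32_t old_mask = caps & CAPAB_OLD_MASK;

    if (explicit_flag) {
        /* Row 3: transforms and DH groups are all advertised explicitly;
         * nothing is implied, so only the named groups are usable. */
        d.explicit_dh = true;
        d.dh_tradzp = (caps & CAPAB_BIT(CAPAB_BIT_TRADZP)) != 0;
        d.dh_x448   = (caps & CAPAB_BIT(CAPAB_BIT_X448)) != 0;
        d.dh_x25519 = (caps & CAPAB_BIT(CAPAB_BIT_X25519)) != 0;
    } else {
        /* Rows 1 and 2: without EXPLICIT the DH bits carry no meaning
         * (a mediumly-old client does not know them at all) and the
         * only group is the traditional Z_p one. */
        d.ancient = (old_mask == 0);
        d.dh_tradzp = true;
    }
    return d;
}

/* Bitmask (in the DH bit positions) of the groups two peers both offer;
 * zero means the peers have no DH group in common. */
uint32_t capab_dh_common(uint32_t a, uint32_t b)
{
    struct capab_decoded da = capab_decode(a), db = capab_decode(b);
    uint32_t common = 0;
    if (da.dh_tradzp && db.dh_tradzp) common |= CAPAB_BIT(CAPAB_BIT_TRADZP);
    if (da.dh_x448 && db.dh_x448)     common |= CAPAB_BIT(CAPAB_BIT_X448);
    if (da.dh_x25519 && db.dh_x25519) common |= CAPAB_BIT(CAPAB_BIT_X25519);
    return common;
}

/* The double-duty problem raised in the reply: EXPLICIT and X25519 share
 * bit 12, so any word with EXPLICIT set necessarily advertises X25519. */
bool explicit_implies_x25519(uint32_t caps)
{
    struct capab_decoded d = capab_decode(caps | CAPAB_EXPLICIT_TRANSFORM_DH);
    return d.dh_x25519;
}

static void show(const char *label, uint32_t caps)
{
    struct capab_decoded d = capab_decode(caps);
    printf("%-28s 0x%08x ancient=%d explicit=%d tradzp=%d x448=%d x25519=%d\n",
           label, caps, d.ancient, d.explicit_dh, d.dh_tradzp, d.dh_x448, d.dh_x25519);
}

int main(void)
{
    /* Constructed sample words, one per row of the table. */
    show("ancient peer", 0x00000000u);
    show("old peer, transforms only", 0x00000001u);
    show("explicit, X448 only wanted", CAPAB_EXPLICIT_TRANSFORM_DH | CAPAB_BIT(CAPAB_BIT_X448));
    printf("common DH with old peer when TRADZP omitted: 0x%08x\n",
           capab_dh_common(0x00000001u, CAPAB_EXPLICIT_TRANSFORM_DH));
    return 0;
}
```

The "X448 only wanted" word shows X25519 as advertised too, which is exactly the overlap the reply questions; moving EXPLICIT to a bit outside the DH range would remove it.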

More information about the sgo-software-discuss mailing list