-
-
Notifications
You must be signed in to change notification settings - Fork 139
/
dh.go
46 lines (40 loc) · 1.56 KB
/
dh.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
package crypto
import (
"errors"
"math/big"
)
// CheckDHParams checks that g_a, g_b and g params meet key exchange conditions.
//
// https://core.telegram.org/mtproto/auth_key#dh-key-exchange-complete
func CheckDHParams(dhPrime, g, gA, gB *big.Int) error {
one := big.NewInt(1)
dhPrimeMinusOne := big.NewInt(0).Sub(dhPrime, one)
if !InRange(g, one, dhPrimeMinusOne) {
return errors.New("kex: bad g, g must be 1 < g < dh_prime - 1")
}
if !InRange(gA, one, dhPrimeMinusOne) {
return errors.New("kex: bad g_a, g_a must be 1 < g_a < dh_prime - 1")
}
if !InRange(gB, one, dhPrimeMinusOne) {
return errors.New("kex: bad g_b, g_b must be 1 < g_b < dh_prime - 1")
}
// IMPORTANT: Apart from the conditions on the Diffie-Hellman prime
// dh_prime and generator g, both sides are to check that g, g_a and
// g_b are greater than 1 and less than dh_prime - 1. We recommend
// checking that g_a and g_b are between 2^{2048-64} and
// dh_prime - 2^{2048-64} as well.
// 2^{2048-64}
safetyRangeMin := big.NewInt(0).Exp(big.NewInt(2), big.NewInt(2048-64), nil)
safetyRangeMax := big.NewInt(0).Sub(dhPrime, safetyRangeMin)
if !InRange(gA, safetyRangeMin, safetyRangeMax) {
return errors.New("kex: bad g_a, g_a must be 2^{2048-64} < g_a < dh_prime - 2^{2048-64}")
}
if !InRange(gB, safetyRangeMin, safetyRangeMax) {
return errors.New("kex: bad g_b, g_b must be 2^{2048-64} < g_b < dh_prime - 2^{2048-64}")
}
return nil
}
// InRange checks whether x is in (min, max) range, i.e. min < x < max.
func InRange(x, min, max *big.Int) bool {
return x.Cmp(min) > 0 && x.Cmp(max) < 0
}