authordtucker@openbsd.org <dtucker@openbsd.org>2015-05-27 23:39:18 +0000
committerDamien Miller <djm@mindrot.org>2015-05-28 13:53:13 +1000
commit40f64292b907afd0a674fdbf3e4c2356d17a7d68 (patch)
treeb1bc6d972fd8cd1ad234468a30cd5c92ea2fd174 /dh.c
parent5ab7d5fa03ad55bc438fab45dfb3aeb30a3c237a (diff)
upstream commit
Add a stronger (4k bit) fallback group that sshd can use when the moduli file is missing or broken, sourced from RFC3526. bz#2302, ok markus@ (earlier version), djm@ Upstream-ID: b635215746a25a829d117673d5e5a76d4baee7f4
Diffstat (limited to 'dh.c')
-rw-r--r--dh.c47
1 files changed, 43 insertions, 4 deletions
diff --git a/dh.c b/dh.c
index 1e5388d7f..4c639acc3 100644
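--- a/dh.c
+++ b/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.56 2015/03/26 06:59:28 djm Exp $ */
+/* $OpenBSD: dh.c,v 1.57 2015/05/27 23:39:18 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos. All rights reserved.
  *
@@ -155,7 +155,7 @@ choose_dh(int min, int wantbits, int max)
  (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
  logit("WARNING: %s does not exist, using fixed modulus",
  _PATH_DH_MODULI);
- return (dh_new_group14());
+ return (dh_new_group_fallback(max));
  }
 
  linenum = 0;
@@ -183,7 +183,7 @@ choose_dh(int min, int wantbits, int max)
  if (bestcount == 0) {
  fclose(f);
  logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
- return (dh_new_group14());
+ return (dh_new_group_fallback(max));
  }
 
  linenum = 0;
@@ -204,7 +204,7 @@ choose_dh(int min, int wantbits, int max)
  if (linenum != which+1) {
  logit("WARNING: line %d disappeared in %s, giving up",
  which, _PATH_DH_PRIMES);
- return (dh_new_group14());
+ return (dh_new_group_fallback(max));
  }
 
  return (dh_new_group(dhg.g, dhg.p));
@@ -339,6 +339,45 @@ dh_new_group14(void)
 }
 
 /*
+ * 4k bit fallback group used by DH-GEX if moduli file cannot be read.
+ * Source: MODP group 16 from RFC3526.
+ */
+DH *
+dh_new_group_fallback(int max)
+{
+ static char *gen = "2", *group16 =
+ "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
+ "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
+ "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
+ "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
+ "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
+ "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
+ "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
+ "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
+ "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
+ "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
+ "15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64"
+ "ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7"
+ "ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B"
+ "F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C"
+ "BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31"
+ "43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7"
+ "88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA"
+ "2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6"
+ "287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED"
+ "1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9"
+ "93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34063199"
+ "FFFFFFFF" "FFFFFFFF";
+
+ if (max < 4096) {
+ debug3("requested max size %d, using 2k bit group 14", max);
+ return dh_new_group14();
+ }
+ debug3("using 4k bit group 16");
+ return (dh_new_group_asc(gen, group16));
+}
+
+/*
  * Estimates the group order for a Diffie-Hellman group that has an
  * attack complexity approximately the same as O(2**bits).
  * Values from NIST Special Publication 800-57: Recommendation for Key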
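Review bot: The comment above dh_new_group_fallback() describes only the 4k group, but the function returns the 2k bit group 14 whenever `max < 4096` and never looks at the `min` or `wantbits` that choose_dh() received, so a peer's lower bound is not checked on this path. I would add a line such as ` * Returns group 14 instead when max < 4096; min and wantbits are not consulted.` to that comment. The group actually chosen is reported only through debug3(), so at a normal log level the WARNING lines in choose_dh() say "using fixed modulus" without naming which one; naming the group in those messages would help an operator auditing key-exchange strength. The `return dh_new_group14();` in the `max < 4096` branch also drops the parentheses that the other return statements in these hunks use. choose_dh() is only partly visible in the hunks.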