-rw-r--r-- | ChangeLog | 13 | ||||
-rw-r--r-- | kex.c | 26 | ||||
-rw-r--r-- | kex.h | 4 | ||||
-rw-r--r-- | sshconnect2.c | 8 | ||||
-rw-r--r-- | sshd.c | 6 |
5 files changed, 43 insertions, 14 deletions
@@ -13,6 +13,17 @@ | |||
13 | - deraadt@cvs.openbsd.org 2001/03/05 16:07:15 | 13 | - deraadt@cvs.openbsd.org 2001/03/05 16:07:15 |
14 | [sshd.8] | 14 | [sshd.8] |
15 | detail default hmac setup too | 15 | detail default hmac setup too |
16 | - markus@cvs.openbsd.org 2001/03/05 17:17:21 | ||
17 | [kex.c kex.h sshconnect2.c sshd.c] | ||
18 | generate a 2*need size (~300 instead of 1024/2048) random private | ||
19 | exponent during the DH key agreement. according to Niels (the great | ||
20 | german advisor) this is safe since /etc/primes contains strong | ||
21 | primes only. | ||
22 | |||
23 | References: | ||
24 | P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key | ||
25 | agreement with short exponents, In Advances in Cryptology | ||
26 | - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343. | ||
16 | 27 | ||
17 | 20010305 | 28 | 20010305 |
18 | - (bal) CVS ID touch up on sshpty.[ch] and sshlogin.[ch] | 29 | - (bal) CVS ID touch up on sshpty.[ch] and sshlogin.[ch] |
@@ -4384,4 +4395,4 @@ | |||
4384 | - Wrote replacements for strlcpy and mkdtemp | 4395 | - Wrote replacements for strlcpy and mkdtemp |
4385 | - Released 1.0pre1 | 4396 | - Released 1.0pre1 |
4386 | 4397 | ||
4387 | $Id: ChangeLog,v 1.912 2001/03/06 01:06:58 mouring Exp $ | 4398 | $Id: ChangeLog,v 1.913 2001/03/06 01:09:20 mouring Exp $ |
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: kex.c,v 1.21 2001/02/11 12:59:24 markus Exp $"); | 26 | RCSID("$OpenBSD: kex.c,v 1.22 2001/03/05 17:17:20 markus Exp $"); |
27 | 27 | ||
28 | #include <openssl/crypto.h> | 28 | #include <openssl/crypto.h> |
29 | #include <openssl/bio.h> | 29 | #include <openssl/bio.h> |
@@ -138,15 +138,33 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) | |||
138 | } | 138 | } |
139 | 139 | ||
140 | void | 140 | void |
141 | dh_gen_key(DH *dh) | 141 | dh_gen_key(DH *dh, int need) |
142 | { | 142 | { |
143 | int tries = 0; | 143 | int i, bits_set = 0, tries = 0; |
144 | 144 | ||
145 | if (dh->p == NULL) | ||
146 | fatal("dh_gen_key: dh->p == NULL"); | ||
147 | if (2*need >= BN_num_bits(dh->p)) | ||
148 | fatal("dh_gen_key: group too small: %d (2*need %d)", | ||
149 | BN_num_bits(dh->p), 2*need); | ||
145 | do { | 150 | do { |
151 | if (dh->priv_key != NULL) | ||
152 | BN_free(dh->priv_key); | ||
153 | dh->priv_key = BN_new(); | ||
154 | if (dh->priv_key == NULL) | ||
155 | fatal("dh_gen_key: BN_new failed"); | ||
156 | /* generate a 2*need bits random private exponent */ | ||
157 | if (!BN_rand(dh->priv_key, 2*need, 0, 0)) | ||
158 | fatal("dh_gen_key: BN_rand failed"); | ||
146 | if (DH_generate_key(dh) == 0) | 159 | if (DH_generate_key(dh) == 0) |
147 | fatal("DH_generate_key"); | 160 | fatal("DH_generate_key"); |
161 | for (i = 0; i <= BN_num_bits(dh->priv_key); i++) | ||
162 | if (BN_is_bit_set(dh->priv_key, i)) | ||
163 | bits_set++; | ||
164 | debug("dh_gen_key: priv key bits set: %d/%d", | ||
165 | bits_set, BN_num_bits(dh->priv_key)); | ||
148 | if (tries++ > 10) | 166 | if (tries++ > 10) |
149 | fatal("dh_new_group1: too many bad keys: giving up"); | 167 | fatal("dh_gen_key: too many bad keys: giving up"); |
150 | } while (!dh_pub_is_valid(dh, dh->pub_key)); | 168 | } while (!dh_pub_is_valid(dh, dh->pub_key)); |
151 | } | 169 | } |
152 | 170 | ||
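Review bot: dh_gen_key() bounds `need` only from above (`2*need >= BN_num_bits(dh->p)`), so a zero, negative or very small value derived from the callers' `kex->we_need * 8` still reaches `BN_rand(dh->priv_key, 2*need, 0, 0)`, and `2*need` itself can overflow for a large input. A floor ahead of the existing check would close that, for example `if (need <= 0 || need > INT_MAX / 2) fatal("dh_gen_key: bad need %d", need);`, with the minimum raised to whatever exponent size the project considers acceptable. Separately, `bits_set` is initialised once outside the `do` loop, so after a retry the debug line reports an accumulated count; a `bits_set = 0;` at the top of the loop body fixes it, and the bound `i <= BN_num_bits(dh->priv_key)` tests one index past the top bit. The count is a property of the secret exponent, so it is worth confirming that this `debug()` output never lands in logs readable by other users.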
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.h,v 1.14 2001/02/11 12:59:24 markus Exp $ */ | 1 | /* $OpenBSD: kex.h,v 1.15 2001/03/05 17:17:20 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
@@ -106,7 +106,7 @@ void packet_set_kex(Kex *k); | |||
106 | int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub); | 106 | int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub); |
107 | DH *dh_new_group_asc(const char *, const char *); | 107 | DH *dh_new_group_asc(const char *, const char *); |
108 | DH *dh_new_group(BIGNUM *, BIGNUM *); | 108 | DH *dh_new_group(BIGNUM *, BIGNUM *); |
109 | void dh_gen_key(DH *); | 109 | void dh_gen_key(DH *, int); |
110 | DH *dh_new_group1(void); | 110 | DH *dh_new_group1(void); |
111 | 111 | ||
112 | u_char * | 112 | u_char * |
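Review bot: The new second parameter of `dh_gen_key` is declared as a bare `int`, and nothing in the header says it is a size in bits. Every caller in this commit passes `kex->we_need * 8`, so a later caller passing the byte count by mistake would silently shrink the private exponent by a factor of eight. I would name the parameter and state the unit in the prototype, `void dh_gen_key(DH *, int need /* bits; exponent is 2*need bits */);`.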
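diff --git a/sshconnect2.c b/sshconnect2.c
index 8b523232f..0baecf0a5 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.49 2001/02/28 09:57:07 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.50 2001/03/05 17:17:21 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -171,7 +171,7 @@ ssh_dh1_client(Kex *kex, char *host, struct sockaddr *hostaddr,
 debug("Sending SSH2_MSG_KEXDH_INIT.");
 /* generate and send 'e', client DH public key */
 dh = dh_new_group1();
-dh_gen_key(dh);
+dh_gen_key(dh, kex->we_need * 8);
 packet_start(SSH2_MSG_KEXDH_INIT);
 packet_put_bignum2(dh->pub_key);
 packet_send();
@@ -316,7 +316,7 @@ ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr,
 u_char *kbuf;
 u_char *hash;
 
-nbits = dh_estimate(kex->enc[MODE_OUT].cipher->key_len * 8);
+nbits = dh_estimate(kex->we_need * 8);
 
 debug("Sending SSH2_MSG_KEX_DH_GEX_REQUEST.");
 packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
@@ -342,7 +342,7 @@ ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr,
 packet_get_bignum2(g, &dlen);
 dh = dh_new_group(g, p);
 
-dh_gen_key(dh);
+dh_gen_key(dh, kex->we_need * 8);
 
 #ifdef DEBUG_KEXDH
 fprintf(stderr, "\np= ");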
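Review bot: In ssh_dhgex_client the short exponent from `dh_gen_key(dh, kex->we_need * 8)` is used with a group built by `dh_new_group(g, p)` from values read off the wire with `packet_get_bignum2`, so the ChangeLog's rationale that /etc/primes holds only strong primes does not cover the client, which cannot assume the peer's `p` is a safe prime. No check on `p` or `g` is visible in this hunk, though the function continues outside it and may validate them elsewhere. At minimum I would record the assumption next to the call, `/* short exponent assumes a safe-prime group; p and g are peer-supplied here */`, and confirm that the size of the received `p` is compared with the requested `nbits` before the key is generated.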
@@ -40,7 +40,7 @@ | |||
40 | */ | 40 | */ |
41 | 41 | ||
42 | #include "includes.h" | 42 | #include "includes.h" |
43 | RCSID("$OpenBSD: sshd.c,v 1.172 2001/03/04 17:42:28 millert Exp $"); | 43 | RCSID("$OpenBSD: sshd.c,v 1.173 2001/03/05 17:17:21 markus Exp $"); |
44 | 44 | ||
45 | #include <openssl/dh.h> | 45 | #include <openssl/dh.h> |
46 | #include <openssl/bn.h> | 46 | #include <openssl/bn.h> |
@@ -1519,7 +1519,7 @@ ssh_dh1_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit) | |||
1519 | /* KEXDH */ | 1519 | /* KEXDH */ |
1520 | /* generate DH key */ | 1520 | /* generate DH key */ |
1521 | dh = dh_new_group1(); /* XXX depends on 'kex' */ | 1521 | dh = dh_new_group1(); /* XXX depends on 'kex' */ |
1522 | dh_gen_key(dh); | 1522 | dh_gen_key(dh, kex->we_need * 8); |
1523 | 1523 | ||
1524 | debug("Wait SSH2_MSG_KEXDH_INIT."); | 1524 | debug("Wait SSH2_MSG_KEXDH_INIT."); |
1525 | packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT); | 1525 | packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT); |
@@ -1662,7 +1662,7 @@ ssh_dhgex_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit) | |||
1662 | 1662 | ||
1663 | /* Compute our exchange value in parallel with the client */ | 1663 | /* Compute our exchange value in parallel with the client */ |
1664 | 1664 | ||
1665 | dh_gen_key(dh); | 1665 | dh_gen_key(dh, kex->we_need * 8); |
1666 | 1666 | ||
1667 | debug("Wait SSH2_MSG_KEX_DH_GEX_INIT."); | 1667 | debug("Wait SSH2_MSG_KEX_DH_GEX_INIT."); |
1668 | packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_INIT); | 1668 | packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_INIT); |