- dtucker@cvs.openbsd.org 2014/01/25 10:12:50

[cipher.c cipher.h kex.c kex.h kexgexc.c] Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
author: Damien Miller <djm@mindrot.org> 2014-01-26 09:37:25 +1100
committer: Damien Miller <djm@mindrot.org> 2014-01-26 09:37:25 +1100
commit: 76eea4ab4e658670ca6e76dd1e6d17f262208b57 (patch)
tree: cf69b6a4ae613af69f6a984a68e8e1e7ee268a93
parent: 603b8f47f1cd9ed95a2017447db8e60ca6704594 (diff)
6 files changed, 32 insertions, 8 deletions
diff --git a/ChangeLog b/ChangeLog
index 44e56f4a..64da7a47 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+20130126
+ - OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2014/01/25 10:12:50
+     [cipher.c cipher.h kex.c kex.h kexgexc.c]
+     Add a special case for the DH group size for 3des-cbc, which has an
+     effective strength much lower than the key size.  This causes problems
+     with some cryptlib implementations, which don't support group sizes larger
+     than 4k but also don't use the largest group size it does support as
+     specified in the RFC.  Based on a patch from Petr Lautrbach at Redhat,
+     reduced by me with input from Markus.  ok djm@ markus@
+
 20130125
  - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD
  - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless
diff --git a/cipher.c b/cipher.c
index 76e6c596..2476e653 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.93 2013/12/06 13:34:54 markus Exp $ */
+/* $OpenBSD: cipher.c,v 1.94 2014/01/25 10:12:50 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -142,6 +142,14 @@ cipher_keylen(const Cipher *c)
 }
 
 u_int
+cipher_seclen(const Cipher *c)
+{
+	if (strcmp("3des-cbc", c->name) == 0)
+		return 14;
+	return cipher_keylen(c);
+}
+
+u_int
 cipher_authlen(const Cipher *c)
 {
 	return (c->auth_len);
diff --git a/cipher.h b/cipher.h
index d7824561..133d2e73 100644
--- a/cipher.h
+++ b/cipher.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.h,v 1.43 2013/12/06 13:34:54 markus Exp $ */
+/* $OpenBSD: cipher.h,v 1.44 2014/01/25 10:12:50 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -89,6 +89,7 @@ void	 cipher_cleanup(CipherContext *);
 void	 cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
 u_int	 cipher_blocksize(const Cipher *);
 u_int	 cipher_keylen(const Cipher *);
+u_int	 cipher_seclen(const Cipher *);
 u_int	 cipher_authlen(const Cipher *);
 u_int	 cipher_ivlen(const Cipher *);
 u_int	 cipher_is_cbc(const Cipher *);
diff --git a/kex.c b/kex.c
index 7d054cdc..39d16f8e 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.95 2014/01/12 08:13:13 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.96 2014/01/25 10:12:50 dtucker Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -458,7 +458,7 @@ kex_choose_conf(Kex *kex)
 	char **my, **peer;
 	char **cprop, **sprop;
 	int nenc, nmac, ncomp;
-	u_int mode, ctos, need, authlen;
+	u_int mode, ctos, need, dh_need, authlen;
 	int first_kex_follows, type;
 
 	my   = kex_buf2prop(&kex->my, NULL);
@@ -506,7 +506,7 @@ kex_choose_conf(Kex *kex)
 	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
 	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
-	need = 0;
+	need = dh_need = 0;
 	for (mode = 0; mode < MODE_MAX; mode++) {
 		newkeys = kex->newkeys[mode];
 		if (need < newkeys->enc.key_len)
@@ -517,9 +517,12 @@ kex_choose_conf(Kex *kex)
 			need = newkeys->enc.iv_len;
 		if (need < newkeys->mac.key_len)
 			need = newkeys->mac.key_len;
+		if (dh_need < cipher_seclen(newkeys->enc.cipher))
+			dh_need = cipher_seclen(newkeys->enc.cipher);
 	}
 	/* XXX need runden? */
 	kex->we_need = need;
+	kex->dh_need = dh_need;
 
 	/* ignore the next message if the proposals do not match */
 	if (first_kex_follows && !proposals_match(my, peer) &&
diff --git a/kex.h b/kex.h
index 7e2878f7..1aa3ec26 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.60 2014/01/12 08:13:13 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.61 2014/01/25 10:12:50 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -124,6 +124,7 @@ struct Kex {
 	u_int	session_id_len;
 	Newkeys	*newkeys[MODE_MAX];
 	u_int	we_need;
+	u_int	dh_need;
 	int	server;
 	char	*name;
 	int	hostkey_type;
diff --git a/kexgexc.c b/kexgexc.c
index a69ff270..629b5fbb 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexc.c,v 1.15 2014/01/12 08:13:13 djm Exp $ */
+/* $OpenBSD: kexgexc.c,v 1.16 2014/01/25 10:12:50 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -58,7 +58,7 @@ kexgex_client(Kex *kex)
 	int min, max, nbits;
 	DH *dh;
 
-	nbits = dh_estimate(kex->we_need * 8);
+	nbits = dh_estimate(kex->dh_need * 8);
 
 	if (datafellows & SSH_OLD_DHGEX) {
 		/* Old GEX request */
author	Damien Miller <djm@mindrot.org>	2014-01-26 09:37:25 +1100
committer	Damien Miller <djm@mindrot.org>	2014-01-26 09:37:25 +1100
commit	76eea4ab4e658670ca6e76dd1e6d17f262208b57 (patch)
tree	cf69b6a4ae613af69f6a984a68e8e1e7ee268a93
parent	603b8f47f1cd9ed95a2017447db8e60ca6704594 (diff)