diff options
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | dh.c | 28 | ||||
-rw-r--r-- | dh.h | 3 | ||||
-rw-r--r-- | kex.c | 4 | ||||
-rw-r--r-- | kex.h | 4 | ||||
-rw-r--r-- | kexdhc.c | 13 | ||||
-rw-r--r-- | kexdhs.c | 13 | ||||
-rw-r--r-- | monitor.c | 3 | ||||
-rw-r--r-- | myproposal.h | 6 | ||||
-rw-r--r-- | ssh-keyscan.c | 3 | ||||
-rw-r--r-- | sshconnect2.c | 3 | ||||
-rw-r--r-- | sshd.c | 3 |
12 files changed, 72 insertions, 18 deletions
@@ -15,6 +15,11 @@ - pedro@cvs.openbsd.org 2004/06/03 12:22:20 [sftp-client.c sftp.c] initialize pointers, ok markus@ + - djm@cvs.openbsd.org 2004/06/13 12:53:24 + [dh.c dh.h kex.c kex.h kexdhc.c kexdhs.c monitor.c myproposal.h] + [ssh-keyscan.c sshconnect2.c sshd.c] + implement diffie-hellman-group14-sha1 kex method (trivial extension to + existing diffie-hellman-group1-sha1); ok markus@ 20040603 - (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions. @@ -1199,4 +1204,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3379 2004/06/15 00:28:56 djm Exp $ +$Id: ChangeLog,v 1.3380 2004/06/15 00:30:09 djm Exp $ @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: dh.c,v 1.29 2004/02/27 22:49:27 dtucker Exp $"); +RCSID("$OpenBSD: dh.c,v 1.30 2004/06/13 12:53:24 djm Exp $"); #include "xmalloc.h" @@ -115,8 +115,9 @@ choose_dh(int min, int wantbits, int max) if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL && (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) { - logit("WARNING: %s does not exist, using old modulus", _PATH_DH_MODULI); - return (dh_new_group1()); + logit("WARNING: %s does not exist, using fixed modulus", + _PATH_DH_MODULI); + return (dh_new_group14()); } linenum = 0; @@ -169,7 +170,7 @@ choose_dh(int min, int wantbits, int max) return (dh_new_group(dhg.g, dhg.p)); } -/* diffie-hellman-group1-sha1 */ +/* diffie-hellman-groupN-sha1 */ int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) @@ -272,6 +273,25 @@ dh_new_group1(void) return (dh_new_group_asc(gen, group1)); } +DH * +dh_new_group14(void) +{ + static char *gen = "2", *group14 = + "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" + "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" + "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" + "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" + "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D" + "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F" + "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D" + "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B" + "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9" + "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510" + "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF"; + + return (dh_new_group_asc(gen, group14)); +} + /* * Estimates the group order for a Diffie-Hellman group that has an * attack complexity approximately the same as O(2**bits). Estimate @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.7 2001/06/26 17:27:23 markus Exp $ */ +/* $OpenBSD: dh.h,v 1.8 2004/06/13 12:53:24 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. @@ -36,6 +36,7 @@ DH *choose_dh(int, int, int); DH *dh_new_group_asc(const char *, const char *); DH *dh_new_group(BIGNUM *, BIGNUM *); DH *dh_new_group1(void); +DH *dh_new_group14(void); void dh_gen_key(DH *, int); int dh_pub_is_valid(DH *, BIGNUM *); @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.58 2004/05/09 01:26:48 djm Exp $"); +RCSID("$OpenBSD: kex.c,v 1.59 2004/06/13 12:53:24 djm Exp $"); #include <openssl/crypto.h> @@ -293,6 +293,8 @@ choose_kex(Kex *k, char *client, char *server) fatal("no kex alg"); if (strcmp(k->name, KEX_DH1) == 0) { k->kex_type = KEX_DH_GRP1_SHA1; + } else if (strcmp(k->name, KEX_DH14) == 0) { + k->kex_type = KEX_DH_GRP14_SHA1; } else if (strcmp(k->name, KEX_DHGEX) == 0) { k->kex_type = KEX_DH_GEX_SHA1; } else @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.34 2004/05/21 08:43:03 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.35 2004/06/13 12:53:24 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -32,6 +32,7 @@ #include "key.h" #define KEX_DH1 "diffie-hellman-group1-sha1" +#define KEX_DH14 "diffie-hellman-group14-sha1" #define KEX_DHGEX "diffie-hellman-group-exchange-sha1" enum kex_init_proposals { @@ -56,6 +57,7 @@ enum kex_modes { enum kex_exchange { KEX_DH_GRP1_SHA1, + KEX_DH_GRP14_SHA1, KEX_DH_GEX_SHA1, KEX_MAX }; @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kexdhc.c,v 1.1 2003/02/16 17:09:57 markus Exp $"); +RCSID("$OpenBSD: kexdhc.c,v 1.2 2004/06/13 12:53:24 djm Exp $"); #include "xmalloc.h" #include "key.h" @@ -44,7 +44,16 @@ kexdh_client(Kex *kex) u_int klen, kout, slen, sbloblen; /* generate and send 'e', client DH public key */ - dh = dh_new_group1(); + switch (kex->kex_type) { + case KEX_DH_GRP1_SHA1: + dh = dh_new_group1(); + break; + case KEX_DH_GRP14_SHA1: + dh = dh_new_group14(); + break; + default: + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); + } dh_gen_key(dh, kex->we_need * 8); packet_start(SSH2_MSG_KEXDH_INIT); packet_put_bignum2(dh->pub_key); @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kexdhs.c,v 1.1 2003/02/16 17:09:57 markus Exp $"); +RCSID("$OpenBSD: kexdhs.c,v 1.2 2004/06/13 12:53:24 djm Exp $"); #include "xmalloc.h" #include "key.h" @@ -45,7 +45,16 @@ kexdh_server(Kex *kex) u_int slen; /* generate server DH public key */ - dh = dh_new_group1(); + switch (kex->kex_type) { + case KEX_DH_GRP1_SHA1: + dh = dh_new_group1(); + break; + case KEX_DH_GRP14_SHA1: + dh = dh_new_group14(); + break; + default: + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); + } dh_gen_key(dh, kex->we_need * 8); debug("expecting SSH2_MSG_KEXDH_INIT"); @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.57 2004/05/11 19:01:43 deraadt Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.58 2004/06/13 12:53:24 djm Exp $"); #include <openssl/dh.h> @@ -1546,6 +1546,7 @@ mm_get_kex(Buffer *m) fatal("mm_get_get: internal error: bad session id"); kex->we_need = buffer_get_int(m); kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; + kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->server = 1; kex->hostkey_type = buffer_get_int(m); diff --git a/myproposal.h b/myproposal.h index 8b431d9d..228ed688 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.15 2003/05/17 04:27:52 markus Exp $ */ +/* $OpenBSD: myproposal.h,v 1.16 2004/06/13 12:53:24 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -23,7 +23,9 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" +#define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1," \ + "diffie-hellman-group14-sha1," \ + "diffie-hellman-group1-sha1" #define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" #define KEX_DEFAULT_ENCRYPT \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \ diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 266b23cb..c4a2414b 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -7,7 +7,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keyscan.c,v 1.47 2004/03/08 09:38:05 djm Exp $"); +RCSID("$OpenBSD: ssh-keyscan.c,v 1.48 2004/06/13 12:53:24 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -349,6 +349,7 @@ keygrab_ssh2(con *c) "ssh-dss": "ssh-rsa"; c->c_kex = kex_setup(myproposal); c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client; + c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; c->c_kex->verify_host_key = hostjump; diff --git a/sshconnect2.c b/sshconnect2.c index 06d88428..68d56d02 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.137 2004/05/08 00:21:31 djm Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.138 2004/06/13 12:53:24 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -120,6 +120,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) /* start key exchange */ kex = kex_setup(myproposal); kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client; + kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.291 2004/05/09 01:19:28 djm Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.292 2004/06/13 12:53:24 djm Exp $"); #include <openssl/dh.h> #include <openssl/bn.h> @@ -1774,6 +1774,7 @@ do_ssh2_kex(void) /* start key exchange */ kex = kex_setup(myproposal); kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; + kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->server = 1; kex->client_version_string=client_version_string; |