diff options
| -rw-r--r-- | ChangeLog | 13 | ||||
| -rw-r--r-- | kex.c | 26 | ||||
| -rw-r--r-- | kex.h | 4 | ||||
| -rw-r--r-- | sshconnect2.c | 8 | ||||
| -rw-r--r-- | sshd.c | 6 |
5 files changed, 43 insertions, 14 deletions
@@ -13,6 +13,17 @@ - deraadt@cvs.openbsd.org 2001/03/05 16:07:15 [sshd.8] detail default hmac setup too + - markus@cvs.openbsd.org 2001/03/05 17:17:21 + [kex.c kex.h sshconnect2.c sshd.c] + generate a 2*need size (~300 instead of 1024/2048) random private + exponent during the DH key agreement. according to Niels (the great + german advisor) this is safe since /etc/primes contains strong + primes only. + + References: + P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key + agreement with short exponents, In Advances in Cryptology + - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343. 20010305 - (bal) CVS ID touch up on sshpty.[ch] and sshlogin.[ch] @@ -4384,4 +4395,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.912 2001/03/06 01:06:58 mouring Exp $ +$Id: ChangeLog,v 1.913 2001/03/06 01:09:20 mouring Exp $ @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.21 2001/02/11 12:59:24 markus Exp $"); +RCSID("$OpenBSD: kex.c,v 1.22 2001/03/05 17:17:20 markus Exp $"); #include <openssl/crypto.h> #include <openssl/bio.h> @@ -138,15 +138,33 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) } void -dh_gen_key(DH *dh) +dh_gen_key(DH *dh, int need) { - int tries = 0; + int i, bits_set = 0, tries = 0; + if (dh->p == NULL) + fatal("dh_gen_key: dh->p == NULL"); + if (2*need >= BN_num_bits(dh->p)) + fatal("dh_gen_key: group too small: %d (2*need %d)", + BN_num_bits(dh->p), 2*need); do { + if (dh->priv_key != NULL) + BN_free(dh->priv_key); + dh->priv_key = BN_new(); + if (dh->priv_key == NULL) + fatal("dh_gen_key: BN_new failed"); + /* generate a 2*need bits random private exponent */ + if (!BN_rand(dh->priv_key, 2*need, 0, 0)) + fatal("dh_gen_key: BN_rand failed"); if (DH_generate_key(dh) == 0) fatal("DH_generate_key"); + for (i = 0; i <= BN_num_bits(dh->priv_key); i++) + if (BN_is_bit_set(dh->priv_key, i)) + bits_set++; + debug("dh_gen_key: priv key bits set: %d/%d", + bits_set, BN_num_bits(dh->priv_key)); if (tries++ > 10) - fatal("dh_new_group1: too many bad keys: giving up"); + fatal("dh_gen_key: too many bad keys: giving up"); } while (!dh_pub_is_valid(dh, dh->pub_key)); } @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.14 2001/02/11 12:59:24 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.15 2001/03/05 17:17:20 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -106,7 +106,7 @@ void packet_set_kex(Kex *k); int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub); DH *dh_new_group_asc(const char *, const char *); DH *dh_new_group(BIGNUM *, BIGNUM *); -void dh_gen_key(DH *); +void dh_gen_key(DH *, int); DH *dh_new_group1(void); u_char * diff --git a/sshconnect2.c b/sshconnect2.c index 8b523232..0baecf0a 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.49 2001/02/28 09:57:07 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.50 2001/03/05 17:17:21 markus Exp $"); #include <openssl/bn.h> #include <openssl/md5.h> @@ -171,7 +171,7 @@ ssh_dh1_client(Kex *kex, char *host, struct sockaddr *hostaddr, debug("Sending SSH2_MSG_KEXDH_INIT."); /* generate and send 'e', client DH public key */ dh = dh_new_group1(); - dh_gen_key(dh); + dh_gen_key(dh, kex->we_need * 8); packet_start(SSH2_MSG_KEXDH_INIT); packet_put_bignum2(dh->pub_key); packet_send(); @@ -316,7 +316,7 @@ ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr, u_char *kbuf; u_char *hash; - nbits = dh_estimate(kex->enc[MODE_OUT].cipher->key_len * 8); + nbits = dh_estimate(kex->we_need * 8); debug("Sending SSH2_MSG_KEX_DH_GEX_REQUEST."); packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); @@ -342,7 +342,7 @@ ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr, packet_get_bignum2(g, &dlen); dh = dh_new_group(g, p); - dh_gen_key(dh); + dh_gen_key(dh, kex->we_need * 8); #ifdef DEBUG_KEXDH fprintf(stderr, "\np= "); @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.172 2001/03/04 17:42:28 millert Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.173 2001/03/05 17:17:21 markus Exp $"); #include <openssl/dh.h> #include <openssl/bn.h> @@ -1519,7 +1519,7 @@ ssh_dh1_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit) /* KEXDH */ /* generate DH key */ dh = dh_new_group1(); /* XXX depends on 'kex' */ - dh_gen_key(dh); + dh_gen_key(dh, kex->we_need * 8); debug("Wait SSH2_MSG_KEXDH_INIT."); packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT); @@ -1662,7 +1662,7 @@ ssh_dhgex_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit) /* Compute our exchange value in parallel with the client */ - dh_gen_key(dh); + dh_gen_key(dh, kex->we_need * 8); debug("Wait SSH2_MSG_KEX_DH_GEX_INIT."); packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_INIT); |