diff options
author | des <des@FreeBSD.org> | 2016-02-07 11:38:54 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2016-02-07 11:38:54 +0000 |
commit | 5a18868b2d506b9e2254047d8d9fb9df5b2a8ae0 (patch) | |
tree | 4db6899304517c45f13302b0b11d3144c257dada /crypto/openssh/dh.c | |
parent | c76cb9755e8e722ba04e0c26cf28ecc0adeb52de (diff) | |
download | FreeBSD-src-5a18868b2d506b9e2254047d8d9fb9df5b2a8ae0.zip FreeBSD-src-5a18868b2d506b9e2254047d8d9fb9df5b2a8ae0.tar.gz |
MFH (r265214, r294333, r294407, r294467): misc prop fixes
MFH (r285975, r287143): register mergeinfo for security fixes
MFH (r294497, r294498, r295139): internal documentation
MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap
MFH (r294332): upgrade to openssh 6.8p1
MFH (r294367): update pam_ssh for api changes
MFH (r294909): switch usedns back on
MFH (r294336): upgrade to openssh 6.9p1
MFH (r294495): re-enable dsa keys
MFH (r294464): upgrade to openssh 7.0p1
MFH (r294496): upgrade to openssh 7.1p2
Approved by: re (gjb)
Relnotes: yes
Diffstat (limited to 'crypto/openssh/dh.c')
-rw-r--r-- | crypto/openssh/dh.c | 105 |
1 files changed, 73 insertions, 32 deletions
diff --git a/crypto/openssh/dh.c b/crypto/openssh/dh.c index 3331cda..4c639ac 100644 --- a/crypto/openssh/dh.c +++ b/crypto/openssh/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.53 2013/11/21 00:45:44 djm Exp $ */ +/* $OpenBSD: dh.c,v 1.57 2015/05/27 23:39:18 dtucker Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * @@ -25,7 +25,7 @@ #include "includes.h" -#include <sys/param.h> +#include <sys/param.h> /* MIN */ #include <openssl/bn.h> #include <openssl/dh.h> @@ -34,11 +34,13 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <limits.h> #include "dh.h" #include "pathnames.h" #include "log.h" #include "misc.h" +#include "ssherr.h" static int parse_prime(int linenum, char *line, struct dhgroup *dhg) @@ -107,10 +109,11 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) goto fail; } - if ((dhg->g = BN_new()) == NULL) - fatal("parse_prime: BN_new failed"); - if ((dhg->p = BN_new()) == NULL) - fatal("parse_prime: BN_new failed"); + if ((dhg->g = BN_new()) == NULL || + (dhg->p = BN_new()) == NULL) { + error("parse_prime: BN_new failed"); + goto fail; + } if (BN_hex2bn(&dhg->g, gen) == 0) { error("moduli:%d: could not parse generator value", linenum); goto fail; @@ -128,7 +131,6 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) error("moduli:%d: generator is invalid", linenum); goto fail; } - return 1; fail: @@ -137,7 +139,6 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) if (dhg->p != NULL) BN_clear_free(dhg->p); dhg->g = dhg->p = NULL; - error("Bad prime description in line %d", linenum); return 0; } @@ -154,7 +155,7 @@ choose_dh(int min, int wantbits, int max) (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) { logit("WARNING: %s does not exist, using fixed modulus", _PATH_DH_MODULI); - return (dh_new_group14()); + return (dh_new_group_fallback(max)); } linenum = 0; @@ -182,7 +183,7 @@ choose_dh(int min, int wantbits, int max) if (bestcount == 0) { fclose(f); logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES); - return (dh_new_group14()); + return (dh_new_group_fallback(max)); } linenum = 0; @@ -200,9 +201,11 @@ choose_dh(int min, int wantbits, int max) break; } fclose(f); - if (linenum != which+1) - fatal("WARNING: line %d disappeared in %s, giving up", + if (linenum != which+1) { + logit("WARNING: line %d disappeared in %s, giving up", which, _PATH_DH_PRIMES); + return (dh_new_group_fallback(max)); + } return (dh_new_group(dhg.g, dhg.p)); } @@ -251,22 +254,22 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) return 0; } -void +int dh_gen_key(DH *dh, int need) { int pbits; - if (need <= 0) - fatal("%s: need <= 0", __func__); - if (dh->p == NULL) - fatal("%s: dh->p == NULL", __func__); - if ((pbits = BN_num_bits(dh->p)) <= 0) - fatal("%s: bits(p) <= 0", __func__); + if (need < 0 || dh->p == NULL || + (pbits = BN_num_bits(dh->p)) <= 0 || + need > INT_MAX / 2 || 2 * need > pbits) + return SSH_ERR_INVALID_ARGUMENT; dh->length = MIN(need * 2, pbits - 1); - if (DH_generate_key(dh) == 0) - fatal("%s: key generation failed", __func__); - if (!dh_pub_is_valid(dh, dh->pub_key)) - fatal("%s: generated invalid key", __func__); + if (DH_generate_key(dh) == 0 || + !dh_pub_is_valid(dh, dh->pub_key)) { + BN_clear_free(dh->priv_key); + return SSH_ERR_LIBCRYPTO_ERROR; + } + return 0; } DH * @@ -275,13 +278,12 @@ dh_new_group_asc(const char *gen, const char *modulus) DH *dh; if ((dh = DH_new()) == NULL) - fatal("dh_new_group_asc: DH_new"); - - if (BN_hex2bn(&dh->p, modulus) == 0) - fatal("BN_hex2bn p"); - if (BN_hex2bn(&dh->g, gen) == 0) - fatal("BN_hex2bn g"); - + return NULL; + if (BN_hex2bn(&dh->p, modulus) == 0 || + BN_hex2bn(&dh->g, gen) == 0) { + DH_free(dh); + return NULL; + } return (dh); } @@ -296,7 +298,7 @@ dh_new_group(BIGNUM *gen, BIGNUM *modulus) DH *dh; if ((dh = DH_new()) == NULL) - fatal("dh_new_group: DH_new"); + return NULL; dh->p = modulus; dh->g = gen; @@ -337,6 +339,45 @@ dh_new_group14(void) } /* + * 4k bit fallback group used by DH-GEX if moduli file cannot be read. + * Source: MODP group 16 from RFC3526. + */ +DH * +dh_new_group_fallback(int max) +{ + static char *gen = "2", *group16 = + "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" + "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" + "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" + "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" + "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D" + "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F" + "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D" + "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B" + "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9" + "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510" + "15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64" + "ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7" + "ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B" + "F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C" + "BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31" + "43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7" + "88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA" + "2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6" + "287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED" + "1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9" + "93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34063199" + "FFFFFFFF" "FFFFFFFF"; + + if (max < 4096) { + debug3("requested max size %d, using 2k bit group 14", max); + return dh_new_group14(); + } + debug3("using 4k bit group 16"); + return (dh_new_group_asc(gen, group16)); +} + +/* * Estimates the group order for a Diffie-Hellman group that has an * attack complexity approximately the same as O(2**bits). * Values from NIST Special Publication 800-57: Recommendation for Key @@ -344,7 +385,7 @@ dh_new_group14(void) * from RFC4419 section 3. */ -int +u_int dh_estimate(int bits) { if (bits <= 112) |