-/* $OpenBSD: dh.c,v 1.47 2008/06/26 09:19:39 djm Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
*
*/
#include "includes.h"
+RCSID("$OpenBSD: dh.c,v 1.17 2001/06/23 15:12:18 itojun Exp $");
-#include <sys/param.h>
+#include "xmalloc.h"
#include <openssl/bn.h>
#include <openssl/dh.h>
+#include <openssl/evp.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
+#include "buffer.h"
+#include "cipher.h"
+#include "kex.h"
#include "dh.h"
#include "pathnames.h"
#include "log.h"
{
char *cp, *arg;
char *strsize, *gen, *prime;
- const char *errstr = NULL;
- long long n;
cp = line;
- if ((arg = strdelim(&cp)) == NULL)
- return 0;
+ arg = strdelim(&cp);
/* Ignore leading whitespace */
if (*arg == '\0')
arg = strdelim(&cp);
- if (!arg || !*arg || *arg == '#')
+ if (!*arg || *arg == '#')
return 0;
/* time */
arg = strsep(&cp, " "); /* type */
if (cp == NULL || *arg == '\0')
goto fail;
- /* Ensure this is a safe prime */
- n = strtonum(arg, 0, 5, &errstr);
- if (errstr != NULL || n != MODULI_TYPE_SAFE)
- goto fail;
arg = strsep(&cp, " "); /* tests */
if (cp == NULL || *arg == '\0')
goto fail;
- /* Ensure prime has been tested and is not composite */
- n = strtonum(arg, 0, 0x1f, &errstr);
- if (errstr != NULL ||
- (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE))
- goto fail;
arg = strsep(&cp, " "); /* tries */
if (cp == NULL || *arg == '\0')
goto fail;
- n = strtonum(arg, 0, 1<<30, &errstr);
- if (errstr != NULL || n == 0)
- goto fail;
strsize = strsep(&cp, " "); /* size */
if (cp == NULL || *strsize == '\0' ||
- (dhg->size = (u_int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
- errstr)
+ (dhg->size = atoi(strsize)) == 0)
goto fail;
/* The whole group is one bit larger */
dhg->size++;
if (cp != NULL || *prime == '\0')
goto fail;
- if ((dhg->g = BN_new()) == NULL)
- fatal("parse_prime: BN_new failed");
- if ((dhg->p = BN_new()) == NULL)
- fatal("parse_prime: BN_new failed");
+ dhg->g = BN_new();
+ dhg->p = BN_new();
if (BN_hex2bn(&dhg->g, gen) == 0)
goto failclean;
if (BN_num_bits(dhg->p) != dhg->size)
goto failclean;
- if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
- goto failclean;
-
return (1);
failclean:
- BN_clear_free(dhg->g);
- BN_clear_free(dhg->p);
+ BN_free(dhg->g);
+ BN_free(dhg->p);
fail:
error("Bad prime description in line %d", linenum);
return (0);
choose_dh(int min, int wantbits, int max)
{
FILE *f;
- char line[4096];
+ char line[2048];
int best, bestcount, which;
int linenum;
struct dhgroup dhg;
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
(f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
- logit("WARNING: %s does not exist, using fixed modulus",
- _PATH_DH_MODULI);
- return (dh_new_group14());
+ log("WARNING: %s does not exist, using old modulus", _PATH_DH_MODULI);
+ return (dh_new_group1());
}
linenum = 0;
linenum++;
if (!parse_prime(linenum, line, &dhg))
continue;
- BN_clear_free(dhg.g);
- BN_clear_free(dhg.p);
+ BN_free(dhg.g);
+ BN_free(dhg.p);
if (dhg.size > max || dhg.size < min)
continue;
if (bestcount == 0) {
fclose(f);
- logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
- return (dh_new_group14());
+ log("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
+ return (NULL);
}
linenum = 0;
- which = arc4random_uniform(bestcount);
+ which = arc4random() % bestcount;
while (fgets(line, sizeof(line), f)) {
if (!parse_prime(linenum, line, &dhg))
continue;
if ((dhg.size > max || dhg.size < min) ||
dhg.size != best ||
linenum++ != which) {
- BN_clear_free(dhg.g);
- BN_clear_free(dhg.p);
+ BN_free(dhg.g);
+ BN_free(dhg.p);
continue;
}
break;
return (dh_new_group(dhg.g, dhg.p));
}
-/* diffie-hellman-groupN-sha1 */
+/* diffie-hellman-group1-sha1 */
int
dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
int i;
int n = BN_num_bits(dh_pub);
int bits_set = 0;
- BIGNUM *tmp;
if (dh_pub->neg) {
- logit("invalid public DH value: negative");
- return 0;
- }
- if (BN_cmp(dh_pub, BN_value_one()) != 1) { /* pub_exp <= 1 */
- logit("invalid public DH value: <= 1");
- return 0;
- }
-
- if ((tmp = BN_new()) == NULL) {
- error("%s: BN_new failed", __func__);
+ log("invalid public DH value: negativ");
return 0;
}
- if (!BN_sub(tmp, dh->p, BN_value_one()) ||
- BN_cmp(dh_pub, tmp) != -1) { /* pub_exp > p-2 */
- BN_clear_free(tmp);
- logit("invalid public DH value: >= p-1");
- return 0;
- }
- BN_clear_free(tmp);
-
for (i = 0; i <= n; i++)
if (BN_is_bit_set(dh_pub, i))
bits_set++;
- debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
+ debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
- if (bits_set > 1)
+ if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
return 1;
-
- logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
+ log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
return 0;
}
void
dh_gen_key(DH *dh, int need)
{
- int i, bits_set, tries = 0;
+ int i, bits_set = 0, tries = 0;
if (dh->p == NULL)
fatal("dh_gen_key: dh->p == NULL");
- if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
+ if (2*need >= BN_num_bits(dh->p))
fatal("dh_gen_key: group too small: %d (2*need %d)",
BN_num_bits(dh->p), 2*need);
do {
if (dh->priv_key != NULL)
- BN_clear_free(dh->priv_key);
- if ((dh->priv_key = BN_new()) == NULL)
+ BN_free(dh->priv_key);
+ dh->priv_key = BN_new();
+ if (dh->priv_key == NULL)
fatal("dh_gen_key: BN_new failed");
/* generate a 2*need bits random private exponent */
if (!BN_rand(dh->priv_key, 2*need, 0, 0))
fatal("dh_gen_key: BN_rand failed");
if (DH_generate_key(dh) == 0)
fatal("DH_generate_key");
- for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
+ for (i = 0; i <= BN_num_bits(dh->priv_key); i++)
if (BN_is_bit_set(dh->priv_key, i))
bits_set++;
- debug2("dh_gen_key: priv key bits set: %d/%d",
+ debug("dh_gen_key: priv key bits set: %d/%d",
bits_set, BN_num_bits(dh->priv_key));
if (tries++ > 10)
fatal("dh_gen_key: too many bad keys: giving up");
{
DH *dh;
- if ((dh = DH_new()) == NULL)
- fatal("dh_new_group_asc: DH_new");
+ dh = DH_new();
+ if (dh == NULL)
+ fatal("DH_new");
if (BN_hex2bn(&dh->p, modulus) == 0)
fatal("BN_hex2bn p");
{
DH *dh;
- if ((dh = DH_new()) == NULL)
- fatal("dh_new_group: DH_new");
+ dh = DH_new();
+ if (dh == NULL)
+ fatal("DH_new");
dh->p = modulus;
dh->g = gen;
return (dh_new_group_asc(gen, group1));
}
-DH *
-dh_new_group14(void)
-{
- static char *gen = "2", *group14 =
- "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
- "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
- "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
- "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
- "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
- "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
- "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
- "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
- "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
- "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
- "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
-
- return (dh_new_group_asc(gen, group14));
-}
-
/*
* Estimates the group order for a Diffie-Hellman group that has an
* attack complexity approximately the same as O(2**bits). Estimate
dh_estimate(int bits)
{
- if (bits <= 128)
+ if (bits < 64)
+ return (512); /* O(2**63) */
+ if (bits < 128)
return (1024); /* O(2**86) */
- if (bits <= 192)
+ if (bits < 192)
return (2048); /* O(2**116) */
return (4096); /* O(2**156) */
}