Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 91a55f28f35431f9000b95815c343b5a18fda712 / . / dh.c
blob: d943ca1e1bc2112e2d099fa88235e80266c78ce4 [file] [log] [blame]
Damien Miller8ed4de82011-12-19 10:52:50 +1100[diff] [blame]1/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]2/*
3 * Copyright (c) 2000 Niels Provos. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#include "includes.h"
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]27
Damien Miller8dbffe72006-08-05 11:02:17 +1000[diff] [blame]28#include <sys/param.h>
29
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]30#include <openssl/bn.h>
31#include <openssl/dh.h>
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]32
Damien Millerded319c2006-09-01 15:38:36 +1000[diff] [blame]33#include <stdarg.h>
Damien Millera7a73ee2006-08-05 11:37:59 +1000[diff] [blame]34#include <stdio.h>
Damien Millere7a1e5c2006-08-05 11:34:19 +1000[diff] [blame]35#include <stdlib.h>
Damien Millere3476ed2006-07-24 14:13:33 +1000[diff] [blame]36#include <string.h>
37
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]38#include "dh.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]39#include "pathnames.h"
40#include "log.h"
41#include "misc.h"
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]42
Ben Lindstrombba81212001-06-25 05:01:22 +0000[diff] [blame]43static int
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]44parse_prime(int linenum, char *line, struct dhgroup *dhg)
45{
46 char *cp, *arg;
47 char *strsize, *gen, *prime;
Damien Miller5a73c1a2006-03-31 23:09:41 +1100[diff] [blame]48 const char *errstr = NULL;
Damien Miller2e9cf492008-06-29 22:47:04 +1000[diff] [blame]49 long long n;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]50
51 cp = line;
Damien Miller928b2362006-03-26 13:53:32 +1100[diff] [blame]52 if ((arg = strdelim(&cp)) == NULL)
53 return 0;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]54 /* Ignore leading whitespace */
55 if (*arg == '\0')
56 arg = strdelim(&cp);
Ben Lindstrom04f9af72002-07-04 00:03:56 +0000[diff] [blame]57 if (!arg || !*arg || *arg == '#')
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]58 return 0;
59
60 /* time */
61 if (cp == NULL || *arg == '\0')
62 goto fail;
63 arg = strsep(&cp, " "); /* type */
64 if (cp == NULL || *arg == '\0')
65 goto fail;
Damien Miller2e9cf492008-06-29 22:47:04 +1000[diff] [blame]66 /* Ensure this is a safe prime */
67 n = strtonum(arg, 0, 5, &errstr);
68 if (errstr != NULL || n != MODULI_TYPE_SAFE)
69 goto fail;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]70 arg = strsep(&cp, " "); /* tests */
71 if (cp == NULL || *arg == '\0')
72 goto fail;
Damien Miller2e9cf492008-06-29 22:47:04 +1000[diff] [blame]73 /* Ensure prime has been tested and is not composite */
74 n = strtonum(arg, 0, 0x1f, &errstr);
75 if (errstr != NULL ||
76 (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE))
77 goto fail;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]78 arg = strsep(&cp, " "); /* tries */
79 if (cp == NULL || *arg == '\0')
80 goto fail;
Damien Miller2e9cf492008-06-29 22:47:04 +1000[diff] [blame]81 n = strtonum(arg, 0, 1<<30, &errstr);
82 if (errstr != NULL || n == 0)
83 goto fail;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]84 strsize = strsep(&cp, " "); /* size */
85 if (cp == NULL || *strsize == '\0' ||
Darren Tucker759cb2a2009-10-07 09:01:50 +1100[diff] [blame]86 (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
Damien Miller5a73c1a2006-03-31 23:09:41 +1100[diff] [blame]87 errstr)
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]88 goto fail;
Ben Lindstromdf221392001-03-29 00:36:16 +0000[diff] [blame]89 /* The whole group is one bit larger */
90 dhg->size++;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]91 gen = strsep(&cp, " "); /* gen */
92 if (cp == NULL || *gen == '\0')
93 goto fail;
94 prime = strsep(&cp, " "); /* prime */
95 if (cp != NULL || *prime == '\0')
96 goto fail;
97
Damien Millerda755162002-01-22 23:09:22 +1100[diff] [blame]98 if ((dhg->g = BN_new()) == NULL)
99 fatal("parse_prime: BN_new failed");
100 if ((dhg->p = BN_new()) == NULL)
101 fatal("parse_prime: BN_new failed");
Ben Lindstrom206941f2001-04-15 14:27:16 +0000[diff] [blame]102 if (BN_hex2bn(&dhg->g, gen) == 0)
Damien Miller23e526e2001-03-30 10:47:43 +1000[diff] [blame]103 goto failclean;
104
Ben Lindstrom206941f2001-04-15 14:27:16 +0000[diff] [blame]105 if (BN_hex2bn(&dhg->p, prime) == 0)
Damien Miller23e526e2001-03-30 10:47:43 +1000[diff] [blame]106 goto failclean;
107
108 if (BN_num_bits(dhg->p) != dhg->size)
109 goto failclean;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]110
Darren Tuckerfc113c92004-02-29 20:12:33 +1100[diff] [blame]111 if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
112 goto failclean;
113
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]114 return (1);
Damien Miller23e526e2001-03-30 10:47:43 +1000[diff] [blame]115
116 failclean:
Damien Miller9ef95dd2002-01-22 23:10:33 +1100[diff] [blame]117 BN_clear_free(dhg->g);
118 BN_clear_free(dhg->p);
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]119 fail:
Ben Lindstrom6df8ef42001-03-05 07:47:23 +0000[diff] [blame]120 error("Bad prime description in line %d", linenum);
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]121 return (0);
122}
123
124DH *
Ben Lindstromdf221392001-03-29 00:36:16 +0000[diff] [blame]125choose_dh(int min, int wantbits, int max)
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]126{
127 FILE *f;
Darren Tuckerc56c7ef2004-02-29 20:13:34 +1100[diff] [blame]128 char line[4096];
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]129 int best, bestcount, which;
130 int linenum;
131 struct dhgroup dhg;
132
Ben Lindstrom93a29e02001-06-25 04:13:25 +0000[diff] [blame]133 if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
134 (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
Damien Millerf675fc42004-06-15 10:30:09 +1000[diff] [blame]135 logit("WARNING: %s does not exist, using fixed modulus",
136 _PATH_DH_MODULI);
137 return (dh_new_group14());
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]138 }
139
140 linenum = 0;
141 best = bestcount = 0;
142 while (fgets(line, sizeof(line), f)) {
143 linenum++;
144 if (!parse_prime(linenum, line, &dhg))
145 continue;
Damien Miller9ef95dd2002-01-22 23:10:33 +1100[diff] [blame]146 BN_clear_free(dhg.g);
147 BN_clear_free(dhg.p);
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]148
Ben Lindstromdf221392001-03-29 00:36:16 +0000[diff] [blame]149 if (dhg.size > max || dhg.size < min)
150 continue;
151
152 if ((dhg.size > wantbits && dhg.size < best) ||
153 (dhg.size > best && best < wantbits)) {
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]154 best = dhg.size;
155 bestcount = 0;
156 }
157 if (dhg.size == best)
158 bestcount++;
159 }
Ben Lindstromaf738802001-06-25 04:18:59 +0000[diff] [blame]160 rewind(f);
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]161
162 if (bestcount == 0) {
Ben Lindstromaf738802001-06-25 04:18:59 +0000[diff] [blame]163 fclose(f);
Damien Miller996acd22003-04-09 20:59:48 +1000[diff] [blame]164 logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
Darren Tucker9a2bd112004-08-12 22:40:59 +1000[diff] [blame]165 return (dh_new_group14());
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]166 }
167
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]168 linenum = 0;
Damien Miller354c48c2008-05-19 14:50:00 +1000[diff] [blame]169 which = arc4random_uniform(bestcount);
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]170 while (fgets(line, sizeof(line), f)) {
171 if (!parse_prime(linenum, line, &dhg))
172 continue;
Ben Lindstrom5ba23b32001-04-05 02:05:21 +0000[diff] [blame]173 if ((dhg.size > max || dhg.size < min) ||
174 dhg.size != best ||
175 linenum++ != which) {
Damien Miller9ef95dd2002-01-22 23:10:33 +1100[diff] [blame]176 BN_clear_free(dhg.g);
177 BN_clear_free(dhg.p);
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]178 continue;
179 }
180 break;
181 }
182 fclose(f);
Ben Lindstrom5ba23b32001-04-05 02:05:21 +0000[diff] [blame]183 if (linenum != which+1)
184 fatal("WARNING: line %d disappeared in %s, giving up",
185 which, _PATH_DH_PRIMES);
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]186
187 return (dh_new_group(dhg.g, dhg.p));
188}
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]189
Damien Millerf675fc42004-06-15 10:30:09 +1000[diff] [blame]190/* diffie-hellman-groupN-sha1 */
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]191
192int
193dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
194{
195 int i;
196 int n = BN_num_bits(dh_pub);
197 int bits_set = 0;
Darren Tucker31cde682006-05-06 17:43:33 +1000[diff] [blame]198 BIGNUM *tmp;
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]199
200 if (dh_pub->neg) {
Damien Miller603077a2007-10-26 14:25:55 +1000[diff] [blame]201 logit("invalid public DH value: negative");
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]202 return 0;
203 }
Darren Tucker31cde682006-05-06 17:43:33 +1000[diff] [blame]204 if (BN_cmp(dh_pub, BN_value_one()) != 1) { /* pub_exp <= 1 */
205 logit("invalid public DH value: <= 1");
206 return 0;
207 }
208
Damien Miller603077a2007-10-26 14:25:55 +1000[diff] [blame]209 if ((tmp = BN_new()) == NULL) {
210 error("%s: BN_new failed", __func__);
211 return 0;
212 }
Darren Tucker31cde682006-05-06 17:43:33 +1000[diff] [blame]213 if (!BN_sub(tmp, dh->p, BN_value_one()) ||
214 BN_cmp(dh_pub, tmp) != -1) { /* pub_exp > p-2 */
215 BN_clear_free(tmp);
216 logit("invalid public DH value: >= p-1");
217 return 0;
218 }
219 BN_clear_free(tmp);
220
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]221 for (i = 0; i <= n; i++)
222 if (BN_is_bit_set(dh_pub, i))
223 bits_set++;
Ben Lindstrom1f530832002-12-23 02:03:02 +0000[diff] [blame]224 debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]225
226 /* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
Darren Tucker31cde682006-05-06 17:43:33 +1000[diff] [blame]227 if (bits_set > 1)
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]228 return 1;
Darren Tucker31cde682006-05-06 17:43:33 +1000[diff] [blame]229
Damien Miller996acd22003-04-09 20:59:48 +1000[diff] [blame]230 logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]231 return 0;
232}
233
234void
235dh_gen_key(DH *dh, int need)
236{
Darren Tuckereffc84c2004-02-29 20:15:08 +1100[diff] [blame]237 int i, bits_set, tries = 0;
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]238
Damien Miller8ed4de82011-12-19 10:52:50 +1100[diff] [blame]239 if (need < 0)
240 fatal("dh_gen_key: need < 0");
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]241 if (dh->p == NULL)
242 fatal("dh_gen_key: dh->p == NULL");
Darren Tuckerc0815c92003-09-22 21:05:50 +1000[diff] [blame]243 if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]244 fatal("dh_gen_key: group too small: %d (2*need %d)",
245 BN_num_bits(dh->p), 2*need);
246 do {
247 if (dh->priv_key != NULL)
Damien Miller9ef95dd2002-01-22 23:10:33 +1100[diff] [blame]248 BN_clear_free(dh->priv_key);
Damien Millerda755162002-01-22 23:09:22 +1100[diff] [blame]249 if ((dh->priv_key = BN_new()) == NULL)
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]250 fatal("dh_gen_key: BN_new failed");
251 /* generate a 2*need bits random private exponent */
Damien Miller6d6c5d22002-03-07 12:58:42 +1100[diff] [blame]252 if (!BN_rand(dh->priv_key, 2*need, 0, 0))
253 fatal("dh_gen_key: BN_rand failed");
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]254 if (DH_generate_key(dh) == 0)
255 fatal("DH_generate_key");
Darren Tuckereffc84c2004-02-29 20:15:08 +1100[diff] [blame]256 for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]257 if (BN_is_bit_set(dh->priv_key, i))
258 bits_set++;
Ben Lindstrom1f530832002-12-23 02:03:02 +0000[diff] [blame]259 debug2("dh_gen_key: priv key bits set: %d/%d",
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]260 bits_set, BN_num_bits(dh->priv_key));
261 if (tries++ > 10)
262 fatal("dh_gen_key: too many bad keys: giving up");
263 } while (!dh_pub_is_valid(dh, dh->pub_key));
264}
265
266DH *
267dh_new_group_asc(const char *gen, const char *modulus)
268{
269 DH *dh;
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]270
Damien Millerda755162002-01-22 23:09:22 +1100[diff] [blame]271 if ((dh = DH_new()) == NULL)
272 fatal("dh_new_group_asc: DH_new");
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]273
Darren Tuckerb0781f72006-11-08 10:01:36 +1100[diff] [blame]274 if (BN_hex2bn(&dh->p, modulus) == 0)
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]275 fatal("BN_hex2bn p");
Darren Tuckerb0781f72006-11-08 10:01:36 +1100[diff] [blame]276 if (BN_hex2bn(&dh->g, gen) == 0)
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]277 fatal("BN_hex2bn g");
278
279 return (dh);
280}
281
282/*
283 * This just returns the group, we still need to generate the exchange
284 * value.
285 */
286
287DH *
288dh_new_group(BIGNUM *gen, BIGNUM *modulus)
289{
290 DH *dh;
291
Damien Millerda755162002-01-22 23:09:22 +1100[diff] [blame]292 if ((dh = DH_new()) == NULL)
293 fatal("dh_new_group: DH_new");
Damien Miller9709f902001-03-30 10:50:10 +1000[diff] [blame]294 dh->p = modulus;
295 dh->g = gen;
296
297 return (dh);
298}
299
300DH *
301dh_new_group1(void)
302{
303 static char *gen = "2", *group1 =
304 "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
305 "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
306 "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
307 "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
308 "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
309 "FFFFFFFF" "FFFFFFFF";
310
311 return (dh_new_group_asc(gen, group1));
312}
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]313
Damien Millerf675fc42004-06-15 10:30:09 +1000[diff] [blame]314DH *
315dh_new_group14(void)
316{
317 static char *gen = "2", *group14 =
318 "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
319 "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
320 "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
321 "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
322 "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
323 "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
324 "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
325 "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
326 "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
327 "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
328 "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
329
330 return (dh_new_group_asc(gen, group14));
331}
332
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]333/*
334 * Estimates the group order for a Diffie-Hellman group that has an
335 * attack complexity approximately the same as O(2**bits). Estimate
336 * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
337 */
338
339int
340dh_estimate(int bits)
341{
342
Damien Miller8975ddf2003-12-17 16:33:53 +1100[diff] [blame]343 if (bits <= 128)
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]344 return (1024); /* O(2**86) */
Damien Miller8975ddf2003-12-17 16:33:53 +1100[diff] [blame]345 if (bits <= 192)
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]346 return (2048); /* O(2**116) */
347 return (4096); /* O(2**156) */
348}