diff options
| author | Markus Friedl <markus@cvs.openbsd.org> | 2001-03-29 21:17:41 +0000 |
|---|---|---|
| committer | Markus Friedl <markus@cvs.openbsd.org> | 2001-03-29 21:17:41 +0000 |
| commit | 2d45c002c55bc405a4ee38275443080711e9e4a0 (patch) | |
| tree | adbf413d3680b20791e35d2e0ce0061eb8390d30 | |
| parent | 2a186d5a7cbc4a70cade6f5ed45c41b1ad98fbb4 (diff) | |
prepare for rekeying: move DH code to dh.c
| -rw-r--r-- | usr.bin/ssh/dh.c | 109 | ||||
| -rw-r--r-- | usr.bin/ssh/dh.h | 10 | ||||
| -rw-r--r-- | usr.bin/ssh/kex.c | 110 | ||||
| -rw-r--r-- | usr.bin/ssh/kex.h | 7 | ||||
| -rw-r--r-- | usr.bin/ssh/lib/Makefile | 4 | ||||
| -rw-r--r-- | usr.bin/ssh/sshd/Makefile | 4 |
6 files changed, 122 insertions, 122 deletions
diff --git a/usr.bin/ssh/dh.c b/usr.bin/ssh/dh.c index 636758fa8bb..6c53b0038d0 100644 --- a/usr.bin/ssh/dh.c +++ b/usr.bin/ssh/dh.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: dh.c,v 1.10 2001/03/28 22:04:57 provos Exp $"); +RCSID("$OpenBSD: dh.c,v 1.11 2001/03/29 21:17:39 markus Exp $"); #include "xmalloc.h" @@ -166,3 +166,110 @@ choose_dh(int min, int wantbits, int max) return (dh_new_group(dhg.g, dhg.p)); } + +/* diffie-hellman-group1-sha1 */ + +int +dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) +{ + int i; + int n = BN_num_bits(dh_pub); + int bits_set = 0; + + if (dh_pub->neg) { + log("invalid public DH value: negativ"); + return 0; + } + for (i = 0; i <= n; i++) + if (BN_is_bit_set(dh_pub, i)) + bits_set++; + debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p)); + + /* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */ + if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1)) + return 1; + log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p)); + return 0; +} + +void +dh_gen_key(DH *dh, int need) +{ + int i, bits_set = 0, tries = 0; + + if (dh->p == NULL) + fatal("dh_gen_key: dh->p == NULL"); + if (2*need >= BN_num_bits(dh->p)) + fatal("dh_gen_key: group too small: %d (2*need %d)", + BN_num_bits(dh->p), 2*need); + do { + if (dh->priv_key != NULL) + BN_free(dh->priv_key); + dh->priv_key = BN_new(); + if (dh->priv_key == NULL) + fatal("dh_gen_key: BN_new failed"); + /* generate a 2*need bits random private exponent */ + if (!BN_rand(dh->priv_key, 2*need, 0, 0)) + fatal("dh_gen_key: BN_rand failed"); + if (DH_generate_key(dh) == 0) + fatal("DH_generate_key"); + for (i = 0; i <= BN_num_bits(dh->priv_key); i++) + if (BN_is_bit_set(dh->priv_key, i)) + bits_set++; + debug("dh_gen_key: priv key bits set: %d/%d", + bits_set, BN_num_bits(dh->priv_key)); + if (tries++ > 10) + fatal("dh_gen_key: too many bad keys: giving up"); + } while (!dh_pub_is_valid(dh, dh->pub_key)); +} + +DH * +dh_new_group_asc(const char *gen, const char *modulus) +{ + DH *dh; + int ret; + + dh = DH_new(); + if (dh == NULL) + fatal("DH_new"); + + if ((ret = BN_hex2bn(&dh->p, modulus)) < 0) + fatal("BN_hex2bn p"); + if ((ret = BN_hex2bn(&dh->g, gen)) < 0) + fatal("BN_hex2bn g"); + + return (dh); +} + +/* + * This just returns the group, we still need to generate the exchange + * value. + */ + +DH * +dh_new_group(BIGNUM *gen, BIGNUM *modulus) +{ + DH *dh; + + dh = DH_new(); + if (dh == NULL) + fatal("DH_new"); + dh->p = modulus; + dh->g = gen; + + return (dh); +} + +DH * +dh_new_group1(void) +{ + static char *gen = "2", *group1 = + "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" + "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" + "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" + "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" + "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381" + "FFFFFFFF" "FFFFFFFF"; + + return (dh_new_group_asc(gen, group1)); +} diff --git a/usr.bin/ssh/dh.h b/usr.bin/ssh/dh.h index 70b326e9fa7..13d2fa1620e 100644 --- a/usr.bin/ssh/dh.h +++ b/usr.bin/ssh/dh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.3 2001/03/27 17:46:49 provos Exp $ */ +/* $OpenBSD: dh.h,v 1.4 2001/03/29 21:17:39 markus Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. @@ -32,7 +32,13 @@ struct dhgroup { BIGNUM *p; }; -DH *choose_dh(int min, int nbits, int max); +DH *choose_dh(int min, int nbits, int max); +DH *dh_new_group_asc(const char *, const char *); +DH *dh_new_group(BIGNUM *, BIGNUM *); +DH *dh_new_group1(void); + +void dh_gen_key(DH *, int); +int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub); #define DH_GRP_MIN 1024 #define DH_GRP_MAX 8192 diff --git a/usr.bin/ssh/kex.c b/usr.bin/ssh/kex.c index 38c813d8bcb..576d4b56e77 100644 --- a/usr.bin/ssh/kex.c +++ b/usr.bin/ssh/kex.c @@ -23,12 +23,11 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.24 2001/03/28 21:59:40 provos Exp $"); +RCSID("$OpenBSD: kex.c,v 1.25 2001/03/29 21:17:39 markus Exp $"); #include <openssl/crypto.h> #include <openssl/bio.h> #include <openssl/bn.h> -#include <openssl/dh.h> #include <openssl/pem.h> #include "ssh2.h" @@ -113,113 +112,6 @@ kex_exchange_kexinit( debug("done"); } -/* diffie-hellman-group1-sha1 */ - -int -dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) -{ - int i; - int n = BN_num_bits(dh_pub); - int bits_set = 0; - - if (dh_pub->neg) { - log("invalid public DH value: negativ"); - return 0; - } - for (i = 0; i <= n; i++) - if (BN_is_bit_set(dh_pub, i)) - bits_set++; - debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p)); - - /* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */ - if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1)) - return 1; - log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p)); - return 0; -} - -void -dh_gen_key(DH *dh, int need) -{ - int i, bits_set = 0, tries = 0; - - if (dh->p == NULL) - fatal("dh_gen_key: dh->p == NULL"); - if (2*need >= BN_num_bits(dh->p)) - fatal("dh_gen_key: group too small: %d (2*need %d)", - BN_num_bits(dh->p), 2*need); - do { - if (dh->priv_key != NULL) - BN_free(dh->priv_key); - dh->priv_key = BN_new(); - if (dh->priv_key == NULL) - fatal("dh_gen_key: BN_new failed"); - /* generate a 2*need bits random private exponent */ - if (!BN_rand(dh->priv_key, 2*need, 0, 0)) - fatal("dh_gen_key: BN_rand failed"); - if (DH_generate_key(dh) == 0) - fatal("DH_generate_key"); - for (i = 0; i <= BN_num_bits(dh->priv_key); i++) - if (BN_is_bit_set(dh->priv_key, i)) - bits_set++; - debug("dh_gen_key: priv key bits set: %d/%d", - bits_set, BN_num_bits(dh->priv_key)); - if (tries++ > 10) - fatal("dh_gen_key: too many bad keys: giving up"); - } while (!dh_pub_is_valid(dh, dh->pub_key)); -} - -DH * -dh_new_group_asc(const char *gen, const char *modulus) -{ - DH *dh; - int ret; - - dh = DH_new(); - if (dh == NULL) - fatal("DH_new"); - - if ((ret = BN_hex2bn(&dh->p, modulus)) < 0) - fatal("BN_hex2bn p"); - if ((ret = BN_hex2bn(&dh->g, gen)) < 0) - fatal("BN_hex2bn g"); - - return (dh); -} - -/* - * This just returns the group, we still need to generate the exchange - * value. - */ - -DH * -dh_new_group(BIGNUM *gen, BIGNUM *modulus) -{ - DH *dh; - - dh = DH_new(); - if (dh == NULL) - fatal("DH_new"); - dh->p = modulus; - dh->g = gen; - - return (dh); -} - -DH * -dh_new_group1(void) -{ - static char *gen = "2", *group1 = - "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" - "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" - "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" - "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" - "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381" - "FFFFFFFF" "FFFFFFFF"; - - return (dh_new_group_asc(gen, group1)); -} - #ifdef DEBUG_KEX void dump_digest(u_char *digest, int len) diff --git a/usr.bin/ssh/kex.h b/usr.bin/ssh/kex.h index 41337680a9c..4cc87d52707 100644 --- a/usr.bin/ssh/kex.h +++ b/usr.bin/ssh/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.16 2001/03/28 21:59:40 provos Exp $ */ +/* $OpenBSD: kex.h,v 1.17 2001/03/29 21:17:40 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -103,11 +103,6 @@ kex_choose_conf(char *cprop[PROPOSAL_MAX], char *sprop[PROPOSAL_MAX], int server); int kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret); void packet_set_kex(Kex *k); -int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub); -DH *dh_new_group_asc(const char *, const char *); -DH *dh_new_group(BIGNUM *, BIGNUM *); -void dh_gen_key(DH *, int); -DH *dh_new_group1(void); u_char * kex_hash( diff --git a/usr.bin/ssh/lib/Makefile b/usr.bin/ssh/lib/Makefile index 439049470c6..ac05712d255 100644 --- a/usr.bin/ssh/lib/Makefile +++ b/usr.bin/ssh/lib/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.20 2001/02/11 12:59:26 markus Exp $ +# $OpenBSD: Makefile,v 1.21 2001/03/29 21:17:40 markus Exp $ .PATH: ${.CURDIR}/.. @@ -8,7 +8,7 @@ SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \ hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \ rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \ key.c dispatch.c kex.c mac.c uuencode.c misc.c \ - cli.c rijndael.c ssh-dss.c ssh-rsa.c + cli.c rijndael.c ssh-dss.c ssh-rsa.c dh.c NOPROFILE= yes NOPIC= yes diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile index ad5caeb0dd5..5ccce8d9fc9 100644 --- a/usr.bin/ssh/sshd/Makefile +++ b/usr.bin/ssh/sshd/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.37 2001/03/04 01:46:30 djm Exp $ +# $OpenBSD: Makefile,v 1.38 2001/03/29 21:17:40 markus Exp $ .PATH: ${.CURDIR}/.. @@ -11,7 +11,7 @@ CFLAGS+=-DHAVE_LOGIN_CAP SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ sshpty.c sshlogin.c servconf.c serverloop.c \ - auth.c auth1.c auth2.c auth-options.c session.c dh.c \ + auth.c auth1.c auth2.c auth-options.c session.c \ auth-chall.c auth2-chall.c groupaccess.c .include <bsd.own.mk> # for KERBEROS and AFS |