2006-08-05 04:39:39 +02:00
|
|
|
/* $OpenBSD: dh.c,v 1.42 2006/08/03 03:34:42 deraadt Exp $ */
|
2000-10-14 07:23:11 +02:00
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "includes.h"
|
|
|
|
|
|
2006-08-05 03:02:17 +02:00
|
|
|
#include <sys/param.h>
|
|
|
|
|
|
2000-10-14 07:23:11 +02:00
|
|
|
#include <openssl/bn.h>
|
|
|
|
|
#include <openssl/dh.h>
|
|
|
|
|
|
2006-09-01 07:38:36 +02:00
|
|
|
#include <stdarg.h>
|
2006-08-05 03:37:59 +02:00
|
|
|
#include <stdio.h>
|
2006-08-05 03:34:19 +02:00
|
|
|
#include <stdlib.h>
|
2006-07-24 06:13:33 +02:00
|
|
|
#include <string.h>
|
|
|
|
|
|
2000-10-14 07:23:11 +02:00
|
|
|
#include "dh.h"
|
2001-01-22 06:34:40 +01:00
|
|
|
#include "pathnames.h"
|
|
|
|
|
#include "log.h"
|
|
|
|
|
#include "misc.h"
|
2000-10-14 07:23:11 +02:00
|
|
|
|
2001-06-25 07:01:22 +02:00
|
|
|
static int
|
2000-10-14 07:23:11 +02:00
|
|
|
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
|
|
|
|
{
|
|
|
|
|
char *cp, *arg;
|
|
|
|
|
char *strsize, *gen, *prime;
|
2006-03-31 14:09:41 +02:00
|
|
|
const char *errstr = NULL;
|
2000-10-14 07:23:11 +02:00
|
|
|
|
|
|
|
|
cp = line;
|
2006-03-26 04:53:32 +02:00
|
|
|
if ((arg = strdelim(&cp)) == NULL)
|
|
|
|
|
return 0;
|
2000-10-14 07:23:11 +02:00
|
|
|
/* Ignore leading whitespace */
|
|
|
|
|
if (*arg == '\0')
|
|
|
|
|
arg = strdelim(&cp);
|
2002-07-04 02:03:56 +02:00
|
|
|
if (!arg || !*arg || *arg == '#')
|
2000-10-14 07:23:11 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* time */
|
|
|
|
|
if (cp == NULL || *arg == '\0')
|
|
|
|
|
goto fail;
|
|
|
|
|
arg = strsep(&cp, " "); /* type */
|
|
|
|
|
if (cp == NULL || *arg == '\0')
|
|
|
|
|
goto fail;
|
|
|
|
|
arg = strsep(&cp, " "); /* tests */
|
|
|
|
|
if (cp == NULL || *arg == '\0')
|
|
|
|
|
goto fail;
|
|
|
|
|
arg = strsep(&cp, " "); /* tries */
|
|
|
|
|
if (cp == NULL || *arg == '\0')
|
|
|
|
|
goto fail;
|
|
|
|
|
strsize = strsep(&cp, " "); /* size */
|
|
|
|
|
if (cp == NULL || *strsize == '\0' ||
|
2006-03-31 14:09:41 +02:00
|
|
|
(dhg->size = (u_int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
|
|
|
|
|
errstr)
|
2000-10-14 07:23:11 +02:00
|
|
|
goto fail;
|
2001-03-29 02:36:16 +02:00
|
|
|
/* The whole group is one bit larger */
|
|
|
|
|
dhg->size++;
|
2000-10-14 07:23:11 +02:00
|
|
|
gen = strsep(&cp, " "); /* gen */
|
|
|
|
|
if (cp == NULL || *gen == '\0')
|
|
|
|
|
goto fail;
|
|
|
|
|
prime = strsep(&cp, " "); /* prime */
|
|
|
|
|
if (cp != NULL || *prime == '\0')
|
|
|
|
|
goto fail;
|
|
|
|
|
|
2002-01-22 13:09:22 +01:00
|
|
|
if ((dhg->g = BN_new()) == NULL)
|
|
|
|
|
fatal("parse_prime: BN_new failed");
|
|
|
|
|
if ((dhg->p = BN_new()) == NULL)
|
|
|
|
|
fatal("parse_prime: BN_new failed");
|
2001-04-15 16:27:16 +02:00
|
|
|
if (BN_hex2bn(&dhg->g, gen) == 0)
|
2001-03-30 02:47:43 +02:00
|
|
|
goto failclean;
|
|
|
|
|
|
2001-04-15 16:27:16 +02:00
|
|
|
if (BN_hex2bn(&dhg->p, prime) == 0)
|
2001-03-30 02:47:43 +02:00
|
|
|
goto failclean;
|
|
|
|
|
|
|
|
|
|
if (BN_num_bits(dhg->p) != dhg->size)
|
|
|
|
|
goto failclean;
|
2000-10-14 07:23:11 +02:00
|
|
|
|
2004-02-29 10:12:33 +01:00
|
|
|
if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
|
|
|
|
|
goto failclean;
|
|
|
|
|
|
2000-10-14 07:23:11 +02:00
|
|
|
return (1);
|
2001-03-30 02:47:43 +02:00
|
|
|
|
|
|
|
|
failclean:
|
2002-01-22 13:10:33 +01:00
|
|
|
BN_clear_free(dhg->g);
|
|
|
|
|
BN_clear_free(dhg->p);
|
2000-10-14 07:23:11 +02:00
|
|
|
fail:
|
2001-03-05 08:47:23 +01:00
|
|
|
error("Bad prime description in line %d", linenum);
|
2000-10-14 07:23:11 +02:00
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DH *
|
2001-03-29 02:36:16 +02:00
|
|
|
choose_dh(int min, int wantbits, int max)
|
2000-10-14 07:23:11 +02:00
|
|
|
{
|
|
|
|
|
FILE *f;
|
2004-02-29 10:13:34 +01:00
|
|
|
char line[4096];
|
2000-10-14 07:23:11 +02:00
|
|
|
int best, bestcount, which;
|
|
|
|
|
int linenum;
|
|
|
|
|
struct dhgroup dhg;
|
|
|
|
|
|
2001-06-25 06:13:25 +02:00
|
|
|
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
|
|
|
|
|
(f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
|
2004-06-15 02:30:09 +02:00
|
|
|
logit("WARNING: %s does not exist, using fixed modulus",
|
|
|
|
|
_PATH_DH_MODULI);
|
|
|
|
|
return (dh_new_group14());
|
2000-10-14 07:23:11 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
linenum = 0;
|
|
|
|
|
best = bestcount = 0;
|
|
|
|
|
while (fgets(line, sizeof(line), f)) {
|
|
|
|
|
linenum++;
|
|
|
|
|
if (!parse_prime(linenum, line, &dhg))
|
|
|
|
|
continue;
|
2002-01-22 13:10:33 +01:00
|
|
|
BN_clear_free(dhg.g);
|
|
|
|
|
BN_clear_free(dhg.p);
|
2000-10-14 07:23:11 +02:00
|
|
|
|
2001-03-29 02:36:16 +02:00
|
|
|
if (dhg.size > max || dhg.size < min)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if ((dhg.size > wantbits && dhg.size < best) ||
|
|
|
|
|
(dhg.size > best && best < wantbits)) {
|
2000-10-14 07:23:11 +02:00
|
|
|
best = dhg.size;
|
|
|
|
|
bestcount = 0;
|
|
|
|
|
}
|
|
|
|
|
if (dhg.size == best)
|
|
|
|
|
bestcount++;
|
|
|
|
|
}
|
2001-06-25 06:18:59 +02:00
|
|
|
rewind(f);
|
2000-10-14 07:23:11 +02:00
|
|
|
|
|
|
|
|
if (bestcount == 0) {
|
2001-06-25 06:18:59 +02:00
|
|
|
fclose(f);
|
2003-04-09 12:59:48 +02:00
|
|
|
logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
|
2004-08-12 14:40:59 +02:00
|
|
|
return (dh_new_group14());
|
2000-10-14 07:23:11 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
linenum = 0;
|
|
|
|
|
which = arc4random() % bestcount;
|
|
|
|
|
while (fgets(line, sizeof(line), f)) {
|
|
|
|
|
if (!parse_prime(linenum, line, &dhg))
|
|
|
|
|
continue;
|
2001-04-05 04:05:21 +02:00
|
|
|
if ((dhg.size > max || dhg.size < min) ||
|
|
|
|
|
dhg.size != best ||
|
|
|
|
|
linenum++ != which) {
|
2002-01-22 13:10:33 +01:00
|
|
|
BN_clear_free(dhg.g);
|
|
|
|
|
BN_clear_free(dhg.p);
|
2000-10-14 07:23:11 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
fclose(f);
|
2001-04-05 04:05:21 +02:00
|
|
|
if (linenum != which+1)
|
|
|
|
|
fatal("WARNING: line %d disappeared in %s, giving up",
|
|
|
|
|
which, _PATH_DH_PRIMES);
|
2000-10-14 07:23:11 +02:00
|
|
|
|
|
|
|
|
return (dh_new_group(dhg.g, dhg.p));
|
|
|
|
|
}
|
2001-03-30 02:50:10 +02:00
|
|
|
|
2004-06-15 02:30:09 +02:00
|
|
|
/* diffie-hellman-groupN-sha1 */
|
2001-03-30 02:50:10 +02:00
|
|
|
|
|
|
|
|
int
|
|
|
|
|
dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
int n = BN_num_bits(dh_pub);
|
|
|
|
|
int bits_set = 0;
|
2006-05-06 09:43:33 +02:00
|
|
|
BIGNUM *tmp;
|
2001-03-30 02:50:10 +02:00
|
|
|
|
|
|
|
|
if (dh_pub->neg) {
|
2003-04-09 12:59:48 +02:00
|
|
|
logit("invalid public DH value: negativ");
|
2001-03-30 02:50:10 +02:00
|
|
|
return 0;
|
|
|
|
|
}
|
2006-05-06 09:43:33 +02:00
|
|
|
if (BN_cmp(dh_pub, BN_value_one()) != 1) { /* pub_exp <= 1 */
|
|
|
|
|
logit("invalid public DH value: <= 1");
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ((tmp = BN_new()) == NULL)
|
|
|
|
|
return (-1);
|
|
|
|
|
if (!BN_sub(tmp, dh->p, BN_value_one()) ||
|
|
|
|
|
BN_cmp(dh_pub, tmp) != -1) { /* pub_exp > p-2 */
|
|
|
|
|
BN_clear_free(tmp);
|
|
|
|
|
logit("invalid public DH value: >= p-1");
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
BN_clear_free(tmp);
|
|
|
|
|
|
2001-03-30 02:50:10 +02:00
|
|
|
for (i = 0; i <= n; i++)
|
|
|
|
|
if (BN_is_bit_set(dh_pub, i))
|
|
|
|
|
bits_set++;
|
2002-12-23 03:03:02 +01:00
|
|
|
debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
|
2001-03-30 02:50:10 +02:00
|
|
|
|
|
|
|
|
/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
|
2006-05-06 09:43:33 +02:00
|
|
|
if (bits_set > 1)
|
2001-03-30 02:50:10 +02:00
|
|
|
return 1;
|
2006-05-06 09:43:33 +02:00
|
|
|
|
2003-04-09 12:59:48 +02:00
|
|
|
logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
|
2001-03-30 02:50:10 +02:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
dh_gen_key(DH *dh, int need)
|
|
|
|
|
{
|
2004-02-29 10:15:08 +01:00
|
|
|
int i, bits_set, tries = 0;
|
2001-03-30 02:50:10 +02:00
|
|
|
|
|
|
|
|
if (dh->p == NULL)
|
|
|
|
|
fatal("dh_gen_key: dh->p == NULL");
|
2003-09-22 13:05:50 +02:00
|
|
|
if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
|
2001-03-30 02:50:10 +02:00
|
|
|
fatal("dh_gen_key: group too small: %d (2*need %d)",
|
|
|
|
|
BN_num_bits(dh->p), 2*need);
|
|
|
|
|
do {
|
|
|
|
|
if (dh->priv_key != NULL)
|
2002-01-22 13:10:33 +01:00
|
|
|
BN_clear_free(dh->priv_key);
|
2002-01-22 13:09:22 +01:00
|
|
|
if ((dh->priv_key = BN_new()) == NULL)
|
2001-03-30 02:50:10 +02:00
|
|
|
fatal("dh_gen_key: BN_new failed");
|
|
|
|
|
/* generate a 2*need bits random private exponent */
|
2002-03-07 02:58:42 +01:00
|
|
|
if (!BN_rand(dh->priv_key, 2*need, 0, 0))
|
|
|
|
|
fatal("dh_gen_key: BN_rand failed");
|
2001-03-30 02:50:10 +02:00
|
|
|
if (DH_generate_key(dh) == 0)
|
|
|
|
|
fatal("DH_generate_key");
|
2004-02-29 10:15:08 +01:00
|
|
|
for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
|
2001-03-30 02:50:10 +02:00
|
|
|
if (BN_is_bit_set(dh->priv_key, i))
|
|
|
|
|
bits_set++;
|
2002-12-23 03:03:02 +01:00
|
|
|
debug2("dh_gen_key: priv key bits set: %d/%d",
|
2001-03-30 02:50:10 +02:00
|
|
|
bits_set, BN_num_bits(dh->priv_key));
|
|
|
|
|
if (tries++ > 10)
|
|
|
|
|
fatal("dh_gen_key: too many bad keys: giving up");
|
|
|
|
|
} while (!dh_pub_is_valid(dh, dh->pub_key));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DH *
|
|
|
|
|
dh_new_group_asc(const char *gen, const char *modulus)
|
|
|
|
|
{
|
|
|
|
|
DH *dh;
|
|
|
|
|
|
2002-01-22 13:09:22 +01:00
|
|
|
if ((dh = DH_new()) == NULL)
|
|
|
|
|
fatal("dh_new_group_asc: DH_new");
|
2001-03-30 02:50:10 +02:00
|
|
|
|
2001-04-15 16:27:16 +02:00
|
|
|
if (BN_hex2bn(&dh->p, modulus) == 0)
|
2001-03-30 02:50:10 +02:00
|
|
|
fatal("BN_hex2bn p");
|
2001-04-15 16:27:16 +02:00
|
|
|
if (BN_hex2bn(&dh->g, gen) == 0)
|
2001-03-30 02:50:10 +02:00
|
|
|
fatal("BN_hex2bn g");
|
|
|
|
|
|
|
|
|
|
return (dh);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* This just returns the group, we still need to generate the exchange
|
|
|
|
|
* value.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
DH *
|
|
|
|
|
dh_new_group(BIGNUM *gen, BIGNUM *modulus)
|
|
|
|
|
{
|
|
|
|
|
DH *dh;
|
|
|
|
|
|
2002-01-22 13:09:22 +01:00
|
|
|
if ((dh = DH_new()) == NULL)
|
|
|
|
|
fatal("dh_new_group: DH_new");
|
2001-03-30 02:50:10 +02:00
|
|
|
dh->p = modulus;
|
|
|
|
|
dh->g = gen;
|
|
|
|
|
|
|
|
|
|
return (dh);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DH *
|
|
|
|
|
dh_new_group1(void)
|
|
|
|
|
{
|
|
|
|
|
static char *gen = "2", *group1 =
|
|
|
|
|
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
|
|
|
|
|
"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
|
|
|
|
|
"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
|
|
|
|
|
"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
|
|
|
|
|
"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
|
|
|
|
|
"FFFFFFFF" "FFFFFFFF";
|
|
|
|
|
|
|
|
|
|
return (dh_new_group_asc(gen, group1));
|
|
|
|
|
}
|
2001-04-04 03:56:17 +02:00
|
|
|
|
2004-06-15 02:30:09 +02:00
|
|
|
DH *
|
|
|
|
|
dh_new_group14(void)
|
|
|
|
|
{
|
|
|
|
|
static char *gen = "2", *group14 =
|
|
|
|
|
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
|
|
|
|
|
"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
|
|
|
|
|
"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
|
|
|
|
|
"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
|
|
|
|
|
"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
|
|
|
|
|
"C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
|
|
|
|
|
"83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
|
|
|
|
|
"670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
|
|
|
|
|
"E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
|
|
|
|
|
"DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
|
|
|
|
|
"15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
|
|
|
|
|
|
|
|
|
|
return (dh_new_group_asc(gen, group14));
|
|
|
|
|
}
|
|
|
|
|
|
2001-04-04 03:56:17 +02:00
|
|
|
/*
|
|
|
|
|
* Estimates the group order for a Diffie-Hellman group that has an
|
|
|
|
|
* attack complexity approximately the same as O(2**bits). Estimate
|
|
|
|
|
* with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
dh_estimate(int bits)
|
|
|
|
|
{
|
|
|
|
|
|
2003-12-17 06:33:53 +01:00
|
|
|
if (bits <= 128)
|
2001-04-04 03:56:17 +02:00
|
|
|
return (1024); /* O(2**86) */
|
2003-12-17 06:33:53 +01:00
|
|
|
if (bits <= 192)
|
2001-04-04 03:56:17 +02:00
|
|
|
return (2048); /* O(2**116) */
|
|
|
|
|
return (4096); /* O(2**156) */
|
|
|
|
|
}
|
