crypto/openssh/dh.c

193323Sed/*
193323Sed * Copyright (c) 2000 Niels Provos.  All rights reserved.
193323Sed *
193323Sed * Redistribution and use in source and binary forms, with or without
193323Sed * modification, are permitted provided that the following conditions
193323Sed * are met:
193323Sed * 1. Redistributions of source code must retain the above copyright
193323Sed *    notice, this list of conditions and the following disclaimer.
193323Sed * 2. Redistributions in binary form must reproduce the above copyright
193323Sed *    notice, this list of conditions and the following disclaimer in the
193323Sed *    documentation and/or other materials provided with the distribution.
193323Sed *
193323Sed * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
193323Sed * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
193323Sed * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
193323Sed * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
193323Sed * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
193323Sed * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
218893Sdim * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
193323Sed * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
193323Sed * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
193323Sed * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
193323Sed */
193323Sed
193323Sed#include "includes.h"
193323SedRCSID("$OpenBSD: dh.c,v 1.31 2004/08/04 10:37:52 djm Exp $");
193323Sed
193323Sed#include "xmalloc.h"
193323Sed
193323Sed#include <openssl/bn.h>
193323Sed#include <openssl/dh.h>
193323Sed#include <openssl/evp.h>
193323Sed
193323Sed#include "buffer.h"
193323Sed#include "cipher.h"
193323Sed#include "kex.h"
193323Sed#include "dh.h"
193323Sed#include "pathnames.h"
218893Sdim#include "log.h"
193323Sed#include "misc.h"
193323Sed
193323Sedstatic int
193323Sedparse_prime(int linenum, char *line, struct dhgroup *dhg)
193323Sed{
193323Sed	char *cp, *arg;
218893Sdim	char *strsize, *gen, *prime;
193323Sed
193323Sed	cp = line;
234353Sdim	arg = strdelim(&cp);
193323Sed	/* Ignore leading whitespace */
193323Sed	if (*arg == '\0')
193323Sed		arg = strdelim(&cp);
193323Sed	if (!arg || !*arg || *arg == '#')
193323Sed		return 0;
193323Sed
193323Sed	/* time */
193323Sed	if (cp == NULL || *arg == '\0')
193323Sed		goto fail;
193323Sed	arg = strsep(&cp, " "); /* type */
193323Sed	if (cp == NULL || *arg == '\0')
193323Sed		goto fail;
193323Sed	arg = strsep(&cp, " "); /* tests */
193323Sed	if (cp == NULL || *arg == '\0')
193323Sed		goto fail;
193323Sed	arg = strsep(&cp, " "); /* tries */
193323Sed	if (cp == NULL || *arg == '\0')
193323Sed		goto fail;
218893Sdim	strsize = strsep(&cp, " "); /* size */
193323Sed	if (cp == NULL || *strsize == '\0' ||
193323Sed	    (dhg->size = atoi(strsize)) == 0)
193323Sed		goto fail;
208599Srdivacky	/* The whole group is one bit larger */
193323Sed	dhg->size++;
193323Sed	gen = strsep(&cp, " "); /* gen */
193323Sed	if (cp == NULL || *gen == '\0')
193323Sed		goto fail;
198892Srdivacky	prime = strsep(&cp, " "); /* prime */
193323Sed	if (cp != NULL || *prime == '\0')
193323Sed		goto fail;
198892Srdivacky
193323Sed	if ((dhg->g = BN_new()) == NULL)
218893Sdim		fatal("parse_prime: BN_new failed");
208599Srdivacky	if ((dhg->p = BN_new()) == NULL)
193323Sed		fatal("parse_prime: BN_new failed");
193323Sed	if (BN_hex2bn(&dhg->g, gen) == 0)
193323Sed		goto failclean;
234353Sdim
193323Sed	if (BN_hex2bn(&dhg->p, prime) == 0)
193323Sed		goto failclean;
193323Sed
234353Sdim	if (BN_num_bits(dhg->p) != dhg->size)
193323Sed		goto failclean;
198892Srdivacky
193323Sed	if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
198892Srdivacky		goto failclean;
193323Sed
193323Sed	return (1);
193323Sed
193323Sed failclean:
193323Sed	BN_clear_free(dhg->g);
193323Sed	BN_clear_free(dhg->p);
193323Sed fail:
193323Sed	error("Bad prime description in line %d", linenum);
193323Sed	return (0);
193323Sed}
218893Sdim
193323SedDH *
193323Sedchoose_dh(int min, int wantbits, int max)
218893Sdim{
193323Sed	FILE *f;
193323Sed	char line[4096];
193323Sed	int best, bestcount, which;
193323Sed	int linenum;
193323Sed	struct dhgroup dhg;
193323Sed
193323Sed	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
193323Sed	    (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
208599Srdivacky		logit("WARNING: %s does not exist, using fixed modulus",
208599Srdivacky		    _PATH_DH_MODULI);
208599Srdivacky		return (dh_new_group14());
208599Srdivacky	}
210299Sed
208599Srdivacky	linenum = 0;
208599Srdivacky	best = bestcount = 0;
208599Srdivacky	while (fgets(line, sizeof(line), f)) {
208599Srdivacky		linenum++;
208599Srdivacky		if (!parse_prime(linenum, line, &dhg))
208599Srdivacky			continue;
208599Srdivacky		BN_clear_free(dhg.g);
208599Srdivacky		BN_clear_free(dhg.p);
208599Srdivacky
208599Srdivacky		if (dhg.size > max || dhg.size < min)
208599Srdivacky			continue;
208599Srdivacky
208599Srdivacky		if ((dhg.size > wantbits && dhg.size < best) ||
208599Srdivacky		    (dhg.size > best && best < wantbits)) {
208599Srdivacky			best = dhg.size;
208599Srdivacky			bestcount = 0;
208599Srdivacky		}
218893Sdim		if (dhg.size == best)
218893Sdim			bestcount++;
218893Sdim	}
218893Sdim	rewind(f);
218893Sdim
218893Sdim	if (bestcount == 0) {
218893Sdim		fclose(f);
218893Sdim		logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
218893Sdim		return (dh_new_group14());
218893Sdim	}
218893Sdim
218893Sdim	linenum = 0;
218893Sdim	which = arc4random() % bestcount;
	while (fgets(line, sizeof(line), f)) {
		if (!parse_prime(linenum, line, &dhg))
			continue;
		if ((dhg.size > max || dhg.size < min) ||
		    dhg.size != best ||
		    linenum++ != which) {
			BN_clear_free(dhg.g);
			BN_clear_free(dhg.p);
			continue;
		}
		break;
	}
	fclose(f);
	if (linenum != which+1)
		fatal("WARNING: line %d disappeared in %s, giving up",
		    which, _PATH_DH_PRIMES);

	return (dh_new_group(dhg.g, dhg.p));
}

/* diffie-hellman-groupN-sha1 */

int
dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
{
	int i;
	int n = BN_num_bits(dh_pub);
	int bits_set = 0;

	if (dh_pub->neg) {
		logit("invalid public DH value: negativ");
		return 0;
	}
	for (i = 0; i <= n; i++)
		if (BN_is_bit_set(dh_pub, i))
			bits_set++;
	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));

	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
		return 1;
	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
	return 0;
}

void
dh_gen_key(DH *dh, int need)
{
	int i, bits_set, tries = 0;

	if (dh->p == NULL)
		fatal("dh_gen_key: dh->p == NULL");
	if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
		fatal("dh_gen_key: group too small: %d (2*need %d)",
		    BN_num_bits(dh->p), 2*need);
	do {
		if (dh->priv_key != NULL)
			BN_clear_free(dh->priv_key);
		if ((dh->priv_key = BN_new()) == NULL)
			fatal("dh_gen_key: BN_new failed");
		/* generate a 2*need bits random private exponent */
		if (!BN_rand(dh->priv_key, 2*need, 0, 0))
			fatal("dh_gen_key: BN_rand failed");
		if (DH_generate_key(dh) == 0)
			fatal("DH_generate_key");
		for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
			if (BN_is_bit_set(dh->priv_key, i))
				bits_set++;
		debug2("dh_gen_key: priv key bits set: %d/%d",
		    bits_set, BN_num_bits(dh->priv_key));
		if (tries++ > 10)
			fatal("dh_gen_key: too many bad keys: giving up");
	} while (!dh_pub_is_valid(dh, dh->pub_key));
}

DH *
dh_new_group_asc(const char *gen, const char *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group_asc: DH_new");

	if (BN_hex2bn(&dh->p, modulus) == 0)
		fatal("BN_hex2bn p");
	if (BN_hex2bn(&dh->g, gen) == 0)
		fatal("BN_hex2bn g");

	return (dh);
}

/*
 * This just returns the group, we still need to generate the exchange
 * value.
 */

DH *
dh_new_group(BIGNUM *gen, BIGNUM *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group: DH_new");
	dh->p = modulus;
	dh->g = gen;

	return (dh);
}

DH *
dh_new_group1(void)
{
	static char *gen = "2", *group1 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	    "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group1));
}

DH *
dh_new_group14(void)
{
	static char *gen = "2", *group14 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group14));
}

/*
 * Estimates the group order for a Diffie-Hellman group that has an
 * attack complexity approximately the same as O(2**bits).  Estimate
 * with:  O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
 */

int
dh_estimate(int bits)
{

	if (bits <= 128)
		return (1024);	/* O(2**86) */
	if (bits <= 192)
		return (2048);	/* O(2**116) */
	return (4096);		/* O(2**156) */
}