xref: /freebsd/crypto/openssh/dh.c (revision eb9da1ada8b6b2c74378a5c17029ec5a7fb199e6)
1 /* $OpenBSD: dh.c,v 1.57 2015/05/27 23:39:18 dtucker Exp $ */
2 /*
3  * Copyright (c) 2000 Niels Provos.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 #include <sys/param.h>	/* MIN */
29 
30 #include <openssl/bn.h>
31 #include <openssl/dh.h>
32 
33 #include <stdarg.h>
34 #include <stdio.h>
35 #include <stdlib.h>
36 #include <string.h>
37 #include <limits.h>
38 
39 #include "dh.h"
40 #include "pathnames.h"
41 #include "log.h"
42 #include "misc.h"
43 #include "ssherr.h"
44 
45 static int
46 parse_prime(int linenum, char *line, struct dhgroup *dhg)
47 {
48 	char *cp, *arg;
49 	char *strsize, *gen, *prime;
50 	const char *errstr = NULL;
51 	long long n;
52 
53 	dhg->p = dhg->g = NULL;
54 	cp = line;
55 	if ((arg = strdelim(&cp)) == NULL)
56 		return 0;
57 	/* Ignore leading whitespace */
58 	if (*arg == '\0')
59 		arg = strdelim(&cp);
60 	if (!arg || !*arg || *arg == '#')
61 		return 0;
62 
63 	/* time */
64 	if (cp == NULL || *arg == '\0')
65 		goto truncated;
66 	arg = strsep(&cp, " "); /* type */
67 	if (cp == NULL || *arg == '\0')
68 		goto truncated;
69 	/* Ensure this is a safe prime */
70 	n = strtonum(arg, 0, 5, &errstr);
71 	if (errstr != NULL || n != MODULI_TYPE_SAFE) {
72 		error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE);
73 		goto fail;
74 	}
75 	arg = strsep(&cp, " "); /* tests */
76 	if (cp == NULL || *arg == '\0')
77 		goto truncated;
78 	/* Ensure prime has been tested and is not composite */
79 	n = strtonum(arg, 0, 0x1f, &errstr);
80 	if (errstr != NULL ||
81 	    (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) {
82 		error("moduli:%d: invalid moduli tests flag", linenum);
83 		goto fail;
84 	}
85 	arg = strsep(&cp, " "); /* tries */
86 	if (cp == NULL || *arg == '\0')
87 		goto truncated;
88 	n = strtonum(arg, 0, 1<<30, &errstr);
89 	if (errstr != NULL || n == 0) {
90 		error("moduli:%d: invalid primality trial count", linenum);
91 		goto fail;
92 	}
93 	strsize = strsep(&cp, " "); /* size */
94 	if (cp == NULL || *strsize == '\0' ||
95 	    (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
96 	    errstr) {
97 		error("moduli:%d: invalid prime length", linenum);
98 		goto fail;
99 	}
100 	/* The whole group is one bit larger */
101 	dhg->size++;
102 	gen = strsep(&cp, " "); /* gen */
103 	if (cp == NULL || *gen == '\0')
104 		goto truncated;
105 	prime = strsep(&cp, " "); /* prime */
106 	if (cp != NULL || *prime == '\0') {
107  truncated:
108 		error("moduli:%d: truncated", linenum);
109 		goto fail;
110 	}
111 
112 	if ((dhg->g = BN_new()) == NULL ||
113 	    (dhg->p = BN_new()) == NULL) {
114 		error("parse_prime: BN_new failed");
115 		goto fail;
116 	}
117 	if (BN_hex2bn(&dhg->g, gen) == 0) {
118 		error("moduli:%d: could not parse generator value", linenum);
119 		goto fail;
120 	}
121 	if (BN_hex2bn(&dhg->p, prime) == 0) {
122 		error("moduli:%d: could not parse prime value", linenum);
123 		goto fail;
124 	}
125 	if (BN_num_bits(dhg->p) != dhg->size) {
126 		error("moduli:%d: prime has wrong size: actual %d listed %d",
127 		    linenum, BN_num_bits(dhg->p), dhg->size - 1);
128 		goto fail;
129 	}
130 	if (BN_cmp(dhg->g, BN_value_one()) <= 0) {
131 		error("moduli:%d: generator is invalid", linenum);
132 		goto fail;
133 	}
134 	return 1;
135 
136  fail:
137 	if (dhg->g != NULL)
138 		BN_clear_free(dhg->g);
139 	if (dhg->p != NULL)
140 		BN_clear_free(dhg->p);
141 	dhg->g = dhg->p = NULL;
142 	return 0;
143 }
144 
145 DH *
146 choose_dh(int min, int wantbits, int max)
147 {
148 	FILE *f;
149 	char line[4096];
150 	int best, bestcount, which;
151 	int linenum;
152 	struct dhgroup dhg;
153 
154 	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
155 	    (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
156 		logit("WARNING: %s does not exist, using fixed modulus",
157 		    _PATH_DH_MODULI);
158 		return (dh_new_group_fallback(max));
159 	}
160 
161 	linenum = 0;
162 	best = bestcount = 0;
163 	while (fgets(line, sizeof(line), f)) {
164 		linenum++;
165 		if (!parse_prime(linenum, line, &dhg))
166 			continue;
167 		BN_clear_free(dhg.g);
168 		BN_clear_free(dhg.p);
169 
170 		if (dhg.size > max || dhg.size < min)
171 			continue;
172 
173 		if ((dhg.size > wantbits && dhg.size < best) ||
174 		    (dhg.size > best && best < wantbits)) {
175 			best = dhg.size;
176 			bestcount = 0;
177 		}
178 		if (dhg.size == best)
179 			bestcount++;
180 	}
181 	rewind(f);
182 
183 	if (bestcount == 0) {
184 		fclose(f);
185 		logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
186 		return (dh_new_group_fallback(max));
187 	}
188 
189 	linenum = 0;
190 	which = arc4random_uniform(bestcount);
191 	while (fgets(line, sizeof(line), f)) {
192 		if (!parse_prime(linenum, line, &dhg))
193 			continue;
194 		if ((dhg.size > max || dhg.size < min) ||
195 		    dhg.size != best ||
196 		    linenum++ != which) {
197 			BN_clear_free(dhg.g);
198 			BN_clear_free(dhg.p);
199 			continue;
200 		}
201 		break;
202 	}
203 	fclose(f);
204 	if (linenum != which+1) {
205 		logit("WARNING: line %d disappeared in %s, giving up",
206 		    which, _PATH_DH_PRIMES);
207 		return (dh_new_group_fallback(max));
208 	}
209 
210 	return (dh_new_group(dhg.g, dhg.p));
211 }
212 
213 /* diffie-hellman-groupN-sha1 */
214 
215 int
216 dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
217 {
218 	int i;
219 	int n = BN_num_bits(dh_pub);
220 	int bits_set = 0;
221 	BIGNUM *tmp;
222 
223 	if (dh_pub->neg) {
224 		logit("invalid public DH value: negative");
225 		return 0;
226 	}
227 	if (BN_cmp(dh_pub, BN_value_one()) != 1) {	/* pub_exp <= 1 */
228 		logit("invalid public DH value: <= 1");
229 		return 0;
230 	}
231 
232 	if ((tmp = BN_new()) == NULL) {
233 		error("%s: BN_new failed", __func__);
234 		return 0;
235 	}
236 	if (!BN_sub(tmp, dh->p, BN_value_one()) ||
237 	    BN_cmp(dh_pub, tmp) != -1) {		/* pub_exp > p-2 */
238 		BN_clear_free(tmp);
239 		logit("invalid public DH value: >= p-1");
240 		return 0;
241 	}
242 	BN_clear_free(tmp);
243 
244 	for (i = 0; i <= n; i++)
245 		if (BN_is_bit_set(dh_pub, i))
246 			bits_set++;
247 	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
248 
249 	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
250 	if (bits_set > 1)
251 		return 1;
252 
253 	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
254 	return 0;
255 }
256 
257 int
258 dh_gen_key(DH *dh, int need)
259 {
260 	int pbits;
261 
262 	if (need < 0 || dh->p == NULL ||
263 	    (pbits = BN_num_bits(dh->p)) <= 0 ||
264 	    need > INT_MAX / 2 || 2 * need > pbits)
265 		return SSH_ERR_INVALID_ARGUMENT;
266 	dh->length = MIN(need * 2, pbits - 1);
267 	if (DH_generate_key(dh) == 0 ||
268 	    !dh_pub_is_valid(dh, dh->pub_key)) {
269 		BN_clear_free(dh->priv_key);
270 		return SSH_ERR_LIBCRYPTO_ERROR;
271 	}
272 	return 0;
273 }
274 
275 DH *
276 dh_new_group_asc(const char *gen, const char *modulus)
277 {
278 	DH *dh;
279 
280 	if ((dh = DH_new()) == NULL)
281 		return NULL;
282 	if (BN_hex2bn(&dh->p, modulus) == 0 ||
283 	    BN_hex2bn(&dh->g, gen) == 0) {
284 		DH_free(dh);
285 		return NULL;
286 	}
287 	return (dh);
288 }
289 
290 /*
291  * This just returns the group, we still need to generate the exchange
292  * value.
293  */
294 
295 DH *
296 dh_new_group(BIGNUM *gen, BIGNUM *modulus)
297 {
298 	DH *dh;
299 
300 	if ((dh = DH_new()) == NULL)
301 		return NULL;
302 	dh->p = modulus;
303 	dh->g = gen;
304 
305 	return (dh);
306 }
307 
308 DH *
309 dh_new_group1(void)
310 {
311 	static char *gen = "2", *group1 =
312 	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
313 	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
314 	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
315 	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
316 	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
317 	    "FFFFFFFF" "FFFFFFFF";
318 
319 	return (dh_new_group_asc(gen, group1));
320 }
321 
322 DH *
323 dh_new_group14(void)
324 {
325 	static char *gen = "2", *group14 =
326 	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
327 	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
328 	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
329 	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
330 	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
331 	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
332 	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
333 	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
334 	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
335 	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
336 	    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
337 
338 	return (dh_new_group_asc(gen, group14));
339 }
340 
341 /*
342  * 4k bit fallback group used by DH-GEX if moduli file cannot be read.
343  * Source: MODP group 16 from RFC3526.
344  */
345 DH *
346 dh_new_group_fallback(int max)
347 {
348 	static char *gen = "2", *group16 =
349 	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
350 	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
351 	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
352 	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
353 	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
354 	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
355 	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
356 	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
357 	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
358 	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
359 	    "15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64"
360 	    "ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7"
361 	    "ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B"
362 	    "F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C"
363 	    "BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31"
364 	    "43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7"
365 	    "88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA"
366 	    "2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6"
367 	    "287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED"
368 	    "1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9"
369 	    "93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34063199"
370 	    "FFFFFFFF" "FFFFFFFF";
371 
372 	if (max < 4096) {
373 		debug3("requested max size %d, using 2k bit group 14", max);
374 		return dh_new_group14();
375 	}
376 	debug3("using 4k bit group 16");
377 	return (dh_new_group_asc(gen, group16));
378 }
379 
380 /*
381  * Estimates the group order for a Diffie-Hellman group that has an
382  * attack complexity approximately the same as O(2**bits).
383  * Values from NIST Special Publication 800-57: Recommendation for Key
384  * Management Part 1 (rev 3) limited by the recommended maximum value
385  * from RFC4419 section 3.
386  */
387 
388 u_int
389 dh_estimate(int bits)
390 {
391 	if (bits <= 112)
392 		return 2048;
393 	if (bits <= 128)
394 		return 3072;
395 	if (bits <= 192)
396 		return 7680;
397 	return 8192;
398 }
399