author | Damien Miller <djm@mindrot.org> | 2008-06-29 14:47:04 +0200 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2008-06-29 14:47:04 +0200 |
commit | 2e9cf4906926fba123d415fdac8465b94bcd38b3 (patch) | |
tree | d0c86565f3f340c972ad1479251b9ee31add20ae /moduli.c | |
parent | - djm@cvs.openbsd.org 2008/06/26 06:10:09 (diff) | |
download | openssh-2e9cf4906926fba123d415fdac8465b94bcd38b3.tar.xz openssh-2e9cf4906926fba123d415fdac8465b94bcd38b3.zip |
- djm@cvs.openbsd.org 2008/06/26 09:19:40
[dh.c dh.h moduli.c]
when loading moduli from /etc/moduli in sshd(8), check that they
are of the expected "safe prime" structure and have had
appropriate primality tests performed;
feedback and ok dtucker@
Diffstat (limited to 'moduli.c')
-rw-r--r-- | moduli.c | 49 |
1 files changed, 16 insertions, 33 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: moduli.c,v 1.20 2007/02/24 03:30:11 ray Exp $ */
+/* $OpenBSD: moduli.c,v 1.21 2008/06/26 09:19:40 djm Exp $ */
 /*
 * Copyright 1994 Phil Karn <karn@qualcomm.com>
 * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
@@ -42,6 +42,7 @@
 #include <sys/types.h>
 #include <openssl/bn.h>
+#include <openssl/dh.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -50,6 +51,7 @@
 #include <time.h>
 #include "xmalloc.h"
+#include "dh.h"
 #include "log.h"
 /*
@@ -59,27 +61,6 @@
 /* need line long enough for largest moduli plus headers */
 #define QLINESIZE (100+8192)
-/* Type: decimal.
- * Specifies the internal structure of the prime modulus.
- */
-#define QTYPE_UNKNOWN (0)
-#define QTYPE_UNSTRUCTURED (1)
-#define QTYPE_SAFE (2)
-#define QTYPE_SCHNORR (3)
-#define QTYPE_SOPHIE_GERMAIN (4)
-#define QTYPE_STRONG (5)
-
-/* Tests: decimal (bit field).
- * Specifies the methods used in checking for primality.
- * Usually, more than one test is used.
- */
-#define QTEST_UNTESTED (0x00)
-#define QTEST_COMPOSITE (0x01)
-#define QTEST_SIEVE (0x02)
-#define QTEST_MILLER_RABIN (0x04)
-#define QTEST_JACOBI (0x08)
-#define QTEST_ELLIPTIC (0x10)
-
 /*
 * Size: decimal.
 * Specifies the number of the most significant bit (0 to M).
@@ -434,8 +415,9 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
 fatal("BN_set_word failed");
 if (BN_add(q, q, largebase) == 0)
 fatal("BN_add failed");
- if (qfileout(out, QTYPE_SOPHIE_GERMAIN, QTEST_SIEVE,
- largetries, (power - 1) /* MSB */, (0), q) == -1) {
+ if (qfileout(out, MODULI_TYPE_SOPHIE_GERMAIN,
+ MODULI_TESTS_SIEVE, largetries,
+ (power - 1) /* MSB */, (0), q) == -1) {
 ret = -1;
 break;
 }
@@ -507,7 +489,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
 /* tests */
 in_tests = strtoul(cp, &cp, 10);
- if (in_tests & QTEST_COMPOSITE) {
+ if (in_tests & MODULI_TESTS_COMPOSITE) {
 debug2("%10u: known composite", count_in);
 continue;
 }
@@ -526,7 +508,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
 /* modulus (hex) */
 switch (in_type) {
- case QTYPE_SOPHIE_GERMAIN:
+ case MODULI_TYPE_SOPHIE_GERMAIN:
 debug2("%10u: (%u) Sophie-Germain", count_in, in_type);
 a = q;
 if (BN_hex2bn(&a, cp) == 0)
@@ -539,11 +521,11 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
 in_size += 1;
 generator_known = 0;
 break;
- case QTYPE_UNSTRUCTURED:
- case QTYPE_SAFE:
- case QTYPE_SCHNORR:
- case QTYPE_STRONG:
- case QTYPE_UNKNOWN:
+ case MODULI_TYPE_UNSTRUCTURED:
+ case MODULI_TYPE_SAFE:
+ case MODULI_TYPE_SCHNORR:
+ case MODULI_TYPE_STRONG:
+ case MODULI_TYPE_UNKNOWN:
 debug2("%10u: (%u)", count_in, in_type);
 a = p;
 if (BN_hex2bn(&a, cp) == 0)
@@ -570,7 +552,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
 continue;
 }
- if (in_tests & QTEST_MILLER_RABIN)
+ if (in_tests & MODULI_TESTS_MILLER_RABIN)
 in_tries += trials;
 else
 in_tries = trials;
@@ -644,7 +626,8 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
 }
 debug("%10u: q is almost certainly prime", count_in);
- if (qfileout(out, QTYPE_SAFE, (in_tests | QTEST_MILLER_RABIN),
+ if (qfileout(out, MODULI_TYPE_SAFE,
+ in_tests | MODULI_TESTS_MILLER_RABIN,
 in_tries, in_size, generator_known, p)) {
 res = -1;
 break; |
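Review bot: In the final prime_test hunk, `in_tests | MODULI_TESTS_MILLER_RABIN` writes every tests bit parsed from the candidate line (`in_tests = strtoul(cp, &cp, 10);` in the -507 hunk) into the output record, although the only test the visible lines show this function adding is Miller-Rabin. The commit message says sshd(8) now checks that loaded moduli have had appropriate primality tests performed, so this field has become a claim that a consumer relies on. I would add a comment above the call such as `/* tests bits other than MILLER_RABIN are carried over unverified from the input line */`, or mask `in_tests` to the known MODULI_TESTS_* flags if undefined bits should not propagate. prime_test begins and ends outside these hunks, so any validation between the strtoul and this call is not visible here.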