Bugzilla – Attachment 2630 Details for
Bug 2302
with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Make the DH-GEX fallback group 4k bit.
sshd-dhgex-fallback-group.patch (text/plain), 3.57 KB, created by
Darren Tucker
on 2015-05-26 16:10:58 AEST
(
hide
)
Description:
Make the DH-GEX fallback group 4k bit.
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2015-05-26 16:10:58 AEST
Size:
3.57 KB
patch
obsolete
>Index: dh.c >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/dh.c,v >retrieving revision 1.56 >diff -u -p -r1.56 dh.c >--- dh.c 26 Mar 2015 06:59:28 -0000 1.56 >+++ dh.c 26 May 2015 06:05:05 -0000 >@@ -152,7 +152,7 @@ choose_dh(int min, int wantbits, int max > (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) { > logit("WARNING: %s does not exist, using fixed modulus", > _PATH_DH_MODULI); >- return (dh_new_group14()); >+ return (dh_new_group_fallback(max)); > } > > linenum = 0; >@@ -180,7 +180,7 @@ choose_dh(int min, int wantbits, int max > if (bestcount == 0) { > fclose(f); > logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES); >- return (dh_new_group14()); >+ return (dh_new_group_fallback(max)); > } > > linenum = 0; >@@ -201,7 +201,7 @@ choose_dh(int min, int wantbits, int max > if (linenum != which+1) { > logit("WARNING: line %d disappeared in %s, giving up", > which, _PATH_DH_PRIMES); >- return (dh_new_group14()); >+ return (dh_new_group_fallback(max)); > } > > return (dh_new_group(dhg.g, dhg.p)); >@@ -333,6 +333,46 @@ dh_new_group14(void) > "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF"; > > return (dh_new_group_asc(gen, group14)); >+} >+ >+/* Fallback group used by DH-GEX if moduli file cannot be read. */ >+DH * >+dh_new_group_fallback(int max) >+{ >+ static char *gen = "5", *group_fallback = >+ "DDE41D70" "21F9DF82" "40D0BD8E" "14CE1E37" "4A4FFDD0" >+ "73767E84" "C8C347B6" "F8327312" "77F9D333" "B8BC7CD9" >+ "6ED164DF" "5C6F26E4" "6E4BAF0A" "A7C87B26" "CE3E1104" >+ "2C1BDDF7" "6095E50D" "7772E5DC" "0C48EBA0" "E41EC92E" >+ "AFA655DA" "1B6C614E" "1F0F9AD8" "15BD7505" "AA9B8A26" >+ "5D13956B" "5A26141E" "E812404D" "E13B821C" "9B7BCA99" >+ "82B8CF7D" "862F8E8A" "373FEFEE" "4AE46EC2" "122519A2" >+ "AD896ED1" "8CAECEF3" "14D1B98C" "83358B6E" "9D2F3BC5" >+ "8C1688F1" "62E3CF1F" "F58E57E7" "B9E14BB3" "7C9C9E96" >+ "92E57C42" "937141C2" "26E84C35" "B42DED90" "55A7F366" >+ "A61C3CB4" "899B4992" "78ED4C72" "9CC1DE54" "827E8822" >+ "90F9FC13" "F7F1488F" "897698EA" "62A99468" "D6F3ED05" >+ "61816C39" "B8279154" "FC7A8E45" "3CCC4EB1" "ABC777A3" >+ "97B694E1" "B9866C24" "95489F94" "721A3351" "B252D05F" >+ "E6C78579" "29B34C19" "A8EB42AB" "ED88FA37" "0DABCA83" >+ "A245DC35" "CFB39982" "4D127507" "AD540054" "C647F61C" >+ "6BD11CAF" "C3FE5277" "A1014DF6" "B538BC8B" "FE009315" >+ "BCD60E02" "0DAB840B" "8A4219EB" "A4E34968" "0BC7CA3A" >+ "9BC36164" "A3D36E32" "5C530B17" "8747814F" "57589912" >+ "6B307EB6" "3F910DDE" "0F09E505" "6B2F9F7E" "230A42C1" >+ "1DDD34A9" "B23A6409" "0C2FF9C7" "F3DD696E" "6828613E" >+ "74A64CFC" "4046ECFA" "997BE849" "81430D8A" "7F8AEC63" >+ "001E50AF" "9F556567" "A0065A9A" "013A66A2" "737CEEE4" >+ "68D6A150" "02358AC6" "48D862B0" "618E6DD6" "A98BBBE9" >+ "E68174D9" "C9FE4568" "BB2D1208" "3CF6892B" "6B8D5830" >+ "7944955A" "987F3791" "775049BF"; >+ >+ if (max < 4096) { >+ debug3("requested max size %d, using Oakley group 14", max); >+ return dh_new_group14(); >+ } >+ debug3("using static 4k bit group"); >+ return (dh_new_group_asc(gen, group_fallback)); > } > > /* >Index: dh.h >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/dh.h,v >retrieving revision 1.12 >diff -u -p -r1.12 dh.h >--- dh.h 19 Jan 2015 20:16:15 -0000 1.12 >+++ dh.h 26 May 2015 06:05:05 -0000 >@@ -37,6 +37,7 @@ DH *dh_new_group_asc(const char *, const > DH *dh_new_group(BIGNUM *, BIGNUM *); > DH *dh_new_group1(void); > DH *dh_new_group14(void); >+DH *dh_new_group_fallback(int); > > int dh_gen_key(DH *, int); > int dh_pub_is_valid(DH *, BIGNUM *);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2630">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 2302
:
2630
|
2631
|
2632
|
2640