summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJakub Jelen <jjelen@redhat.com>2019-03-21 14:56:16 +0100
committerAndreas Schneider <asn@cryptomilk.org>2019-04-29 13:18:09 +0200
commit67beaf363fc16be235edf9cbf2f580f7906ef99c (patch)
tree4466d334e5420bb094a022b000b23e5b37779df0
parent4012338862daf70a815e2970a1ff69844f842185 (diff)
downloadlibssh-67beaf363fc16be235edf9cbf2f580f7906ef99c.tar.gz
libssh-67beaf363fc16be235edf9cbf2f580f7906ef99c.tar.xz
libssh-67beaf363fc16be235edf9cbf2f580f7906ef99c.zip
dh-gex: Fall back to known primes when the moduli file is not readable
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--include/libssh/dh.h1
-rw-r--r--src/dh-gex.c2
-rw-r--r--src/dh.c27
3 files changed, 29 insertions, 1 deletions
diff --git a/include/libssh/dh.h b/include/libssh/dh.h
index 0d6720ee..02c99760 100644
--- a/include/libssh/dh.h
+++ b/include/libssh/dh.h
@@ -67,5 +67,6 @@ int ssh_client_dh_init(ssh_session session);
void ssh_server_dh_init(ssh_session session);
#endif /* WITH_SERVER */
int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet);
+int ssh_fallback_group(uint32_t pmax, bignum *p, bignum *g);
#endif /* DH_H_ */
diff --git a/src/dh-gex.c b/src/dh-gex.c
index 7c5eb94e..1a4c3395 100644
--- a/src/dh-gex.c
+++ b/src/dh-gex.c
@@ -479,7 +479,7 @@ static int ssh_retrieve_dhgroup(uint32_t pmin,
SSH_LOG(SSH_LOG_WARNING,
"Unable to open moduli file: %s",
strerror(errno));
- return SSH_ERROR;
+ return ssh_fallback_group(pmax, p, g);
}
*size = 0;
diff --git a/src/dh.c b/src/dh.c
index bf52b498..e6c2cfd9 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -555,6 +555,33 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_dh_init){
return SSH_PACKET_USED;
}
+/** @internal
+ * @brief Choose a fallback group for the DH Group exchange if the
+ * moduli file is not readable
+ * @param[in] pmax maximum requestsd group size
+ * @param[out] modulus
+ * @param[out] generator
+ * @returns SSH_OK on success, SSH_ERROR otherwise
+ */
+int ssh_fallback_group(uint32_t pmax,
+ bignum *modulus,
+ bignum *generator)
+{
+ *modulus = NULL;
+ *generator = NULL;
+
+ if (pmax < 3072) {
+ *modulus = ssh_dh_group14;
+ } else if (pmax < 6144) {
+ *modulus = ssh_dh_group16;
+ } else {
+ *modulus = ssh_dh_group18;
+ }
+ *generator = ssh_dh_generator;
+
+ return SSH_OK;
+}
+
#endif /* WITH_SERVER */
/**