author | Jakub Jelen <jjelen@redhat.com> | 2019-03-25 16:42:19 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-04-29 13:18:09 +0200 |
commit | 104c696bca84525de1ad98fac5287f473bc1ed1e (patch) | |
tree | f0492f75f0ad3d9cab7e296aff7ec35bc2154d8b /src/dh.c | |
parent | e4465073527b12b8efef338b212b78e3434959ee (diff) | |
dh-gex: Verify received primes in FIPS mode to match one of the known groups
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/dh.c')
-rw-r--r-- | src/dh.c | 27 |
1 files changed, 27 insertions, 0 deletions
@@ -590,6 +590,33 @@ int ssh_fallback_group(uint32_t pmax,
 * @{
 */
+bool ssh_dh_is_known_group(bignum modulus, bignum generator)
+{
+ int cmp, bits;
+ bignum m = NULL;
+
+ bits = bignum_num_bits(modulus);
+ if (bits < 3072) {
+ m = ssh_dh_group14;
+ } else if (bits < 6144) {
+ m = ssh_dh_group16;
+ } else {
+ m = ssh_dh_group18;
+ }
+
+ cmp = bignum_cmp(m, modulus);
+ if (cmp != 0) {
+ return false;
+ }
+
+ cmp = bignum_cmp(ssh_dh_generator, generator);
+ if (cmp != 0) {
+ return false;
+ }
+
+ SSH_LOG(SSH_LOG_TRACE, "The received primes in FIPS are known");
+ return true;
+}
 ssh_key ssh_dh_get_current_server_publickey(ssh_session session)
 { |
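Review bot: `ssh_dh_is_known_group()` hands `modulus` to `bignum_num_bits()` and `generator` to `bignum_cmp()` without a NULL check, although the commit title says these are values received from the peer. The caller is outside this hunk and may already guarantee non-NULL, but a guard at the top such as `if (modulus == NULL || generator == NULL) return false;` keeps the validator fail-closed on its own. Both rejection paths return `false` silently while only the success path logs, so a peer offering a group outside the built-in set leaves no trace here; something like `SSH_LOG(SSH_LOG_WARN, "Rejecting unknown DH group (%d bits)", bits);` before the first `return false` would make failed FIPS handshakes diagnosable. The function also sits inside the Doxygen group without a doc comment, and it would help to state there that the 3072/6144 thresholds only select which built-in group to compare against, while the exact `bignum_cmp()` is what decides.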