authorJakub Jelen <jjelen@redhat.com>2019-03-25 16:42:19 +0100
committerAndreas Schneider <asn@cryptomilk.org>2019-04-29 13:18:09 +0200
commit104c696bca84525de1ad98fac5287f473bc1ed1e (patch)
treef0492f75f0ad3d9cab7e296aff7ec35bc2154d8b /src/dh.c
parente4465073527b12b8efef338b212b78e3434959ee (diff)
dh-gex: Verify received primes in FIPS mode to match one of the known groups
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/dh.c')
-rw-r--r--src/dh.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/src/dh.c b/src/dh.c
index e6c2cfd9..10830441 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -590,6 +590,33 @@ int ssh_fallback_group(uint32_t pmax,
* @{
*/
+bool ssh_dh_is_known_group(bignum modulus, bignum generator)
+{
+ int cmp, bits;
+ bignum m = NULL;
+
+ bits = bignum_num_bits(modulus);
+ if (bits < 3072) {
+ m = ssh_dh_group14;
+ } else if (bits < 6144) {
+ m = ssh_dh_group16;
+ } else {
+ m = ssh_dh_group18;
+ }
+
+ cmp = bignum_cmp(m, modulus);
+ if (cmp != 0) {
+ return false;
+ }
+
+ cmp = bignum_cmp(ssh_dh_generator, generator);
+ if (cmp != 0) {
+ return false;
+ }
+
+ SSH_LOG(SSH_LOG_TRACE, "The received primes in FIPS are known");
+ return true;
+}
ssh_key ssh_dh_get_current_server_publickey(ssh_session session)
{
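Review bot: Both rejection paths in ssh_dh_is_known_group (the `return false` after each `bignum_cmp`) are silent, while only the accepting path logs, so a received group that fails the FIPS check leaves no record of which comparison failed. Since the rejection is the security-relevant event, I would log it, e.g. `SSH_LOG(SSH_LOG_WARN, "Received DH modulus (%d bits) does not match a known group", bits);` before the first `return false`, with an equivalent line for the generator mismatch. The function also sits directly after the Doxygen `@{` opener with no comment of its own. A short `/** @internal ... */` block should state that only ssh_dh_group14, ssh_dh_group16 and ssh_dh_group18 paired with ssh_dh_generator are accepted, and that both arguments must be non-NULL. The body passes them to `bignum_num_bits` and `bignum_cmp` unchecked, and the callers are not visible in this hunk.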