# HG changeset patch # User Matt Johnston # Date 1423575979 -28800 # Node ID a1e79ffa58622691f860ea796ec8fe51b7a272be # Parent ffd2359564b0ef17a33b957feecbfef7b8edef7a Tighten validation of DH values. Odds of x==0 being generated are improbable, roughly 2**-1023 Regression in 0.49 diff -r ffd2359564b0 -r a1e79ffa5862 common-kex.c --- a/common-kex.c Wed Feb 04 22:12:06 2015 +0800 +++ b/common-kex.c Tue Feb 10 21:46:19 2015 +0800 @@ -629,16 +629,20 @@ void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them, sign_key *hostkey) { - mp_int dh_p; + DEF_MP_INT(dh_p); + DEF_MP_INT(dh_p_min1); mp_int *dh_e = NULL, *dh_f = NULL; - /* read the prime and generator*/ - m_mp_init(&dh_p); + m_mp_init_multi(&dh_p, &dh_p_min1, NULL); load_dh_p(&dh_p); - /* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */ - if (mp_cmp(dh_pub_them, &dh_p) != MP_LT - || mp_cmp_d(dh_pub_them, 0) != MP_GT) { + if (mp_sub_d(&dh_p, 1, &dh_p_min1) != MP_OKAY) { + dropbear_exit("Diffie-Hellman error"); + } + + /* Check that dh_pub_them (dh_e or dh_f) is in the range [2, p-2] */ + if (mp_cmp(dh_pub_them, &dh_p_min1) != MP_LT + || mp_cmp_d(dh_pub_them, 1) != MP_GT) { dropbear_exit("Diffie-Hellman error"); } @@ -649,7 +653,7 @@ } /* clear no longer needed vars */ - mp_clear_multi(&dh_p, NULL); + mp_clear_multi(&dh_p, &dh_p_min1, NULL); /* From here on, the code needs to work with the _same_ vars on each side, * not vice-versaing for client/server */ diff -r ffd2359564b0 -r a1e79ffa5862 dbrandom.c --- a/dbrandom.c Wed Feb 04 22:12:06 2015 +0800 +++ b/dbrandom.c Tue Feb 10 21:46:19 2015 +0800 @@ -306,7 +306,7 @@ /* keep regenerating until we get one satisfying * 0 < rand < max */ - } while (mp_cmp(rand, max) != MP_LT); + } while (!(mp_cmp(rand, max) == MP_LT && mp_cmp_d(rand, 0) == MP_GT)); m_burn(randbuf, len); m_free(randbuf); } diff -r ffd2359564b0 -r a1e79ffa5862 debug.h --- a/debug.h Wed Feb 04 22:12:06 2015 +0800 +++ b/debug.h Tue Feb 10 21:46:19 2015 +0800 @@ -39,7 +39,7 @@ * Caution: Don't use this in an unfriendly environment (ie unfirewalled), * since the printing may not sanitise strings etc. This will add a reasonable * amount to your executable size. */ -/* #define DEBUG_TRACE */ +#define DEBUG_TRACE /* All functions writing to the cleartext payload buffer call * CHECKCLEARTOWRITE() before writing. This is only really useful if you're diff -r ffd2359564b0 -r a1e79ffa5862 options.h --- a/options.h Wed Feb 04 22:12:06 2015 +0800 +++ b/options.h Tue Feb 10 21:46:19 2015 +0800 @@ -95,8 +95,8 @@ #define DROPBEAR_AES256 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ /*#define DROPBEAR_BLOWFISH*/ -/*#define DROPBEAR_TWOFISH256*/ -/*#define DROPBEAR_TWOFISH128*/ +#define DROPBEAR_TWOFISH256 +#define DROPBEAR_TWOFISH128 /* Enable CBC mode for ciphers. This has security issues though * is the most compatible with older SSH implementations */