Tighten validation of DH values. Odds of x==0 being generated are

improbable, roughly 2**-1023 Regression in 0.49
author: Matt Johnston <matt@ucc.asn.au> 2015-02-10 21:46:19 +0800
committer: Matt Johnston <matt@ucc.asn.au> 2015-02-10 21:46:19 +0800
commit: c44a78a2e66b666696a944a389c00b1cf0fa49ca (patch)
tree: 40edf0fdbc11eae88e4bf2eba3d4be53be086b41
parent: b6685bf806b1cf58f194d56261b29db0f235d33b (diff)
4 files changed, 15 insertions, 11 deletions
diff --git a/common-kex.c b/common-kex.c
index 7d93708..f355560 100644
--- a/common-kex.c
+++ b/common-kex.c
@@ -629,16 +629,20 @@ void free_kexdh_param(struct kex_dh_param *param)
 void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them,
 		sign_key *hostkey) {
 
-	mp_int dh_p;
+	DEF_MP_INT(dh_p);
+	DEF_MP_INT(dh_p_min1);
 	mp_int *dh_e = NULL, *dh_f = NULL;
 
-	/* read the prime and generator*/
-	m_mp_init(&dh_p);
+	m_mp_init_multi(&dh_p, &dh_p_min1, NULL);
 	load_dh_p(&dh_p);
 
-	/* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */
-	if (mp_cmp(dh_pub_them, &dh_p) != MP_LT 
-			|| mp_cmp_d(dh_pub_them, 0) != MP_GT) {
+	if (mp_sub_d(&dh_p, 1, &dh_p_min1) != MP_OKAY) { 
+		dropbear_exit("Diffie-Hellman error");
+	}
+
+	/* Check that dh_pub_them (dh_e or dh_f) is in the range [2, p-2] */
+	if (mp_cmp(dh_pub_them, &dh_p_min1) != MP_LT 
+			|| mp_cmp_d(dh_pub_them, 1) != MP_GT) {
 		dropbear_exit("Diffie-Hellman error");
 	}
 	
@@ -649,7 +653,7 @@ void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them,
 	}
 
 	/* clear no longer needed vars */
-	mp_clear_multi(&dh_p, NULL);
+	mp_clear_multi(&dh_p, &dh_p_min1, NULL);
 
 	/* From here on, the code needs to work with the _same_ vars on each side,
 	 * not vice-versaing for client/server */
diff --git a/dbrandom.c b/dbrandom.c
index e2f55c2..cf280f4 100644
--- a/dbrandom.c
+++ b/dbrandom.c
@@ -306,7 +306,7 @@ void gen_random_mpint(mp_int *max, mp_int *rand) {
 
 		/* keep regenerating until we get one satisfying
 		 * 0 < rand < max    */
-	} while (mp_cmp(rand, max) != MP_LT);
+	} while (!(mp_cmp(rand, max) == MP_LT && mp_cmp_d(rand, 0) == MP_GT));
 	m_burn(randbuf, len);
 	m_free(randbuf);
 }
diff --git a/debug.h b/debug.h
index 289c577..be09865 100644
--- a/debug.h
+++ b/debug.h
@@ -39,7 +39,7 @@
  * Caution: Don't use this in an unfriendly environment (ie unfirewalled),
  * since the printing may not sanitise strings etc. This will add a reasonable
  * amount to your executable size. */
-/* #define DEBUG_TRACE */
+#define DEBUG_TRACE
 
 /* All functions writing to the cleartext payload buffer call
  * CHECKCLEARTOWRITE() before writing. This is only really useful if you're
diff --git a/options.h b/options.h
index 6339b0a..5c86834 100644
--- a/options.h
+++ b/options.h
@@ -95,8 +95,8 @@ much traffic. */
 #define DROPBEAR_AES256
 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
 /*#define DROPBEAR_BLOWFISH*/
-/*#define DROPBEAR_TWOFISH256*/
-/*#define DROPBEAR_TWOFISH128*/
+#define DROPBEAR_TWOFISH256
+#define DROPBEAR_TWOFISH128
 
 /* Enable CBC mode for ciphers. This has security issues though
  * is the most compatible with older SSH implementations */
author	Matt Johnston <matt@ucc.asn.au>	2015-02-10 21:46:19 +0800
committer	Matt Johnston <matt@ucc.asn.au>	2015-02-10 21:46:19 +0800
commit	c44a78a2e66b666696a944a389c00b1cf0fa49ca (patch)
tree	40edf0fdbc11eae88e4bf2eba3d4be53be086b41
parent	b6685bf806b1cf58f194d56261b29db0f235d33b (diff)