Re: DH Group Exchange Fallback

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



[+CC Loganaden Velvindron <logan@xxxxxxxxxx>] primary author of
the RFC 4419 refresh draft. The question, what should a conformant
RFC 4419 (or later) server do when the moduli requested by the
server is not available in the cached moduli file?

Joseph S Testa II <jtesta@xxxxxxxxxxxxxxxxxxxx> writes:

> On 09/24/2017 12:21 AM, Mark D. Baushke wrote:
> > I suggest you upgrade to a more recent edition of the OpenSSH software.
> > The most recent release is OpenSSH 7.5 and OpenSSH 7.6 will be released
> > very soon.
> 
> This problem is in v7.5 and v7.6.  See dh.c:436.

I agree that the current dh_new_group_fallack() is not providing
a DH group with at least max bits in it.

--- dh.c~	2017-04-02 08:46:42.000000000 -0700
+++ dh.c	2017-09-24 09:18:54.000000000 -0700
@@ -436,10 +436,10 @@
 dh_new_group_fallback(int max)
 {
 	debug3("%s: requested max size %d", __func__, max);
-	if (max < 3072) {
+	if (max <= 2048) {
 		debug3("using 2k bit group 14");
 		return dh_new_group14();
-	} else if (max < 6144) {
+	} else if (max <= 4096) {
 		debug3("using 4k bit group 16");
 		return dh_new_group16();
 	}

in this case, if you ask for a 3072-bit prime and all that the moduli
file has is 2048 bit primes, you would get a 4096-bit prime from the
server. Of course, if all that the moduli file had were 6144-bit primes
that might be the wrong thing to do as the asministrator my wish to
limit the primes being returned to 6144-bit values when anything smaller
is requested.

> However, my main point still stands.  The admin is unambiguously
> saying "ONLY use these groups", yet in some cases, the present code
> disregards this and unexpectedly does something else.

You point is fair, but you have not completely specified all of the
possible options.

> Motion to remove the group-exchange fallback mechanism entirely.

Please answer this question first:

Q1: If the moduli file is currently empty as in zero entries (apparently
the server has not yet populated it, or the administrator has truncated
the file to zero bytes). The server should do the following:

  a) Do not send the diffie-hellman-group-exchange-sha256 or
     diffie-hellman-group-exchange-sha1 option even if it is
     configured in the sshd_config file, or

  b) Send a DH group that it 'knows about' (be it group14, group16,
     group18, or some other DH group it has on hand)?

In my opinion, if the group exchange is configured in the sshd_config
file (or the default), I personally believe that if there is no entries
at all in the moduli file it should send a pre-defined DH MODP group
when there is no entry at all in the moduli file. I have no problems
with trying to send a DH moduli that closely matches the requested
value.

However, I do tend to agree with you that if there is one or more
entries in the moduli file, then one of those groups should be selected
rather than doing a fallback to a fixed group.

> P.S.  I volunteer to write the patch if this change would be accepted.

You should probably submit your bug report with your patch to the
OpenSSH bug tracking system in any case. However, I suggest you may
wish to also deal with my question above as well.

	-- Mark
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux