From d7ffbea9130e3b8899440dc3cc98f5e830168421 Mon Sep 17 00:00:00 2001 From: brent s Date: Sat, 3 Jul 2021 03:58:06 -0400 Subject: [PATCH] need to finish dh stuff still. --- README.md | 27 ++++++++++++++++++--------- dh/README | 11 ++++++++--- dh/const.go | 39 ++++++++++++++++++++++++++++++++++----- dh/func_gen.go | 2 ++ dh/func_utils.go | 2 ++ 5 files changed, 64 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 642472f..ea3212a 100644 --- a/README.md +++ b/README.md @@ -33,17 +33,19 @@ the default configuration and keys used may not be the strongest they can be (an This software will harden your OpenSSH security as much as possible to currently known weaknesses. ## How? -This program will generate/replace: +This program will generate/modify and replace: - * your hostkeys (typically `/etc/ssh/ssh_host_*_key*`) - * the client keys (`~/.ssh/id_*`) for the running user - * your `sshd` (server) configuration (typically `/etc/ssh/sshd_config`) - * your system-wide `ssh` (client) configuration (typically `/etc/ssh/ssh_config`) - * the `ssh` (client) configuration for the running user (`~/.ssh/config`) - * the SSH DH parameters (typically `/etc/ssh/moduli`) + * Your hostkeys (typically `/etc/ssh/ssh_host_*_key*`) + * The client keys (`~/.ssh/id_*`) for the running user + * Your `sshd` (server) configuration (typically `/etc/ssh/sshd_config`) + * Your system-wide `ssh` (client) configuration (typically `/etc/ssh/ssh_config`) + * The `ssh` (client) configuration for the running user (`~/.ssh/config`) + * The SSH DH parameters (typically `/etc/ssh/moduli`) with much stronger implementations from typical/upstream defaults. +Any and all pre-existing files are backed up before being replaced. + It takes the recommendations from _[Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)_ (and perhaps other sources) and automatically applies them. @@ -67,11 +69,18 @@ running already). ## FAQ ### Why a binary? -I originally wrote this as a python script. However, some machines don't have the python +I originally wrote this as a Python script. However, some machines don't have the Python interpreter installed and due to the lack of low-level access, I ended up making a lot of calls to the shell anyways. -I wrote it in Golang so the source would be easily read for auditing purposes. +I wrote it in Golang because: + +* The source would be easily read for auditing purposes +* Golang is, admittedly, incredibly faster at some tasks than Python +* Multiprocessing/multithreading is *incredibly* more simple in Golang than Python +* Building widely-deployable binaries is easier in Golang than C or C++ + +As much as I like Python, Golang should offer significant improvements. ### How can I contact you? You can either [file a bug](https://bugs.square-r00t.net/index.php?do=newtask&project=15) diff --git a/dh/README b/dh/README index 32ec7e1..4b2a9fe 100644 --- a/dh/README +++ b/dh/README @@ -1,6 +1,11 @@ -The functions found in this sub-component are ported almost directly from the -openssh-portable[0]'s `moduli.c`[1] code (with, of course, changes made where -appropriate to match and take advantage of Golang). +THIS SUBMODULE IS INCOMPLETE. DO NOT USE IT. +It technically is not necessary as upstream offers generated parameters. +Theoretically as long as we filter anything 2048 bits and lower, it should be fine. + +The functions, etc. (even a significant amount of the comments) found in this +sub-component are ported almost directly from the openssh-portable[0]'s +`moduli.c`[1] code (with, of course, changes made where appropriate to match +and take advantage of Golang and its patterns). The OpenBSD and OpenSSH(-portable) teams have my gratitude. diff --git a/dh/const.go b/dh/const.go index 6934771..913c996 100644 --- a/dh/const.go +++ b/dh/const.go @@ -1,5 +1,9 @@ package dh +import ( + "math/big" +) + const ( // QSizeMinimum Specifies the number of the most significant bit (0 to M). // WARNING: internally, usually 1 to N. @@ -7,9 +11,9 @@ const ( // Prime sieving constants // Assuming 8 bit bytes and 32 bit words. - ShiftBit = 3 - ShiftByte = 2 - ShiftWord = ShiftBit + ShiftByte + ShiftBit = 3 + ShiftByte = 2 + ShiftWord = ShiftBit + ShiftByte ShiftMegabyte = 20 ShiftMegaWord = ShiftMegabyte - ShiftBit @@ -25,8 +29,33 @@ const ( // Ensure enough bit space for testing 2*q. TestMaximum = uint32(1) << 16 TestMinimum = QSizeMinimum + 1 // (uint32(1) << (ShiftWord - TestPower)) - TestPower = 3 // 2**n, n < ShiftWord + TestPower = 3 // 2**n, n < ShiftWord + // Minimum number of primality tests to perform + TrialMinimum = 4 ) -var ( +type ( + + /* + Sieving data (XXX - move to struct) + */ + + // sieve 2**16 + TinySieve *uint32 + tinybits uint32 + + // sieve 2**30 in 2**16 parts + SmallSieve *uint32 + smallbits uint32 + smallbase uint32 + + // sieve relative to the initial value + LargeSieve *uint32 + largewords uint32 + largetries uint32 + largenumbers uint32 + largebits uint32 // Megabytes.. + largememory uint32 // "" + + largebase big.Int ) diff --git a/dh/func_gen.go b/dh/func_gen.go index 3315756..f9cf9ac 100644 --- a/dh/func_gen.go +++ b/dh/func_gen.go @@ -34,3 +34,5 @@ package dh And that's why I'm a sad panda and porting moduli.c to native Golang. */ + +func SieveLarge() diff --git a/dh/func_utils.go b/dh/func_utils.go index c88f509..e31d8c4 100644 --- a/dh/func_utils.go +++ b/dh/func_utils.go @@ -50,3 +50,5 @@ func BitTest(a []uint32, n uint32) (i uint32) { return } + +// The qfileout function is replaced by a moduli.Entry method Write.