89 lines
2.6 KiB
Go
89 lines
2.6 KiB
Go
/*
|
|
SSHSecure - a program to harden OpenSSH from defaults
|
|
Copyright (C) 2020 Brent Saner
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
package moduli
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
`github.com/Luzifer/go-dhparam`
|
|
"r00t2.io/sshsecure/sharedconsts"
|
|
)
|
|
|
|
// Misc
|
|
const (
|
|
// Where to find an up-to-date copy of the upstream moduli and its SHA3-512 (NIST) checksum.
|
|
// pregenURL string = "https://anongit.mindrot.org/openssh.git/plain/moduli"
|
|
pregenURL string = "https://raw.githubusercontent.com/openssh/openssh-portable/master/moduli"
|
|
// This is the best way I could think of to verify integrity, since the file itself doesn't have a signature or anything like that.
|
|
pregenCksum string = "106EDB19A936608D065D2E8E81F7BDE7" +
|
|
"434AF80EF81102E9440B99ACB98FBEF8" +
|
|
"CC2F4B6BFD76828337BDB1F2CF34D859" +
|
|
"045285DCE6B0DE7D7D93A9EE61F8CC96"
|
|
// The tag name to use for struct tags (marshal/unmarshaling)
|
|
parseTag string = "sshmoduli"
|
|
// The recommended minimum moduli to have available.
|
|
recMinMod int = 400
|
|
// The minimum bits for filtering. It's generally bits - 1
|
|
minBits uint16 = 4096
|
|
)
|
|
|
|
// Generation iterables.
|
|
var (
|
|
genBits = []uint16{
|
|
4096,
|
|
6144,
|
|
7680,
|
|
8192,
|
|
}
|
|
genGenerators = []dhparam.Generator{
|
|
dhparam.GeneratorTwo,
|
|
dhparam.GeneratorFive,
|
|
}
|
|
)
|
|
|
|
// The header line on the /etc/ssh/moduli file.
|
|
var header = string(
|
|
fmt.Sprintf(
|
|
"# %v\n"+
|
|
"# Time Type Tests Tries Size Generator Modulus\n", sharedconsts.IDCmnt,
|
|
),
|
|
)
|
|
|
|
// For parsing/rendering /etc/ssh/moduli
|
|
const (
|
|
// Golang has no strftime formatting codes. It operates on *display of a specific time*.
|
|
// What a dumb language.
|
|
timeFormat string = "20060102150405" // %Y%m%d%H%M%S
|
|
)
|
|
|
|
// For validation. TODO.
|
|
var (
|
|
validTypes = []uint8{
|
|
0, // Unknown, not tested
|
|
2, // "Safe" prime; (p-1)/2 is also prime.
|
|
4, // Sophie Germain; 2p+1 is also prime.
|
|
}
|
|
validTests = []byte{
|
|
0x00, // Not tested.
|
|
0x01, // Composite number - not prime.
|
|
0x02, // Sieve of Eratosthenes.
|
|
0x04, // Probabilistic Miller-Rabin primality tests.
|
|
}
|
|
)
|