37 lines
1.6 KiB
Go
37 lines
1.6 KiB
Go
/*
|
|
SSHSecure - a program to harden OpenSSH from defaults
|
|
Copyright (C) 2020 Brent Saner
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
package dh
|
|
|
|
/*
|
|
OpenSSH does prime generation and primality checking a *little* weird.
|
|
|
|
The seemingly go-to package for DH parameter generation in Golang, github.com/Luzifer/go-dhparam,
|
|
does implement safety checking in a way I believe to be safe (with the huge caveat that I am nowhere
|
|
near a professional, expert, guru, etc. in mathematics, cryptography, or the like).
|
|
|
|
However, it is incompatible with OpenSSH's methodology for DH parameter generation.
|
|
|
|
1.) First, primes are generated via the Sieve of Eratosthenes.
|
|
a.) They must also be Sophie Germain primes (where p is selected prime, 2p+1 is also prime).
|
|
2.) Then they are filtered via Probabilistic Miller-Rabin primality tests (on both q and p, where q is (p-1)/2).
|
|
3.) OpenSSH fully supports generators of 2, 3, and 5 whereas go-dhparam only fully supports 2 and 5.
|
|
|
|
And that's why I'm a sad panda and porting moduli.c to native Golang.
|
|
*/
|