ssh: remove slow unnecessary diffie-hellman-group-exchange primality check

The existing implementation validates that the prime returned by the server is, in fact, prime, which is extremely slow, especially for large key sizes.

As other implementations, including OpenSSH, do not verify the primality of the provided parameters, this change removes that check.

Fixes golang/go#41151

Change-Id: I7539714c690f08b5792a0c540cbf46c3e81f13ba
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/252337
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
diff --git a/ssh/kex.go b/ssh/kex.go
index 7eedb20..766e929 100644
--- a/ssh/kex.go
+++ b/ssh/kex.go
@@ -557,8 +557,6 @@
 	hashFunc crypto.Hash
 }
 
-const numMRTests = 64
-
 const (
 	dhGroupExchangeMinimumBits   = 2048
 	dhGroupExchangePreferredBits = 2048
@@ -602,15 +600,8 @@
 	gex.p = kexDHGexGroup.P
 	gex.g = kexDHGexGroup.G
 
-	// Check if p is safe by verifing that p and (p-1)/2 are primes
-	one := big.NewInt(1)
-	var pHalf = &big.Int{}
-	pHalf.Rsh(gex.p, 1)
-	if !gex.p.ProbablyPrime(numMRTests) || !pHalf.ProbablyPrime(numMRTests) {
-		return nil, fmt.Errorf("ssh: server provided gex p is not safe")
-	}
-
 	// Check if g is safe by verifing that g > 1 and g < p - 1
+	one := big.NewInt(1)
 	var pMinusOne = &big.Int{}
 	pMinusOne.Sub(gex.p, one)
 	if gex.g.Cmp(one) != 1 && gex.g.Cmp(pMinusOne) != -1 {
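Review bot: The generator bounds check left as context at the end of this hunk joins its two comparisons with `&&`, so it rejects only when g <= 1 and g >= p-1 hold at once, which cannot happen for any p > 2. With the primality test removed, this is the only validation of the server-supplied group visible in the hunk, and it never fires. Degenerate generators such as 1 or p-1 are therefore accepted, and they confine the shared secret to one or two values. To match the comment above it ("g > 1 and g < p - 1"), the condition should reject when either bound fails: `if gex.g.Cmp(one) != 1 || gex.g.Cmp(pMinusOne) != -1 {`. The body of this `if` and the rest of the function lie outside the hunk.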
@@ -618,6 +609,8 @@
 	}
 
 	// Send GexInit
+	var pHalf = &big.Int{}
+	pHalf.Rsh(gex.p, 1)
 	x, err := rand.Int(randSource, pHalf)
 	if err != nil {
 		return nil, err
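Review bot: `pHalf` is now computed under the `// Send GexInit` comment with nothing saying what it bounds, and the safe-prime check that previously gave (p-1)/2 its meaning is gone. A short comment would help, for example `// x is the ephemeral private exponent, drawn uniformly from [0, p/2)`. Note also that `rand.Int` panics when its bound is not positive, so this call relies on p having been size-checked earlier in the function; that part is outside the hunk and worth confirming now that the primality test no longer rejects malformed values first.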