Modify our DH kex to generate a private component that is twice the size of the hash that a given algorithm produces, with a minimum of 1024 bits.

Fixes issue #304.

Avoid using TryParse in diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1.
Improve test coverage.

Author: drieseng

src/Renci.SshNet.Tests/Classes/Security/KeyExchangeDiffieHellmanGroup14Sha1Test.cs

@@ -1,13 +1,60 @@
 using Microsoft.VisualStudio.TestTools.UnitTesting;
+using Renci.SshNet.Common;
+using Renci.SshNet.Security;
 using Renci.SshNet.Tests.Common;
 
 namespace Renci.SshNet.Tests.Classes.Security
 {
-    /// <summary>
-    /// Represents "diffie-hellman-group14-sha1" algorithm implementation.
-    /// </summary>
     [TestClass]
     public class KeyExchangeDiffieHellmanGroup14Sha1Test : TestBase
     {
+        private static readonly byte[] SecondOkleyGroup =
+            {
+                0x00,
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2,
+                0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
+                0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6,
+                0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
+                0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d,
+                0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
+                0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, 0xf4, 0x4c, 0x42, 0xe9,
+                0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed,
+                0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11,
+                0x7c, 0x4b, 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe4, 0x5b, 0x3d,
+                0xc2, 0x00, 0x7c, 0xb8, 0xa1, 0x63, 0xbf, 0x05, 0x98, 0xda, 0x48, 0x36,
+                0x1c, 0x55, 0xd3, 0x9a, 0x69, 0x16, 0x3f, 0xa8, 0xfd, 0x24, 0xcf, 0x5f,
+                0x83, 0x65, 0x5d, 0x23, 0xdc, 0xa3, 0xad, 0x96, 0x1c, 0x62, 0xf3, 0x56,
+                0x20, 0x85, 0x52, 0xbb, 0x9e, 0xd5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6d,
+                0x67, 0x0c, 0x35, 0x4e, 0x4a, 0xbc, 0x98, 0x04, 0xf1, 0x74, 0x6c, 0x08,
+                0xca, 0x18, 0x21, 0x7c, 0x32, 0x90, 0x5e, 0x46, 0x2e, 0x36, 0xce, 0x3b,
+                0xe3, 0x9e, 0x77, 0x2c, 0x18, 0x0e, 0x86, 0x03, 0x9b, 0x27, 0x83, 0xa2,
+                0xec, 0x07, 0xa2, 0x8f, 0xb5, 0xc5, 0x5d, 0xf0, 0x6f, 0x4c, 0x52, 0xc9,
+                0xde, 0x2b, 0xcb, 0xf6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7c,
+                0xea, 0x95, 0x6a, 0xe5, 0x15, 0xd2, 0x26, 0x18, 0x98, 0xfa, 0x05, 0x10,
+                0x15, 0x72, 0x8e, 0x5a, 0x8a, 0xac, 0xaa, 0x68, 0xff, 0xff, 0xff, 0xff,
+                0xff, 0xff, 0xff, 0xff
+            };
+
+        private KeyExchangeDiffieHellmanGroup14Sha1 _group14;
+
+        protected override void OnInit()
+        {
+            base.OnInit();
+
+            _group14 = new KeyExchangeDiffieHellmanGroup14Sha1();
+        }
+
+        [TestMethod]
+        public void GroupPrimeShouldBeSecondOakleyGroup()
+        {
+            var bytes = _group14.GroupPrime.ToByteArray().Reverse();
+            Assert.IsTrue(SecondOkleyGroup.IsEqualTo(bytes));
+        }
+
+        [TestMethod]
+        public void NameShouldBeDiffieHellmanGroup14Sha1()
+        {
+            Assert.AreEqual("diffie-hellman-group14-sha1", _group14.Name);
+        }
     }
 }

src/Renci.SshNet.Tests/Classes/Security/KeyExchangeDiffieHellmanGroup1Sha1Test.cs

@@ -5,48 +5,47 @@
 
 namespace Renci.SshNet.Tests.Classes.Security
 {
-    /// <summary>
-    ///This is a test class for KeyExchangeDiffieHellmanGroup1Sha1Test and is intended
-    ///to contain all KeyExchangeDiffieHellmanGroup1Sha1Test Unit Tests
-    ///</summary>
     [TestClass]
     public class KeyExchangeDiffieHellmanGroup1Sha1Test : TestBase
     {
-        /// <summary>
-        ///A test for KeyExchangeDiffieHellmanGroup1Sha1 Constructor
-        ///</summary>
-        [TestMethod]
-        [Ignore] // placeholder for actual test
-        public void KeyExchangeDiffieHellmanGroup1Sha1ConstructorTest()
+        private static readonly byte[] SecondOkleyGroup =
+            {
+                0x00,
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2,
+                0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
+                0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6,
+                0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
+                0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d,
+                0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
+                0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, 0xf4, 0x4c, 0x42, 0xe9,
+                0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed,
+                0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11,
+                0x7c, 0x4b, 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81,
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+            };
+
+        private KeyExchangeDiffieHellmanGroup1Sha1 _group1;
+
+        protected override void OnInit()
         {
-            KeyExchangeDiffieHellmanGroup1Sha1 target = new KeyExchangeDiffieHellmanGroup1Sha1();
-            Assert.Inconclusive("TODO: Implement code to verify target");
+            base.OnInit();
+
+            _group1 = new KeyExchangeDiffieHellmanGroup1Sha1();
         }
 
-        /// <summary>
-        ///A test for GroupPrime
-        ///</summary>
         [TestMethod]
-        [Ignore] // placeholder for actual test
-        public void GroupPrimeTest()
+        public void GroupPrimeShouldBeSecondOakleyGroup()
         {
-            KeyExchangeDiffieHellmanGroup1Sha1 target = new KeyExchangeDiffieHellmanGroup1Sha1(); // TODO: Initialize to an appropriate value
-            BigInteger actual;
-            actual = target.GroupPrime;
-            Assert.Inconclusive("Verify the correctness of this test method.");
+            var bytes = _group1.GroupPrime.ToByteArray().Reverse();
+            Assert.IsTrue(SecondOkleyGroup.IsEqualTo(bytes));
+
+            SecondOkleyGroup.Reverse().DebugPrint();
         }
 
-        /// <summary>
-        ///A test for Name
-        ///</summary>
         [TestMethod]
-        [Ignore] // placeholder for actual test
-        public void NameTest()
+        public void NameShouldBeDiffieHellmanGroup1Sha1()
         {
-            KeyExchangeDiffieHellmanGroup1Sha1 target = new KeyExchangeDiffieHellmanGroup1Sha1(); // TODO: Initialize to an appropriate value
-            string actual;
-            actual = target.Name;
-            Assert.Inconclusive("Verify the correctness of this test method.");
+            Assert.AreEqual("diffie-hellman-group1-sha1", _group1.Name);
         }
     }
-}
+}

src/Renci.SshNet/Renci.SshNet.csproj

@@ -47,6 +47,7 @@
   <ItemGroup>
     <Reference Include="System" />
     <Reference Include="System.Core" />
+    <Reference Include="System.Numerics" />
     <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>

src/Renci.SshNet/Security/KeyExchangeDiffieHellman.cs

@@ -8,7 +8,7 @@ namespace Renci.SshNet.Security
     /// <summary>
     /// Represents base class for Diffie Hellman key exchange algorithm
     /// </summary>
-    public abstract class KeyExchangeDiffieHellman : KeyExchange
+    internal abstract class KeyExchangeDiffieHellman : KeyExchange
     {
         /// <summary>
         /// Specifies key exchange group number.
@@ -43,7 +43,7 @@ public abstract class KeyExchangeDiffieHellman : KeyExchange
         /// <summary>
         /// Specifies random generated number.
         /// </summary>
-        protected BigInteger _randomValue;
+        protected BigInteger _privateExponent;
 
         /// <summary>
         /// Specifies host key data.
@@ -55,6 +55,14 @@ public abstract class KeyExchangeDiffieHellman : KeyExchange
         /// </summary>
         protected byte[] _signature;
 
+        /// <summary>
+        /// Gets the size, in bits, of the computed hash code.
+        /// </summary>
+        /// <value>
+        /// The size, in bits, of the computed hash code.
+        /// </value>
+        protected abstract int HashSize { get; }
+
         /// <summary>
         /// Validates the exchange hash.
         /// </summary>
@@ -102,14 +110,16 @@ protected void PopulateClientExchangeValue()
             if (_prime.IsZero)
                 throw new ArgumentNullException("_prime");
 
-            var bitLength = _prime.BitLength;
+            // generate private component that is twice the hash size (RFC 4419) with a minimum
+            // of 1024 bits (whatever is less)
+            var privateComponentSize = Math.Max(HashSize * 2, 1024);
 
             do
             {
-                _randomValue = BigInteger.Random(bitLength);
-
-                _clientExchangeValue = BigInteger.ModPow(_group, _randomValue, _prime);
-
+                // create private component
+                _privateExponent = BigInteger.Random(privateComponentSize);
+                // generate public component
+                _clientExchangeValue = BigInteger.ModPow(_group, _privateExponent, _prime);
             } while (_clientExchangeValue < 1 || _clientExchangeValue > (_prime - 1));
         }
 
@@ -123,7 +133,7 @@ protected virtual void HandleServerDhReply(byte[] hostKey, BigInteger serverExch
         {
             _serverExchangeValue = serverExchangeValue;
             _hostKey = hostKey;
-            SharedKey = BigInteger.ModPow(serverExchangeValue, _randomValue, _prime);
+            SharedKey = BigInteger.ModPow(serverExchangeValue, _privateExponent, _prime);
             _signature = signature;
         }
     }

src/Renci.SshNet/Security/KeyExchangeDiffieHellmanGroup14Sha1.cs

@@ -1,5 +1,4 @@
 using Renci.SshNet.Common;
-using System.Globalization;
 
 namespace Renci.SshNet.Security
 {
@@ -8,7 +7,35 @@ namespace Renci.SshNet.Security
     /// </summary>
     internal class KeyExchangeDiffieHellmanGroup14Sha1 : KeyExchangeDiffieHellmanGroupSha1
     {
-        private const string SecondOkleyGroup = "00FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF";
+        /// <summary>
+        /// https://tools.ietf.org/html/rfc2409#section-6.2
+        /// </summary>
+        private static readonly byte[] SecondOkleyGroupReversed =
+            {
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x68, 0xaa, 0xac, 0x8a,
+                0x5a, 0x8e, 0x72, 0x15, 0x10, 0x05, 0xfa, 0x98, 0x18, 0x26, 0xd2, 0x15,
+                0xe5, 0x6a, 0x95, 0xea, 0x7c, 0x49, 0x95, 0x39, 0x18, 0x17, 0x58, 0x95,
+                0xf6, 0xcb, 0x2b, 0xde, 0xc9, 0x52, 0x4c, 0x6f, 0xf0, 0x5d, 0xc5, 0xb5,
+                0x8f, 0xa2, 0x07, 0xec, 0xa2, 0x83, 0x27, 0x9b, 0x03, 0x86, 0x0e, 0x18,
+                0x2c, 0x77, 0x9e, 0xe3, 0x3b, 0xce, 0x36, 0x2e, 0x46, 0x5e, 0x90, 0x32,
+                0x7c, 0x21, 0x18, 0xca, 0x08, 0x6c, 0x74, 0xf1, 0x04, 0x98, 0xbc, 0x4a,
+                0x4e, 0x35, 0x0c, 0x67, 0x6d, 0x96, 0x96, 0x70, 0x07, 0x29, 0xd5, 0x9e,
+                0xbb, 0x52, 0x85, 0x20, 0x56, 0xf3, 0x62, 0x1c, 0x96, 0xad, 0xa3, 0xdc,
+                0x23, 0x5d, 0x65, 0x83, 0x5f, 0xcf, 0x24, 0xfd, 0xa8, 0x3f, 0x16, 0x69,
+                0x9a, 0xd3, 0x55, 0x1c, 0x36, 0x48, 0xda, 0x98, 0x05, 0xbf, 0x63, 0xa1,
+                0xb8, 0x7c, 0x00, 0xc2, 0x3d, 0x5b, 0xe4, 0xec, 0x51, 0x66, 0x28, 0x49,
+                0xe6, 0x1f, 0x4b, 0x7c, 0x11, 0x24, 0x9f, 0xae, 0xa5, 0x9f, 0x89, 0x5a,
+                0xfb, 0x6b, 0x38, 0xee, 0xed, 0xb7, 0x06, 0xf4, 0xb6, 0x5c, 0xff, 0x0b,
+                0x6b, 0xed, 0x37, 0xa6, 0xe9, 0x42, 0x4c, 0xf4, 0xc6, 0x7e, 0x5e, 0x62,
+                0x76, 0xb5, 0x85, 0xe4, 0x45, 0xc2, 0x51, 0x6d, 0x6d, 0x35, 0xe1, 0x4f,
+                0x37, 0x14, 0x5f, 0xf2, 0x6d, 0x0a, 0x2b, 0x30, 0x1b, 0x43, 0x3a, 0xcd,
+                0xb3, 0x19, 0x95, 0xef, 0xdd, 0x04, 0x34, 0x8e, 0x79, 0x08, 0x4a, 0x51,
+                0x22, 0x9b, 0x13, 0x3b, 0xa6, 0xbe, 0x0b, 0x02, 0x74, 0xcc, 0x67, 0x8a,
+                0x08, 0x4e, 0x02, 0x29, 0xd1, 0x1c, 0xdc, 0x80, 0x8b, 0x62, 0xc6, 0xc4,
+                0x34, 0xc2, 0x68, 0x21, 0xa2, 0xda, 0x0f, 0xc9, 0xff, 0xff, 0xff, 0xff,
+                0xff, 0xff, 0xff, 0xff,
+                0x00
+            };
 
         /// <summary>
         /// Gets algorithm name.
@@ -28,10 +55,8 @@ public override BigInteger GroupPrime
         {
             get
             {
-                BigInteger prime;
-                BigInteger.TryParse(SecondOkleyGroup, NumberStyles.AllowHexSpecifier, NumberFormatInfo.CurrentInfo, out prime);
-                return prime;
+                return new BigInteger(SecondOkleyGroupReversed);
             }
         }
     }
-}
+}

src/Renci.SshNet/Security/KeyExchangeDiffieHellmanGroup1Sha1.cs

@@ -1,14 +1,27 @@
 using Renci.SshNet.Common;
-using System.Globalization;
 
 namespace Renci.SshNet.Security
 {
     /// <summary>
     /// Represents "diffie-hellman-group1-sha1" algorithm implementation.
     /// </summary>
-    public class KeyExchangeDiffieHellmanGroup1Sha1 : KeyExchangeDiffieHellmanGroupSha1
+    internal class KeyExchangeDiffieHellmanGroup1Sha1 : KeyExchangeDiffieHellmanGroupSha1
     {
-        private const string SecondOkleyGroup = @"00FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF";
+        private static readonly byte[] SecondOkleyGroupReversed =
+            {
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x81, 0x53, 0xe6, 0xec,
+                0x51, 0x66, 0x28, 0x49, 0xe6, 0x1f, 0x4b, 0x7c, 0x11, 0x24, 0x9f, 0xae,
+                0xa5, 0x9f, 0x89, 0x5a, 0xfb, 0x6b, 0x38, 0xee, 0xed, 0xb7, 0x06, 0xf4,
+                0xb6, 0x5c, 0xff, 0x0b, 0x6b, 0xed, 0x37, 0xa6, 0xe9, 0x42, 0x4c, 0xf4,
+                0xc6, 0x7e, 0x5e, 0x62, 0x76, 0xb5, 0x85, 0xe4, 0x45, 0xc2, 0x51, 0x6d,
+                0x6d, 0x35, 0xe1, 0x4f, 0x37, 0x14, 0x5f, 0xf2, 0x6d, 0x0a, 0x2b, 0x30,
+                0x1b, 0x43, 0x3a, 0xcd, 0xb3, 0x19, 0x95, 0xef, 0xdd, 0x04, 0x34, 0x8e,
+                0x79, 0x08, 0x4a, 0x51, 0x22, 0x9b, 0x13, 0x3b, 0xa6, 0xbe, 0x0b, 0x02,
+                0x74, 0xcc, 0x67, 0x8a, 0x08, 0x4e, 0x02, 0x29, 0xd1, 0x1c, 0xdc, 0x80,
+                0x8b, 0x62, 0xc6, 0xc4, 0x34, 0xc2, 0x68, 0x21, 0xa2, 0xda, 0x0f, 0xc9,
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+                0x00
+            };
 
         /// <summary>
         /// Gets algorithm name.
@@ -28,9 +41,7 @@ public override BigInteger GroupPrime
         {
             get
             {
-                BigInteger prime;
-                BigInteger.TryParse(SecondOkleyGroup, NumberStyles.AllowHexSpecifier, NumberFormatInfo.CurrentInfo, out prime);
-                return prime;
+                return new BigInteger(SecondOkleyGroupReversed);
             }
         }
     }

src/Renci.SshNet/Security/KeyExchangeDiffieHellmanGroupExchangeSha1.cs

@@ -3,7 +3,7 @@
     /// <summary>
     /// Represents "diffie-hellman-group-exchange-sha1" algorithm implementation.
     /// </summary>
-    public class KeyExchangeDiffieHellmanGroupExchangeSha1 : KeyExchangeDiffieHellmanGroupExchangeShaBase
+    internal class KeyExchangeDiffieHellmanGroupExchangeSha1 : KeyExchangeDiffieHellmanGroupExchangeShaBase
     {
         /// <summary>
         /// Gets algorithm name.
@@ -12,5 +12,16 @@ public override string Name
         {
             get { return "diffie-hellman-group-exchange-sha1"; }
         }
+
+        /// <summary>
+        /// Gets the size, in bits, of the computed hash code.
+        /// </summary>
+        /// <value>
+        /// The size, in bits, of the computed hash code.
+        /// </value>
+        protected override int HashSize
+        {
+            get { return 160; }
+        }
     }
 }

src/Renci.SshNet/Security/KeyExchangeDiffieHellmanGroupExchangeSha256.cs

@@ -5,7 +5,7 @@ namespace Renci.SshNet.Security
     /// <summary>
     /// Represents "diffie-hellman-group-exchange-sha256" algorithm implementation.
     /// </summary>
-    public class KeyExchangeDiffieHellmanGroupExchangeSha256 : KeyExchangeDiffieHellmanGroupExchangeShaBase
+    internal class KeyExchangeDiffieHellmanGroupExchangeSha256 : KeyExchangeDiffieHellmanGroupExchangeShaBase
     {
         /// <summary>
         /// Gets algorithm name.
@@ -15,6 +15,17 @@ public override string Name
             get { return "diffie-hellman-group-exchange-sha256"; }
         }
 
+        /// <summary>
+        /// Gets the size, in bits, of the computed hash code.
+        /// </summary>
+        /// <value>
+        /// The size, in bits, of the computed hash code.
+        /// </value>
+        protected override int HashSize
+        {
+            get { return 256; }
+        }
+
         /// <summary>
         /// Hashes the specified data bytes.
         /// </summary>

src/Renci.SshNet/Security/KeyExchangeDiffieHellmanGroupExchangeShaBase.cs

@@ -1,12 +1,11 @@
-using Renci.SshNet.Messages;
-using Renci.SshNet.Messages.Transport;
+using Renci.SshNet.Messages.Transport;
 
 namespace Renci.SshNet.Security
 {
     /// <summary>
     /// Base class for "diffie-hellman-group-exchange" algorithms.
     /// </summary>
-    public abstract class KeyExchangeDiffieHellmanGroupExchangeShaBase : KeyExchangeDiffieHellman
+    internal abstract class KeyExchangeDiffieHellmanGroupExchangeShaBase : KeyExchangeDiffieHellman
     {
         private const int MinimumGroupSize = 1024;
         private const int PreferredGroupSize = 1024;