Bug 1540

Summary:

Incorrect hash in SSH_MSG_KEX_DH_GEX_REPLY

Product:

Portable OpenSSH

Reporter:

John Smith <john.smith>

Component:

sshd

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

minor

CC:

djm

Priority:

Version:

5.1p1

Hardware:

Other

OS:

Linux

Bug Depends on:

Bug Blocks:

1481

Attachments:

Description	Flags
stash original values for use in hash	none

Description John Smith 2008-11-24 03:35:33 AEDT

Observed in openssh-5.1p1.tar.gz.

This is a theoretical bug based on my reading of RFC 4419, and
implemented in kexgexs.c.

RFC 4419 addresses the Diffie Helman exchange.  RFC 4419, section 3,
requires a hash to be calculated over several items including

  uint32  min, minimal size in bits of an acceptable group
  uint32  n, preferred size in bits of the group the server will send
  uint32  max, maximal size in bits of an acceptable group

The min, n and max values have been previously sent from the client to
server in a SSH_MSG_KEY_DH_GEX_REQUEST message.

The corresponding section of code is in function
kexgex_server in kexgexs.c:

   case SSH2_MSG_KEX_DH_GEX_REQUEST:
        debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
        min = packet_get_int();
        nbits = packet_get_int();
        max = packet_get_int();
        min = MAX(DH_GRP_MIN, min);
        max = MIN(DH_GRP_MAX, max);
        break;


The bug is that, if the client sends values of 512 and 8192 for min
and max in the SSH_MSG_KEY_DH_GEX_REQUEST message, then the client
will expect the server to use these same values when calculating the
hash.  But the server will actually use DH_GRP_MIN for min,
which have the value 1024.



There is a related problem: (based of a review of kexgexs.c) If the
client specifies (in the SSH_MSG_KEY_DH_GEX_REQUEST message)
  min        512
  nbits      768
  max       8192
then the client will expect the server to reply with a 
suitable group. Actual behaviour is that:

   min will be increased to DH_GRP_MIN = 1024

and then nbits will be smaller than min, which will trigger

   if (max < min || nbits < min || max < nbits)
        fatal("DH_GEX_REQUEST, bad parameters: %d !< %d !< %d",
              min, nbits, max);

Comment 1 Damien Miller 2008-12-08 09:48:19 AEDT

Created attachment 1585 [details]
stash original values for use in hash

This patch keeps a copy of the original values that the client sent and uses them for the consistency check and hash calculation. The actual selection of a group is still made with the cleaned-up values.

Comment 2 Damien Miller 2008-12-08 09:48:50 AEDT

put this on the list for openssh-5.2

Comment 3 Damien Miller 2009-01-02 08:18:33 AEDT

patch applied - this will be in openssh-5.2. Thanks for the report.

Comment 4 Damien Miller 2009-02-23 13:36:41 AEDT

Close bugs fixed/reviewed for openssh-5.2 release