
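--- a/kexgexs.c
+++ b/kexgexs.c
@@ -53,7 +53,8 @@ kexgex_server(Kex *kex)
 	DH *dh;
 	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
 	u_int sbloblen, klen, slen, hashlen;
-	int min = -1, max = -1, nbits = -1, type, kout;
+	int omin = -1, min = -1, omax = -1, max = -1, onbits = -1, nbits = -1;
+	int type, kout;
 
 	if (kex->load_host_key == NULL)
 		fatal("Cannot load hostkey");
@@ -65,27 +66,29 @@ kexgex_server(Kex *kex)
 	switch (type) {
 	case SSH2_MSG_KEX_DH_GEX_REQUEST:
 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
-		min = packet_get_int();
+		omin = min = packet_get_int();
-		nbits = packet_get_int();
+		onbits = nbits = packet_get_int();
-		max = packet_get_int();
+		omax = max = packet_get_int();
 		min = MAX(DH_GRP_MIN, min);
 		max = MIN(DH_GRP_MAX, max);
+		nbits = MAX(DH_GRP_MIN, nbits);
+		nbits = MIN(DH_GRP_MAX, nbits);
 		break;
 	case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received");
-		nbits = packet_get_int();
+		onbits = nbits = packet_get_int();
-		min = DH_GRP_MIN;
-		max = DH_GRP_MAX;
 		/* unused for old GEX */
+		omin = min = DH_GRP_MIN;
+		omax = max = DH_GRP_MAX;
 		break;
 	default:
 		fatal("protocol error during kex, no DH_GEX_REQUEST: %d", type);
 	}
 	packet_check_eom();
 
-	if (max < min || nbits < min || max < nbits)
+	if (omax < omin || onbits < omin || omax < onbits)
 		fatal("DH_GEX_REQUEST, bad parameters: %d !< %d !< %d",
-		    min, nbits, max);
+		    omin, onbits, omax);
 
 	/* Contact privileged parent */
 	dh = PRIVSEP(choose_dh(min, nbits, max));
@@ -146,7 +149,7 @@ kexgex_server(Kex *kex)
 	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
 
 	if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
-		min = max = -1;
+		omin = min = omax = max = -1;
 
 	/* calc H */
 	kexgex_hash(
@@ -156,7 +159,7 @@ kexgex_server(Kex *kex)
 	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 	    buffer_ptr(&kex->my), buffer_len(&kex->my),
 	    server_host_key_blob, sbloblen,
-	    min, nbits, max,
+	    omin, onbits, omax,
 	    dh->p, dh->g,
 	    dh_client_pub,
 	    dh->pub_key,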
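Review bot: The range check after `packet_check_eom()` now tests only the client's original values (`omax < omin || onbits < omin || omax < onbits`), so the clamped `min`, `nbits` and `max` reach `PRIVSEP(choose_dh(min, nbits, max))` without any consistency check of their own. A request whose original range is self-consistent but lies wholly outside DH_GRP_MIN..DH_GRP_MAX passes the check, yet after clamping it leaves `max < min`. How choose_dh treats an inverted range is not visible on this page; if it falls back to a default group, the server would pick a modulus size outside what the client asked for. I would keep a second check on the clamped values just before the call, `if (max < min || nbits < min || max < nbits)` followed by a `fatal(...)` that prints `min, nbits, max`. A short comment at the declarations saying the `o*` variables hold the client's unmodified values for the exchange hash would also help; kexgex_server's body starts and ends outside these hunks.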
