Bugzilla – Attachment 1585 Details for
Bug 1540
Incorrect hash in SSH_MSG_KEX_DH_GEX_REPLY
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
stash original values for use in hash
dhgex-correct-hash.diff (text/plain), 2.30 KB, created by
Damien Miller
on 2008-12-08 09:48:19 AEDT
(
hide
)
Description:
stash original values for use in hash
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2008-12-08 09:48:19 AEDT
Size:
2.30 KB
patch
obsolete
>Index: kexgexs.c >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/kexgexs.c,v >retrieving revision 1.10 >diff -u -p -r1.10 kexgexs.c >--- kexgexs.c 6 Nov 2006 21:25:28 -0000 1.10 >+++ kexgexs.c 7 Dec 2008 22:46:37 -0000 >@@ -53,7 +53,8 @@ kexgex_server(Kex *kex) > DH *dh; > u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; > u_int sbloblen, klen, slen, hashlen; >- int min = -1, max = -1, nbits = -1, type, kout; >+ int omin = -1, min = -1, omax = -1, max = -1, onbits = -1, nbits = -1; >+ int type, kout; > > if (kex->load_host_key == NULL) > fatal("Cannot load hostkey"); >@@ -65,27 +66,29 @@ kexgex_server(Kex *kex) > switch (type) { > case SSH2_MSG_KEX_DH_GEX_REQUEST: > debug("SSH2_MSG_KEX_DH_GEX_REQUEST received"); >- min = packet_get_int(); >- nbits = packet_get_int(); >- max = packet_get_int(); >+ omin = min = packet_get_int(); >+ onbits = nbits = packet_get_int(); >+ omax = max = packet_get_int(); > min = MAX(DH_GRP_MIN, min); > max = MIN(DH_GRP_MAX, max); >+ nbits = MAX(DH_GRP_MIN, nbits); >+ nbits = MIN(DH_GRP_MAX, nbits); > break; > case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD: > debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received"); >- nbits = packet_get_int(); >- min = DH_GRP_MIN; >- max = DH_GRP_MAX; >+ onbits = nbits = packet_get_int(); > /* unused for old GEX */ >+ omin = min = DH_GRP_MIN; >+ omax = max = DH_GRP_MAX; > break; > default: > fatal("protocol error during kex, no DH_GEX_REQUEST: %d", type); > } > packet_check_eom(); > >- if (max < min || nbits < min || max < nbits) >+ if (omax < omin || onbits < omin || omax < onbits) > fatal("DH_GEX_REQUEST, bad parameters: %d !< %d !< %d", >- min, nbits, max); >+ omin, onbits, omax); > > /* Contact privileged parent */ > dh = PRIVSEP(choose_dh(min, nbits, max)); >@@ -146,7 +149,7 @@ kexgex_server(Kex *kex) > key_to_blob(server_host_key, &server_host_key_blob, &sbloblen); > > if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD) >- min = max = -1; >+ omin = min = omax = max = -1; > > /* calc H */ > kexgex_hash( >@@ -156,7 +159,7 @@ kexgex_server(Kex *kex) > buffer_ptr(&kex->peer), buffer_len(&kex->peer), > buffer_ptr(&kex->my), buffer_len(&kex->my), > server_host_key_blob, sbloblen, >- min, nbits, max, >+ omin, onbits, omax, > dh->p, dh->g, > dh_client_pub, > dh->pub_key,
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=1585">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1540
: 1585