aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAris Adamantiadis <aris@0xbadc0de.be>2016-02-09 15:09:27 +0100
committerAndreas Schneider <asn@cryptomilk.org>2016-02-23 08:17:43 +0100
commitf8d0026c65fc8a55748ae481758e2cf376c26c86 (patch)
treecb678aa20a0d2a864dd6de1b59247a928bd91112
parent6b608e70ee61919f5cc23af5072bc7d3cc44c787 (diff)
downloadlibssh-f8d0026c65fc8a55748ae481758e2cf376c26c86.tar.gz
libssh-f8d0026c65fc8a55748ae481758e2cf376c26c86.tar.xz
libssh-f8d0026c65fc8a55748ae481758e2cf376c26c86.zip
dh: Fix CVE-2016-0739
Due to a byte/bit confusion, the DH secret was too short. This file was completely reworked and will be commited in a future version. Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--src/dh.c22
1 files changed, 17 insertions, 5 deletions
diff --git a/src/dh.c b/src/dh.c
index e489a1d5..d27b66eb 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -227,15 +227,21 @@ void ssh_crypto_finalize(void) {
}
int dh_generate_x(ssh_session session) {
+ int keysize;
+ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
+ keysize = 1023;
+ } else {
+ keysize = 2047;
+ }
session->next_crypto->x = bignum_new();
if (session->next_crypto->x == NULL) {
return -1;
}
#ifdef HAVE_LIBGCRYPT
- bignum_rand(session->next_crypto->x, 128);
+ bignum_rand(session->next_crypto->x, keysize);
#elif defined HAVE_LIBCRYPTO
- bignum_rand(session->next_crypto->x, 128, 0, -1);
+ bignum_rand(session->next_crypto->x, keysize, -1, 0);
#endif
/* not harder than this */
@@ -248,15 +254,21 @@ int dh_generate_x(ssh_session session) {
/* used by server */
int dh_generate_y(ssh_session session) {
- session->next_crypto->y = bignum_new();
+ int keysize;
+ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
+ keysize = 1023;
+ } else {
+ keysize = 2047;
+ }
+ session->next_crypto->y = bignum_new();
if (session->next_crypto->y == NULL) {
return -1;
}
#ifdef HAVE_LIBGCRYPT
- bignum_rand(session->next_crypto->y, 128);
+ bignum_rand(session->next_crypto->y, keysize);
#elif defined HAVE_LIBCRYPTO
- bignum_rand(session->next_crypto->y, 128, 0, -1);
+ bignum_rand(session->next_crypto->y, keysize, -1, 0);
#endif
/* not harder than this */