authorAris Adamantiadis <aris@0xbadc0de.be>2016-02-09 15:09:27 +0100
committerAndreas Schneider <asn@cryptomilk.org>2016-02-23 08:16:10 +0100
commit4e6ff36a9a3aef72aa214f6fb267c28953b80060 (patch)
tree99d52e3e02d3002dfac19d956d31a462c17c3dac
parentf8bde7156ff22f4ef08582ed877190380657010d (diff)
downloadlibssh-4e6ff36a9a3aef72aa214f6fb267c28953b80060.tar.gz
libssh-4e6ff36a9a3aef72aa214f6fb267c28953b80060.tar.xz
libssh-4e6ff36a9a3aef72aa214f6fb267c28953b80060.zip
dh: Fix CVE-2016-0739
Due to a byte/bit confusion, the DH secret was too short. This file was completely reworked and will be committed in a future version. Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--src/dh.c22
1 files changed, 17 insertions, 5 deletions
diff --git a/src/dh.c b/src/dh.c
index 1291c5f9..0c57d76d 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -227,15 +227,21 @@ void ssh_crypto_finalize(void) {
}
int ssh_dh_generate_x(ssh_session session) {
+ int keysize;
+ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
+ keysize = 1023;
+ } else {
+ keysize = 2047;
+ }
session->next_crypto->x = bignum_new();
if (session->next_crypto->x == NULL) {
return -1;
}
#ifdef HAVE_LIBGCRYPT
- bignum_rand(session->next_crypto->x, 128);
+ bignum_rand(session->next_crypto->x, keysize);
#elif defined HAVE_LIBCRYPTO
- bignum_rand(session->next_crypto->x, 128, 0, -1);
+ bignum_rand(session->next_crypto->x, keysize, -1, 0);
#endif
/* not harder than this */
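Review bot: The result of bignum_rand() is still discarded on the two new lines of ssh_dh_generate_x; if the libcrypto variant maps to BN_rand(), it can return 0 (for instance with an unseeded RNG), in which case x would not hold the intended fresh random bits while the function continues as if generation had succeeded — its return statement lies outside the hunk. For the libcrypto branch the check would be `if (bignum_rand(session->next_crypto->x, keysize, -1, 0) != 1) { return -1; }`, with the equivalent check on the libgcrypt branch where that macro reports failure. The four-line kex_type → keysize selection is repeated verbatim in ssh_dh_generate_y in the next hunk; a small static helper returning the exponent size for a given kex_type would keep the two in step, and its `else` could become an explicit group14 case with a default that returns -1 rather than silently choosing 2047 for any other kex type routed here later. The constants 1023 and 2047 also deserve a comment, e.g. `/* exponent is one bit shorter than the group modulus (1024/2048 bits) so that x < p */`, so the next reader does not re-introduce the bits/bytes confusion this commit fixes.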
@@ -248,15 +254,21 @@ int ssh_dh_generate_x(ssh_session session) {
/* used by server */
int ssh_dh_generate_y(ssh_session session) {
- session->next_crypto->y = bignum_new();
+ int keysize;
+ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
+ keysize = 1023;
+ } else {
+ keysize = 2047;
+ }
+ session->next_crypto->y = bignum_new();
if (session->next_crypto->y == NULL) {
return -1;
}
#ifdef HAVE_LIBGCRYPT
- bignum_rand(session->next_crypto->y, 128);
+ bignum_rand(session->next_crypto->y, keysize);
#elif defined HAVE_LIBCRYPTO
- bignum_rand(session->next_crypto->y, 128, 0, -1);
+ bignum_rand(session->next_crypto->y, keysize, -1, 0);
#endif
/* not harder than this */