Comment 19 for bug 1287222

In , Florian (florian-redhat-bugs) wrote :

The SSH server code in Peter Gutmann's cryptlib ignores the minimum value in the SSH2_MSG_KEX_DH_GEX_REQUEST message and unconditionally uses the requested value. Group sizes are limited to CRYPT_MAX_PKCSIZE aka 4096 bits:

        /* Read the client's DH group-exchange request.  The call names the
           old-format packet type, but the packetType test below also handles
           the new format, so readHSPacketSSH2() presumably accepts either one
           (confirm against its definition).  The return value is used both
           as the status code and as the packet length */
        status = length = \
                readHSPacketSSH2( sessionInfoPtr, SSH_MSG_KEXDH_GEX_REQUEST_OLD,
                                                  ID_SIZE + UINT32_SIZE );
        if( cryptStatusError( status ) )
                return( status );
        /* Parse the payload out of the receive buffer.  The bookmark brackets
           the size field(s) so that streamBookmarkComplete() below can hand
           back their raw encoding through keyexInfoPtr/keyexInfoLength */
        sMemConnect( &stream, sessionInfoPtr->receiveBuffer, length );
        streamBookmarkSet( &stream, keyexInfoLength );
        if( sessionInfoPtr->sessionSSH->packetType == SSH_MSG_KEXDH_GEX_REQUEST_NEW )
                {
                /* It's a { min_length, length, max_length } sequence, save a copy
                   and get the length value.  Only the middle (preferred) value
                   is kept: the result of the first read (min_length) is
                   discarded, and the third read (max_length) is stored in status
                   purely so that a read error is detected.  Neither bound is
                   compared against keySize anywhere in this excerpt */
                readUint32( &stream );
                keySize = readUint32( &stream );
                status = readUint32( &stream );
                }
        else
                {
                /* It's a straight length, save a copy and get the length value.
                   The single value read doubles as the status for the error
                   check below */
                status = keySize = readUint32( &stream );
                }
        if( !cryptStatusError( status ) )
                status = streamBookmarkComplete( &stream, &keyexInfoPtr,
                                                                                 &keyexInfoLength, keyexInfoLength );
        sMemDisconnect( &stream );
        if( cryptStatusError( status ) )
                {
                retExt( status,
                                ( status, SESSION_ERRINFO,
                                  "Invalid ephemeral DH key data request packet" ) );
                }
        ANALYSER_HINT( keyexInfoPtr != NULL );
        /* Range-check the requested size against the server's own limits
           (MIN_PKCSIZE...CRYPT_MAX_PKCSIZE) only.
           NOTE(review): the client's min_length/max_length were not retained
           above, so within this excerpt a request whose preferred size lies
           outside the client's own stated range is not rejected, and the
           client's minimum has no influence on keySize.  A check that
           min_length <= keySize <= max_length would have to be added where
           the three values are read */
        if( keySize < bytesToBits( MIN_PKCSIZE ) || \
                keySize > bytesToBits( CRYPT_MAX_PKCSIZE ) )
                {
                retExt( CRYPT_ERROR_BADDATA,
                                ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
                                  "Client requested invalid ephemeral DH key size %d bits, "
                                  "should be %d...%d", keySize,
                                  bytesToBits( MIN_PKCSIZE ),
                                  bytesToBits( CRYPT_MAX_PKCSIZE ) ) );
                }