From fc0cf7f8d565c49309e1265c3fa45ba2b76708dc Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Apr 06 2016 10:53:37 +0000 Subject: Fix GSSAPI Key Exchange for older clients (#1323622) Failed with older clients, because server was doing signature over different data than the verifying client. It was caused by bump of minimal DH groups offered by server and a bug in code, which was using max(client_min, server_min) instead of client_min as proposed by RFC4462. --- diff --git a/openssh-7.2p1-gsskex.patch b/openssh-7.2p1-gsskex.patch index ab08b96..4544c54 100644 --- a/openssh-7.2p1-gsskex.patch +++ b/openssh-7.2p1-gsskex.patch @@ -2739,3 +2739,41 @@ diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h KEY_UNSPEC }; +diff --git a/kexgsss.c b/kexgsss.c +index b2f9658..2d33ff7 100644 +--- a/kexgsss.c ++++ b/kexgsss.c +@@ -69,6 +69,7 @@ kexgss_server(struct ssh *ssh) + u_char *kbuf; + DH *dh; + int min = -1, max = -1, nbits = -1; ++ int cmin = -1, cmax = -1; /* client proposal */ + BIGNUM *shared_secret = NULL; + BIGNUM *dh_client_pub = NULL; + int type = 0; +@@ -107,11 +108,12 @@ kexgss_server(struct ssh *ssh) + case KEX_GSS_GEX_SHA1: + debug("Doing group exchange"); + packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ); +- min = packet_get_int(); ++ /* store client proposal to provide valid signature */ ++ cmin = packet_get_int(); + nbits = packet_get_int(); +- max = packet_get_int(); +- min = MAX(DH_GRP_MIN, min); +- max = MIN(DH_GRP_MAX, max); ++ cmax = packet_get_int(); ++ min = MAX(DH_GRP_MIN, cmin); ++ max = MIN(DH_GRP_MAX, cmax); + packet_check_eom(); + if (max < min || nbits < min || max < nbits) + fatal("GSS_GEX, bad parameters: %d !< %d !< %d", +@@ -234,7 +236,7 @@ kexgss_server(struct ssh *ssh) + buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), + buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), + NULL, 0, +- min, nbits, max, ++ cmin, nbits, cmax, + dh->p, dh->g, + dh_client_pub, + dh->pub_key,