Fix GSSAPI Key Exchange for older clients (#1323622)

Failed with older clients, because server was doing signature over
different data than the verifying client. It was caused by bump of
minimal DH groups offered by server and a bug in code, which was
using max(client_min, server_min) instead of client_min as proposed
by RFC4462.
This commit is contained in:
Jakub Jelen 2016-04-05 16:13:17 +02:00
parent bda184b249
commit fc0cf7f8d5

View File

@ -2739,3 +2739,41 @@ diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
KEY_UNSPEC
};
diff --git a/kexgsss.c b/kexgsss.c
index b2f9658..2d33ff7 100644
--- a/kexgsss.c
+++ b/kexgsss.c
@@ -69,6 +69,7 @@ kexgss_server(struct ssh *ssh)
u_char *kbuf;
DH *dh;
int min = -1, max = -1, nbits = -1;
+ int cmin = -1, cmax = -1; /* client proposal */
BIGNUM *shared_secret = NULL;
BIGNUM *dh_client_pub = NULL;
int type = 0;
@@ -107,11 +108,12 @@ kexgss_server(struct ssh *ssh)
case KEX_GSS_GEX_SHA1:
debug("Doing group exchange");
packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
- min = packet_get_int();
+ /* store client proposal to provide valid signature */
+ cmin = packet_get_int();
nbits = packet_get_int();
- max = packet_get_int();
- min = MAX(DH_GRP_MIN, min);
- max = MIN(DH_GRP_MAX, max);
+ cmax = packet_get_int();
+ min = MAX(DH_GRP_MIN, cmin);
+ max = MIN(DH_GRP_MAX, cmax);
packet_check_eom();
if (max < min || nbits < min || max < nbits)
fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
@@ -234,7 +236,7 @@ kexgss_server(struct ssh *ssh)
buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
NULL, 0,
- min, nbits, max,
+ cmin, nbits, cmax,
dh->p, dh->g,
dh_client_pub,
dh->pub_key,