Fix GSSAPI Key Exchange for older clients (#1323622)

Failed with older clients, because server was doing signature over different data than the verifying client. It was caused by bump of minimal DH groups offered by server and a bug in code, which was using max(client_min, server_min) instead of client_min as proposed by RFC4462.
2016-04-05 16:13:17 +02:00 · 2016-04-05 16:13:17 +02:00 · fc0cf7f8d5
commit fc0cf7f8d5
parent bda184b249
1 changed files with 38 additions and 0 deletions
--- a/openssh-7.2p1-gsskex.patch
+++ b/openssh-7.2p1-gsskex.patch
@ -2739,3 +2739,41 @@ diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
 	KEY_UNSPEC
 };
 
+diff --git a/kexgsss.c b/kexgsss.c
+index b2f9658..2d33ff7 100644
+--- a/kexgsss.c
+++ b/kexgsss.c
+@@ -69,6 +69,7 @@ kexgss_server(struct ssh *ssh)
+ 	u_char *kbuf;
+ 	DH *dh;
+ 	int min = -1, max = -1, nbits = -1;
+	int cmin = -1, cmax = -1; /* client proposal */
+ 	BIGNUM *shared_secret = NULL;
+ 	BIGNUM *dh_client_pub = NULL;
+ 	int type = 0;
+@@ -107,11 +108,12 @@ kexgss_server(struct ssh *ssh)
+ 	case KEX_GSS_GEX_SHA1:
+ 		debug("Doing group exchange");
+ 		packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
+-		min = packet_get_int();
+		/* store client proposal to provide valid signature */
+		cmin = packet_get_int();
+ 		nbits = packet_get_int();
+-		max = packet_get_int();
+-		min = MAX(DH_GRP_MIN, min);
+-		max = MIN(DH_GRP_MAX, max);
+		cmax = packet_get_int();
+		min = MAX(DH_GRP_MIN, cmin);
+		max = MIN(DH_GRP_MAX, cmax);
+ 		packet_check_eom();
+ 		if (max < min || nbits < min || max < nbits)
+ 			fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
+@@ -234,7 +236,7 @@ kexgss_server(struct ssh *ssh)
+ 		    buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
+ 		    buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
+ 		    NULL, 0,
+-		    min, nbits, max,
+		    cmin, nbits, cmax,
+ 		    dh->p, dh->g,
+ 		    dh_client_pub,
+ 		    dh->pub_key,