openssh bugs - Nov 2008 - [Bug 1540] New: Incorrect hash in SSH_MSG_KEX_DH_GEX_REPLY

https://bugzilla.mindrot.org/show_bug.cgi?id=1540

           Summary: Incorrect hash in SSH_MSG_KEX_DH_GEX_REPLY
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: john.smith at arrows.demon.co.uk


Observed in openssh-5.1p1.tar.gz.

This is a theoretical bug based on my reading of RFC 4419, and
implemented in kexgexs.c.

RFC 4419 addresses the Diffie Helman exchange.  RFC 4419, section 3,
requires a hash to be calculated over several items including

  uint32  min, minimal size in bits of an acceptable group
  uint32  n, preferred size in bits of the group the server will send
  uint32  max, maximal size in bits of an acceptable group

The min, n and max values have been previously sent from the client to
server in a SSH_MSG_KEY_DH_GEX_REQUEST message.

The corresponding section of code is in function
kexgex_server in kexgexs.c:

   case SSH2_MSG_KEX_DH_GEX_REQUEST:
        debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
        min = packet_get_int();
        nbits = packet_get_int();
        max = packet_get_int();
        min = MAX(DH_GRP_MIN, min);
        max = MIN(DH_GRP_MAX, max);
        break;


The bug is that, if the client sends values of 512 and 8192 for min
and max in the SSH_MSG_KEY_DH_GEX_REQUEST message, then the client
will expect the server to use these same values when calculating the
hash.  But the server will actually use DH_GRP_MIN for min,
which have the value 1024.



There is a related problem: (based of a review of kexgexs.c) If the
client specifies (in the SSH_MSG_KEY_DH_GEX_REQUEST message)
  min        512
  nbits      768
  max       8192
then the client will expect the server to reply with a 
suitable group. Actual behaviour is that:

   min will be increased to DH_GRP_MIN = 1024

and then nbits will be smaller than min, which will trigger

   if (max < min || nbits < min || max < nbits)
        fatal("DH_GEX_REQUEST, bad parameters: %d !< %d !< %d",
              min, nbits, max);

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1540





--- Comment #1 from Damien Miller <djm at mindrot.org>  2008-12-08
09:48:19 ---
Created an attachment (id=1585)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1585)
stash original values for use in hash

This patch keeps a copy of the original values that the client sent and
uses them for the consistency check and hash calculation. The actual
selection of a group is still made with the cleaned-up values.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1540


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |minor
                 CC|                            |djm at mindrot.org
             Blocks|                            |1481




--- Comment #2 from Damien Miller <djm at mindrot.org>  2008-12-08
09:48:50 ---
put this on the list for openssh-5.2

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1540


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




--- Comment #3 from Damien Miller <djm at mindrot.org>  2009-01-02
08:18:33 ---
patch applied - this will be in openssh-5.2. Thanks for the report.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1540


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED




--- Comment #4 from Damien Miller <djm at mindrot.org>  2009-02-23
13:36:41 ---
Close bugs fixed/reviewed for openssh-5.2 release

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.