
[PATCH 0/2] Fix 'first_kex_packet_follows' for Dropbear


Attached are a couple of patches which fix 'first_kex_packet_follows' processing,
based against master@a4cecf59d568d2b987c16a1209e357d0153a0216.  The recent fixes
with CVE-2015-3145 exposed these two bugs, observable when testing with dropbear.

In the first bug, ensure we return SSH_OK when we ignore a KEXDH_INIT packet
due to a wrong client guess.  Previously the code here was checking its end
return value to the uninitialized 'rc' local -- the bug was exposed with the
CVE fix at bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe.

The second fix updates the 'first_kex_packet_follows' checking to consider
*also* the host key type at hand in addition to the kex algorithm which was
already being checked.

Before these changes I'm able to observe failures between dropbear clients and a
libssh server; after, things are working again for me.


Jon Simons (2):
  server: return SSH_OK for ignored SSH_MSG_KEXDH_INIT case
  kex: also compare host keys for 'first_kex_packet_follows'

 src/kex.c    | 44 +++++++++++++++++++++++---------------------
 src/server.c |  1 +
 2 files changed, 24 insertions(+), 21 deletions(-)
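The second patch's point, that a 'first_kex_packet_follows' guess is only right when both the key exchange algorithm and the host key algorithm agree, comes straight from RFC 4253 section 7.1. The following stand-alone C program is an added illustration of that rule and of the "ignore, but not an error" outcome of a wrong guess; it is not libssh code and does not use libssh's API. The function names and the KEXINIT name-lists are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Copy the first comma-separated name of an SSH name-list (RFC 4251
 * section 5) into 'out'. Returns false for an empty list, an empty
 * first element, or a name that does not fit the buffer. */
static bool first_name(const char *list, char *out, size_t outlen)
{
    const char *comma;
    size_t len;

    if (list == NULL || *list == '\0' || *list == ',')
        return false;
    comma = strchr(list, ',');
    len = comma ? (size_t)(comma - list) : strlen(list);
    if (len >= outlen)
        return false;
    memcpy(out, list, len);
    out[len] = '\0';
    return true;
}

/* RFC 4253 section 7.1: the client's guess is correct only when the first
 * entry of BOTH the kex_algorithms and the server_host_key_algorithms
 * name-lists is the same on both sides. Checking only the kex algorithm,
 * as the pre-patch code did, accepts a guessed packet that must be ignored. */
static bool guess_is_right(const char *client_kex, const char *server_kex,
                           const char *client_hostkey,
                           const char *server_hostkey)
{
    char ck[64], sk[64], ch[64], sh[64];

    if (!first_name(client_kex, ck, sizeof ck) ||
        !first_name(server_kex, sk, sizeof sk) ||
        !first_name(client_hostkey, ch, sizeof ch) ||
        !first_name(server_hostkey, sh, sizeof sh))
        return false; /* a malformed list counts as a wrong guess */

    return strcmp(ck, sk) == 0 && strcmp(ch, sh) == 0;
}

/* Outcome for the packet following KEXINIT: 1 means "ignore it and carry on
 * with the negotiated exchange", 0 means "process it". The result is
 * initialised up front so every path returns a defined value, which is the
 * defect class the first patch ('rc' left uninitialised) addresses. */
static int first_packet_disposition(bool first_kex_packet_follows,
                                    bool guess_right)
{
    int ignore = 0; /* default: process the packet */

    if (first_kex_packet_follows && !guess_right)
        ignore = 1; /* wrong guess: drop the packet, no error is raised */
    return ignore;
}

/* Constructed KEXINIT name-lists (sample input, not captured traffic). */
#define CLIENT_KEX          "curve25519-sha256,diffie-hellman-group14-sha1"
#define SERVER_KEX          "curve25519-sha256,ecdh-sha2-nistp256"
#define CLIENT_HOSTKEY      "ssh-rsa,ssh-ed25519"
#define SERVER_HOSTKEY_SAME "ssh-rsa,ecdsa-sha2-nistp256"
#define SERVER_HOSTKEY_DIFF "ssh-ed25519,ssh-rsa"

int main(void)
{
    bool same = guess_is_right(CLIENT_KEX, SERVER_KEX,
                               CLIENT_HOSTKEY, SERVER_HOSTKEY_SAME);
    bool diff = guess_is_right(CLIENT_KEX, SERVER_KEX,
                               CLIENT_HOSTKEY, SERVER_HOSTKEY_DIFF);

    printf("kex match, hostkey match:   guess %s, ignore=%d\n",
           same ? "right" : "wrong", first_packet_disposition(true, same));
    printf("kex match, hostkey differs: guess %s, ignore=%d\n",
           diff ? "right" : "wrong", first_packet_disposition(true, diff));
    return 0;
}
```

The second case is the one the patch series describes: the kex algorithm matches, so a kex-only comparison would accept the guessed KEXDH_INIT, but the host key preference differs, so the packet has to be ignored and the handshake continued without reporting an error.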

