From: simon
Date: Sun, 18 Aug 2002 09:27:15 +0000 (+0000)
Subject: Add BUG_SSH2_DERIVEKEY, present (according to OpenSSH) in ssh.com
X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/commitdiff_plain/088bde77a60867dec8e24141abce80d74711bfae?hp=717dc4839a39d4235793d152f39fd24e9be9d12b
Add BUG_SSH2_DERIVEKEY, present (according to OpenSSH) in ssh.com versions 2.0.*, and causing the shared secret not to be included in key derivation hashes. (This doesn't quite cause a blatant security hole because the session ID - _derived_ from the shared secret - is still included.)
git-svn-id: svn://svn.tartarus.org/sgt/putty@1853 cda61777-01e9-0310-a592-d414129be87e
---
diff --git a/ssh.c b/ssh.c
index acc4598b..19c93df4 100644
--- a/ssh.c
+++ b/ssh.c
@@ -182,6 +182,7 @@ static const char *const ssh2_disconnect_reasons[] = {
 #define BUG_NEEDS_SSH1_PLAIN_PASSWORD 4
 #define BUG_CHOKES_ON_RSA 8
 #define BUG_SSH2_RSA_PADDING 16
+#define BUG_SSH2_DERIVEKEY 32
 static int ssh_pkt_ctx = 0;
@@ -1701,6 +1702,16 @@ static void ssh_detect_bugs(char *vstring)
 logevent("We believe remote version has SSH2 HMAC bug");
 }
+ if (!strncmp(imp, "2.0.", 4)) {
+ /*
+ * These versions have the key-derivation bug (failing to
+ * include the literal shared secret in the hashes that
+ * generate the keys).
+ */
+ ssh_remote_bugs |= BUG_SSH2_DERIVEKEY;
+ logevent("We believe remote version has SSH2 key-derivation bug");
+ }
+
 if ((!strncmp(imp, "OpenSSH_2.", 10) && imp[10]>='5' && imp[10]<='9') ||
 (!strncmp(imp, "OpenSSH_3.", 10) && imp[10]>='0' && imp[10]<='2')) {
 /*
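Review bot: The new test `!strncmp(imp, "2.0.", 4)` in ssh_detect_bugs selects a weaker key derivation from nothing more than a four-character prefix of the server's self-reported software version, so any peer whose version field begins with `2.0.` has the shared secret dropped from the key hashes, not only the ssh.com releases named in the commit message. That string is supplied by the remote side before authentication, and the comment should say so, for example `/* Deliberately broad: any "2.0.*" banner (per OpenSSH's compat list). The peer chooses this string, and it switches ssh2_mkkey to the derivation without K. */`. The log line would be more useful to someone auditing a session if it stated the consequence, that K is omitted from key derivation, rather than only naming the bug. ssh_detect_bugs starts and ends outside the hunk, so whether a user override for detected bugs exists cannot be seen from here.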
@@ -3497,14 +3508,16 @@ static void ssh2_mkkey(Bignum K, char *H, char *sessid, char chr,
 SHA_State s;
 /* First 20 bytes. */
 SHA_Init(&s);
- sha_mpint(&s, K);
+ if (!(ssh_remote_bugs & BUG_SSH2_DERIVEKEY))
+ sha_mpint(&s, K);
 SHA_Bytes(&s, H, 20);
 SHA_Bytes(&s, &chr, 1);
 SHA_Bytes(&s, sessid, 20);
 SHA_Final(&s, keyspace);
 /* Next 20 bytes. */
 SHA_Init(&s);
- sha_mpint(&s, K);
+ if (!(ssh_remote_bugs & BUG_SSH2_DERIVEKEY))
+ sha_mpint(&s, K);
 SHA_Bytes(&s, H, 20);
 SHA_Bytes(&s, keyspace, 20);
 SHA_Final(&s, keyspace + 20);
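Review bot: The guard `if (!(ssh_remote_bugs & BUG_SSH2_DERIVEKEY))` appears twice in ssh2_mkkey, unbraced and with no comment at the point where the key material is actually weakened. A reader sees K skipped and has to go to ssh_detect_bugs to learn why; a comment above the first guard such as `/* Peers flagged BUG_SSH2_DERIVEKEY leave K out of these hashes; sessid is still derived from K. */` would keep the rationale beside the hash input. Evaluating the flag once (`int use_k = !(ssh_remote_bugs & BUG_SSH2_DERIVEKEY);`) and bracing both `sha_mpint(&s, K);` calls would also make it harder for a later edit to change one 20-byte block and not the other. The function's signature and its end lie outside the hunk.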