From a92ac7410475fbb00383c7402aa954dc0a75ae19 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 26 Jan 2014 09:38:03 +1100 Subject: [PATCH] - markus@cvs.openbsd.org 2014/01/25 20:35:37 [kex.c] dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha --- ChangeLog | 4 ++++ kex.c | 20 +++++++++----------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 64da7a475..384c0712c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@ + - markus@cvs.openbsd.org 2014/01/25 20:35:37 + [kex.c] + dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) + ok dtucker@, noted by mancha 20130125 - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD diff --git a/kex.c b/kex.c index 39d16f8e3..616484b85 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.96 2014/01/25 10:12:50 dtucker Exp $ */ +/* $OpenBSD: kex.c,v 1.97 2014/01/25 20:35:37 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * 
@@ -509,16 +509,14 @@ kex_choose_conf(Kex *kex)
 need = dh_need = 0;
 for (mode = 0; mode < MODE_MAX; mode++) {
 newkeys = kex->newkeys[mode];
- if (need < newkeys->enc.key_len)
- need = newkeys->enc.key_len;
- if (need < newkeys->enc.block_size)
- need = newkeys->enc.block_size;
- if (need < newkeys->enc.iv_len)
- need = newkeys->enc.iv_len;
- if (need < newkeys->mac.key_len)
- need = newkeys->mac.key_len;
- if (dh_need < cipher_seclen(newkeys->enc.cipher))
- dh_need = cipher_seclen(newkeys->enc.cipher);
+ need = MAX(need, newkeys->enc.key_len);
+ need = MAX(need, newkeys->enc.block_size);
+ need = MAX(need, newkeys->enc.iv_len);
+ need = MAX(need, newkeys->mac.key_len);
+ dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));
+ dh_need = MAX(dh_need, newkeys->enc.block_size);
+ dh_need = MAX(dh_need, newkeys->enc.iv_len);
+ dh_need = MAX(dh_need, newkeys->mac.key_len);
 }
 /* XXX need runden? */
 kex->we_need = need;
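Review bot: The `need` and `dh_need` chains in the loop now differ in only one term (`newkeys->enc.key_len` versus `cipher_seclen(newkeys->enc.cipher)`), and nothing in the hunk says this is deliberate, so a later edit that adds a length to one chain can leave the other short again, which is the defect this commit corrects. I would add a comment above the `dh_need` lines such as `/* dh_need mirrors need, except cipher_seclen() stands in for enc.key_len; keep both lists in sync */`. If `MAX` is the usual two-evaluation macro (its definition is not in the hunk), `cipher_seclen()` is also called twice per iteration, and storing its result in a local first would avoid that. `kex_choose_conf` begins and ends outside the hunk, so how `dh_need` is consumed afterwards is not visible here.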