- markus@cvs.openbsd.org 2014/01/25 20:35:37

[kex.c] dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
2025-07-27 07:44:29 +02:00 · 2014-01-26 09:38:03 +11:00 · 2014-01-26 09:38:03 +11:00 · a92ac74104
commit a92ac74104
parent 76eea4ab4e
2 changed files with 13 additions and 11 deletions
--- a/4
+++ b/4
@ -8,6 +8,10 @@
     than 4k but also don't use the largest group size it does support as
     specified in the RFC.  Based on a patch from Petr Lautrbach at Redhat,
     reduced by me with input from Markus.  ok djm@ markus@
   - markus@cvs.openbsd.org 2014/01/25 20:35:37
     [kex.c]
     dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
     ok dtucker@, noted by mancha
 20130125
 - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD
--- a/kex.c
+++ b/kex.c
@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.96 2014/01/25 10:12:50 dtucker Exp $ */
+/* $OpenBSD: kex.c,v 1.97 2014/01/25 20:35:37 markus Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
 *
@ -509,16 +509,14 @@ kex_choose_conf(Kex *kex)
 	need = dh_need = 0;
 	for (mode = 0; mode < MODE_MAX; mode++) {
 		newkeys = kex->newkeys[mode];
-		if (need < newkeys->enc.key_len)
+		need = MAX(need, newkeys->enc.key_len);
-			need = newkeys->enc.key_len;
+		need = MAX(need, newkeys->enc.block_size);
-		if (need < newkeys->enc.block_size)
+		need = MAX(need, newkeys->enc.iv_len);
-			need = newkeys->enc.block_size;
+		need = MAX(need, newkeys->mac.key_len);
-		if (need < newkeys->enc.iv_len)
+		dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));
-			need = newkeys->enc.iv_len;
+		dh_need = MAX(dh_need, newkeys->enc.block_size);
-		if (need < newkeys->mac.key_len)
+		dh_need = MAX(dh_need, newkeys->enc.iv_len);
-			need = newkeys->mac.key_len;
+		dh_need = MAX(dh_need, newkeys->mac.key_len);
 		if (dh_need < cipher_seclen(newkeys->enc.cipher))
 			dh_need = cipher_seclen(newkeys->enc.cipher);
 	}
 	/* XXX need runden? */
 	kex->we_need = need;