DH group selection for SHA2-512 bit HMAC.

Nickolay nickolay at antlogic.com.ua
Fri May 31 23:37:32 EST 2013


Hi. I've got the following problem with our SSH client library:
- client connects to OpenSSH 5.9+ server and they choose hmac-sha2-512 
with diffie-hellman-group-exchange-sha256.
- client sends MSG_KEX_DH_GEX_REQUEST DH group request with parameters 
(1024, 1024, 8192).
I.e. minimum and preferred group size is 1024-bit,
- OpenSSH server in kexgexs.c:kexgex_server processes this message and 
selects 1024-bit group, sending it back to client.
- however, later, when it goes to shared secret generation, in 
dh.c:dh_gen_key code checks group size to be
2 * need >= BN_num_bits(dh->p), where need is set to 512 bit (by the 
size of HMAC, I assume), producing the error fatal("dh_gen_key: group 
too small: %d (2*need %d)".

So, I think it would be more logical to check 'need' parameter somewhere 
during group selection.
Or am I missing something?
Thanks!

--
  Nickolay Olshevsky, AntLogic
  Email: nickolay at antlogic.com.ua
  http://antlogic.com.ua/
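
The mismatch described in the message above, as an added example that is not part of the original post and is not OpenSSH code: it mirrors the quoted dh_gen_key condition and shows a client raising its group-exchange minimum from 'need' before sending the request. The names gex_req, pick_group and gex_fit_request, the list of group sizes and the server selection model are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

struct gex_req { int min, pref, max; };   /* GEX request sizes, in bits */
/* Constructed sample data: group sizes a server might offer, ascending. */
static const int sample_groups[] = { 1024, 1536, 2048, 3072, 4096, 6144, 8192 };

/* The condition quoted from dh_gen_key: a group is rejected when
 * 2 * need >= bits(p). Returns 1 if the group is large enough. */
static int group_ok_for_need(int group_bits, int need_bits)
{
    if (need_bits <= 0 || need_bits > INT_MAX / 2)
        return 0;
    return 2 * need_bits < group_bits;
}

/* Simplified server model (assumption): smallest sample group >= pref
 * inside [min, max], else the largest one in range; 0 if none fits. */
static int pick_group(const struct gex_req *r)
{
    int best = 0;
    for (size_t i = 0; i < sizeof(sample_groups) / sizeof(sample_groups[0]); i++) {
        int g = sample_groups[i];
        if (g < r->min || g > r->max)
            continue;
        if (g >= r->pref)
            return g;
        best = g;
    }
    return best;
}

/* Hypothetical client-side step: raise min and pref so every group in
 * [min, max] passes group_ok_for_need(). Returns -1 if max is too small. */
static int gex_fit_request(struct gex_req *r, int need_bits)
{
    if (need_bits <= 0 || need_bits > (INT_MAX - 1) / 2 || 2 * need_bits + 1 > r->max)
        return -1;
    if (r->min < 2 * need_bits + 1) r->min = 2 * need_bits + 1;
    if (r->pref < r->min) r->pref = r->min;
    return 0;
}

int main(void)
{
    struct gex_req r = { 1024, 1024, 8192 };   /* request from the post */
    int g = pick_group(&r);
    printf("as sent: %d-bit group, ok=%d\n", g, group_ok_for_need(g, 512));
    gex_fit_request(&r, 512);                  /* need = 512 bits, as in the post */
    g = pick_group(&r);
    printf("fitted:  %d-bit group, ok=%d\n", g, group_ok_for_need(g, 512));
    return 0;
}
```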



More information about the openssh-unix-dev mailing list