From dd422639afefbdd1c562b922f2188cd570eef264 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@0xbadc0de.be>
Date: Tue, 9 Feb 2016 15:09:27 +0100
Subject: [PATCH] dh: Fix CVE-2016-0739

Due to a byte/bit confusion, the DH secret was too short. This file was
completely reworked and will be committed in a future version.

Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
 src/dh.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/dh.c b/src/dh.c
index 9b9d203..a60cb6d 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -237,15 +237,16 @@ void ssh_print_hexa(const char *descr, const unsigned char *what, size_t len) {
 }
 
 int dh_generate_x(ssh_session session) {
+  int keysize = 1023;
   session->next_crypto->x = bignum_new();
   if (session->next_crypto->x == NULL) {
     return -1;
   }
 
 #ifdef HAVE_LIBGCRYPT
-  bignum_rand(session->next_crypto->x, 128);
+  bignum_rand(session->next_crypto->x, keysize);
 #elif defined HAVE_LIBCRYPTO
-  bignum_rand(session->next_crypto->x, 128, 0, -1);
+  bignum_rand(session->next_crypto->x, keysize, -1, 0);
 #endif
 
   /* not harder than this */
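Review bot: The new `int keysize = 1023;` is an unexplained magic number, and the same literal is repeated in dh_generate_y in the next hunk; a reader cannot tell why it is 1023 rather than 1024 or a value derived from the negotiated group. I would hoist it to one file-scope constant, e.g. `/* bit length of the DH private exponent; presumably one below the 1024-bit modulus so the random value stays below p without a range check — confirm against the groups this file supports */` followed by `#define DH_PRIVATE_KEY_BITS 1023`, and use it in both functions. The libcrypto call also changes its trailing arguments from `(128, 0, -1)` to `(keysize, -1, 0)`; if bignum_rand forwards to BN_rand(rnd, bits, top, bottom), that reorder alters the top-bit and parity constraints on x rather than only widening it, so a one-line comment stating the intended top/bottom semantics would keep it from being read as an accidental swap. The body of dh_generate_x continues past the end of this hunk.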
@@ -258,15 +259,16 @@ int dh_generate_x(ssh_session session) {
 
 /* used by server */
 int dh_generate_y(ssh_session session) {
-    session->next_crypto->y = bignum_new();
+  int keysize = 1023;
+  session->next_crypto->y = bignum_new();
   if (session->next_crypto->y == NULL) {
     return -1;
   }
 
 #ifdef HAVE_LIBGCRYPT
-  bignum_rand(session->next_crypto->y, 128);
+  bignum_rand(session->next_crypto->y, keysize);
 #elif defined HAVE_LIBCRYPTO
-  bignum_rand(session->next_crypto->y, 128, 0, -1);
+  bignum_rand(session->next_crypto->y, keysize, -1, 0);
 #endif
 
   /* not harder than this */
-- 
2.5.0

