From 47a51b5a5b9a7865bc05bcc4e37792a74a28023d Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 3 Apr 2019 10:14:19 -0700 Subject: [PATCH] Server Public Key Bug Fix The callback was getting a pointer to the raw public key data in the receive buffer including the blob length, this caused the pubkey to be short in the callback. Updated the pubKey given to the callback to be the SSH encoded blob without the total size, and pass the total size in. Also, update the hash of the public key to include the size. --- src/internal.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/internal.c b/src/internal.c index f782846..71edae0 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2340,7 +2340,6 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) if (ret == WS_SUCCESS) { begin = *idx; - pubKey = buf + begin; ret = GetUint32(&pubKeySz, buf, len, &begin); if (ret == WS_SUCCESS && (pubKeySz > len - LENGTH_SZ - begin )) { ret = WS_BUFFER_E; @@ -2348,6 +2347,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) } if (ret == WS_SUCCESS) { + pubKey = buf + begin; if (ssh->ctx->publicKeyCheckCb != NULL) { WLOG(WS_LOG_DEBUG, "DKDR: Calling the public key check callback"); ret = ssh->ctx->publicKeyCheckCb(pubKey, pubKeySz, @@ -2368,14 +2368,14 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) } if (ret == WS_SUCCESS) + /* Hash in the raw public key blob from the server including its + * length which is at LENGTH_SZ offset ahead of pubKey. */ ret = wc_HashUpdate(&ssh->handshake->hash, ssh->handshake->hashId, - pubKey, pubKeySz + LENGTH_SZ); + pubKey - LENGTH_SZ, pubKeySz + LENGTH_SZ); - if (ret == WS_SUCCESS) { - pubKey = buf + begin; + if (ret == WS_SUCCESS) begin += pubKeySz; - } /* If using DH-GEX include the GEX specific values. */ if (ret == WS_SUCCESS && ssh->handshake->kexId == ID_DH_GEX_SHA256) {