Subject: Re: [SECURITY ADVISORY] Truncated Diffie-Hellman secret length

From: George Garner (online) <>
Date: Tue, 23 Feb 2016 21:41:15 -0500

Yes, diffie_hellman_sha1() has the same problem. Looking at the code, I
see a number of other problems:

1. _libssh2_bn_ctx_new(), _libssh2_bn_init() and
_libssh2_bn_init_from_bin() can fail if there are insufficient resources to
allocate the _libssh2_bn_ctx and _libssh2_bn structures but you don't test
the return value for NULL. One place where the error might be detected is
where you call _libssh2_bn_rand, but you ignore the return value from

2. The name group_order appears to be misleading as it suggests a
relationship with the Diffie-Hellman group concept. In fact, it appears
to be the length of p in bytes that is read from an SSH packet.

3. Where is the p_len/group_order parameter validated? In
kex_method_diffie_hellman_group_exchange_sha256_key_exchange it is
converted from network byte order and accepted at face value. What happens
if a malicious packet is received with a bogus value for p_len?

Received on 2016-02-24
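As an added illustration of the checks points 1 and 3 above ask for (this is not libssh2's code; the function names, the `MAX_DH_P_BYTES` cap and the sample packets are assumptions constructed for the example): an SSH `mpint` reader that bounds every wire-supplied length against the bytes actually present in the packet and against a maximum modulus size before allocating or copying, and reports allocation failure instead of ignoring it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on an accepted DH modulus: 8192-bit group = 1024 bytes,
 * plus one leading 0x00 pad byte the mpint encoding may add. */
#define MAX_DH_P_BYTES 1025

/* Decode an SSH big-endian uint32 length prefix. */
static uint32_t read_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* Parse one SSH mpint at buf[*off] into a malloc'd buffer. Returns 0 on
 * success, -1 on malformed or oversized input, -2 if malloc fails. The
 * wire length is validated before anything is allocated or copied. */
int parse_mpint(const unsigned char *buf, size_t buf_len, size_t *off,
                unsigned char **out, size_t *out_len) {
    uint32_t len; unsigned char *bn;
    if (*off > buf_len || buf_len - *off < 4)
        return -1;              /* no room for the 4-byte length prefix */
    len = read_u32(buf + *off);
    if (len > buf_len - *off - 4 || len > MAX_DH_P_BYTES)
        return -1;              /* bogus p_len: exceeds packet or our cap */
    bn = malloc(len ? len : 1);
    if (bn == NULL)
        return -2;              /* allocation failure is reported, not ignored */
    memcpy(bn, buf + *off + 4, len);
    *off += 4 + len;
    *out = bn; *out_len = len;
    return 0;
}
/* Parse p then g from a group-exchange reply body; returns the parse_mpint
 * result code and, on success, the byte lengths of p and g. */
int parse_group(const unsigned char *pkt, size_t pkt_len,
                size_t *p_len, size_t *g_len) {
    size_t off = 0; unsigned char *p = NULL, *g = NULL;
    int rc = parse_mpint(pkt, pkt_len, &off, &p, p_len);
    if (rc == 0)
        rc = parse_mpint(pkt, pkt_len, &off, &g, g_len);
    free(p); free(g);
    return rc;
}

/* Constructed samples: well-formed (p = 0x00FF, g = 2); p_len = 0xFFFFFFFF;
 * p_len larger than the bytes that actually follow it. */
const unsigned char good_pkt[]  = {0,0,0,2, 0x00,0xFF, 0,0,0,1, 0x02};
const unsigned char huge_pkt[]  = {0xFF,0xFF,0xFF,0xFF, 0x00,0xFF};
const unsigned char short_pkt[] = {0,0,0,5, 0x00,0xFF};
```

The same length check applies to every mpint the peer sends in the exchange (p, g, and the public value), since each is read with its own length prefix.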