2 files changed, 9 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index e296e0441..5e9a177d9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,10 @@
     [serverloop.c]
     tighten check for -R0:... forwarding: only allow dynamic allocation
     if want_reply is set in the packet
+   - djm@cvs.openbsd.org 2009/02/12 03:26:22
+     [monitor.c]
+     some paranoia: check that the serialised key is really KEY_RSA before
+     diddling its internals
 20090212
 - (djm) [sshpty.c] bz#1419: OSX uses cloning ptys that automagically
@@ -5140,5 +5144,5 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.5188 2009/02/14 05:33:09 djm Exp $
+$Id: ChangeLog,v 1.5189 2009/02/14 05:33:31 djm Exp $
diff --git a/monitor.c b/monitor.c
index 39deedc8f..f57e74ba5 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.100 2008/11/04 08:22:13 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.101 2009/02/12 03:26:22 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1500,7 +1500,9 @@ mm_answer_rsa_challenge(int sock, Buffer *m)
                fatal("%s: key type mismatch", __func__);
        if ((key = key_from_blob(blob, blen)) == NULL)
                fatal("%s: received bad key", __func__);
+        if (key->type != KEY_RSA)
+                fatal("%s: received bad key type %d", __func__, key->type);
+        key->type = KEY_RSA1;
        if (ssh1_challenge)
                BN_clear_free(ssh1_challenge);
        ssh1_challenge = auth_rsa_generate_challenge(key);

diff --git a/ChangeLog b/ChangeLog index e296e0441..5e9a177d9 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -14,6 +14,10 @@
14	[serverloop.c]	14	[serverloop.c]
15	tighten check for -R0:... forwarding: only allow dynamic allocation	15	tighten check for -R0:... forwarding: only allow dynamic allocation
16	if want_reply is set in the packet	16	if want_reply is set in the packet
		17	- djm@cvs.openbsd.org 2009/02/12 03:26:22
		18	[monitor.c]
		19	some paranoia: check that the serialised key is really KEY_RSA before
		20	diddling its internals
17		21
18	20090212	22	20090212
19	- (djm) [sshpty.c] bz#1419: OSX uses cloning ptys that automagically	23	- (djm) [sshpty.c] bz#1419: OSX uses cloning ptys that automagically
@@ -5140,5 +5144,5 @@
5140	OpenServer 6 and add osr5bigcrypt support so when someone migrates	5144	OpenServer 6 and add osr5bigcrypt support so when someone migrates
5141	passwords between UnixWare and OpenServer they will still work. OK dtucker@	5145	passwords between UnixWare and OpenServer they will still work. OK dtucker@
5142		5146
5143	$Id: ChangeLog,v 1.5188 2009/02/14 05:33:09 djm Exp $	5147	$Id: ChangeLog,v 1.5189 2009/02/14 05:33:31 djm Exp $
5144		5148


diff --git a/monitor.c b/monitor.c index 39deedc8f..f57e74ba5 100644 --- a/monitor.c +++ b/monitor.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: monitor.c,v 1.100 2008/11/04 08:22:13 djm Exp $ */	1	/* $OpenBSD: monitor.c,v 1.101 2009/02/12 03:26:22 djm Exp $ */
2	/*	2	/*
3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>	3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>
4	* Copyright 2002 Markus Friedl <markus@openbsd.org>	4	* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1500,7 +1500,9 @@ mm_answer_rsa_challenge(int sock, Buffer *m)
1500	fatal("%s: key type mismatch", __func__);	1500	fatal("%s: key type mismatch", __func__);
1501	if ((key = key_from_blob(blob, blen)) == NULL)	1501	if ((key = key_from_blob(blob, blen)) == NULL)
1502	fatal("%s: received bad key", __func__);	1502	fatal("%s: received bad key", __func__);
1503		1503	if (key->type != KEY_RSA)
		1504	fatal("%s: received bad key type %d", __func__, key->type);
		1505	key->type = KEY_RSA1;
1504	if (ssh1_challenge)	1506	if (ssh1_challenge)
1505	BN_clear_free(ssh1_challenge);	1507	BN_clear_free(ssh1_challenge);
1506	ssh1_challenge = auth_rsa_generate_challenge(key);	1508	ssh1_challenge = auth_rsa_generate_challenge(key);