- djm@cvs.openbsd.org 2010/09/09 10:45:45

     [kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c]
     ECDH/ECDSA compliance fix: these methods vary the hash function they use
     (SHA256/384/512) depending on the length of the curve in use. The previous
     code incorrectly used SHA256 in all cases.

     This fix will cause authentication failure when using 384 or 521-bit curve
     keys if one peer hasn't been upgraded and the other has. (256-bit curve
     keys work ok). In particular you may need to specify HostkeyAlgorithms
     when connecting to a server that has not been upgraded from an upgraded
     client.

     ok naddy@

1 files changed, 5 insertions, 5 deletions

diff --git a/kex.c b/kex.c
index abe9b9f5..7c876319 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.84 2010/08/31 11:54:45 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.85 2010/09/09 10:45:45 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -325,10 +325,10 @@ choose_kex(Kex *k, char *client, char *server)
 	} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
 		k->kex_type = KEX_DH_GEX_SHA256;
 		k->evp_md = evp_ssh_sha256();
-	} else if (strncmp(k->name, KEX_ECDH_SHA256,
-	    sizeof(KEX_ECDH_SHA256) - 1) == 0) {
-		k->kex_type = KEX_ECDH_SHA2;
-		k->evp_md = evp_ssh_sha256();
+	} else if (strncmp(k->name, KEX_ECDH_SHA2_STEM,
+	    sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) {
+ 		k->kex_type = KEX_ECDH_SHA2;
+		k->evp_md = kex_ecdh_name_to_evpmd(k->name);
 #endif
 	} else
 		fatal("bad kex alg %s", k->name);