===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/dh.c,v
retrieving revision 1.31.6.1
retrieving revision 1.32
diff -u -r1.31.6.1 -r1.32
--- src/usr.bin/ssh/dh.c	2006/10/06 03:19:32	1.31.6.1
+++ src/usr.bin/ssh/dh.c	2006/03/19 02:24:05	1.32
@@ -1,4 +1,3 @@
-/* $OpenBSD: dh.c,v 1.31.6.1 2006/10/06 03:19:32 brad Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  *
@@ -23,15 +22,18 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include <sys/param.h>
+#include "includes.h"
+RCSID("$OpenBSD: dh.c,v 1.32 2006/03/19 02:24:05 djm Exp $");
 
+#include "xmalloc.h"
+
 #include <openssl/bn.h>
 #include <openssl/dh.h>
+#include <openssl/evp.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
+#include "buffer.h"
+#include "cipher.h"
+#include "kex.h"
 #include "dh.h"
 #include "pathnames.h"
 #include "log.h"
@@ -42,7 +44,6 @@
 {
 	char *cp, *arg;
 	char *strsize, *gen, *prime;
-	const char *errstr = NULL;
 
 	cp = line;
 	if ((arg = strdelim(&cp)) == NULL)
@@ -67,8 +68,7 @@
 		goto fail;
 	strsize = strsep(&cp, " "); /* size */
 	if (cp == NULL || *strsize == '\0' ||
-	    (dhg->size = (u_int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
-	    errstr)
+	    (dhg->size = atoi(strsize)) == 0)
 		goto fail;
 	/* The whole group is one bit larger */
 	dhg->size++;
@@ -179,36 +179,19 @@
 	int i;
 	int n = BN_num_bits(dh_pub);
 	int bits_set = 0;
-	BIGNUM *tmp;
 
 	if (dh_pub->neg) {
 		logit("invalid public DH value: negativ");
 		return 0;
 	}
-	if (BN_cmp(dh_pub, BN_value_one()) != 1) {	/* pub_exp <= 1 */
-		logit("invalid public DH value: <= 1");
-		return 0;
-	}
-
-	if ((tmp = BN_new()) == NULL)
-		return (-1);
-	if (!BN_sub(tmp, dh->p, BN_value_one()) ||
-	    BN_cmp(dh_pub, tmp) != -1) {		/* pub_exp > p-2 */
-		BN_clear_free(tmp);
-		logit("invalid public DH value: >= p-1");
-		return 0;
-	}
-	BN_clear_free(tmp);
-
 	for (i = 0; i <= n; i++)
 		if (BN_is_bit_set(dh_pub, i))
 			bits_set++;
 	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
 
 	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
-	if (bits_set > 1)
+	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
 		return 1;
-
 	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
 	return 0;
 }