=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshconnect.c,v retrieving revision 1.24 retrieving revision 1.25 diff -u -r1.24 -r1.25 --- src/usr.bin/ssh/sshconnect.c 1999/10/27 16:37:46 1.24 +++ src/usr.bin/ssh/sshconnect.c 1999/11/02 19:42:36 1.25 @@ -15,7 +15,7 @@ */ #include "includes.h" -RCSID("$Id: sshconnect.c,v 1.24 1999/10/27 16:37:46 deraadt Exp $"); +RCSID("$Id: sshconnect.c,v 1.25 1999/11/02 19:42:36 markus Exp $"); #include #include "xmalloc.h" @@ -449,7 +449,10 @@ /* Compute the response. */ /* The response is MD5 of decrypted challenge plus session id. */ len = BN_num_bytes(challenge); - assert(len <= sizeof(buf) && len); + if (len <= 0 || len > sizeof(buf)) + packet_disconnect("respond_to_rsa_challenge: bad challenge length %d", + len); + memset(buf, 0, sizeof(buf)); BN_bn2bin(challenge, buf + sizeof(buf) - len); MD5_Init(&md); @@ -1290,8 +1293,14 @@ if (BN_cmp(public_key->n, host_key->n) < 0) { /* Public key has smaller modulus. */ - assert(BN_num_bits(host_key->n) >= - BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED); + if (BN_num_bits(host_key->n) < + BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) { + fatal("respond_to_rsa_challenge: host_key %d < public_key %d + " + "SSH_KEY_BITS_RESERVED %d", + BN_num_bits(host_key->n), + BN_num_bits(public_key->n), + SSH_KEY_BITS_RESERVED); + } rsa_public_encrypt(key, key, public_key); rsa_public_encrypt(key, key, host_key); @@ -1299,8 +1308,14 @@ else { /* Host key has smaller modulus (or they are equal). */ - assert(BN_num_bits(public_key->n) >= - BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED); + if (BN_num_bits(public_key->n) < + BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) { + fatal("respond_to_rsa_challenge: public_key %d < host_key %d + " + "SSH_KEY_BITS_RESERVED %d", + BN_num_bits(public_key->n), + BN_num_bits(host_key->n), + SSH_KEY_BITS_RESERVED); + } rsa_public_encrypt(key, key, host_key); rsa_public_encrypt(key, key, public_key);