1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 09:12:24 +00:00

When encrypting packet length with ChaCha20, treat sequence number as 32 bits.

While ChaCha20 takes a 64-bit nonce, SSH-2 defines the message
sequence number to wrap at 2^32 and OpenSSH stores it in a u_int32_t,
so the upper 32 bits should always be zero.  PuTTY was getting this
wrong, and either using an incorrect nonce or causing GCC to complain
about an invalid shift, depending on the size of "unsigned long".  Now
I think it gets it right.
This commit is contained in:
Ben Harris 2015-06-24 21:58:11 +01:00
parent 0bd014e456
commit 307aaccc59

View File

@ -1290,7 +1290,11 @@ static void ccp_length_op(struct ccp_context *ctx, unsigned char *blk, int len,
unsigned long seq) unsigned long seq)
{ {
unsigned char iv[8]; unsigned char iv[8];
PUT_32BIT_LSB_FIRST(iv, seq >> 32); /*
* According to RFC 4253 (section 6.4), the packet sequence number wraps
* at 2^32, so its 32 high-order bits will always be zero.
*/
PUT_32BIT_LSB_FIRST(iv, 0);
PUT_32BIT_LSB_FIRST(iv + 4, seq); PUT_32BIT_LSB_FIRST(iv + 4, seq);
chacha20_iv(&ctx->a_cipher, iv); chacha20_iv(&ctx->a_cipher, iv);
chacha20_iv(&ctx->b_cipher, iv); chacha20_iv(&ctx->b_cipher, iv);