mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 09:58:01 +00:00
When encrypting packet length with ChaCha20, treat sequence number as 32 bits.
While ChaCha20 takes a 64-bit nonce, SSH-2 defines the message sequence number to wrap at 2^32 and OpenSSH stores it in a u_int32_t, so the upper 32 bits should always be zero. PuTTY was getting this wrong, and either using an incorrect nonce or causing GCC to complain about an invalid shift, depending on the size of "unsigned long". Now I think it gets it right.
This commit is contained in:
parent
0bd014e456
commit
307aaccc59
6
sshccp.c
6
sshccp.c
@ -1290,7 +1290,11 @@ static void ccp_length_op(struct ccp_context *ctx, unsigned char *blk, int len,
|
|||||||
unsigned long seq)
|
unsigned long seq)
|
||||||
{
|
{
|
||||||
unsigned char iv[8];
|
unsigned char iv[8];
|
||||||
PUT_32BIT_LSB_FIRST(iv, seq >> 32);
|
/*
|
||||||
|
* According to RFC 4253 (section 6.4), the packet sequence number wraps
|
||||||
|
* at 2^32, so its 32 high-order bits will always be zero.
|
||||||
|
*/
|
||||||
|
PUT_32BIT_LSB_FIRST(iv, 0);
|
||||||
PUT_32BIT_LSB_FIRST(iv + 4, seq);
|
PUT_32BIT_LSB_FIRST(iv + 4, seq);
|
||||||
chacha20_iv(&ctx->a_cipher, iv);
|
chacha20_iv(&ctx->a_cipher, iv);
|
||||||
chacha20_iv(&ctx->b_cipher, iv);
|
chacha20_iv(&ctx->b_cipher, iv);
|
||||||
|
Loading…
Reference in New Issue
Block a user