Add validation of remote keys in ECC Diffie-Hellman.
In both the Weierstrass and Montgomery forms, we now check that the provided curve point isn't a silly one, like the identity or a torsion point, which will give little or no variation in the possible outputs of key exchange.
This commit is contained in:
parent
5fbd294c20
commit
b9d0371c47
21
sshecc.c
21
sshecc.c
@ -1329,6 +1329,12 @@ static mp_int *ssh_ecdhkex_w_getkey(ecdh_key *dh, ptrlen remoteKey)
|
||||
if (!remote_p)
|
||||
return NULL;
|
||||
|
||||
if (ecc_weierstrass_is_identity(remote_p)) {
|
||||
/* Not a sensible Diffie-Hellman input value */
|
||||
ecc_weierstrass_point_free(remote_p);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
WeierstrassPoint *p = ecc_weierstrass_multiply(remote_p, dh->private);
|
||||
|
||||
mp_int *x;
|
||||
@ -1343,6 +1349,21 @@ static mp_int *ssh_ecdhkex_w_getkey(ecdh_key *dh, ptrlen remoteKey)
|
||||
static mp_int *ssh_ecdhkex_m_getkey(ecdh_key *dh, ptrlen remoteKey)
|
||||
{
|
||||
mp_int *remote_x = mp_from_bytes_le(remoteKey);
|
||||
if (mp_eq_integer(remote_x, 0)) {
|
||||
/*
|
||||
* The libssh spec for Curve25519 key exchange says that
|
||||
* 'every possible public key maps to a valid ECC Point' and
|
||||
* therefore no validation needs to be done on the server's
|
||||
* provided x-coordinate. However, I don't believe it: an
|
||||
* x-coordinate of zero doesn't work sensibly, because you end
|
||||
* up dividing by zero in the doubling formula
|
||||
* (x+1)^2(x-1)^2/(4(x^3+ax^2+x)). (Put another way, although
|
||||
* that point P is not the _identity_ of the curve, it is a
|
||||
* torsion point such that 2P is the identity.)
|
||||
*/
|
||||
mp_free(remote_x);
|
||||
return NULL;
|
||||
}
|
||||
MontgomeryPoint *remote_p = ecc_montgomery_point_new(
|
||||
dh->curve->m.mc, remote_x);
|
||||
mp_free(remote_x);
|
||||
|
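Review bot: The zero test at `if (mp_eq_integer(remote_x, 0))` is applied to the raw 32-byte little-endian integer before any reduction, so an encoding numerically equal to p or 2p (both fit in 32 bytes and are congruent to 0 mod 2^255-19) passes the test yet denotes the same order-2 point, unless ecc_montgomery_point_new reduces its argument, which is not visible in the hunk. The other small-order x-coordinates of Curve25519 (x = 1 has order 4, and cofactor 8 means order-8 points exist too) are not rejected either, and with a private scalar clamped as RFC 7748 prescribes each of them drives the ladder to the identity. The remedy RFC 7748 §6.1 recommends is to reject the exchange when the resulting shared x-coordinate is zero, which covers all of these inputs at once, e.g. after the multiply: `if (mp_eq_integer(shared_x, 0)) { /* small-order remote point */ return NULL; }` (variable name constructed). The multiply and the rest of ssh_ecdhkex_m_getkey lie outside the hunk, so such a check may already exist there; if it does, a comment beside the zero test pointing at it would make the reasoning self-contained. In the first hunk, ssh_ecdhkex_w_getkey rejects only the identity, which suffices for the cofactor-1 Weierstrass curves provided the point decoder has already verified the point lies on the curve — worth stating in the comment at `/* Not a sensible Diffie-Hellman input value */`.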