RSA kex: enforce the minimum key length.

I completely forgot to check that the server had actually sent a key of at least MINKLEN bits, as RFC 4432 clearly says that it MUST. Without this restriction, not only can a server trick the client into using a shared secret with inadequate entropy, but it can send a key so short that the client attempts to generate a secret integer of negative length, with integer-overflowing results.
2025-01-09 17:38:00 +00:00 · 2019-02-07 20:04:17 +00:00 · 2019-02-07 20:04:17 +00:00 · d828549995
commit d828549995
parent 5c926d9ea4
1 changed files with 14 additions and 0 deletions
--- a/ssh2kex-client.c
+++ b/ssh2kex-client.c
@ -554,7 +554,21 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
         */
        {
            int klen = ssh_rsakex_klen(s->rsa_kex_key);
+
+            const struct ssh_rsa_kex_extra *extra =
+                (const struct ssh_rsa_kex_extra *)s->kex_alg->extra;
+            if (klen < extra->minklen) {
+                ssh_proto_error(s->ppl.ssh, "Server sent %d-bit RSA key, "
+                                "less than the minimum size %d for %s "
+                                "key exchange", klen, extra->minklen,
+                                s->kex_alg->name);
+                *aborted = true;
+                return;
+            }
+
            int nbits = klen - (2*s->kex_alg->hash->hlen*8 + 49);
+            assert(nbits > 0);
+
            strbuf *buf, *outstr;

            mp_int *tmp = mp_random_bits(nbits - 1);