From d82854999516046122501b2e145099740ed0284f Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Thu, 7 Feb 2019 20:04:17 +0000
Subject: [PATCH] RSA kex: enforce the minimum key length.

I completely forgot to check that the server had actually sent a key of at least MINKLEN bits, as RFC 4432 clearly says that it MUST. Without this restriction, not only can a server trick the client into using a shared secret with inadequate entropy, but it can send a key so short that the client attempts to generate a secret integer of negative length, with integer-overflowing results.
---
ssh2kex-client.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)

diff --git a/ssh2kex-client.c b/ssh2kex-client.c
index 10129a20..4b21b0b6 100644
--- a/ssh2kex-client.c
+++ b/ssh2kex-client.c
@@ -554,7 +554,21 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
 */
 {
 int klen = ssh_rsakex_klen(s->rsa_kex_key);
+
+ const struct ssh_rsa_kex_extra *extra =
+ (const struct ssh_rsa_kex_extra *)s->kex_alg->extra;
+ if (klen < extra->minklen) {
+ ssh_proto_error(s->ppl.ssh, "Server sent %d-bit RSA key, "
+ "less than the minimum size %d for %s "
+ "key exchange", klen, extra->minklen,
+ s->kex_alg->name);
+ *aborted = true;
+ return;
+ }
+
 int nbits = klen - (2*s->kex_alg->hash->hlen*8 + 49);
+ assert(nbits > 0);
+
 strbuf *buf, *outstr;
 mp_int *tmp = mp_random_bits(nbits - 1);