nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 09:12:24 +00:00
Code Issues Projects Releases Wiki Activity

RSA kex: enforce the minimum key length.

Browse Source 
I completely forgot to check that the server had actually sent a key
of at least MINKLEN bits, as RFC 4432 clearly says that it MUST.
Without this restriction, not only can a server trick the client into
using a shared secret with inadequate entropy, but it can send a key
so short that the client attempts to generate a secret integer of
negative length, with integer-overflowing results.
This commit is contained in:
Simon Tatham 2019-02-07 20:04:17 +00:00
parent 5c926d9ea4
commit d828549995
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
ssh2kex-client.c
View File

@ -554,7 +554,21 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
*/ */
{ {
int klen = ssh_rsakex_klen(s->rsa_kex_key); int klen = ssh_rsakex_klen(s->rsa_kex_key);
const struct ssh_rsa_kex_extra *extra =
(const struct ssh_rsa_kex_extra *)s->kex_alg->extra;
if (klen < extra->minklen) {
ssh_proto_error(s->ppl.ssh, "Server sent %d-bit RSA key, "
"less than the minimum size %d for %s "
"key exchange", klen, extra->minklen,
s->kex_alg->name);
*aborted = true;
return;
}
int nbits = klen - (2*s->kex_alg->hash->hlen*8 + 49); int nbits = klen - (2*s->kex_alg->hash->hlen*8 + 49);
assert(nbits > 0);
strbuf *buf, *outstr; strbuf *buf, *outstr;
mp_int *tmp = mp_random_bits(nbits - 1); mp_int *tmp = mp_random_bits(nbits - 1);