1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00

RSA kex: enforce the minimum key length.

I completely forgot to check that the server had actually sent a key
of at least MINKLEN bits, as RFC 4432 clearly says that it MUST.
Without this restriction, not only can a server trick the client into
using a shared secret with inadequate entropy, but it can send a key
so short that the client attempts to generate a secret integer of
negative length, with integer-overflowing results.
This commit is contained in:
Simon Tatham 2019-02-07 20:04:17 +00:00
parent 5c926d9ea4
commit d828549995

View File

@ -554,7 +554,21 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
*/
{
int klen = ssh_rsakex_klen(s->rsa_kex_key);
const struct ssh_rsa_kex_extra *extra =
(const struct ssh_rsa_kex_extra *)s->kex_alg->extra;
if (klen < extra->minklen) {
ssh_proto_error(s->ppl.ssh, "Server sent %d-bit RSA key, "
"less than the minimum size %d for %s "
"key exchange", klen, extra->minklen,
s->kex_alg->name);
*aborted = true;
return;
}
int nbits = klen - (2*s->kex_alg->hash->hlen*8 + 49);
assert(nbits > 0);
strbuf *buf, *outstr;
mp_int *tmp = mp_random_bits(nbits - 1);