From 1cb926bf361f38df8741f4494c63a0de3f2d3ae8 Mon Sep 17 00:00:00 2001
From: Tim Kosse <tim.kosse@filezilla-project.org>
Date: Fri, 21 Aug 2015 23:39:08 +0200
Subject: [PATCH] * Fix key computation if the combination of cipher and
kex-hash requires more than 2 iterations
Until now, PuTTY assumed key computation (RFC 4253 section 7.2) requires at most 2 iterations. This patch increases the limit to 4 iterations as is needed for chacha20-poly1305@openssh.com with diffie-hellman-group-exchange-sha1: ceil(512/160)==4.
This can be reproduced connecting to a recent OpenSSH using the following two lines in /etc/sshd_config:
Ciphers=chacha20-poly1305@openssh.com
KexAlgorithms=diffie-hellman-group-exchange-sha1
This bug was originally reported at https://trac.filezilla-project.org/ticket/10633
---
ssh.c | 38 +++++++++++++++++++++++++++++---------
1 file changed, 29 insertions(+), 9 deletions(-)
diff --git a/ssh.c b/ssh.c
index 79c6ebf..b5be767 100644
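--- a/ssh.c
+++ b/ssh.c
@@ -6128,15 +6128,37 @@ static void ssh2_pkt_addstring_commasep(struct Packet *pkt, const char *data)
 
 /*
 * SSH-2 key creation method.
-* (Currently assumes 2 lots of any hash are sufficient to generate
+* (Currently assumes 4 lots of any hash are sufficient to generate
 * keys/IVs for any cipher/MAC. SSH2_MKKEY_ITERS documents this assumption.)
+*
+* Example: chacha20-poly1305@openssh.com with diffie-hellman-group-exchange-sha1 requires ceil(512/160)==4 lots
 */
-#define SSH2_MKKEY_ITERS (2)
+#define SSH2_MKKEY_ITERS (4)
+
+static void ssh2_mkkey_iteration(Ssh ssh, Bignum K, unsigned char *H,
+unsigned char *keyspace, int iteration)
+{
+const struct ssh_hash *h = ssh->kex->hash;
+void *s;
+int i;
+s = h->init();
+if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
+hash_mpint(h, s, K);
+h->bytes(s, H, h->hlen);
+for (i = 0; i < iteration; ++i) {
+h->bytes(s, keyspace + i * h->hlen, h->hlen);
+}
+h->final(s, keyspace + i * h->hlen);
+}
+
 static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr,
 unsigned char *keyspace)
 {
+/* See RFC 4253 section 7.2 for key computation. */
 const struct ssh_hash *h = ssh->kex->hash;
 void *s;
+int i;
+
 /* First hlen bytes. */
 s = h->init();
 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
@@ -6145,13 +6167,11 @@ static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr,
 h->bytes(s, &chr, 1);
 h->bytes(s, ssh->v2_session_id, ssh->v2_session_id_len);
 h->final(s, keyspace);
-/* Next hlen bytes. */
-s = h->init();
-if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
-hash_mpint(h, s, K);
-h->bytes(s, H, h->hlen);
-h->bytes(s, keyspace, h->hlen);
-h->final(s, keyspace + h->hlen);
+
+/* The remaining iterations */
+for (i = 1; i <= SSH2_MKKEY_ITERS; ++i) {
+ssh2_mkkey_iteration(ssh, K, H, keyspace, i);
+}
 }
 
 /*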
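Review bot: The loop `for (i = 1; i <= SSH2_MKKEY_ITERS; ++i)` in ssh2_mkkey runs four further iterations after the first block, so five hlen-sized blocks are written into keyspace (the last `h->final` lands at `keyspace + 4 * h->hlen`), while the comment and SSH2_MKKEY_ITERS document four lots in total. The callers' keyspace buffers are not visible on this page; if they are sized from SSH2_MKKEY_ITERS times the hash length, the final iteration would write one digest past the end when the largest supported hash is in use. I would change the bound to `for (i = 1; i < SSH2_MKKEY_ITERS; ++i) {`, which still yields the four lots the chacha20-poly1305 example needs. A comment on ssh2_mkkey_iteration such as `/* Writes block (iteration+1) at keyspace + iteration*hlen; caller must provide (iteration+1)*hlen bytes. */` would make the buffer contract explicit. Part of ssh2_mkkey's body is elided between the two hunks.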