Ticket #10633: 0001-Fix-key-computation-if-the-combination-of-cipher-and.patch

File 0001-Fix-key-computation-if-the-combination-of-cipher-and.patch, 2.9 KB (added by Tim Kosse, 6 years ago)

Patch submitted upstream

  • ssh.c

    From 1cb926bf361f38df8741f4494c63a0de3f2d3ae8 Mon Sep 17 00:00:00 2001
    From: Tim Kosse <tim.kosse@filezilla-project.org>
    Date: Fri, 21 Aug 2015 23:39:08 +0200
    Subject: [PATCH] * Fix key computation if the combination of cipher and
     kex-hash requires more than 2 iterations
    
    Until now, PuTTY assumed key computation (RFC 4253 section 7.2) requires at most 2 iterations. This patch increases the limit to 4 iterations as is needed for chacha20-poly1305@openssh.com with diffie-hellman-group-exchange-sha1: ceil(512/160)==4.
    
    This can be reproduced connecting to a recent OpenSSH using the following two lines in /etc/sshd_config:
    Ciphers=chacha20-poly1305@openssh.com
    KexAlgorithms=diffie-hellman-group-exchange-sha1
    
    This bug has originally been reported at https://trac.filezilla-project.org/ticket/10633
    ---
     ssh.c | 38 +++++++++++++++++++++++++++++---------
     1 file changed, 29 insertions(+), 9 deletions(-)
    
    diff --git a/ssh.c b/ssh.c
    index 79c6ebf..b5be767 100644
    a b static void ssh2_pkt_addstring_commasep(struct Packet *pkt, const char *data)  
    61286128
    61296129/*
    61306130 * SSH-2 key creation method.
    6131  * (Currently assumes 2 lots of any hash are sufficient to generate
     6131 * (Currently assumes 4 lots of any hash are sufficient to generate
    61326132 * keys/IVs for any cipher/MAC. SSH2_MKKEY_ITERS documents this assumption.)
     6133 *
     6134 * Example: chacha20-poly1305@openssh.com with diffie-hellman-group-exchange-sha1 requires ceil(512/160)==4 lots
    61336135 */
    6134 #define SSH2_MKKEY_ITERS (2)
     6136#define SSH2_MKKEY_ITERS (4)
     6137
     6138static void ssh2_mkkey_iteration(Ssh ssh, Bignum K, unsigned char *H,
     6139                                 unsigned char *keyspace, int iteration)
     6140{
     6141    const struct ssh_hash *h = ssh->kex->hash;
     6142    void *s;
     6143    int i;
     6144    s = h->init();
     6145    if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
     6146    hash_mpint(h, s, K);
     6147    h->bytes(s, H, h->hlen);
     6148    for (i = 0; i < iteration; ++i) {
     6149    h->bytes(s, keyspace + i * h->hlen, h->hlen);
     6150    }
     6151    h->final(s, keyspace + i * h->hlen);
     6152}
     6153
    61356154static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr,
    61366155               unsigned char *keyspace)
    61376156{
     6157    /* See RFC 4253 section 7.2 for key computation. */
    61386158    const struct ssh_hash *h = ssh->kex->hash;
    61396159    void *s;
     6160    int i;
     6161
    61406162    /* First hlen bytes. */
    61416163    s = h->init();
    61426164    if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
    static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr,  
    61456167    h->bytes(s, &chr, 1);
    61466168    h->bytes(s, ssh->v2_session_id, ssh->v2_session_id_len);
    61476169    h->final(s, keyspace);
    6148     /* Next hlen bytes. */
    6149     s = h->init();
    6150     if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
    6151     hash_mpint(h, s, K);
    6152     h->bytes(s, H, h->hlen);
    6153     h->bytes(s, keyspace, h->hlen);
    6154     h->final(s, keyspace + h->hlen);
     6170
     6171    /* The remaining iterations */
     6172    for (i = 1; i <= SSH2_MKKEY_ITERS; ++i) {
     6173    ssh2_mkkey_iteration(ssh, K, H, keyspace, i);
     6174    }
    61556175}
    61566176
    61576177/*