Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
Apq
/
winscp
spogulis no https://github.com/winscp/winscp.git
1
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Pārlūkot izejas kodu

Bug 1729: Security fixes from PuTTY 0.71 - vuln-rsa-kex-integer-overflow

https://winscp.net/tracker/1729
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rsa-kex-integer-overflow.html
(cherry picked from commit f266907224a1f562a778faec3e81b8381bcf5ead)

Source commit: 75629af6ed1831db7bd3b4a7f6afec1a1c9bdef5
Martin Prikryl 6 gadi atpakaļ
vecāks
c4f4ac95dc
revīzija
270738d0f7
3 mainītis faili ar 19 papildinājumiem un 3 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 11 1
      source/putty/ssh.c
  2. 3 0
      source/putty/ssh.h
  3. 5 2
      source/putty/sshrsa.c

+ 11 - 1
source/putty/ssh.c
Parādīt failu 

@@ -7276,11 +7276,21 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
 
          */

         {

             int klen = ssh_rsakex_klen(s->rsakey);

-            int nbits = klen - (2*ssh->kex->hash->hlen*8 + 49);

+

+            int nbits;

             int i, byte = 0;

             unsigned char *kstr1, *kstr2, *outstr;

             int kstr1len, kstr2len, outstrlen;

 

+            const struct ssh_rsa_kex_extra *extra =

+                (const struct ssh_rsa_kex_extra *)ssh->kex->extra;

+            if (klen < extra->minklen) {

+                bombout(("Server sent RSA key with less bits than the minimum size for key exchange"));

+                crStopV;

+            }

+

+            nbits = klen - (2*ssh->kex->hash->hlen*8 + 49);

+

             s->K = bn_power_2(nbits - 1);

 

             for (i = 0; i < nbits; i++) {

+ 3 - 0
source/putty/ssh.h
Parādīt failu 

@@ -211,6 +211,9 @@ int detect_attack(void *handle, unsigned char *buf, uint32 len,
 
  * SSH2 RSA key exchange functions

  */

 struct ssh_hash;

+struct ssh_rsa_kex_extra {

+    int minklen;

+};

 void *ssh_rsakex_newkey(char *data, int len);

 void ssh_rsakex_freekey(void *key);

 int ssh_rsakex_klen(void *key);

+ 5 - 2
source/putty/sshrsa.c
Parādīt failu 

@@ -1059,12 +1059,15 @@ void ssh_rsakex_encrypt(const struct ssh_hash *h, unsigned char *in, int inlen,
 
      */

 }

 

+static const struct ssh_rsa_kex_extra ssh_rsa_kex_extra_sha1 = { 1024 };

+static const struct ssh_rsa_kex_extra ssh_rsa_kex_extra_sha256 = { 2048 };

+

 static const struct ssh_kex ssh_rsa_kex_sha1 = {

-    "rsa1024-sha1", NULL, KEXTYPE_RSA, &ssh_sha1, NULL,

+    "rsa1024-sha1", NULL, KEXTYPE_RSA, &ssh_sha1, &ssh_rsa_kex_extra_sha1,

 };

 

 static const struct ssh_kex ssh_rsa_kex_sha256 = {

-    "rsa2048-sha256", NULL, KEXTYPE_RSA, &ssh_sha256, NULL,

+    "rsa2048-sha256", NULL, KEXTYPE_RSA, &ssh_sha256, &ssh_rsa_kex_extra_sha256,

 };

 

 static const struct ssh_kex *const rsa_kex_list[] = {