3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
210 lines
7.1 KiB
Diff
210 lines
7.1 KiB
Diff
Index: deattack.c
|
|
===================================================================
|
|
RCS file: /usr2/ncvs/src/crypto/openssh/deattack.c,v
|
|
retrieving revision 1.1.1.1.2.1
|
|
diff -u -r1.1.1.1.2.1 deattack.c
|
|
--- deattack.c 2000/10/28 23:00:48 1.1.1.1.2.1
|
|
+++ deattack.c 2001/02/13 00:28:07
|
|
@@ -85,7 +85,7 @@
|
|
detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
|
|
{
|
|
static u_int16_t *h = (u_int16_t *) NULL;
|
|
- static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
|
|
+ static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
|
|
register u_int32_t i, j;
|
|
u_int32_t l;
|
|
register unsigned char *c;
|
|
Index: rsa.c
|
|
===================================================================
|
|
RCS file: /usr2/ncvs/src/crypto/openssh/rsa.c,v
|
|
retrieving revision 1.1.1.1.2.4
|
|
diff -u -r1.1.1.1.2.4 rsa.c
|
|
--- rsa.c 2000/10/28 23:00:49 1.1.1.1.2.4
|
|
+++ rsa.c 2001/02/13 00:28:47
|
|
@@ -161,7 +161,7 @@
|
|
xfree(inbuf);
|
|
}
|
|
|
|
-void
|
|
+int
|
|
rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
|
|
{
|
|
unsigned char *inbuf, *outbuf;
|
|
@@ -175,15 +175,16 @@
|
|
BN_bn2bin(in, inbuf);
|
|
|
|
if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key,
|
|
- RSA_PKCS1_PADDING)) <= 0)
|
|
- fatal("rsa_private_decrypt() failed.");
|
|
-
|
|
- BN_bin2bn(outbuf, len, out);
|
|
-
|
|
+ RSA_PKCS1_PADDING)) <= 0) {
|
|
+ error("rsa_private_decrypt() failed");
|
|
+ } else {
|
|
+ BN_bin2bn(outbuf, len, out);
|
|
+ }
|
|
memset(outbuf, 0, olen);
|
|
memset(inbuf, 0, ilen);
|
|
xfree(outbuf);
|
|
xfree(inbuf);
|
|
+ return len;
|
|
}
|
|
|
|
/* Set whether to output verbose messages during key generation. */
|
|
Index: rsa.h
|
|
===================================================================
|
|
RCS file: /usr2/ncvs/src/crypto/openssh/rsa.h,v
|
|
retrieving revision 1.2.2.2
|
|
diff -u -r1.2.2.2 rsa.h
|
|
--- rsa.h 2000/10/28 23:00:49 1.2.2.2
|
|
+++ rsa.h 2001/02/13 00:28:09
|
|
@@ -32,6 +32,6 @@
|
|
int rsa_alive __P((void));
|
|
|
|
void rsa_public_encrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
|
|
-void rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
|
|
+int rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
|
|
|
|
#endif /* RSA_H */
|
|
Index: ssh-agent.c
|
|
===================================================================
|
|
RCS file: /usr2/ncvs/src/crypto/openssh/ssh-agent.c,v
|
|
retrieving revision 1.2.2.3
|
|
diff -u -r1.2.2.3 ssh-agent.c
|
|
--- ssh-agent.c 2000/10/28 23:00:49 1.2.2.3
|
|
+++ ssh-agent.c 2001/02/13 00:28:09
|
|
@@ -191,7 +191,8 @@
|
|
private = lookup_private_key(key, NULL, 1);
|
|
if (private != NULL) {
|
|
/* Decrypt the challenge using the private key. */
|
|
- rsa_private_decrypt(challenge, challenge, private->rsa);
|
|
+ if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0)
|
|
+ goto failure;
|
|
|
|
/* The response is MD5 of decrypted challenge plus session id. */
|
|
len = BN_num_bytes(challenge);
|
|
Index: sshconnect1.c
|
|
===================================================================
|
|
RCS file: /usr2/ncvs/src/crypto/openssh/sshconnect1.c,v
|
|
retrieving revision 1.2.2.2
|
|
diff -u -r1.2.2.2 sshconnect1.c
|
|
--- sshconnect1.c 2000/10/28 23:00:51 1.2.2.2
|
|
+++ sshconnect1.c 2001/02/13 00:28:09
|
|
@@ -153,14 +153,17 @@
|
|
int i, len;
|
|
|
|
/* Decrypt the challenge using the private key. */
|
|
- rsa_private_decrypt(challenge, challenge, prv);
|
|
+ /* XXX think about Bleichenbacher, too */
|
|
+ if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
|
|
+ packet_disconnect(
|
|
+ "respond_to_rsa_challenge: rsa_private_decrypt failed");
|
|
|
|
/* Compute the response. */
|
|
/* The response is MD5 of decrypted challenge plus session id. */
|
|
len = BN_num_bytes(challenge);
|
|
if (len <= 0 || len > sizeof(buf))
|
|
- packet_disconnect("respond_to_rsa_challenge: bad challenge length %d",
|
|
- len);
|
|
+ packet_disconnect(
|
|
+ "respond_to_rsa_challenge: bad challenge length %d", len);
|
|
|
|
memset(buf, 0, sizeof(buf));
|
|
BN_bn2bin(challenge, buf + sizeof(buf) - len);
|
|
Index: sshd.c
|
|
===================================================================
|
|
RCS file: /usr2/ncvs/src/crypto/openssh/sshd.c,v
|
|
retrieving revision 1.6.2.3
|
|
diff -u -r1.6.2.3 sshd.c
|
|
--- sshd.c 2000/10/28 23:00:51 1.6.2.3
|
|
+++ sshd.c 2001/02/13 00:28:09
|
|
@@ -1149,6 +1149,7 @@
|
|
{
|
|
int i, len;
|
|
int plen, slen;
|
|
+ int rsafail = 0;
|
|
BIGNUM *session_key_int;
|
|
unsigned char session_key[SSH_SESSION_KEY_LENGTH];
|
|
unsigned char cookie[8];
|
|
@@ -1270,7 +1271,7 @@
|
|
* with larger modulus first).
|
|
*/
|
|
if (BN_cmp(sensitive_data.private_key->n, sensitive_data.host_key->n) > 0) {
|
|
- /* Private key has bigger modulus. */
|
|
+ /* Server key has bigger modulus. */
|
|
if (BN_num_bits(sensitive_data.private_key->n) <
|
|
BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) {
|
|
fatal("do_connection: %s: private_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
|
|
@@ -1279,10 +1280,12 @@
|
|
BN_num_bits(sensitive_data.host_key->n),
|
|
SSH_KEY_BITS_RESERVED);
|
|
}
|
|
- rsa_private_decrypt(session_key_int, session_key_int,
|
|
- sensitive_data.private_key);
|
|
- rsa_private_decrypt(session_key_int, session_key_int,
|
|
- sensitive_data.host_key);
|
|
+ if (rsa_private_decrypt(session_key_int, session_key_int,
|
|
+ sensitive_data.private_key) <= 0)
|
|
+ rsafail++;
|
|
+ if (rsa_private_decrypt(session_key_int, session_key_int,
|
|
+ sensitive_data.host_key) <= 0)
|
|
+ rsafail++;
|
|
} else {
|
|
/* Host key has bigger modulus (or they are equal). */
|
|
if (BN_num_bits(sensitive_data.host_key->n) <
|
|
@@ -1293,10 +1296,12 @@
|
|
BN_num_bits(sensitive_data.private_key->n),
|
|
SSH_KEY_BITS_RESERVED);
|
|
}
|
|
- rsa_private_decrypt(session_key_int, session_key_int,
|
|
- sensitive_data.host_key);
|
|
- rsa_private_decrypt(session_key_int, session_key_int,
|
|
- sensitive_data.private_key);
|
|
+ if (rsa_private_decrypt(session_key_int, session_key_int,
|
|
+ sensitive_data.host_key) < 0)
|
|
+ rsafail++;
|
|
+ if (rsa_private_decrypt(session_key_int, session_key_int,
|
|
+ sensitive_data.private_key) < 0)
|
|
+ rsafail++;
|
|
}
|
|
|
|
compute_session_id(session_id, cookie,
|
|
@@ -1311,14 +1316,29 @@
|
|
* least significant 256 bits of the integer; the first byte of the
|
|
* key is in the highest bits.
|
|
*/
|
|
- BN_mask_bits(session_key_int, sizeof(session_key) * 8);
|
|
- len = BN_num_bytes(session_key_int);
|
|
- if (len < 0 || len > sizeof(session_key))
|
|
- fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d",
|
|
- get_remote_ipaddr(),
|
|
- len, sizeof(session_key));
|
|
- memset(session_key, 0, sizeof(session_key));
|
|
- BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len);
|
|
+ if (!rsafail) {
|
|
+ BN_mask_bits(session_key_int, sizeof(session_key) * 8);
|
|
+ len = BN_num_bytes(session_key_int);
|
|
+ if (len < 0 || len > sizeof(session_key)) {
|
|
+ error("do_connection: bad session key len from %s: "
|
|
+ "session_key_int %d > sizeof(session_key) %d",
|
|
+ get_remote_ipaddr(), len, sizeof(session_key));
|
|
+ rsafail++;
|
|
+ } else {
|
|
+ memset(session_key, 0, sizeof(session_key));
|
|
+ BN_bn2bin(session_key_int,
|
|
+ session_key + sizeof(session_key) - len);
|
|
+ }
|
|
+ }
|
|
+ if (rsafail) {
|
|
+ log("do_connection: generating a fake encryption key");
|
|
+ for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
|
|
+ if (i % 4 == 0)
|
|
+ rand = arc4random();
|
|
+ session_key[i] = rand & 0xff;
|
|
+ rand >>= 8;
|
|
+ }
|
|
+ }
|
|
|
|
/* Destroy the decrypted integer. It is no longer needed. */
|
|
BN_clear_free(session_key_int);
|