d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Patches backported from later development version of OpenSSH which prevent

Browse Source 
(instead of just mitigating through connection limits) the Bleichenbacher
attack which can lead to guessing of the server key (not host key) by
regenerating it when an RSA failure is detected.

Reviewed by:	rwatson
This commit is contained in:
Kris Kennaway 2001-02-12 06:44:51 +00:00
parent f1a87e83ee
commit a09221f83c
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=72397
5 changed files with 53 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
crypto/openssh/rsa.c
View File

@ -161,7 +161,7 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
xfree(inbuf);
}
void
int
rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
{
unsigned char *inbuf, *outbuf;
@ -175,15 +175,16 @@ rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
BN_bn2bin(in, inbuf);
if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key,
RSA_PKCS1_PADDING)) <= 0)
fatal("rsa_private_decrypt() failed.");
BN_bin2bn(outbuf, len, out);
RSA_PKCS1_PADDING)) <= 0) {
error("rsa_private_decrypt() failed");
} else {
BN_bin2bn(outbuf, len, out);
}
memset(outbuf, 0, olen);
memset(inbuf, 0, ilen);
xfree(outbuf);
xfree(inbuf);
return len;
}
/* Set whether to output verbose messages during key generation. */

2
crypto/openssh/rsa.h
View File

@ -32,6 +32,6 @@ void rsa_set_verbose __P((int verbose));
int rsa_alive __P((void));
void rsa_public_encrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
void rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
int rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
#endif /* RSA_H */

3
crypto/openssh/ssh-agent.c
View File

@ -194,7 +194,8 @@ process_authentication_challenge1(SocketEntry *e)
private = lookup_private_key(key, NULL, 1);
if (private != NULL) {
/* Decrypt the challenge using the private key. */
rsa_private_decrypt(challenge, challenge, private->rsa);
if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0)
goto failure;
/* The response is MD5 of decrypted challenge plus session id. */
len = BN_num_bytes(challenge);

9
crypto/openssh/sshconnect1.c
View File

@ -152,14 +152,17 @@ respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
int i, len;
/* Decrypt the challenge using the private key. */
rsa_private_decrypt(challenge, challenge, prv);
/* XXX think about Bleichenbacher, too */
if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
packet_disconnect(
"respond_to_rsa_challenge: rsa_private_decrypt failed");
/* Compute the response. */
/* The response is MD5 of decrypted challenge plus session id. */
len = BN_num_bytes(challenge);
if (len <= 0 || len > sizeof(buf))
packet_disconnect("respond_to_rsa_challenge: bad challenge length %d",
len);
packet_disconnect(
"respond_to_rsa_challenge: bad challenge length %d", len);
memset(buf, 0, sizeof(buf));
BN_bn2bin(challenge, buf + sizeof(buf) - len);

54
crypto/openssh/sshd.c
View File

@ -1108,6 +1108,7 @@ do_ssh1_kex()
{
int i, len;
int plen, slen;
int rsafail = 0;
BIGNUM *session_key_int;
unsigned char session_key[SSH_SESSION_KEY_LENGTH];
unsigned char cookie[8];
@ -1229,7 +1230,7 @@ do_ssh1_kex()
* with larger modulus first).
*/
if (BN_cmp(sensitive_data.private_key->n, sensitive_data.host_key->n) > 0) {
/* Private key has bigger modulus. */
/* Server key has bigger modulus. */
if (BN_num_bits(sensitive_data.private_key->n) <
BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) {
fatal("do_connection: %s: private_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
@ -1238,10 +1239,12 @@ do_ssh1_kex()
BN_num_bits(sensitive_data.host_key->n),
SSH_KEY_BITS_RESERVED);
}
rsa_private_decrypt(session_key_int, session_key_int,
sensitive_data.private_key);
rsa_private_decrypt(session_key_int, session_key_int,
sensitive_data.host_key);
if (rsa_private_decrypt(session_key_int, session_key_int,
sensitive_data.private_key) <= 0)
rsafail++;
if (rsa_private_decrypt(session_key_int, session_key_int,
sensitive_data.host_key) <= 0)
rsafail++;
} else {
/* Host key has bigger modulus (or they are equal). */
if (BN_num_bits(sensitive_data.host_key->n) <
@ -1252,10 +1255,12 @@ do_ssh1_kex()
BN_num_bits(sensitive_data.private_key->n),
SSH_KEY_BITS_RESERVED);
}
rsa_private_decrypt(session_key_int, session_key_int,
sensitive_data.host_key);
rsa_private_decrypt(session_key_int, session_key_int,
sensitive_data.private_key);
if (rsa_private_decrypt(session_key_int, session_key_int,
sensitive_data.host_key) < 0)
rsafail++;
if (rsa_private_decrypt(session_key_int, session_key_int,
sensitive_data.private_key) < 0)
rsafail++;
}
compute_session_id(session_id, cookie,
@ -1270,14 +1275,29 @@ do_ssh1_kex()
* least significant 256 bits of the integer; the first byte of the
* key is in the highest bits.
*/
BN_mask_bits(session_key_int, sizeof(session_key) * 8);
len = BN_num_bytes(session_key_int);
if (len < 0 || len > sizeof(session_key))
fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d",
get_remote_ipaddr(),
len, sizeof(session_key));
memset(session_key, 0, sizeof(session_key));
BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len);
if (!rsafail) {
BN_mask_bits(session_key_int, sizeof(session_key) * 8);
len = BN_num_bytes(session_key_int);
if (len < 0 || len > sizeof(session_key)) {
error("do_connection: bad session key len from %s: "
"session_key_int %d > sizeof(session_key) %d",
get_remote_ipaddr(), len, sizeof(session_key));
rsafail++;
} else {
memset(session_key, 0, sizeof(session_key));
BN_bn2bin(session_key_int,
session_key + sizeof(session_key) - len);
}
}
if (rsafail) {
log("do_connection: generating a fake encryption key");
for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
if (i % 4 == 0)
rand = arc4random();
session_key[i] = rand & 0xff;
rand >>= 8;
}
}
/* Destroy the decrypted integer. It is no longer needed. */
BN_clear_free(session_key_int);