[19313] in bugtraq
Re: SSH1 key recovery patch
daemon@ATHENA.MIT.EDU (Johannes Geiger)
Wed Feb 21 12:41:28 2001
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010221104800.C335@mailspies>
Date: Wed, 21 Feb 2001 11:11:29 +0000
Reply-To: Johannes Geiger <geiger@INFORMATIK.TU-MUENCHEN.DE>
From: Johannes Geiger <geiger@INFORMATIK.TU-MUENCHEN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010220124809.G4017@mailspies>; from geiger@sunspies8.informatik.tu-muenchen.de on Tue, Feb 20, 2001 at 12:48:09PM +0100
On Tue, Feb 20, 2001 at 12:48:09PM +0100, Johannes Geiger wrote:
> The following patch is UNTESTED and supplied only to make myself clear.
If anybody is interested: Thomas Themel (thanks) pointed out to me an
error in my patch. In rsaglue.c it should read of course
+ success = (value[0] == 0 && value[1] == 2);
^^^^^
So the complete patch reads:
--- rsaglue.c.orig Tue Feb 20 11:20:21 2001
+++ rsaglue.c Tue Feb 20 11:23:21 2001
@@ -238,11 +238,12 @@
/* Decrypt input using the private key. Output will become a 256 bit value. */
-void rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key)
+int rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key)
{
MP_INT aux;
unsigned int len, i;
unsigned char *value;
+ int success;
rsa_private(output, input, key);
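Review bot: the header comment above the signature ("Decrypt input using the private key. Output will become a 256 bit value.") no longer describes the contract now that the return type is int; add a sentence such as "Returns 1 if the PKCS#1 block type 2 padding was valid, 0 otherwise; output is undefined when 0 is returned" so callers know the result must not be used on failure. Also consider initialising the new variable as `int success = 0;` so it can never reach the return statement unset if an early exit is added to the function later.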
@@ -263,8 +264,7 @@
}
mpz_clear(&aux);
- if (value[0] != 0 || value[1] != 2)
- fatal("Bad result from rsa_private_decrypt");
+ success = (value[0] == 0 && value[1] == 2);
for (i = 2; i < len && value[i]; i++)
;
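Review bot: with fatal() removed, the function keeps running after a failed padding check, so the separator scan `for (i = 2; i < len && value[i]; i++)` and the output computation that follows now operate on a block that is not a valid PKCS#1 type 2 encoding; the value written to output is meaningless in that case, which is only acceptable if every caller tests the returned flag before using output. The scan also exits with i == len when no zero separator byte is present, a case the two-byte check does not cover; success should additionally require that a separator was found (i < len), otherwise a block with correct leading bytes but no separator is reported as valid.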
@@ -272,6 +272,9 @@
xfree(value);
mpz_mod_2exp(output, output, 8 * (len - i - 1));
+
+ return success;
+
}
#endif /* RSAREF */
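Review bot: `mpz_mod_2exp(output, output, 8 * (len - i - 1))` is reached even when the loop in the previous hunk found no separator (i == len); with len and i both declared unsigned int the expression wraps to a very large bit count. Before this patch only blocks that passed the two-byte padding check reached this line, now every decryption does, so either guard the call with `if (success)` or clear success when `i >= len - 1`. The two added blank lines around `return success;` are unnecessary; a single `return success;` line matches the surrounding style.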
--- rsa.h.orig Tue Feb 20 11:38:04 2001
+++ rsa.h Tue Feb 20 12:21:50 2001
@@ -111,6 +111,6 @@
RandomState *state);
/* Performs a private key decrypt operation. */
-void rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key);
+int rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key);
#endif /* RSA_H */
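Review bot: the comment `/* Performs a private key decrypt operation. */` should state the new return value (non-zero on valid padding, zero otherwise), because any caller that still ignores the int result now silently loses the check that fatal() used to enforce inside the function. The patch updates only the two call sites in sshd.c; every other caller of rsa_private_decrypt in the tree needs the same treatment, or the padding check is gone for them.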
--- sshd.c.orig Tue Feb 20 11:20:12 2001
+++ sshd.c Tue Feb 20 12:43:54 2001
@@ -1553,23 +1553,29 @@
larger modulus first). */
if (mpz_cmp(&sensitive_data.private_key.n, &sensitive_data.host_key.n) > 0)
{
+ int rok1, rok2;
/* Private key has bigger modulus. */
assert(sensitive_data.private_key.bits >=
sensitive_data.host_key.bits + SSH_KEY_BITS_RESERVED);
- rsa_private_decrypt(&session_key_int, &session_key_int,
- &sensitive_data.private_key);
- rsa_private_decrypt(&session_key_int, &session_key_int,
- &sensitive_data.host_key);
+ rok1 = rsa_private_decrypt(&session_key_int, &session_key_int,
+ &sensitive_data.private_key);
+ rok2 = rsa_private_decrypt(&session_key_int, &session_key_int,
+ &sensitive_data.host_key);
+ if (!(rok1 && rok2))
+ fatal("Bad result from rsa_private_decrypt");
}
else
{
+ int rok1, rok2;
/* Host key has bigger modulus (or they are equal). */
assert(sensitive_data.host_key.bits >=
sensitive_data.private_key.bits + SSH_KEY_BITS_RESERVED);
- rsa_private_decrypt(&session_key_int, &session_key_int,
- &sensitive_data.host_key);
- rsa_private_decrypt(&session_key_int, &session_key_int,
- &sensitive_data.private_key);
+ rok1 = rsa_private_decrypt(&session_key_int, &session_key_int,
+ &sensitive_data.host_key);
+ rok2 = rsa_private_decrypt(&session_key_int, &session_key_int,
+ &sensitive_data.private_key);
+ if (!(rok1 && rok2))
+ fatal("Bad result from rsa_private_decrypt");
}
/* Compute session id for this session. */
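Review bot: the padding result is still turned into fatal() once both decryptions have run, so the connection is terminated exactly when rok1 or rok2 is false; a peer can therefore still learn whether the padding check passed from whether the server aborts, which is the signal a key-recovery attack against this check depends on. If the intent is to remove that signal rather than only to delay it, consider continuing the protocol with a freshly generated random session key when either flag is false instead of aborting. Minor: `int rok1, rok2;` is declared identically in both branches; declaring it once before the if avoids the duplication.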