diff options
| author | Damien Miller <djm@mindrot.org> | 2010-08-03 16:04:03 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-08-03 16:04:03 +1000 |
| commit | 4e8285e31248f7306e4b1d299d186b277c69d00f (patch) | |
| tree | a125cd04039373a4bcd802132ce381e99011f92f | |
| parent | 844cccfc1ae3bde48aa481bb8522d482fc8e7a0e (diff) | |
- djm@cvs.openbsd.org 2010/07/16 14:07:35
[ssh-rsa.c]
more timing paranoia - compare all parts of the expected decrypted
data before returning. AFAIK not exploitable in the SSH protocol.
"groovy" deraadt@
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | ssh-rsa.c | 10 |
2 files changed, 11 insertions, 4 deletions
| @@ -6,6 +6,11 @@ | |||
| 6 | - djm@cvs.openbsd.org 2010/07/16 04:45:30 | 6 | - djm@cvs.openbsd.org 2010/07/16 04:45:30 |
| 7 | [ssh-keygen.c] | 7 | [ssh-keygen.c] |
| 8 | avoid bogus compiler warning | 8 | avoid bogus compiler warning |
| 9 | - djm@cvs.openbsd.org 2010/07/16 14:07:35 | ||
| 10 | [ssh-rsa.c] | ||
| 11 | more timing paranoia - compare all parts of the expected decrypted | ||
| 12 | data before returning. AFAIK not exploitable in the SSH protocol. | ||
| 13 | "groovy" deraadt@ | ||
| 9 | 14 | ||
| 10 | 20100819 | 15 | 20100819 |
| 11 | - (dtucker) [contrib/ssh-copy-ud.1] Bug #1786: update ssh-copy-id.1 with more | 16 | - (dtucker) [contrib/ssh-copy-ud.1] Bug #1786: update ssh-copy-id.1 with more |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-rsa.c,v 1.43 2010/07/13 23:13:16 djm Exp $ */ | 1 | /* $OpenBSD: ssh-rsa.c,v 1.44 2010/07/16 14:07:35 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org> | 3 | * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org> |
| 4 | * | 4 | * |
| @@ -211,7 +211,7 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen, | |||
| 211 | u_char *sigbuf, u_int siglen, RSA *rsa) | 211 | u_char *sigbuf, u_int siglen, RSA *rsa) |
| 212 | { | 212 | { |
| 213 | u_int ret, rsasize, oidlen = 0, hlen = 0; | 213 | u_int ret, rsasize, oidlen = 0, hlen = 0; |
| 214 | int len; | 214 | int len, oidmatch, hashmatch; |
| 215 | const u_char *oid = NULL; | 215 | const u_char *oid = NULL; |
| 216 | u_char *decrypted = NULL; | 216 | u_char *decrypted = NULL; |
| 217 | 217 | ||
| @@ -250,11 +250,13 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen, | |||
| 250 | error("bad decrypted len: %d != %d + %d", len, hlen, oidlen); | 250 | error("bad decrypted len: %d != %d + %d", len, hlen, oidlen); |
| 251 | goto done; | 251 | goto done; |
| 252 | } | 252 | } |
| 253 | if (timingsafe_bcmp(decrypted, oid, oidlen) != 0) { | 253 | oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0; |
| 254 | hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0; | ||
| 255 | if (!oidmatch) { | ||
| 254 | error("oid mismatch"); | 256 | error("oid mismatch"); |
| 255 | goto done; | 257 | goto done; |
| 256 | } | 258 | } |
| 257 | if (timingsafe_bcmp(decrypted + oidlen, hash, hlen) != 0) { | 259 | if (!hashmatch) { |
| 258 | error("hash mismatch"); | 260 | error("hash mismatch"); |
| 259 | goto done; | 261 | goto done; |
| 260 | } | 262 | } |