- markus@cvs.openbsd.org 2002/07/03 09:55:38

     [ssh-keysign.c]
     use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
     in order to avoid a possible Kocher timing attack pointed out by Charles
     Hannum; ok provos@

1 files changed, 14 insertions, 1 deletions

diff --git a/ssh-keysign.c b/ssh-keysign.c
index 6a435684b..bed2b9874 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -22,9 +22,11 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.5 2002/06/26 22:27:32 markus Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.6 2002/07/03 09:55:38 markus Exp $");
 
 #include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
 
 #include "log.h"
 #include "key.h"
@@ -140,6 +142,7 @@ main(int argc, char **argv)
         u_char *signature, *data;
         char *host;
         u_int slen, dlen;
+        u_int32_t rnd[256];
 
         key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
         key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
@@ -163,6 +166,9 @@ main(int argc, char **argv)
         pw = pwcopy(pw);
 
         SSLeay_add_all_algorithms();
+        for (i = 0; i < 256; i++)
+                rnd[i] = arc4random();
+        RAND_seed(rnd, sizeof(rnd));
 
         found = 0;
         for (i = 0; i < 2; i++) {
@@ -172,6 +178,13 @@ main(int argc, char **argv)
                 keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC,
                     NULL, NULL);
                 close(key_fd[i]);
+                if (keys[i] != NULL && keys[i]->type == KEY_RSA) {
+                        if (RSA_blinding_on(keys[i]->rsa, NULL) != 1) {
+                                error("RSA_blinding_on failed");
+                                key_free(keys[i]);
+                                keys[i] = NULL;
+                        }
+                }
                 if (keys[i] != NULL)
                         found = 1;
         }