
Re: SSH1 key recovery patch


From: Johannes Geiger <geiger () INFORMATIK TU-MUENCHEN DE>
Date: Wed, 21 Feb 2001 11:11:29 +0000

On Tue, Feb 20, 2001 at 12:48:09PM +0100, Johannes Geiger wrote:
The following patch is UNTESTED and supplied only to make myself clear.

If anybody is interested: Thomas Themel (thanks) pointed out to me an
error in my patch. In rsaglue.c it should, of course, read

+  success = (value[0] == 0 && value[1] == 2);
         ^^^^^


So the complete patch reads:

--- rsaglue.c.orig      Tue Feb 20 11:20:21 2001
+++ rsaglue.c   Tue Feb 20 11:23:21 2001
@@ -238,11 +238,12 @@

 /* Decrypt input using the private key.  Output will become a 256 bit value. */

-void rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key)
+int rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key)
 {
   MP_INT aux;
   unsigned int len, i;
   unsigned char *value;
+  int success;

   rsa_private(output, input, key);

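Review bot: The comment above the new `int` signature still describes only the output and says nothing about what the return value means, so a caller of rsa_private_decrypt cannot tell whether non-zero signals success or failure without reading the body. Extending it to `/* Decrypt input using the private key.  Output will become a 256 bit value. Returns non-zero if the leading 00 02 padding bytes were present, 0 otherwise; output is not meaningful when 0 is returned. */` would settle that, and the prototype comment in rsa.h should carry the same sentence. If the RSAREF side of this file has its own rsa_private_decrypt (the `#endif /* RSAREF */` closing the last rsaglue.c hunk suggests a conditional build), it needs the same return-type change to match the new rsa.h prototype. The body of rsa_private_decrypt continues past this hunk.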
@@ -263,8 +264,7 @@
     }
   mpz_clear(&aux);

-  if (value[0] != 0 || value[1] != 2)
-    fatal("Bad result from rsa_private_decrypt");
+  success = (value[0] == 0 && value[1] == 2);

   for (i = 2; i < len && value[i]; i++)
     ;
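Review bot: `success` is derived from value[0] and value[1] only, but the scan on the following `for` line is part of validating the block as well: when no terminating zero byte is found it exits with `i == len`, and that case is not reflected in `success`, so the function reports success for a block with no terminator. In the third rsaglue.c hunk `mpz_mod_2exp(output, output, 8 * (len - i - 1))` is then evaluated with `len - i - 1` wrapping in unsigned arithmetic. Folding the missing-terminator case into the result, `if (i >= len) success = 0;` placed right after the loop, keeps the return value consistent with what the old fatal() check protected and costs one line. rsa_private_decrypt continues outside this hunk on both sides.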
@@ -272,6 +272,9 @@
   xfree(value);

   mpz_mod_2exp(output, output, 8 * (len - i - 1));
+
+  return success;
+
 }

 #endif /* RSAREF */
--- rsa.h.orig  Tue Feb 20 11:38:04 2001
+++ rsa.h       Tue Feb 20 12:21:50 2001
@@ -111,6 +111,6 @@
                         RandomState *state);

 /* Performs a private key decrypt operation. */
-void rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key);
+int rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key);

 #endif /* RSA_H */
--- sshd.c.orig Tue Feb 20 11:20:12 2001
+++ sshd.c      Tue Feb 20 12:43:54 2001
@@ -1553,23 +1553,29 @@
      larger modulus first). */
   if (mpz_cmp(&sensitive_data.private_key.n, &sensitive_data.host_key.n) > 0)
     {
+      int rok1, rok2;
       /* Private key has bigger modulus. */
       assert(sensitive_data.private_key.bits >=
              sensitive_data.host_key.bits + SSH_KEY_BITS_RESERVED);
-      rsa_private_decrypt(&session_key_int, &session_key_int,
-                          &sensitive_data.private_key);
-      rsa_private_decrypt(&session_key_int, &session_key_int,
-                          &sensitive_data.host_key);
+      rok1 = rsa_private_decrypt(&session_key_int, &session_key_int,
+                                &sensitive_data.private_key);
+      rok2 = rsa_private_decrypt(&session_key_int, &session_key_int,
+                                &sensitive_data.host_key);
+      if (!(rok1 && rok2))
+       fatal("Bad result from rsa_private_decrypt");
     }
   else
     {
+      int rok1, rok2;
       /* Host key has bigger modulus (or they are equal). */
       assert(sensitive_data.host_key.bits >=
              sensitive_data.private_key.bits + SSH_KEY_BITS_RESERVED);
-      rsa_private_decrypt(&session_key_int, &session_key_int,
-                          &sensitive_data.host_key);
-      rsa_private_decrypt(&session_key_int, &session_key_int,
-                          &sensitive_data.private_key);
+      rok1 = rsa_private_decrypt(&session_key_int, &session_key_int,
+                                &sensitive_data.host_key);
+      rok2 = rsa_private_decrypt(&session_key_int, &session_key_int,
+                                &sensitive_data.private_key);
+      if (!(rok1 && rok2))
+       fatal("Bad result from rsa_private_decrypt");
     }

   /* Compute session id for this session. */
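Review bot: Both branches still end in `fatal("Bad result from rsa_private_decrypt")` when either decryption reports bad padding, so whether the connection survives this point continues to depend on the outcome of the padding check; moving the abort to after the second rsa_private_decrypt call changes when it happens, not whether it is observable. The countermeasure generally used for this class of problem is to not abort here at all: when rok1 or rok2 is 0, overwrite session_key_int with a freshly generated random value and carry on with the key exchange, so that the observable behaviour no longer depends on the padding check and the connection fails later for lack of a shared key. Independently of that, the two branches now repeat the same six lines with only the key order swapped; a small static helper taking the two keys in order would remove the duplication, and `if (!rok1 || !rok2)` reads more directly than `if (!(rok1 && rok2))`. The enclosing function continues beyond this hunk on both sides.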

