]> andersk Git - openssh.git/commitdiff
- markus@cvs.openbsd.org 2001/03/27 10:57:00
authormouring <mouring>
Thu, 29 Mar 2001 00:32:56 +0000 (00:32 +0000)
committermouring <mouring>
Thu, 29 Mar 2001 00:32:56 +0000 (00:32 +0000)
     [compat.c compat.h ssh-rsa.c]
     some older systems use NID_md5 instead of NID_sha1 for RSASSA-PKCS1-v1_5
     signatures in SSH protocol 2, ok djm@

ChangeLog
compat.c
compat.h
ssh-rsa.c

index f1aa183deea05bce938e3dc1771e421566cf0031..57dba9a8cc7fa870b7c322e161c208257f144d1f 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
    - markus@cvs.openbsd.org 2001/03/27 10:34:08
      [ssh-rsa.c sshd.c]
      use EVP_get_digestbynid, reorder some calls and fix missing free.
+   - markus@cvs.openbsd.org 2001/03/27 10:57:00
+     [compat.c compat.h ssh-rsa.c]
+     some older systems use NID_md5 instead of NID_sha1 for RSASSA-PKCS1-v1_5
+     signatures in SSH protocol 2, ok djm@
 
 20010328
  - (djm) Reorder tests and library inclusion for Krb4/AFS to try to 
index 705121c3a05aac30c97855d31d51d026a0d6aac1..98372e202ff21bdbd5802d756edfc678b9b7fb7b 100644 (file)
--- a/compat.c
+++ b/compat.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.40 2001/03/23 11:04:06 djm Exp $");
+RCSID("$OpenBSD: compat.c,v 1.41 2001/03/27 10:57:00 markus Exp $");
 
 #ifdef HAVE_LIBPCRE
 #  include <pcreposix.h>
@@ -75,18 +75,22 @@ compat_datafellows(const char *version)
                { "^OpenSSH",           0 },
                { "MindTerm",           0 },
                { "^2\\.1\\.0",         SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-                                       SSH_OLD_SESSIONID|SSH_BUG_DEBUG },
+                                       SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
+                                       SSH_BUG_RSASIGMD5 },
                { "^2\\.1 ",            SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-                                       SSH_OLD_SESSIONID|SSH_BUG_DEBUG },
+                                       SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
+                                       SSH_BUG_RSASIGMD5 },
                { "^2\\.0\\.1[3-9]",    SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
                                        SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
                                        SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
-                                       SSH_BUG_PKOK },
+                                       SSH_BUG_PKOK|SSH_BUG_RSASIGMD5 },
                { "^2\\.0\\.",          SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
                                        SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
                                        SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
-                                       SSH_BUG_PKAUTH|SSH_BUG_PKOK },
-               { "^2\\.[23]\\.0",      SSH_BUG_HMAC },
+                                       SSH_BUG_PKAUTH|SSH_BUG_PKOK|
+                                       SSH_BUG_RSASIGMD5 },
+               { "^2\\.[23]\\.0",      SSH_BUG_HMAC|SSH_BUG_RSASIGMD5 },
+               { "^2\\.3\\.",          SSH_BUG_RSASIGMD5 },
                { "^2\\.[2-9]\\.",      0 },
                { "^2\\.4$",            SSH_OLD_SESSIONID },    /* Van Dyke */
                { "^3\\.0 SecureCRT",   SSH_OLD_SESSIONID },
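Review bot: The new `"^2\\.3\\."` entry only takes effect because it sits above the broader `"^2\\.[2-9]\\."` pattern, and nothing in the table says so. The matching loop is outside this hunk, so first-match-wins is inferred from the existing layout. A comment on that line such as `/* keep above "^2\\.[2-9]\\.": 2.3.x peers use MD5 in RSA signatures */` would stop a later reorder from silently dropping the flag. It is also worth confirming that 2.2.x releases other than 2.2.0 really use SHA1, since they fall through to the `0` entry while 2.2.0 and every 2.3.x get SSH_BUG_RSASIGMD5.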
index 707726fa9934ef6a84887067f211997edebaef23..03f236117f31da5c07b6f006aee037f03d2310a3 100644 (file)
--- a/compat.h
+++ b/compat.h
@@ -21,7 +21,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-/* RCSID("$OpenBSD: compat.h,v 1.19 2001/03/23 11:04:06 djm Exp $"); */
+/* RCSID("$OpenBSD: compat.h,v 1.20 2001/03/27 10:57:00 markus Exp $"); */
 
 #ifndef COMPAT_H
 #define COMPAT_H
@@ -44,6 +44,7 @@
 #define SSH_BUG_PASSWORDPAD    0x0400
 #define SSH_BUG_SCANNER                0x0800
 #define SSH_BUG_BIGENDIANAES   0x1000
+#define SSH_BUG_RSASIGMD5      0x2000
 
 void    enable_compat13(void);
 void    enable_compat20(void);
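Review bot: The new define carries no comment, although according to the ssh-rsa.c change in this commit the flag switches the RSA signature digest from SHA1 to MD5. Suggest `#define SSH_BUG_RSASIGMD5 0x2000 /* peer uses MD5, not SHA1, in RSA signatures */` so that anyone auditing the compat bits can see which one selects a weaker digest.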
index a2153bd1ad5ffcfcc1af176cb7e43d6f93a20f41..b502ddb6e0dcf8e2476222da78e5e7f71efde60c 100644 (file)
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-rsa.c,v 1.7 2001/03/27 10:34:08 markus Exp $");
+RCSID("$OpenBSD: ssh-rsa.c,v 1.8 2001/03/27 10:57:00 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -34,6 +34,7 @@ RCSID("$OpenBSD: ssh-rsa.c,v 1.7 2001/03/27 10:34:08 markus Exp $");
 #include "bufaux.h"
 #include "key.h"
 #include "ssh-rsa.h"
+#include "compat.h"
 
 /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
 int
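Review bot: The comment above ssh_rsa_sign still reads "with SHA1", which stops being always true once the digest depends on SSH_BUG_RSASIGMD5. Suggest `/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1, or MD5 for peers flagged SSH_BUG_RSASIGMD5 */`. The function body continues outside this hunk.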
@@ -53,7 +54,7 @@ ssh_rsa_sign(
                error("ssh_rsa_sign: no RSA key");
                return -1;
        }
-       nid = NID_sha1;
+       nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
        if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
                error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
                return -1;
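Review bot: The RSA signature digest is now chosen by `datafellows`, so the fallback to MD5 happens with no log line. The flag appears to be derived from the remote version string by compat_datafellows(), whose signature is visible in the compat.c hunk; the assignment itself is not shown. If so, the peer's banner decides whether MD5 is used. The same expression is repeated in the ssh_rsa_verify hunk below, where it controls which digest an incoming signature is checked against. Suggest recording the downgrade in both places, e.g. `if (nid == NID_md5) debug("ssh_rsa_sign: using MD5 for peer compatibility");` after the assignment, with a comment that this is a deliberate interoperability concession. Both function bodies start and end outside their hunks.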
@@ -147,7 +148,7 @@ ssh_rsa_verify(
                error("ssh_rsa_verify: remaining bytes in signature %d", rlen);
                return -1;
        }
-       nid = NID_sha1;
+       nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
        if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
                xfree(sigblob);
                error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);