From: mouring
Date: Thu, 4 Jul 2002 00:17:33 +0000 (+0000)
Subject: - markus@cvs.openbsd.org 2002/07/03 09:55:38
X-Git-Tag: V_3_5_P1~171
X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/commitdiff_plain/261189cc55581b8e2c45ea31c97dc4346d3dc1f7

- markus@cvs.openbsd.org 2002/07/03 09:55:38
[ssh-keysign.c]
use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
in order to avoid a possible Kocher timing attack pointed out by Charles
Hannum; ok provos@
---
diff --git a/ChangeLog b/ChangeLog
index 4c26d664..2f9b6731 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -45,6 +45,11 @@
 [sshconnect2.c]
 for compression=yes, we fallback to no-compression if the server does not support compression, vice versa for compression=no. ok mouring@
+ - markus@cvs.openbsd.org 2002/07/03 09:55:38
+ [ssh-keysign.c]
+ use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
+ in order to avoid a possible Kocher timing attack pointed out by Charles
+ Hannum; ok provos@
 20020702
 - (djm) Use PAM_MSG_MEMBER for PAM_TEXT_INFO messages, use xmalloc &
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 6a435684..bed2b987 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -22,9 +22,11 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.5 2002/06/26 22:27:32 markus Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.6 2002/07/03 09:55:38 markus Exp $");
 #include
+#include
+#include
 #include "log.h"
 #include "key.h"
@@ -140,6 +142,7 @@ main(int argc, char **argv)
 u_char *signature, *data;
 char *host;
 u_int slen, dlen;
+ u_int32_t rnd[256];
 key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
 key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
@@ -163,6 +166,9 @@ main(int argc, char **argv)
 pw = pwcopy(pw);
 SSLeay_add_all_algorithms();
+ for (i = 0; i < 256; i++)
+ rnd[i] = arc4random();
+ RAND_seed(rnd, sizeof(rnd));
 found = 0;
 for (i = 0; i < 2; i++) {
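Review bot: The seed buffer `rnd` (declared in the -140,6 hunk) is never cleared after `RAND_seed(rnd, sizeof(rnd));`, so 1 KiB of the material that seeds the RNG later used for RSA blinding stays on main's stack for the rest of the process; I would add `memset(rnd, 0, sizeof(rnd));` directly after the call, which as far as I recall is how the tree's other seeding code treats its buffer. The loop bound `256` repeats the array length from the declaration by hand; `for (i = 0; i < (int)(sizeof(rnd) / sizeof(rnd[0])); i++)` keeps the two from drifting apart (the cast assumes `i` is an `int`, which is declared outside these hunks). Neither the declaration of `i` nor the rest of main() is visible in these hunks.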
@@ -172,6 +178,13 @@ main(int argc, char **argv)
 keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC, NULL, NULL);
 close(key_fd[i]);
+ if (keys[i] != NULL && keys[i]->type == KEY_RSA) {
+ if (RSA_blinding_on(keys[i]->rsa, NULL) != 1) {
+ error("RSA_blinding_on failed");
+ key_free(keys[i]);
+ keys[i] = NULL;
+ }
+ }
 if (keys[i] != NULL)
 found = 1;
 }
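Review bot: The new RSA_blinding_on() block has no comment saying why blinding is required here, and a later reader will not see the reason in the code: as I understand it the data ssh-keysign signs is partly chosen by the remote side, so an unblinded private RSA operation leaks timing information about the host key. I would put `/* blinding: the data we sign is peer-influenced; an unblinded RSA private op leaks timing (Kocher) */` above the outer `if`. The failure handling itself reads correctly — a failed RSA_blinding_on() drops the RSA key instead of signing unblinded, and the DSA key in the other slot can still satisfy `found` — but the only trace of that degradation is the error() log line, which is worth a comment of its own so nobody later "fixes" the key_free() away. The enclosing for loop and main() begin before this hunk.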