tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-31 01:35:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

- djm@cvs.openbsd.org 2010/09/20 04:50:53

Browse Source 
[jpake.c schnorr.c]
     check that received values are smaller than the group size in the
     disabled and unfinished J-PAKE code.
     avoids catastrophic security failure found by Sebastien Martini
This commit is contained in:
Damien Miller 2010-09-24 22:03:24 +10:00
parent 857b02e37f
commit f7540cd5c4
3 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -15,6 +15,11 @@
- djm@cvs.openbsd.org 2010/09/20 04:41:47 - djm@cvs.openbsd.org 2010/09/20 04:41:47
[ssh.c] [ssh.c]
install a SIGCHLD handler to reap expiried child process; ok markus@ install a SIGCHLD handler to reap expiried child process; ok markus@
- djm@cvs.openbsd.org 2010/09/20 04:50:53
[jpake.c schnorr.c]
check that received values are smaller than the group size in the
disabled and unfinished J-PAKE code.
avoids catastrophic security failure found by Sebastien Martini
20100910 20100910
- (dtucker) [openbsd-compat/port-linux.c] Check is_selinux_enabled for exact - (dtucker) [openbsd-compat/port-linux.c] Check is_selinux_enabled for exact

8
jpake.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: jpake.c,v 1.4 2010/07/13 23:13:16 djm Exp $ */ /* $OpenBSD: jpake.c,v 1.5 2010/09/20 04:50:53 djm Exp $ */
/* /*
* Copyright (c) 2008 Damien Miller. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved.
* *
@ -257,8 +257,12 @@ jpake_step2(struct modp_group *grp, BIGNUM *s,
/* Validate peer's step 1 values */ /* Validate peer's step 1 values */
if (BN_cmp(theirpub1, BN_value_one()) <= 0) if (BN_cmp(theirpub1, BN_value_one()) <= 0)
fatal("%s: theirpub1 <= 1", __func__); fatal("%s: theirpub1 <= 1", __func__);
if (BN_cmp(theirpub1, grp->p) >= 0)
fatal("%s: theirpub1 >= p", __func__);
if (BN_cmp(theirpub2, BN_value_one()) <= 0) if (BN_cmp(theirpub2, BN_value_one()) <= 0)
fatal("%s: theirpub2 <= 1", __func__); fatal("%s: theirpub2 <= 1", __func__);
if (BN_cmp(theirpub2, grp->p) >= 0)
fatal("%s: theirpub2 >= p", __func__);
if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1, if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1,
theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1) theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1)
@ -363,6 +367,8 @@ jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val,
/* Validate step 2 values */ /* Validate step 2 values */
if (BN_cmp(step2_val, BN_value_one()) <= 0) if (BN_cmp(step2_val, BN_value_one()) <= 0)
fatal("%s: step2_val <= 1", __func__); fatal("%s: step2_val <= 1", __func__);
if (BN_cmp(step2_val, grp->p) >= 0)
fatal("%s: step2_val >= p", __func__);
/* /*
* theirpriv2_s_proof is calculated with a different generator: * theirpriv2_s_proof is calculated with a different generator:

10
schnorr.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: schnorr.c,v 1.3 2009/03/05 07:18:19 djm Exp $ */ /* $OpenBSD: schnorr.c,v 1.4 2010/09/20 04:50:53 djm Exp $ */
/* /*
* Copyright (c) 2008 Damien Miller. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved.
* *
@ -138,6 +138,10 @@ schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
error("%s: g_x < 1", __func__); error("%s: g_x < 1", __func__);
return -1; return -1;
} }
if (BN_cmp(g_x, grp_p) >= 0) {
error("%s: g_x > g", __func__);
return -1;
}
h = g_v = r = tmp = v = NULL; h = g_v = r = tmp = v = NULL;
if ((bn_ctx = BN_CTX_new()) == NULL) { if ((bn_ctx = BN_CTX_new()) == NULL) {
@ -264,6 +268,10 @@ schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
error("%s: g_x < 1", __func__); error("%s: g_x < 1", __func__);
return -1; return -1;
} }
if (BN_cmp(g_x, grp_p) >= 0) {
error("%s: g_x >= p", __func__);
return -1;
}
h = g_xh = g_r = expected = NULL; h = g_xh = g_r = expected = NULL;
if ((bn_ctx = BN_CTX_new()) == NULL) { if ((bn_ctx = BN_CTX_new()) == NULL) {