On 22 Dec 1998, Niels Möller wrote:

> Balazs Scheidler <[EMAIL PROTECTED]> writes:
> 
> > Niels advised me to check both key-set functions (in ssh2 and lshd). The
> > funny thing is that the client side (ssh2) uses a key with all zeroes:
> > 
> > Breakpoint 1, arcfour_init (context=0x80d3b38, key=0x80c0774 "", keylen=16,
> >     for_encryption=0) at arcfour.c:34
> > 34        ArcfourContext *ctx = context;
> > (gdb) x/16xb key
> > 0x80c0774:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
> > 0x80c077c:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
> > 
> > strange, isn't it?
> 
> Ooops. Definitely strange. Could you check if there are any more calls
> to arcfour_init; there should be at least two, for the receive and
> send streams. There could well be more than two calls, if arcfour is
> used to generate pseudorandom padding or something like that.

yes, it's called twice, and everything is zero at each invocation.

> 
> Backtraces from the calls to arcfour_init may also give some more
> clues about what sshd2 is doing. 

here's the backtrace:

Breakpoint 1, arcfour_init (context=0x80ce518, key=0x80c0708 "", keylen=16, 
    for_encryption=1) at arcfour.c:34
34        ArcfourContext *ctx = context;
(gdb) bt
#0  arcfour_init (context=0x80ce518, key=0x80c0708 "", keylen=16, 
    for_encryption=1) at arcfour.c:34
#1  0x80705f3 in ssh_cipher_allocate_internal (name=0x80ce018 "arcfour", 
    key=0x80c0708 "", keylen=16, for_encryption=1, cipher=0x80c07dc, expand=0, 
    test_weak_keys=0) at genciph.c:452
#2  0x8070660 in ssh_cipher_allocate (name=0x80ce018 "arcfour", 
    key=0x80c0708 "", keylen=16, for_encryption=1, cipher=0x80c07dc)
    at genciph.c:475
#3  0x808391e in ssh_tr_set_keys (tr=0x80c0540, info=0x80c06fc, 
    granularityp=0x80c07e8, is_outgoing=1, cipherp=0x80c07dc, macp=0x80c07ec, 
    compressionp=0x80c07f4) at trcommon.c:1433
#4  0x8083f68 in ssh_tr_input_kex2 (tr=0x80c0540) at trcommon.c:1629
#5  0x8085119 in ssh_tr_process_input (tr=0x80c0540) at trcommon.c:2118
#6  0x8085679 in ssh_tr_callback (notification=SSH_STREAM_INPUT_AVAILABLE, 
    context=0x80c0540) at trcommon.c:2336
#7  0x8061265 in ssh_stream_internal_callback (
    notification=SSH_STREAM_INPUT_AVAILABLE, context=0x80c0020)
    at sshstream.c:61
#8  0x805e558 in ssh_stream_fd_callback (events=1, context=0x80bffd0)
    at sshunixfdstream.c:118
#9  0x805e1f2 in ssh_event_loop_run () at sshunixeloop.c:761
#10 0x804c4bc in main (argc=7, argv=0xbffffca4) at ssh2.c:972
(gdb) q



--- Bazsi


