----- Forwarded message from Balazs Scheidler <[EMAIL PROTECTED]> -----

Date: Sun, 11 Jul 1999 02:33:04 +0200
From: Balazs Scheidler <[EMAIL PROTECTED]>
To: Niels M�ller <[EMAIL PROTECTED]>
Subject: Re: lsh-0.1.3 and ssh-2.0.13

On Sat, Jul 10, 1999 at 12:13:15AM +0200, Niels M�ller wrote:
> Brian Ryner <[EMAIL PROTECTED]> writes:
> 
> > Ok, here is the debug output.
> 
> Thanks.
> 
> It seems that my first guess was wrong... The interesting part of the
> log is
> 
> :  0x00000230: 4616622c54b80603b640340000002839
>                                      ^^^^^^^^
> :  0x00000240: 01e466a46e8906d0d83b5c02ad0598eb
> :  0x00000250: c6c1166a92896ccb45486f09fe083052
> :  0x00000260: cd39dd34ca5115
> :  
> :  handle_connection: Received packet of type 31 (SSH_MSG_KEXDH_REPLY)
> 
> The part marked with ^ is the length field for the signature blob.
> Thus, the length field is definitely included. So it seems there's
> either a bug in lsh's ssh2 workaround, or some more general
> incompatibility in the signature process or in the hashing of the DH
> values.
> 
> To resolve this, I'm afraid reading the ssh2 source code is a must.

At first sight, it seems that the workaround version checking has problems,
and the workaround is not invoked, here's the test routine:

static int invoke_ssh2_dsa_kludge_p(struct lsh_string *s)
{
  /* FIXME: Improve the version string test. */
  return( (s->length >= 15)
          && !memcmp(s, "SSH-1.99-2.0.11", 15));
}

The first problem is that a fixed version number is tested (2.0.11), so
obviously the test is not used for versions other than 2.0.11; the second
problem is that s->data should be checked instead of s.

Yet another problem is at client_keyexchange.c:154:

  if (hostkey_algorithm_atom != ATOM_SSH_DSS
#if DATAFELLOWS_SSH2_SSH_DSA_KLUDGE
      && hostkey_algorithm_atom != ATOM_SSH_DSS_KLUDGE
#endif
      )
    fatal("Internal error\n");

Originally the check for ATOM_SSH_DSS_KLUDGE was not there.

And the last problem I encountered was not as easy to solve, since it
required some reorganization in the code. fake_host_db object (in lsh.c)
which will once become the public key verifier routine, unconditionally
created a dsa verifier. in client_keyexchange.c, above make_dh_client, there
was a FIXME saying that instead of a simple verifier class, it should take a
mapping between algorithms->verifiers, and use this mapping. I quickly
implemented this. 

And the last problem. ssh2 2.0.13 & 2.0.12 includes only the length of the
whole signature blob, and it is parsed by dh_process_server_msg(), so no
need to care about that length field within the signature checker. After
removing the check for the length, the signature itself is formally
accepted, but the values do not match.

You can find my patches attached to this mail. It still doesn't work, but
got one step nearer to functionality.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt

diff -urN --exclude-from=diff-exclude lsh-0.1.3/aclocal.m4 lsh-0.1.3.bazsi/aclocal.m4
--- lsh-0.1.3/aclocal.m4        Thu Jul  1 20:24:58 1999
+++ lsh-0.1.3.bazsi/aclocal.m4  Sun Jul 11 02:08:30 1999
@@ -1,4 +1,4 @@
-dnl aclocal.m4 generated automatically by aclocal 1.4a
+dnl aclocal.m4 generated automatically by aclocal 1.4
 
 dnl Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
@@ -21,8 +21,6 @@
 
 AC_DEFUN(AM_INIT_AUTOMAKE,
 [AC_REQUIRE([AC_PROG_INSTALL])
-dnl We require 2.13 because we rely on SHELL being computed by configure.
-AC_PREREQ([2.13])
 PACKAGE=[$1]
 AC_SUBST(PACKAGE)
 VERSION=[$2]
diff -urN --exclude-from=diff-exclude lsh-0.1.3/src/client_keyexchange.c 
lsh-0.1.3.bazsi/src/client_keyexchange.c
--- lsh-0.1.3/src/client_keyexchange.c  Sat May 22 16:36:25 1999
+++ lsh-0.1.3.bazsi/src/client_keyexchange.c    Sun Jul 11 01:39:21 1999
@@ -43,7 +43,7 @@
      (super keyexchange_algorithm)
      (vars
        (dh object diffie_hellman_method)
-       (verifier object lookup_verifier)))
+       (verifiers object alist)))
 */
 
 /* Handler for the kex_dh_reply message */
@@ -150,14 +150,18 @@
   CHECK_SUBTYPE(signature_algorithm, ignored);
 
   /* FIXME: Use this value to choose a verifier function */
-  if (hostkey_algorithm_atom != ATOM_SSH_DSS)
+  if (hostkey_algorithm_atom != ATOM_SSH_DSS 
+#if DATAFELLOWS_SSH2_SSH_DSA_KLUDGE
+      && hostkey_algorithm_atom != ATOM_SSH_DSS_KLUDGE
+#endif
+      )
     fatal("Internal error\n");
   
   /* Initialize */
   dh->super.handler = do_handle_dh_reply;
   init_diffie_hellman_instance(closure->dh, &dh->dh, connection);
 
-  dh->verifier = closure->verifier;
+  dh->verifier = ALIST_GET(closure->verifiers, hostkey_algorithm_atom);
   dh->install = make_install_new_keys(0, algorithms);
   
   /* Send client's message */
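Review bot: The value returned by `ALIST_GET(closure->verifiers, hostkey_algorithm_atom)` is stored in `dh->verifier` without checking that an entry exists. The atom test above only agrees with the table if the caller registered exactly ATOM_SSH_DSS (plus ATOM_SSH_DSS_KLUDGE in kludge builds), which nothing in the visible lines enforces; a missing entry would presumably reach the host-key signature check as a NULL verifier. Testing the lookup result instead, `if (!dh->verifier) fatal("Internal error\n");`, would make the hard-coded atom comparison unnecessary and let the `FIXME: Use this value to choose a verifier function` comment be dropped. The enclosing function starts and ends outside the hunk.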
@@ -174,15 +178,9 @@
   return res | LSH_OK | LSH_GOON;
 }
 
-
-/* FIXME: This assumes that there's only one hostkey-algorithm. To
- * fix, this constructor should take a mapping
- * algorithm->verifier-function. The init-method should use this
- * mapping to find an appropriate verifier function. */
-
 struct keyexchange_algorithm *
 make_dh_client(struct diffie_hellman_method *dh,
-              struct lookup_verifier *verifier)
+              struct alist *verifiers)
 {
   NEW(dh_client_exchange, self);
 
@@ -190,7 +188,7 @@
   
   self->super.init = do_init_client_dh;
   self->dh = dh;
-  self->verifier = verifier;
+  self->verifiers = verifiers;
 
   return &self->super;
 }
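Review bot: `self->verifiers = verifiers;` now stores an untyped `struct alist *`, so the compiler no longer checks that callers hand in `lookup_verifier` objects, and the FIXME removed in the previous hunk was the only comment on this constructor. A short comment above `make_dh_client` would restore the contract, for example `/* verifiers maps hostkey algorithm atoms to lookup_verifier objects; the init method picks the entry for the negotiated algorithm. */`. The function's signature is in the previous hunk.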
diff -urN --exclude-from=diff-exclude lsh-0.1.3/src/client_keyexchange.h 
lsh-0.1.3.bazsi/src/client_keyexchange.h
--- lsh-0.1.3/src/client_keyexchange.h  Sat May 22 16:36:27 1999
+++ lsh-0.1.3.bazsi/src/client_keyexchange.h    Sun Jul 11 01:39:51 1999
@@ -50,7 +50,7 @@
 
 struct keyexchange_algorithm *
 make_dh_client(struct diffie_hellman_method *dh,
-              struct lookup_verifier *verifier);
+              struct alist *verifiers);
 
 struct install_keys *make_client_install_keys(struct object_list *algorithms);
 
diff -urN --exclude-from=diff-exclude lsh-0.1.3/src/dsa.c lsh-0.1.3.bazsi/src/dsa.c
--- lsh-0.1.3/src/dsa.c Mon Jun 14 02:19:41 1999
+++ lsh-0.1.3.bazsi/src/dsa.c   Sun Jul 11 02:25:43 1999
@@ -204,7 +204,7 @@
   /* Build signature */
   buf_length = dsa_blob_length(r, s);
   /* NOTE: This includes one legth field. Is that right? */
-  signature = ssh_format("%r", buf_length * 2, &p);
+  signature = ssh_format("%lr", buf_length * 2, &p);
   dsa_blob_write(r, s, buf_length, p);
 
   mpz_clear(r);
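Review bot: The switch from `%r` to `%lr` is not under `#if DATAFELLOWS_SSH2_SSH_DSA_KLUDGE` as far as the hunk shows, so it changes the signature blob built for every peer rather than only for the ssh2 versions the workaround targets. If the `l` modifier drops the length prefix (the format helper is not shown here), the `NOTE: This includes one legth field` comment directly above is also stale. Consider keeping the original format in this path and producing the alternate layout only in the kludge signer, or update the comment to say which layout is emitted and why. The enclosing function starts and ends outside the hunk.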
@@ -395,14 +395,18 @@
   simple_buffer_init(&buffer, signature_length, signature_data);
 
   /* NOTE: This includes one legth field. Is that right? */
+#if 0
   if (!(parse_string(&buffer, &buf_length, &buf)
        && !(buf_length % 2)) )
     return 0;
+#endif
+  if (signature_length % 2)
+    return 0;
 
   mpz_init(r);
   mpz_init(s);
 
-  buf_length /= 2;
+  buf_length = signature_length / 2;
   
   bignum_parse_u(r, buf_length, buf);
   bignum_parse_u(s, buf_length, buf + buf_length);
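Review bot: With the `parse_string` call compiled out by `#if 0`, nothing in the visible lines assigns `buf` before `bignum_parse_u(r, buf_length, buf)` reads through it, so unless `buf` is initialised outside the hunk the verifier parses r and s from an indeterminate pointer. Adding `buf = signature_data;` next to `buf_length = signature_length / 2;` (types permitting) would read both halves from the blob that was actually passed in. The change is also unconditional, so it drops the inner length field for all peers, not only those selected by the ssh2 workaround; guarding it with `#if DATAFELLOWS_SSH2_SSH_DSA_KLUDGE` or moving it into the kludge verifier would keep standard signatures parsing as before. The enclosing function starts and ends outside the hunk.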
@@ -589,6 +593,31 @@
 
   return &dsa->super;
 }
+
+#if DATAFELLOWS_SSH2_SSH_DSA_KLUDGE
+
+/* FIXME: name clash, by convention this should have been
+   make_dsa_verifier_kludge, but it has already been used above */
+
+static struct verifier *
+do_make_dsa_verifier_kludge(struct signature_algorithm *closure UNUSED,
+                           UINT32 public_length,
+                           UINT8 *public)
+{
+       struct verifier *dsa = make_dsa_verifier(closure, public_length, public);
+       return make_dsa_verifier_kludge(dsa);
+}
+
+struct signature_algorithm *make_dsa_kludge_algorithm(struct randomness *random)
+{
+  NEW(dsa_algorithm, dsa);
+
+  dsa->super.make_verifier = do_make_dsa_verifier_kludge;
+  dsa->random = random;
+
+  return &dsa->super;
+}
+#endif
 
 #if 0
 static struct lsh_string *dsa_public_key(struct signer *dsa)
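Review bot: `do_make_dsa_verifier_kludge` passes the result of `make_dsa_verifier(closure, public_length, public)` straight to `make_dsa_verifier_kludge(dsa)`; if `make_dsa_verifier` can return NULL for a public key it rejects (its body is not in this hunk), the wrapper is built around a NULL verifier for what is presumably a peer-supplied key. A guard such as `if (!dsa) return NULL;` before the wrap keeps a malformed host key a clean failure. `closure` is also marked `UNUSED` although it is forwarded, and `make_dsa_kludge_algorithm` sets only `make_verifier`, so a comment stating that this algorithm object is meant for verification only would help callers.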
diff -urN --exclude-from=diff-exclude lsh-0.1.3/src/keyexchange.c 
lsh-0.1.3.bazsi/src/keyexchange.c
--- lsh-0.1.3/src/keyexchange.c Sat May 22 16:40:42 1999
+++ lsh-0.1.3.bazsi/src/keyexchange.c   Sun Jul 11 02:22:44 1999
@@ -199,7 +199,7 @@
 {
   /* FIXME: Improve the version string test. */
   return( (s->length >= 15)
-         && !memcmp(s, "SSH-1.99-2.0.11", 15));
+         && !memcmp(s->data, "SSH-1.99-2.0.13", 15));
 }
 #endif DATAFELLOWS_SSH2_SSH_DSA_KLUDGE
 
diff -urN --exclude-from=diff-exclude lsh-0.1.3/src/lsh.c lsh-0.1.3.bazsi/src/lsh.c
--- lsh-0.1.3/src/lsh.c Wed Jun 30 22:58:15 1999
+++ lsh-0.1.3.bazsi/src/lsh.c   Sun Jul 11 02:08:09 1999
@@ -246,7 +246,7 @@
   struct keyexchange_algorithm *kex;
   struct alist *algorithms;
   struct make_kexinit *make_kexinit;
-  struct lookup_verifier *lookup;
+  struct alist *lookup_table;
 
   struct command *get_pty = NULL;
   
@@ -264,9 +264,15 @@
   dh = make_dh1(r);
 
   /* No randomness is needed for verifying signatures */
-  lookup = make_fake_host_db(make_dsa_algorithm(NULL)); 
+  lookup_table = make_alist(1
+#if DATAFELLOWS_SSH2_SSH_DSA_KLUDGE
+                           +1,
+                           ATOM_SSH_DSS_KLUDGE, 
+make_fake_host_db(make_dsa_kludge_algorithm(NULL)),
+#endif
+                           ATOM_SSH_DSS, make_fake_host_db(make_dsa_algorithm(NULL)),
+                           -1); 
 
-  kex = make_dh_client(dh, lookup);
+  kex = make_dh_client(dh, lookup_table);
   algorithms = many_algorithms(2, 
                               ATOM_DIFFIE_HELLMAN_GROUP1_SHA1, kex,
                               ATOM_SSH_DSS, make_dsa_algorithm(r),
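Review bot: The comma after the element count is inside the `#if DATAFELLOWS_SSH2_SSH_DSA_KLUDGE` block (`+1,`), so when the kludge is disabled the call reads `make_alist(1 ATOM_SSH_DSS, ...` and does not compile. Selecting the count with `#if`/`#else` keeps the argument list well-formed in both configurations. The line carrying `make_fake_host_db(make_dsa_kludge_algorithm(NULL)),` has also lost its `+` marker to mail wrapping, so the patch will not apply as posted. The enclosing function starts and ends outside the hunk.

```c
  /* … unchanged: dh = make_dh1(r); … */
  lookup_table = make_alist(
#if DATAFELLOWS_SSH2_SSH_DSA_KLUDGE
                            2,
                            ATOM_SSH_DSS_KLUDGE,
                            make_fake_host_db(make_dsa_kludge_algorithm(NULL)),
#else
                            1,
#endif
                            ATOM_SSH_DSS, make_fake_host_db(make_dsa_algorithm(NULL)),
                            -1);
  /* … unchanged: kex = make_dh_client(dh, lookup_table); … */
```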
diff -urN --exclude-from=diff-exclude lsh-0.1.3/src/publickey_crypto.h 
lsh-0.1.3.bazsi/src/publickey_crypto.h
--- lsh-0.1.3/src/publickey_crypto.h    Mon Jun 14 02:34:18 1999
+++ lsh-0.1.3.bazsi/src/publickey_crypto.h      Sun Jul 11 01:49:16 1999
@@ -38,6 +38,7 @@
 #if DATAFELLOWS_SSH2_SSH_DSA_KLUDGE
 struct signer *make_dsa_signer_kludge(struct signer *dsa);
 struct verifier *make_dsa_verifier_kludge(struct verifier *v);
+struct signature_algorithm *make_dsa_kludge_algorithm(struct randomness *random);
 #endif
 
 struct signer *make_dsa_signer_classic(struct signer *s);




----- End forwarded message -----

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt
