+++ /dev/null
-This means that the oracle is not completely closed, but you
-need about 2^23 connections (this is not possible because of
-OpenSSH's MaxStartups option) if you want to know whether it's a
-fake or a real encryption key.
-
-Because of this problem future OpenSSH releases will include the
-following change: The faked session keys is not 'random' but
-depends on the values sent by the attacker:
-
- dig1 = md5(cookie|session_key_int);
- dig2 = md5(dig1|cookie|session_key_int);
- fake_session_key = dig1|dig2;
-
-where the 'cookie' is a re-generated at the same time as
-the server key:
-
-Index: sshd.c
-===================================================================
-RCS file: /home/markus/cvs/ssh/sshd.c,v
-retrieving revision 1.168
-diff -u -r1.168 sshd.c
---- sshd.c 2001/02/19 23:09:05 1.168
-+++ sshd.c 2001/02/20 23:40:17
-@@ -145,6 +145,7 @@
- Key **host_keys; /* all private host keys */
- int have_ssh1_key;
- int have_ssh2_key;
-+ u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH];
- } sensitive_data;
-
- /*
-@@ -265,13 +266,23 @@
- void
- generate_empheral_server_key(void)
- {
-+ u_int32_t rand = 0;
-+ int i;
-+
- log("Generating %s%d bit RSA key.", sensitive_data.server_key ? "new " : "",
- options.server_key_bits);
- if (sensitive_data.server_key != NULL)
- key_free(sensitive_data.server_key);
- sensitive_data.server_key = key_generate(KEY_RSA1, options.server_key_bits);
-- arc4random_stir();
- log("RSA key generation complete.");
-+
-+ for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
-+ if (i % 4 == 0)
-+ rand = arc4random();
-+ sensitive_data.ssh1_cookie[i] = rand & 0xff;
-+ rand >>= 8;
-+ }
-+ arc4random_stir();
- }
-
- void
-@@ -429,6 +440,7 @@
- }
- }
- sensitive_data.ssh1_host_key = NULL;
-+ memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
- }
- Key *
- load_private_key_autodetect(const char *filename)
-@@ -1319,9 +1331,6 @@
- sensitive_data.ssh1_host_key->rsa->n,
- sensitive_data.server_key->rsa->n);
-
-- /* Destroy the private and public keys. They will no longer be needed. */
-- destroy_sensitive_data();
--
- /*
- * Extract session key from the decrypted integer. The key is in the
- * least significant 256 bits of the integer; the first byte of the
-@@ -1342,14 +1351,27 @@
- }
- }
- if (rsafail) {
-+ int bytes = BN_num_bytes(session_key_int);
-+ char *buf = xmalloc(bytes);
-+ MD5_CTX md;
-+
- log("do_connection: generating a fake encryption key");
-- for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
-- if (i % 4 == 0)
-- rand = arc4random();
-- session_key[i] = rand & 0xff;
-- rand >>= 8;
-- }
-+ BN_bn2bin(session_key_int, buf);
-+ MD5_Init(&md);
-+ MD5_Update(&md, buf, bytes);
-+ MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
-+ MD5_Final(session_key, &md);
-+ MD5_Init(&md);
-+ MD5_Update(&md, session_key, 16);
-+ MD5_Update(&md, buf, bytes);
-+ MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
-+ MD5_Final(session_key + 16, &md);
-+ memset(buf, 0, bytes);
-+ xfree(buf);
- }
-+ /* Destroy the private and public keys. They will no longer be needed. */
-+ destroy_sensitive_data();
-+
- /* Destroy the decrypted integer. It is no longer needed. */
- BN_clear_free(session_key_int);