9fb40d132b
- curve25519 key exchange fix (-curve25519-6.6.1p1.patch) - patch re-ordering (-audit3-key_auth_usage-fips.patch, -audit4-kex_results-fips.patch) OBS-URL: https://build.opensuse.org/request/show/231427 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=80
62 lines
1.8 KiB
Diff
62 lines
1.8 KiB
Diff
# HG changeset patch
|
|
# Parent 5482d21e8bd06309af51dea77a5f3668859fb2a0
|
|
|
|
diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
|
|
--- a/openssh-6.6p1/auth-rsa.c
|
|
+++ b/openssh-6.6p1/auth-rsa.c
|
|
@@ -94,16 +94,20 @@ int
|
|
auth_rsa_verify_response(Key *key, BIGNUM *challenge,
|
|
u_char response[SSH_DIGEST_MAX_LENGTH])
|
|
{
|
|
u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH];
|
|
struct ssh_digest_ctx *md;
|
|
int len;
|
|
int dgst;
|
|
size_t dgst_len;
|
|
+ int rv;
|
|
+#ifdef SSH_AUDIT_EVENTS
|
|
+ char *fp;
|
|
+#endif
|
|
|
|
/* don't allow short keys */
|
|
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
|
|
error("%s: RSA modulus too small: %d < minimum %d bits",
|
|
__func__,
|
|
BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
|
|
return (0);
|
|
}
|
|
@@ -121,22 +125,28 @@ auth_rsa_verify_response(Key *key, BIGNU
|
|
if ((md = ssh_digest_start(dgst)) == NULL ||
|
|
ssh_digest_update(md, buf, 2 * dgst_len) < 0 ||
|
|
ssh_digest_update(md, session_id, dgst_len) < 0 ||
|
|
ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
|
|
fatal("%s: md5 failed", __func__);
|
|
ssh_digest_free(md);
|
|
|
|
/* Verify that the response is the original challenge. */
|
|
- if (timingsafe_bcmp(response, mdbuf, dgst_len) != 0) {
|
|
- /* Wrong answer. */
|
|
- return (0);
|
|
+ rv = timingsafe_bcmp(response, mdbuf, dgst_len) == 0;
|
|
+
|
|
+#ifdef SSH_AUDIT_EVENTS
|
|
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
|
|
+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
|
|
+ debug("unsuccessful audit");
|
|
+ rv = 0;
|
|
}
|
|
- /* Correct answer. */
|
|
- return (1);
|
|
+ free(fp);
|
|
+#endif
|
|
+
|
|
+ return rv;
|
|
}
|
|
|
|
/*
|
|
* Performs the RSA authentication challenge-response dialog with the client,
|
|
* and returns true (non-zero) if the client gave the correct answer to
|
|
* our challenge; returns zero if the client gives a wrong answer.
|
|
*/
|
|
|