~ubuntu-branches/debian/stretch/dropbear/stretch

Viewing changes to dss.c

Committer: Package Import Robot
Author(s): Gerrit Pape, Matt Johnston, Gerrit Pape
Date: 2013-10-25 15:00:48 UTC
mfrom: (1.4.6)
Revision ID: package-import@ubuntu.com-20131025150048-3jq765x96xayk392

Tags: 2013.60-1

http://bugs.debian.org/692653

[ Matt Johnston ]
* New upstream release.

[ Gerrit Pape ]
* debian/diff/0004-cve-2013-4421.diff, 0005-user-disclosure.diff:
remove; fixed upstream.
* debian/dropbear.postinst: don't fail if initramfs-tools it not
installed (closes: #692653).

files added:
configure.ac

dropbearconvert.1

dropbearkey.1

files removed:
cli-algo.c

cli-service.c

configure.in

debian/diff/0004-cve-2013-4421.diff

debian/diff/0005-user-disclosure.diff

dropbearkey.8

svr-algo.c

files modified:
.hg_archival.txt

.hgsigs

.hgtags

CHANGES

LICENSE

MULTI

Makefile.in

README

agentfwd.h

algo.h

auth.h

bignum.h

buffer.c

channel.h

circbuffer.c

cli-agentfwd.c

cli-auth.c

cli-authpubkey.c

cli-chansession.c

cli-kex.c

cli-main.c

cli-runopts.c

cli-session.c

common-algo.c

common-channel.c

common-kex.c

common-runopts.c

common-session.c

compat.c

config.guess

config.h.in

config.sub

configure

dbclient.1

dbmulti.c

dbutil.c

dbutil.h

debian/changelog

debian/diff/0001-dbclient.1-dbclient-uses-compression-if-compiled-with.diff

debian/diff/0002-dropbearkey.8-mention-y-option-add-example.diff

debian/diff/0003-options.h-use-usr-bin-xauth-instead-of-usr-bin-X11-xa.diff

debian/dropbear.postinst

debian/rules

debug.h

dropbear.8

dropbearkey.c

dss.c

includes.h

kex.h

libtomcrypt/src/headers/tomcrypt_custom.h

libtommath/Makefile.in

loginrec.c

options.h

packet.c

process-packet.c

queue.c

queue.h

random.c

random.h

rsa.c

runopts.h

scp.c

scpmisc.c

service.h

session.h

signkey.c

sshpty.c

svr-auth.c

svr-authpam.c

svr-authpasswd.c

svr-authpubkeyoptions.c

svr-chansession.c

svr-kex.c

svr-main.c

svr-runopts.c

svr-session.c

svr-tcpfwd.c

svr-x11fwd.c

sysoptions.h

tcp-accept.c

tcpfwd.h

termcodes.c

Show diffs side-by-side

added added

removed removed

dss.c

101

/* Clear and free the memory used by a public or private key */

102

void dss_key_free(dropbear_dss_key *key) {

103

104

TRACE(("enter dsa_key_free"))

104

TRACE2(("enter dsa_key_free"))

105

if (key == NULL) {

106

TRACE(("enter dsa_key_free: key == NULL"))

106

TRACE2(("enter dsa_key_free: key == NULL"))

107

return;

108

}

109

if (key->p) {

127

m_free(key->x);

128

}

129

m_free(key);

130

TRACE(("leave dsa_key_free"))

130

TRACE2(("leave dsa_key_free"))

131

}

132

133

/* put the dss public key into the buffer in the required format:

258

}

259

#endif /* DROPBEAR_SIGNKEY_VERIFY */

260

261

#ifdef DSS_PROTOK

262

/* convert an unsigned mp into an array of bytes, malloced.

263

* This array must be freed after use, len contains the length of the array,

264

* if len != NULL */

265

static unsigned char* mptobytes(mp_int *mp, int *len) {

266

267

unsigned char* ret;

268

int size;

269

270

size = mp_unsigned_bin_size(mp);

271

ret = m_malloc(size);

272

if (mp_to_unsigned_bin(mp, ret) != MP_OKAY) {

273

dropbear_exit("Mem alloc error");

274

}

275

if (len != NULL) {

276

*len = size;

277

}

278

return ret;

279

}

280

#endif

281

282

261

/* Sign the data presented with key, writing the signature contents

283

* to the buffer

284

285

* When DSS_PROTOK is #defined:

286

* The alternate k generation method is based on the method used in PuTTY.

287

* In particular to avoid being vulnerable to attacks using flaws in random

288

* generation of k, we use the following:

289

290

* proto_k = SHA512 ( SHA512(x) || SHA160(message) )

291

* k = proto_k mod q

292

293

* Now we aren't relying on the random number generation to protect the private

294

* key x, which is a long term secret */

262

* to the buffer */

295

263

void buf_put_dss_sign(buffer* buf, dropbear_dss_key *key, const unsigned char* data,

296

264

unsigned int len) {

297

265

298

266

unsigned char msghash[SHA1_HASH_SIZE];

299

267

unsigned int writelen;

300

268

unsigned int i;

301

#ifdef DSS_PROTOK

302

unsigned char privkeyhash[SHA512_HASH_SIZE];

303

unsigned char *privkeytmp;

304

unsigned char proto_k[SHA512_HASH_SIZE];

305

DEF_MP_INT(dss_protok);

306

#endif

307

269

DEF_MP_INT(dss_k);

308

270

DEF_MP_INT(dss_m);

309

271

DEF_MP_INT(dss_temp1);

322

284

323

285

m_mp_init_multi(&dss_k, &dss_temp1, &dss_temp2, &dss_r, &dss_s,

324

286

&dss_m, NULL);

325

#ifdef DSS_PROTOK

326

/* hash the privkey */

327

privkeytmp = mptobytes(key->x, &i);

328

sha512_init(&hs);

329

sha512_process(&hs, "the quick brown fox jumped over the lazy dog", 44);

330

sha512_process(&hs, privkeytmp, i);

331

sha512_done(&hs, privkeyhash);

332

m_burn(privkeytmp, i);

333

m_free(privkeytmp);

334

335

/* calculate proto_k */

336

sha512_init(&hs);

337

sha512_process(&hs, privkeyhash, SHA512_HASH_SIZE);

338

sha512_process(&hs, msghash, SHA1_HASH_SIZE);

339

sha512_done(&hs, proto_k);

340

341

/* generate k */

342

m_mp_init(&dss_protok);

343

bytes_to_mp(&dss_protok, proto_k, SHA512_HASH_SIZE);

344

if (mp_mod(&dss_protok, key->q, &dss_k) != MP_OKAY) {

345

dropbear_exit("DSS error");

346

}

347

mp_clear(&dss_protok);

348

m_burn(proto_k, SHA512_HASH_SIZE);

349

#else /* DSS_PROTOK not defined*/

287

/* the random number generator's input has included the private key which

288

* avoids DSS's problem of private key exposure due to low entropy */

350

289

gen_random_mpint(key->q, &dss_k);

351

#endif

352

290

353

291

/* now generate the actual signature */

354

292

bytes_to_mp(&dss_m, msghash, SHA1_HASH_SIZE);

Older »