[Bug 2366] ssh-keygen doesn't correctly decode new format GCM-encrypted keys

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Apr 25 13:29:30 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2366

--- Comment #4 from Ron Frederick <ronf at timeheart.net> ---
The bug I found actually wasn't related to the additional authenticated
data. For this particular case of using the cipher to encrypt an
OpenSSH format private key, the additional data is empty in fact.

The bug here had to do with the length of the data passed to the
cipher_crypt() call when decrypting the key. Instead of passing in the
length of the encrypted data, the code is passing in the length of the
encrypted data plus the length of the MAC which is placed after it.
However, the MAC is not encrypted, since the keys are following the
"encrypt then MAC" approach.

The fix is to pass in the proper encrypted length, after validating
that there are enough bytes in the buffer to hold both this encrypted
data and a trailing MAC of the expected size.

There was also a bug when consuming the data later, in that only
encrypted_len bytes were consumed, even though it attempted to decrypt
more bytes than that. The correct thing here would be to consume
encrypted_len bytes plus the length of the MAC, and then check to make
sure that no bytes beyond that were remaining in the buffer.

The patch I've attached here addresses all of these issues. Only the
decrypt code needed any changes. The encrypt function was fine as-is.



More information about the openssh-bugs mailing list
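
The length handling described in comment #4, sketched as an added example that is not the attached patch or OpenSSH's code: the cipher is given only `encrypted_len` bytes, the buffer must hold that plus the trailing MAC, and nothing may remain afterwards. The 4-byte big-endian length prefix, the names `sealed_parse` and `sealed_view`, and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names here are hypothetical; this is not OpenSSH's code. */
enum { SEALED_OK = 0, SEALED_TRUNCATED = -1, SEALED_TRAILING = -2 };

struct sealed_view {
    const uint8_t *ct;  size_t ct_len;   /* what the cipher should decrypt */
    const uint8_t *tag; size_t tag_len;  /* unencrypted MAC placed after it */
};

/* Assumed layout: uint32 big-endian encrypted_len | ciphertext | MAC. */
int sealed_parse(const uint8_t *buf, size_t len, size_t tag_len,
    struct sealed_view *out)
{
    size_t enc_len, left;

    if (len < 4)
        return SEALED_TRUNCATED;
    enc_len = ((size_t)buf[0] << 24) | ((size_t)buf[1] << 16) |
        ((size_t)buf[2] << 8) | (size_t)buf[3];
    left = len - 4;
    /* Need room for ciphertext AND MAC; subtract rather than add so an
     * untrusted enc_len cannot overflow the comparison. */
    if (left < tag_len || left - tag_len < enc_len)
        return SEALED_TRUNCATED;
    /* Consuming enc_len + tag_len bytes must leave nothing behind. */
    if (left - tag_len != enc_len)
        return SEALED_TRAILING;
    out->ct = buf + 4;
    out->ct_len = enc_len;           /* not enc_len + tag_len */
    out->tag = buf + 4 + enc_len;
    out->tag_len = tag_len;
    return SEALED_OK;
}

/* Constructed sample: 8 ciphertext bytes followed by a 16-byte MAC. */
static const uint8_t sample[4 + 8 + 16] = { 0, 0, 0, 8,
    0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
    0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf };

int main(void)
{
    struct sealed_view v = { 0 };
    int r = sealed_parse(sample, sizeof(sample), 16, &v);
    printf("r=%d ct_len=%zu tag_len=%zu\n", r, v.ct_len, v.tag_len);
    return r == SEALED_OK ? 0 : 1;
}
```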