Patch to workaround host key size mismatch bug in old SSH sshd
Dave Dykstra
dwd at bell-labs.com
Fri Aug 24 03:02:56 EST 2001
Markus,
Do you want to include this patch before the next release?
I checked the current CVS and the code around the patch hasn't appeared
to change so the patch should still apply cleanly.
- Dave Dykstra
On Thu, Jul 05, 2001 at 10:59:25AM -0500, Dave Dykstra wrote:
> Below is a patch against the current OpenBSD OpenSSH CVS to work around a
> behavior I have observed when converting from SSH 1.2.27 to OpenSSH while
> using the same old RSA1 host key for protocol 1. In several cases I saw
> that old SSH sshd reported a host key size of 1024 bits when OpenSSH saw it
> as 1023 bits. Without the patch, when OpenSSH's ssh client connects to an
> old SSH sshd it warns that the server lies about the size, and when an old
> SSH ssh client connects to an OpenSSH sshd it reports the dreaded "WARNING:
> HOST IDENTIFICATION HAS CHANGED! IT IS POSSIBLE THAT SOMEONE IS DOING
> SOMETHING NASTY!" An OpenSSH ssh client conveniently ignores the key size
> in ~/.ssh/authorized_keys (in a kind of convoluted way, I might add) so it
> doesn't care that the key size reported by OpenSSH sshd is 1023 even if
> authorized_keys says it's 1024.
>
> A pleasant side effect of this patch is that compat.c no longer prints the
> disconcerting debug message "no match" when communicating with SSH 1.2.23
> through 1.2.31.
>
> - Dave Dykstra
>
>
> --- compat.h.O Thu Jul 5 10:49:47 2001
> +++ compat.h Thu Jul 5 10:50:04 2001
> @@ -50,6 +50,7 @@
> #define SSH_BUG_HBSERVICE 0x00010000
> #define SSH_BUG_OPENFAILURE 0x00020000
> #define SSH_BUG_DERIVEKEY 0x00040000
> +#define SSH_BUG_SERVERLIESSIZE 0x00080000
>
> void enable_compat13(void);
> void enable_compat20(void);
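Review bot: SSH_BUG_SERVERLIESSIZE is added without a comment, and the name only fits the client-side use in sshconnect1.c; the sshd.c hunk tests the same bit to change the size the server announces to an old client. A one-line comment next to the define stating that the peer counts the RSA1 host key modulus as one bit larger than BN_num_bits() does would cover both uses.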
> --- compat.c.O Thu Jul 5 10:49:21 2001
> +++ compat.c Thu Jul 5 10:49:27 2001
> @@ -105,6 +105,8 @@
> { "^1\\.7 SecureFX", SSH_OLD_SESSIONID },
> { "^1\\.2\\.1[89]", SSH_BUG_IGNOREMSG },
> { "^1\\.2\\.2[012]", SSH_BUG_IGNOREMSG },
> + { "^1\\.2\\.2[3-9]", SSH_BUG_SERVERLIESSIZE },
> + { "^1\\.2\\.3[0-1]", SSH_BUG_SERVERLIESSIZE },
> { "^1\\.3\\.2", SSH_BUG_IGNOREMSG }, /* f-secure */
> { "^SSH Compatible Server", /* Netscreen */
> SSH_BUG_PASSWORDPAD },
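Review bot: The two new patterns flag every peer announcing 1.2.23 through 1.2.31, but the description only names 1.2.27 as a version where the 1024 vs. 1023 mismatch was seen; please say which releases were actually tested or where the range comes from, since the flag relaxes the host key size check in sshconnect1.c and alters what sshd announces. Minor style point: `[0-1]` would read more like the neighbouring `[012]` and `[89]` entries if written `[01]`.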
> --- sshconnect1.c.O Thu Jul 5 10:49:13 2001
> +++ sshconnect1.c Thu Jul 5 10:49:28 2001
> @@ -37,6 +37,7 @@
> #include "packet.h"
> #include "mpaux.h"
> #include "uidswap.h"
> +#include "compat.h"
> #include "log.h"
> #include "readconf.h"
> #include "key.h"
> @@ -960,7 +961,8 @@
> sum_len += clen;
>
> rbits = BN_num_bits(host_key->n);
> - if (bits != rbits) {
> + if (bits != rbits &&
> + !((datafellows & SSH_BUG_SERVERLIESSIZE) && (rbits + 1 == bits))) {
> log("Warning: Server lies about size of server host key: "
> "actual size is %d bits vs. announced %d.", rbits, bits);
> log("Warning: This may be due to an old implementation of ssh.");
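Review bot: In the new condition the tolerated case (flag set and rbits + 1 == bits) is skipped with no trace at all, and datafellows is driven by the version string the peer announces, so any server claiming one of the flagged versions gets the relaxed check. The tolerance is narrow (exactly one bit, announced larger than actual), which is good; I would still emit a debug-level message with rbits and bits in that branch so the discrepancy stays visible when troubleshooting, and add a comment explaining why only rbits + 1 is accepted.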
> --- sshd.c.O Thu Jul 5 10:49:10 2001
> +++ sshd.c Thu Jul 5 10:49:27 2001
> @@ -1217,7 +1217,12 @@
> packet_put_bignum(sensitive_data.server_key->rsa->n);
>
> /* Store our public host RSA key. */
> - packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
> + len = BN_num_bits(sensitive_data.ssh1_host_key->rsa->n);
> + if ((datafellows & SSH_BUG_SERVERLIESSIZE) && (len & 1)) {
> + /* old ssh client expects even number for host key */
> + len += 1;
> + }
> + packet_put_int(len);
> packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
> packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
>
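Review bot: `len` is assigned here but the hunk adds no declaration, so this relies on an existing variable in the enclosing function; please confirm it is an int that is not still holding a value needed later, or add a dedicated local. Also note the asymmetry with sshconnect1.c: the client tolerates only rbits + 1 == bits, while `(len & 1)` here rounds up every odd modulus size for flagged clients, which matches the comment but deserves a sentence on why an even size is what the old client expects.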