Dubious use of BN_num_bits in sshconnect1.c (resend)

Niels Provos provos at citi.umich.edu
Tue Feb 20 02:10:43 EST 2001


------- Forwarded Message

Subject: Re: Dubious use of BN_num_bits in sshconnect1.c 
From: Niels Provos <provos at citi.umich.edu>
In-Reply-To: alex at foogod.com, Sun, 18 Feb 2001 19:38:56 PST
To: alex at foogod.com
Cc: openssh-unix-dev at mindrot.org
Date: Mon, 19 Feb 2001 10:07:24 -0500
Sender: provos at citi.umich.edu

Hi Alex,

there is no problem in OpenSSH.

In message <20010218193856.D22936 at draco.foogod.com>, alex at foogod.com writes:
>Hiho...
>I have recently encountered problems using OpenSSH 2.3.0p1 to connect to a SSH
>1.2.20 server, with messages such as the following:
You should seriously consider updating the ssh-1.2.20 server to something
newer.

>received in sshconnect1.c.  The problem is that BN_num_bits does not return 
>the number of significant bits of a given bignum, but rather the position of 
>the most significant 1 bit, which is not necessarily the same thing.
This is not a problem.  This is how BN_num_bits works and how it is
supposed to be used.

>It is perfectly possible (and as demonstrated, does occur) for the remote end 
>to generate an N-bit public key where the most significant bit is zero.
You are confused.  In an N-bit RSA modulus the Nth bit is the most significant
bit.  This is very different from a random integer taken from an N-bit range.
OpenSSH uses BN_num_bits correctly.


>(this brings up a related flaw in the BN_rand/BN_pseudo_rand (which is the 
>reason this bug doesn't show up with OpenSSH servers) in that when called to 
>generate an N-bit (pseudo)random number, these functions actually return N-1 
>bits of random data, with the msb set to 1, instead of the N random bits 
>promised, but that's a side issue)
There is no flaw in BN_[pseudo_]rand(), there is no such bug in
OpenSSH.  Please, if you do not understand a particular issue, you
should not claim that somebody else is mistaken.  Why don't you look
at the man pages the next time?

        int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);

        int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
[...]

       If top is true, the two most significant bits of the number
       will be set to 1, so that the product of two such random
       numbers will always have 2*bits length.  If bottom is
       true, the number will be odd.

Niels.
------- End of Forwarded Message
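
An added example, not part of the original message and not OpenSSL or OpenSSH code: the man page excerpt quoted above says that setting the two most significant bits of each factor makes the product always 2*bits long. The sketch below checks that on 64-bit integers, with a bit length defined the way the thread describes BN_num_bits (position of the highest 1 bit). All function names are hypothetical, and k is assumed to lie between 2 and 32 so the product fits in a uint64_t.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit length as the position of the highest set bit (1-based); 0 for zero. */
static int num_bits_u64(uint64_t v)
{
    int n = 0;
    for (; v != 0; v >>= 1)
        n++;
    return n;
}

/* Smallest k-bit value with its top `top_bits` (1 or 2) bits forced to 1. */
static uint64_t min_with_top_bits(int k, int top_bits)
{
    uint64_t v = (uint64_t)1 << (k - 1);
    if (top_bits == 2)
        v |= (uint64_t)1 << (k - 2);
    return v;
}

/* Bit length of the smallest product of two such k-bit factors. If this is
 * 2k, every product is 2k bits, since no product of k-bit values exceeds it. */
static int min_product_bits(int k, int top_bits)
{
    uint64_t m = min_with_top_bits(k, top_bits);
    return num_bits_u64(m * m);
}

/* Exhaustive count of factor pairs whose product is shorter than 2k bits.
 * Intended for small k only (the loop is quadratic in 2^k). */
static unsigned long count_short_products(int k, int top_bits)
{
    uint64_t lo = min_with_top_bits(k, top_bits), hi = ((uint64_t)1 << k) - 1;
    unsigned long n = 0;
    for (uint64_t p = lo; p <= hi; p++)
        for (uint64_t q = lo; q <= hi; q++)
            if (num_bits_u64(p * q) < 2 * k)
                n++;
    return n;
}

int main(void)
{
    printf("k=32, top bit only: min product has %d bits\n", min_product_bits(32, 1));
    printf("k=32, top two bits: min product has %d bits\n", min_product_bits(32, 2));
    printf("k=8 short products: top1=%lu top2=%lu\n",
           count_short_products(8, 1), count_short_products(8, 2));
    return 0;
}
```

With only the top bit forced, the smallest product is 2^(2k-2), one bit short of 2k; with the top two bits forced it is 9 * 2^(2k-4), which is at least 2^(2k-1), so the product is always 2k bits long.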





