Dubious use of BN_num_bits in sshconnect1.c (resend)
Niels Provos
provos at citi.umich.edu
Tue Feb 20 02:10:43 EST 2001
------- Forwarded Message
Subject: Re: Dubious use of BN_num_bits in sshconnect1.c
From: Niels Provos <provos at citi.umich.edu>
In-Reply-To: alex at foogod.com, Sun, 18 Feb 2001 19:38:56 PST
To: alex at foogod.com
Cc: openssh-unix-dev at mindrot.org
Date: Mon, 19 Feb 2001 10:07:24 -0500
Sender: provos at citi.umich.edu
Hi Alex,
there is no problem in OpenSSH.
In message <20010218193856.D22936 at draco.foogod.com>, alex at foogod.com writes:
>Hiho...
>I have recently encountered problems using OpenSSH 2.3.0p1 to connect to a SSH
>1.2.20 server, with messages such as the following:
You should seriously consider updating the ssh-1.2.20 server to something
newer.
>received in sshconnect1.c. The problem is that BN_num_bits does not return
>the number of significant bits of a given bignum, but rather the position of
>the most significant 1 bit, which is not necessarily the same thing.
This is not a problem. This is how BN_num_bits wors and how it is
supposed to be use.
>It is perfectly possible (and as demonstrated, does occur) for the remote end
>to generate an N-bit public key where the most significant bit is zero.
You are confused. In an N-bit RSA modulus the Nth bit is the most significant
bit. This is very different from an random integer taken from an N-bit range.
OpenSSH uses BN_num_bits correctly.
>(this brings up a related flaw in the BN_rand/BN_pseudo_rand (which is the
>reason this bug doesn't show up with OpenSSH servers) in that when called to
>generate an N-bit (pseudo)random number, these functions actually return N-1
>bits of random data, with the msb set to 1, instead of the N random bits
>promised, but that's a side issue)
There is no flaw in BN_[pseudo_]rand(), there is no such bug in
OpenSSH. Please, if you do not understand a particular issue, you
should not claim that somebody else is mistaken. Why don't you look
at the man pages the next time?
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
[...]
If top is true, the two most significant bits of the number
will be set to 1, so that the product of two such random
numbers will always have 2*bits length. If bottom is
true, the number will be odd.
Niels.
------- End of Forwarded Message
More information about the openssh-unix-dev
mailing list