Dubious use of BN_num_bits in sshconnect1.c
alex at foogod.com
Tue Feb 20 13:58:28 EST 2001
On Mon, Feb 19, 2001 at 10:07:24AM -0500, Niels Provos wrote:
> You should seriously consider updating the ssh-1.2.20 server to something
> newer.
Unfortunately, the server isn't mine. I will attempt to convince the
administrator to upgrade (I was planning to anyway, actually)..
> You are confused. In an N-bit RSA modulus the Nth bit is the most significant
> bit. This is very different from a random integer taken from an N-bit range.
> OpenSSH uses BN_num_bits correctly.
Sorry about this.. as it turns out I was getting a bit muddled between n and
e/d in the source (which is particularly embarrassing because they're
quite clearly marked, I just wasn't paying attention).
I'll just go off and be embarrassed in a corner now. sigh..
> There is no flaw in BN_[pseudo_]rand(), there is no such bug in
> OpenSSH. Please, if you do not understand a particular issue, you
> should not claim that somebody else is mistaken. Why don't you look
> at the man pages the next time?
Please, if you don't look at a piece of code, you should not patronize bug
reporters. What I said was precisely correct, and is NOT documented in
the manpage. BN_rand/BN_pseudo_rand set the msb to 1 even when the "top"
parameter is false.
But, this is an issue for another list (OpenSSL stuff). I mentioned it here
mainly because when this behavior is fixed it may have ramifications for
OpenSSH code which people might like to be aware of.
-alex