by rollcat 958 days ago
> openssh uses openssl's RSA implementation

Upstream OpenSSH uses LibreSSL, which they've forked from OpenSSL precisely because they were concerned with code quality and correctness.

I don't know whether this problem affects LibreSSL, but one of their main goals was to be less afraid of breaking the OpenSSL API to fix usability problems that lead to incorrect (insecure) code.

1 comment

IIUC, the original 2001 countermeasure for this is embedded in the modexp routine, and both OpenSSL (in rsa_ossl.c) and LibreSSL libcrypto (in rsa_eay.c) have substantially the same logic.

Look for the comment:

    /*
     * 'I' and 'vrfy' aren't congruent mod n. Don't leak
     * miscalculated CRT output, just do a raw (slower)
     * mod_exp and return that instead.
     */
Note that in the OpenSSL case at least, this check is in the default engine/plugin, not in generic code. If you load a different plugin, you only get protection if the engine/plugin implements a similar check internally.

(I expect that LibreSSL removed the plugin framework, but I haven't checked.)
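To make the countermeasure concrete, here is an added Python sketch (not code from OpenSSL, LibreSSL or either commenter) of RSA-CRT private-key operation with the re-encrypt-and-compare check described above. It uses constructed toy primes and an injected single-bit miscalculation in one CRT half to show that the check catches the bad output and the caller only ever sees the correct value from the slower plain mod_exp.

```python
# Constructed toy key (both factors are prime); sizes like this are for
# illustration only and are nowhere near a usable RSA key.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)
DP, DQ = D % (P - 1), D % (Q - 1)
IQMP = pow(Q, -1, P)         # q^-1 mod p, as in the CRT parameters


def rsa_crt_raw(m, fault=False):
    """Garner-style CRT exponentiation m^d mod n.

    `fault=True` flips one bit of the mod-q half to simulate a
    miscalculation (a glitch or a buggy engine) in that branch only.
    """
    m1 = pow(m, DP, P)
    m2 = pow(m, DQ, Q)
    if fault:
        m2 ^= 1
    h = (IQMP * (m1 - m2)) % P
    return m2 + h * Q


def rsa_private(m, fault=False):
    """CRT with the libcrypto-style check: re-encrypt the result and, if
    it is not congruent to the input mod n, discard it and return a plain
    (slower) mod_exp instead of leaking the miscalculated CRT output.

    Returns (result, path) where path is "crt" or "fallback".
    """
    r = rsa_crt_raw(m, fault)
    vrfy = pow(r, E, N)
    if vrfy != m % N:
        return pow(m, D, N), "fallback"
    return r, "crt"


if __name__ == "__main__":
    msg = 123456789
    good, path = rsa_private(msg)
    print(path, good == pow(msg, D, N))             # crt True
    recovered, path = rsa_private(msg, fault=True)
    print(path, recovered == pow(msg, D, N))        # fallback True
```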