Date:      Fri, 16 Dec 2011 17:01:58 +0200
From:      Volodymyr Kostyrko <c.kworr@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   CVE-2011-1945
Message-ID:  <4EEB5D66.5090204@gmail.com>

Hi all.

Recently I started to recheck the usability of ssh keys and found that ECDSA
keys are already available. I've tried to make one and it points me
about key bit length. Reading about this on

http://en.wikipedia.org/wiki/Elliptic_Curve_DSA

I also noticed that a timing attack is possible against OpenSSL. A quick
check of the code shows that we haven't integrated the fix yet, as the
current revision of

http://svnweb.freebsd.org/base/stable/9/crypto/openssl/crypto/ecdsa/ecs_ossl.c?revision=225736&view=markup
http://svnweb.freebsd.org/base/head/crypto/openssl/crypto/ecdsa/ecs_ossl.c?revision=225736&view=markup

misses the fix from:

http://cvs.openssl.org/chngview?cn=20892

And after the latest OpenSSH import by des:

http://svnweb.freebsd.org/base?view=revision&revision=221420

we are automatically creating (and using?) a private ECDSA key:

http://svnweb.freebsd.org/base/stable/9/etc/rc.d/sshd?r1=221419&r2=221420&;

Am I missing something?

-- 
Sphinx of black quartz judge my vow.


