From owner-freebsd-bugs@FreeBSD.ORG Fri Aug 10 00:10:01 2012
Message-Id: <20120810000837.GA1435@x96.org>
Date: Thu, 9 Aug 2012 17:08:37 -0700
From: Arthur Mesh
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: obrien@FreeBSD.org
Subject: misc/170519: OPIE doesn't properly do SHA-1 (otp-sha)

>Number: 170519
>Category: misc
>Synopsis: OPIE doesn't properly do SHA-1 (otp-sha)
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 10 00:10:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: arthurmesh
>Release: FreeBSD 9.0-STABLE amd64
>Organization: none
>Environment:
System: FreeBSD alpha 9.0-STABLE FreeBSD 9.0-STABLE #0 r235829: Wed May 23 11:03:56 PDT 2012 root@alpha:/usr/obj/usr/src/sys/GENERIC amd64

>Description:
OPIE doesn't properly do SHA1.
OPIE doesn't properly implement RFC 2289, see fix for more details.

Quote from RFC 2289 A One-Time Password System:

Appendix A:
...
For historical reasons, and to promote interoperability with existing
implementations, it was decided that ALL hashes incorporated into the
OTP protocol MUST store the output of their hash function in LITTLE
ENDIAN format BEFORE the bit folding to 64 bits occurs. This is done
in the implementations of MD4 and MD5 (see references [2] and [6]),
while it must be explicitly done for the implementation of SHA1 (see
reference [7]).

>How-To-Repeat:
# SHA1 problem:
# On FreeBSD9
$ echo aaaaaaaaaa | otp-sha 1 foobar
Using the SHA-1 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: KERN RUSS BETH SAUL YANG GO

# On OpenBSD 5.1
$ skey -sha1 -p aaaaaaaaaa 1 foobar
ROWS GIBE NOTE OAF GASH HECK

# Yet, MD5 works fine:
# On FreeBSD9
$ echo aaaaaaaaaa | otp-md5 1 foobar
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: VETO ODIN WOO SHOD REID ROSE

# On OpenBSD 5.1
# skey -md5 -p aaaaaaaaaa 1 foobar
VETO ODIN WOO SHOD REID ROSE

>Fix:
Index: contrib/opie/libopie/hash.c =================================================================== --- contrib/opie/libopie/hash.c (revision 235829) +++ contrib/opie/libopie/hash.c (working copy) @@ -17,6 +17,8 @@ $FreeBSD$ */ +#include + #include "opie_cfg.h" #include "opie.h" @@ -32,11 +34,21 @@ switch(algorithm) { case 3: { + int i; SHA_CTX sha; UINT4 digest[5]; SHA1_Init(&sha); SHA1_Update(&sha, (unsigned char *)x, 8); SHA1_Final((unsigned char *)digest, &sha); + + /* + * RFC2289 mandates that we convert SHA1 digest from big-endian to little + * see Appendix A. + */ + for (i = 0; i < 5; i++) { + digest[i] = bswap32(digest[i]); + } + results[0] = digest[0] ^ digest[2] ^ digest[4]; results[1] = digest[1] ^ digest[3]; }; Index: contrib/opie/libopie/hashlen.c =================================================================== --- contrib/opie/libopie/hashlen.c (revision 235829) +++ contrib/opie/libopie/hashlen.c (working copy) @@ -14,6 +14,8 @@ $FreeBSD$ */ +#include + #include "opie_cfg.h" #include "opie.h" @@ -29,11 +31,20 @@ switch(algorithm) { case 3: { + int i; SHA_CTX sha; UINT4 digest[5]; SHA1_Init(&sha); SHA1_Update(&sha, (unsigned char *)in, n); SHA1_Final((unsigned char *)digest, &sha); + + /* + * RFC2289 mandates that we convert SHA1 digest from big-endian to little + * see Appendix A. + */ + for (i = 0; i < 5; i++) { + digest[i] = bswap32(digest[i]); + } results[0] = digest[0] ^ digest[2] ^ digest[4]; results[1] = digest[1] ^ digest[3]; break;

>Release-Note:
>Audit-Trail:
>Unformatted:
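
Review bot: The `#include` added at the top of hash.c (`@@ -17,6 +17,8 @@`) exists only to supply `bswap32`, which is not standard C, so this vendor file under contrib/opie now depends on a platform header. The swap is a fixed four-byte reversal, so consider open-coding it with shifts and masks on `UINT4`, or say in the commit message that this is a deliberate local divergence from the imported OPIE sources.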
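
Review bot: The `bswap32` loop in the `case 3` branch of hash.c (`@@ -32,11 +34,21 @@`) changes every otp-sha value this function returns, so SHA-1 entries that were enrolled with the unpatched code would stop verifying once this lands. Please cover that in the release note (affected users need to re-initialise their otp-sha sequence). The comment could also say that the swap is unconditional because `SHA1_Final` writes the digest bytes big-endian on every host, so that nobody later wraps the loop in a byte-order `#if`.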
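
Review bot: The swap loop in hashlen.c (`@@ -29,11 +31,20 @@`) is a verbatim copy of the one added to hash.c, comment included, and the two must stay identical for the initial step and the iteration step to agree. A single static helper or macro used by both files would remove that risk. While there, `i < 5` could be written against `sizeof(digest) / sizeof(digest[0])`, and this hunk is missing the blank `+` line before `results[0]` that the hash.c hunk has.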
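
The Appendix A rule quoted in the description, as an added example that is not part of the original report or of OPIE: a Python model of the otp-sha computation with the little-endian store and without it. The function names and the `rfc2289` switch are assumptions of this sketch, the test vector is the SHA-1 entry from RFC 2289 Appendix C, and results are hex rather than six-word form.

```python
import hashlib
import struct

# SHA-1 test vector from RFC 2289 Appendix C: (pass phrase, seed, count, hex).
RFC_VECTOR = ("This is a test.", "TeSt", 0, "bb9e6ae1979d8ff4")


def fold_sha1(data, rfc2289=True):
    """SHA-1 the input and fold the 160-bit digest down to 64 bits."""
    h = struct.unpack(">5I", hashlib.sha1(data).digest())  # words h0..h4
    r0 = h[0] ^ h[2] ^ h[4]
    r1 = h[1] ^ h[3]
    # Appendix A: each folded word is stored little-endian. The other branch
    # is an assumed model of the unpatched fold, which XORs the digest bytes
    # in the big-endian order SHA1_Final wrote them.
    return struct.pack("<2I" if rfc2289 else ">2I", r0, r1)


def otp_sha1(passphrase, seed, count, rfc2289=True):
    """Return the 64-bit one-time password as 8 bytes."""
    # Initial step: lowercased seed followed by the pass phrase.
    key = fold_sha1((seed.lower() + passphrase).encode("ascii"), rfc2289)
    for _ in range(count):  # each further step hashes the previous 8 bytes
        key = fold_sha1(key, rfc2289)
    return key


def swap_words(key):
    """Reverse the bytes inside each 32-bit half."""
    return key[0:4][::-1] + key[4:8][::-1]


if __name__ == "__main__":
    # Input from the report's How-To-Repeat section.
    for mode in (True, False):
        label = "rfc2289" if mode else "no swap"
        print(label, otp_sha1("aaaaaaaaaa", "foobar", 1, mode).hex())
```

At count 0 the two variants differ only by a byte reversal inside each 32-bit half; from count 1 onward each step hashes the previous 8 bytes, so the outputs are unrelated.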