CVE-2011-1945
Hi all.
Recently I started to recheck usability of ssh keys and found that ECDSA
keys are already available. I've tried to make one and it points me
about key bit length. Reading about this on
http://en.wikipedia.org/wiki/Elliptic_Curve_DSA
I also noticed that a timing attack is possible against OpenSSL. Quick
checking the code shows that we haven't integrated the fix yet as
current revision of
http://svnweb.freebsd.org/base/stable/9/crypto/openssl/crypto/ecdsa/ecs_ossl.c?revision=225736&view=markup
http://svnweb.freebsd.org/base/head/crypto/openssl/crypto/ecdsa/ecs_ossl.c?revision=225736&view=markup
misses the fix from:
http://cvs.openssl.org/chngview?cn=20892
And after latest OpenSSH import by des:
http://svnweb.freebsd.org/base?view=revision&revision=221420
we are automatically creating (and using?) private ECDSA key:
http://svnweb.freebsd.org/base/stable/9/etc/rc.d/sshd?r1=221419&r2=221420&
Am I missing something?
--
Sphinx of black quartz judge my vow.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"