Hi,

Sami Lehtinen notified me of a bug in LSH's implementation of ssh-dss
signatures. As I would like to have my interpretation of the spec
confirmed, and as I suspect that also openssh may have the same
problem (as it manages to interoperate with LSH), I'm writing to the
WG list.

The transport draft, draft-ietf-secsh-transport-07.txt, defines an
ssh-dss signature as

  uint32    length
  string    "ssh-dss"
  string    dss_signature_blob

The problem is the first field, which LSH omits. The signature is used
for instance inside the SSH_MSG_KEXDH_REPLY message,

  byte      SSH_MSG_KEXDH_REPLY
  string    server public host key and certificates (K_S)
  mpint     f
  string    signature of H

In LSH, this message looks something like this:

  SSH_MSG_KEXDH_REPLY (byte)
  length of host key  (uint32)
  host key data (byte array)
  length of f
  digits of f
* length of signature (i.e. all below) 
  7 (length of "ssh-dss")
  "ssh-dss" (7 bytes)
  length of signature blob (usually 40, and always even)
  r digits (usually 20 bytes)
  s digits (usually 20 bytes, but always the same length as for r)

It seems that the spec requires yet another length field at *, i.e.

  SSH_MSG_KEXDH_REPLY (byte)
  length of host key  (uint32)
  host key data (byte array)
  length of f
  digits of f
* length of all below (part of the "string    signature of H")
* length of signature (now considered part of the signature itself) 
  7 (length of "ssh-dss")
  "ssh-dss" (7 bytes)
  length of signature blob (usually 40, and always even)
  r digits (usually 20 bytes)
  s digits (usually 20 bytes, but always the same length as for r)

The extra length field is totally redundant here (and I believe it is
equally redundant in all other places where an ssh-dss signature is
used). I'm about to add it in LSH now, in order to comply with the
draft, but I would also like the WG to give some consideration to
removing the redundant length field in the definition of the ssh-dss
signature.

The practical impact of changing this in LSH is

  Compatibility with earlier LSH: spki-style signatures might work,
  but ssh-dss is broken.

  Compatibility with earlier ssh2: Not affected, as older ssh2 doesn't
  use the specified format at all.

  Compatibility with next version of ssh2: Should work fine, if only
  LSH's bug-compatibility is disabled.

  Compatibility with current openssh: Broken.

Regards,
/Niels
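
The two layouts of the "signature of H" field compared in the message above, as an added Python example that is not part of the original message and is not LSH or OpenSSH code. The function names and the layout labels `no-extra-length` and `extra-length` are assumptions made for illustration, and the r and s values in the test are constructed.

```python
import struct

NAME = b"ssh-dss"

def ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int = 0):
    """Return (value, next_offset); reject lengths that overrun the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if n > len(buf) - off - 4:
        raise ValueError("length field exceeds remaining data")
    return buf[off + 4:off + 4 + n], off + 4 + n

def encode_signature_field(r: bytes, s: bytes, extra_length: bool) -> bytes:
    """Build the 'string signature of H' field in either layout."""
    sig = ssh_string(NAME) + ssh_string(r + s)
    if extra_length:            # layout the message reads from the draft
        sig = ssh_string(sig)
    return ssh_string(sig)      # outer length of the KEXDH_REPLY field

def parse_signature_field(field: bytes):
    """Return (layout, r, s); layout is 'no-extra-length' or 'extra-length'."""
    outer, end = read_string(field)
    if end != len(field):
        raise ValueError("trailing bytes after signature field")
    first, after_first = read_string(outer)
    if first == NAME:
        layout, rest = "no-extra-length", outer[after_first:]
    else:
        # The first string must span the whole field and start with the name.
        if after_first != len(outer):
            raise ValueError("unrecognised signature layout")
        name, off = read_string(first)
        if name != NAME:
            raise ValueError("not an ssh-dss signature")
        layout, rest = "extra-length", first[off:]
    blob, off = read_string(rest)
    if off != len(rest) or len(blob) == 0 or len(blob) % 2:
        raise ValueError("malformed signature blob")
    half = len(blob) // 2       # r and s always have the same length
    return layout, blob[:half], blob[half:]
```

The two encodings differ by exactly four bytes, and a parser that accepts both can tell them apart because the first inner length is 7 only when the extra length field is absent.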

