| Summary: | Incorrect OpenSSL version requirement? | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Weldon Godfrey <weldon> |
| Component: | Miscellaneous | Assignee: | OpenSSH Bugzilla mailing list <openssh-bugs> |
| Status: | CLOSED FIXED | | |
| Severity: | major | CC: | boyland, davidj, general_anders, hatlas, malcolm.locke, patl, vjo, wzeikat |
| Priority: | P2 | | |
| Version: | -current | | |
| Hardware: | All | | |
| OS: | All | | |

Description
Weldon Godfrey
2002-03-08 03:47:23 AEDT
*** Bug 139 has been marked as a duplicate of this bug. ***

Documentation has been corrected. Yes 0.9.6 is required at this time.

does this patch help http://bugzilla.mindrot.org/showattachment.cgi?attach_id=32

Markus, Your patch did allow us to compile with OpenSSL 0.9.5a.

... but apparently breaks ssh1 compatibility (or something miscompiled to do so:

    $ ssh -v -1 bar.chm.bnl.gov
    OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
    [ ... ]
    debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
    debug1: match: OpenSSH_3.1p1 pat OpenSSH*
    debug1: Local version string SSH-1.5-OpenSSH_3.1p1
    [ ... ]
    debug1: Sent encrypted session key.
    debug1: Installing crc compensation attack detector.
    Disconnecting: Corrupted check bytes on input.
    debug1: Calling cleanup 0x8060fb8(0x0)

what happens if you additionally replace cipher_init from cipher.c with

    void
    cipher_init(CipherContext *cc, Cipher *cipher,
        const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
        int encrypt)
    {
        static int dowarn = 1;
        EVP_CIPHER *type;
        int klen;

        /* SSH1 DES: warn once and clamp the key to 8 bytes */
        if (cipher->number == SSH_CIPHER_DES) {
            if (dowarn) {
                error("Warning: use of DES is strongly discouraged "
                    "due to cryptographic weaknesses");
                dowarn = 0;
            }
            if (keylen > 8)
                keylen = 8;
        }
        cc->plaintext = (cipher->number == SSH_CIPHER_NONE);

        /* Reject keys or IVs shorter than the cipher needs */
        if (keylen < cipher->key_len)
            fatal("cipher_init: key length %d is insufficient for %s.",
                keylen, cipher->name);
        if (iv != NULL && ivlen < cipher->block_size)
            fatal("cipher_init: iv length %d is insufficient for %s.",
                ivlen, cipher->name);
        cc->cipher = cipher;

        /* Raise the EVP cipher's key length if it is shorter than the one SSH expects */
        type = (*cipher->evptype)();
        if (type->key_len < cipher->key_len)
            type->key_len = cipher->key_len;

        EVP_CIPHER_CTX_init(&cc->evp);
        EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv,
            (encrypt == CIPHER_ENCRYPT));
    }

*** Bug 154 has been marked as a duplicate of this bug. ***

the cipher_init change does not help the problem

    debug1: cipher_init: set keylen (16 -> 32)
    debug1: cipher_init: set keylen (16 -> 32)
    debug1: Installing crc compensation attack detector.
    Disconnecting: Corrupted check bytes on input.
    debug1: Calling cleanup 0x8063550(0x0)

still throwing an error on any ssh1 connection

this should help for 3des/ssh1 http://bugzilla.mindrot.org/showattachment.cgi?attach_id=35

With http://bugzilla.mindrot.org/showattachment.cgi?attach_id=35 applied I get exactly the same failure as with the earlier patch:

    host1$ ./ssh -v -1 host2
    [stuff elided]
    debug1: Encryption type: 3des
    debug1: Sent encrypted session key.
    debug1: Installing crc compensation attack detector.
    Disconnecting: Corrupted check bytes on input.
    debug1: Calling cleanup 0x8063930(0x0)

I am running Red Hat 6.2 with all current updates.

http://bugzilla.mindrot.org/showattachment.cgi?attach_id=37 ^^ this works for me with 3des-ssh1 and aes256-cbc (as used by PUTTY)

Yup, that makes 3des with protocol 1 work. Thanks! "blowfish" is still broken, though. Any chance of fixing it, too? We have some automated scripts here which specify Blowfish for speed. Yes, we should migrate to protocol 2 and AES. But not this weekend :-).

*** Bug 169 has been marked as a duplicate of this bug. ***

http://bugzilla.mindrot.org/showattachment.cgi?attach_id=37 - how do i apply that? if i simply replace cipher.c with it, i get this error:

    # make install
    (cd openbsd-compat && make)
    gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/opt -DSSHDIR=\"/opt/etc\" -D_PATH_SSH_PROGRAM=\"/opt/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DSSH_RAND_HELPER=\"/opt/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c cipher.c
    cipher.c:74: unterminated comment
    make: *** [cipher.o] Error 1
    make: *** Waiting for unfinished jobs....
    make[1]: Entering directory `/home/software/install/openssh-3.1p1/openbsd-compat'
    make[1]: Nothing to be done for `all'.
    make[1]: Leaving directory `/home/software/install/openssh-3.1p1/openbsd-compat'

In the previous episode (16.03.2002, 13:47:51), Pat said:
> > http://bugzilla.mindrot.org/showattachment.cgi?attach_id=37 - how do i apply that?
>
> You use the "patch" utility. Something like this:
>
> cd /usr/local/src/openssh-3.1p1
> patch -p0 < ../patch.txt
>
> - Pat
>
thanks, that solved the problem with "make install" for me on RedHat 6.2
*** Bug 186 has been marked as a duplicate of this bug. ***

This should be fixed in the CVS tree. If this is still an issue please reopen before OpenSSH 3.2 goes gold.

blowfish w/ ssh1 could still be broken. please check.

As far as I can tell, blowfish is indeed broken in ssh1.

    [eds@ike eds]$ ssh -v -1 postal
    OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
    ... snip some output ...
    debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
    debug1: match: OpenSSH_3.1p1 pat OpenSSH*
    debug1: Local version string SSH-1.5-OpenSSH_3.1p1
    debug1: Waiting for server public key.
    debug1: Received server public key (768 bits) and host key (1024 bits).
    debug1: Host 'postal' is known and matches the RSA1 host key.
    debug1: Found key in /home/eds/.ssh/known_hosts:25
    debug1: Encryption type: blowfish
    debug1: Sent encrypted session key.
    debug1: Installing crc compensation attack detector.
    Disconnecting: Corrupted check bytes on input.
    debug1: Calling cleanup 0x8062778(0x0)

I can confirm that blowfish + ssh1 + OpenSSL 0.9.5a is still broken with this most recent patch. I suggest reopening this bug ticket or creating a new one, unless there are no plans to fix this.

*** Bug 232 has been marked as a duplicate of this bug. ***

can anyone look into ssh1+bf+old-openssl?

*** Bug 242 has been marked as a duplicate of this bug. ***

Created attachment 121
Patch for openssh 3.4p1, which corrects problems with blowfish + ssh1 + OpenSSL 0.9.5a

Patch applied - thanks

Mass change of RESOLVED bugs to CLOSED

Created attachment 875
12
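
The `ssh -v` banners quoted in this report show `OpenSSL 0x0090581f`. As an added example (not OpenSSH or OpenSSL code, and not written by any commenter), the C below decodes that number using the pre-3.0 `OPENSSL_VERSION_NUMBER` layout documented in `opensslv.h` and shows why it falls below a 0.9.6 minimum. The function names and the `OSSL_MIN_0_9_6` threshold are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Pre-3.0 OPENSSL_VERSION_NUMBER layout (opensslv.h): 0xMNNFFPPS
 * M major, NN minor, FF fix, PP patch letter, S status (0 dev, 1..e beta, f release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

/* Illustrative threshold (assumption of this example): first value in the 0.9.6 range. */
#define OSSL_MIN_0_9_6 0x00906000UL

struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    if (v == 0x00905100UL) {            /* 0.9.5 itself shipped with this odd code */
        r.patch = 0; r.status = 0xf;
    } else if (r.major == 0 && r.minor == 9 && r.fix == 5) {
        r.patch &= 0x7f;                /* 0.9.5a..: top patch bit set only for ordering */
    }
    return r;
}

/* Render e.g. "0.9.5a (release)" into buf; returns buf. */
char *ossl_describe(unsigned long v, char *buf, size_t n)
{
    struct ossl_ver r = ossl_decode(v);
    char letter[2] = { 0, 0 };
    const char *st = r.status == 0xf ? "release" : r.status == 0 ? "dev" : "beta";
    if (r.patch >= 1 && r.patch <= 26)  /* single-letter patch levels only */
        letter[0] = (char)('a' + r.patch - 1);
    snprintf(buf, n, "%u.%u.%u%s (%s)", r.major, r.minor, r.fix, letter, st);
    return buf;
}

/* The encoding is ordered, so a minimum-version gate is a plain integer compare. */
int ossl_meets_minimum(unsigned long v, unsigned long min) { return v >= min; }

int main(void)
{
    char buf[32];
    unsigned long seen = 0x0090581fUL;  /* value from the ssh -v banner in this report */
    printf("%s -> %s\n", ossl_describe(seen, buf, sizeof buf),
           ossl_meets_minimum(seen, OSSL_MIN_0_9_6) ? "ok" : "too old");
    return 0;
}
```

A build-time or startup gate of this kind fails early on an old library instead of surfacing later as a protocol error such as the "Corrupted check bytes on input" disconnects above.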