In the "INSTALL" file of the portible 3.1p1. It says you will need: "OpenSSL 0.9.5a or greater:" On Linux and FreeBSD, I cannot get it to compile with SSL lower than 0.9.6
*** Bug 139 has been marked as a duplicate of this bug. ***
Documentation has been corrected. Yes 0.9.6 is required at this time.
does this patch help http://bugzilla.mindrot.org/showattachment.cgi?attach_id=32
Markus, Your patch did allow us to compile with OpenSSL 0.9.5a.
... but apparently breaks ssh1 compatibility (or something miscompiled to do so: $ ssh -v -1 bar.chm.bnl.gov OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f [ ... ] debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1 debug1: match: OpenSSH_3.1p1 pat OpenSSH* debug1: Local version string SSH-1.5-OpenSSH_3.1p1 [ ... ] debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. Disconnecting: Corrupted check bytes on input. debug1: Calling cleanup 0x8060fb8(0x0)
what happens if you additionally replace cipher_init from cipher.c with void cipher_init(CipherContext *cc, Cipher *cipher, const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, int encrypt) { static int dowarn = 1; EVP_CIPHER *type; int klen; if (cipher->number == SSH_CIPHER_DES) { if (dowarn) { error("Warning: use of DES is strongly discouraged " "due to cryptographic weaknesses"); dowarn = 0; } if (keylen > 8) keylen = 8; } cc->plaintext = (cipher->number == SSH_CIPHER_NONE); if (keylen < cipher->key_len) fatal("cipher_init: key length %d is insufficient for %s.", keylen, cipher->name); if (iv != NULL && ivlen < cipher->block_size) fatal("cipher_init: iv length %d is insufficient for %s.", ivlen, cipher->name); cc->cipher = cipher; type = (*cipher->evptype)(); if (type->key_len < cipher->key_len) type->key_len = cipher->key_len; EVP_CIPHER_CTX_init(&cc->evp); EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv, (encrypt == CIPHER_ENCRYPT)); }
*** Bug 154 has been marked as a duplicate of this bug. ***
the cipher_init change does not help the problem debug1: cipher_init: set keylen (16 -> 32) debug1: cipher_init: set keylen (16 -> 32) debug1: Installing crc compensation attack detector. Disconnecting: Corrupted check bytes on input. debug1: Calling cleanup 0x8063550(0x0) still throwing an error on any ssh1 connection
this should help for 3des/ssh1 http://bugzilla.mindrot.org/showattachment.cgi?attach_id=35
With http://bugzilla.mindrot.org/showattachment.cgi?attach_id=35 applied I get exactly the same failure as with the earlier patch: host1$ ./ssh -v -1 host2 [stuff elided] debug1: Encryption type: 3des debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. Disconnecting: Corrupted check bytes on input. debug1: Calling cleanup 0x8063930(0x0) I am running Red Hat 6.2 with all current updates.
http://bugzilla.mindrot.org/showattachment.cgi?attach_id=37 ^^ this works for me with 3des-ssh1 and aes256-cbc (as used by PUTTY)
Yup, that makes 3des with protocol 1 work. Thanks! "blowfish" is still broken, though. Any chance of fixing it, too? We have some automated scripts here which specify Blowfish for speed. Yes, we should migrate to protocol 2 and AES. But not this weekend :-).
*** Bug 169 has been marked as a duplicate of this bug. ***
http://bugzilla.mindrot.org/showattachment.cgi?attach_id=37 - how do i apply that? if i simply replace cipher.c with it, i get this error: # make install (cd openbsd-compat && make) gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/opt -DSSHDIR=\"/opt/etc\" -D_PATH_SSH_PROGRAM=\"/opt/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DSSH_RAND_HELPER=\"/opt/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c cipher.c cipher.c:74: unterminated comment make: *** [cipher.o] Error 1 make: *** Waiting for unfinished jobs.... make[1]: Entering directory `/home/software/install/openssh-3.1p1/openbsd-compat' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/home/software/install/openssh-3.1p1/openbsd-compat'
thanks, that solved the problem with "make install" for me on RedHat 6.2
In the previous episode (16.03.2002, 13:47:51), Pat said: > > http://bugzilla.mindrot.org/showattachment.cgi?attach_id=37 - how do i > apply > > that? > > You use the "patch" utility. Something like this: > > cd /usr/local/src/openssh-3.1p1 > patch -p0 < ../patch.txt > > - Pat > thanks, that solved the problem with "make install" for me on RedHat 6.2
*** Bug 186 has been marked as a duplicate of this bug. ***
This should be fixed in the CVS tree. If this is still an issue please reopen before OpenSSH 3.2 goes gold.
blowfish w/ ssh1 could still be broken. please check.
As far as I can tell, blowfish is indeed broken in ssh1. [eds@ike eds]$ ssh -v -1 postal OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f ... snip some output ... debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1 debug1: match: OpenSSH_3.1p1 pat OpenSSH* debug1: Local version string SSH-1.5-OpenSSH_3.1p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug1: Host 'postal' is known and matches the RSA1 host key. debug1: Found key in /home/eds/.ssh/known_hosts:25 debug1: Encryption type: blowfish debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. Disconnecting: Corrupted check bytes on input. debug1: Calling cleanup 0x8062778(0x0)
I can confirm that blowfish + ssh1 + OpenSSL 0.9.5a is still broken with this most recent patch. I suggest reopening this bug ticket or creating a new one, unless there are no plans to fix this.
*** Bug 232 has been marked as a duplicate of this bug. ***
can anyone look into ssh1+bf+old-openssl?
*** Bug 242 has been marked as a duplicate of this bug. ***
Created attachment 121 [details] Patch for openssh 3.4p1, which corrects problems with blowfish + ssh1 + OpenSSL 0.9.5a
Patch applied - thanks
Mass change of RESOLVED bugs to CLOSED
Created attachment 875 [details] 12