missing HAVE_EVP_RIPEMD160 breaks ssh client
Petr Lautrbach
plautrba at redhat.com
Wed Jul 16 01:00:01 EST 2014
Hello,
I've updated the sources but forgot to recreate configure, so I ended up without
#define HAVE_EVP_RIPEMD160 1
and the ssh client ended with:
OpenSSH_6.7p1, OpenSSL 1.0.1h-fips 5 Jun 2014
debug1: Reading configuration data ssh.config
main: mux digest failed
The problem was that ssh_digest_by_alg() couldn't verify alg with an index bigger than 1 since
the line with SSH_DIGEST_RIPEMD160 wasn't compiled in and all indexes in the ssh_digest digests array
were lowered by one.
/* NB. Indexed directly by algorithm number */
const struct ssh_digest digests[] = {
	{ SSH_DIGEST_MD5, "MD5", 16, EVP_md5 },
#ifdef HAVE_EVP_RIPEMD160 /* XXX replace with local if missing */
	{ SSH_DIGEST_RIPEMD160, "RIPEMD160", 20, EVP_ripemd160 },
#endif
	{ SSH_DIGEST_SHA1, "SHA1", 20, EVP_sha1 },
...
Would it be worth using an enum instead of defined constants for the digest type?
--- a/digest.h
+++ b/digest.h
@@ -22,13 +22,17 @@
#define SSH_DIGEST_MAX_LENGTH 64
/* Digest algorithms */
-#define SSH_DIGEST_MD5 0
-#define SSH_DIGEST_RIPEMD160 1
-#define SSH_DIGEST_SHA1 2
-#define SSH_DIGEST_SHA256 3
-#define SSH_DIGEST_SHA384 4
-#define SSH_DIGEST_SHA512 5
-#define SSH_DIGEST_MAX 6
+enum ssh_digest_type {
+ SSH_DIGEST_MD5,
+#ifdef HAVE_EVP_RIPEMD160 /* XXX replace with local if missing */
+ SSH_DIGEST_RIPEMD160,
+#endif
+ SSH_DIGEST_SHA1,
+ SSH_DIGEST_SHA256,
+ SSH_DIGEST_SHA384,
+ SSH_DIGEST_SHA512,
+ SSH_DIGEST_MAX
+};
struct sshbuf;
struct ssh_digest_ctx;
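Review bot: the `#ifdef HAVE_EVP_RIPEMD160` inside `enum ssh_digest_type` makes the numeric values of SSH_DIGEST_SHA1 through SSH_DIGEST_MAX depend on a configure result, so digest.h now yields different numbers depending on whether the configure defines were included before it, and two objects compiled with differing definitions would disagree without any diagnostic. It also means any reference to SSH_DIGEST_RIPEMD160 that is not itself wrapped in the same `#ifdef` stops compiling when the macro is absent. Consider keeping the enumerators unconditional with their current values (`SSH_DIGEST_RIPEMD160 = 1` and so on) and handling the missing algorithm in the digests table instead, or at least add a comment that this header must be included after the configure defines.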
Regards,
Petr
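
The index shift described in the message above, as an added example that is not part of the original post or of OpenSSH: a positional table with one row compiled out is compared with a table whose rows are pinned by designated initializers. The names `digest`, `shifted`, `pinned` and `lookup` and the shortened algorithm set are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Fixed algorithm numbers, as in the pre-patch digest.h (shortened set). */
enum { DIGEST_MD5 = 0, DIGEST_RIPEMD160 = 1, DIGEST_SHA1 = 2,
       DIGEST_SHA256 = 3, DIGEST_MAX = 4 };

struct digest { int id; const char *name; size_t len; };

/* Positional table with the RIPEMD160 row compiled out, as happens when
 * HAVE_EVP_RIPEMD160 is undefined: every later row moves down one slot. */
static const struct digest shifted[] = {
	{ DIGEST_MD5,    "MD5",    16 },
	{ DIGEST_SHA1,   "SHA1",   20 },
	{ DIGEST_SHA256, "SHA256", 32 },
};

/* Designated initializers pin each row to its own number; the omitted
 * row stays zeroed (name == NULL) and nothing else moves. */
static const struct digest pinned[DIGEST_MAX] = {
	[DIGEST_MD5]    = { DIGEST_MD5,    "MD5",    16 },
	[DIGEST_SHA1]   = { DIGEST_SHA1,   "SHA1",   20 },
	[DIGEST_SHA256] = { DIGEST_SHA256, "SHA256", 32 },
};

/* Hypothetical lookup: bound by the real row count, then reject empty
 * rows and rows whose stored id does not match their position. */
static const struct digest *
lookup(const struct digest *tab, size_t nrows, int alg)
{
	if (alg < 0 || (size_t)alg >= nrows)
		return NULL;
	if (tab[alg].name == NULL || tab[alg].id != alg)
		return NULL;
	return &tab[alg];
}

int
main(void)
{
	size_t n = sizeof(shifted) / sizeof(shifted[0]);

	for (int alg = 0; alg < DIGEST_MAX; alg++) {
		const struct digest *s = lookup(shifted, n, alg);
		const struct digest *p = lookup(pinned, DIGEST_MAX, alg);
		printf("alg %d: shifted=%s pinned=%s\n", alg,
		    s ? s->name : "(rejected)", p ? p->name : "(rejected)");
	}
	return 0;
}
```

With the shifted table only MD5 resolves; with the pinned table only the algorithm that was compiled out is rejected.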