missing HAVE_EVP_RIPEMD160 breaks ssh client

Damien Miller djm at mindrot.org
Wed Jul 16 09:18:02 EST 2014 

On Tue, 15 Jul 2014, Petr Lautrbach wrote:

> Hello,
> 
> I've updated sources but forgot to recreate configure so I've ended without
> #define HAVE_EVP_RIPEMD160 1
> 
> and ssh client ended with:
> 
> OpenSSH_6.7p1, OpenSSL 1.0.1h-fips 5 Jun 2014
> debug1: Reading configuration data ssh.config
> main: mux digest failed
> 
> The problem was that ssh_digest_by_alg() couldn't verify alg with an index bigger than 1 since
> the line with SSH_DIGEST_RIPEMD160 wasn't compiled in and all indexes in the ssh_digest digests array
> was lowered by one.
> 
> /* NB. Indexed directly by algorithm number */
> const struct ssh_digest digests[] = {
> 	{ SSH_DIGEST_MD5,	"MD5",	 	16,	EVP_md5 },
> #ifdef HAVE_EVP_RIPEMD160 /* XXX replace with local if missing */
> 	{ SSH_DIGEST_RIPEMD160,	"RIPEMD160",	20,	EVP_ripemd160 },
> #endif
> 	{ SSH_DIGEST_SHA1,	"SHA1",	 	20,	EVP_sha1 },
> ...

Try this:

Index: digest-openssl.c
===================================================================
RCS file: /var/cvs/openssh/digest-openssl.c,v
retrieving revision 1.5
diff -u -p -r1.5 digest-openssl.c
--- digest-openssl.c	3 Jul 2014 11:23:25 -0000	1.5
+++ digest-openssl.c	15 Jul 2014 23:16:30 -0000
@@ -30,6 +30,15 @@
 #include "digest.h"
 #include "ssherr.h"
 
+#ifndef HAVE_EVP_RIPEMD160
+# define EVP_ripemd160 NULL
+#endif /* HAVE_EVP_RIPEMD160 */
+#ifndef HAVE_EVP_SHA256
+# define EVP_sha256 NULL
+# define EVP_sha384 NULL
+# define EVP_sha512 NULL
+#endif /* HAVE_EVP_SHA256 */
+
 struct ssh_digest_ctx {
 	int alg;
 	EVP_MD_CTX mdctx;
@@ -45,15 +54,11 @@ struct ssh_digest {
 /* NB. Indexed directly by algorithm number */
 const struct ssh_digest digests[] = {
 	{ SSH_DIGEST_MD5,	"MD5",	 	16,	EVP_md5 },
-#ifdef HAVE_EVP_RIPEMD160 /* XXX replace with local if missing */
 	{ SSH_DIGEST_RIPEMD160,	"RIPEMD160",	20,	EVP_ripemd160 },
-#endif
 	{ SSH_DIGEST_SHA1,	"SHA1",	 	20,	EVP_sha1 },
-#ifdef HAVE_EVP_SHA256 /* XXX replace with local if missing */
 	{ SSH_DIGEST_SHA256,	"SHA256", 	32,	EVP_sha256 },
 	{ SSH_DIGEST_SHA384,	"SHA384",	48,	EVP_sha384 },
 	{ SSH_DIGEST_SHA512,	"SHA512", 	64,	EVP_sha512 },
-#endif
 	{ -1,			NULL,		0,	NULL },
 };
 
@@ -63,6 +68,8 @@ ssh_digest_by_alg(int alg)
 	if (alg < 0 || alg >= SSH_DIGEST_MAX)
 		return NULL;
 	if (digests[alg].id != alg) /* sanity */
+		return NULL;
+	if (digests[alg].mdfunc == NULL)
 		return NULL;
 	return &(digests[alg]);
 }

More information about the openssh-unix-dev mailing list