missing HAVE_EVP_RIPEMD160 breaks ssh client

Petr Lautrbach plautrba at redhat.com
Wed Jul 16 23:05:53 EST 2014


On Wed, Jul 16, 2014 at 09:18:02AM +1000, Damien Miller wrote:
> On Tue, 15 Jul 2014, Petr Lautrbach wrote:
> 
> > Hello,
> > 
> > I've updated the sources but forgot to recreate configure, so I ended up without
> > #define HAVE_EVP_RIPEMD160 1
> > 
> > and the ssh client ended with:
> > 
> > OpenSSH_6.7p1, OpenSSL 1.0.1h-fips 5 Jun 2014
> > debug1: Reading configuration data ssh.config
> > main: mux digest failed
> > 
> > The problem was that ssh_digest_by_alg() couldn't verify an alg with an index bigger than 1, since
> > the line with SSH_DIGEST_RIPEMD160 wasn't compiled in and all indexes in the ssh_digest digests array
> > were lowered by one.
> > 
> > /* NB. Indexed directly by algorithm number */
> > const struct ssh_digest digests[] = {
> > 	{ SSH_DIGEST_MD5,	"MD5",	 	16,	EVP_md5 },
> > #ifdef HAVE_EVP_RIPEMD160 /* XXX replace with local if missing */
> > 	{ SSH_DIGEST_RIPEMD160,	"RIPEMD160",	20,	EVP_ripemd160 },
> > #endif
> > 	{ SSH_DIGEST_SHA1,	"SHA1",	 	20,	EVP_sha1 },
> > ...
> 
> Try this:

It works, thanks.

Petr


> Index: digest-openssl.c
> ===================================================================
> RCS file: /var/cvs/openssh/digest-openssl.c,v
> retrieving revision 1.5
> diff -u -p -r1.5 digest-openssl.c
> --- digest-openssl.c	3 Jul 2014 11:23:25 -0000	1.5
> +++ digest-openssl.c	15 Jul 2014 23:16:30 -0000
> @@ -30,6 +30,15 @@
>  #include "digest.h"
>  #include "ssherr.h"
>  
> +#ifndef HAVE_EVP_RIPEMD160
> +# define EVP_ripemd160 NULL
> +#endif /* HAVE_EVP_RIPEMD160 */
> +#ifndef HAVE_EVP_SHA256
> +# define EVP_sha256 NULL
> +# define EVP_sha384 NULL
> +# define EVP_sha512 NULL
> +#endif /* HAVE_EVP_SHA256 */
> +
>  struct ssh_digest_ctx {
>  	int alg;
>  	EVP_MD_CTX mdctx;
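Review bot: defining `EVP_ripemd160`, `EVP_sha256`, `EVP_sha384` and `EVP_sha512` as bare `NULL` macros is only safe while those names are used as function pointers, as they are in the `digests[]` table; any direct call such as `EVP_sha256()` elsewhere in this file would expand to `NULL()` and fail to compile. A one-line comment on the `#ifndef` block stating that the names are placeholders for the table only would make the intent clear to the next editor. Also note that the SHA384 and SHA512 placeholders are keyed on `HAVE_EVP_SHA256` alone, which matches the old `#ifdef HAVE_EVP_SHA256` grouping but still assumes the three SHA-2 getters are always present or absent together.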
> @@ -45,15 +54,11 @@ struct ssh_digest {
>  /* NB. Indexed directly by algorithm number */
>  const struct ssh_digest digests[] = {
>  	{ SSH_DIGEST_MD5,	"MD5",	 	16,	EVP_md5 },
> -#ifdef HAVE_EVP_RIPEMD160 /* XXX replace with local if missing */
>  	{ SSH_DIGEST_RIPEMD160,	"RIPEMD160",	20,	EVP_ripemd160 },
> -#endif
>  	{ SSH_DIGEST_SHA1,	"SHA1",	 	20,	EVP_sha1 },
> -#ifdef HAVE_EVP_SHA256 /* XXX replace with local if missing */
>  	{ SSH_DIGEST_SHA256,	"SHA256", 	32,	EVP_sha256 },
>  	{ SSH_DIGEST_SHA384,	"SHA384",	48,	EVP_sha384 },
>  	{ SSH_DIGEST_SHA512,	"SHA512", 	64,	EVP_sha512 },
> -#endif
>  	{ -1,			NULL,		0,	NULL },
>  };
>  
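Review bot: the two `/* XXX replace with local if missing */` reminders go away with the removed `#ifdef` lines; if a local fallback is still planned for builds without these EVP functions, keep that XXX next to the new `#ifndef` placeholders so it is not lost. Since `ssh_digest_by_alg()` indexes this array directly by algorithm number, it would also be worth pinning the invariant the report violated at compile time, e.g. a static assertion that `sizeof(digests) / sizeof(digests[0]) == SSH_DIGEST_MAX + 1`, so that any future conditionally compiled row fails the build instead of silently shifting every later index.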
> @@ -63,6 +68,8 @@ ssh_digest_by_alg(int alg)
>  	if (alg < 0 || alg >= SSH_DIGEST_MAX)
>  		return NULL;
>  	if (digests[alg].id != alg) /* sanity */
> +		return NULL;
> +	if (digests[alg].mdfunc == NULL)
>  		return NULL;
>  	return &(digests[alg]);
>  }
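Review bot: the new `digests[alg].mdfunc == NULL` check is what lets a compiled-out algorithm fail cleanly now that its row is always present, and the earlier `id != alg` sanity check only reads within bounds because the table is back to its full length. One consequence to be aware of: an out-of-range `alg`, a misplaced row, and a compiled-out algorithm all return `NULL` here, so callers such as the mux code in the report still only see a generic "mux digest failed". If operators need to tell "unknown algorithm" from "not built in", a debug message at this return (or a distinct error code) would help.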

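The index-shift failure Petr describes and the patched checks, as an added stand-alone C example (not OpenSSH's code): the OpenSSL getters are replaced by a dummy `fake_md`, `lookup()` mirrors the patched `ssh_digest_by_alg()` with an explicit row count, and `table_check()` is a hypothetical startup self-check that reports the first slot whose id does not match its index.

```c
#include <stddef.h>
/* Algorithm numbers in the order of the quoted table (constructed, not OpenSSH's digest.h). */
enum { SSH_DIGEST_MD5 = 0, SSH_DIGEST_RIPEMD160, SSH_DIGEST_SHA1,
       SSH_DIGEST_SHA256, SSH_DIGEST_SHA384, SSH_DIGEST_SHA512, SSH_DIGEST_MAX };
typedef const void *(*md_func)(void); /* stand-in for OpenSSL's EVP_md5() etc. */
struct ssh_digest { int id; const char *name; size_t digest_len; md_func mdfunc; };
static const void *fake_md(void) { static int md; return &md; } /* dummy getter */

/* Patched layout: every row present; RIPEMD160 carries a NULL mdfunc to model
 * a build without HAVE_EVP_RIPEMD160. */
static const struct ssh_digest digests[] = {
    { SSH_DIGEST_MD5,       "MD5",       16, fake_md },
    { SSH_DIGEST_RIPEMD160, "RIPEMD160", 20, NULL },
    { SSH_DIGEST_SHA1,      "SHA1",      20, fake_md },
    { SSH_DIGEST_SHA256,    "SHA256",    32, fake_md },
    { SSH_DIGEST_SHA384,    "SHA384",    48, fake_md },
    { SSH_DIGEST_SHA512,    "SHA512",    64, fake_md },
    { -1, NULL, 0, NULL },
};

/* Pre-patch layout from the report: the RIPEMD160 row was #ifdef'd out, so
 * SHA1 sits at index 1 and every later row is off by one. */
static const struct ssh_digest digests_shifted[] = {
    { SSH_DIGEST_MD5,    "MD5",    16, fake_md },
    { SSH_DIGEST_SHA1,   "SHA1",   20, fake_md },
    { SSH_DIGEST_SHA256, "SHA256", 32, fake_md },
    { -1, NULL, 0, NULL },
};

/* Lookup with the patched checks: bounds, index/id agreement, then mdfunc.
 * n is the row count so a too-short table is never read past its end. */
const struct ssh_digest *lookup(const struct ssh_digest *t, size_t n, int alg)
{
    if (alg < 0 || alg >= SSH_DIGEST_MAX || (size_t)alg >= n)
        return NULL;
    if (t[alg].id != alg)      /* sanity: slot alg must hold algorithm alg */
        return NULL;
    if (t[alg].mdfunc == NULL) /* algorithm compiled out */
        return NULL;
    return &t[alg];
}

/* Startup self-check: -1 when slots 0..max-1 each hold their own number,
 * otherwise the first misplaced index (1 for the shifted table above). */
int table_check(const struct ssh_digest *t, size_t n, int max)
{
    for (int i = 0; i < max; i++)
        if ((size_t)i >= n || t[i].id != i)
            return i;
    return -1;
}
```

Run `table_check()` once at startup (or turn it into a unit test) and the shifted table is reported at index 1 instead of surfacing later as a generic digest failure.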
