On Wed, Jul 16, 2014 at 09:18:02AM +1000, Damien Miller wrote: > On Tue, 15 Jul 2014, Petr Lautrbach wrote: > > > Hello, > > > > I've updated sources but forgot to recreate configure so I've ended without > > #define HAVE_EVP_RIPEMD160 1 > > > > and ssh client ended with: > > > > OpenSSH_6.7p1, OpenSSL 1.0.1h-fips 5 Jun 2014 > > debug1: Reading configuration data ssh.config > > main: mux digest failed > > > > The problem was that ssh_digest_by_alg() couldn't verify alg with an index bigger than 1 since > > the line with SSH_DIGEST_RIPEMD160 wasn't compiled in and all indexes in the ssh_digest digests array > > was lowered by one. > > > > /* NB. Indexed directly by algorithm number */ > > const struct ssh_digest digests[] = { > > { SSH_DIGEST_MD5, "MD5", 16, EVP_md5 }, > > #ifdef HAVE_EVP_RIPEMD160 /* XXX replace with local if missing */ > > { SSH_DIGEST_RIPEMD160, "RIPEMD160", 20, EVP_ripemd160 }, > > #endif > > { SSH_DIGEST_SHA1, "SHA1", 20, EVP_sha1 }, > > ... > > Try this: It works, thanks. Petr
> Index: digest-openssl.c
> ===================================================================
> RCS file: /var/cvs/openssh/digest-openssl.c,v
> retrieving revision 1.5
> diff -u -p -r1.5 digest-openssl.c
> --- digest-openssl.c 3 Jul 2014 11:23:25 -0000 1.5
> +++ digest-openssl.c 15 Jul 2014 23:16:30 -0000
> @@ -30,6 +30,15 @@
> #include "digest.h"
> #include "ssherr.h"
>
> +#ifndef HAVE_EVP_RIPEMD160
> +# define EVP_ripemd160 NULL
> +#endif /* HAVE_EVP_RIPEMD160 */
> +#ifndef HAVE_EVP_SHA256
> +# define EVP_sha256 NULL
> +# define EVP_sha384 NULL
> +# define EVP_sha512 NULL
> +#endif /* HAVE_EVP_SHA256 */
> +
> struct ssh_digest_ctx {
> int alg;
> EVP_MD_CTX mdctx;
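Review bot: The added fallbacks `# define EVP_ripemd160 NULL` and `# define EVP_sha256 NULL` (with `EVP_sha384`, `EVP_sha512`) reuse OpenSSL's own function names, so they are only safe if every OpenSSL header has already been included above this point. The include list starts outside the hunk, so that ordering cannot be confirmed here. In the stale-configure case reported in this thread, the library presumably does provide the function while `HAVE_EVP_RIPEMD160` is undefined, so the define would silently disable a working digest rather than fail the build. A comment above the block would record both constraints, for example `/* Must follow all OpenSSL includes; a NULL mdfunc marks a digest this build cannot use */`.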
> @@ -45,15 +54,11 @@ struct ssh_digest {
> /* NB. Indexed directly by algorithm number */
> const struct ssh_digest digests[] = {
> { SSH_DIGEST_MD5, "MD5", 16, EVP_md5 },
> -#ifdef HAVE_EVP_RIPEMD160 /* XXX replace with local if missing */
> { SSH_DIGEST_RIPEMD160, "RIPEMD160", 20, EVP_ripemd160 },
> -#endif
> { SSH_DIGEST_SHA1, "SHA1", 20, EVP_sha1 },
> -#ifdef HAVE_EVP_SHA256 /* XXX replace with local if missing */
> { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
> { SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 },
> { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
> -#endif
> { -1, NULL, 0, NULL },
> };
>
> @@ -63,6 +68,8 @@ ssh_digest_by_alg(int alg)
> if (alg < 0 || alg >= SSH_DIGEST_MAX)
> return NULL;
> if (digests[alg].id != alg) /* sanity */
> + return NULL;
> + if (digests[alg].mdfunc == NULL)
> return NULL;
> return &(digests[alg]);
> }
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
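Review bot: The table comment `/* NB. Indexed directly by algorithm number */` no longer says enough now that the `#ifdef` guards are gone, because nothing warns the next editor that an entry must never be compiled out again. I would extend it to `/* NB. Indexed directly by algorithm number: never #ifdef an entry out; an unavailable digest keeps its slot with a NULL mdfunc */`. Any code outside this hunk that finds a digest by name or walks `digests[]` without going through `ssh_digest_by_alg()` would presumably still see the unavailable entries and should treat a NULL `mdfunc` as unsupported. That cannot be checked from the lines shown.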
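Review bot: The new `if (digests[alg].mdfunc == NULL)` test in `ssh_digest_by_alg()` carries no comment, although the check above it is marked `/* sanity */` and this one covers an expected build-time condition rather than a corrupted table. A short marker such as `if (digests[alg].mdfunc == NULL) /* digest not available in this build */` makes the difference explicit. Returning NULL here is what keeps callers from calling through a null function pointer, so every caller has to treat NULL as a hard failure. The `main: mux digest failed` message in the report suggests at least one caller does, but the callers are outside this hunk.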