On Mar 9 08:57, Darren Tucker wrote:
> On Fri, Mar 09, 2007 at 07:25:22AM +1100, Darren Tucker wrote:
> > Corinna Vinschen wrote:
> [...]
> > > $ ssh -1 somemachine
> > > Disconnecting: Corrupted check bytes on input.
> > > [...]
> In fact, if you're using OpenSSL 0.9.8e I suggest you apply the following
> patch to it, recompile everything and see if your problem persists.
>
> The symmetry of the problem (ie it works with itself but doesn't
> interoperate) is the same as what I saw with the AES counter-mode
> problems in OpenSSH bug #1291.
>
> That workaround above only helps for the bits of OpenSSH that use
> EVP_CIPHER_CTX_key_length, it doesn't help where OpenSSL itself uses it,
> which may be the case here. See bugzilla #1291 for details.
>
> Index: crypto/evp/evp_lib.c
> ===================================================================
> RCS file:
> /home/dtucker/src/security/openssl/cvs/openssl-cvs/openssl/crypto/evp/evp_lib.c,v
> retrieving revision 1.10.2.1
> diff -u -p -r1.10.2.1 evp_lib.c
> --- crypto/evp/evp_lib.c 29 Nov 2006 20:47:13 -0000 1.10.2.1
> +++ crypto/evp/evp_lib.c 3 Mar 2007 23:54:00 -0000
> @@ -225,7 +225,7 @@ int EVP_CIPHER_key_length(const EVP_CIPH
>
> int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx)
> {
> - return ctx->cipher->key_len;
> + return ctx->key_len;
> }
>
> int EVP_CIPHER_nid(const EVP_CIPHER *cipher)
Thanks Darren, that did it! I first tried with just adding the missing
#include to cipher-bf1.c, but that didn't help. Only by applying the
above patch to openssl-0.9.8e I could connect to the Linux box using
openssh-4.5p1 with openssl-0.9.8d.
So, the bottom line is, I have to release a patched version of openssl.
Oh well.
Thanks again,
Corinna
--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
|