Subject: Re: bin/35965 (SSHD doesn't work under protocol 1)
To: Ben Harris <bjh21@NetBSD.org>
From: Kazushi (Jam) Marukawa <jam@pobox.com>
List: netbsd-bugs
Date: 03/11/2007 01:15:23
   On Mar 10, 20:14, Kazushi (Jam) Marukawa wrote:
   > Subject: Re: bin/35965 (SSHD doesn't work under protocol 1)
   >    On Mar 10, 10:40, Ben Harris wrote:
   >    > Subject: bin/35965 (SSHD doesn't work under protocol 1)
   >    > Given the messages about "set keylen", I suspect (but haven't checked) 
   >    > that this is a manifestation of a bug in OpenSSL 0.9.8e, which breaks 
   >    > certain ciphers in OpenSSH <= 4.5p1.  See
   >    > <http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/
   >    > ssh2-aesctr-openssh.html> and
   >    > <http://bugzilla.mindrot.org/show_bug.cgi?id=1291>.
   > 
   > Not sure about this.  Maybe this is the reason of my
   > problem.
   > 
   > How can I retrieve the version number of ssh from NetBSD's
   > /usr/src stuff?  Thanks.

Ok.  This is the reason of my problem.  Many thanks.
EVP_CIPHER_CTX_key_length function was coded wrongly as
described in the web page Ben showed.

 http://bugzilla.mindrot.org/show_bug.cgi?id=1291

I hand modified function as described in comment #4 in that
page.  New sshd with modified openssl worked fine.

Protocol 1 is not secure enough like John described.
However, it is still used by users.  It is not possible to
deny them.  I need protocol 1.


How to fix (by hand):
  For OpenSSL 0.9.8e only.  This will be fixed in the next release.

  Open /usr/src/crypto/dist/openssl/crypto/evp/evp_lib.c
  Find a function named EVP_CIPHER_CTX_key_length
  Modified it as follow.

int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx)
        {
        return ctx->key_len;
        }

  Compile userland and install it.

Regards,
-- Kazushi