openssh unix dev - Jul 2000 - ``portability'' patch for OpenSSH S/Key support

More specifically, the hashing functions in most operating systems will
be provided by OpenSSL, rather than libc. OpenSSL does not have SHA1_End
but since it is used only for generating fake challenges, the impact of
changing it to SHA1_Final should be small.

A more general solution would be to have configure.in test for sha1.h,
openssl/sha.h, and SHA1_End. configure.in should also add auth-skey.o to
SSHDOBJS in Makefile if S/Key is enabled; my patch below does not cover
those issues. Perhaps another time.

If any GNU/Linux admins want to play with S/Key, I have some patches on
the OpenBSD versions at http://ftp.m.org.nz/users/cky/patches/skey/ (or,
of course, ftp://...).

Enjoy!
	---Chris K.

			*	*	*

--- auth-skey.c	Thu Jun 22 23:32:31 2000
+++ auth-skey.c	Sun Jul  2 15:17:47 2000
@@ -4,7 +4,7 @@
 
 #include "ssh.h"
 #include "packet.h"
-#include <sha1.h>
+#include <openssl/sha.h>
 
 /* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */
 
@@ -74,7 +74,6 @@
 	size_t secretlen = 0;
 	SHA_CTX ctx;
 	char *p, *u;
-	char md[SHA_DIGEST_LENGTH];
 
 	/*
 	 * Base first 4 chars of seed on hostname.
@@ -99,7 +98,7 @@
 
 		SHA1_Init(&ctx);
 		SHA1_Update(&ctx, username, strlen(username));
-		SHA1_End(&ctx, up);
+		SHA1_Final(up, &ctx);
 
 		/* Collapse the hash */
 		ptr = hash_collapse(up);
@@ -133,7 +132,7 @@
 		SHA1_Init(&ctx);
 		SHA1_Update(&ctx, secret, secretlen);
 		SHA1_Update(&ctx, username, strlen(username));
-		SHA1_End(&ctx, up);
+		SHA1_Final(up, &ctx);
 		
 		/* Zero out */
 		memset(secret, 0, secretlen);
@@ -141,7 +140,7 @@
 		/* Now hash the hash */
 		SHA1_Init(&ctx);
 		SHA1_Update(&ctx, up, strlen(up));
-		SHA1_End(&ctx, up);
+		SHA1_Final(up, &ctx);
 		
 		ptr = hash_collapse(up + 4);
 		

-- 
 Chris, the Young One |_ If Robert Di Niro assassinates Walter Slezak,
  Auckland, New Zealand |_ will Jodie Foster marry Bonzo??
http://cloud9.hedgee.com/ |_

On Sun, 2 Jul 2000, Chris, the Young One wrote:
> More specifically, the hashing functions in most operating systems will
> be provided by OpenSSL, rather than libc. OpenSSL does not have SHA1_End
> but since it is used only for generating fake challenges, the impact of
> changing it to SHA1_Final should be small.
Thanks, patch applied.
> A more general solution would be to have configure.in test for sha1.h,
> openssl/sha.h, and SHA1_End. configure.in should also add auth-skey.o to
> SSHDOBJS in Makefile if S/Key is enabled; my patch below does not cover
> those issues. Perhaps another time.
SHA1 is SHA1 :) We are linking against OpenSSL, so we might as well 
use their routines.
> If any GNU/Linux admins want to play with S/Key, I have some patches on
> the OpenBSD versions at http://ftp.m.org.nz/users/cky/patches/skey/ (or,
> of course, ftp://...).
Do you intend to roll your patches into a tarball with a Makefile, etc?
It would be great to be able to point people to a ported version
of OpenBSD's S/Key libs.

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

Damien Miller writes:
! SKey support has never been removed, most of the code is now in auth*.c

Actually, the ChangeLog in 20000501 says

   [auth2.c]
   - disable kerb,s/key in ssh2

So if you want to use S/Key you have to use SSH1 mode. Another reason I
still use SSH1 is because I don't know how to use ssh-agent with SSH2.

	---Chris K.
-- 
 Chris, the Young One |_ You know it's going to be a bad day when you
  Auckland, New Zealand |_ want to put on the clothes you wore home from
http://cloud9.hedgee.com/ |_ the party and there aren't any.