similar to: OpenSSL 1.1.0 support

On 11/02/2016 01:43 AM, Colin Watson wrote: > On Sun, Sep 18, 2016 at 08:22:31PM +0200, Kurt Roeckx wrote: >> Attached is a patch that add supports for building against OpenSSL >> 1.1.0. I also made a github pull request for it at: >> https://github.com/openssh/openssh-portable/pull/48 > Hi, > > Debian unstable now has OpenSSL 1.1.0 as the default, so I'll have to

Hello, I am working on a bounds checking gcc(based on Richard Jones work) with a low enough overhead that will make it acceptable in production code. And i obtained openssh-3.2.2p1 with the view of testing the effectiveness of my code detecting the recently reported vunerability,but my code fails on with an error report of a use of memcpy with overlapping source and destination regions. I have

On Thu, Sep 21, 2017 at 02:22:10AM -0500, Zev Weiss wrote: > test_kex: regress/unittests/kex/test_kex.c:91 test #1 "sshkey_generate" > ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0) failed: > sshkey_generate(keytype, bits, &private) = -56 That error code is: $ grep -- -56 ssherr.h #define SSH_ERR_KEY_LENGTH -56 Unfortunately there's lots of

Hi, more or less a year ago Kurt Roeckx provided an initial port towards the OpenSSL 1.1 API [0]. The patch has been left untouched [1] and it has been complained about a missing compat layer of the new vs the old API within the OpenSSL library [2]. This is how I reconstructed the situation as of today and I am not aware of any progress in regard to the newer library within the OpenSSH project.

Am I the only person to be seeing this log message from sshd: fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc [preauth] ? (security/openssh-portable, with HPN patches and MIT Kerberos, although Kerberos is not actually configured on this server.) A work-around is to disable aes128-cbc in sshd_config, but it would be nice not to have my logs spammed with this. Currently

Hi OpenSSH team, I find a url http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808, which provides unofficial patch for FIPS Capable OpenSSH. I try it and it seems working for some cases. (BTW, I also find that aes128-ctr, aes192-ctr and aes256-ctr ciphers can't work in FIPS mode properly. The fips mode sshd debug info is as following.

Hello, quoted patch free's cipher_data malloc'd in calls to EVP_CipherInit() in ssh1_3des_init(), at least linked with openssl >= 0.9.7. It does not appear to me (superficial scan) that there is any harm in calling the _cleanup routine with earlier openssl. fwiw :laird --- openssh-3.7.1p2/cipher-3des1.c Tue Sep 23 05:24:21 2003 +++ src37m/cipher-3des1.c Mon Dec 15

Add support to load additional certificates for already loaded private keys. Useful if the private key is on a PKCS#11 hardware token. The private keys inside ssh-agent are now using a refcount to share the private parts between "Identities". The reason for this change was that the PKCS#11 code might have redirected ("wrap") the RSA functions to a hardware token. We don't

Package: xen-3.0 Version: 3.0.4-1-1 Severity: important Hi, Your package is trying to build 32 bit binaries on amd64, and fails with the following error: /usr/include/gnu/stubs.h:7:27: error: gnu/stubs-32.h: No such file or directory If you want to build 32 bit binaries on 64 bit arches, you need to build depend on gcc-multilib on those arches. Kurt

We want to have the same files on multiple sites, of which one act as master. If the file changes on 1 site it should be moved to the master, and then from the master to the other sites. That part shouldn't be that hard to do, but what also should happen is that if a file is deleted or added on one site it should get removed or added on the sites too. And afaik, I can't currently do

Hi OpenSSh Developer, Currently, I can make openssh-5.0p1 working in FIPS mode. The detail steps I did are as follows. 1) Build FIPS OpenSSL according to FIPS User Guide(http://www.openssl.org/docs/fips/) on HP-UX PA 11.23 box. FIPS object module is generated by compiling openssl-fips-1.1.2. FIPS OpenSSL is built by openssl-0.9.7m, which is passed fips option for Configure step. 2) Modify

Hi all. Solaris 10's default libcrypto does not have support for AES 192 and 256 bit functions. The attached patch, against -current, and based partially on an earlier one by djm, will use OpenSSH's builtin rijndael code for all AES crypto functions and thus will allow it to build and function on Solaris 10 without the extra crypto packages (SUNWcry, SUNWcryr) or a locally built OpenSSL.

On Fri, 2019-07-12 at 15:54 +1000, Damien Miller wrote: > On Thu, 17 Jan 2019, Yuriy M. Kaminskiy wrote: > > > On some cpu's optimized chacha implementation in openssl (1.1.0+) > > is > > notably faster (and on others it is just faster) than generic C > > implementation in openssh. > > > > Sadly, openssl's chacha20-poly1305

On Thu, Oct 11, 2018 at 10:41 AM Damien Miller <djm at mindrot.org> wrote: > On Wed, 10 Oct 2018, Adam Eijdenberg wrote: > > We see this error on the client side: > > > > debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512> > > ... > > debug1: Offering public key: RSA-CERT SHA256:xxx /path/to/key > > debug1: send_pubkey_test: no

When compiling the software it breaks with an error on the cipher.c file. Lot's of warnings and error of undeclared stuff. Snippet follows: gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -Iyes -I/usr/local/include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"

On Thu, 11 Oct 2018, Adam Eijdenberg wrote: > On Thu, Oct 11, 2018 at 12:13 PM Damien Miller <djm at mindrot.org> wrote: > > Could you try this? > > > > diff --git a/sshconnect2.c b/sshconnect2.c > > index f104408..1d2906f 100644 > > --- a/sshconnect2.c > > +++ b/sshconnect2.c > > @@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const

On Thu, 11 Oct 2018, Damien Miller wrote: > On Thu, 11 Oct 2018, Adam Eijdenberg wrote: > > > Thanks for looking into. I wasn't able to get the patch to apply > > cleanly to the portable source for whatever reason, so I manually made > > the changes and got a little further. I now get past the "no mutual > > signature algorithm" client message, and get

Hi, I have not found any way to use a Certificate with ssh-agent when my Key is stored on a pkcs11 device. I can add my key with ssh-add -s /usr/local/lib/opensc-pkcs11.so but ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub does not add the certificate to my agent. As far as I undestand, in ssh-add.c line 580 if (pkcs11provider != NULL) { if (update_card(agent_fd,

Hi Wayne, I just got this bug report about rsync 3.0.2 reproducibly crashing, together with a backtrace and a patch; very helpful :-) (Please preserve 477931-forwarded@bugs.debian.org in the CC so that you response is archived in the Debian BTS, thanks.) Paul Slootman On Fri 25 Apr 2008, Kurt Roeckx wrote: > Subject: Bug#477931: rsync: Segfaults syncing the linux kernel archive. > From:

http://bugzilla.mindrot.org/show_bug.cgi?id=867 Summary: configure fails to find res_query/dn_expand on Linux amd64 Product: Portable OpenSSH Version: 3.8.1p1 Platform: Other URL: http://bugs.debian.org/242462 OS/Version: Linux Status: NEW Severity: normal Priority: P2