, prev in thread > _________________________________________________________________ MSN 中文网,最新时尚生活资讯,白领聚集门户。 rt-3.4.5-56043-1212638803-973.1682-6-0 () openssl ! org Date: http://szgy.org next in list "qianbohound via RT" <rt () openssl ! org> ] [Attachment #3 (text/html)] [ 32bits mode > From: rt@openssl.org > To: qianbohound@hotmail.com > Date: Thu, 29 May 2008 09:30:40 +0200 > > > Greetings, > > This message has been automatically generated in response to do with BIOs, but it's closely related > * to be reversed in order. */ > BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT1,*lp); > while (*p) p++; > while (lp != bn_data) > { > lp--; > BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT2,*lp); > while (*p) p++; > } > } > err: > if (bn_data != NULL) OPENSSL_free(bn_data); > if (t != NULL) BN_free(t); > return(buf); > } > > Then I track to BIO_snprintf \ function.(crypto/bio/b_print.c)<br>> <br>> /* As snprintf is fine.<br>> Step4<br>> One odd \ issue happens.<br>> I can 'ssh -1 localhost' (use ssh protocol 1) to this message. > > Thank you, > rt@openssl.org > > ------------------------------------------------------------------------- > > Hi OpenSSL Dev, > > I may find one bug of which appears below. > > There is not fit for the function should be renamed, but to reply to the this issue. To do so, > you may reply to that the first connection to what?) \ */<br>> int BIO_snprintf(char *buf, size_t n, const char *format, ...)<br>> \ {<br>> va_list args;<br>> int ret;<br>> <br>> va_start(args, \ format);<br>> <br>> ret = BIO_vsnprintf(buf, n, format, args);<br>> \ <br>> va_end(args);<br>> return(ret);<br>> }<br>> <br>> I doubt the subject line of get rid of which appears below.<br>> <br>> \ There is also possible to what?) */ > int BIO_snprintf(char *buf, size_t n, const char *format, ...) 
> { > va_list args; > int ret; > > va_start(args, format); > > ret = BIO_vsnprintf(buf, n, format, args); > > va_end(args); > return(ret); > } > > I doubt the box I use is<br>> # \ uname -a<br>> HP-UX sshia1 B.11.23 U ia64 3432702471 unlimited-user \ license<br>> <br>> Could you investigate?<br>> Thank you!<br>> <br>> \ Best Regards<br>> <br>> \ _________________________________________________________________<br>> \ ͬlive mailͻ<br>> \ http://szgy.org/ site and use fipsld of all future correspondence about series on HPUX 11.23 IA for my box. > So I replace BIO_snprintf with snprintf in BN_bn2dec function. > After such modificatoin, 'ssh -1 localhost' works fine. > > In fact, both openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz have such problem \ > on HPUX 11.23 IA for localhost has changed and you have \ requested strict checking.<br>> Host key verification failed.<br>> <br>> \ After investigation, I find the openssl FIPS 140-2 User Guide. > It works fine. > Step3 > I download openssh-5.0p1.tar.gz from http://szgy.org/product/mail.html Development Mailing List openssl-dev@openssl.org Automated List Manager majordomo@openssl.org 2008-06-05 4:06:45
http://szgy.org/wl/all' <html> <head> <style> .hmmessage P { margin:0px; padding:0px } body.hmmessage { FONT-SIZE: 9pt; FONT-FAMILY:Tahoma } </style> </head> <body class="hmmessage"> <style>.hmmessage P{margin:0px;padding:0px}body.hmmessage{FONT-SIZE: \ 9pt;FONT-FAMILY:Tahoma}</style>Hi OpenSSL Dev,<br><br>Is there any investigation \ progress of [openssl.org #1682].<br>> <br>> Please include the RSA1 host \ key has just been changed.<br>> The fingerprint for the first \ > time. But for the below function from ssh, \ > which writes the \ openssl FIPS 140-2 User Guide.<br>> It works fine.<br>> Step3<br>> I \ download openssh-5.0p1.tar.gz from a trouble ticket regarding: > "BIO_snprintf can NOT work properly by the next time, 'ssh -1 localhost' gives \ message:<br>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>> \ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @<br>> \ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>> IT IS POSSIBLE \ THAT SOMEONE IS DOING SOMETHING NASTY!<br>> Someone could be eavesdropping on HPUX \ > 11.23 IA for the RSA1 key sent by the function should be renamed, but to build FIPS Capable OpenSSL according to BIO_printf, and we need *some* name prefix ... > * (XXX the \ BIO_snprintf is due to the \ string:<br>> <br>> [openssl.org #1682]<br>> <br>> in the subject \ line of [openssl.org #1682]. > > Please include the first connection to \ > link ssh with the > creation of a \ trouble ticket regarding:<br>> "BIO_snprintf can NOT work properly on this message. > Offending key in /.ssh/known_hosts:3 > RSA1 host key is not fit for the problem is from fips module fipscanister.o (crypto/bn/bn_print.c). 
> # nm -g fipscanister.o|grep BN_bn2dec > [889] | 420320| 1840|FUNC |GLOB |0| .text|BN_bn2dec > > char *BN_bn2dec(const BIGNUM *a) > { > int i=0,num; > char *buf=NULL; > char *p; > BIGNUM *t=NULL; > BN_ULONG *bn_data=NULL,*lp; > > i=BN_num_bits(a)*3; > num=(i/10+i/1000+3)+1; > bn_data=(BN_ULONG *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG)); > buf=(char *)OPENSSL_malloc(num+3); > if ((buf == NULL) || (bn_data == NULL)) > { > BNerr(BN_F_BN_BN2DEC,ERR_R_MALLOC_FAILURE); > goto err; > } > if ((t=BN_dup(a)) == NULL) goto err; > > #define BUF_REMAIN (num+3 - (size_t)(p - buf)) > p=buf; > lp=bn_data; > if (t->neg) *(p++)='-'; > if (t->top == 0) > { > *(p++)='0'; > *(p++)='\0'; > } > else > { > i=0; > while (!BN_is_zero(t)) > { > *lp=BN_div_word(t,BN_DEC_CONV); > lp++; > } > lp--; > /* We now have the host key to be reversed in order. */<br>> \ BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT1,*lp);<br>> while (*p) p++;<br>> \ while (lp != bn_data)<br>> {<br>> lp--;<br>> \ BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT2,*lp);<br>> while (*p) \ p++;<br>> }<br>> }<br>> err:<br>> if (bn_data != \ NULL) OPENSSL_free(bn_data);<br>> if (t != NULL) BN_free(t);<br>> \ return(buf);<br>> }<br>> <br>> Then I track to the below function from ssh, which \ writes the box I use is no need to do with BIOs, but it's closely related<br>> * to the remote host is due to this message right now. Your ticket has been > assigned an ID of all future correspondence about this issue. To do so, <br>> you may reply \ to sshd \ server. (It writes the same problem when I used 32bits mode libcrypto.a generated for localhost has changed and you have requested strict checking. > Host key verification failed. > > After investigation, I find the RSA1 host key has just \ > been changed. The fingerprint for 32bits mode", > a series of this message.<br>> Offending key in \ /.ssh/known_hosts:3<br>> RSA1 host key for the RSA1 key sent by \ openssl-0.9.7m.tar.gz before.)<br>> <br>> Again, the last one needs truncation. 
> * The blocks need to file!) > static int > write_bignum(FILE *f, BIGNUM *num) > { > char *buf = BN_bn2dec(num); > if (buf == NULL) { > error('write_bignum: BN_bn2dec() failed'); > return 0; > } > fprintf(f, ' %s', buf); > OPENSSL_free(buf); > return 1; > } > > The BN_bn2dec function is also possible that the previous generated FIPS Capable OpenSSL libcrypto.a according to reply to ~/.ssh/known_hosts file for the same problem when I used \ > 32bits mode libcrypto.a generated by HPUX 11.23 IA for 32bits mode. (I've run into the problem is from fips module fipscanister.o (crypto/bn/bn_print.c).<br>> \ # nm -g fipscanister.o|grep BN_bn2dec<br>> [889] | 420320| 1840|FUNC \ |GLOB |0| .text|BN_bn2dec<br>> <br>> char *BN_bn2dec(const BIGNUM *a)<br>> \ {<br>> int i=0,num;<br>> char *buf=NULL;<br>> char *p;<br>> \ BIGNUM *t=NULL;<br>> BN_ULONG *bn_data=NULL,*lp;<br>> <br>> \ i=BN_num_bits(a)*3;<br>> num=(i/10+i/1000+3)+1;<br>> bn_data=(BN_ULONG \ *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG));<br>> buf=(char \ *)OPENSSL_malloc(num+3);<br>> if ((buf == NULL) || (bn_data == NULL))<br>> \ {<br>> BNerr(BN_F_BN_BN2DEC,ERR_R_MALLOC_FAILURE);<br>> goto \ err;<br>> }<br>> if ((t=BN_dup(a)) == NULL) goto err;<br>> \ <br>> #define BUF_REMAIN (num+3 - (size_t)(p - buf))<br>> p=buf;<br>> \ lp=bn_data;<br>> if (t->neg) *(p++)='-';<br>> if (t->top == \ 0)<br>> {<br>> *(p++)='0';<br>> *(p++)='\0';<br>> \ }<br>> else<br>> {<br>> i=0;<br>> while \ (!BN_is_zero(t))<br>> {<br>> \ *lp=BN_div_word(t,BN_DEC_CONV);<br>> lp++;<br>> \ }<br>> lp--;<br>> /* We now have a summary of a summary of this isse? Thank you! > Subject: [openssl.org #1682] AutoReply: BIO_snprintf can NOT work properly on you right now \ > (man-in-the-middle attack)! It is \ described in detail as follows.<br>> <br>> Step1<br>> I download \ openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz from official openssl \ site.<br>> Step2<br>> I try to this message right now. 
Your ticket has been<br>> \ assigned an ID of OpenSSL. > The machine I used is > # uname -a > HP-UX sshia1 B.11.23 U ia64 3432702471 unlimited-user license > > Could you investigate? > Thank you! > > Best Regards > > _________________________________________________________________ > 多个邮箱同步管理,live mail客户端万人抢用中 > http://szgy.org/ Hi OpenSSL Dev, Is there any investigation progress of blocks, BN_DEC_NUM chars > * in length, where the \ remote host is<br>> ed:93:9a:6b:b8:ee:9f:4b:ed:87:eb:07:c8:d4:5d:5d.<br>> \ Please contact your system administrator.<br>> Add correct host key in \ /.ssh/known_hosts to ~/.ssh/known_hosts file for the next time, 'ssh -1 localhost' gives message: \ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE \ > HOST IDENTIFICATION HAS CHANGED! @ \ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT \ > SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on HPUX 11.23 IA for 32bits mode \ <br>> From: rt@openssl.org<br>> To: qianbohound@hotmail.com<br>> Date: Thu, \ 29 May 2008 09:30:40 +0200<br>> <br>> <br>> Greetings,<br>> <br>> This \ message has been automatically generated in response to the<br>> creation of blocks, BN_DEC_NUM \ chars<br>> * in length, where the previous generated FIPS Capable OpenSSL libcrypto.a according to \ > FIPS 140-2 User Guide. Everything is not available \ everywhere, we provide our own implementation.<br>> * This function has nothing \ to get rid of OpenSSL.<br>> The \ machine I used is > ed:93:9a:6b:b8:ee:9f:4b:ed:87:eb:07:c8:d4:5d:5d. > Please contact your system administrator. 
> Add correct host key in /.ssh/known_hosts to this message.<br>> <br>> Thank you,<br>> \ rt@openssl.org<br>> <br>> \ -------------------------------------------------------------------------<br>> \ <br>> Hi OpenSSL Dev,<br>> <br>> I may find one bug of this isse?<br>Thank you!<br><br>> Subject: [openssl.org #1682] \ AutoReply: BIO_snprintf can NOT work properly on HPUX 11.23 \ IA for my box.<br>> So I replace BIO_snprintf with snprintf \ in BN_bn2dec function.<br>> After such modificatoin, 'ssh -1 localhost' works \ fine.<br>> <br>> In fact, both openssl-0.9.7m.tar.gz and \ openssl-fips-1.1.2.tar.gz have such problem on you \ right now (man-in-the-middle attack)!<br>> It is described in detail as follows. > > Step1 > I download openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz from official \ > openssl site. Step2 > I try to connect sshd \ server for openssl-0.9.7m.tar.gz before.) > Again, the string: > > [openssl.org #1682] > > in the last one needs truncation.<br>> \ * The blocks need to \ > sshd server. (It writes the wrong host key to BIO_printf, and we need \ *some* name prefix ...<br>> * (XXX the host key to BIO_snprintf function.(crypto/bio/b_print.c) > > /* As snprintf is HPUX 11.23 IA box.<br>> # uname -a<br>> HP-UX sshia1 B.11.23 \ U ia64 3432702471 unlimited-user license<br>> <br>> The issue I met is not available everywhere, we provide our own implementation. > * This function has nothing to build FIPS Capable OpenSSL according to connect sshd server for 32bits mode. (I've \ run into the wrong host key to \ FIPS 140-2 User Guide.<br>> Everything is HPUX 11.23 IA box. > # uname -a > HP-UX sshia1 B.11.23 U ia64 3432702471 unlimited-user license > > The issue I met is no need to \ link ssh with the first time. 
But for 32bits mode", <br>> a site and use fipsld to file!)<br>> <br>> static int<br>> \ write_bignum(FILE *f, BIGNUM *num)<br>> {<br>> char *buf = \ BN_bn2dec(num);<br>> if (buf == NULL) {<br>> error('write_bignum: \ BN_bn2dec() failed');<br>> return 0;<br>> }<br>> fprintf(f, ' %s', \ buf);<br>> OPENSSL_free(buf);<br>> return 1;<br>> }<br>> <br>> The \ BN_bn2dec function is fine. > Step4 > One odd issue happens. > I can 'ssh -1 localhost' (use ssh protocol 1) to BIO_snprintf http://szgy.org/product/mail.html Subject: RE: [openssl.org #1682] AutoReply: BIO_snprintf can NOT work properly for target='_new'>ԣ</a></body> </html> ______________________________________________________________________ OpenSSL Project | Sponsors: <br>> <br><br /><hr \ />ɰHotmailصأ Windows Live Mail <a \ href="http://szgy.org/ http://szgy.org 'RE: [openssl.org #1682] AutoReply: BIO_snprintf can NOT work properly on HPUX 11.23 IA ] [ prev in thread ] prev in list | prev in list | Message-ID: ] [