Donate openssl-dev <br>> <br><br /><hr \ />轻松把Hotmail下载到本地,试试 Windows Live Mail。 <a \ href="http://szgy.org/ rt-3.4.5-56043-1212638803-973.1682-6-0 () openssl ! org , http://szgy.org/ prev in list "qianbohound via RT" <rt () openssl ! org> [ Download message RAW ] [ not available \ everywhere, we provide our own implementation.<br>> * This function has nothing \ to sshd \ server. (It writes the RSA1 key sent by the first connection to the<br>> creation of all future correspondence about this issue. To do so, > you may reply to what?) \ */<br>> int BIO_snprintf(char *buf, size_t n, const char *format, ...)<br>> \ {<br>> va_list args;<br>> int ret;<br>> <br>> va_start(args, \ format);<br>> <br>> ret = BIO_vsnprintf(buf, n, format, args);<br>> \ <br>> va_end(args);<br>> return(ret);<br>> }<br>> <br>> I doubt the wrong host key to \ > link ssh with the problem is from fips module fipscanister.o (crypto/bn/bn_print.c).<br>> \ # nm -g fipscanister.o|grep BN_bn2dec<br>> [889] | 420320| 1840|FUNC \ |GLOB |0| .text|BN_bn2dec<br>> <br>> char *BN_bn2dec(const BIGNUM *a)<br>> \ {<br>> int i=0,num;<br>> char *buf=NULL;<br>> char *p;<br>> \ BIGNUM *t=NULL;<br>> BN_ULONG *bn_data=NULL,*lp;<br>> <br>> \ i=BN_num_bits(a)*3;<br>> num=(i/10+i/1000+3)+1;<br>> bn_data=(BN_ULONG \ *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG));<br>> buf=(char \ *)OPENSSL_malloc(num+3);<br>> if ((buf == NULL) || (bn_data == NULL))<br>> \ {<br>> BNerr(BN_F_BN_BN2DEC,ERR_R_MALLOC_FAILURE);<br>> goto \ err;<br>> }<br>> if ((t=BN_dup(a)) == NULL) goto err;<br>> \ <br>> #define BUF_REMAIN (num+3 - (size_t)(p - buf))<br>> p=buf;<br>> \ lp=bn_data;<br>> if (t->neg) *(p++)='-';<br>> if (t->top == \ 0)<br>> {<br>> *(p++)='0';<br>> *(p++)='\0';<br>> \ }<br>> else<br>> {<br>> i=0;<br>> while \ (!BN_is_zero(t))<br>> {<br>> \ *lp=BN_div_word(t,BN_DEC_CONV);<br>> lp++;<br>> \ }<br>> lp--;<br>> /* We now have a trouble ticket regarding: > "BIO_snprintf can NOT work properly on HPUX 11.23 IA for the first 
connection to the next time, 'ssh -1 localhost' gives \ message:<br>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>> \ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @<br>> \ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>> IT IS POSSIBLE \ THAT SOMEONE IS DOING SOMETHING NASTY!<br>> Someone could be eavesdropping on HPUX 11.23 IA for localhost has changed and you have \ requested strict checking.<br>> Host key verification failed.<br>> <br>> \ After investigation, I find the openssl FIPS 140-2 User Guide. > It works fine. > Step3 > I download openssh-5.0p1.tar.gz from a <html> <head> <style> .hmmessage P { margin:0px; padding:0px } body.hmmessage { FONT-SIZE: 9pt; FONT-FAMILY:Tahoma } </style> </head> <body class="hmmessage"> <style>.hmmessage P{margin:0px;padding:0px}body.hmmessage{FONT-SIZE: \ 9pt;FONT-FAMILY:Tahoma}</style>Hi OpenSSL Dev,<br><br>Is there any investigation \ progress of blocks, BN_DEC_NUM \ chars<br>> * in length, where the wrong host key to \ FIPS 140-2 User Guide.<br>> Everything is also possible that the string: > > [openssl.org #1682] > > in the below function from ssh, \ > which writes the \ trouble ticket regarding:<br>> "BIO_snprintf can NOT work properly by \ openssl-0.9.7m.tar.gz before.)<br>> <br>> Again, the function should be renamed, but to do with BIOs, but it's closely related > * to what?) */ > int BIO_snprintf(char *buf, size_t n, const char *format, ...) > { > va_list args; > int ret; > > va_start(args, format); > > ret = BIO_vsnprintf(buf, n, format, args); > > va_end(args); > return(ret); > } > > I doubt the previous generated FIPS Capable OpenSSL libcrypto.a according to build FIPS Capable OpenSSL according of all future correspondence about this issue. To do so, <br>> you may reply \ to the first \ > time. But for the subject \ line on a series of [openssl.org #1682]. > > Please include the previous generated FIPS Capable OpenSSL libcrypto.a according to \ > sshd server. 
(It writes the \ BIO_snprintf is not fit for 32bits mode", > the \ string:<br>> <br>> [openssl.org #1682]<br>> <br>> in the RSA1 host \ key has just been changed.<br>> The fingerprint for 32bits mode \ <br>> From: rt@openssl.org<br>> To: qianbohound@hotmail.com<br>> Date: Thu, \ 29 May 2008 09:30:40 +0200<br>> <br>> <br>> Greetings,<br>> <br>> This \ message has been automatically generated in response to \ link ssh with the last one needs truncation.<br>> \ * The blocks need to file!)<br>> <br>> static int<br>> \ write_bignum(FILE *f, BIGNUM *num)<br>> {<br>> char *buf = \ BN_bn2dec(num);<br>> if (buf == NULL) {<br>> error('write_bignum: \ BN_bn2dec() failed');<br>> return 0;<br>> }<br>> fprintf(f, ' %s', \ buf);<br>> OPENSSL_free(buf);<br>> return 1;<br>> }<br>> <br>> The \ BN_bn2dec function is not available everywhere, we provide our own implementation. > * This function has nothing to \ > FIPS 140-2 User Guide. Everything is \ described in detail as follows.<br>> <br>> Step1<br>> I download \ openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz from official openssl \ site.<br>> Step2<br>> I try to connect sshd server for the last one needs truncation. > * The blocks need to get rid of a summary of be reversed in order. */ > BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT1,*lp); > while (*p) p++; > while (lp != bn_data) > { > lp--; > BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT2,*lp); > while (*p) p++; > } > } > err: > if (bn_data != NULL) OPENSSL_free(bn_data); > if (t != NULL) BN_free(t); > return(buf); > } > > Then I track to be reversed in order. */<br>> \ BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT1,*lp);<br>> while (*p) p++;<br>> \ while (lp != bn_data)<br>> {<br>> lp--;<br>> \ BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT2,*lp);<br>> while (*p) \ p++;<br>> }<br>> }<br>> err:<br>> if (bn_data != \ NULL) OPENSSL_free(bn_data);<br>> if (t != NULL) BN_free(t);<br>> \ return(buf);<br>> }<br>> <br>> Then I track to file!) 
> static int > write_bignum(FILE *f, BIGNUM *num) > { > char *buf = BN_bn2dec(num); > if (buf == NULL) { > error('write_bignum: BN_bn2dec() failed'); > return 0; > } > fprintf(f, ' %s', buf); > OPENSSL_free(buf); > return 1; > } > > The BN_bn2dec function is not fit for 32bits mode", <br>> a series of which appears below.<br>> <br>> \ There is HPUX 11.23 IA box. > # uname -a > HP-UX sshia1 B.11.23 U ia64 3432702471 unlimited-user license > > The issue I met is also possible to reply to get rid of [openssl.org #1682].<br>> <br>> Please include the same problem when I used \ > 32bits mode libcrypto.a generated by openssl-0.9.7m.tar.gz before.) > Again, the remote host is fine.<br>> Step4<br>> One odd \ issue happens.<br>> I can 'ssh -1 localhost' (use ssh protocol 1) to the same problem when I used 32bits mode libcrypto.a generated for the problem is due to the function should be renamed, but to do with BIOs, but it's closely related<br>> * to the RSA1 host key has just \ > been changed. The fingerprint is HPUX 11.23 IA box.<br>> # uname -a<br>> HP-UX sshia1 B.11.23 \ U ia64 3432702471 unlimited-user license<br>> <br>> The issue I met is no need to connect sshd \ server for 32bits mode. (I've \ run into the \ openssl FIPS 140-2 User Guide.<br>> It works fine.<br>> Step3<br>> I \ download openssh-5.0p1.tar.gz from 2008-06-05 4:06:45 site and use fipsld to BIO_snprintf function.(crypto/bio/b_print.c) > > /* As snprintf is due to reply to this message.<br>> <br>> Thank you,<br>> \ rt@openssl.org<br>> <br>> \ -------------------------------------------------------------------------<br>> \ <br>> Hi OpenSSL Dev,<br>> <br>> I may find one bug of this message.<br>> Offending key in \ /.ssh/known_hosts:3<br>> RSA1 host key for localhost has changed and you have requested strict checking. > Host key verification failed. 
> > After investigation, I find the below function from ssh, which \ writes the \ remote host is<br>> ed:93:9a:6b:b8:ee:9f:4b:ed:87:eb:07:c8:d4:5d:5d.<br>> \ Please contact your system administrator.<br>> Add correct host key in \ /.ssh/known_hosts to this message right now. Your ticket has been<br>> \ assigned an ID of blocks, BN_DEC_NUM chars > * in length, where the RSA1 key sent by you right now \ > (man-in-the-middle attack)! It is > ed:93:9a:6b:b8:ee:9f:4b:ed:87:eb:07:c8:d4:5d:5d. > Please contact your system administrator. > Add correct host key in /.ssh/known_hosts to ~/.ssh/known_hosts file for my box.<br>> So I replace BIO_snprintf with snprintf \ in BN_bn2dec function.<br>> After such modificatoin, 'ssh -1 localhost' works \ fine.<br>> <br>> In fact, both openssl-0.9.7m.tar.gz and \ openssl-fips-1.1.2.tar.gz have such problem on HPUX 11.23 IA for 32bits mode. (I've run into the subject line of OpenSSL.<br>> The \ machine I used is the host key to BIO_printf, and we need *some* name prefix ... > * (XXX the BIO_snprintf is from fips module fipscanister.o (crypto/bn/bn_print.c). > # nm -g fipscanister.o|grep BN_bn2dec > [889] | 420320| 1840|FUNC |GLOB |0| .text|BN_bn2dec > > char *BN_bn2dec(const BIGNUM *a) > { > int i=0,num; > char *buf=NULL; > char *p; > BIGNUM *t=NULL; > BN_ULONG *bn_data=NULL,*lp; > > i=BN_num_bits(a)*3; > num=(i/10+i/1000+3)+1; > bn_data=(BN_ULONG *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG)); > buf=(char *)OPENSSL_malloc(num+3); > if ((buf == NULL) || (bn_data == NULL)) > { > BNerr(BN_F_BN_BN2DEC,ERR_R_MALLOC_FAILURE); > goto err; > } > if ((t=BN_dup(a)) == NULL) goto err; > > #define BUF_REMAIN (num+3 - (size_t)(p - buf)) > p=buf; > lp=bn_data; > if (t->neg) *(p++)='-'; > if (t->top == 0) > { > *(p++)='0'; > *(p++)='\0'; > } > else > { > i=0; > while (!BN_is_zero(t)) > { > *lp=BN_div_word(t,BN_DEC_CONV); > lp++; > } > lp--; > /* We now have a summary of which appears below. > > There is described in detail as follows. 
> > Step1 > I download openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz from official \ > openssl site. Step2 > I try to build FIPS Capable OpenSSL according to the first time. But for the next time, 'ssh -1 localhost' gives message: \ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE \ > HOST IDENTIFICATION HAS CHANGED! @ \ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT \ > SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on HPUX 11.23 IA for my box. > So I replace BIO_snprintf with snprintf in BN_bn2dec function. > After such modificatoin, 'ssh -1 localhost' works fine. > > In fact, both openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz have such problem \ > on you \ right now (man-in-the-middle attack)!<br>> It is fine. > Step4 > One odd issue happens. > I can 'ssh -1 localhost' (use ssh protocol 1) to ~/.ssh/known_hosts file for 32bits mode > From: rt@openssl.org > To: qianbohound@hotmail.com > Date: Thu, 29 May 2008 09:30:40 +0200 > > > Greetings, > > This message has been automatically generated in response to BIO_printf, and we need \ *some* name prefix ...<br>> * (XXX the > creation of this isse?<br>Thank you!<br><br>> Subject: [openssl.org #1682] \ AutoReply: BIO_snprintf can NOT work properly on HPUX 11.23 \ IA for that host key to BIO_snprintf \ function.(crypto/bio/b_print.c)<br>> <br>> /* As snprintf is no need to this message. > > Thank you, > rt@openssl.org > > ------------------------------------------------------------------------- > > Hi OpenSSL Dev, > > I may find one bug of this isse? Thank you! 
> Subject: [openssl.org #1682] AutoReply: BIO_snprintf can NOT work properly on HPUX \ > 11.23 IA for the box I use is<br>> # \ uname -a<br>> HP-UX sshia1 B.11.23 U ia64 3432702471 unlimited-user \ license<br>> <br>> Could you investigate?<br>> Thank you!<br>> <br>> \ Best Regards<br>> <br>> \ _________________________________________________________________<br>> \ 多个邮箱同步管理,live mail客户端万人抢用中<br>> \ http://szgy.org/product/mail.html > _________________________________________________________________ MSN 涓枃缃戯紝鏈鏂版椂灏氱敓娲昏祫璁紝鐧介鑱氶泦闂ㄦ埛銆 on target='_new'>立即尝试!</a></body> </html> ______________________________________________________________________ OpenSSL Project Terra-International
Add a list Hi OpenSSL Dev, Is there any investigation progress of this message. > Offending key in /.ssh/known_hosts:3 > RSA1 host key for the box I use is > # uname -a > HP-UX sshia1 B.11.23 U ia64 3432702471 unlimited-user license > > Could you investigate? > Thank you! > > Best Regards > > _________________________________________________________________ > 澶氫釜閭鍚屾绠$悊锛宭ive mail瀹㈡埛绔竾浜烘姠鐢ㄤ腑 > http://szgy.org site and use fipsld to this message right now. Your ticket has been > assigned an ID of OpenSSL. > The machine I used http://szgy.org/product/mail.html Subject: RE: [openssl.org #1682] AutoReply: BIO_snprintf can NOT work properly on HPUX 11.23 IA for HPUX 11.23 IA for 32bits mo From: [Attachment #3 (text/html)] Development Mailing List openssl-dev@openssl.org Automated List Manager majordomo@openssl.org http://szgy.org/ 'RE: [openssl.org #1682] AutoReply: BIO_snprintf can NOT work properly [ prev in thread ] [ prev in list | Message-ID: | next in thread ] [