diff --git a/openssh-6.6.1p1-cisco-dh-keys.patch b/openssh-6.6.1p1-cisco-dh-keys.patch
deleted file mode 100644
index 6890c05..0000000
--- a/openssh-6.6.1p1-cisco-dh-keys.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-diff -up openssh-6.8p1/compat.c.cisco-dh openssh-6.8p1/compat.c
---- openssh-6.8p1/compat.c.cisco-dh 2015-03-17 06:49:20.000000000 +0100
-+++ openssh-6.8p1/compat.c 2015-03-19 12:57:58.862606969 +0100
-@@ -167,6 +167,7 @@ compat_datafellows(const char *version)
- SSH_BUG_SCANNER },
- { "Probe-*",
- SSH_BUG_PROBE },
-+ { "Cisco-*", SSH_BUG_MAX4096DH },
- { NULL, 0 }
- };
- 
-diff -up openssh-6.8p1/compat.h.cisco-dh openssh-6.8p1/compat.h
---- openssh-6.8p1/compat.h.cisco-dh 2015-03-17 06:49:20.000000000 +0100
-+++ openssh-6.8p1/compat.h 2015-03-19 12:57:58.862606969 +0100
-@@ -60,6 +60,7 @@
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
- #define SSH_BUG_CURVE25519PAD 0x10000000
-+#define SSH_BUG_MAX4096DH 0x20000000
- 
- void enable_compat13(void);
- void enable_compat20(void);
-diff -up openssh-6.8p1/kexgexc.c.cisco-dh openssh-6.8p1/kexgexc.c
---- openssh-6.8p1/kexgexc.c.cisco-dh 2015-03-19 12:57:58.862606969 +0100
-+++ openssh-6.8p1/kexgexc.c 2015-03-19 13:11:52.320519969 +0100
-@@ -64,8 +64,27 @@ kexgex_client(struct ssh *ssh)
- 
- kex->min = DH_GRP_MIN;
- kex->max = DH_GRP_MAX;
-+
-+ /* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
-+ * We need to also ensure that min < nbits < max */
-+
-+ if (datafellows & SSH_BUG_MAX4096DH) {
-+ /* The largest min for these servers is 4096 */
-+ kex->min = MIN(kex->min, 4096);
-+ }
-+
- kex->nbits = nbits;
-- if (ssh->compat & SSH_OLD_DHGEX) {
-+ kex->nbits = MIN(nbits, kex->max);
-+ kex->nbits = MAX(nbits, kex->min);
-+
-+ if (ssh->compat & SSH_BUG_MAX4096DH) {
-+ /* Cannot have a nbits > 4096 for these servers */
-+ kex->nbits = MIN(kex->nbits, 4096);
-+ /* nbits has to be powers of two */
-+ if (kex->nbits == 3072)
-+ kex->nbits = 4096;
-+ }
-+ if (ssh->compat & SSH_OLD_DHGEX) { /* Old GEX request */
- /* Old GEX request */
- if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD))
- != 0 ||
diff --git a/openssh.spec b/openssh.spec
index a4fb7ad..a84b40d 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -193,8 +193,6 @@ Patch901: openssh-6.6p1-kuserok.patch
 Patch906: openssh-6.4p1-fromto-remote.patch
 # privsep_preauth: use SELinux context from selinux-policy (#1008580)
 Patch916: openssh-6.6.1p1-selinux-contexts.patch
-# use different values for DH for Cisco servers (#1026430)
-Patch917: openssh-6.6.1p1-cisco-dh-keys.patch
 # log via monitor in chroots without /dev/log (#2681)
 Patch918: openssh-6.6.1p1-log-in-chroot.patch
 # scp file into non-existing directory (#1142223)
@@ -428,7 +426,6 @@ popd
 %patch901 -p1 -b .kuserok
 %patch906 -p1 -b .fromto-remote
 %patch916 -p1 -b .contexts
-#%patch917 -p1 -b .cisco-dh # investigate
 %patch918 -p1 -b .log-in-chroot
 %patch919 -p1 -b .scp
 %patch920 -p1 -b .config