From 08fe9e8e477fcaa5ea9231cb5df516bcaeea4e06 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 1 Dec 2014 16:48:15 +0100 Subject: [PATCH] use different values for DH for Cisco servers (#1026430) --- openssh-6.6.1p1-cisco-dh-keys.patch | 70 +++++++++++++++++++++++++++++ openssh-6.6p1-fips.patch | 23 ++++------ openssh.spec | 4 +- 3 files changed, 81 insertions(+), 16 deletions(-) create mode 100644 openssh-6.6.1p1-cisco-dh-keys.patch diff --git a/openssh-6.6.1p1-cisco-dh-keys.patch b/openssh-6.6.1p1-cisco-dh-keys.patch new file mode 100644 index 0000000..0763b10 --- /dev/null +++ b/openssh-6.6.1p1-cisco-dh-keys.patch @@ -0,0 +1,70 @@ +diff --git a/compat.c b/compat.c +index 2709dc5..7412a54 100644 +--- a/compat.c ++++ b/compat.c +@@ -167,6 +167,7 @@ compat_datafellows(const char *version) + SSH_BUG_SCANNER }, + { "Probe-*", + SSH_BUG_PROBE }, ++ { "Cisco-*", SSH_BUG_MAX4096DH }, + { NULL, 0 } + }; + +diff --git a/compat.h b/compat.h +index a6c3f3d..d8def7d 100644 +--- a/compat.h ++++ b/compat.h +@@ -60,6 +60,7 @@ + #define SSH_NEW_OPENSSH 0x04000000 + #define SSH_BUG_DYNAMIC_RPORT 0x08000000 + #define SSH_BUG_CURVE25519PAD 0x10000000 ++#define SSH_BUG_MAX4096DH 0x20000000 + + void enable_compat13(void); + void enable_compat20(void); +diff --git a/kexgexc.c b/kexgexc.c +index 355b7ba..0a91bdd 100644 +--- a/kexgexc.c ++++ b/kexgexc.c +@@ -58,20 +58,37 @@ kexgex_client(Kex *kex) + int min, max, nbits; + DH *dh; + ++ min = DH_GRP_MIN; ++ max = DH_GRP_MAX; ++ ++ /* Servers with MAX4096DH need a preferred size (nbits) <= 4096. ++ * We need to also ensure that min < nbits < max */ ++ ++ if (datafellows & SSH_BUG_MAX4096DH) { ++ /* The largest min for these servers is 4096 */ ++ min = MIN(min, 4096); ++ } ++ + nbits = dh_estimate(kex->dh_need * 8); ++ nbits = MIN(nbits, max); ++ nbits = MAX(nbits, min); ++ ++ if (datafellows & SSH_BUG_MAX4096DH) { ++ /* Cannot have a nbits > 4096 for these servers */ ++ nbits = MIN(nbits, 4096); ++ /* nbits has to be powers of two */ ++ if (nbits == 3072) ++ nbits = 4096; ++ } + + if (datafellows & SSH_OLD_DHGEX) { + /* Old GEX request */ + packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD); + packet_put_int(nbits); +- min = DH_GRP_MIN; +- max = DH_GRP_MAX; + + debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits); + } else { + /* New GEX request */ +- min = DH_GRP_MIN; +- max = DH_GRP_MAX; + packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); + packet_put_int(min); + packet_put_int(nbits); diff --git a/openssh-6.6p1-fips.patch b/openssh-6.6p1-fips.patch index 9227b37..f97e2ba 100644 --- a/openssh-6.6p1-fips.patch +++ b/openssh-6.6p1-fips.patch @@ -325,22 +325,15 @@ index 355b7ba..427e11f 100644 #include #include -@@ -64,13 +66,13 @@ kexgex_client(Kex *kex) - /* Old GEX request */ - packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD); - packet_put_int(nbits); -- min = DH_GRP_MIN; -+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; - max = DH_GRP_MAX; +@@ -58,7 +60,7 @@ kexgex_client(Kex *kex) + int min, max, nbits; + DH *dh; - debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits); - } else { - /* New GEX request */ -- min = DH_GRP_MIN; -+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; - max = DH_GRP_MAX; - packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); - packet_put_int(min); +- min = DH_GRP_MIN; ++ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; + max = DH_GRP_MAX; + + /* Servers with MAX4096DH need a preferred size (nbits) <= 4096. diff --git a/kexgexs.c b/kexgexs.c index 770ad28..9d4fc6d 100644 --- a/kexgexs.c diff --git a/openssh.spec b/openssh.spec index 871e3a8..a0d8b88 100644 --- a/openssh.spec +++ b/openssh.spec @@ -209,7 +209,8 @@ Patch914: openssh-6.6.1p1-servconf-parser.patch Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch # privsep_preauth: use SELinux context from selinux-policy (#1008580) Patch916: openssh-6.6.1p1-selinux-contexts.patch - +# use different values for DH for Cisco servers (#1026430) +Patch917: openssh-6.6.1p1-cisco-dh-keys.patch License: BSD Group: Applications/Internet @@ -419,6 +420,7 @@ popd %patch914 -p1 -b .servconf %patch915 -p1 -b .SIGXFSZ %patch916 -p1 -b .contexts +%patch917 -p1 -b .cisco-dh %patch200 -p1 -b .audit %patch700 -p1 -b .fips