use different values for DH for Cisco servers (#1026430)
This commit is contained in:
parent
823364a11e
commit
08fe9e8e47
70
openssh-6.6.1p1-cisco-dh-keys.patch
Normal file
70
openssh-6.6.1p1-cisco-dh-keys.patch
Normal file
@ -0,0 +1,70 @@
|
||||
diff --git a/compat.c b/compat.c
|
||||
index 2709dc5..7412a54 100644
|
||||
--- a/compat.c
|
||||
+++ b/compat.c
|
||||
@@ -167,6 +167,7 @@ compat_datafellows(const char *version)
|
||||
SSH_BUG_SCANNER },
|
||||
{ "Probe-*",
|
||||
SSH_BUG_PROBE },
|
||||
+ { "Cisco-*", SSH_BUG_MAX4096DH },
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
||||
diff --git a/compat.h b/compat.h
|
||||
index a6c3f3d..d8def7d 100644
|
||||
--- a/compat.h
|
||||
+++ b/compat.h
|
||||
@@ -60,6 +60,7 @@
|
||||
#define SSH_NEW_OPENSSH 0x04000000
|
||||
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
|
||||
#define SSH_BUG_CURVE25519PAD 0x10000000
|
||||
+#define SSH_BUG_MAX4096DH 0x20000000
|
||||
|
||||
void enable_compat13(void);
|
||||
void enable_compat20(void);
|
||||
diff --git a/kexgexc.c b/kexgexc.c
|
||||
index 355b7ba..0a91bdd 100644
|
||||
--- a/kexgexc.c
|
||||
+++ b/kexgexc.c
|
||||
@@ -58,20 +58,37 @@ kexgex_client(Kex *kex)
|
||||
int min, max, nbits;
|
||||
DH *dh;
|
||||
|
||||
+ min = DH_GRP_MIN;
|
||||
+ max = DH_GRP_MAX;
|
||||
+
|
||||
+ /* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
|
||||
+ * We need to also ensure that min < nbits < max */
|
||||
+
|
||||
+ if (datafellows & SSH_BUG_MAX4096DH) {
|
||||
+ /* The largest min for these servers is 4096 */
|
||||
+ min = MIN(min, 4096);
|
||||
+ }
|
||||
+
|
||||
nbits = dh_estimate(kex->dh_need * 8);
|
||||
+ nbits = MIN(nbits, max);
|
||||
+ nbits = MAX(nbits, min);
|
||||
+
|
||||
+ if (datafellows & SSH_BUG_MAX4096DH) {
|
||||
+ /* Cannot have a nbits > 4096 for these servers */
|
||||
+ nbits = MIN(nbits, 4096);
|
||||
+ /* nbits has to be powers of two */
|
||||
+ if (nbits == 3072)
|
||||
+ nbits = 4096;
|
||||
+ }
|
||||
|
||||
if (datafellows & SSH_OLD_DHGEX) {
|
||||
/* Old GEX request */
|
||||
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
|
||||
packet_put_int(nbits);
|
||||
- min = DH_GRP_MIN;
|
||||
- max = DH_GRP_MAX;
|
||||
|
||||
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
|
||||
} else {
|
||||
/* New GEX request */
|
||||
- min = DH_GRP_MIN;
|
||||
- max = DH_GRP_MAX;
|
||||
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
|
||||
packet_put_int(min);
|
||||
packet_put_int(nbits);
|
@ -325,22 +325,15 @@ index 355b7ba..427e11f 100644
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/dh.h>
|
||||
@@ -64,13 +66,13 @@ kexgex_client(Kex *kex)
|
||||
/* Old GEX request */
|
||||
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
|
||||
packet_put_int(nbits);
|
||||
@@ -58,7 +60,7 @@ kexgex_client(Kex *kex)
|
||||
int min, max, nbits;
|
||||
DH *dh;
|
||||
|
||||
- min = DH_GRP_MIN;
|
||||
+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
max = DH_GRP_MAX;
|
||||
|
||||
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
|
||||
} else {
|
||||
/* New GEX request */
|
||||
- min = DH_GRP_MIN;
|
||||
+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
max = DH_GRP_MAX;
|
||||
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
|
||||
packet_put_int(min);
|
||||
/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
|
||||
diff --git a/kexgexs.c b/kexgexs.c
|
||||
index 770ad28..9d4fc6d 100644
|
||||
--- a/kexgexs.c
|
||||
|
@ -209,7 +209,8 @@ Patch914: openssh-6.6.1p1-servconf-parser.patch
|
||||
Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
|
||||
# privsep_preauth: use SELinux context from selinux-policy (#1008580)
|
||||
Patch916: openssh-6.6.1p1-selinux-contexts.patch
|
||||
|
||||
# use different values for DH for Cisco servers (#1026430)
|
||||
Patch917: openssh-6.6.1p1-cisco-dh-keys.patch
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
@ -419,6 +420,7 @@ popd
|
||||
%patch914 -p1 -b .servconf
|
||||
%patch915 -p1 -b .SIGXFSZ
|
||||
%patch916 -p1 -b .contexts
|
||||
%patch917 -p1 -b .cisco-dh
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch700 -p1 -b .fips
|
||||
|
Loading…
Reference in New Issue
Block a user