SUSE:SLE-12-SP4:Update
openssh
openssh-7.2p2-disable_short_DH_parameters.patch
File openssh-7.2p2-disable_short_DH_parameters.patch of Package openssh
From 9dcba0f6e85b57a4bbbc6f7e89a566c002f6a5c6 Mon Sep 17 00:00:00 2001 From: Old openssh patches <pcerny@suse.com> Date: Tue, 25 Oct 2022 18:53:20 +0200 Subject: [PATCH] openssh-7.2p2-disable_short_DH_parameters # HG changeset patch # Parent 7b5f436e0026923299fdd1994f8da8fd9948be7c Raise minimal size of DH group parameters to 2048 bits like upstream did in 7.2. 1024b values are believed to be in breaking range for state adversaries and the default moduli shipped with openssh have been around long enough to make it more likely for them to be broken. Also provide an option that allows the client to accept shorter (RFC4419 compliant) parameters. CVE-2015-4000 (LOGJAM) bsc#932483 --- dh.c | 2 ++ dh.h | 1 + kexgexc.c | 11 ++++++++++- kexgexs.c | 13 +++++++++++-- readconf.c | 20 +++++++++++++++++++- readconf.h | 1 + servconf.c | 21 ++++++++++++++++++++- servconf.h | 1 + ssh_config | 5 +++++ ssh_config.0 | 17 +++++++++++++++++ ssh_config.5 | 16 ++++++++++++++++ sshd_config | 5 +++++ sshd_config.0 | 17 +++++++++++++++++ sshd_config.5 | 16 ++++++++++++++++ 14 files changed, 141 insertions(+), 5 deletions(-) diff --git a/dh.c b/dh.c index 4c639acc..351c79ce 100644 --- a/dh.c +++ b/dh.c @@ -42,6 +42,8 @@ #include "misc.h" #include "ssherr.h" +int dh_grp_min = DH_GRP_MIN; + static int parse_prime(int linenum, char *line, struct dhgroup *dhg) { diff --git a/dh.h b/dh.h index e191cfd8..c65f0c45 100644 --- a/dh.h +++ b/dh.h @@ -48,6 +48,7 @@ u_int dh_estimate(int); * Max value from RFC4419. * Miniumum increased in light of DH precomputation attacks. */ +#define DH_GRP_MIN_RFC 1024 #define DH_GRP_MIN 2048 #define DH_GRP_MAX 8192 diff --git a/kexgexc.c b/kexgexc.c index 71ff1335..c35215b8 100644 --- a/kexgexc.c +++ b/kexgexc.c @@ -51,6 +51,9 @@ #include "ssherr.h" #include "sshbuf.h" +/* import from dh.c */ +extern int dh_grp_min; + static int input_kex_dh_gex_group(int, u_int32_t, void *); static int input_kex_dh_gex_reply(int, u_int32_t, void *); 
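Review bot: The new global `dh_grp_min` defined in dh.c is never declared in dh.h; the kexgexc.c hunk here, and the matching hunks in kexgexs.c, readconf.c and servconf.c, each carry a private `extern int dh_grp_min;`. The patch already edits dh.h, so a single `extern int dh_grp_min;` next to `DH_GRP_MIN_RFC` would let the compiler check the definition against every user. The initialiser is `DH_GRP_MIN` (2048), while the option defaults applied later store `DH_GRP_MIN_RFC` (1024), so code that uses dh.c without running those defaults would presumably enforce a different floor. A comment on the definition, for example `/* runtime floor for DH-GEX groups; overwritten from KexDHMin when options are filled in */`, should say which value is authoritative.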
@@ -63,7 +66,7 @@ kexgex_client(struct ssh *ssh) nbits = dh_estimate(kex->dh_need * 8); - kex->min = DH_GRP_MIN; + kex->min = dh_grp_min; kex->max = DH_GRP_MAX; kex->nbits = nbits; if (datafellows & SSH_BUG_DHGEX_LARGE) @@ -109,6 +112,12 @@ input_kex_dh_gex_group(int type, u_int32_t seq, void *ctxt) goto out; if ((bits = BN_num_bits(p)) < 0 || (u_int)bits < kex->min || (u_int)bits > kex->max) { + if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC) + logit("DH parameter offered by the server (%d bits) " + "is considered insecure. " + "You can lower the accepted the minimum " + "via the KexDHMin option.", + bits); r = SSH_ERR_DH_GEX_OUT_OF_RANGE; goto out; } diff --git a/kexgexs.c b/kexgexs.c index 8c5adf7e..4bfcd74a 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -54,6 +54,9 @@ #include "ssherr.h" #include "sshbuf.h" +/* import from dh.c */ +extern int dh_grp_min; + static int input_kex_dh_gex_request(int, u_int32_t, void *); static int input_kex_dh_gex_init(int, u_int32_t, void *); @@ -83,13 +86,19 @@ input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt) kex->nbits = nbits; kex->min = min; kex->max = max; - min = MAX(DH_GRP_MIN, min); + min = MAX(dh_grp_min, min); max = MIN(DH_GRP_MAX, max); - nbits = MAX(DH_GRP_MIN, nbits); + nbits = MAX(dh_grp_min, nbits); nbits = MIN(DH_GRP_MAX, nbits); if (kex->max < kex->min || kex->nbits < kex->min || kex->max < kex->nbits) { + if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC) + logit("DH parameter requested by the client (%d bits) " + "is considered insecure. " + "You can lower the accepted minimum " + "via the KexDHMin option.", + kex->nbits); r = SSH_ERR_DH_GEX_OUT_OF_RANGE; goto out; } diff --git a/readconf.c b/readconf.c index 69d4553a..3f6d28b0 100644 --- a/readconf.c +++ b/readconf.c @@ -61,6 +61,7 @@ #include "uidswap.h" #include "myproposal.h" #include "digest.h" +#include "dh.h" /* Format of the configuration file: 
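Review bot: The `logit()` added in input_kex_dh_gex_group has a wording slip in a user-visible string, "You can lower the accepted the minimum", and it tells the user how to weaken the check without stating the minimum currently enforced. I would change the line to `"You can lower the accepted minimum "` and add `kex->min` to the message so the log shows both the offered size and the required size. The message only fires for sizes between `DH_GRP_MIN_RFC` and `kex->min`, so a short comment such as `/* groups below the RFC 4419 floor are rejected without a hint on purpose */` would record that intent. The function body continues outside the hunk.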
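Review bot: The condition guarding the new `logit()` in input_kex_dh_gex_request compares `kex->nbits` with `kex->min`, both of which are stored before the `MAX(dh_grp_min, ...)` clamping and presumably come straight from the client's request parsed above the hunk. The message therefore fires when the client's preferred size is below the client's own stated minimum, not below the server's configured floor, and lowering KexDHMin on the server would not change the outcome. Either test against the server value, `if (kex->nbits < (u_int)dh_grp_min && kex->nbits >= DH_GRP_MIN_RFC)`, or drop the hint about KexDHMin. `kex->nbits` is printed with `%d`; if it is a `u_int`, as the `(u_int)bits < kex->min` comparison in kexgexc.c suggests for its sibling field, the specifier should be `%u`. The function body continues outside the hunk.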
@@ -153,7 +154,8 @@ typedef enum { oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, + oKexAlgorithms, oKexDHMin, + oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, @@ -265,6 +267,7 @@ static struct { { "visualhostkey", oVisualHostKey }, { "useroaming", oDeprecated }, { "kexalgorithms", oKexAlgorithms }, + { "kexdhmin", oKexDHMin }, { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, { "proxyusefdpass", oProxyUseFdpass }, @@ -285,6 +288,9 @@ static struct { { NULL, oBadOption } }; +/* import from dh.c */ +extern int dh_grp_min; + /* * Adds a local TCP/IP port forward to options. Never returns if there is an * error. @@ -1162,6 +1168,10 @@ parse_int: options->kex_algorithms = xstrdup(arg); break; + case oKexDHMin: + intptr = &options->kex_dhmin; + goto parse_int; + case oHostKeyAlgorithms: charptr = &options->hostkeyalgorithms; parse_keytypes: @@ -1669,6 +1679,7 @@ initialize_options(Options * options) options->ciphers = NULL; options->macs = NULL; options->kex_algorithms = NULL; + options->kex_dhmin = -1; options->hostkeyalgorithms = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->num_identity_files = 0; @@ -1810,6 +1821,13 @@ fill_default_options(Options * options) /* Selected in ssh_login(). */ if (options->cipher == -1) options->cipher = SSH_CIPHER_NOT_SET; + if (options->kex_dhmin == -1) + options->kex_dhmin = DH_GRP_MIN_RFC; + else { + options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC); + options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX); + } + dh_grp_min = options->kex_dhmin; /* options->hostkeyalgorithms, default set in myproposals.h */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_2; 
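Review bot: When KexDHMin is not configured, the fill_default_options hunk sets `options->kex_dhmin = DH_GRP_MIN_RFC` and copies it into `dh_grp_min`, so the effective client minimum becomes 1024 bits, whereas the removed line in kexgex_client used `DH_GRP_MIN` (2048). That contradicts the commit summary ("Raise minimal size of DH group parameters to 2048 bits") and leaves the 1024-bit groups that the description itself calls breakable accepted unless each deployment sets the option; fill_default_server_options in servconf.c does the same for sshd. If the compatibility default is intended, say so in a comment here and in the description; otherwise use `options->kex_dhmin = DH_GRP_MIN;` for the unset case and keep `DH_GRP_MIN_RFC` only as the lower clamp. Out-of-range values are also clamped silently, so a `logit()` naming the adjusted value would make a mistyped setting visible.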
diff --git a/readconf.h b/readconf.h index c84d068b..68de7768 100644 --- a/readconf.h +++ b/readconf.h @@ -74,6 +74,7 @@ typedef struct { char *macs; /* SSH2 macs in order of preference. */ char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ char *kex_algorithms; /* SSH2 kex methods in order of preference. */ + int kex_dhmin; /* minimum bit length of the DH group parameter */ int protocol; /* Protocol in order of preference. */ char *hostname; /* Real host to connect. */ char *host_key_alias; /* hostname alias for .ssh/known_hosts */ diff --git a/servconf.c b/servconf.c index cb1d93f9..c88918f4 100644 --- a/servconf.c +++ b/servconf.c @@ -57,6 +57,10 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" +#include "dh.h" + +/* import from dh.c */ +extern int dh_grp_min; static void add_listen_addr(ServerOptions *, char *, int); static void add_one_listen_addr(ServerOptions *, char *, int); @@ -139,6 +143,7 @@ initialize_server_options(ServerOptions *options) options->ciphers = NULL; options->macs = NULL; options->kex_algorithms = NULL; + options->kex_dhmin = -1; options->protocol = SSH_PROTO_UNKNOWN; options->fwd_opts.gateway_ports = -1; options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; @@ -204,6 +209,13 @@ fill_default_server_options(ServerOptions *options) if (options->use_pam_check_locks == -1) options->use_pam_check_locks = 0; + if (options->kex_dhmin == -1) + options->kex_dhmin = DH_GRP_MIN_RFC; + else { + options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC); + options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX); + } + dh_grp_min = options->kex_dhmin; /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_2; 
@@ -428,7 +440,8 @@ typedef enum { sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, - sKexAlgorithms, sIPQoS, sVersionAddendum, + sKexAlgorithms, sKexDHMin, + sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, sStreamLocalBindMask, sStreamLocalBindUnlink, @@ -566,6 +579,7 @@ static struct { { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, + { "kexdhmin", sKexDHMin }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, @@ -1486,6 +1500,10 @@ process_server_config_line(ServerOptions *options, char *line, options->kex_algorithms = xstrdup(arg); break; + case sKexDHMin: + intptr = &options->kex_dhmin; + goto parse_int; + case sProtocol: intptr = &options->protocol; arg = strdelim(&cp); @@ -2252,6 +2270,7 @@ dump_config(ServerOptions *o) dump_cfg_int(sClientAliveInterval, o->client_alive_interval); dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); + dump_cfg_int(sKexDHMin, o->kex_dhmin); /* formatted integer arguments */ dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); diff --git a/servconf.h b/servconf.h index 92f8f365..7e02dbda 100644 --- a/servconf.h +++ b/servconf.h 
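Review bot: The new keyword table entry `{ "kexdhmin", sKexDHMin },` omits the third field that every neighbouring entry sets (`SSHCFG_GLOBAL` or `SSHCFG_ALL`), so its flags are zero-initialised implicitly. The value ends up in the process-wide `dh_grp_min`, so it cannot meaningfully vary per Match block. Writing `{ "kexdhmin", sKexDHMin, SSHCFG_GLOBAL },` states that explicitly and matches the `kexalgorithms` entry directly above it. The start of the table is outside the hunk.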
@@ -93,6 +93,7 @@ typedef struct { char *ciphers; /* Supported SSH2 ciphers. */ char *macs; /* Supported SSH2 macs. */ char *kex_algorithms; /* SSH2 kex methods in order of preference. */ + int kex_dhmin; /* minimum bit length of the DH group parameter */ int protocol; /* Supported protocol versions. */ struct ForwardOptions fwd_opts; /* forwarding options */ SyslogFacility log_facility; /* Facility for system logging. */ diff --git a/ssh_config b/ssh_config index 195f1553..1e32413b 100644 --- a/ssh_config +++ b/ssh_config @@ -17,6 +17,11 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. +# Minimum accepted size of the DH parameter p. By default this is set to 1024 +# to maintain compatibility with RFC4419, but should be set higher. +# Upstream default is identical to setting this to 2048. +#KexDHMin 1024 + Host * # ForwardAgent no # ForwardX11 no diff --git a/ssh_config.0 b/ssh_config.0 index b823c021..f502c52a 100644 --- a/ssh_config.0 +++ b/ssh_config.0 
@@ -611,6 +611,23 @@ DESCRIPTION The list of available key exchange algorithms may also be obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. + KexDHMin + Specifies the minimum accepted bit length of the DH group + parameter p. + + As per RFC4419, this is 1024 bits, however this has increasingly + been seen as insecure, which prompted the change to 2048 bits. + Setting this option allows the client to accept parameters shorter + than the current minimum, down to the RFC specified 1024 bits. + Using this option may be needed when connecting to servers that + only know short DH group parameters. + + Note, that while by default this option is set to 1024 to maintain + maximum backward compatibility, using it can severly impact + security and thus should be viewed as a temporary fix of last + resort and all efforts should be made to fix the (broken) + counterparty. + LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. The command string diff --git a/ssh_config.5 b/ssh_config.5 index 6671c605..ac3c4088 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -1097,6 +1097,22 @@ option of .Xr ssh 1 with an argument of .Dq kex . +.It Cm KexDHMin +Specifies the minimum accepted bit length of the DH group +parameter p. +.Pp +As per RFC4419, this is 1024 bits, however this has increasingly +been seen as insecure, which prompted the change to 2048 bits. +Setting this option allows the client to accept parameters shorter +than the current minimum, down to the RFC specified 1024 bits. +Using this option may be needed when connecting to servers that +only know short DH group parameters. +.Pp +Note, that while by default this option is set to 1024 to maintain +maximum backward compatibility, using it can severly impact +security and thus should be viewed as a temporary fix of last +resort and all efforts should be made to fix the (broken) +counterparty. .It Cm LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. diff --git a/sshd_config b/sshd_config index b01dd4cd..9dabdf1f 100644 --- a/sshd_config +++ b/sshd_config @@ -26,6 +26,11 @@ #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key +# Minimum accepted size of the DH parameter p. By default this is set to 1024 +# to maintain compatibility with RFC4419, but should be set higher. +# Upstream default is identical to setting this to 2048. +#KexDHMin 1024 + # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 diff --git a/sshd_config.0 b/sshd_config.0 index 5d664bab..d77b993d 100644 --- a/sshd_config.0 +++ b/sshd_config.0 
@@ -544,6 +544,23 @@ DESCRIPTION The list of available key exchange algorithms may also be obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. + KexDHMin + Specifies the minimum accepted bit length of the DH group + parameter p. + + As per RFC4419, this is 1024 bits, however this has increasingly + been seen as insecure, which prompted the change to 2048 bits. + Setting this option allows the server to accept parameters shorter + than the current minimum, down to the RFC specified 1024 bits. + Using this option may be needed when some of the connectiong + clients only know short DH group parameters. + + Note, that while by default this option is set to 1024 to maintain + maximum backward compatibility, using it can severly impact + security and thus should be viewed as a temporary fix of last + resort and all efforts should be made to fix the (broken) + counterparty. + KeyRegenerationInterval In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). The diff --git a/sshd_config.5 b/sshd_config.5 index d819d9c2..bb9c0a5b 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -900,6 +900,22 @@ option of .Xr ssh 1 with an argument of .Dq kex . +.It Cm KexDHMin +Specifies the minimum accepted bit length of the DH group +parameter p. +.Pp +As per RFC4419, this is 1024 bits, however this has increasingly +been seen as insecure, which prompted the change to 2048 bits. +Setting this option allows the server to accept parameters shorter +than the current minimum, down to the RFC specified 1024 bits. +Using this option may be needed when some of the connectiong +clients only know short DH group parameters. +.Pp +Note, that while by default this option is set to 1024 to maintain +maximum backward compatibility, using it can severly impact +security and thus should be viewed as a temporary fix of last +resort and all efforts should be made to fix the (broken) +counterparty. .It Cm KeyRegenerationInterval In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). -- 2.38.0