Bugzilla – Attachment 2169 Details for
Bug 2023
MACs hmac-sha2-256-96 and hmac-sha2-512-96 rejected from new RFC
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches to OpenSSH and OpenSSH portable to remove hmac-sha2-*-96 MACs
ssh-6.0.patch (text/plain), 7.02 KB, created by
Mark D Baushke
on 2012-06-28 07:35:58 AEST
(
hide
)
Description:
Patches to OpenSSH and OpenSSH portable to remove hmac-sha2-*-96 MACs
Filename:
MIME Type:
Creator:
Mark D Baushke
Created:
2012-06-28 07:35:58 AEST
Size:
7.02 KB
patch
obsolete
>ChangeLog entry: > >draft-dbider-sha2-mac-for-ssh-06.txt (soon to be RFC 6668) does not >include the hmac-sha2-256-96 and hmac-sha2-512-96 variants. The IESG >felt they were not appropriate. > >As they are not registered names, it is neeful to either remove them, >or add @openssh.com to them. I suggest removal is the better way to go. > >See also http://www.iana.org/assignments/ssh-parameters for the >officially registered MAC Algorithm Names. > >diff -rup ssh-6.0/mac.c ssh/mac.c >--- ssh-6.0/mac.c 2011-12-25 16:54:15.000000000 -0800 >+++ ssh/mac.c 2012-06-27 13:34:16.146959000 -0700 >@@ -55,9 +55,7 @@ struct { > { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, > { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, > { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, >- { "hmac-sha2-256-96", SSH_EVP, EVP_sha256, 96, -1, -1 }, > { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, >- { "hmac-sha2-512-96", SSH_EVP, EVP_sha512, 96, -1, -1 }, > { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, > { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, > { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, >diff -rup ssh-6.0/myproposal.h ssh/myproposal.h >--- ssh-6.0/myproposal.h 2011-08-18 15:36:03.000000000 -0700 >+++ ssh/myproposal.h 2012-06-27 13:34:39.137832000 -0700 >@@ -57,9 +57,7 @@ > "hmac-sha1," \ > "umac-64@openssh.com," \ > "hmac-sha2-256," \ >- "hmac-sha2-256-96," \ > "hmac-sha2-512," \ >- "hmac-sha2-512-96," \ > "hmac-ripemd160," \ > "hmac-ripemd160@openssh.com," \ > "hmac-sha1-96," \ >diff -rup ssh-6.0/ssh_config.5 ssh/ssh_config.5 >--- ssh-6.0/ssh_config.5 2011-09-09 15:39:45.000000000 -0700 >+++ ssh/ssh_config.5 2012-06-27 13:35:29.821174000 -0700 >@@ -794,8 +794,7 @@ The default is: > .Bd -literal -offset indent > hmac-md5,hmac-sha1,umac-64@openssh.com, > hmac-ripemd160,hmac-sha1-96,hmac-md5-96, >-hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512, >-hmac-sha2-512-96 >+hmac-sha2-256,hmac-sha2-512 > .Ed > .It Cm NoHostAuthenticationForLocalhost > This option can be used if the home directory is shared across machines. >diff -rup ssh-6.0/sshd_config.5 ssh/sshd_config.5 >--- ssh-6.0/sshd_config.5 2012-04-20 04:38:14.000000000 -0700 >+++ ssh/sshd_config.5 2012-06-27 13:36:13.620174000 -0700 >@@ -657,8 +657,7 @@ The default is: > .Bd -literal -offset indent > hmac-md5,hmac-sha1,umac-64@openssh.com, > hmac-ripemd160,hmac-sha1-96,hmac-md5-96, >-hmac-sha2-256,hmac-sha256-96,hmac-sha2-512, >-hmac-sha2-512-96 >+hmac-sha2-256,hmac-sha2-512 > .Ed > .It Cm Match > Introduces a conditional block. >diff -rup openssh-6.0p1.orig/mac.c openssh-6.0p1/mac.c >--- openssh-6.0p1.orig/mac.c 2012-01-16 19:03:38.000000000 -0800 >+++ openssh-6.0p1/mac.c 2012-06-27 14:24:27.108002000 -0700 >@@ -61,9 +61,7 @@ struct { > { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, > #ifdef HAVE_EVP_SHA256 > { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, >- { "hmac-sha2-256-96", SSH_EVP, EVP_sha256, 96, -1, -1 }, > { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, >- { "hmac-sha2-512-96", SSH_EVP, EVP_sha512, 96, -1, -1 }, > #endif > { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, > { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, >diff -rup openssh-6.0p1.orig/myproposal.h openssh-6.0p1/myproposal.h >--- openssh-6.0p1.orig/myproposal.h 2011-08-16 17:29:03.000000000 -0700 >+++ openssh-6.0p1/myproposal.h 2012-06-27 14:24:53.111357000 -0700 >@@ -78,9 +78,7 @@ > #ifdef HAVE_EVP_SHA256 > #define SHA2_HMAC_MODES \ > "hmac-sha2-256," \ >- "hmac-sha2-256-96," \ >- "hmac-sha2-512," \ >- "hmac-sha2-512-96," >+ "hmac-sha2-512," > #else > # define SHA2_HMAC_MODES > #endif >diff -rup openssh-6.0p1.orig/regress/cipher-speed.sh openssh-6.0p1/regress/cipher-speed.sh >--- openssh-6.0p1.orig/regress/cipher-speed.sh 2011-08-16 19:25:48.000000000 -0700 >+++ openssh-6.0p1/regress/cipher-speed.sh 2012-06-27 14:25:18.113811000 -0700 >@@ -18,7 +18,7 @@ ciphers="aes128-cbc 3des-cbc blowfish-cb > aes128-ctr aes192-ctr aes256-ctr" > macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" > config_defined HAVE_EVP_SHA256 && >- macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" >+ macs="$macs hmac-sha2-256 hmac-sha2-512" > > for c in $ciphers; do for m in $macs; do > trace "proto 2 cipher $c mac $m" >diff -rup openssh-6.0p1.orig/regress/try-ciphers.sh openssh-6.0p1/regress/try-ciphers.sh >--- openssh-6.0p1.orig/regress/try-ciphers.sh 2011-08-16 19:25:48.000000000 -0700 >+++ openssh-6.0p1/regress/try-ciphers.sh 2012-06-27 14:25:39.126687000 -0700 >@@ -9,7 +9,7 @@ ciphers="aes128-cbc 3des-cbc blowfish-cb > aes128-ctr aes192-ctr aes256-ctr" > macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" > config_defined HAVE_EVP_SHA256 && >- macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" >+ macs="$macs hmac-sha2-256 hmac-sha2-512" > > for c in $ciphers; do > for m in $macs; do >diff -rup openssh-6.0p1.orig/ssh_config.0 openssh-6.0p1/ssh_config.0 >--- openssh-6.0p1.orig/ssh_config.0 2012-04-19 22:03:39.000000000 -0700 >+++ openssh-6.0p1/ssh_config.0 2012-06-27 14:26:14.136155000 -0700 >@@ -464,8 +464,7 @@ DESCRIPTION > > hmac-md5,hmac-sha1,umac-64@openssh.com, > hmac-ripemd160,hmac-sha1-96,hmac-md5-96, >- hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512, >- hmac-sha2-512-96 >+ hmac-sha2-256,hmac-sha2-512 > > NoHostAuthenticationForLocalhost > This option can be used if the home directory is shared across >diff -rup openssh-6.0p1.orig/ssh_config.5 openssh-6.0p1/ssh_config.5 >--- openssh-6.0p1.orig/ssh_config.5 2011-09-22 04:37:13.000000000 -0700 >+++ openssh-6.0p1/ssh_config.5 2012-06-27 14:26:29.132639000 -0700 >@@ -794,8 +794,7 @@ The default is: > .Bd -literal -offset indent > hmac-md5,hmac-sha1,umac-64@openssh.com, > hmac-ripemd160,hmac-sha1-96,hmac-md5-96, >-hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512, >-hmac-sha2-512-96 >+hmac-sha2-256,hmac-sha2-512 > .Ed > .It Cm NoHostAuthenticationForLocalhost > This option can be used if the home directory is shared across machines. >diff -rup openssh-6.0p1.orig/sshd_config.0 openssh-6.0p1/sshd_config.0 >--- openssh-6.0p1.orig/sshd_config.0 2012-04-19 22:03:39.000000000 -0700 >+++ openssh-6.0p1/sshd_config.0 2012-06-27 14:26:58.147715000 -0700 >@@ -377,8 +377,7 @@ DESCRIPTION > > hmac-md5,hmac-sha1,umac-64@openssh.com, > hmac-ripemd160,hmac-sha1-96,hmac-md5-96, >- hmac-sha2-256,hmac-sha256-96,hmac-sha2-512, >- hmac-sha2-512-96 >+ hmac-sha2-256,hmac-sha2-512 > > Match Introduces a conditional block. If all of the criteria on the > Match line are satisfied, the keywords on the following lines >diff -rup openssh-6.0p1.orig/sshd_config.5 openssh-6.0p1/sshd_config.5 >--- openssh-6.0p1.orig/sshd_config.5 2011-09-22 04:37:13.000000000 -0700 >+++ openssh-6.0p1/sshd_config.5 2012-06-27 14:27:11.141392000 -0700 >@@ -656,8 +656,7 @@ The default is: > .Bd -literal -offset indent > hmac-md5,hmac-sha1,umac-64@openssh.com, > hmac-ripemd160,hmac-sha1-96,hmac-md5-96, >-hmac-sha2-256,hmac-sha256-96,hmac-sha2-512, >-hmac-sha2-512-96 >+hmac-sha2-256,hmac-sha2-512 > .Ed > .It Cm Match > Introduces a conditional block.
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2169">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 2023
: 2169