Bug 2588

Summary: When no MAC is specified in config the server offers non-existing hmac-sha2* without openssl
Product: Portable OpenSSH Reporter: Ashley <openssh>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: normal CC: dtucker
Priority: P5    
Version: -current   
Hardware: amd64   
OS: Linux   
Bug Depends on:    
Bug Blocks: 3079    
Attachments:
Description Flags
Patch that fixes reported macs none

Description Ashley 2016-06-14 15:04:18 AEST 
Created attachment 2829 [details]
Patch that fixes reported macs

Hi,
When we omit a Mac from the config file, the sshd reports all these Macs, which are not even available:

umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

but when we try to specify for example hmac-sha2-256, then this happens:
sshd_config line 108: Bad SSH2 mac spec 'hmac-sha2-256'.

We compiled it --without-openssl and -static

We use SSHv2 so it does not overly matter. 

I think the problem comes from this:

myproposal.h contains #define KEX_SERVER_MAC without #ifdef for HAVE_EVP_SHA256  unlike in mac.c source file.

Now if I dump the config it is trying to launch by default, I get this
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

if I however specify EXACTLY this list in the config file, it fails (bad mac spec)

if I remove both hmac-sha2-512* and hmac-sha2-256* it starts up again.

I have included a patch that fixes this, provided I found the correct root cause.

And yes, HAVE_EVP_SHA256 is not defined in config.h

Best Regards,
Ashley
Comment 1 Darren Tucker 2016-06-14 15:49:52 AEST 
That'll probably fix this particular case but the #ifdef mess is fragile.  I'd like to filter the lists at runtime and simplify the ifdef maze (see bug#2466).
Comment 2 Darren Tucker 2016-06-15 09:18:46 AEST 
Stick this one on the list for 7.3.  I'd still rather do the aforementioned less fragile change, but if we don't get that one we should at least get this.
Comment 3 Damien Miller 2016-07-22 14:10:55 AEST 
retarget unfinished bugs to next release
Comment 4 Damien Miller 2016-07-22 14:14:39 AEST 
retarget unfinished bugs to next release
Comment 5 Damien Miller 2016-07-22 14:15:43 AEST 
retarget unfinished bugs to next release
Comment 6 Damien Miller 2016-07-22 14:17:16 AEST 
retarget unfinished bugs to next release
Comment 7 Damien Miller 2016-12-16 14:31:30 AEDT 
OpenSSH 7.4 release is closing; punt the bugs to 7.5
Comment 8 Damien Miller 2017-06-30 13:43:07 AEST 
Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while back.

To calibrate expectations, there's little chance all of these are going to make 7.6.
Comment 9 Damien Miller 2017-06-30 13:44:26 AEST 
remove 7.5 target
Comment 10 Damien Miller 2018-04-06 13:12:18 AEST 
Move to OpenSSH 7.8 tracking bug
Comment 11 Damien Miller 2018-08-10 11:38:03 AEST 
Retarget remaining bugs planned for 7.8 release to 7.9
Comment 12 Damien Miller 2018-08-10 11:38:23 AEST 
Retarget remaining bugs planned for 7.8 release to 7.9
Comment 13 Damien Miller 2018-10-19 17:13:39 AEDT 
Retarget unfinished bugs to OpenSSH 8.0
Comment 14 Damien Miller 2018-10-19 17:14:46 AEDT 
Retarget unfinished bugs to OpenSSH 8.0
Comment 15 Damien Miller 2018-10-19 17:15:44 AEDT 
Retarget unfinished bugs to OpenSSH 8.0
Comment 16 Damien Miller 2019-04-03 10:10:31 AEDT 
Retarget outstanding bugs at next release
Comment 17 Damien Miller 2019-10-09 15:07:27 AEDT 
Retarget these bugs to 8.2 release
Comment 18 Darren Tucker 2020-01-26 11:07:09 AEDT 
The #ifdef maze in myproposal.h was becoming increasingly problematic, so we finally moved the filtering to runtime and deleted all the ifdefs:

https://github.com/openssh/openssh-portable/commit/c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84

which should prevent this class of bug in future.

We also added a regression test that has ssh parse its default config to ensure that it's usable (https://github.com/openssh/openssh-portable/blob/master/regress/sshcfgparse.sh) and enabled the internal SHA2 functions for these MACs in the --without-openssl case so the advertised ones do indeed work:

$ ./configure --without-openssl && make && ./ssh -F/dev/null -G localhost | grep "macs "
[...]
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

$ nm ssh | grep -i sha512
000000000004db40 T crypto_hash_sha512
0000000000067740 T SHA512Final
00000000000663c0 T SHA512Init
0000000000097300 r sha512_initial_hash_value
0000000000067550 T SHA512Pad
0000000000066430 T SHA512Transform
0000000000067300 T SHA512Update

$ for i in `./ssh -F/dev/null -G localhost | awk '/macs /{print $2}' | tr , ' '`; do echo $i; ./ssh -omacs=$i localhost true; done
umac-64-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha2-256
hmac-sha2-512
hmac-sha1

Thanks for the report.
Comment 19 Damien Miller 2021-03-04 09:51:42 AEDT 
close bugs that were resolved in OpenSSH 8.5 release cycle