bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-26 00:07 UTC
[Bug 2588] When no MAC is specified in config the server offers non-existing hmac-sha2* without openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=2588

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #18 from Darren Tucker <dtucker at dtucker.net> ---
The #ifdef maze in myproposal.h was becoming increasingly problematic, so we
finally moved the filtering to runtime and deleted all the ifdefs:

https://github.com/openssh/openssh-portable/commit/c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84

which should prevent this class of bug in future.

We also added a regression test that has ssh parse its default config to
ensure that it's usable
(https://github.com/openssh/openssh-portable/blob/master/regress/sshcfgparse.sh)
and enabled the internal SHA2 functions for these MACs in the --without-openssl
case so the advertised ones do indeed work:

$ ./configure --without-openssl && make && ./ssh -F/dev/null -G localhost | grep "macs "
[...]
macs umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

$ nm ssh | grep -i sha512
000000000004db40 T crypto_hash_sha512
0000000000067740 T SHA512Final
00000000000663c0 T SHA512Init
0000000000097300 r sha512_initial_hash_value
0000000000067550 T SHA512Pad
0000000000066430 T SHA512Transform
0000000000067300 T SHA512Update

$ for i in `./ssh -F/dev/null -G localhost | awk '/macs /{print $2}' | tr , ' '`; do echo $i; ./ssh -omacs=$i localhost true; done
umac-64-etm at openssh.com
umac-128-etm at openssh.com
hmac-sha2-256-etm at openssh.com
hmac-sha2-512-etm at openssh.com
hmac-sha1-etm at openssh.com
umac-64 at openssh.com
umac-128 at openssh.com
hmac-sha2-256
hmac-sha2-512
hmac-sha1

Thanks for the report.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
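A defender-side check in the spirit of the verification loop in the comment above, written here as an added example (not code from the bug thread or from OpenSSH): it compares each algorithm family that `ssh -G` advertises with what `ssh -Q` says the binary implements, so an advertised-but-unimplemented MAC of the kind this bug describes is reported before a connection ever fails. It generalizes beyond MACs to ciphers, kex and host key algorithms; it assumes an OpenSSH `ssh` that supports `-G` and `-Q`, and the sample dump and supported list below are constructed data.

```shell
#!/bin/sh
# Added example, not OpenSSH code: detect algorithms that the default
# client config advertises but the binary does not implement.

# not_supported ADVERTISED SUPPORTED
#   Both arguments are comma- or newline-separated lists; prints each
#   advertised name that is missing from the supported list.
not_supported() {
    sup=$(printf '%s\n' "$2" | tr ',' '\n')
    for a in $(printf '%s\n' "$1" | tr ',' '\n'); do
        printf '%s\n' "$sup" | grep -qxF -- "$a" || printf '%s\n' "$a"
    done
}

# advertised_list DUMP KEYWORD
#   Extract the value of one lowercase keyword (e.g. "macs") from the
#   output of `ssh -G`.
advertised_list() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_binary [SSH]
#   Run the comparison for macs, ciphers, kex and host key algorithms
#   against a real binary. Returns 0 when every advertised algorithm is
#   supported, 1 when any is not, 2 when the config dump itself fails.
check_binary() {
    ssh=${1:-ssh}
    dump=$("$ssh" -F/dev/null -G localhost) || return 2
    rc=0
    for pair in macs:mac ciphers:cipher kexalgorithms:kex hostkeyalgorithms:key; do
        kw=${pair%%:*}
        bad=$(not_supported "$(advertised_list "$dump" "$kw")" "$("$ssh" -Q "${pair#*:}")")
        if [ -n "$bad" ]; then
            printf 'advertised but unsupported %s:\n%s\n' "$kw" "$bad"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a trimmed `ssh -G` dump and a supported-MAC list
# (as `ssh -Q mac` would print) that lacks the SHA-2 MACs, mirroring the
# --without-openssl situation from the bug report.
SAMPLE_DUMP='user alice
macs hmac-sha2-256,hmac-sha2-512,hmac-sha1
ciphers chacha20-poly1305@openssh.com'
SAMPLE_SUPPORTED='hmac-sha1
umac-64@openssh.com'

# Offline run on the sample: reports hmac-sha2-256 and hmac-sha2-512.
not_supported "$(advertised_list "$SAMPLE_DUMP" macs)" "$SAMPLE_SUPPORTED"
```

Against a real build, `check_binary ./ssh` performs the same comparison for all four families and exits non-zero on any mismatch.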