bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-11 04:23 UTC
[Bug 2515] New: Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Bug ID: 2515
Summary: Implement diffie-hellman-group{14,15,16)-sha256
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: ASSIGNED
Severity: enhancement
Priority: P3
Component: ssh
Assignee: dtucker at zip.com.au
Reporter: dtucker at zip.com.au
Blocks: 2451
The IETF ssh working group has proposed adding MODP groups 15 and 16
with SHA256 and deprecating group14-sha1 (we're already doing the
latter).
https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2/
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
--
You are receiving this mail because:
You are watching the reporter of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-11 04:29 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 2766
--> https://bugzilla.mindrot.org/attachment.cgi?id=2766&action=edit
add diffie-hellman-group{14,15,16}-sha256
bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-11 06:24 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2766|0 |1
is obsolete| |
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 2767
--> https://bugzilla.mindrot.org/attachment.cgi?id=2767&action=edit
add diffie-hellman-group{14,15,16}-sha256
Add missing change to ssh_api.c, from Mark D. Baushke.
bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-11 14:18 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Matt Johnston <matt at ucc.asn.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |matt at ucc.asn.au
--- Comment #3 from Matt Johnston <matt at ucc.asn.au> ---
This is still hashing with sha1, see kex_dh_hash() - it doesn't use
hash_alg.
I've patched Dropbear for group14-sha256,
https://secure.ucc.asn.au/hg/dropbear/rev/d2f9ef67af15
bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-12 08:14 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 2768
--> https://bugzilla.mindrot.org/attachment.cgi?id=2768&action=edit
add diffie-hellman-group{14,15,16}-sha256
> This is still hashing with sha1, see kex_dh_hash() - it doesn't use
> hash_alg.
Well, that's not cool :-)
djm implemented the code to fix this which is included in the updated
patch.
With this change, openssh client interops with the dropbear server.
dbclient doesn't work (the openssh server kills the connection claiming
a negative bignum) but it also worked with an unmodified
openssh-current with group14-sha1 (dbclient claims "Bad hostkey
signature"). I don't know where the problem is though.
bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-12 13:55 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
--- Comment #5 from Matt Johnston <matt at ucc.asn.au> ---
Created attachment 2769
--> https://bugzilla.mindrot.org/attachment.cgi?id=2769&action=edit
Fix first_kex_follows
bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-12 13:58 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
--- Comment #6 from Matt Johnston <matt at ucc.asn.au> ---
The Dropbear client failure was because it's sending first_kex_follows
so OpenSSH parsed the first (should be discarded) kexdhinit packet. It
looks like that broke in
https://github.com/openssh/openssh-portable/commit/57d10cbe861a235dd269c74fb2fe248469ecee9d
in January :-\ Patch attached.
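[Added example, not part of the thread and not OpenSSH or Dropbear code.] The first_kex_follows handling discussed in comment #6, following the RFC 4253 section 7 rule that a guessed packet is silently dropped when the two sides' preferred kex or host key algorithms differ. Function names and all sample data are hypothetical and constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT, SSH_MSG_KEXDH_INIT = 20, 30

def build_kexinit(kex, hostkey, first_kex_follows):
    """Constructed KEXINIT payload; the eight cipher/MAC/etc. lists are left empty."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)          # type + 16-byte cookie
    for names in [kex, hostkey] + [[]] * 8:
        nl = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(nl)) + nl
    return body + bytes([1 if first_kex_follows else 0]) + bytes(4)  # flag + reserved

def parse_kexinit(payload):
    """Return (kex list, host key list, first_kex_packet_follows)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT")
    off, lists = 17, []
    for _ in range(10):
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n >= len(payload):                      # flag byte must still follow
            raise ValueError("truncated name-list")
        lists.append(payload[off:off + n].decode("ascii").split(",") if n else [])
        off += n
    return lists[0], lists[1], payload[off] != 0

def must_skip_next(my_kex, my_hostkey, peer_kexinit):
    """True when the peer sent a guessed packet and the guess was wrong."""
    peer_kex, peer_hostkey, follows = parse_kexinit(peer_kexinit)
    guess_right = peer_kex[:1] == my_kex[:1] and peer_hostkey[:1] == my_hostkey[:1]
    return follows and not guess_right

def server_dispatch(my_kex, my_hostkey, packets):
    """packets[0] is the client's KEXINIT; return the KEXDH_INIT packets processed."""
    skip = must_skip_next(my_kex, my_hostkey, packets[0])
    handled = []
    for pkt in packets[1:]:
        if skip:            # silently drop exactly one packet, whatever its type
            skip = False
            continue
        if pkt[0] == SSH_MSG_KEXDH_INIT:
            handled.append(pkt)
    return handled

# Constructed sample data (not captured traffic).
SERVER_KEX = ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"]
CLIENT_KEX = ["diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256"]
HOSTKEY = ["ssh-rsa"]
GUESSED, REAL = (bytes([SSH_MSG_KEXDH_INIT]) + s for s in (b"guessed-e", b"real-e"))
```

With the constructed lists above the client's guess is wrong, so the server processes only REAL; a server that skips nothing would parse GUESSED as the key exchange input.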
bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-13 22:42 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Bah, breaking first-kex-follows was my fault. Fix committed and will be
in OpenSSH 7.2
bugzilla-daemon at bugzilla.mindrot.org
2016-Jan-08 02:57 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2767|0 |1
is obsolete| |
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:44 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-7.3
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:45 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2543
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:47 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2451 |
--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-7.3
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
bugzilla-daemon at bugzilla.mindrot.org
2016-Apr-22 06:47 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2768|0 |1
is obsolete| |
CC| |dtucker at zip.com.au
Attachment #2808| |ok?(dtucker at zip.com.au)
Flags| |
--- Comment #10 from Damien Miller <djm at mindrot.org> ---
Created attachment 2808
--> https://bugzilla.mindrot.org/attachment.cgi?id=2808&action=edit
update to draft-ietf-curdle-ssh-kex-sha2-03 prefer groups 14, 16, 18
This updates Darren's diff to draft-ietf-curdle-ssh-kex-sha2-03,
specifically changing the hash for the group16 KEX to SHA512. This diff
also removes group 15 instead of group 18, so the groups supported are:
diffie-hellman-group14-sha256 - 2048 bit
diffie-hellman-group16-sha512 - 4096 bit
diffie-hellman-group18-sha512 - 8192 bit
IMO the powers of two are a bit cleaner than the intermediate ones.
Finally, this tweaks the fallback group logic to choose the next larger
group a bit sooner and to consider the 8192 bit fixed group.
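[Added example, not part of the thread and not OpenSSH code.] This illustrates two points from the thread: the exchange hash must be computed with the hash named by the negotiated kex method (comment #3), and group16 and group18 use SHA512 in the list from comment #10. It follows the exchange hash layout of RFC 4253 section 8; the function names are hypothetical and the inputs are constructed toy values.

```python
import hashlib
import struct

# Hash per kex name: the three names from comment #10 plus the legacy SHA-1 name.
KEX_HASH = {
    "diffie-hellman-group14-sha1": "sha1",
    "diffie-hellman-group14-sha256": "sha256",
    "diffie-hellman-group16-sha512": "sha512",
    "diffie-hellman-group18-sha512": "sha512",
}

def ssh_string(data):
    """RFC 4251 string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n):
    """RFC 4251 mpint: big-endian two's complement, so a set top bit needs a 0x00 pad."""
    if n < 0:
        raise ValueError("DH values are never negative")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def exchange_hash(hash_name, v_c, v_s, i_c, i_s, k_s, e, f, k):
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K), RFC 4253 section 8."""
    h = hashlib.new(hash_name)
    for field in (v_c, v_s, i_c, i_s, k_s):
        h.update(ssh_string(field))
    for value in (e, f, k):
        h.update(ssh_mpint(value))
    return h.digest()

# Constructed inputs (toy sizes, not a real handshake).
SAMPLE = dict(v_c=b"SSH-2.0-client", v_s=b"SSH-2.0-server", i_c=b"\x14client-kexinit",
              i_s=b"\x14server-kexinit", k_s=b"host-key-blob", e=0x8001, f=0x7FFF, k=0xC0FFEE)

def peers_agree(kex_name, other_side_hardcodes_sha1):
    """Compare H from a peer using the negotiated hash with one that may hard-code SHA-1."""
    ours = exchange_hash(KEX_HASH[kex_name], **SAMPLE)
    theirs_hash = "sha1" if other_side_hardcodes_sha1 else KEX_HASH[kex_name]
    return ours == exchange_hash(theirs_hash, **SAMPLE)
```

Because the host key signature is made over H, a side that hard-codes SHA-1 disagrees with a conforming peer on every -sha256 and -sha512 method and agrees only on diffie-hellman-group14-sha1.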
bugzilla-daemon at bugzilla.mindrot.org
2016-May-02 11:01 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
--- Comment #11 from Damien Miller <djm at mindrot.org> ---
Thanks Mark and Darren - patch applied. This will be in OpenSSH 7.3.
commit 0e8eeec8e75f6d0eaf33317376f773160018a9c7
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon May 2 10:26:04 2016 +0000
upstream commit
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker
ok markus@
Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
commit 67f1459efd2e85bf03d032539283fa8107218936
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon May 2 09:52:00 2016 +0000
upstream commit
unit and regress tests for SHA256/512; ok markus
Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
bugzilla-daemon at bugzilla.mindrot.org
2016-May-02 11:02 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:40 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #12 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release
bugzilla-daemon at mindrot.org
2023-Jan-13 02:40 UTC
[Bug 2515] Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2808|ok?(dtucker at dtucker.net) |
Flags| |