Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
I couldn't seem to edit the description, so I'll describe the problem here (from openssh-7.1p1-1.fc24.src.rpm): The problem is that a signature error occurs when a client with a minimum DH key size < 2048 connects to a server that has FIPS enabled, and uses any of the variable diffie-hellman kex modes. The signature failure is due to the fact that the hashed and signed kex->min value is overwritten with the minimum of the server, while the computation on the client uses its own value. Removing this particular diff solves the problem: -- openssh-7.0p1/kexgexs.c.fips 2015-08-11 10:57:29.000000000 +0200 +++ openssh-7.0p1/kexgexs.c 2015-08-19 12:36:51.151412892 +0200 @@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int (r = sshpkt_get_end(ssh)) != 0) goto out; kex->nbits = nbits; - kex->min = min; + kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; minimum.
Why are you filling bug on RHEL6, when you post a patch for Fedora Rawhide? Do you have FIPS enabled on Fedora or RHEL6? Can you provide example how to reproduce your problem or some verbose logs how to achieve your described behaviour? Just tested with my installation and I don't see this issue.
Sorry, this is the first bug report I've filed. If there's a bug tracking site for Fedora, I'll file the bug there. I have two old ssh client programs, 4.3p2 and 5.9p2, and both exhibit the problem. What I'm running is basically openssh 7.1p1 with just the FIPS patch applied to it. Enabling FIPS on the server sshd, and not on the client side causes the behavior. If the setting of kex->min is the same in Red Hat as it is in Fedora, then the bug will be there.
One further clarification: this happens when the key-exchange selected is one of the variable diffie-hellman choices, namely diffie-hellman-group-exchange-sha256 or diffie-hellman-group-exchange-sha1. The client has to be old enough to not have support for ecdh, or have those turned off. That can be forced by adding: KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1 to ssh_config. That will also cause the failure to occur even with a newer ssh.
Moving to Fedora. After reading your comments once more and some old commits, I see there was mistake during the rebase to openssh-6.8 which was removing SSH2_MSG_KEX_DH_GEX_REQUEST_OLD compatibility. Your patch is correct and I will update openssh early. Thanks for the report.
openssh-7.1p1-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-8774808146
openssh-7.1p1-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update openssh' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-8774808146
openssh-7.1p1-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.