enable hmac-sha2-256, hmac-sha2-512 MAC algorithms

Attached are debdiffs for trusty and utopic/vivid.

I have uploaded patched packages to my PPA:

https://launchpad.net/~a7x/+archive/ubuntu/bug1409798

The attachment "debdiff for trusty" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Thanks for the patch!
Sponsored for Vivid with a minimal change in the version. Please test after it becomes available in the archive.
After this we can push it into Utopic/Trusty following the SRU process:
https://wiki.ubuntu.com/StableReleaseUpdates
--chris

This bug was fixed in the package dropbear - 2014.65-1ubuntu2

---------------
dropbear (2014.65-1ubuntu2) vivid; urgency=medium

  * Enable hmac-sha2-256 and hmac-sha2-512 MAC algorithms (LP: #1409798)
 -- Richard Hansen <email address hidden> Wed, 04 Feb 2015 16:11:03 -0600

They're enabled by default in 2015.67

Cheers,
Matt

On 7 February 2015 7:03:43 pm AWST, Richard Hansen <email address hidden> wrote:
>** Description changed:
>
>+ [Impact]
>+
> Since version 2013.56, dropbear has supported the hmac-sha2-256 and
> hmac-sha2-512 MAC algorithms, but they are disabled by default.
> According to the dropbear changelog, enabling them is a matter of
> uncommenting the following two lines in options.h:
>
>- /*#define DROPBEAR_SHA2_256_HMAC*/
>- /*#define DROPBEAR_SHA2_512_HMAC*/
>+     /*#define DROPBEAR_SHA2_256_HMAC*/
>+     /*#define DROPBEAR_SHA2_512_HMAC*/
>
> Due to recent NSA revelations, some people are recommending users
> disable certain algorithms. If the recommendations at
> <https://stribika.github.io/2015/01/04/secure-secure-shell.html> are
>followed, there are no MAC algorithms left that dropbear supports
>unless
> hmac-sha2-256 and hmac-sha2-512 are enabled.
>+
>+ [Test Case]
>+
>+ Setup steps:
>+ 1. install dropbear and openssh-client:
>+ sudo apt-get install dropbear openssh-client
>+ 2. if you have openssh-server installed, stop it:
>+ sudo service ssh stop
>+ 3. make sure that the dropbear service is enabled by editing
>+ /etc/default/dropbear and setting the NO_START variable to 0
>like
>+ this:
>+ NO_START=0
>+ 4. start the dropbear service:
>+ sudo service dropbear start
>+
>+ Test steps:
>+ 5. try the hmac-sha2-256 MAC:
>+ ssh -o UserKnownHostsFile=/dev/null \
>+ -o MACs=hmac-sha2-256 localhost
>+ 6. try the hmac-sha2-512 MAC:
>+ ssh -o UserKnownHostsFile=/dev/null \
>+ -o MACs=hmac-sha2-512 localhost
>+
>+ Cleanup steps:
>+ 7. stop the dropbear service:
>+ sudo service dropbear stop
>+ 8. if you edited /etc/default/dropbear to enable the dropbear
>+ service, disable it again by editing /etc/default/dropbear and
>+ setting the NO_START variable to 1 like this:
>+ NO_START=1
>+ 9. if you stopped the OpenSSH server, restart it:
>+ sudo service ssh start
>+
>+ [Regression Potential]
>+
>+ * Due to being disabled by default upstream, the implementations of
>+ the new MAC algorithms are probably not as well tested as the old
>+ MAC algorithms. This may increase the likelihood of
>compatibility
>+ or security bugs.
>+ * SSH clients are likely to prefer the new MAC algorithms over the
>+ old MAC algorithms. If either the client or server has an
>+ implementation bug, the ability to connect may be impaired unless
>+ the user configures the client to disallow the new algorithms or
>+ prefer the old algorithms (e.g., via the ssh_config "MACs"
>+ directive in OpenSSH).
>+ * The new MAC algorithms may negatively impact performance.
>
>--
>You received this bug notification because you are subscribed to
>dropbear in Ubuntu.
>https://bugs.launchpad.net/bugs/1409798
>
>Title:
> enable hmac-sha2-256, hmac-sha2-512 MAC algorithms
>
>To manage notifications about this bug go to:
>https://bugs.launchpad.net/ubuntu/+source/dropbear/+bug/1409798/+subscriptions

> They're enabled by default in 2015.67

Great! I updated the description.

Attached is an updated debdiff for trusty, identical to the tip commit on the lp:~a7x/ubuntu/trusty/dropbear/bug1409798 bzr branch.

Attached is an updated debdiff for utopic, identical to the tip commit on the lp:~a7x/ubuntu/utopic/dropbear/bug1409798 bzr branch.

I've uploaded this to the Trusty and Utopic SRU queues.

Hello Richard, or anyone else affected,

Accepted dropbear into utopic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dropbear/2014.65-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Richard, or anyone else affected,

Accepted dropbear into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dropbear/2013.60-1ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I added a plain verification-done tag in case there are scripts/queries that won't find this bug without it.

This bug was fixed in the package dropbear - 2014.65-1ubuntu1.1

---------------
dropbear (2014.65-1ubuntu1.1) utopic; urgency=medium

  * Enable hmac-sha2-256 and hmac-sha2-512 MAC algorithms (LP: #1409798)
 -- Richard Hansen <email address hidden> Wed, 04 Feb 2015 16:11:03 -0600

The verification of the Stable Release Update for dropbear has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package dropbear - 2013.60-1ubuntu2.1

---------------
dropbear (2013.60-1ubuntu2.1) trusty; urgency=medium

  * Enable hmac-sha2-256 and hmac-sha2-512 MAC algorithms (LP: #1409798)
 -- Richard Hansen <email address hidden> Wed, 04 Feb 2015 16:11:03 -0600