Apply upstream-recommended patch to fix bignum encoding for curve25519-sha256@libssh.org, fixing occasional key exchange failures.

author: Colin Watson <cjwatson@debian.org> 2014-04-21 21:24:52 +0100
committer: Colin Watson <cjwatson@debian.org> 2014-04-21 21:28:19 +0100
commit: 7cc2be72098d7b3384daf09d85d9969d9da0420e (patch)
tree: c762cfc9b928dc4b8dc41399308e3552b1e6a5ca
parent: c730d55d220e15fb7bc6b9b56633541e97817175 (diff)
parent: 02883061577ec43ff8d0e8f0cf486bc5131db507 (diff)
10 files changed, 194 insertions, 5 deletions
diff --git a/bufaux.c b/bufaux.c
index e24b5fc0a..f6a6f2ab2 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
        if (l > 8 * 1024)
                fatal("%s: length %u too long", __func__, l);
+        /* Skip leading zero bytes */
+        for (; l > 0 && *s == 0; l--, s++)
+                ;
        p = buf = xmalloc(l + 1);
        /*
         * If most significant bit is set then prepend a zero byte to
diff --git a/compat.c b/compat.c
index 9d9fabef3..2709dc5cf 100644
--- a/compat.c
+++ b/compat.c
@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
                { "Sun_SSH_1.0*",       SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
                { "OpenSSH_4*",         0 },
                { "OpenSSH_5*",         SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
+                { "OpenSSH_6.6.1*",     SSH_NEW_OPENSSH},
+                { "OpenSSH_6.5*,"
+                  "OpenSSH_6.6*",       SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
                { "OpenSSH*",           SSH_NEW_OPENSSH },
                { "*MindTerm*",         0 },
                { "2.1.0*",             SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
        return cipher_prop;
 }
 char *
 compat_pkalg_proposal(char *pkalg_prop)
 {
@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
        return pkalg_prop;
 }
+char *
+compat_kex_proposal(char *kex_prop)
+{
+        if (!(datafellows & SSH_BUG_CURVE25519PAD))
+                return kex_prop;
+        debug2("%s: original KEX proposal: %s", __func__, kex_prop);
+        kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
+        debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
+        if (*kex_prop == '\0')
+                fatal("No supported key exchange algorithms found");
+        return kex_prop;
+}
diff --git a/compat.h b/compat.h
index b174fa171..a6c3f3d7a 100644
--- a/compat.h
+++ b/compat.h
@@ -59,6 +59,7 @@
 #define SSH_BUG_RFWD_ADDR       0x02000000
 #define SSH_NEW_OPENSSH         0x04000000
 #define SSH_BUG_DYNAMIC_RPORT   0x08000000
+#define SSH_BUG_CURVE25519PAD   0x10000000
 void     enable_compat13(void);
 void     enable_compat20(void);
@@ -66,6 +67,7 @@ void     compat_datafellows(const char *);
 int      proto_spec(const char *);
 char    *compat_cipher_proposal(char *);
 char    *compat_pkalg_proposal(char *);
+char    *compat_kex_proposal(char *);
 extern int compat13;
 extern int compat20;
diff --git a/debian/.git-dpm b/debian/.git-dpm
index db6725726..696b3a3d3 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-08a63152deb5deda168aaef870bdb9f56425acb3
+02883061577ec43ff8d0e8f0cf486bc5131db507
-08a63152deb5deda168aaef870bdb9f56425acb3
+02883061577ec43ff8d0e8f0cf486bc5131db507
 796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7
 796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7
 openssh_6.6p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index d8634f3ab..4187e72e2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ openssh (1:6.6p1-4) UNRELEASED; urgency=medium
  * Debconf translations:
    - Spanish (thanks, Matías Bellone; closes: #744867).
+  * Apply upstream-recommended patch to fix bignum encoding for
+    curve25519-sha256@libssh.org, fixing occasional key exchange failures.
 -- Colin Watson <cjwatson@debian.org>  Tue, 15 Apr 2014 17:27:21 +0100
diff --git a/debian/patches/curve25519-sha256-bignum-encoding.patch b/debian/patches/curve25519-sha256-bignum-encoding.patch
new file mode 100644
index 000000000..ccb66048d
--- /dev/null
+++ b/debian/patches/curve25519-sha256-bignum-encoding.patch
@@ -0,0 +1,161 @@
+From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Sun, 20 Apr 2014 13:47:45 +1000
+Subject: bad bignum encoding for curve25519-sha256@libssh.org
+Hi,
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256@libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+I've committed this on the 6.6 branch too.
+Apologies for the hassle.
+-d
+Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
+Forwarded: not-needed
+Last-Update: 2014-04-21
+Patch-Name: curve25519-sha256-bignum-encoding.patch
+---
+ bufaux.c      |  5 ++++-
+ compat.c      | 17 ++++++++++++++++-
+ compat.h      |  2 ++
+ sshconnect2.c |  2 ++
+ sshd.c        |  3 +++
+ version.h     |  2 +-
+ 6 files changed, 28 insertions(+), 3 deletions(-)
+diff --git a/bufaux.c b/bufaux.c
+index e24b5fc..f6a6f2a 100644
+--- a/bufaux.c
+++ b/bufaux.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
+ 
+        if (l > 8 * 1024)
+                fatal("%s: length %u too long", __func__, l);
+       /* Skip leading zero bytes */
+       for (; l > 0 && *s == 0; l--, s++)
+               ;
+        p = buf = xmalloc(l + 1);
+        /*
+         * If most significant bit is set then prepend a zero byte to
+diff --git a/compat.c b/compat.c
+index 9d9fabe..2709dc5 100644
+--- a/compat.c
+++ b/compat.c
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+                { "Sun_SSH_1.0*",       SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+                { "OpenSSH_4*",         0 },
+                { "OpenSSH_5*",         SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
+               { "OpenSSH_6.6.1*",     SSH_NEW_OPENSSH},
+               { "OpenSSH_6.5*,"
+                 "OpenSSH_6.6*",       SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+                { "OpenSSH*",           SSH_NEW_OPENSSH },
+                { "*MindTerm*",         0 },
+                { "2.1.0*",             SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
+        return cipher_prop;
+ }
+ 
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
+        return pkalg_prop;
+ }
+ 
+char *
+compat_kex_proposal(char *kex_prop)
+{
+       if (!(datafellows & SSH_BUG_CURVE25519PAD))
+               return kex_prop;
+       debug2("%s: original KEX proposal: %s", __func__, kex_prop);
+       kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
+       debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
+       if (*kex_prop == '\0')
+               fatal("No supported key exchange algorithms found");
+       return kex_prop;
+}
+
+diff --git a/compat.h b/compat.h
+index b174fa1..a6c3f3d 100644
+--- a/compat.h
+++ b/compat.h
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR      0x02000000
+ #define SSH_NEW_OPENSSH                0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT  0x08000000
+#define SSH_BUG_CURVE25519PAD  0x10000000
+ 
+ void     enable_compat13(void);
+ void     enable_compat20(void);
+@@ -66,6 +67,7 @@ void     compat_datafellows(const char *);
+ int     proto_spec(const char *);
+ char   *compat_cipher_proposal(char *);
+ char   *compat_pkalg_proposal(char *);
+char   *compat_kex_proposal(char *);
+ 
+ extern int compat13;
+ extern int compat20;
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 66cb035..1a4e551 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+        }
+        if (options.kex_algorithms != NULL)
+                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+       myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+           myproposal[PROPOSAL_KEX_ALGS]);
+ 
+ #ifdef GSSAPI
+        /* If we've got GSSAPI algorithms, then we also support the
+diff --git a/sshd.c b/sshd.c
+index 0964491..fe78d7b 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -2534,6 +2534,9 @@ do_ssh2_kex(void)
+        if (options.kex_algorithms != NULL)
+                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ 
+       myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+           myproposal[PROPOSAL_KEX_ALGS]);
+
+        if (options.rekey_limit || options.rekey_interval)
+                packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+                    (time_t)options.rekey_interval);
+diff --git a/version.h b/version.h
+index a97c337..0659576 100644
+--- a/version.h
+++ b/version.h
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+ 
+-#define SSH_VERSION    "OpenSSH_6.6"
+#define SSH_VERSION    "OpenSSH_6.6.1"
+ 
+ #define SSH_PORTABLE   "p1"
+ #define SSH_RELEASE_MINIMUM    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/series b/debian/patches/series
index de7c9902d..c554b34ca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,4 @@ gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
 sshfp_with_server_cert_upstr
+curve25519-sha256-bignum-encoding.patch
diff --git a/sshconnect2.c b/sshconnect2.c
index 66cb03527..1a4e55179 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
        }
        if (options.kex_algorithms != NULL)
                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+        myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+            myproposal[PROPOSAL_KEX_ALGS]);
 #ifdef GSSAPI
        /* If we've got GSSAPI algorithms, then we also support the
diff --git a/sshd.c b/sshd.c
index 09644914c..fe78d7b66 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2534,6 +2534,9 @@ do_ssh2_kex(void)
        if (options.kex_algorithms != NULL)
                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+        myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+            myproposal[PROPOSAL_KEX_ALGS]);
        if (options.rekey_limit || options.rekey_interval)
                packet_set_rekey_limits((u_int32_t)options.rekey_limit,
                    (time_t)options.rekey_interval);
diff --git a/version.h b/version.h
index a97c337a3..065957661 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
-#define SSH_VERSION     "OpenSSH_6.6"
+#define SSH_VERSION     "OpenSSH_6.6.1"
 #define SSH_PORTABLE    "p1"
 #define SSH_RELEASE_MINIMUM     SSH_VERSION SSH_PORTABLE
author	Colin Watson <cjwatson@debian.org>	2014-04-21 21:24:52 +0100
committer	Colin Watson <cjwatson@debian.org>	2014-04-21 21:28:19 +0100
commit	7cc2be72098d7b3384daf09d85d9969d9da0420e (patch)
tree	c762cfc9b928dc4b8dc41399308e3552b1e6a5ca
parent	c730d55d220e15fb7bc6b9b56633541e97817175 (diff)
parent	02883061577ec43ff8d0e8f0cf486bc5131db507 (diff)

diff --git a/bufaux.c b/bufaux.c index e24b5fc0a..f6a6f2ab2 100644 --- a/bufaux.c +++ b/bufaux.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */	1	/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer buffer, const u_char s, u_int l)
372		372
373	if (l > 8 * 1024)	373	if (l > 8 * 1024)
374	fatal("%s: length %u too long", __func__, l);	374	fatal("%s: length %u too long", __func__, l);
		375	/* Skip leading zero bytes */
		376	for (; l > 0 && *s == 0; l--, s++)
		377	;
375	p = buf = xmalloc(l + 1);	378	p = buf = xmalloc(l + 1);
376	/*	379	/*
377	* If most significant bit is set then prepend a zero byte to	380	* If most significant bit is set then prepend a zero byte to


diff --git a/compat.c b/compat.c index 9d9fabef3..2709dc5cf 100644 --- a/compat.c +++ b/compat.c
@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
95	{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY\|SSH_BUG_EXTEOF},	95	{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY\|SSH_BUG_EXTEOF},
96	{ "OpenSSH_4*", 0 },	96	{ "OpenSSH_4*", 0 },
97	{ "OpenSSH_5*", SSH_NEW_OPENSSH\|SSH_BUG_DYNAMIC_RPORT},	97	{ "OpenSSH_5*", SSH_NEW_OPENSSH\|SSH_BUG_DYNAMIC_RPORT},
		98	{ "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
		99	{ "OpenSSH_6.5*,"
		100	"OpenSSH_6.6*", SSH_NEW_OPENSSH\|SSH_BUG_CURVE25519PAD},
98	{ "OpenSSH*", SSH_NEW_OPENSSH },	101	{ "OpenSSH*", SSH_NEW_OPENSSH },
99	{ "MindTerm", 0 },	102	{ "MindTerm", 0 },
100	{ "2.1.0*", SSH_BUG_SIGBLOB\|SSH_BUG_HMAC\|	103	{ "2.1.0*", SSH_BUG_SIGBLOB\|SSH_BUG_HMAC\|
@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
251	return cipher_prop;	254	return cipher_prop;
252	}	255	}
253		256
254
255	char *	257	char *
256	compat_pkalg_proposal(char *pkalg_prop)	258	compat_pkalg_proposal(char *pkalg_prop)
257	{	259	{
@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
265	return pkalg_prop;	267	return pkalg_prop;
266	}	268	}
267		269
		270	char *
		271	compat_kex_proposal(char *kex_prop)
		272	{
		273	if (!(datafellows & SSH_BUG_CURVE25519PAD))
		274	return kex_prop;
		275	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
		276	kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
		277	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
		278	if (*kex_prop == '\0')
		279	fatal("No supported key exchange algorithms found");
		280	return kex_prop;
		281	}
		282


diff --git a/compat.h b/compat.h index b174fa171..a6c3f3d7a 100644 --- a/compat.h +++ b/compat.h
@@ -59,6 +59,7 @@
59	#define SSH_BUG_RFWD_ADDR 0x02000000	59	#define SSH_BUG_RFWD_ADDR 0x02000000
60	#define SSH_NEW_OPENSSH 0x04000000	60	#define SSH_NEW_OPENSSH 0x04000000
61	#define SSH_BUG_DYNAMIC_RPORT 0x08000000	61	#define SSH_BUG_DYNAMIC_RPORT 0x08000000
		62	#define SSH_BUG_CURVE25519PAD 0x10000000
62		63
63	void enable_compat13(void);	64	void enable_compat13(void);
64	void enable_compat20(void);	65	void enable_compat20(void);
@@ -66,6 +67,7 @@ void compat_datafellows(const char *);
66	int proto_spec(const char *);	67	int proto_spec(const char *);
67	char compat_cipher_proposal(char );	68	char compat_cipher_proposal(char );
68	char compat_pkalg_proposal(char );	69	char compat_pkalg_proposal(char );
		70	char compat_kex_proposal(char );
69		71
70	extern int compat13;	72	extern int compat13;
71	extern int compat20;	73	extern int compat20;


diff --git a/debian/.git-dpm b/debian/.git-dpm index db6725726..696b3a3d3 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	08a63152deb5deda168aaef870bdb9f56425acb3	2	02883061577ec43ff8d0e8f0cf486bc5131db507
3	08a63152deb5deda168aaef870bdb9f56425acb3	3	02883061577ec43ff8d0e8f0cf486bc5131db507
4	796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7	4	796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7
5	796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7	5	796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7
6	openssh_6.6p1.orig.tar.gz	6	openssh_6.6p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index d8634f3ab..4187e72e2 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -2,6 +2,8 @@ openssh (1:6.6p1-4) UNRELEASED; urgency=medium
2		2
3	* Debconf translations:	3	* Debconf translations:
4	- Spanish (thanks, Matías Bellone; closes: #744867).	4	- Spanish (thanks, Matías Bellone; closes: #744867).
		5	* Apply upstream-recommended patch to fix bignum encoding for
		6	curve25519-sha256@libssh.org, fixing occasional key exchange failures.
5		7
6	-- Colin Watson <cjwatson@debian.org> Tue, 15 Apr 2014 17:27:21 +0100	8	-- Colin Watson <cjwatson@debian.org> Tue, 15 Apr 2014 17:27:21 +0100
7		9


diff --git a/debian/patches/curve25519-sha256-bignum-encoding.patch b/debian/patches/curve25519-sha256-bignum-encoding.patch new file mode 100644 index 000000000..ccb66048d --- /dev/null +++ b/debian/patches/curve25519-sha256-bignum-encoding.patch
@@ -0,0 +1,161 @@
		1	From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001
		2	From: Damien Miller <djm@mindrot.org>
		3	Date: Sun, 20 Apr 2014 13:47:45 +1000
		4	Subject: bad bignum encoding for curve25519-sha256@libssh.org
		5
		6	Hi,
		7
		8	So I screwed up when writing the support for the curve25519 KEX method
		9	that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
		10	leading zero bytes where they should have been skipped. The impact of
		11	this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
		12	peer that implements curve25519-sha256@libssh.org properly about 0.2%
		13	of the time (one in every 512ish connections).
		14
		15	We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
		16	key exchange for previous versions, but I'd recommend distributors
		17	of OpenSSH apply this patch so the affected code doesn't become
		18	too entrenched in LTS releases.
		19
		20	The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
		21	to distinguish itself from the incorrect versions so the compatibility
		22	code to disable the affected KEX isn't activated.
		23
		24	I've committed this on the 6.6 branch too.
		25
		26	Apologies for the hassle.
		27
		28	-d
		29
		30	Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
		31	Forwarded: not-needed
		32	Last-Update: 2014-04-21
		33
		34	Patch-Name: curve25519-sha256-bignum-encoding.patch
		35	---
		36	bufaux.c \| 5 ++++-
		37	compat.c \| 17 ++++++++++++++++-
		38	compat.h \| 2 ++
		39	sshconnect2.c \| 2 ++
		40	sshd.c \| 3 +++
		41	version.h \| 2 +-
		42	6 files changed, 28 insertions(+), 3 deletions(-)
		43
		44	diff --git a/bufaux.c b/bufaux.c
		45	index e24b5fc..f6a6f2a 100644
		46	--- a/bufaux.c
		47	+++ b/bufaux.c
		48	@@ -1,4 +1,4 @@
		49	-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
		50	+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
		51	/*
		52	* Author: Tatu Ylonen <ylo@cs.hut.fi>
		53	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
		54	@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer buffer, const u_char s, u_int l)
		55
		56	if (l > 8 * 1024)
		57	fatal("%s: length %u too long", __func__, l);
		58	+ /* Skip leading zero bytes */
		59	+ for (; l > 0 && *s == 0; l--, s++)
		60	+ ;
		61	p = buf = xmalloc(l + 1);
		62	/*
		63	* If most significant bit is set then prepend a zero byte to
		64	diff --git a/compat.c b/compat.c
		65	index 9d9fabe..2709dc5 100644
		66	--- a/compat.c
		67	+++ b/compat.c
		68	@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
		69	{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY\|SSH_BUG_EXTEOF},
		70	{ "OpenSSH_4*", 0 },
		71	{ "OpenSSH_5*", SSH_NEW_OPENSSH\|SSH_BUG_DYNAMIC_RPORT},
		72	+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
		73	+ { "OpenSSH_6.5*,"
		74	+ "OpenSSH_6.6*", SSH_NEW_OPENSSH\|SSH_BUG_CURVE25519PAD},
		75	{ "OpenSSH*", SSH_NEW_OPENSSH },
		76	{ "MindTerm", 0 },
		77	{ "2.1.0*", SSH_BUG_SIGBLOB\|SSH_BUG_HMAC\|
		78	@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
		79	return cipher_prop;
		80	}
		81
		82	-
		83	char *
		84	compat_pkalg_proposal(char *pkalg_prop)
		85	{
		86	@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
		87	return pkalg_prop;
		88	}
		89
		90	+char *
		91	+compat_kex_proposal(char *kex_prop)
		92	+{
		93	+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
		94	+ return kex_prop;
		95	+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
		96	+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
		97	+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
		98	+ if (*kex_prop == '\0')
		99	+ fatal("No supported key exchange algorithms found");
		100	+ return kex_prop;
		101	+}
		102	+
		103	diff --git a/compat.h b/compat.h
		104	index b174fa1..a6c3f3d 100644
		105	--- a/compat.h
		106	+++ b/compat.h
		107	@@ -59,6 +59,7 @@
		108	#define SSH_BUG_RFWD_ADDR 0x02000000
		109	#define SSH_NEW_OPENSSH 0x04000000
		110	#define SSH_BUG_DYNAMIC_RPORT 0x08000000
		111	+#define SSH_BUG_CURVE25519PAD 0x10000000
		112
		113	void enable_compat13(void);
		114	void enable_compat20(void);
		115	@@ -66,6 +67,7 @@ void compat_datafellows(const char *);
		116	int proto_spec(const char *);
		117	char compat_cipher_proposal(char );
		118	char compat_pkalg_proposal(char );
		119	+char compat_kex_proposal(char );
		120
		121	extern int compat13;
		122	extern int compat20;
		123	diff --git a/sshconnect2.c b/sshconnect2.c
		124	index 66cb035..1a4e551 100644
		125	--- a/sshconnect2.c
		126	+++ b/sshconnect2.c
		127	@@ -220,6 +220,8 @@ ssh_kex2(char host, struct sockaddr hostaddr, u_short port)
		128	}
		129	if (options.kex_algorithms != NULL)
		130	myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
		131	+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
		132	+ myproposal[PROPOSAL_KEX_ALGS]);
		133
		134	#ifdef GSSAPI
		135	/* If we've got GSSAPI algorithms, then we also support the
		136	diff --git a/sshd.c b/sshd.c
		137	index 0964491..fe78d7b 100644
		138	--- a/sshd.c
		139	+++ b/sshd.c
		140	@@ -2534,6 +2534,9 @@ do_ssh2_kex(void)
		141	if (options.kex_algorithms != NULL)
		142	myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
		143
		144	+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
		145	+ myproposal[PROPOSAL_KEX_ALGS]);
		146	+
		147	if (options.rekey_limit \|\| options.rekey_interval)
		148	packet_set_rekey_limits((u_int32_t)options.rekey_limit,
		149	(time_t)options.rekey_interval);
		150	diff --git a/version.h b/version.h
		151	index a97c337..0659576 100644
		152	--- a/version.h
		153	+++ b/version.h
		154	@@ -1,6 +1,6 @@
		155	/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
		156
		157	-#define SSH_VERSION "OpenSSH_6.6"
		158	+#define SSH_VERSION "OpenSSH_6.6.1"
		159
		160	#define SSH_PORTABLE "p1"
		161	#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE


diff --git a/debian/patches/series b/debian/patches/series index de7c9902d..c554b34ca 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -27,3 +27,4 @@ gnome-ssh-askpass2-icon.patch
27	sigstop.patch	27	sigstop.patch
28	debian-config.patch	28	debian-config.patch
29	sshfp_with_server_cert_upstr	29	sshfp_with_server_cert_upstr
		30	curve25519-sha256-bignum-encoding.patch


diff --git a/sshconnect2.c b/sshconnect2.c index 66cb03527..1a4e55179 100644 --- a/sshconnect2.c +++ b/sshconnect2.c
@@ -220,6 +220,8 @@ ssh_kex2(char host, struct sockaddr hostaddr, u_short port)
220	}	220	}
221	if (options.kex_algorithms != NULL)	221	if (options.kex_algorithms != NULL)
222	myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;	222	myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
		223	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
		224	myproposal[PROPOSAL_KEX_ALGS]);
223		225
224	#ifdef GSSAPI	226	#ifdef GSSAPI
225	/* If we've got GSSAPI algorithms, then we also support the	227	/* If we've got GSSAPI algorithms, then we also support the


diff --git a/sshd.c b/sshd.c index 09644914c..fe78d7b66 100644 --- a/sshd.c +++ b/sshd.c
@@ -2534,6 +2534,9 @@ do_ssh2_kex(void)
2534	if (options.kex_algorithms != NULL)	2534	if (options.kex_algorithms != NULL)
2535	myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;	2535	myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
2536		2536
		2537	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
		2538	myproposal[PROPOSAL_KEX_ALGS]);
		2539
2537	if (options.rekey_limit \|\| options.rekey_interval)	2540	if (options.rekey_limit \|\| options.rekey_interval)
2538	packet_set_rekey_limits((u_int32_t)options.rekey_limit,	2541	packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2539	(time_t)options.rekey_interval);	2542	(time_t)options.rekey_interval);


diff --git a/version.h b/version.h index a97c337a3..065957661 100644 --- a/version.h +++ b/version.h
@@ -1,6 +1,6 @@
1	/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */	1	/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
2		2
3	#define SSH_VERSION "OpenSSH_6.6"	3	#define SSH_VERSION "OpenSSH_6.6.1"
4		4
5	#define SSH_PORTABLE "p1"	5	#define SSH_PORTABLE "p1"
6	#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE	6	#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE