Apply upstream-recommended patch to fix bignum encoding for curve25519-sha256@libssh.org, fixing occasional key exchange failures.

author: Colin Watson <cjwatson@debian.org> 2014-04-21 21:24:52 +0100
committer: Colin Watson <cjwatson@debian.org> 2014-04-21 21:28:19 +0100
commit: 7cc2be72098d7b3384daf09d85d9969d9da0420e (patch)
tree: c762cfc9b928dc4b8dc41399308e3552b1e6a5ca /debian/patches
parent: c730d55d220e15fb7bc6b9b56633541e97817175 (diff)
parent: 02883061577ec43ff8d0e8f0cf486bc5131db507 (diff)
2 files changed, 162 insertions, 0 deletions
diff --git a/debian/patches/curve25519-sha256-bignum-encoding.patch b/debian/patches/curve25519-sha256-bignum-encoding.patch
new file mode 100644
index 000000000..ccb66048d
--- /dev/null
+++ b/debian/patches/curve25519-sha256-bignum-encoding.patch
@@ -0,0 +1,161 @@
+From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Sun, 20 Apr 2014 13:47:45 +1000
+Subject: bad bignum encoding for curve25519-sha256@libssh.org
+Hi,
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256@libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+I've committed this on the 6.6 branch too.
+Apologies for the hassle.
+-d
+Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
+Forwarded: not-needed
+Last-Update: 2014-04-21
+Patch-Name: curve25519-sha256-bignum-encoding.patch
+---
+ bufaux.c      |  5 ++++-
+ compat.c      | 17 ++++++++++++++++-
+ compat.h      |  2 ++
+ sshconnect2.c |  2 ++
+ sshd.c        |  3 +++
+ version.h     |  2 +-
+ 6 files changed, 28 insertions(+), 3 deletions(-)
+diff --git a/bufaux.c b/bufaux.c
+index e24b5fc..f6a6f2a 100644
+--- a/bufaux.c
+++ b/bufaux.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
+ 
+        if (l > 8 * 1024)
+                fatal("%s: length %u too long", __func__, l);
+       /* Skip leading zero bytes */
+       for (; l > 0 && *s == 0; l--, s++)
+               ;
+        p = buf = xmalloc(l + 1);
+        /*
+         * If most significant bit is set then prepend a zero byte to
+diff --git a/compat.c b/compat.c
+index 9d9fabe..2709dc5 100644
+--- a/compat.c
+++ b/compat.c
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+                { "Sun_SSH_1.0*",       SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+                { "OpenSSH_4*",         0 },
+                { "OpenSSH_5*",         SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
+               { "OpenSSH_6.6.1*",     SSH_NEW_OPENSSH},
+               { "OpenSSH_6.5*,"
+                 "OpenSSH_6.6*",       SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+                { "OpenSSH*",           SSH_NEW_OPENSSH },
+                { "*MindTerm*",         0 },
+                { "2.1.0*",             SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
+        return cipher_prop;
+ }
+ 
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
+        return pkalg_prop;
+ }
+ 
+char *
+compat_kex_proposal(char *kex_prop)
+{
+       if (!(datafellows & SSH_BUG_CURVE25519PAD))
+               return kex_prop;
+       debug2("%s: original KEX proposal: %s", __func__, kex_prop);
+       kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
+       debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
+       if (*kex_prop == '\0')
+               fatal("No supported key exchange algorithms found");
+       return kex_prop;
+}
+
+diff --git a/compat.h b/compat.h
+index b174fa1..a6c3f3d 100644
+--- a/compat.h
+++ b/compat.h
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR      0x02000000
+ #define SSH_NEW_OPENSSH                0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT  0x08000000
+#define SSH_BUG_CURVE25519PAD  0x10000000
+ 
+ void     enable_compat13(void);
+ void     enable_compat20(void);
+@@ -66,6 +67,7 @@ void     compat_datafellows(const char *);
+ int     proto_spec(const char *);
+ char   *compat_cipher_proposal(char *);
+ char   *compat_pkalg_proposal(char *);
+char   *compat_kex_proposal(char *);
+ 
+ extern int compat13;
+ extern int compat20;
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 66cb035..1a4e551 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+        }
+        if (options.kex_algorithms != NULL)
+                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+       myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+           myproposal[PROPOSAL_KEX_ALGS]);
+ 
+ #ifdef GSSAPI
+        /* If we've got GSSAPI algorithms, then we also support the
+diff --git a/sshd.c b/sshd.c
+index 0964491..fe78d7b 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -2534,6 +2534,9 @@ do_ssh2_kex(void)
+        if (options.kex_algorithms != NULL)
+                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ 
+       myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+           myproposal[PROPOSAL_KEX_ALGS]);
+
+        if (options.rekey_limit || options.rekey_interval)
+                packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+                    (time_t)options.rekey_interval);
+diff --git a/version.h b/version.h
+index a97c337..0659576 100644
+--- a/version.h
+++ b/version.h
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+ 
+-#define SSH_VERSION    "OpenSSH_6.6"
+#define SSH_VERSION    "OpenSSH_6.6.1"
+ 
+ #define SSH_PORTABLE   "p1"
+ #define SSH_RELEASE_MINIMUM    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/series b/debian/patches/series
index de7c9902d..c554b34ca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,4 @@ gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
 sshfp_with_server_cert_upstr
+curve25519-sha256-bignum-encoding.patch
author	Colin Watson <cjwatson@debian.org>	2014-04-21 21:24:52 +0100
committer	Colin Watson <cjwatson@debian.org>	2014-04-21 21:28:19 +0100
commit	7cc2be72098d7b3384daf09d85d9969d9da0420e (patch)
tree	c762cfc9b928dc4b8dc41399308e3552b1e6a5ca /debian/patches
parent	c730d55d220e15fb7bc6b9b56633541e97817175 (diff)
parent	02883061577ec43ff8d0e8f0cf486bc5131db507 (diff)

diff --git a/debian/patches/curve25519-sha256-bignum-encoding.patch b/debian/patches/curve25519-sha256-bignum-encoding.patch new file mode 100644 index 000000000..ccb66048d --- /dev/null +++ b/debian/patches/curve25519-sha256-bignum-encoding.patch
@@ -0,0 +1,161 @@
		1	From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001
		2	From: Damien Miller <djm@mindrot.org>
		3	Date: Sun, 20 Apr 2014 13:47:45 +1000
		4	Subject: bad bignum encoding for curve25519-sha256@libssh.org
		5
		6	Hi,
		7
		8	So I screwed up when writing the support for the curve25519 KEX method
		9	that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
		10	leading zero bytes where they should have been skipped. The impact of
		11	this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
		12	peer that implements curve25519-sha256@libssh.org properly about 0.2%
		13	of the time (one in every 512ish connections).
		14
		15	We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
		16	key exchange for previous versions, but I'd recommend distributors
		17	of OpenSSH apply this patch so the affected code doesn't become
		18	too entrenched in LTS releases.
		19
		20	The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
		21	to distinguish itself from the incorrect versions so the compatibility
		22	code to disable the affected KEX isn't activated.
		23
		24	I've committed this on the 6.6 branch too.
		25
		26	Apologies for the hassle.
		27
		28	-d
		29
		30	Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
		31	Forwarded: not-needed
		32	Last-Update: 2014-04-21
		33
		34	Patch-Name: curve25519-sha256-bignum-encoding.patch
		35	---
		36	bufaux.c \| 5 ++++-
		37	compat.c \| 17 ++++++++++++++++-
		38	compat.h \| 2 ++
		39	sshconnect2.c \| 2 ++
		40	sshd.c \| 3 +++
		41	version.h \| 2 +-
		42	6 files changed, 28 insertions(+), 3 deletions(-)
		43
		44	diff --git a/bufaux.c b/bufaux.c
		45	index e24b5fc..f6a6f2a 100644
		46	--- a/bufaux.c
		47	+++ b/bufaux.c
		48	@@ -1,4 +1,4 @@
		49	-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
		50	+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
		51	/*
		52	* Author: Tatu Ylonen <ylo@cs.hut.fi>
		53	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
		54	@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer buffer, const u_char s, u_int l)
		55
		56	if (l > 8 * 1024)
		57	fatal("%s: length %u too long", __func__, l);
		58	+ /* Skip leading zero bytes */
		59	+ for (; l > 0 && *s == 0; l--, s++)
		60	+ ;
		61	p = buf = xmalloc(l + 1);
		62	/*
		63	* If most significant bit is set then prepend a zero byte to
		64	diff --git a/compat.c b/compat.c
		65	index 9d9fabe..2709dc5 100644
		66	--- a/compat.c
		67	+++ b/compat.c
		68	@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
		69	{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY\|SSH_BUG_EXTEOF},
		70	{ "OpenSSH_4*", 0 },
		71	{ "OpenSSH_5*", SSH_NEW_OPENSSH\|SSH_BUG_DYNAMIC_RPORT},
		72	+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
		73	+ { "OpenSSH_6.5*,"
		74	+ "OpenSSH_6.6*", SSH_NEW_OPENSSH\|SSH_BUG_CURVE25519PAD},
		75	{ "OpenSSH*", SSH_NEW_OPENSSH },
		76	{ "MindTerm", 0 },
		77	{ "2.1.0*", SSH_BUG_SIGBLOB\|SSH_BUG_HMAC\|
		78	@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
		79	return cipher_prop;
		80	}
		81
		82	-
		83	char *
		84	compat_pkalg_proposal(char *pkalg_prop)
		85	{
		86	@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
		87	return pkalg_prop;
		88	}
		89
		90	+char *
		91	+compat_kex_proposal(char *kex_prop)
		92	+{
		93	+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
		94	+ return kex_prop;
		95	+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
		96	+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
		97	+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
		98	+ if (*kex_prop == '\0')
		99	+ fatal("No supported key exchange algorithms found");
		100	+ return kex_prop;
		101	+}
		102	+
		103	diff --git a/compat.h b/compat.h
		104	index b174fa1..a6c3f3d 100644
		105	--- a/compat.h
		106	+++ b/compat.h
		107	@@ -59,6 +59,7 @@
		108	#define SSH_BUG_RFWD_ADDR 0x02000000
		109	#define SSH_NEW_OPENSSH 0x04000000
		110	#define SSH_BUG_DYNAMIC_RPORT 0x08000000
		111	+#define SSH_BUG_CURVE25519PAD 0x10000000
		112
		113	void enable_compat13(void);
		114	void enable_compat20(void);
		115	@@ -66,6 +67,7 @@ void compat_datafellows(const char *);
		116	int proto_spec(const char *);
		117	char compat_cipher_proposal(char );
		118	char compat_pkalg_proposal(char );
		119	+char compat_kex_proposal(char );
		120
		121	extern int compat13;
		122	extern int compat20;
		123	diff --git a/sshconnect2.c b/sshconnect2.c
		124	index 66cb035..1a4e551 100644
		125	--- a/sshconnect2.c
		126	+++ b/sshconnect2.c
		127	@@ -220,6 +220,8 @@ ssh_kex2(char host, struct sockaddr hostaddr, u_short port)
		128	}
		129	if (options.kex_algorithms != NULL)
		130	myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
		131	+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
		132	+ myproposal[PROPOSAL_KEX_ALGS]);
		133
		134	#ifdef GSSAPI
		135	/* If we've got GSSAPI algorithms, then we also support the
		136	diff --git a/sshd.c b/sshd.c
		137	index 0964491..fe78d7b 100644
		138	--- a/sshd.c
		139	+++ b/sshd.c
		140	@@ -2534,6 +2534,9 @@ do_ssh2_kex(void)
		141	if (options.kex_algorithms != NULL)
		142	myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
		143
		144	+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
		145	+ myproposal[PROPOSAL_KEX_ALGS]);
		146	+
		147	if (options.rekey_limit \|\| options.rekey_interval)
		148	packet_set_rekey_limits((u_int32_t)options.rekey_limit,
		149	(time_t)options.rekey_interval);
		150	diff --git a/version.h b/version.h
		151	index a97c337..0659576 100644
		152	--- a/version.h
		153	+++ b/version.h
		154	@@ -1,6 +1,6 @@
		155	/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
		156
		157	-#define SSH_VERSION "OpenSSH_6.6"
		158	+#define SSH_VERSION "OpenSSH_6.6.1"
		159
		160	#define SSH_PORTABLE "p1"
		161	#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE


diff --git a/debian/patches/series b/debian/patches/series index de7c9902d..c554b34ca 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -27,3 +27,4 @@ gnome-ssh-askpass2-icon.patch
27	sigstop.patch	27	sigstop.patch
28	debian-config.patch	28	debian-config.patch
29	sshfp_with_server_cert_upstr	29	sshfp_with_server_cert_upstr
		30	curve25519-sha256-bignum-encoding.patch