-rw-r--r-- | bufaux.c | 5 | ||||
-rw-r--r-- | compat.c | 17 | ||||
-rw-r--r-- | compat.h | 2 | ||||
-rw-r--r-- | debian/.git-dpm | 4 | ||||
-rw-r--r-- | debian/changelog | 2 | ||||
-rw-r--r-- | debian/patches/curve25519-sha256-bignum-encoding.patch | 161 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | sshconnect2.c | 2 | ||||
-rw-r--r-- | sshd.c | 3 | ||||
-rw-r--r-- | version.h | 2 |
10 files changed, 194 insertions, 5 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ | 1 | /* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l) | |||
372 | 372 | ||
373 | if (l > 8 * 1024) | 373 | if (l > 8 * 1024) |
374 | fatal("%s: length %u too long", __func__, l); | 374 | fatal("%s: length %u too long", __func__, l); |
375 | /* Skip leading zero bytes */ | ||
376 | for (; l > 0 && *s == 0; l--, s++) | ||
377 | ; | ||
375 | p = buf = xmalloc(l + 1); | 378 | p = buf = xmalloc(l + 1); |
376 | /* | 379 | /* |
377 | * If most significant bit is set then prepend a zero byte to | 380 | * If most significant bit is set then prepend a zero byte to |
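Review bot: When every input byte is zero the new loop leaves `l == 0` with `s` one past the data, so the most-significant-bit test that follows must check `l > 0` before reading `s[0]`; that code lies outside the hunk and should be confirmed. The comment on the loop says what it does but not why, and the reason is the interoperability rule: an mpint must not carry unnecessary leading zero bytes, since both peers hash the encoded value. I would word it as `/* Skip leading zero bytes: an mpint must be minimally encoded */`. The `l > 8 * 1024` limit is still applied to the unstripped length, which is the conservative order and worth keeping.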
@@ -95,6 +95,9 @@ compat_datafellows(const char *version) | |||
95 | { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, | 95 | { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, |
96 | { "OpenSSH_4*", 0 }, | 96 | { "OpenSSH_4*", 0 }, |
97 | { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, | 97 | { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, |
98 | { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, | ||
99 | { "OpenSSH_6.5*," | ||
100 | "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, | ||
98 | { "OpenSSH*", SSH_NEW_OPENSSH }, | 101 | { "OpenSSH*", SSH_NEW_OPENSSH }, |
99 | { "*MindTerm*", 0 }, | 102 | { "*MindTerm*", 0 }, |
100 | { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| | 103 | { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| |
@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop) | |||
251 | return cipher_prop; | 254 | return cipher_prop; |
252 | } | 255 | } |
253 | 256 | ||
254 | |||
255 | char * | 257 | char * |
256 | compat_pkalg_proposal(char *pkalg_prop) | 258 | compat_pkalg_proposal(char *pkalg_prop) |
257 | { | 259 | { |
@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop) | |||
265 | return pkalg_prop; | 267 | return pkalg_prop; |
266 | } | 268 | } |
267 | 269 | ||
270 | char * | ||
271 | compat_kex_proposal(char *kex_prop) | ||
272 | { | ||
273 | if (!(datafellows & SSH_BUG_CURVE25519PAD)) | ||
274 | return kex_prop; | ||
275 | debug2("%s: original KEX proposal: %s", __func__, kex_prop); | ||
276 | kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); | ||
277 | debug2("%s: compat KEX proposal: %s", __func__, kex_prop); | ||
278 | if (*kex_prop == '\0') | ||
279 | fatal("No supported key exchange algorithms found"); | ||
280 | return kex_prop; | ||
281 | } | ||
282 | |||
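Review bot: The new `OpenSSH_6.6.1*` row only takes effect while it stays above the `OpenSSH_6.5*,OpenSSH_6.6*` row, because `OpenSSH_6.6*` also matches a 6.6.1 banner; this assumes the lookup loop, which is outside the hunk, stops at the first matching pattern. A comment on the row such as `/* keep above the 6.5/6.6 entry: first match wins */` would protect that ordering. In `compat_kex_proposal` the removal of `curve25519-sha256@libssh.org` is reported only through `debug2`, so a key exchange list narrowed on the basis of the peer's version string is not visible in normal logs, and the function has no header comment saying when it filters or who owns the string returned by `filter_proposal`.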
@@ -59,6 +59,7 @@ | |||
59 | #define SSH_BUG_RFWD_ADDR 0x02000000 | 59 | #define SSH_BUG_RFWD_ADDR 0x02000000 |
60 | #define SSH_NEW_OPENSSH 0x04000000 | 60 | #define SSH_NEW_OPENSSH 0x04000000 |
61 | #define SSH_BUG_DYNAMIC_RPORT 0x08000000 | 61 | #define SSH_BUG_DYNAMIC_RPORT 0x08000000 |
62 | #define SSH_BUG_CURVE25519PAD 0x10000000 | ||
62 | 63 | ||
63 | void enable_compat13(void); | 64 | void enable_compat13(void); |
64 | void enable_compat20(void); | 65 | void enable_compat20(void); |
@@ -66,6 +67,7 @@ void compat_datafellows(const char *); | |||
66 | int proto_spec(const char *); | 67 | int proto_spec(const char *); |
67 | char *compat_cipher_proposal(char *); | 68 | char *compat_cipher_proposal(char *); |
68 | char *compat_pkalg_proposal(char *); | 69 | char *compat_pkalg_proposal(char *); |
70 | char *compat_kex_proposal(char *); | ||
69 | 71 | ||
70 | extern int compat13; | 72 | extern int compat13; |
71 | extern int compat20; | 73 | extern int compat20; |
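--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-08a63152deb5deda168aaef870bdb9f56425acb3
-08a63152deb5deda168aaef870bdb9f56425acb3
+02883061577ec43ff8d0e8f0cf486bc5131db507
+02883061577ec43ff8d0e8f0cf486bc5131db507
 796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7
 796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7
 openssh_6.6p1.orig.tar.gz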
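--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ openssh (1:6.6p1-4) UNRELEASED; urgency=medium
 
 * Debconf translations:
 - Spanish (thanks, Matías Bellone; closes: #744867).
+* Apply upstream-recommended patch to fix bignum encoding for
+curve25519-sha256@libssh.org, fixing occasional key exchange failures.
 
 -- Colin Watson <cjwatson@debian.org> Tue, 15 Apr 2014 17:27:21 +0100
 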
diff --git a/debian/patches/curve25519-sha256-bignum-encoding.patch b/debian/patches/curve25519-sha256-bignum-encoding.patch new file mode 100644 index 000000000..ccb66048d --- /dev/null +++ b/debian/patches/curve25519-sha256-bignum-encoding.patch | |||
@@ -0,0 +1,161 @@ | |||
1 | From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Miller <djm@mindrot.org> | ||
3 | Date: Sun, 20 Apr 2014 13:47:45 +1000 | ||
4 | Subject: bad bignum encoding for curve25519-sha256@libssh.org | ||
5 | |||
6 | Hi, | ||
7 | |||
8 | So I screwed up when writing the support for the curve25519 KEX method | ||
9 | that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left | ||
10 | leading zero bytes where they should have been skipped. The impact of | ||
11 | this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a | ||
12 | peer that implements curve25519-sha256@libssh.org properly about 0.2% | ||
13 | of the time (one in every 512ish connections). | ||
14 | |||
15 | We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 | ||
16 | key exchange for previous versions, but I'd recommend distributors | ||
17 | of OpenSSH apply this patch so the affected code doesn't become | ||
18 | too entrenched in LTS releases. | ||
19 | |||
20 | The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as | ||
21 | to distinguish itself from the incorrect versions so the compatibility | ||
22 | code to disable the affected KEX isn't activated. | ||
23 | |||
24 | I've committed this on the 6.6 branch too. | ||
25 | |||
26 | Apologies for the hassle. | ||
27 | |||
28 | -d | ||
29 | |||
30 | Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html | ||
31 | Forwarded: not-needed | ||
32 | Last-Update: 2014-04-21 | ||
33 | |||
34 | Patch-Name: curve25519-sha256-bignum-encoding.patch | ||
35 | --- | ||
36 | bufaux.c | 5 ++++- | ||
37 | compat.c | 17 ++++++++++++++++- | ||
38 | compat.h | 2 ++ | ||
39 | sshconnect2.c | 2 ++ | ||
40 | sshd.c | 3 +++ | ||
41 | version.h | 2 +- | ||
42 | 6 files changed, 28 insertions(+), 3 deletions(-) | ||
43 | |||
44 | diff --git a/bufaux.c b/bufaux.c | ||
45 | index e24b5fc..f6a6f2a 100644 | ||
46 | --- a/bufaux.c | ||
47 | +++ b/bufaux.c | ||
48 | @@ -1,4 +1,4 @@ | ||
49 | -/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ | ||
50 | +/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ | ||
51 | /* | ||
52 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
53 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
54 | @@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l) | ||
55 | |||
56 | if (l > 8 * 1024) | ||
57 | fatal("%s: length %u too long", __func__, l); | ||
58 | + /* Skip leading zero bytes */ | ||
59 | + for (; l > 0 && *s == 0; l--, s++) | ||
60 | + ; | ||
61 | p = buf = xmalloc(l + 1); | ||
62 | /* | ||
63 | * If most significant bit is set then prepend a zero byte to | ||
64 | diff --git a/compat.c b/compat.c | ||
65 | index 9d9fabe..2709dc5 100644 | ||
66 | --- a/compat.c | ||
67 | +++ b/compat.c | ||
68 | @@ -95,6 +95,9 @@ compat_datafellows(const char *version) | ||
69 | { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, | ||
70 | { "OpenSSH_4*", 0 }, | ||
71 | { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, | ||
72 | + { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, | ||
73 | + { "OpenSSH_6.5*," | ||
74 | + "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, | ||
75 | { "OpenSSH*", SSH_NEW_OPENSSH }, | ||
76 | { "*MindTerm*", 0 }, | ||
77 | { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| | ||
78 | @@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop) | ||
79 | return cipher_prop; | ||
80 | } | ||
81 | |||
82 | - | ||
83 | char * | ||
84 | compat_pkalg_proposal(char *pkalg_prop) | ||
85 | { | ||
86 | @@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop) | ||
87 | return pkalg_prop; | ||
88 | } | ||
89 | |||
90 | +char * | ||
91 | +compat_kex_proposal(char *kex_prop) | ||
92 | +{ | ||
93 | + if (!(datafellows & SSH_BUG_CURVE25519PAD)) | ||
94 | + return kex_prop; | ||
95 | + debug2("%s: original KEX proposal: %s", __func__, kex_prop); | ||
96 | + kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); | ||
97 | + debug2("%s: compat KEX proposal: %s", __func__, kex_prop); | ||
98 | + if (*kex_prop == '\0') | ||
99 | + fatal("No supported key exchange algorithms found"); | ||
100 | + return kex_prop; | ||
101 | +} | ||
102 | + | ||
103 | diff --git a/compat.h b/compat.h | ||
104 | index b174fa1..a6c3f3d 100644 | ||
105 | --- a/compat.h | ||
106 | +++ b/compat.h | ||
107 | @@ -59,6 +59,7 @@ | ||
108 | #define SSH_BUG_RFWD_ADDR 0x02000000 | ||
109 | #define SSH_NEW_OPENSSH 0x04000000 | ||
110 | #define SSH_BUG_DYNAMIC_RPORT 0x08000000 | ||
111 | +#define SSH_BUG_CURVE25519PAD 0x10000000 | ||
112 | |||
113 | void enable_compat13(void); | ||
114 | void enable_compat20(void); | ||
115 | @@ -66,6 +67,7 @@ void compat_datafellows(const char *); | ||
116 | int proto_spec(const char *); | ||
117 | char *compat_cipher_proposal(char *); | ||
118 | char *compat_pkalg_proposal(char *); | ||
119 | +char *compat_kex_proposal(char *); | ||
120 | |||
121 | extern int compat13; | ||
122 | extern int compat20; | ||
123 | diff --git a/sshconnect2.c b/sshconnect2.c | ||
124 | index 66cb035..1a4e551 100644 | ||
125 | --- a/sshconnect2.c | ||
126 | +++ b/sshconnect2.c | ||
127 | @@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | ||
128 | } | ||
129 | if (options.kex_algorithms != NULL) | ||
130 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
131 | + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
132 | + myproposal[PROPOSAL_KEX_ALGS]); | ||
133 | |||
134 | #ifdef GSSAPI | ||
135 | /* If we've got GSSAPI algorithms, then we also support the | ||
136 | diff --git a/sshd.c b/sshd.c | ||
137 | index 0964491..fe78d7b 100644 | ||
138 | --- a/sshd.c | ||
139 | +++ b/sshd.c | ||
140 | @@ -2534,6 +2534,9 @@ do_ssh2_kex(void) | ||
141 | if (options.kex_algorithms != NULL) | ||
142 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
143 | |||
144 | + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
145 | + myproposal[PROPOSAL_KEX_ALGS]); | ||
146 | + | ||
147 | if (options.rekey_limit || options.rekey_interval) | ||
148 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | ||
149 | (time_t)options.rekey_interval); | ||
150 | diff --git a/version.h b/version.h | ||
151 | index a97c337..0659576 100644 | ||
152 | --- a/version.h | ||
153 | +++ b/version.h | ||
154 | @@ -1,6 +1,6 @@ | ||
155 | /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ | ||
156 | |||
157 | -#define SSH_VERSION "OpenSSH_6.6" | ||
158 | +#define SSH_VERSION "OpenSSH_6.6.1" | ||
159 | |||
160 | #define SSH_PORTABLE "p1" | ||
161 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | ||
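--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,4 @@ gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
 sshfp_with_server_cert_upstr
+curve25519-sha256-bignum-encoding.patch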
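--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 }
 if (options.kex_algorithms != NULL)
 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+myproposal[PROPOSAL_KEX_ALGS]);
 
 #ifdef GSSAPI
 /* If we've got GSSAPI algorithms, then we also support the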
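Review bot: The added call runs after `options.kex_algorithms` has been applied, so a configuration that allows only `curve25519-sha256@libssh.org` will now stop in `compat_kex_proposal` with `No supported key exchange algorithms found` when the peer is flagged `SSH_BUG_CURVE25519PAD`, and nothing at the call site says why the proposal is rewritten. The same call is added in `do_ssh2_kex` in sshd.c, where the flag comes from the client's version string. Both sites would benefit from a comment like `/* Drop curve25519-sha256@libssh.org for peers with the 6.5/6.6 padding bug */`. Both functions start and end outside their hunks.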
@@ -2534,6 +2534,9 @@ do_ssh2_kex(void) | |||
2534 | if (options.kex_algorithms != NULL) | 2534 | if (options.kex_algorithms != NULL) |
2535 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | 2535 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; |
2536 | 2536 | ||
2537 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
2538 | myproposal[PROPOSAL_KEX_ALGS]); | ||
2539 | |||
2537 | if (options.rekey_limit || options.rekey_interval) | 2540 | if (options.rekey_limit || options.rekey_interval) |
2538 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2541 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
2539 | (time_t)options.rekey_interval); | 2542 | (time_t)options.rekey_interval); |
@@ -1,6 +1,6 @@ | |||
1 | /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ | 1 | /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ |
2 | 2 | ||
3 | #define SSH_VERSION "OpenSSH_6.6" | 3 | #define SSH_VERSION "OpenSSH_6.6.1" |
4 | 4 | ||
5 | #define SSH_PORTABLE "p1" | 5 | #define SSH_PORTABLE "p1" |
6 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | 6 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE |