Diffstat (limited to 'debian/patches/curve25519-sha256-bignum-encoding.patch')
-rw-r--r-- | debian/patches/curve25519-sha256-bignum-encoding.patch | 161 |
1 files changed, 161 insertions, 0 deletions
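--- /dev/null
+++ b/debian/patches/curve25519-sha256-bignum-encoding.patch
@@ -0,0 +1,161 @@
+From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Sun, 20 Apr 2014 13:47:45 +1000
+Subject: bad bignum encoding for curve25519-sha256@libssh.org
+
+Hi,
+
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256@libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+
+I've committed this on the 6.6 branch too.
+
+Apologies for the hassle.
+
+-d
+
+Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
+Forwarded: not-needed
+Last-Update: 2014-04-21
+
+Patch-Name: curve25519-sha256-bignum-encoding.patch
+---
+bufaux.c | 5 ++++-
+compat.c | 17 ++++++++++++++++-
+compat.h | 2 ++
+sshconnect2.c | 2 ++
+sshd.c | 3 +++
+version.h | 2 +-
+6 files changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/bufaux.c b/bufaux.c
+index e24b5fc..f6a6f2a 100644
+--- a/bufaux.c
++++ b/bufaux.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+/*
+* Author: Tatu Ylonen <ylo@cs.hut.fi>
+* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
+
+if (l > 8 * 1024)
+fatal("%s: length %u too long", __func__, l);
++ /* Skip leading zero bytes */
++ for (; l > 0 && *s == 0; l--, s++)
++ ;
+p = buf = xmalloc(l + 1);
+/*
+* If most significant bit is set then prepend a zero byte to
+diff --git a/compat.c b/compat.c
+index 9d9fabe..2709dc5 100644
+--- a/compat.c
++++ b/compat.c
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+{ "OpenSSH_4*", 0 },
+{ "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
++ { "OpenSSH_6.5*,"
++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+{ "OpenSSH*", SSH_NEW_OPENSSH },
+{ "*MindTerm*", 0 },
+{ "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
+return cipher_prop;
+}
+
+-
+char *
+compat_pkalg_proposal(char *pkalg_prop)
+{
+@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
+return pkalg_prop;
+}
+
++char *
++compat_kex_proposal(char *kex_prop)
++{
++ if (!(datafellows & SSH_BUG_CURVE25519PAD))
++ return kex_prop;
++ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++ if (*kex_prop == '\0')
++ fatal("No supported key exchange algorithms found");
++ return kex_prop;
++}
++
+diff --git a/compat.h b/compat.h
+index b174fa1..a6c3f3d 100644
+--- a/compat.h
++++ b/compat.h
+@@ -59,6 +59,7 @@
+#define SSH_BUG_RFWD_ADDR 0x02000000
+#define SSH_NEW_OPENSSH 0x04000000
+#define SSH_BUG_DYNAMIC_RPORT 0x08000000
++#define SSH_BUG_CURVE25519PAD 0x10000000
+
+void enable_compat13(void);
+void enable_compat20(void);
+@@ -66,6 +67,7 @@ void compat_datafellows(const char *);
+int proto_spec(const char *);
+char *compat_cipher_proposal(char *);
+char *compat_pkalg_proposal(char *);
++char *compat_kex_proposal(char *);
+
+extern int compat13;
+extern int compat20;
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 66cb035..1a4e551 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+}
+if (options.kex_algorithms != NULL)
+myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
+
+#ifdef GSSAPI
+/* If we've got GSSAPI algorithms, then we also support the
+diff --git a/sshd.c b/sshd.c
+index 0964491..fe78d7b 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2534,6 +2534,9 @@ do_ssh2_kex(void)
+if (options.kex_algorithms != NULL)
+myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
++
+if (options.rekey_limit || options.rekey_interval)
+packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+(time_t)options.rekey_interval);
+diff --git a/version.h b/version.h
+index a97c337..0659576 100644
+--- a/version.h
++++ b/version.h
+@@ -1,6 +1,6 @@
+/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+
+-#define SSH_VERSION "OpenSSH_6.6"
++#define SSH_VERSION "OpenSSH_6.6.1"
+
+#define SSH_PORTABLE "p1"
+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE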
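Review bot: The leading-zero skip the backported patch adds to buffer_put_bignum2_from_string in bufaux.c, `for (; l > 0 && *s == 0; l--, s++)`, can finish with `l == 0` and `s` advanced one past the input when every byte is zero, and the rest of that function lies outside the hunk; the context line after the loop shows the code goes on to test the most significant bit, so if that test reads `s[0]` unconditionally it is an out-of-bounds read for an all-zero input. A length guard on that test, `if (l > 0 && (s[0] & 0x80))`, or an explicit check after the loop, closes the gap without changing the encoding for non-zero inputs; it would be reasonable to carry that in this Debian patch alongside the upstream fix, since a zero-length result then also encodes as an empty mpint rather than a malformed one. The compat table entries and the new compat_kex_proposal in compat.c look consistent with the existing compat_cipher_proposal/compat_pkalg_proposal pattern and need no change here.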