summaryrefslogtreecommitdiff
path: root/debian/patches/curve25519-sha256-bignum-encoding.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/curve25519-sha256-bignum-encoding.patch')
-rw-r--r--debian/patches/curve25519-sha256-bignum-encoding.patch161
1 files changed, 161 insertions, 0 deletions
diff --git a/debian/patches/curve25519-sha256-bignum-encoding.patch b/debian/patches/curve25519-sha256-bignum-encoding.patch
new file mode 100644
index 000000000..ccb66048d
--- /dev/null
+++ b/debian/patches/curve25519-sha256-bignum-encoding.patch
@@ -0,0 +1,161 @@
1From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001
2From: Damien Miller <djm@mindrot.org>
3Date: Sun, 20 Apr 2014 13:47:45 +1000
4Subject: bad bignum encoding for curve25519-sha256@libssh.org
5
6Hi,
7
8So I screwed up when writing the support for the curve25519 KEX method
9that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
10leading zero bytes where they should have been skipped. The impact of
11this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
12peer that implements curve25519-sha256@libssh.org properly about 0.2%
13of the time (one in every 512ish connections).
14
15We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
16key exchange for previous versions, but I'd recommend distributors
17of OpenSSH apply this patch so the affected code doesn't become
18too entrenched in LTS releases.
19
20The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
21to distinguish itself from the incorrect versions so the compatibility
22code to disable the affected KEX isn't activated.
23
24I've committed this on the 6.6 branch too.
25
26Apologies for the hassle.
27
28-d
29
30Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
31Forwarded: not-needed
32Last-Update: 2014-04-21
33
34Patch-Name: curve25519-sha256-bignum-encoding.patch
35---
36 bufaux.c | 5 ++++-
37 compat.c | 17 ++++++++++++++++-
38 compat.h | 2 ++
39 sshconnect2.c | 2 ++
40 sshd.c | 3 +++
41 version.h | 2 +-
42 6 files changed, 28 insertions(+), 3 deletions(-)
43
44diff --git a/bufaux.c b/bufaux.c
45index e24b5fc..f6a6f2a 100644
46--- a/bufaux.c
47+++ b/bufaux.c
48@@ -1,4 +1,4 @@
49-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
50+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
51 /*
52 * Author: Tatu Ylonen <ylo@cs.hut.fi>
53 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
54@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
55
56 if (l > 8 * 1024)
57 fatal("%s: length %u too long", __func__, l);
58+ /* Skip leading zero bytes */
59+ for (; l > 0 && *s == 0; l--, s++)
60+ ;
61 p = buf = xmalloc(l + 1);
62 /*
63 * If most significant bit is set then prepend a zero byte to
64diff --git a/compat.c b/compat.c
65index 9d9fabe..2709dc5 100644
66--- a/compat.c
67+++ b/compat.c
68@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
69 { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
70 { "OpenSSH_4*", 0 },
71 { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
72+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
73+ { "OpenSSH_6.5*,"
74+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
75 { "OpenSSH*", SSH_NEW_OPENSSH },
76 { "*MindTerm*", 0 },
77 { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
78@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
79 return cipher_prop;
80 }
81
82-
83 char *
84 compat_pkalg_proposal(char *pkalg_prop)
85 {
86@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
87 return pkalg_prop;
88 }
89
90+char *
91+compat_kex_proposal(char *kex_prop)
92+{
93+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
94+ return kex_prop;
95+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
96+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
97+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
98+ if (*kex_prop == '\0')
99+ fatal("No supported key exchange algorithms found");
100+ return kex_prop;
101+}
102+
103diff --git a/compat.h b/compat.h
104index b174fa1..a6c3f3d 100644
105--- a/compat.h
106+++ b/compat.h
107@@ -59,6 +59,7 @@
108 #define SSH_BUG_RFWD_ADDR 0x02000000
109 #define SSH_NEW_OPENSSH 0x04000000
110 #define SSH_BUG_DYNAMIC_RPORT 0x08000000
111+#define SSH_BUG_CURVE25519PAD 0x10000000
112
113 void enable_compat13(void);
114 void enable_compat20(void);
115@@ -66,6 +67,7 @@ void compat_datafellows(const char *);
116 int proto_spec(const char *);
117 char *compat_cipher_proposal(char *);
118 char *compat_pkalg_proposal(char *);
119+char *compat_kex_proposal(char *);
120
121 extern int compat13;
122 extern int compat20;
123diff --git a/sshconnect2.c b/sshconnect2.c
124index 66cb035..1a4e551 100644
125--- a/sshconnect2.c
126+++ b/sshconnect2.c
127@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
128 }
129 if (options.kex_algorithms != NULL)
130 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
131+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
132+ myproposal[PROPOSAL_KEX_ALGS]);
133
134 #ifdef GSSAPI
135 /* If we've got GSSAPI algorithms, then we also support the
136diff --git a/sshd.c b/sshd.c
137index 0964491..fe78d7b 100644
138--- a/sshd.c
139+++ b/sshd.c
140@@ -2534,6 +2534,9 @@ do_ssh2_kex(void)
141 if (options.kex_algorithms != NULL)
142 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
143
144+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
145+ myproposal[PROPOSAL_KEX_ALGS]);
146+
147 if (options.rekey_limit || options.rekey_interval)
148 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
149 (time_t)options.rekey_interval);
150diff --git a/version.h b/version.h
151index a97c337..0659576 100644
152--- a/version.h
153+++ b/version.h
154@@ -1,6 +1,6 @@
155 /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
156
157-#define SSH_VERSION "OpenSSH_6.6"
158+#define SSH_VERSION "OpenSSH_6.6.1"
159
160 #define SSH_PORTABLE "p1"
161 #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE