1 files changed, 161 insertions, 0 deletions
diff --git a/debian/patches/curve25519-sha256-bignum-encoding.patch b/debian/patches/curve25519-sha256-bignum-encoding.patch
new file mode 100644
index 000000000..ccb66048d
--- /dev/null
+++ b/debian/patches/curve25519-sha256-bignum-encoding.patch
@@ -0,0 +1,161 @@
+From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Sun, 20 Apr 2014 13:47:45 +1000
+Subject: bad bignum encoding for curve25519-sha256@libssh.org
+Hi,
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256@libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+I've committed this on the 6.6 branch too.
+Apologies for the hassle.
+-d
+Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
+Forwarded: not-needed
+Last-Update: 2014-04-21
+Patch-Name: curve25519-sha256-bignum-encoding.patch
+---
+ bufaux.c      |  5 ++++-
+ compat.c      | 17 ++++++++++++++++-
+ compat.h      |  2 ++
+ sshconnect2.c |  2 ++
+ sshd.c        |  3 +++
+ version.h     |  2 +-
+ 6 files changed, 28 insertions(+), 3 deletions(-)
+diff --git a/bufaux.c b/bufaux.c
+index e24b5fc..f6a6f2a 100644
+--- a/bufaux.c
+++ b/bufaux.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
+ 
+        if (l > 8 * 1024)
+                fatal("%s: length %u too long", __func__, l);
+       /* Skip leading zero bytes */
+       for (; l > 0 && *s == 0; l--, s++)
+               ;
+        p = buf = xmalloc(l + 1);
+        /*
+         * If most significant bit is set then prepend a zero byte to
+diff --git a/compat.c b/compat.c
+index 9d9fabe..2709dc5 100644
+--- a/compat.c
+++ b/compat.c
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+                { "Sun_SSH_1.0*",       SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+                { "OpenSSH_4*",         0 },
+                { "OpenSSH_5*",         SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
+               { "OpenSSH_6.6.1*",     SSH_NEW_OPENSSH},
+               { "OpenSSH_6.5*,"
+                 "OpenSSH_6.6*",       SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+                { "OpenSSH*",           SSH_NEW_OPENSSH },
+                { "*MindTerm*",         0 },
+                { "2.1.0*",             SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
+        return cipher_prop;
+ }
+ 
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
+        return pkalg_prop;
+ }
+ 
+char *
+compat_kex_proposal(char *kex_prop)
+{
+       if (!(datafellows & SSH_BUG_CURVE25519PAD))
+               return kex_prop;
+       debug2("%s: original KEX proposal: %s", __func__, kex_prop);
+       kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
+       debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
+       if (*kex_prop == '\0')
+               fatal("No supported key exchange algorithms found");
+       return kex_prop;
+}
+
+diff --git a/compat.h b/compat.h
+index b174fa1..a6c3f3d 100644
+--- a/compat.h
+++ b/compat.h
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR      0x02000000
+ #define SSH_NEW_OPENSSH                0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT  0x08000000
+#define SSH_BUG_CURVE25519PAD  0x10000000
+ 
+ void     enable_compat13(void);
+ void     enable_compat20(void);
+@@ -66,6 +67,7 @@ void     compat_datafellows(const char *);
+ int     proto_spec(const char *);
+ char   *compat_cipher_proposal(char *);
+ char   *compat_pkalg_proposal(char *);
+char   *compat_kex_proposal(char *);
+ 
+ extern int compat13;
+ extern int compat20;
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 66cb035..1a4e551 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+        }
+        if (options.kex_algorithms != NULL)
+                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+       myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+           myproposal[PROPOSAL_KEX_ALGS]);
+ 
+ #ifdef GSSAPI
+        /* If we've got GSSAPI algorithms, then we also support the
+diff --git a/sshd.c b/sshd.c
+index 0964491..fe78d7b 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -2534,6 +2534,9 @@ do_ssh2_kex(void)
+        if (options.kex_algorithms != NULL)
+                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ 
+       myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+           myproposal[PROPOSAL_KEX_ALGS]);
+
+        if (options.rekey_limit || options.rekey_interval)
+                packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+                    (time_t)options.rekey_interval);
+diff --git a/version.h b/version.h
+index a97c337..0659576 100644
+--- a/version.h
+++ b/version.h
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+ 
+-#define SSH_VERSION    "OpenSSH_6.6"
+#define SSH_VERSION    "OpenSSH_6.6.1"
+ 
+ #define SSH_PORTABLE   "p1"
+ #define SSH_RELEASE_MINIMUM    SSH_VERSION SSH_PORTABLE

diff --git a/debian/patches/curve25519-sha256-bignum-encoding.patch b/debian/patches/curve25519-sha256-bignum-encoding.patch new file mode 100644 index 000000000..ccb66048d --- /dev/null +++ b/debian/patches/curve25519-sha256-bignum-encoding.patch
@@ -0,0 +1,161 @@
	1	From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001
	2	From: Damien Miller <djm@mindrot.org>
	3	Date: Sun, 20 Apr 2014 13:47:45 +1000
	4	Subject: bad bignum encoding for curve25519-sha256@libssh.org
	5
	6	Hi,
	7
	8	So I screwed up when writing the support for the curve25519 KEX method
	9	that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
	10	leading zero bytes where they should have been skipped. The impact of
	11	this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
	12	peer that implements curve25519-sha256@libssh.org properly about 0.2%
	13	of the time (one in every 512ish connections).
	14
	15	We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
	16	key exchange for previous versions, but I'd recommend distributors
	17	of OpenSSH apply this patch so the affected code doesn't become
	18	too entrenched in LTS releases.
	19
	20	The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
	21	to distinguish itself from the incorrect versions so the compatibility
	22	code to disable the affected KEX isn't activated.
	23
	24	I've committed this on the 6.6 branch too.
	25
	26	Apologies for the hassle.
	27
	28	-d
	29
	30	Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
	31	Forwarded: not-needed
	32	Last-Update: 2014-04-21
	33
	34	Patch-Name: curve25519-sha256-bignum-encoding.patch
	35	---
	36	bufaux.c \| 5 ++++-
	37	compat.c \| 17 ++++++++++++++++-
	38	compat.h \| 2 ++
	39	sshconnect2.c \| 2 ++
	40	sshd.c \| 3 +++
	41	version.h \| 2 +-
	42	6 files changed, 28 insertions(+), 3 deletions(-)
	43
	44	diff --git a/bufaux.c b/bufaux.c
	45	index e24b5fc..f6a6f2a 100644
	46	--- a/bufaux.c
	47	+++ b/bufaux.c
	48	@@ -1,4 +1,4 @@
	49	-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
	50	+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
	51	/*
	52	* Author: Tatu Ylonen <ylo@cs.hut.fi>
	53	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	54	@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer buffer, const u_char s, u_int l)
	55
	56	if (l > 8 * 1024)
	57	fatal("%s: length %u too long", __func__, l);
	58	+ /* Skip leading zero bytes */
	59	+ for (; l > 0 && *s == 0; l--, s++)
	60	+ ;
	61	p = buf = xmalloc(l + 1);
	62	/*
	63	* If most significant bit is set then prepend a zero byte to
	64	diff --git a/compat.c b/compat.c
	65	index 9d9fabe..2709dc5 100644
	66	--- a/compat.c
	67	+++ b/compat.c
	68	@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
	69	{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY\|SSH_BUG_EXTEOF},
	70	{ "OpenSSH_4*", 0 },
	71	{ "OpenSSH_5*", SSH_NEW_OPENSSH\|SSH_BUG_DYNAMIC_RPORT},
	72	+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
	73	+ { "OpenSSH_6.5*,"
	74	+ "OpenSSH_6.6*", SSH_NEW_OPENSSH\|SSH_BUG_CURVE25519PAD},
	75	{ "OpenSSH*", SSH_NEW_OPENSSH },
	76	{ "MindTerm", 0 },
	77	{ "2.1.0*", SSH_BUG_SIGBLOB\|SSH_BUG_HMAC\|
	78	@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
	79	return cipher_prop;
	80	}
	81
	82	-
	83	char *
	84	compat_pkalg_proposal(char *pkalg_prop)
	85	{
	86	@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
	87	return pkalg_prop;
	88	}
	89
	90	+char *
	91	+compat_kex_proposal(char *kex_prop)
	92	+{
	93	+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
	94	+ return kex_prop;
	95	+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
	96	+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
	97	+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
	98	+ if (*kex_prop == '\0')
	99	+ fatal("No supported key exchange algorithms found");
	100	+ return kex_prop;
	101	+}
	102	+
	103	diff --git a/compat.h b/compat.h
	104	index b174fa1..a6c3f3d 100644
	105	--- a/compat.h
	106	+++ b/compat.h
	107	@@ -59,6 +59,7 @@
	108	#define SSH_BUG_RFWD_ADDR 0x02000000
	109	#define SSH_NEW_OPENSSH 0x04000000
	110	#define SSH_BUG_DYNAMIC_RPORT 0x08000000
	111	+#define SSH_BUG_CURVE25519PAD 0x10000000
	112
	113	void enable_compat13(void);
	114	void enable_compat20(void);
	115	@@ -66,6 +67,7 @@ void compat_datafellows(const char *);
	116	int proto_spec(const char *);
	117	char compat_cipher_proposal(char );
	118	char compat_pkalg_proposal(char );
	119	+char compat_kex_proposal(char );
	120
	121	extern int compat13;
	122	extern int compat20;
	123	diff --git a/sshconnect2.c b/sshconnect2.c
	124	index 66cb035..1a4e551 100644
	125	--- a/sshconnect2.c
	126	+++ b/sshconnect2.c
	127	@@ -220,6 +220,8 @@ ssh_kex2(char host, struct sockaddr hostaddr, u_short port)
	128	}
	129	if (options.kex_algorithms != NULL)
	130	myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
	131	+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
	132	+ myproposal[PROPOSAL_KEX_ALGS]);
	133
	134	#ifdef GSSAPI
	135	/* If we've got GSSAPI algorithms, then we also support the
	136	diff --git a/sshd.c b/sshd.c
	137	index 0964491..fe78d7b 100644
	138	--- a/sshd.c
	139	+++ b/sshd.c
	140	@@ -2534,6 +2534,9 @@ do_ssh2_kex(void)
	141	if (options.kex_algorithms != NULL)
	142	myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
	143
	144	+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
	145	+ myproposal[PROPOSAL_KEX_ALGS]);
	146	+
	147	if (options.rekey_limit \|\| options.rekey_interval)
	148	packet_set_rekey_limits((u_int32_t)options.rekey_limit,
	149	(time_t)options.rekey_interval);
	150	diff --git a/version.h b/version.h
	151	index a97c337..0659576 100644
	152	--- a/version.h
	153	+++ b/version.h
	154	@@ -1,6 +1,6 @@
	155	/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
	156
	157	-#define SSH_VERSION "OpenSSH_6.6"
	158	+#define SSH_VERSION "OpenSSH_6.6.1"
	159
	160	#define SSH_PORTABLE "p1"
	161	#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE