diff --git a/fix-curve25519-kex.patch b/fix-curve25519-kex.patch new file mode 100644 index 0000000..3bd5d4b --- /dev/null +++ b/fix-curve25519-kex.patch @@ -0,0 +1,136 @@ +Hi, + +So I screwed up when writing the support for the curve25519 KEX method +that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left +leading zero bytes where they should have been skipped. The impact of +this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a +peer that implements curve25519-sha256@libssh.org properly about 0.2% +of the time (one in every 512ish connections). + +We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 +key exchange for previous versions, but I'd recommend distributors +of OpenSSH apply this patch so the affected code doesn't become +too entrenched in LTS releases. + +The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as +to distinguish itself from the incorrect versions so the compatibility +code to disable the affected KEX isn't activated. + +I've committed this on the 6.6 branch too. + +Apologies for the hassle. + +-d + +Index: version.h +=================================================================== +--- version.h.orig ++++ version.h +@@ -1,6 +1,6 @@ + /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ + +-#define SSH_VERSION "OpenSSH_6.6" ++#define SSH_VERSION "OpenSSH_6.6.1" + + #define SSH_PORTABLE "p1" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +Index: compat.c +=================================================================== +--- compat.c.orig ++++ compat.c +@@ -95,6 +95,9 @@ compat_datafellows(const char *version) + { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, + { "OpenSSH_4*", 0 }, + { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, ++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, ++ { "OpenSSH_6.5*," ++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, + { "OpenSSH*", SSH_NEW_OPENSSH }, + { "*MindTerm*", 0 }, + { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| +@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop + return cipher_prop; + } + +- + char * + compat_pkalg_proposal(char *pkalg_prop) + { +@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop) + return pkalg_prop; + } + ++char * ++compat_kex_proposal(char *kex_prop) ++{ ++ if (!(datafellows & SSH_BUG_CURVE25519PAD)) ++ return kex_prop; ++ debug2("%s: original KEX proposal: %s", __func__, kex_prop); ++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); ++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop); ++ if (*kex_prop == '\0') ++ fatal("No supported key exchange algorithms found"); ++ return kex_prop; ++} ++ +Index: compat.h +=================================================================== +--- compat.h.orig ++++ compat.h +@@ -59,6 +59,7 @@ + #define SSH_BUG_RFWD_ADDR 0x02000000 + #define SSH_NEW_OPENSSH 0x04000000 + #define SSH_BUG_DYNAMIC_RPORT 0x08000000 ++#define SSH_BUG_CURVE25519PAD 0x10000000 + + void enable_compat13(void); + void enable_compat20(void); +@@ -66,6 +67,7 @@ void compat_datafellows(const char * + int proto_spec(const char *); + char *compat_cipher_proposal(char *); + char *compat_pkalg_proposal(char *); ++char *compat_kex_proposal(char *); + + extern int compat13; + extern int compat20; +Index: sshd.c +=================================================================== +--- sshd.c.orig ++++ sshd.c +@@ -2675,6 +2675,9 @@ do_ssh2_kex(void) + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); ++ + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); +Index: sshconnect2.c +=================================================================== +--- sshconnect2.c.orig ++++ sshconnect2.c +@@ -232,6 +232,8 @@ ssh_kex2(char *host, struct sockaddr *ho + } + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); + + #ifdef GSSAPI + /* If we've got GSSAPI algorithms, then we also support the +Index: bufaux.c +=================================================================== +--- bufaux.c.orig ++++ bufaux.c +@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b + + if (l > 8 * 1024) + fatal("%s: length %u too long", __func__, l); ++ /* Skip leading zero bytes */ ++ for (; l > 0 && *s == 0; l--, s++) ++ ; + p = buf = xmalloc(l + 1); + /* + * If most significant bit is set then prepend a zero byte to diff --git a/openssh.changes b/openssh.changes index 40bb887..a86aff7 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Apr 21 08:46:58 UTC 2014 - idonmez@suse.com + +- Add fix-curve25519-kex.patch to fix a key-exchange problem + with curve25519-sha256@libssh.org, see + http://marc.info/?l=openssh-unix-dev&m=139797807804698&w=2 + ------------------------------------------------------------------- Tue Apr 15 09:26:16 UTC 2014 - rhafer@suse.com diff --git a/openssh.spec b/openssh.spec index 0bd0b84..4bc5eb6 100644 --- a/openssh.spec +++ b/openssh.spec @@ -147,6 +147,7 @@ Patch36: openssh-6.6p1-seccomp_getuid.patch Patch37: openssh-6.6p1-X_forward_with_disabled_ipv6.patch Patch38: openssh-6.6p1-fips-checks.patch Patch39: openssh-6.6p1-ldap.patch +Patch40: fix-curve25519-kex.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -221,6 +222,7 @@ cryptomodule. %patch37 -p2 %patch38 -p2 %patch39 -p2 +%patch40 -p0 cp %{SOURCE3} %{SOURCE4} . %build