Accepting request 230928 from home:namtrac:bugfix

- Add fix-curve25519-kex.patch to fix a key-exchange problem
  with curve25519-sha256@libssh.org, see
  http://marc.info/?l=openssh-unix-dev&m=139797807804698&w=2

OBS-URL: https://build.opensuse.org/request/show/230928
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=79

fix-curve25519-kex.patch

@@ -0,0 +1,136 @@
+Hi,
+
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256@libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+
+I've committed this on the 6.6 branch too.
+
+Apologies for the hassle.
+
+-d
+
+Index: version.h
+===================================================================
+--- version.h.orig
++++ version.h
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+ 
+-#define SSH_VERSION	"OpenSSH_6.6"
++#define SSH_VERSION	"OpenSSH_6.6.1"
+ 
+ #define SSH_PORTABLE	"p1"
+ #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+Index: compat.c
+===================================================================
+--- compat.c.orig
++++ compat.c
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+ 		{ "Sun_SSH_1.0*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+ 		{ "OpenSSH_4*",		0 },
+ 		{ "OpenSSH_5*",		SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++		{ "OpenSSH_6.6.1*",	SSH_NEW_OPENSSH},
++		{ "OpenSSH_6.5*,"
++		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+ 		{ "OpenSSH*",		SSH_NEW_OPENSSH },
+ 		{ "*MindTerm*",		0 },
+ 		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
+ 	return cipher_prop;
+ }
+ 
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
+ 	return pkalg_prop;
+ }
+ 
++char *
++compat_kex_proposal(char *kex_prop)
++{
++	if (!(datafellows & SSH_BUG_CURVE25519PAD))
++		return kex_prop;
++	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++	kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
++	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++	if (*kex_prop == '\0')
++		fatal("No supported key exchange algorithms found");
++	return kex_prop;
++}
++
+Index: compat.h
+===================================================================
+--- compat.h.orig
++++ compat.h
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR	0x02000000
+ #define SSH_NEW_OPENSSH		0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT	0x08000000
++#define SSH_BUG_CURVE25519PAD	0x10000000
+ 
+ void     enable_compat13(void);
+ void     enable_compat20(void);
+@@ -66,6 +67,7 @@ void     compat_datafellows(const char *
+ int	 proto_spec(const char *);
+ char	*compat_cipher_proposal(char *);
+ char	*compat_pkalg_proposal(char *);
++char	*compat_kex_proposal(char *);
+ 
+ extern int compat13;
+ extern int compat20;
+Index: sshd.c
+===================================================================
+--- sshd.c.orig
++++ sshd.c
+@@ -2675,6 +2675,9 @@ do_ssh2_kex(void)
+ 	if (options.kex_algorithms != NULL)
+ 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ 
++	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++	    myproposal[PROPOSAL_KEX_ALGS]);
++
+ 	if (options.rekey_limit || options.rekey_interval)
+ 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ 		    (time_t)options.rekey_interval);
+Index: sshconnect2.c
+===================================================================
+--- sshconnect2.c.orig
++++ sshconnect2.c
+@@ -232,6 +232,8 @@ ssh_kex2(char *host, struct sockaddr *ho
+ 	}
+ 	if (options.kex_algorithms != NULL)
+ 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++	    myproposal[PROPOSAL_KEX_ALGS]);
+ 
+ #ifdef GSSAPI
+ 	/* If we've got GSSAPI algorithms, then we also support the
+Index: bufaux.c
+===================================================================
+--- bufaux.c.orig
++++ bufaux.c
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
+ 
+ 	if (l > 8 * 1024)
+ 		fatal("%s: length %u too long", __func__, l);
++	/* Skip leading zero bytes */
++	for (; l > 0 && *s == 0; l--, s++)
++		;
+ 	p = buf = xmalloc(l + 1);
+ 	/*
+ 	 * If most significant bit is set then prepend a zero byte to

openssh.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Apr 21 08:46:58 UTC 2014 - idonmez@suse.com
+
+- Add fix-curve25519-kex.patch to fix a key-exchange problem
+  with curve25519-sha256@libssh.org, see
+  http://marc.info/?l=openssh-unix-dev&m=139797807804698&w=2
+
 -------------------------------------------------------------------
 Tue Apr 15 09:26:16 UTC 2014 - rhafer@suse.com
 

openssh.spec

@@ -147,6 +147,7 @@ Patch36:        openssh-6.6p1-seccomp_getuid.patch
 Patch37:        openssh-6.6p1-X_forward_with_disabled_ipv6.patch
 Patch38:        openssh-6.6p1-fips-checks.patch
 Patch39:        openssh-6.6p1-ldap.patch
+Patch40:        fix-curve25519-kex.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -221,6 +222,7 @@ cryptomodule.
 %patch37 -p2
 %patch38 -p2
 %patch39 -p2
+%patch40 -p0
 cp %{SOURCE3} %{SOURCE4} .
 
 %build