openssh/openssh-6.6p1-curve25519-6.6.1p1.patch
Petr Cerny 9fb40d132b Accepting request 231427 from home:pcerny:factory
- curve25519 key exchange fix (-curve25519-6.6.1p1.patch)
- patch re-ordering (-audit3-key_auth_usage-fips.patch,
    -audit4-kex_results-fips.patch)

OBS-URL: https://build.opensuse.org/request/show/231427
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=80
2014-04-25 13:11:58 +00:00

206 lines
7.1 KiB
Diff

# Date: Sun, 20 Apr 2014 17:14:08 +1000 (EST)
# From: Damien Miller <djm@mindrot.org>
# To: openssh-unix-dev@mindrot.org
# Subject: bad bignum encoding for curve25519-sha256@libssh.org
# Message-ID: <alpine.BSO.2.11.1404201713390.26134@natsu.mindrot.org>
#
# Hi,
#
# So I screwed up when writing the support for the curve25519 KEX method
# that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
# leading zero bytes where they should have been skipped. The impact of
# this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
# peer that implements curve25519-sha256@libssh.org properly about 0.2%
# of the time (one in every 512ish connections).
#
# We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
# key exchange for previous versions, but I'd recommend distributors
# of OpenSSH apply this patch so the affected code doesn't become
# too entrenched in LTS releases.
#
# The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
# to distinguish itself from the incorrect versions so the compatibility
# code to disable the affected KEX isn't activated.
#
# I've committed this on the 6.6 branch too.
#
# Apologies for the hassle.
#
# -d
diff --git a/openssh-6.6p1/bufaux.c b/openssh-6.6p1/bufaux.c
--- a/openssh-6.6p1/bufaux.c
+++ b/openssh-6.6p1/bufaux.c
@@ -1,9 +1,9 @@
-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
* Auxiliary functions for storing and retrieving various data types to/from
* Buffers.
*
* As far as I am concerned, the code I have written for this software
@@ -367,16 +367,19 @@ buffer_get_bignum2_as_string(Buffer *buf
void
buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
{
u_char *buf, *p;
int pad = 0;
if (l > 8 * 1024)
fatal("%s: length %u too long", __func__, l);
+ /* Skip leading zero bytes */
+ for (; l > 0 && *s == 0; l--, s++)
+ ;
p = buf = xmalloc(l + 1);
/*
* If most significant bit is set then prepend a zero byte to
* avoid interpretation as a negative number.
*/
if (l > 0 && (s[0] & 0x80) != 0) {
*p++ = '\0';
pad = 1;
diff --git a/openssh-6.6p1/compat.c b/openssh-6.6p1/compat.c
--- a/openssh-6.6p1/compat.c
+++ b/openssh-6.6p1/compat.c
@@ -90,16 +90,19 @@ compat_datafellows(const char *version)
SSH_OLD_FORWARD_ADDR},
{ "OpenSSH_2.*,"
"OpenSSH_3.0*,"
"OpenSSH_3.1*", SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
{ "OpenSSH_3.*", SSH_OLD_FORWARD_ADDR },
{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
{ "OpenSSH_4*", 0 },
{ "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
+ { "OpenSSH_6.5*,"
+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
{ "OpenSSH*", SSH_NEW_OPENSSH },
{ "*MindTerm*", 0 },
{ "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE|
SSH_BUG_FIRSTKEX },
{ "2.1 *", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
@@ -246,22 +249,34 @@ compat_cipher_proposal(char *cipher_prop
debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
cipher_prop = filter_proposal(cipher_prop, "aes*");
debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
if (*cipher_prop == '\0')
fatal("No supported ciphers found");
return cipher_prop;
}
-
char *
compat_pkalg_proposal(char *pkalg_prop)
{
if (!(datafellows & SSH_BUG_RSASIGMD5))
return pkalg_prop;
debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa");
debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
if (*pkalg_prop == '\0')
fatal("No supported PK algorithms found");
return pkalg_prop;
}
+char *
+compat_kex_proposal(char *kex_prop)
+{
+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
+ return kex_prop;
+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
+ if (*kex_prop == '\0')
+ fatal("No supported key exchange algorithms found");
+ return kex_prop;
+}
+
diff --git a/openssh-6.6p1/compat.h b/openssh-6.6p1/compat.h
--- a/openssh-6.6p1/compat.h
+++ b/openssh-6.6p1/compat.h
@@ -54,20 +54,22 @@
#define SSH_BUG_DUMMYCHAN 0x00100000
#define SSH_BUG_EXTEOF 0x00200000
#define SSH_BUG_PROBE 0x00400000
#define SSH_BUG_FIRSTKEX 0x00800000
#define SSH_OLD_FORWARD_ADDR 0x01000000
#define SSH_BUG_RFWD_ADDR 0x02000000
#define SSH_NEW_OPENSSH 0x04000000
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
+#define SSH_BUG_CURVE25519PAD 0x10000000
void enable_compat13(void);
void enable_compat20(void);
void compat_datafellows(const char *);
int proto_spec(const char *);
char *compat_cipher_proposal(char *);
char *compat_pkalg_proposal(char *);
+char *compat_kex_proposal(char *);
extern int compat13;
extern int compat20;
extern int datafellows;
#endif
diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
--- a/openssh-6.6p1/sshconnect2.c
+++ b/openssh-6.6p1/sshconnect2.c
@@ -190,16 +190,18 @@ ssh_kex2(char *host, struct sockaddr *ho
else {
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(
order_hostkeyalgs(host, hostaddr, port));
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ myproposal[PROPOSAL_KEX_ALGS]);
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval);
/* start key exchange */
kex = kex_setup(myproposal);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -2457,16 +2457,19 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
} else if (options.compression == COMP_DELAYED) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ myproposal[PROPOSAL_KEX_ALGS]);
+
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval);
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
/* start key exchange */
diff --git a/openssh-6.6p1/version.h b/openssh-6.6p1/version.h
--- a/openssh-6.6p1/version.h
+++ b/openssh-6.6p1/version.h
@@ -1,6 +1,6 @@
/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
-#define SSH_VERSION "OpenSSH_6.6"
+#define SSH_VERSION "OpenSSH_6.6.1"
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE