Blame SOURCES/openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch

017ff1
From 5618210618256bbf5f4f71b2887ff186fd451736 Mon Sep 17 00:00:00 2001
017ff1
From: Damien Miller <djm@mindrot.org>
017ff1
Date: Sun, 20 Apr 2014 13:44:47 +1000
017ff1
Subject: [PATCH]  - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c
017ff1
 version.h]    OpenSSH 6.5 and 6.6 sometimes encode a value used in the
017ff1
 curve25519    key exchange incorrectly, causing connection failures about
017ff1
 0.2% of    the time when this method is used against a peer that implements  
017ff1
  the method properly.
017ff1
017ff1
   Fix the problem and disable the curve25519 KEX when speaking to
017ff1
   OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
017ff1
   to enable the compatibility code.
017ff1
---
017ff1
 ChangeLog     | 11 +++++++++++
017ff1
 bufaux.c      |  5 ++++-
017ff1
 compat.c      | 17 ++++++++++++++++-
017ff1
 compat.h      |  2 ++
017ff1
 sshconnect2.c |  2 ++
017ff1
 sshd.c        |  3 +++
017ff1
 version.h     |  2 +-
017ff1
 7 files changed, 39 insertions(+), 3 deletions(-)
017ff1
017ff1
diff --git a/ChangeLog b/ChangeLog
017ff1
index 1603a07..928999d 100644
017ff1
--- a/ChangeLog
017ff1
+++ b/ChangeLog
017ff1
@@ -1,13 +1,23 @@
017ff1
 20140420
017ff1
-   - djm@cvs.openbsd.org 2014/04/01 03:34:10
017ff1
-     [sshconnect.c]
017ff1
-     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
017ff1
-     certificate keys to plain keys and attempt SSHFP resolution.
017ff1
-     
017ff1
-     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
017ff1
-     dialog by offering only certificate keys.
017ff1
-     
017ff1
-     Reported by mcv21 AT cam.ac.uk
017ff1
+ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
017ff1
+   OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
017ff1
+   key exchange incorrectly, causing connection failures about 0.2% of
017ff1
+   the time when this method is used against a peer that implements
017ff1
+   the method properly.
017ff1
+
017ff1
+   Fix the problem and disable the curve25519 KEX when speaking to
017ff1
+   OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
017ff1
+   to enable the compatability code.
017ff1
+
017ff1
+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
017ff1
+   [sshconnect.c]
017ff1
+   When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
017ff1
+   certificate keys to plain keys and attempt SSHFP resolution.
017ff1
+   
017ff1
+   Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
017ff1
+   dialog by offering only certificate keys.
017ff1
+   
017ff1
+   Reported by mcv21 AT cam.ac.uk
017ff1
 
017ff1
 20140313
017ff1
  - (djm) Release OpenSSH 6.6
017ff1
diff --git a/bufaux.c b/bufaux.c
017ff1
index e24b5fc..f6a6f2a 100644
017ff1
--- a/bufaux.c
017ff1
+++ b/bufaux.c
017ff1
@@ -1,4 +1,4 @@
017ff1
-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
017ff1
+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
017ff1
 /*
017ff1
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
017ff1
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
017ff1
@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
017ff1
 
017ff1
 	if (l > 8 * 1024)
017ff1
 		fatal("%s: length %u too long", __func__, l);
017ff1
+	/* Skip leading zero bytes */
017ff1
+	for (; l > 0 && *s == 0; l--, s++)
017ff1
+		;
017ff1
 	p = buf = xmalloc(l + 1);
017ff1
 	/*
017ff1
 	 * If most significant bit is set then prepend a zero byte to
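Review bot: The comment `/* Skip leading zero bytes */` on the new loop in `buffer_put_bignum2_from_string` says what the loop does but not why, and the reason is the whole point of the fix. I would write `/* mpint must be minimally encoded (RFC 4251 section 5): strip leading zeros so both peers encode the same value */`. The `l > 8 * 1024` check runs before the strip, so the limit applies to the unstripped length, which is the conservative side. An all-zero input now reaches `xmalloc(l + 1)` with `l == 0` and `s` pointing one past the data; the rest of the function is outside the hunk, so confirm that every later read of `s[0]` is guarded by `l > 0`.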
017ff1
diff --git a/compat.c b/compat.c
017ff1
index 9d9fabe..2709dc5 100644
017ff1
--- a/compat.c
017ff1
+++ b/compat.c
017ff1
@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
017ff1
 		{ "Sun_SSH_1.0*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
017ff1
 		{ "OpenSSH_4*",		0 },
017ff1
 		{ "OpenSSH_5*",		SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
017ff1
+		{ "OpenSSH_6.6.1*",	SSH_NEW_OPENSSH},
017ff1
+		{ "OpenSSH_6.5*,"
017ff1
+		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
017ff1
 		{ "OpenSSH*",		SSH_NEW_OPENSSH },
017ff1
 		{ "*MindTerm*",		0 },
017ff1
 		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
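Review bot: The two new rows depend on their order, and nothing in the table says so. `OpenSSH_6.6.1*` is also matched by `OpenSSH_6.6*`, so the fixed release escapes `SSH_BUG_CURVE25519PAD` only if the table is searched top-down with the first match winning; the lookup loop is outside the hunk, so this is inferred. A comment above the first new row, such as `/* must stay above OpenSSH_6.6*: first match wins */`, would stop a later re-sort from silently disabling curve25519 against fixed peers. The `OpenSSH_6.6*` pattern would presumably also catch any later 6.6.x banner, which would then need its own row.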
017ff1
@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
017ff1
 	return cipher_prop;
017ff1
 }
017ff1
 
017ff1
-
017ff1
 char *
017ff1
 compat_pkalg_proposal(char *pkalg_prop)
017ff1
 {
017ff1
@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
017ff1
 	return pkalg_prop;
017ff1
 }
017ff1
 
017ff1
+char *
017ff1
+compat_kex_proposal(char *kex_prop)
017ff1
+{
017ff1
+	if (!(datafellows & SSH_BUG_CURVE25519PAD))
017ff1
+		return kex_prop;
017ff1
+	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
017ff1
+	kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
017ff1
+	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
017ff1
+	if (*kex_prop == '\0')
017ff1
+		fatal("No supported key exchange algorithms found");
017ff1
+	return kex_prop;
017ff1
+}
017ff1
+
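Review bot: When the peer is flagged and the local list holds only `curve25519-sha256@libssh.org`, `compat_kex_proposal` ends in `fatal("No supported key exchange algorithms found")`, and the cause is visible only at debug2. An operator who restricted KexAlgorithms to curve25519 gets a failure with no hint that the peer's version banner triggered the filter; I would change the message to `fatal("No supported key exchange algorithms found (curve25519 disabled for OpenSSH 6.5/6.6 peer)")`. The function also lacks a header comment, for example `/* Drop the curve25519 KEX from the proposal when the peer has SSH_BUG_CURVE25519PAD set */`. The sshconnect2.c and sshd.c hunks both call it after `options.kex_algorithms` is applied, so an explicit user setting is filtered as well, which is worth stating in that comment.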
017ff1
diff --git a/compat.h b/compat.h
017ff1
index b174fa1..a6c3f3d 100644
017ff1
--- a/compat.h
017ff1
+++ b/compat.h
017ff1
@@ -59,6 +59,7 @@
017ff1
 #define SSH_BUG_RFWD_ADDR	0x02000000
017ff1
 #define SSH_NEW_OPENSSH		0x04000000
017ff1
 #define SSH_BUG_DYNAMIC_RPORT	0x08000000
017ff1
+#define SSH_BUG_CURVE25519PAD	0x10000000
017ff1
 
017ff1
 void     enable_compat13(void);
017ff1
 void     enable_compat20(void);
017ff1
@@ -66,6 +67,7 @@ void     compat_datafellows(const char *);
017ff1
 int	 proto_spec(const char *);
017ff1
 char	*compat_cipher_proposal(char *);
017ff1
 char	*compat_pkalg_proposal(char *);
017ff1
+char	*compat_kex_proposal(char *);
017ff1
 
017ff1
 extern int compat13;
017ff1
 extern int compat20;
017ff1
diff --git a/sshconnect2.c b/sshconnect2.c
017ff1
index bb9292f..b00658b 100644
017ff1
--- a/sshconnect2.c
017ff1
+++ b/sshconnect2.c
017ff1
@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
017ff1
 	}
017ff1
 	if (options.kex_algorithms != NULL)
017ff1
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
017ff1
+	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
017ff1
+	    myproposal[PROPOSAL_KEX_ALGS]);
017ff1
 
017ff1
 #ifdef GSSAPI
017ff1
 	/* If we've got GSSAPI algorithms, then we also support the
017ff1
diff --git a/sshd.c b/sshd.c
017ff1
index e4e406e..512c7ed 100644
017ff1
--- a/sshd.c
017ff1
+++ b/sshd.c
017ff1
@@ -2488,6 +2488,9 @@ do_ssh2_kex(void)
017ff1
 	if (options.kex_algorithms != NULL)
017ff1
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
017ff1
 
017ff1
+	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
017ff1
+	    myproposal[PROPOSAL_KEX_ALGS]);
017ff1
+
017ff1
 	if (options.rekey_limit || options.rekey_interval)
017ff1
 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
017ff1
 		    (time_t)options.rekey_interval);
017ff1
diff --git a/version.h b/version.h
017ff1
index a1579ac..a33e77c 100644
017ff1
--- a/version.h
017ff1
+++ b/version.h
017ff1
@@ -1,6 +1,6 @@
017ff1
 /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
017ff1
 
017ff1
-#define SSH_VERSION	"OpenSSH_6.6"
017ff1
+#define SSH_VERSION	"OpenSSH_6.6.1"
017ff1
 
017ff1
 #define SSH_PORTABLE	"p1"
017ff1
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE