aboutsummaryrefslogtreecommitdiffstats
path: root/curve25519pad.patch
diff options
context:
space:
mode:
Diffstat (limited to 'curve25519pad.patch')
-rw-r--r--curve25519pad.patch171
1 files changed, 171 insertions, 0 deletions
diff --git a/curve25519pad.patch b/curve25519pad.patch
new file mode 100644
index 0000000..9774a93
--- /dev/null
+++ b/curve25519pad.patch
@@ -0,0 +1,171 @@
+Hi,
+
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256@libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+
+I've committed this on the 6.6 branch too.
+
+Apologies for the hassle.
+
+-d
+
+Index: version.h
+===================================================================
+RCS file: /var/cvs/openssh/version.h,v
+retrieving revision 1.82
+diff -u -p -r1.82 version.h
+--- version.h 27 Feb 2014 23:01:54 -0000 1.82
++++ version.h 20 Apr 2014 03:35:15 -0000
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+
+-#define SSH_VERSION "OpenSSH_6.6"
++#define SSH_VERSION "OpenSSH_6.6.1"
+
+ #define SSH_PORTABLE "p1"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+Index: compat.c
+===================================================================
+RCS file: /var/cvs/openssh/compat.c,v
+retrieving revision 1.82
+retrieving revision 1.85
+diff -u -p -r1.82 -r1.85
+--- compat.c 31 Dec 2013 01:25:41 -0000 1.82
++++ compat.c 20 Apr 2014 03:33:59 -0000 1.85
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+ { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+ { "OpenSSH_4*", 0 },
+ { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
++ { "OpenSSH_6.5*,"
++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+ { "OpenSSH*", SSH_NEW_OPENSSH },
+ { "*MindTerm*", 0 },
+ { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
+ return cipher_prop;
+ }
+
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
+ if (*pkalg_prop == '\0')
+ fatal("No supported PK algorithms found");
+ return pkalg_prop;
++}
++
++char *
++compat_kex_proposal(char *kex_prop)
++{
++ if (!(datafellows & SSH_BUG_CURVE25519PAD))
++ return kex_prop;
++ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++ if (*kex_prop == '\0')
++ fatal("No supported key exchange algorithms found");
++ return kex_prop;
+ }
+
+Index: compat.h
+===================================================================
+RCS file: /var/cvs/openssh/compat.h,v
+retrieving revision 1.42
+retrieving revision 1.43
+diff -u -p -r1.42 -r1.43
+--- compat.h 31 Dec 2013 01:25:41 -0000 1.42
++++ compat.h 20 Apr 2014 03:25:31 -0000 1.43
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR 0x02000000
+ #define SSH_NEW_OPENSSH 0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT 0x08000000
++#define SSH_BUG_CURVE25519PAD 0x10000000
+
+ void enable_compat13(void);
+ void enable_compat20(void);
+@@ -66,6 +67,7 @@ void compat_datafellows(const char *
+ int proto_spec(const char *);
+ char *compat_cipher_proposal(char *);
+ char *compat_pkalg_proposal(char *);
++char *compat_kex_proposal(char *);
+
+ extern int compat13;
+ extern int compat20;
+Index: sshd.c
+===================================================================
+RCS file: /var/cvs/openssh/sshd.c,v
+retrieving revision 1.448
+retrieving revision 1.453
+diff -u -p -r1.448 -r1.453
+--- sshd.c 26 Feb 2014 23:20:08 -0000 1.448
++++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453
+@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
++
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ (time_t)options.rekey_interval);
+Index: sshconnect2.c
+===================================================================
+RCS file: /var/cvs/openssh/sshconnect2.c,v
+retrieving revision 1.197
+retrieving revision 1.199
+diff -u -p -r1.197 -r1.199
+--- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197
++++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199
+@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
+ }
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
+
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+Index: bufaux.c
+===================================================================
+RCS file: /var/cvs/openssh/bufaux.c,v
+retrieving revision 1.62
+retrieving revision 1.63
+diff -u -p -r1.62 -r1.63
+--- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62
++++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
+
+ if (l > 8 * 1024)
+ fatal("%s: length %u too long", __func__, l);
++ /* Skip leading zero bytes */
++ for (; l > 0 && *s == 0; l--, s++)
++ ;
+ p = buf = xmalloc(l + 1);
+ /*
+ * If most significant bit is set then prepend a zero byte to
+_______________________________________________
+openssh-unix-dev mailing list
+openssh-unix-dev@mindrot.org
+https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev \ No newline at end of file