main/openssh: security fix (CVE-2016-6210). Fixes #5929

(cherry picked from commit 1a6c29da7c4a7e3d05009f4ea2b940878b57ac81)
(cherry picked from commit cf8a8f7b76eebaebfdb148506df212cd8e61a37b)

3 files changed, 236 insertions, 5 deletions

diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 6e13d6f0b8..2f955679db 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openssh
 pkgver=6.7_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=4
+pkgrel=5
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -11,7 +11,7 @@ options="suid"
 depends="openssh-client"
 makedepends="openssl-dev zlib-dev"
 subpackages="$pkgname-doc $pkgname-client $pkgname-keysign"
-source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
+source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
 	openssh6.7-dynwindows.diff
 	openssh6.5-peaktput.diff
 	openssh-fix-includes.diff
@@ -25,9 +25,15 @@ source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.
 	CVE-2015-6565.patch
 	CVE-2016-0777_CVE-2016-0778.patch
 	CVE-2016-3115.patch
+	CVE-2016-6210-1.patch
+	CVE-2016-6210-2.patch
 	"
 # HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
 
+# secfixes:
+#   6.7_p1-r5:
+#     - CVE-2016-6210
+
 _builddir="$srcdir"/$pkgname-$_myver
 prepare() {
 	cd "$_builddir"
@@ -126,7 +132,9 @@ ae3ac6c890f3172327118f3b793e7f05  CVE-2015-6563.patch
 9e107e2636250f33199ba47550ceca1e  CVE-2015-6564.patch
 48b16c12877d665d9701809fdc6f4bc6  CVE-2015-6565.patch
 05cc6c7c1101b76959eac0d2d843561f  CVE-2016-0777_CVE-2016-0778.patch
-9dcae186783ebc1eaf80867016dde695  CVE-2016-3115.patch"
+9dcae186783ebc1eaf80867016dde695  CVE-2016-3115.patch
+8bdbd8213f3f5cac420839045fd377be  CVE-2016-6210-1.patch
+0a21e81b0920b2b79f788668072b827e  CVE-2016-6210-2.patch"
 sha256sums="b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507  openssh-6.7p1.tar.gz
 7d02930524d1357232770e9dc5a92746e654d6dafcbd5762c8618b059f0bf7b9  openssh6.7-dynwindows.diff
 bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249  openssh6.5-peaktput.diff
@@ -140,7 +148,9 @@ d7bc0d62a9741775ab618725c63c9bdda915e5c6d2e8a4c6995ebe1fa8b3224f  CVE-2015-5600.
 0f4db4d65edbbef21862ac10714bdd4f8911cf9f9b6eb220f94663be0c4872c8  CVE-2015-6564.patch
 e42adee1f712850efcce272b556909fd3daf688c1f6059d86bfcc064cea09e87  CVE-2015-6565.patch
 0b5536dc8b1d19a536826d0fe2fe27e4b814b12a2d5f1902ffd6f96ce14e6b49  CVE-2016-0777_CVE-2016-0778.patch
-75c8353309d0c1870c40498f1c9ca370dfef336d7771a4a6a4301edc5a020115  CVE-2016-3115.patch"
+75c8353309d0c1870c40498f1c9ca370dfef336d7771a4a6a4301edc5a020115  CVE-2016-3115.patch
+9d241c182c62d6ac55ef2db0f377cea8b2293131b75b97de939f36ece61725a4  CVE-2016-6210-1.patch
+021f15627e56ca5c45a05d3a71d2c79af9d3c86637c1eb40208c6f71d2fb9697  CVE-2016-6210-2.patch"
 sha512sums="2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d  openssh-6.7p1.tar.gz
 4985134b4b1b06d9c8bc81af9f0e0690c3f23d78f3df2af70cd0030cc7ab5bd8d9aad60031ce8069902c6bb8ae6dde754aa87d6fd4587cdc6e99e7bb33f0d1bb  openssh6.7-dynwindows.diff
 e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1  openssh6.5-peaktput.diff
@@ -154,4 +164,6 @@ c53410eb119fdba313661bdffbbbc0e19970c2321fdf24cb086d1946d0f99c8fb06c65b7edc52a74
 e5a7d536837aefb07260b01c2863f96d0db2521d7739ded69f92490fad4c8537c853320458cdbc3a86cd90805d54fc87e081ece1dd4cb19392599888f9078e26  CVE-2015-6564.patch
 2f74906d7bfc2ca48f001470606a055ade36b44c17d386ed89e44507c8821f1c7b48eed022be729459185d5b6f848fd5763f7b711e106fbc20fb18c10bb688bd  CVE-2015-6565.patch
 c60a6d66537f08b69bcb320903c2903c10f7685052fa58b5ef3deb102f7a1ea50d817e5980bcc6c96d7b898f9cb8f4b0081c59d06c5a49dbc7e1ca737b63f6b1  CVE-2016-0777_CVE-2016-0778.patch
-3fdfa02f4892abd1f5ca4cbe5e1cf5fe528c55b0ead3dd32de0bc04d4ec1ff6aec377b8e3a912bc209bb5186802ff9d86bd86ae7aefb59740005e4e091643aef  CVE-2016-3115.patch"
+3fdfa02f4892abd1f5ca4cbe5e1cf5fe528c55b0ead3dd32de0bc04d4ec1ff6aec377b8e3a912bc209bb5186802ff9d86bd86ae7aefb59740005e4e091643aef  CVE-2016-3115.patch
+6c78935209d9af00c4f0ce27261a40cdea8714ce0eaf28935ec75853333421f72ee2281c674d70c2a5ef7c297ec0fe4699214e0874efe0341c35dfd5027a1702  CVE-2016-6210-1.patch
+aad1fc45a8f83fc778105ea43b6406860155fc89545a058ff0359586cbb33a0d0ebff99dc70be64a9e1021c4b971658b33bbae3efd383a9d81531dc4395b83a5  CVE-2016-6210-2.patch"
diff --git a/main/openssh/CVE-2016-6210-1.patch b/main/openssh/CVE-2016-6210-1.patch
new file mode 100644
index 0000000000..b4536cc9df
--- /dev/null
+++ b/main/openssh/CVE-2016-6210-1.patch
@@ -0,0 +1,111 @@
+From 9286875a73b2de7736b5e50692739d314cd8d9dc Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@zip.com.au>
+Date: Fri, 15 Jul 2016 13:32:45 +1000
+Subject: Determine appropriate salt for invalid users.
+
+When sshd is processing a non-PAM login for a non-existent user it uses
+the string from the fakepw structure as the salt for crypt(3)ing the
+password supplied by the client.  That string has a Blowfish prefix, so on
+systems that don't understand that crypt will fail fast due to an invalid
+salt, and even on those that do it may have significantly different timing
+from the hash methods used for real accounts (eg sha512).  This allows
+user enumeration by, eg, sending large password strings.  This was noted
+by EddieEzra.Harari at verint.com (CVE-2016-6210).
+
+To mitigate, use the same hash algorithm that root uses for hashing
+passwords for users that do not exist on the system.  ok djm@
+---
+ auth-passwd.c           | 12 ++++++++----
+ openbsd-compat/xcrypt.c | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 42 insertions(+), 4 deletions(-)
+
+diff --git a/auth-passwd.c b/auth-passwd.c
+index 63ccf3c..530b5d4 100644
+--- a/auth-passwd.c
++++ b/auth-passwd.c
+@@ -193,7 +193,7 @@ int
+ sys_auth_passwd(Authctxt *authctxt, const char *password)
+ {
+ 	struct passwd *pw = authctxt->pw;
+-	char *encrypted_password;
++	char *encrypted_password, *salt = NULL;
+ 
+ 	/* Just use the supplied fake password if authctxt is invalid */
+ 	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
+@@ -202,9 +202,13 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
+ 	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
+ 		return (1);
+ 
+-	/* Encrypt the candidate password using the proper salt. */
+-	encrypted_password = xcrypt(password,
+-	    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
++	/*
++	 * Encrypt the candidate password using the proper salt, or pass a
++	 * NULL and let xcrypt pick one.
++	 */
++	if (authctxt->valid && pw_password[0] && pw_password[1])
++		salt = pw_password;
++	encrypted_password = xcrypt(password, salt);
+ 
+ 	/*
+ 	 * Authentication is accepted if the encrypted passwords
+diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
+index 8577cbd..8913bb8 100644
+--- a/openbsd-compat/xcrypt.c
++++ b/openbsd-compat/xcrypt.c
+@@ -25,6 +25,7 @@
+ #include "includes.h"
+ 
+ #include <sys/types.h>
++#include <string.h>
+ #include <unistd.h>
+ #include <pwd.h>
+ 
+@@ -62,11 +63,44 @@
+ #  define crypt DES_crypt
+ # endif
+ 
++/*
++ * Pick an appropriate password encryption type and salt for the running
++ * system.
++ */
++static const char *
++pick_salt(void)
++{
++	struct passwd *pw;
++	char *passwd, *p;
++	size_t typelen;
++	static char salt[32];
++
++	if (salt[0] != '\0')
++		return salt;
++	strlcpy(salt, "xx", sizeof(salt));
++	if ((pw = getpwuid(0)) == NULL)
++		return salt;
++	passwd = shadow_pw(pw);
++	if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
++		return salt;  /* no $, DES */
++	typelen = p - passwd + 1;
++	strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
++	explicit_bzero(passwd, strlen(passwd));
++	return salt;
++}
++
+ char *
+ xcrypt(const char *password, const char *salt)
+ {
+ 	char *crypted;
+ 
++	/*
++	 * If we don't have a salt we are encrypting a fake password for
++	 * for timing purposes.  Pick an appropriate salt.
++	 */
++	if (salt == NULL)
++		salt = pick_salt();
++
+ # ifdef HAVE_MD5_PASSWORDS
+         if (is_md5_salt(salt))
+                 crypted = md5_crypt(password, salt);
+-- 
+cgit v0.12
+
diff --git a/main/openssh/CVE-2016-6210-2.patch b/main/openssh/CVE-2016-6210-2.patch
new file mode 100644
index 0000000000..33a1883dda
--- /dev/null
+++ b/main/openssh/CVE-2016-6210-2.patch
@@ -0,0 +1,108 @@
+From 283b97ff33ea2c641161950849931bd578de6946 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@zip.com.au>
+Date: Fri, 15 Jul 2016 13:49:44 +1000
+Subject: Mitigate timing of disallowed users PAM logins.
+
+When sshd decides to not allow a login (eg PermitRootLogin=no) and
+it's using PAM, it sends a fake password to PAM so that the timing for
+the failure is not noticeably different whether or not the password
+is correct.  This behaviour can be detected by sending a very long
+password string which is slower to hash than the fake password.
+
+Mitigate by constructing an invalid password that is the same length
+as the one from the client and thus takes the same time to hash.
+Diff from djm@
+---
+ auth-pam.c | 35 +++++++++++++++++++++++++++++++----
+ 1 file changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/auth-pam.c b/auth-pam.c
+index 451de78..465b5a7 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -232,7 +232,6 @@ static int sshpam_account_status = -1;
+ static char **sshpam_env = NULL;
+ static Authctxt *sshpam_authctxt = NULL;
+ static const char *sshpam_password = NULL;
+-static char badpw[] = "\b\n\r\177INCORRECT";
+ 
+ /* Some PAM implementations don't implement this */
+ #ifndef HAVE_PAM_GETENVLIST
+@@ -795,12 +794,35 @@ sshpam_query(void *ctx, char **name, char **info,
+ 	return (-1);
+ }
+ 
++/*
++ * Returns a junk password of identical length to that the user supplied.
++ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
++ * vary processing time in proportion to password length.
++ */
++static char *
++fake_password(const char *wire_password)
++{
++	const char junk[] = "\b\n\r\177INCORRECT";
++	char *ret = NULL;
++	size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
++
++	if (l >= INT_MAX)
++		fatal("%s: password length too long: %zu", __func__, l);
++
++	ret = malloc(l + 1);
++	for (i = 0; i < l; i++)
++		ret[i] = junk[i % (sizeof(junk) - 1)];
++	ret[i] = '\0';
++	return ret;
++}
++
+ /* XXX - see also comment in auth-chall.c:verify_response */
+ static int
+ sshpam_respond(void *ctx, u_int num, char **resp)
+ {
+ 	Buffer buffer;
+ 	struct pam_ctxt *ctxt = ctx;
++	char *fake;
+ 
+ 	debug2("PAM: %s entering, %u responses", __func__, num);
+ 	switch (ctxt->pam_done) {
+@@ -821,8 +843,11 @@ sshpam_respond(void *ctx, u_int num, char **resp)
+ 	    (sshpam_authctxt->pw->pw_uid != 0 ||
+ 	    options.permit_root_login == PERMIT_YES))
+ 		buffer_put_cstring(&buffer, *resp);
+-	else
+-		buffer_put_cstring(&buffer, badpw);
++	else {
++		fake = fake_password(*resp);
++		buffer_put_cstring(&buffer, fake);
++		free(fake);
++	}
+ 	if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
+ 		buffer_free(&buffer);
+ 		return (-1);
+@@ -1166,6 +1191,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
+ {
+ 	int flags = (options.permit_empty_passwd == 0 ?
+ 	    PAM_DISALLOW_NULL_AUTHTOK : 0);
++	char *fake = NULL;
+ 
+ 	if (!options.use_pam || sshpam_handle == NULL)
+ 		fatal("PAM: %s called when PAM disabled or failed to "
+@@ -1181,7 +1207,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
+ 	 */
+ 	if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
+ 	    options.permit_root_login != PERMIT_YES))
+-		sshpam_password = badpw;
++		sshpam_password = fake = fake_password(password);
+ 
+ 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+ 	    (const void *)&passwd_conv);
+@@ -1191,6 +1217,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
+ 
+ 	sshpam_err = pam_authenticate(sshpam_handle, flags);
+ 	sshpam_password = NULL;
++	free(fake);
+ 	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+ 		debug("PAM: password authentication accepted for %.100s",
+ 		    authctxt->user);
+-- 
+cgit v0.12
+