From f72e2632c9a10b1e62e73541f2a8c339059a0cd9 Mon Sep 17 00:00:00 2001
From: Johannes Matheis <jomat+alpinebuild@jmt.gr>
Date: Tue, 2 Sep 2014 15:02:59 +0000
Subject: main/openssh: curve25519pad patch added

https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html:
> bad bignum encoding for curve25519-sha256@libssh.org
>[...]
> So I screwed up when writing the support for the curve25519 KEX method
> that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
> leading zero bytes where they should have been skipped. The impact of
> this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
> peer that implements curve25519-sha256@libssh.org properly about 0.2%
> of the time (one in every 512ish connections).

(cherry picked from commit 5bc265ef454ba0f8d82e8298c3246999fb11a9c8)

Conflicts:
	main/openssh/APKBUILD
---
 main/openssh/APKBUILD                    |  12 ++-
 main/openssh/openssh-curve25519pad.patch | 169 +++++++++++++++++++++++++++++++
 2 files changed, 177 insertions(+), 4 deletions(-)
 create mode 100644 main/openssh/openssh-curve25519pad.patch

diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index a94a79cbc..1b6155246 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openssh
 pkgver=6.6_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=3
+pkgrel=4
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -18,6 +18,7 @@ source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.
 	sshd.initd
 	sshd.confd
 	CVE-2014-2653.patch
+	openssh-curve25519pad.patch
 	"
 # HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
 
@@ -109,7 +110,8 @@ cd52fe99cb4b7d0d847bf5d710d93564  openssh6.5-peaktput.diff
 f7d9d6f96940ef66bd3c3a0aa27e57a7  openssh-fix-utmp.diff
 bcf990d4ef7ff446160cde7dbd32bf1f  sshd.initd
 b35e9f3829f4cfca07168fcba98749c7  sshd.confd
-02a7de5652d9769576e3b252d768cd0f  CVE-2014-2653.patch"
+02a7de5652d9769576e3b252d768cd0f  CVE-2014-2653.patch
+da797337121f07bc3fac8a21afac20f8  openssh-curve25519pad.patch"
 sha256sums="48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb  openssh-6.6p1.tar.gz
 83f2b2c07988c6321875240c02a161a83ec84661d592cbd2188ea8c962f9b1ad  openssh6.6-dynwindows.diff
 bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249  openssh6.5-peaktput.diff
@@ -117,7 +119,8 @@ c3189ba0e17e60e83851ac2d6f18ad5b08cb90cccfce31d61cccb9fd76d44d59  openssh-fix-in
 f2748da45d0bc31055727f8c80d93e1872cc043ced3202e2f6d150aca3c08dde  openssh-fix-utmp.diff
 2a9889ab224be7202ece80a7085aa3e85bbba9432467031b436dcd77cb92a2ac  sshd.initd
 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41  sshd.confd
-03826427d72f86c68f079acab6c9c86e8f27f7514b66428f404c2f235fd0c0bd  CVE-2014-2653.patch"
+03826427d72f86c68f079acab6c9c86e8f27f7514b66428f404c2f235fd0c0bd  CVE-2014-2653.patch
+8b0caf249298eec28aad3cb77256d31a90652c77bdc1a54a00f04e8c1446d5c4  openssh-curve25519pad.patch"
 sha512sums="3d3566ed87649882702cad52db1adefebfb3ef788c9f77a493f99db7e9ca2e8edcde793dd426df7df0aed72a42a31c20a63ef51506111369d3a7c49e0bf6c82b  openssh-6.6p1.tar.gz
 3aab8b8e1f86ce04ebc69bbdbf3c70cefd510d7b4080b99067ec49957b5e421b49e3b8a0a62103d17cf644cd7c0b30e9283a62a24988b1bbb0fbdabbdc1202fd  openssh6.6-dynwindows.diff
 e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1  openssh6.5-peaktput.diff
@@ -125,4 +128,5 @@ e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c98
 cc909f68d9da1b264926973b96d36162b5c588299c98d62f526faf2ef1273d98bb8d8dea4d482770a2aef88bcbf15fa61144401aef9ab916c15e1623bcf449b5  openssh-fix-utmp.diff
 eeafefcb8a3357b498591480b39dc0116ab3440c88faeaeaddeac0b860f9e268abe6f603bc27893b79945acde06a45a7616d1bdc6ca27201cd8dc522f49b207e  sshd.initd
 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81  sshd.confd
-be48059ae1715669f970a19acde14f262588172c5a8d8d1c84159bc69a60c5750b21c98f39f65df72ae071f7f918046000a2499b9ef16ba2cb4bcd8399bc8e40  CVE-2014-2653.patch"
+be48059ae1715669f970a19acde14f262588172c5a8d8d1c84159bc69a60c5750b21c98f39f65df72ae071f7f918046000a2499b9ef16ba2cb4bcd8399bc8e40  CVE-2014-2653.patch
+5c946726e9fb472412972ca73c6e4565598b7729558843be2391e04d8935f0e35a992b4fa9f89c8a98917665c12219ea5ad58359269cbe2cf90907f7d1e2cec8  openssh-curve25519pad.patch"
diff --git a/main/openssh/openssh-curve25519pad.patch b/main/openssh/openssh-curve25519pad.patch
new file mode 100644
index 000000000..6c4ff72dc
--- /dev/null
+++ b/main/openssh/openssh-curve25519pad.patch
@@ -0,0 +1,169 @@
+https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
+
+Hi,
+
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256@libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+
+I've committed this on the 6.6 branch too.
+
+Apologies for the hassle.
+
+-d
+
+Index: version.h
+===================================================================
+RCS file: /var/cvs/openssh/version.h,v
+retrieving revision 1.82
+diff -u -p -r1.82 version.h
+--- a/version.h	27 Feb 2014 23:01:54 -0000	1.82
++++ b/version.h	20 Apr 2014 03:35:15 -0000
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+ 
+-#define SSH_VERSION	"OpenSSH_6.6"
++#define SSH_VERSION	"OpenSSH_6.6.1"
+ 
+ #define SSH_PORTABLE	"p1"
+ #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+Index: compat.c
+===================================================================
+RCS file: /var/cvs/openssh/compat.c,v
+retrieving revision 1.82
+retrieving revision 1.85
+diff -u -p -r1.82 -r1.85
+--- a/compat.c	31 Dec 2013 01:25:41 -0000	1.82
++++ b/compat.c	20 Apr 2014 03:33:59 -0000	1.85
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+ 		{ "Sun_SSH_1.0*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+ 		{ "OpenSSH_4*",		0 },
+ 		{ "OpenSSH_5*",		SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++		{ "OpenSSH_6.6.1*",	SSH_NEW_OPENSSH},
++		{ "OpenSSH_6.5*,"
++		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+ 		{ "OpenSSH*",		SSH_NEW_OPENSSH },
+ 		{ "*MindTerm*",		0 },
+ 		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
+ 	return cipher_prop;
+ }
+ 
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
+ 	if (*pkalg_prop == '\0')
+ 		fatal("No supported PK algorithms found");
+ 	return pkalg_prop;
++}
++
++char *
++compat_kex_proposal(char *kex_prop)
++{
++	if (!(datafellows & SSH_BUG_CURVE25519PAD))
++		return kex_prop;
++	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++	kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
++	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++	if (*kex_prop == '\0')
++		fatal("No supported key exchange algorithms found");
++	return kex_prop;
+ }
+ 
+Index: compat.h
+===================================================================
+RCS file: /var/cvs/openssh/compat.h,v
+retrieving revision 1.42
+retrieving revision 1.43
+diff -u -p -r1.42 -r1.43
+--- a/compat.h	31 Dec 2013 01:25:41 -0000	1.42
++++ b/compat.h	20 Apr 2014 03:25:31 -0000	1.43
+@@ -60,6 +60,7 @@
+ #define SSH_NEW_OPENSSH		0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT	0x08000000
+ #define SSH_BUG_LARGEWINDOW     0x10000000
++#define SSH_BUG_CURVE25519PAD	0x20000000
+ 
+ void     enable_compat13(void);
+ void     enable_compat20(void);
+@@ -67,6 +68,7 @@ void     compat_datafellows(const char *
+ int	 proto_spec(const char *);
+ char	*compat_cipher_proposal(char *);
+ char	*compat_pkalg_proposal(char *);
++char	*compat_kex_proposal(char *);
+ 
+ extern int compat13;
+ extern int compat20;
+Index: sshd.c
+===================================================================
+RCS file: /var/cvs/openssh/sshd.c,v
+retrieving revision 1.448
+retrieving revision 1.453
+diff -u -p -r1.448 -r1.453
+--- a/sshd.c	26 Feb 2014 23:20:08 -0000	1.448
++++ b/sshd.c	20 Apr 2014 03:28:41 -0000	1.453
+@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
+ 	if (options.kex_algorithms != NULL)
+ 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ 
++	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++	    myproposal[PROPOSAL_KEX_ALGS]);
++
+ 	if (options.rekey_limit || options.rekey_interval)
+ 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ 		    (time_t)options.rekey_interval);
+Index: sshconnect2.c
+===================================================================
+RCS file: /var/cvs/openssh/sshconnect2.c,v
+retrieving revision 1.197
+retrieving revision 1.199
+diff -u -p -r1.197 -r1.199
+--- a/sshconnect2.c	4 Feb 2014 00:20:16 -0000	1.197
++++ b/sshconnect2.c	20 Apr 2014 03:25:31 -0000	1.199
+@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
+ 	}
+ 	if (options.kex_algorithms != NULL)
+ 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++	    myproposal[PROPOSAL_KEX_ALGS]);
+ 
+ 	if (options.rekey_limit || options.rekey_interval)
+ 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+Index: bufaux.c
+===================================================================
+RCS file: /var/cvs/openssh/bufaux.c,v
+retrieving revision 1.62
+retrieving revision 1.63
+diff -u -p -r1.62 -r1.63
+--- a/bufaux.c	4 Feb 2014 00:20:15 -0000	1.62
++++ b/bufaux.c	20 Apr 2014 03:24:50 -0000	1.63
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
+ 
+ 	if (l > 8 * 1024)
+ 		fatal("%s: length %u too long", __func__, l);
++	/* Skip leading zero bytes */
++	for (; l > 0 && *s == 0; l--, s++)
++		;
+ 	p = buf = xmalloc(l + 1);
+ 	/*
+ 	 * If most significant bit is set then prepend a zero byte to
-- 
cgit v1.2.3