diff options
| author | Nicolas Iooss | 2014-04-24 11:21:38 +0200 |
|---|---|---|
| committer | Nicolas Iooss | 2015-06-27 11:44:55 +0800 |
| commit | 0abf0328018ffbc530bcaaab3a055f8699b1fab8 (patch) | |
| tree | a15bcb8317383af34e449421ce8283387cf44bcd | |
| parent | 6c1981db79dab264421f1fd665a8ce8c4f98654f (diff) | |
| download | aur-0abf0328018ffbc530bcaaab3a055f8699b1fab8.tar.gz | |
openssh-selinux 6.6p1-2 update
| -rw-r--r-- | .SRCINFO | 8 | ||||
| -rw-r--r-- | PKGBUILD | 10 | ||||
| -rw-r--r-- | curve25519pad.patch | 171 |
3 files changed, 185 insertions, 4 deletions
@@ -1,7 +1,7 @@ pkgbase = openssh-selinux pkgdesc = Free version of the SSH connectivity tools with SELinux support pkgver = 6.6p1 - pkgrel = 1 + pkgrel = 2 url = http://www.openssh.org/portable.html install = install arch = i686 @@ -16,8 +16,8 @@ pkgbase = openssh-selinux depends = libselinux optdepends = xorg-xauth: X11 forwarding optdepends = x11-ssh-askpass: input passphrase in X - provides = openssh=6.6p1-1 - provides = selinux-openssh=6.6p1-1 + provides = openssh=6.6p1-2 + provides = selinux-openssh=6.6p1-2 conflicts = openssh conflicts = selinux-openssh backup = etc/ssh/ssh_config @@ -25,6 +25,7 @@ pkgbase = openssh-selinux backup = etc/pam.d/sshd source = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz source = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz.asc + source = curve25519pad.patch source = sshdgenkeys.service source = sshd@.service source = sshd.service @@ -32,6 +33,7 @@ pkgbase = openssh-selinux source = sshd.pam sha1sums = b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e sha1sums = SKIP + sha1sums = 13b74b57b3d9b9a256eeb44b4fca29a8f27aa7ad sha1sums = cc1ceec606c98c7407e7ac21ade23aed81e31405 sha1sums = 6a0ff3305692cf83aca96e10f3bb51e1c26fccda sha1sums = ec49c6beba923e201505f5669cea48cad29014db @@ -4,10 +4,11 @@ # Contributor: judd <jvinet@zeroflux.org> # SELinux Maintainer: Timothée Ravier <tim@siosm.fr> # Contributor: Nicky726 <Nicky726@gmail.com> +# SELinux Contributor: Nicolas Iooss (nicolas <dot> iooss <at> m4x <dot> org) pkgname=openssh-selinux pkgver=6.6p1 -pkgrel=1 +pkgrel=2 pkgdesc='Free version of the SSH connectivity tools with SELinux support' url='http://www.openssh.org/portable.html' license=('custom:BSD') @@ -21,12 +22,14 @@ provides=("${pkgname/-selinux}=${pkgver}-${pkgrel}" "selinux-${pkgname/-selinux}=${pkgver}-${pkgrel}") groups=('selinux') source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux}-${pkgver}.tar.gz"{,.asc} + 'curve25519pad.patch' 'sshdgenkeys.service' 'sshd@.service' 'sshd.service' 'sshd.socket' 'sshd.pam') sha1sums=('b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e' 'SKIP' + '13b74b57b3d9b9a256eeb44b4fca29a8f27aa7ad' 'cc1ceec606c98c7407e7ac21ade23aed81e31405' '6a0ff3305692cf83aca96e10f3bb51e1c26fccda' 'ec49c6beba923e201505f5669cea48cad29014db' @@ -37,6 +40,11 @@ backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd') install=install +prepare() { + cd "${srcdir}/${pkgname/-selinux}-${pkgver}" + patch -p0 -i ../curve25519pad.patch +} + build() { cd "${srcdir}/${pkgname/-selinux}-${pkgver}" diff --git a/curve25519pad.patch b/curve25519pad.patch new file mode 100644 index 000000000000..9774a93999b0 --- /dev/null +++ b/curve25519pad.patch @@ -0,0 +1,171 @@ +Hi, + +So I screwed up when writing the support for the curve25519 KEX method +that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left +leading zero bytes where they should have been skipped. The impact of +this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a +peer that implements curve25519-sha256@libssh.org properly about 0.2% +of the time (one in every 512ish connections). + +We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 +key exchange for previous versions, but I'd recommend distributors +of OpenSSH apply this patch so the affected code doesn't become +too entrenched in LTS releases. + +The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as +to distinguish itself from the incorrect versions so the compatibility +code to disable the affected KEX isn't activated. + +I've committed this on the 6.6 branch too. + +Apologies for the hassle. + +-d + +Index: version.h +=================================================================== +RCS file: /var/cvs/openssh/version.h,v +retrieving revision 1.82 +diff -u -p -r1.82 version.h +--- version.h 27 Feb 2014 23:01:54 -0000 1.82 ++++ version.h 20 Apr 2014 03:35:15 -0000 +@@ -1,6 +1,6 @@ + /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ + +-#define SSH_VERSION "OpenSSH_6.6" ++#define SSH_VERSION "OpenSSH_6.6.1" + + #define SSH_PORTABLE "p1" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +Index: compat.c +=================================================================== +RCS file: /var/cvs/openssh/compat.c,v +retrieving revision 1.82 +retrieving revision 1.85 +diff -u -p -r1.82 -r1.85 +--- compat.c 31 Dec 2013 01:25:41 -0000 1.82 ++++ compat.c 20 Apr 2014 03:33:59 -0000 1.85 +@@ -95,6 +95,9 @@ compat_datafellows(const char *version) + { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, + { "OpenSSH_4*", 0 }, + { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, ++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, ++ { "OpenSSH_6.5*," ++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, + { "OpenSSH*", SSH_NEW_OPENSSH }, + { "*MindTerm*", 0 }, + { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| +@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop + return cipher_prop; + } + +- + char * + compat_pkalg_proposal(char *pkalg_prop) + { +@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop) + if (*pkalg_prop == '\0') + fatal("No supported PK algorithms found"); + return pkalg_prop; ++} ++ ++char * ++compat_kex_proposal(char *kex_prop) ++{ ++ if (!(datafellows & SSH_BUG_CURVE25519PAD)) ++ return kex_prop; ++ debug2("%s: original KEX proposal: %s", __func__, kex_prop); ++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); ++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop); ++ if (*kex_prop == '\0') ++ fatal("No supported key exchange algorithms found"); ++ return kex_prop; + } + +Index: compat.h +=================================================================== +RCS file: /var/cvs/openssh/compat.h,v +retrieving revision 1.42 +retrieving revision 1.43 +diff -u -p -r1.42 -r1.43 +--- compat.h 31 Dec 2013 01:25:41 -0000 1.42 ++++ compat.h 20 Apr 2014 03:25:31 -0000 1.43 +@@ -59,6 +59,7 @@ + #define SSH_BUG_RFWD_ADDR 0x02000000 + #define SSH_NEW_OPENSSH 0x04000000 + #define SSH_BUG_DYNAMIC_RPORT 0x08000000 ++#define SSH_BUG_CURVE25519PAD 0x10000000 + + void enable_compat13(void); + void enable_compat20(void); +@@ -66,6 +67,7 @@ void compat_datafellows(const char * + int proto_spec(const char *); + char *compat_cipher_proposal(char *); + char *compat_pkalg_proposal(char *); ++char *compat_kex_proposal(char *); + + extern int compat13; + extern int compat20; +Index: sshd.c +=================================================================== +RCS file: /var/cvs/openssh/sshd.c,v +retrieving revision 1.448 +retrieving revision 1.453 +diff -u -p -r1.448 -r1.453 +--- sshd.c 26 Feb 2014 23:20:08 -0000 1.448 ++++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453 +@@ -2462,6 +2438,9 @@ do_ssh2_kex(void) + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); ++ + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); +Index: sshconnect2.c +=================================================================== +RCS file: /var/cvs/openssh/sshconnect2.c,v +retrieving revision 1.197 +retrieving revision 1.199 +diff -u -p -r1.197 -r1.199 +--- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197 ++++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199 +@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho + } + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); + + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, +Index: bufaux.c +=================================================================== +RCS file: /var/cvs/openssh/bufaux.c,v +retrieving revision 1.62 +retrieving revision 1.63 +diff -u -p -r1.62 -r1.63 +--- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62 ++++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63 +@@ -1,4 +1,4 @@ +-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ ++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b + + if (l > 8 * 1024) + fatal("%s: length %u too long", __func__, l); ++ /* Skip leading zero bytes */ ++ for (; l > 0 && *s == 0; l--, s++) ++ ; + p = buf = xmalloc(l + 1); + /* + * If most significant bit is set then prepend a zero byte to +_______________________________________________ +openssh-unix-dev mailing list +openssh-unix-dev@mindrot.org +https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
\ No newline at end of file |