[arch-commits] Commit in openssh/trunk (PKGBUILD curve25519pad.patch)
Gaetan Bisson
bisson at archlinux.org
Tue Oct 7 02:36:53 UTC 2014
Date: Tuesday, October 7, 2014 @ 04:36:53
Author: bisson
Revision: 223946
upstream update
Modified:
openssh/trunk/PKGBUILD
Deleted:
openssh/trunk/curve25519pad.patch
---------------------+
PKGBUILD | 13 ---
curve25519pad.patch | 171 --------------------------------------------------
2 files changed, 3 insertions(+), 181 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-10-06 23:34:33 UTC (rev 223945)
+++ PKGBUILD 2014-10-07 02:36:53 UTC (rev 223946)
@@ -4,8 +4,8 @@
# Contributor: judd <jvinet at zeroflux.org>
pkgname=openssh
-pkgver=6.6p1
-pkgrel=2
+pkgver=6.7p1
+pkgrel=1
pkgdesc='Free version of the SSH connectivity tools'
url='http://www.openssh.org/portable.html'
license=('custom:BSD')
@@ -15,14 +15,12 @@
optdepends=('xorg-xauth: X11 forwarding'
'x11-ssh-askpass: input passphrase in X')
source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc}
- 'curve25519pad.patch'
'sshdgenkeys.service'
'sshd at .service'
'sshd.service'
'sshd.socket'
'sshd.pam')
-sha1sums=('b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e' 'SKIP'
- '13b74b57b3d9b9a256eeb44b4fca29a8f27aa7ad'
+sha1sums=('14e5fbed710ade334d65925e080d1aaeb9c85bf6' 'SKIP'
'cc1ceec606c98c7407e7ac21ade23aed81e31405'
'6a0ff3305692cf83aca96e10f3bb51e1c26fccda'
'ec49c6beba923e201505f5669cea48cad29014db'
@@ -33,11 +31,6 @@
install=install
-prepare() {
- cd "${srcdir}/${pkgname}-${pkgver}"
- patch -p0 -i ../curve25519pad.patch
-}
-
build() {
cd "${srcdir}/${pkgname}-${pkgver}"
Deleted: curve25519pad.patch
===================================================================
--- curve25519pad.patch 2014-10-06 23:34:33 UTC (rev 223945)
+++ curve25519pad.patch 2014-10-07 02:36:53 UTC (rev 223946)
@@ -1,171 +0,0 @@
-Hi,
-
-So I screwed up when writing the support for the curve25519 KEX method
-that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
-leading zero bytes where they should have been skipped. The impact of
-this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
-peer that implements curve25519-sha256 at libssh.org properly about 0.2%
-of the time (one in every 512ish connections).
-
-We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
-key exchange for previous versions, but I'd recommend distributors
-of OpenSSH apply this patch so the affected code doesn't become
-too entrenched in LTS releases.
-
-The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
-to distinguish itself from the incorrect versions so the compatibility
-code to disable the affected KEX isn't activated.
-
-I've committed this on the 6.6 branch too.
-
-Apologies for the hassle.
-
--d
-
-Index: version.h
-===================================================================
-RCS file: /var/cvs/openssh/version.h,v
-retrieving revision 1.82
-diff -u -p -r1.82 version.h
---- version.h 27 Feb 2014 23:01:54 -0000 1.82
-+++ version.h 20 Apr 2014 03:35:15 -0000
-@@ -1,6 +1,6 @@
- /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
-
--#define SSH_VERSION "OpenSSH_6.6"
-+#define SSH_VERSION "OpenSSH_6.6.1"
-
- #define SSH_PORTABLE "p1"
- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-Index: compat.c
-===================================================================
-RCS file: /var/cvs/openssh/compat.c,v
-retrieving revision 1.82
-retrieving revision 1.85
-diff -u -p -r1.82 -r1.85
---- compat.c 31 Dec 2013 01:25:41 -0000 1.82
-+++ compat.c 20 Apr 2014 03:33:59 -0000 1.85
-@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
- { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
- { "OpenSSH_4*", 0 },
- { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
-+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
-+ { "OpenSSH_6.5*,"
-+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
- { "OpenSSH*", SSH_NEW_OPENSSH },
- { "*MindTerm*", 0 },
- { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
- return cipher_prop;
- }
-
--
- char *
- compat_pkalg_proposal(char *pkalg_prop)
- {
-@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
- if (*pkalg_prop == '\0')
- fatal("No supported PK algorithms found");
- return pkalg_prop;
-+}
-+
-+char *
-+compat_kex_proposal(char *kex_prop)
-+{
-+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
-+ return kex_prop;
-+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
-+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256 at libssh.org");
-+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
-+ if (*kex_prop == '\0')
-+ fatal("No supported key exchange algorithms found");
-+ return kex_prop;
- }
-
-Index: compat.h
-===================================================================
-RCS file: /var/cvs/openssh/compat.h,v
-retrieving revision 1.42
-retrieving revision 1.43
-diff -u -p -r1.42 -r1.43
---- compat.h 31 Dec 2013 01:25:41 -0000 1.42
-+++ compat.h 20 Apr 2014 03:25:31 -0000 1.43
-@@ -59,6 +59,7 @@
- #define SSH_BUG_RFWD_ADDR 0x02000000
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
-+#define SSH_BUG_CURVE25519PAD 0x10000000
-
- void enable_compat13(void);
- void enable_compat20(void);
-@@ -66,6 +67,7 @@ void compat_datafellows(const char *
- int proto_spec(const char *);
- char *compat_cipher_proposal(char *);
- char *compat_pkalg_proposal(char *);
-+char *compat_kex_proposal(char *);
-
- extern int compat13;
- extern int compat20;
-Index: sshd.c
-===================================================================
-RCS file: /var/cvs/openssh/sshd.c,v
-retrieving revision 1.448
-retrieving revision 1.453
-diff -u -p -r1.448 -r1.453
---- sshd.c 26 Feb 2014 23:20:08 -0000 1.448
-+++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453
-@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
-+
- if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
- (time_t)options.rekey_interval);
-Index: sshconnect2.c
-===================================================================
-RCS file: /var/cvs/openssh/sshconnect2.c,v
-retrieving revision 1.197
-retrieving revision 1.199
-diff -u -p -r1.197 -r1.199
---- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197
-+++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199
-@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
- }
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
-
- if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
-Index: bufaux.c
-===================================================================
-RCS file: /var/cvs/openssh/bufaux.c,v
-retrieving revision 1.62
-retrieving revision 1.63
-diff -u -p -r1.62 -r1.63
---- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62
-+++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63
-@@ -1,4 +1,4 @@
--/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
-+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
- /*
- * Author: Tatu Ylonen <ylo at cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
-@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
-
- if (l > 8 * 1024)
- fatal("%s: length %u too long", __func__, l);
-+ /* Skip leading zero bytes */
-+ for (; l > 0 && *s == 0; l--, s++)
-+ ;
- p = buf = xmalloc(l + 1);
- /*
- * If most significant bit is set then prepend a zero byte to
-_______________________________________________
-openssh-unix-dev mailing list
-openssh-unix-dev at mindrot.org
-https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
\ No newline at end of file
More information about the arch-commits
mailing list