Bug 523962 - net-misc/openssh-6.6.1[hpn] interferes with curve25519 kex
Summary: net-misc/openssh-6.6.1[hpn] interferes with curve25519 kex
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on: 524662
Blocks:
Reported: 2014-09-28 17:29 UTC by mancha
Modified: 2014-11-15 22:07 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
ebuild: fix hpn curve25519 conflict (gentoo.diff,406 bytes, patch)
2014-09-28 21:51 UTC, mancha

Description mancha 2014-09-28 17:29:50 UTC
Hello.

Today I helped a Gentoo user on freenode's #openssh.

User was having trouble connecting to a non-hpn OpenSSH 6.6.1 server from a Gentoo client running OpenSSH 6.6.1+hpn.

The issue boils down to the hpn patch you use (openssh-6.6.1p1-hpnssh14v5.diff) assigning the same value to hpn's SSH_BUG_LARGEWINDOW as used by OpenSSH to detect buggy curve25519 implementations: SSH_BUG_CURVE25519PAD. Both are 0x10000000.

If the hpn code sets the SSH_BUG_LARGEWINDOW flag, then OpenSSH disables curve25519 during key exchange because it believes it's speaking with a peer with broken curve25519.

Solution: change the flag value for SSH_BUG_LARGEWINDOW.

--mancha
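
The collision described in the report above, as an added example that is not part of the original bug or of the OpenSSH/hpn sources. The two flag values and the 0x20000000 replacement come from this page; the _OLD/_FIXED suffixes, the table layout and the helper functions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Values reported in this bug; the _OLD/_FIXED suffixes are added for this example. */
#define SSH_BUG_CURVE25519PAD     0x10000000u
#define SSH_BUG_LARGEWINDOW_OLD   0x10000000u /* hpn patch as shipped */
#define SSH_BUG_LARGEWINDOW_FIXED 0x20000000u /* value chosen in comment 5 */
/* Build-time guard: compilation fails if the two flags ever share a bit again. */
_Static_assert(!(SSH_BUG_CURVE25519PAD & SSH_BUG_LARGEWINDOW_FIXED), "flag bits overlap");

struct flag { const char *name; uint32_t value; };
static const struct flag shipped[] = {
    { "SSH_BUG_CURVE25519PAD", SSH_BUG_CURVE25519PAD },
    { "SSH_BUG_LARGEWINDOW",   SSH_BUG_LARGEWINDOW_OLD },
};
static const struct flag patched[] = {
    { "SSH_BUG_CURVE25519PAD", SSH_BUG_CURVE25519PAD },
    { "SSH_BUG_LARGEWINDOW",   SSH_BUG_LARGEWINDOW_FIXED },
};

/* Return the number of flag pairs in the table that share at least one bit. */
int count_flag_collisions(const struct flag *t, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (t[i].value & t[j].value) {
                printf("collision: %s / %s share 0x%08x\n", t[i].name,
                       t[j].name, (unsigned)(t[i].value & t[j].value));
                hits++;
            }
    return hits;
}

/* Simplified model (not OpenSSH source): curve25519 only if the pad-bug bit is clear. */
int curve25519_allowed(uint32_t compat)
{
    return (compat & SSH_BUG_CURVE25519PAD) == 0;
}

int main(void)
{
    int before = count_flag_collisions(shipped, 2);
    int after = count_flag_collisions(patched, 2);
    /* compat mask holds only the hpn flag: old value trips the curve25519 check */
    printf("collisions %d -> %d, curve25519 allowed %d -> %d\n", before, after,
           curve25519_allowed(SSH_BUG_LARGEWINDOW_OLD),
           curve25519_allowed(SSH_BUG_LARGEWINDOW_FIXED));
    return 0;
}
```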
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-09-28 17:59:32 UTC
Thanks for the bug. Did you inform the people responsible for the hpn patches as well? I doubt we can simply go and assign a new value for SSH_BUG_LARGEWINDOW by ourselves. Imagine others would do the same and do not use the same value...
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2014-09-28 20:46:53 UTC
Lars, you may want to set the value to "0x80000000":
https://github.com/freebsd/freebsd/commit/e1e5f20b8815dab6b04e73d6ba98044da9075bbc
Comment 3 mancha 2014-09-28 21:51:38 UTC
Created attachment 385692
ebuild: fix hpn curve25519 conflict
Comment 4 mancha 2014-09-28 21:53:48 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> Thanks for the bug. Did you inform the people responsible for the hpn
> patches as well? I doubt we can simply go and assign a new value for
> SSH_BUG_LARGEWINDOW by ourselves. Imagine others would do the same and do
> not use the same value...

The bugzilla was down or I'd have answered sooner. I didn't report this to HPN but I checked their site and they support up through OpenSSH 6.6p1 (last upstream release). They might not be aware there was an official OOB hotfix that bumped things up to 6.6.1p1 and introduced SSH_BUG_CURVE25519PAD.

I'll leave it up to Gentoo to decide how it wants to fix its broken package: a) lobby HPN for a patch against a hotfixed OpenSSH or b) fix it in-house.

If you go with b), the attached diff to the ebuild will do.

There's no reason to worry about others changing the flag to something else.

--mancha
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-09-29 04:54:32 UTC
net-misc/openssh-6.6.1_p1-r4 is now in the tree trying to address this bug. Unfortunately I set the value of SSH_BUG_LARGEWINDOW to 0x20000000 before I saw comment #2.
As a result I now sent a mail to the hpn devs asking for their help/input.
Let's keep this bug open until I get a reply from them.
Comment 6 mancha 2014-09-29 05:15:55 UTC
Your change is fine as is. The commit referenced in comment #2 chose to leave space for two possible future flag additions by OpenSSH.

OpenSSH hotfixes occur once every 143 years so the next time a flag might be added is with a release (say 6.7p1). When this happens HPN will have to re-base its patch anyways.

I wouldn't over-think this. The issue is solved.

--mancha
Comment 7 Gregorio Guidi 2014-11-09 14:17:38 UTC
Hello, I write here to report that there is a problem when getting the patch from the mirrors; the updated patch isn't actually picked up:

From /usr/portage/net-misc/openssh/Manifest:
...
openssh-6.6.1p1-hpnssh14v5.diff.xz 20952 SHA256 fe31dfbc934be7c7c07ddcd2aef01083c62f225ee8097622aec23d536e118053
...

From Lars' devspace (new version of the patch, from Sep 28):
$ wget http://dev.gentoo.org/~polynomial-c/openssh-6.6.1p1-hpnssh14v5.diff.xz
...
$ sha256sum openssh-6.6.1p1-hpnssh14v5.diff.xz 
fe31dfbc934be7c7c07ddcd2aef01083c62f225ee8097622aec23d536e118053  openssh-6.6.1p1-hpnssh14v5.diff.xz

From mirrors (_old_ version of the patch, from Sep 8):
$ wget http://gentoo.osuosl.org/distfiles/openssh-6.6.1p1-hpnssh14v5.diff.xz
...
$ sha256sum openssh-6.6.1p1-hpnssh14v5.diff.xz 
674de88b158c3b305f720ad86f917be79cd6bd9b47cf33f56b1d92eee9440b8e  openssh-6.6.1p1-hpnssh14v5.diff.xz
Comment 8 SpanKY gentoo-dev 2014-11-15 22:07:30 UTC
should be fixed in the latest versions