shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-07 10:40:28 +09:00
Code Issues Packages Projects Releases Wiki Activity

CVE-2023-48795: client side mitigation

Browse Source 
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Aris Adamantiadis
2023-12-12 23:09:57 +01:00
committed by Andreas Schneider
parent 6a8a18c73e
commit 87b93be5a2
12 changed files with 126 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/curve25519.c
View File

@@ -335,16 +335,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_curve25519_reply){
}
/* Send the MSG_NEWKEYS */
if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
goto error;
}
rc=ssh_packet_send(session);
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;
@@ -502,18 +496,13 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
return SSH_ERROR;
}
/* Send the MSG_NEWKEYS */
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
if (rc < 0) {
goto error;
}
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
rc = ssh_packet_send(session);
/* Send the MSG_NEWKEYS */
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
return SSH_PACKET_USED;
error:

7
src/dh-gex.c
View File

@@ -287,15 +287,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
}
/* Send the MSG_NEWKEYS */
if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
goto error;
}
rc = ssh_packet_send(session);
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;

17
src/dh.c
View File

@@ -386,16 +386,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
}
/* Send the MSG_NEWKEYS */
if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
goto error;
}
rc=ssh_packet_send(session);
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;
error:
@@ -532,15 +526,12 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
}
SSH_LOG(SSH_LOG_DEBUG, "Sent KEX_DH_[GEX]_REPLY");
if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
ssh_buffer_reinit(session->out_buffer);
goto error;
}
session->dh_handshake_state=DH_STATE_NEWKEYS_SENT;
if (ssh_packet_send(session) == SSH_ERROR) {
/* Send the MSG_NEWKEYS */
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_PACKET, "SSH_MSG_NEWKEYS sent");
return SSH_OK;
error:

8
src/ecdh.c
View File

@@ -93,16 +93,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_ecdh_reply){
}
/* Send the MSG_NEWKEYS */
if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
goto error;
}
rc=ssh_packet_send(session);
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;

12
src/ecdh_crypto.c
View File

@@ -323,18 +323,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
goto error;
}
/* Send the MSG_NEWKEYS */
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
if (rc < 0) {
goto error;
}
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
rc = ssh_packet_send(session);
if (rc == SSH_ERROR){
/* Send the MSG_NEWKEYS */
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
return SSH_PACKET_USED;
error:

10
src/ecdh_gcrypt.c
View File

@@ -372,17 +372,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
goto out;
}
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
/* Send the MSG_NEWKEYS */
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
if (rc != SSH_OK) {
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto out;
}
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
rc = ssh_packet_send(session);
SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
out:
gcry_sexp_release(param);
gcry_sexp_release(key);

11
src/ecdh_mbedcrypto.c
View File

@@ -300,16 +300,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
goto out;
}
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
if (rc < 0) {
rc = SSH_ERROR;
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
/* Send the MSG_NEWKEYS */
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto out;
}
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
rc = ssh_packet_send(session);
SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
out:
mbedtls_ecp_group_free(&grp);
if (rc == SSH_ERROR) {

34
src/kex.c
View File

@@ -163,6 +163,9 @@
/* RFC 8308 */
#define KEX_EXTENSION_CLIENT "ext-info-c"
/* Strict kex mitigation against CVE-2023-48795 */
#define KEX_STRICT_CLIENT "kex-strict-c-v00@openssh.com"
#define KEX_STRICT_SERVER "kex-strict-s-v00@openssh.com"
/* Allowed algorithms in FIPS mode */
#define FIPS_ALLOWED_CIPHERS "aes256-gcm@openssh.com,"\
@@ -491,6 +494,27 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
session->first_kex_follows_guess_wrong ? "wrong" : "right");
}
/*
* handle the "strict KEX" feature. If supported by peer, then set up the
* flag and verify packet sequence numbers.
*/
if (server_kex) {
ok = ssh_match_group(crypto->client_kex.methods[SSH_KEX],
KEX_STRICT_CLIENT);
if (ok) {
SSH_LOG(SSH_LOG_DEBUG, "Client supports strict kex, enabling.");
session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
}
} else {
/* client kex */
ok = ssh_match_group(crypto->server_kex.methods[SSH_KEX],
KEX_STRICT_SERVER);
if (ok) {
SSH_LOG(SSH_LOG_DEBUG, "Server supports strict kex, enabling.");
session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
}
}
if (server_kex) {
/*
* If client sent a ext-info-c message in the kex list, it supports
@@ -767,21 +791,21 @@ int ssh_set_client_kex(ssh_session session)
return SSH_OK;
}
/* Here we append ext-info-c to the list of kex algorithms */
/* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
kex = client->methods[SSH_KEX];
len = strlen(kex);
if (len + strlen(KEX_EXTENSION_CLIENT) + 2 < len) {
/* Comma, comma, nul byte */
kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
if (kex_len >= MAX_PACKET_LEN) {
/* Overflow */
return SSH_ERROR;
}
kex_len = len + strlen(KEX_EXTENSION_CLIENT) + 2; /* comma, NULL */
kex_tmp = realloc(kex, kex_len);
if (kex_tmp == NULL) {
free(kex);
ssh_set_error_oom(session);
return SSH_ERROR;
}
snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_EXTENSION_CLIENT);
snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
client->methods[SSH_KEX] = kex_tmp;
return SSH_OK;

58
src/packet.c
View File

@@ -1309,6 +1309,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
}
#endif /* WITH_ZLIB */
payloadsize = ssh_buffer_get_len(session->in_buffer);
if (session->recv_seq == UINT32_MAX) {
/* Overflowing sequence numbers is always fishy */
if (crypto == NULL) {
/* don't allow sequence number overflow when unencrypted */
ssh_set_error(session,
SSH_FATAL,
"Incoming sequence number overflow");
goto error;
} else {
SSH_LOG(SSH_LOG_WARNING,
"Incoming sequence number overflow");
}
}
session->recv_seq++;
if (crypto != NULL) {
struct ssh_cipher_struct *cipher = NULL;
@@ -1331,7 +1344,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
SSH_LOG(SSH_LOG_PACKET,
"packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]",
session->in_packet.type, packet_len, padding, compsize, payloadsize);
if (crypto == NULL) {
/* In strict kex, only a few packets are allowed. Taint the session
* if we received packets that are normally allowed but to be
* refused if we are in strict kex when KEX is over.
*/
uint8_t type = session->in_packet.type;
if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS &&
(type < SSH2_MSG_KEXDH_INIT ||
type > SSH2_MSG_KEX_DH_GEX_REQUEST)) {
session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
}
}
/* Check if the packet is expected */
filter_result = ssh_packet_incoming_filter(session);
@@ -1347,6 +1372,9 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
session->in_packet.type);
goto error;
case SSH_PACKET_UNKNOWN:
if (crypto == NULL) {
session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
}
ssh_packet_send_unimplemented(session, session->recv_seq - 1);
break;
}
@@ -1521,9 +1549,35 @@ void ssh_packet_process(ssh_session session, uint8_t type)
SSH_LOG(SSH_LOG_RARE, "Failed to send unimplemented: %s",
ssh_get_error(session));
}
if (session->current_crypto == NULL) {
session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
}
}
}
/** @internal
* @brief sends a SSH_MSG_NEWKEYS when enabling the new negotiated ciphers
* @param session the SSH session
* @return SSH_ERROR on error, else SSH_OK
*/
int ssh_packet_send_newkeys(ssh_session session)
{
int rc;
/* Send the MSG_NEWKEYS */
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
if (rc < 0) {
return rc;
}
rc = ssh_packet_send(session);
if (rc == SSH_ERROR) {
return rc;
}
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
return rc;
}
/** @internal
* @brief sends a SSH_MSG_UNIMPLEMENTED answer to an unhandled packet
* @param session the SSH session
@@ -1829,6 +1883,10 @@ int ssh_packet_send(ssh_session session)
if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) {
struct ssh_iterator *it;
if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
/* reset packet sequence number when running in strict kex mode */
session->send_seq = 0;
}
for (it = ssh_list_get_iterator(session->out_queue);
it != NULL;
it = ssh_list_get_iterator(session->out_queue)) {

12
src/packet_cb.c
View File

@@ -110,6 +110,18 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
goto error;
}
if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
/* reset packet sequence number when running in strict kex mode */
session->recv_seq = 0;
/* Check that we aren't tainted */
if (session->flags & SSH_SESSION_FLAG_KEX_TAINTED) {
ssh_set_error(session,
SSH_FATAL,
"Received unexpected packets in strict KEX mode.");
goto error;
}
}
if(session->server){
/* server things are done in server.c */
session->dh_handshake_state=DH_STATE_FINISHED;