lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-12-15 18:32:26 +03:00
Code Activity

CVE-2023-48795: client side mitigation

Browse Source 
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Aris Adamantiadis
2023-12-12 23:09:57 +01:00
committed by Andreas Schneider
parent f353b39ff2
commit 7ecc6a704b
12 changed files with 125 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
include/libssh/packet.h
View File

@@ -67,6 +67,7 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info);
SSH_PACKET_CALLBACK(ssh_packet_kexdh_init);
#endif
int ssh_packet_send_newkeys(ssh_session session);
int ssh_packet_send_unimplemented(ssh_session session, uint32_t seqnum);
int ssh_packet_parse_type(ssh_session session);
//int packet_flush(ssh_session session, int enforce_blocking);

6
include/libssh/session.h
View File

@@ -84,6 +84,12 @@ enum ssh_pending_call_e {
* sending it twice during key exchange to simplify the state machine. */
#define SSH_SESSION_FLAG_KEXINIT_SENT 0x0008
/* The current SSH2 session implements the "strict KEX" feature and should behave
* differently on SSH2_MSG_NEWKEYS. */
#define SSH_SESSION_FLAG_KEX_STRICT 0x0010
/* Unexpected packets have been sent while the session was still unencrypted */
#define SSH_SESSION_FLAG_KEX_TAINTED 0x0020
/* codes to use with ssh_handle_packets*() */
/* Infinite timeout */
#define SSH_TIMEOUT_INFINITE -1

19
src/curve25519.c
View File

@@ -335,16 +335,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_curve25519_reply){
}
/* Send the MSG_NEWKEYS */
if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
goto error;
}
rc=ssh_packet_send(session);
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;
@@ -502,18 +496,13 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
return SSH_ERROR;
}
/* Send the MSG_NEWKEYS */
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
if (rc < 0) {
goto error;
}
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
rc = ssh_packet_send(session);
/* Send the MSG_NEWKEYS */
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
return SSH_PACKET_USED;
error:

7
src/dh-gex.c
View File

@@ -297,15 +297,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
}
/* Send the MSG_NEWKEYS */
if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
goto error;
}
rc = ssh_packet_send(session);
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;

17
src/dh.c
View File

@@ -398,16 +398,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
}
/* Send the MSG_NEWKEYS */
if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
goto error;
}
rc=ssh_packet_send(session);
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;
error:
@@ -551,15 +545,12 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
}
SSH_LOG(SSH_LOG_DEBUG, "Sent KEX_DH_[GEX]_REPLY");
if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
ssh_buffer_reinit(session->out_buffer);
goto error;
}
session->dh_handshake_state=DH_STATE_NEWKEYS_SENT;
if (ssh_packet_send(session) == SSH_ERROR) {
/* Send the MSG_NEWKEYS */
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_PACKET, "SSH_MSG_NEWKEYS sent");
return SSH_OK;
error:

8
src/ecdh.c
View File

@@ -93,16 +93,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_ecdh_reply){
}
/* Send the MSG_NEWKEYS */
if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
goto error;
}
rc=ssh_packet_send(session);
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;

12
src/ecdh_crypto.c
View File

@@ -522,18 +522,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init)
goto error;
}
/* Send the MSG_NEWKEYS */
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
if (rc < 0) {
goto error;
}
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
rc = ssh_packet_send(session);
if (rc == SSH_ERROR){
/* Send the MSG_NEWKEYS */
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
return SSH_PACKET_USED;
error:

10
src/ecdh_gcrypt.c
View File

@@ -372,17 +372,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
goto out;
}
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
/* Send the MSG_NEWKEYS */
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
if (rc != SSH_OK) {
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto out;
}
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
rc = ssh_packet_send(session);
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
out:
gcry_sexp_release(param);
gcry_sexp_release(key);

11
src/ecdh_mbedcrypto.c
View File

@@ -318,16 +318,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
goto out;
}
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
if (rc < 0) {
rc = SSH_ERROR;
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
/* Send the MSG_NEWKEYS */
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto out;
}
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
rc = ssh_packet_send(session);
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
out:
mbedtls_ecp_group_free(&grp);
if (rc == SSH_ERROR) {

33
src/kex.c
View File

@@ -178,6 +178,9 @@
/* RFC 8308 */
#define KEX_EXTENSION_CLIENT "ext-info-c"
/* Strict kex mitigation against CVE-2023-48795 */
#define KEX_STRICT_CLIENT "kex-strict-c-v00@openssh.com"
#define KEX_STRICT_SERVER "kex-strict-s-v00@openssh.com"
/* Allowed algorithms in FIPS mode */
#define FIPS_ALLOWED_CIPHERS "aes256-gcm@openssh.com,"\
@@ -509,6 +512,26 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
session->first_kex_follows_guess_wrong ? "wrong" : "right");
}
/*
* handle the "strict KEX" feature. If supported by peer, then set up the
* flag and verify packet sequence numbers.
*/
if (server_kex) {
ok = ssh_match_group(crypto->client_kex.methods[SSH_KEX],
KEX_STRICT_CLIENT);
if (ok) {
SSH_LOG(SSH_LOG_DEBUG, "Client supports strict kex, enabling.");
session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
}
} else {
/* client kex */
ok = ssh_match_group(crypto->server_kex.methods[SSH_KEX],
KEX_STRICT_SERVER);
if (ok) {
SSH_LOG(SSH_LOG_DEBUG, "Server supports strict kex, enabling.");
session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
}
}
#ifdef WITH_SERVER
if (server_kex) {
/*
@@ -789,21 +812,21 @@ int ssh_set_client_kex(ssh_session session)
return SSH_OK;
}
/* Here we append ext-info-c to the list of kex algorithms */
/* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
kex = client->methods[SSH_KEX];
len = strlen(kex);
if (len + strlen(KEX_EXTENSION_CLIENT) + 2 < len) {
/* Comma, comma, nul byte */
kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
if (kex_len >= MAX_PACKET_LEN) {
/* Overflow */
return SSH_ERROR;
}
kex_len = len + strlen(KEX_EXTENSION_CLIENT) + 2; /* comma, NULL */
kex_tmp = realloc(kex, kex_len);
if (kex_tmp == NULL) {
free(kex);
ssh_set_error_oom(session);
return SSH_ERROR;
}
snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_EXTENSION_CLIENT);
snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
client->methods[SSH_KEX] = kex_tmp;
return SSH_OK;

58
src/packet.c
View File

@@ -1314,6 +1314,19 @@ ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
}
#endif /* WITH_ZLIB */
payloadsize = ssh_buffer_get_len(session->in_buffer);
if (session->recv_seq == UINT32_MAX) {
/* Overflowing sequence numbers is always fishy */
if (crypto == NULL) {
/* don't allow sequence number overflow when unencrypted */
ssh_set_error(session,
SSH_FATAL,
"Incoming sequence number overflow");
goto error;
} else {
SSH_LOG(SSH_LOG_WARNING,
"Incoming sequence number overflow");
}
}
session->recv_seq++;
if (crypto != NULL) {
struct ssh_cipher_struct *cipher = NULL;
@@ -1338,7 +1351,19 @@ ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
"comp=%" PRIu32 ",payload=%" PRIu32 "]",
session->in_packet.type, packet_len, padding, compsize,
payloadsize);
if (crypto == NULL) {
/* In strict kex, only a few packets are allowed. Taint the session
* if we received packets that are normally allowed but to be
* refused if we are in strict kex when KEX is over.
*/
uint8_t type = session->in_packet.type;
if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS &&
(type < SSH2_MSG_KEXDH_INIT ||
type > SSH2_MSG_KEX_DH_GEX_REQUEST)) {
session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
}
}
/* Check if the packet is expected */
filter_result = ssh_packet_incoming_filter(session);
@@ -1354,6 +1379,9 @@ ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
session->in_packet.type);
goto error;
case SSH_PACKET_UNKNOWN:
if (crypto == NULL) {
session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
}
ssh_packet_send_unimplemented(session, session->recv_seq - 1);
break;
}
@@ -1529,7 +1557,33 @@ void ssh_packet_process(ssh_session session, uint8_t type)
SSH_LOG(SSH_LOG_RARE, "Failed to send unimplemented: %s",
ssh_get_error(session));
}
if (session->current_crypto == NULL) {
session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
}
}
}
/** @internal
* @brief sends a SSH_MSG_NEWKEYS when enabling the new negotiated ciphers
* @param session the SSH session
* @return SSH_ERROR on error, else SSH_OK
*/
int ssh_packet_send_newkeys(ssh_session session)
{
int rc;
/* Send the MSG_NEWKEYS */
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
if (rc < 0) {
return rc;
}
rc = ssh_packet_send(session);
if (rc == SSH_ERROR) {
return rc;
}
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
return rc;
}
/** @internal
@@ -1842,6 +1896,10 @@ int ssh_packet_send(ssh_session session)
if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) {
struct ssh_iterator *it;
if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
/* reset packet sequence number when running in strict kex mode */
session->send_seq = 0;
}
for (it = ssh_list_get_iterator(session->out_queue);
it != NULL;
it = ssh_list_get_iterator(session->out_queue)) {

12
src/packet_cb.c
View File

@@ -133,6 +133,18 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys)
goto error;
}
if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
/* reset packet sequence number when running in strict kex mode */
session->recv_seq = 0;
/* Check that we aren't tainted */
if (session->flags & SSH_SESSION_FLAG_KEX_TAINTED) {
ssh_set_error(session,
SSH_FATAL,
"Received unexpected packets in strict KEX mode.");
goto error;
}
}
if (session->server) {
/* server things are done in server.c */
session->dh_handshake_state=DH_STATE_FINISHED;