mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 17:38:00 +00:00
244be54127
This is enabled via magic signalling keywords in the kex algorithms
list, similarly to ext-info-{c,s}. If both sides announce the
appropriate keyword, then this signals two changes to the standard SSH
protocol:
1. NEWKEYS resets packet sequence numbers: following any NEWKEYS, the
next packet sent in the same direction has sequence number zero.
2. No extraneous packets such as SSH_MSG_IGNORE are permitted during
the initial cleartext phase of the SSH protocol.
These two changes between them defeat the 'Terrapin' vulnerability,
aka CVE-2023-48795: a protocol-level exploit in which, for example, a
MITM injects a server-to-client SSH_MSG_IGNORE during the cleartext
phase, and deletes an initial segment of the server-to-client
encrypted data stream that it guesses is the right size to be the
server's SSH_MSG_EXT_INFO, so that both sides agree on the sequence
number of the _following_ server-to-client packet. In OpenSSH's
modified binary packet protocol modes this attack can go completely
undetected, and force a downgrade to (for example) SHA-1 based RSA.
(The ChaCha20/Poly1305 binary packet protocol is most vulnerable,
because it reinitialises the IV for each packet from scratch based on
the sequence number, so the keystream doesn't get out of sync.
Exploiting this in OpenSSH's ETM modes requires additional faff to
resync the keystream, and even then, the client likely sees a
corrupted SSH message at the start of the stream - but it will just
send SSH_MSG_UNIMPLEMENTED in response to that and proceed anyway. CBC
modes and standard AES SDCTR aren't vulnerable, because their MACs are
based on the plaintext rather than the ciphertext, so faking a correct
MAC on the corrupted packet requires the attacker to know what it
would decrypt to.)
|
||
|---|---|---|
| .. | ||
| agentf.c | ||
| bpp1.c | ||
| bpp2.c | ||
| bpp-bare.c | ||
| bpp.h | ||
| ca-config.c | ||
| censor1.c | ||
| censor2.c | ||
| channel.h | ||
| CMakeLists.txt | ||
| common.c | ||
| connection1-client.c | ||
| connection1-server.c | ||
| connection1.c | ||
| connection1.h | ||
| connection2-client.c | ||
| connection2-server.c | ||
| connection2.c | ||
| connection2.h | ||
| crc-attack-detector.c | ||
| gss.h | ||
| gssc.c | ||
| gssc.h | ||
| kex2-client.c | ||
| kex2-server.c | ||
| login1-server.c | ||
| login1.c | ||
| mainchan.c | ||
| nogss.c | ||
| nosharing.c | ||
| pgssapi.c | ||
| pgssapi.h | ||
| portfwd.c | ||
| ppl.h | ||
| scpserver.c | ||
| server.c | ||
| server.h | ||
| sesschan.c | ||
| sftp.c | ||
| sftp.h | ||
| sftpcommon.c | ||
| sftpserver.c | ||
| sharing.c | ||
| signal-list.h | ||
| ssh.c | ||
| transient-hostkey-cache.c | ||
| transport2.c | ||
| transport2.h | ||
| ttymode-list.h | ||
| userauth2-client.c | ||
| userauth2-server.c | ||
| verstring.c | ||
| x11fwd.c | ||
| zlib.c | ||