mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-21 10:19:04 +00:00
![Ed Maste](/assets/img/avatar_default.png)
This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
62 lines
1.5 KiB
Bash
62 lines
1.5 KiB
Bash
# $OpenBSD: dhgex.sh,v 1.8 2023/03/02 08:14:52 dtucker Exp $
|
|
# Placed in the Public Domain.
|
|
|
|
tid="dhgex"
|
|
|
|
LOG=${TEST_SSH_LOGFILE}
|
|
rm -f ${LOG}
|
|
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
|
|
|
kexs=`${SSH} -Q kex | grep diffie-hellman-group-exchange`
|
|
|
|
ssh_test_dhgex()
|
|
{
|
|
bits="$1"; shift
|
|
cipher="$1"; shift
|
|
kex="$1"; shift
|
|
|
|
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
|
echo "KexAlgorithms=$kex" >> $OBJ/sshd_proxy
|
|
echo "Ciphers=$cipher" >> $OBJ/sshd_proxy
|
|
rm -f ${LOG}
|
|
opts="-oKexAlgorithms=$kex -oCiphers=$cipher"
|
|
min=2048
|
|
max=8192
|
|
groupsz="$min<$bits<$max"
|
|
verbose "$tid bits $bits $kex $cipher"
|
|
${SSH} ${opts} $@ -vvv -F ${OBJ}/ssh_proxy somehost true
|
|
if [ $? -ne 0 ]; then
|
|
fail "ssh failed ($@)"
|
|
fi
|
|
# check what we request
|
|
grep "SSH2_MSG_KEX_DH_GEX_REQUEST($groupsz) sent" ${LOG} >/dev/null
|
|
if [ $? != 0 ]; then
|
|
got="`egrep 'SSH2_MSG_KEX_DH_GEX_REQUEST(.*) sent' ${LOG}`"
|
|
fail "$tid unexpected GEX sizes, expected $groupsz, got '$got'"
|
|
fi
|
|
# check what we got.
|
|
gotbits="`awk 'BEGIN{FS="/"}/bits set:/{print $2}' ${LOG} |
|
|
head -1 | tr -d '\r\n'`"
|
|
trace "expected '$bits' got '$gotbits'"
|
|
if [ -z "$gotbits" ] || [ "$gotbits" -lt "$bits" ]; then
|
|
fatal "$tid expected $bits bit group, got $gotbits"
|
|
fi
|
|
}
|
|
|
|
check()
|
|
{
|
|
bits="$1"; shift
|
|
|
|
for c in $@; do
|
|
for k in $kexs; do
|
|
ssh_test_dhgex $bits $c $k
|
|
done
|
|
done
|
|
}
|
|
|
|
check 3072 3des-cbc # 112 bits.
|
|
check 3072 `${SSH} -Q cipher | grep 128`
|
|
check 7680 `${SSH} -Q cipher | grep 192`
|
|
check 8192 `${SSH} -Q cipher | grep 256`
|
|
check 8192 chacha20-poly1305@openssh.com
|