octoleo/phpseclib
1
0
Fork 0
mirror of https://github.com/phpseclib/phpseclib.git synced 2024-11-08 14:51:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '2.0' into 3.0

Browse Source
This commit is contained in:
terrafrost 2023-12-28 07:54:49 -06:00
commit 80bc33b741
1 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
phpseclib/Net/SSH2.php
View File

@ -1102,6 +1102,16 @@ class SSH2
*/ */
private $errorOnMultipleChannels; private $errorOnMultipleChannels;
/**
* Terrapin Countermeasure
*
* "During initial KEX, terminate the connection if any unexpected or out-of-sequence packet is received"
* -- https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
*
* @var int
*/
private $extra_packets;
/** /**
* Default Constructor. * Default Constructor.
* *
@ -1536,7 +1546,7 @@ class SSH2
$preferred['client_to_server']['comp'] : $preferred['client_to_server']['comp'] :
SSH2::getSupportedCompressionAlgorithms(); SSH2::getSupportedCompressionAlgorithms();
$kex_algorithms = array_merge($kex_algorithms, ['ext-info-c']); $kex_algorithms = array_merge($kex_algorithms, ['ext-info-c', 'kex-strict-c-v00@openssh.com']);
// some SSH servers have buggy implementations of some of the above algorithms // some SSH servers have buggy implementations of some of the above algorithms
switch (true) { switch (true) {
@ -1592,6 +1602,7 @@ class SSH2
if ($kexinit_payload_server === false) { if ($kexinit_payload_server === false) {
$this->send_binary_packet($kexinit_payload_client); $this->send_binary_packet($kexinit_payload_client);
$this->extra_packets = 0;
$kexinit_payload_server = $this->get_binary_packet(); $kexinit_payload_server = $this->get_binary_packet();
if ( if (
@ -1623,6 +1634,11 @@ class SSH2
$this->languages_server_to_client, $this->languages_server_to_client,
$first_kex_packet_follows $first_kex_packet_follows
) = Strings::unpackSSH2('L10C', $response); ) = Strings::unpackSSH2('L10C', $response);
if (in_array('kex-strict-s-v00@openssh.com', $this->kex_algorithms)) {
if ($this->session_id === false && $this->extra_packets) {
throw new \UnexpectedValueException('Possible Terrapin Attack detected');
}
}
$this->supported_private_key_algorithms = $this->server_host_key_algorithms; $this->supported_private_key_algorithms = $this->server_host_key_algorithms;
@ -1881,6 +1897,10 @@ class SSH2
throw new \UnexpectedValueException('Expected SSH_MSG_NEWKEYS'); throw new \UnexpectedValueException('Expected SSH_MSG_NEWKEYS');
} }
if (in_array('kex-strict-s-v00@openssh.com', $this->kex_algorithms)) {
$this->get_seq_no = $this->send_seq_no = 0;
}
$keyBytes = pack('Na*', strlen($keyBytes), $keyBytes); $keyBytes = pack('Na*', strlen($keyBytes), $keyBytes);
$this->encrypt = self::encryption_algorithm_to_crypt_instance($encrypt); $this->encrypt = self::encryption_algorithm_to_crypt_instance($encrypt);
@ -3769,9 +3789,11 @@ class SSH2
$this->bitmap = 0; $this->bitmap = 0;
return false; return false;
case NET_SSH2_MSG_IGNORE: case NET_SSH2_MSG_IGNORE:
$this->extra_packets++;
$payload = $this->get_binary_packet($skip_channel_filter); $payload = $this->get_binary_packet($skip_channel_filter);
break; break;
case NET_SSH2_MSG_DEBUG: case NET_SSH2_MSG_DEBUG:
$this->extra_packets++;
Strings::shift($payload, 2); // second byte is "always_display" Strings::shift($payload, 2); // second byte is "always_display"
list($message) = Strings::unpackSSH2('s', $payload); list($message) = Strings::unpackSSH2('s', $payload);
$this->errors[] = "SSH_MSG_DEBUG: $message"; $this->errors[] = "SSH_MSG_DEBUG: $message";
@ -3780,6 +3802,7 @@ class SSH2
case NET_SSH2_MSG_UNIMPLEMENTED: case NET_SSH2_MSG_UNIMPLEMENTED:
return false; return false;
case NET_SSH2_MSG_KEXINIT: case NET_SSH2_MSG_KEXINIT:
// this is here for key re-exchanges after the initial key exchange
if ($this->session_id !== false) { if ($this->session_id !== false) {
if (!$this->key_exchange($payload)) { if (!$this->key_exchange($payload)) {
$this->bitmap = 0; $this->bitmap = 0;