This was discovered at Connectathon 2002 while testing against SSH.COM with their compat flags disabled (they currently don't send guess to any OpenSSH server since they know it isn't implemented).

draft-ietf-secsh-transport-13.txt

   5. Key Exchange

   Key exchange begins by each side sending lists of supported algorithms. Each side has a preferred algorithm in each category, and it is assumed that most implementations at any given time will use the same preferred algorithm. Each side MAY guess which algorithm the other side is using, and MAY send an initial key exchange packet according to the algorithm if appropriate for the preferred method.

   Guess is considered wrong, if:

   o  the kex algorithm and/or the host key algorithm is guessed wrong (server and client have different preferred algorithm), or

   o  if any of the other algorithms cannot be agreed upon (the procedure is defined below in Section Section 5.1).

   Otherwise, the guess is considered to be right and the optimistically sent packet MUST be handled as the first key exchange packet.

The current code for kex in OpenSSH assumes that the only acceptable packet is a NEWKEYS by using this code fragment:

    packet_read_expect(SSH2_MSG_NEWKEYS);

SSH2_MSG_KEXDH_INIT can arrive if the other side sends a guess.

I have a partial solution (only works if the client guess was our preferred) for the server side, but this needs client support as well.
    packet_read_expect(SSH2_MSG_NEWKEYS);
    ^^^
hm, i never thought i need to implement this, but now it seems so. but i don't think it's related to this line. i think if the keyinit packet has first_kex_follows set i have to continue parsing the packet.... not sure how to implement this (ugly?) optimization
todo: discard first packet after kexinit if first_kex_follows is set and peer's first algorithms do not match selected algorithms.
Hi,
I am new with such a nice project, but I will add my remarks, assuming that someone will insert it - or explain to me how to add it to the openssh project.
--
I looked at the comment and fixed the bug in the following way:

1) Add new function in kex.c

    /*
     * After kex_choose_conf each entry in the proposal array is NULL
     * terminated, so only the first index should be checked.
     */
    static int
    check_guess(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
    {
        if (strcmp(my[PROPOSAL_KEX_ALGS], peer[PROPOSAL_KEX_ALGS]) != 0)
            return 1;
        if (strcmp(my[PROPOSAL_SERVER_HOST_KEY_ALGS], peer[PROPOSAL_SERVER_HOST_KEY_ALGS]) != 0)
            return 1;
        if (strcmp(my[PROPOSAL_ENC_ALGS_CTOS], peer[PROPOSAL_ENC_ALGS_STOC]) != 0)
            return 1;
        if (strcmp(my[PROPOSAL_ENC_ALGS_STOC], peer[PROPOSAL_ENC_ALGS_CTOS]) != 0)
            return 1;
        if (strcmp(my[PROPOSAL_MAC_ALGS_CTOS], peer[PROPOSAL_MAC_ALGS_STOC]) != 0)
            return 1;
        if (strcmp(my[PROPOSAL_MAC_ALGS_STOC], peer[PROPOSAL_MAC_ALGS_CTOS]) != 0)
            return 1;
        if (strcmp(my[PROPOSAL_COMP_ALGS_CTOS], peer[PROPOSAL_COMP_ALGS_STOC]) != 0)
            return 1;
        if (strcmp(my[PROPOSAL_COMP_ALGS_STOC], peer[PROPOSAL_COMP_ALGS_CTOS]) != 0)
            return 1;
        if (strcmp(my[PROPOSAL_LANG_CTOS], peer[PROPOSAL_LANG_STOC]) != 0)
            return 1;
        if (strcmp(my[PROPOSAL_LANG_STOC], peer[PROPOSAL_LANG_CTOS]) != 0)
            return 1;
        return 0;
    }

2) Add new parameter to kex_buf2prop

    static char **kex_buf2prop(SshBuffer *raw, int *first_kex_follows)
    ....
    *first_kex_follows = sshbuffer_get_char(&b);
    ...

3) In kex_choose_conf I changed the call to kex_buf2prop

    peer = kex_buf2prop(&kex->peer, &first_kex_follows);

and after all checks I add:

    if (first_kex_follows) {
        first_kex_follows = check_guess(my, peer);
    }
    if (first_kex_follows) {
        packet_read_expect(SSH2_MSG_MAX);
    }

4) I change the packet_read_expect implementation so that if it is asked to expect SSH2_MSG_MAX it will ignore all messages.

    if ((type != expected_type) && (expected_type != SSH2_MSG_MAX))

--
- It works fine.
--
avraham.fraenkel@comatch.com
The problem exists also in current version
-- Avraham
yes, i was too busy to fix this bug. please attach a patch if you have one :) thanks, -m
Created attachment 161
Proposed patch for the Bug

I am new in sending patches for open*, so please check it.
-- Avraham
--
avraham.fraenkel@commatch.com
Created attachment 208
new patch

you need to make sure that the ',' from my[] and peer[] are replaced with \0
please check the latest patch. this patch will probably be included in 3.6
You should check only PROPOSAL_KEX_ALGS and PROPOSAL_SERVER_HOST_KEY_ALGS.
Only for them it is written that

   o  the kex algorithm and/or the host key algorithm is guessed wrong (server and client have different preferred algorithm).
      ==========

For the other parts of the proposal you will find the mismatch in the choose_enc/mac/comp functions. There is no need that the first option will be a right guess:

   o  if any of the other algorithms cannot be agreed upon.
      ======

-- Avraham
Created attachment 210
update

ok, this only checks the kex algs and the host key types.
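The check this thread converges on (compare only each side's first kex algorithm and first host key algorithm), as an added example that is neither OpenSSH source nor any of the attached patches. The `EX_*` indices, function names and sample proposals are hypothetical; the comparison stops at the first comma instead of rewriting the lists.

```c
/* Added example; not OpenSSH source. EX_* names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum { EX_KEX_ALGS, EX_HOSTKEY_ALGS, EX_PROPOSAL_MAX };

/* Return 1 if both comma-separated name-lists start with the same name.
 * Comparing lengths first stops "...group1-sha1" matching "...group14-sha1",
 * and nothing is written into the lists (no ',' -> '\0' patching needed). */
static int same_first_name(const char *a, const char *b)
{
    size_t la = strcspn(a, ","), lb = strcspn(b, ",");
    return la != 0 && la == lb && memcmp(a, b, la) == 0;
}

/* Return 1 when the peer set first_kex_follows but guessed wrong, so the
 * packet that follows its KEXINIT must be read and discarded. Only the kex
 * and host key preferences are compared; a failure to agree on cipher, MAC
 * or compression is assumed to abort negotiation elsewhere. */
int must_discard_guess(int first_kex_follows,
    const char *my[EX_PROPOSAL_MAX], const char *peer[EX_PROPOSAL_MAX])
{
    if (!first_kex_follows)
        return 0;
    return !same_first_name(my[EX_KEX_ALGS], peer[EX_KEX_ALGS]) ||
        !same_first_name(my[EX_HOSTKEY_ALGS], peer[EX_HOSTKEY_ALGS]);
}

int main(void)
{
    /* Constructed sample proposals. */
    const char *srv[] = { "diffie-hellman-group-exchange-sha1,"
        "diffie-hellman-group1-sha1", "ssh-rsa,ssh-dss" };
    const char *good[] = { "diffie-hellman-group-exchange-sha1", "ssh-rsa" };
    const char *bad[] = { "diffie-hellman-group1-sha1,"
        "diffie-hellman-group-exchange-sha1", "ssh-rsa" };

    printf("right guess -> discard=%d\n", must_discard_guess(1, srv, good));
    printf("wrong guess -> discard=%d\n", must_discard_guess(1, srv, bad));
    return 0;
}
```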
Created attachment 211
update #3
fixed in 3.6
Mass change of RESOLVED bugs to CLOSED