openssh/openssh-mitigate-lingering-secrets.patch

346 lines
9.6 KiB
Diff
Raw Normal View History

- Update to openssh 9.9p1: * No changes for askpass, see main package changelog for details. - Update to openssh 9.9p1: = Future deprecation notice * OpenSSH plans to remove support for the DSA signature algorithm in early 2025. This release disables DSA by default at compile time. DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent. OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to-implement algorithm in the SSHv2 RFCs, mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries. = Potentially-incompatible changes * ssh(1): remove support for pre-authentication compression. OpenSSH has only supported post-authentication compression in the server for some years. Compression before authentication significantly increases the attack surface of SSH servers and risks creating oracles that reveal information about information sent during authentication. OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=275
2024-09-25 10:42:29 +02:00
Index: openssh-9.3p2/kex.c
===================================================================
--- openssh-9.3p2.orig/kex.c
+++ openssh-9.3p2/kex.c
@@ -1564,16 +1564,16 @@ enc_destroy(struct sshenc *enc)
return;
if (enc->key) {
- memset(enc->key, 0, enc->key_len);
+ explicit_bzero(enc->key, enc->key_len);
free(enc->key);
}
if (enc->iv) {
- memset(enc->iv, 0, enc->iv_len);
+ explicit_bzero(enc->iv, enc->iv_len);
free(enc->iv);
}
- memset(enc, 0, sizeof(*enc));
+ explicit_bzero(enc, sizeof(*enc));
}
void
@@ -1584,7 +1584,7 @@ newkeys_destroy(struct newkeys *newkeys)
enc_destroy(&newkeys->enc);
mac_destroy(&newkeys->mac);
- memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+ explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
}
/*
Index: openssh-9.3p2/mac.c
===================================================================
--- openssh-9.3p2.orig/mac.c
+++ openssh-9.3p2/mac.c
@@ -284,11 +284,11 @@ mac_destroy(struct sshmac *mac)
return;
if (mac->key) {
- memset(mac->key, 0, mac->key_len);
+ explicit_bzero(mac->key, mac->key_len);
free(mac->key);
}
- memset(mac, 0, sizeof(*mac));
+ explicit_bzero(mac, sizeof(*mac));
}
/* XXX copied from ciphers_valid */
Index: openssh-9.3p2/monitor.c
===================================================================
--- openssh-9.3p2.orig/monitor.c
+++ openssh-9.3p2/monitor.c
@@ -1789,8 +1789,12 @@ mm_answer_audit_end_command(struct ssh *
void
monitor_clear_keystate(struct ssh *ssh, struct monitor *pmonitor)
{
- ssh_clear_newkeys(ssh, MODE_IN);
- ssh_clear_newkeys(ssh, MODE_OUT);
+ u_int mode;
+
+ for (mode = 0; mode < MODE_MAX; mode++) {
+ ssh_clear_curkeys(ssh, mode); /* current keys */
+ ssh_clear_newkeys(ssh, mode); /* next keys */
+ }
sshbuf_free(child_state);
child_state = NULL;
}
Index: openssh-9.3p2/packet.c
===================================================================
--- openssh-9.3p2.orig/packet.c
+++ openssh-9.3p2/packet.c
@@ -655,6 +655,7 @@ ssh_packet_close_internal(struct ssh *ss
ssh->local_ipaddr = NULL;
free(ssh->remote_ipaddr);
ssh->remote_ipaddr = NULL;
+ explicit_bzero(ssh->state, sizeof(*ssh->state));
free(ssh->state);
ssh->state = NULL;
kex_free(ssh->kex);
@@ -783,8 +784,10 @@ compress_buffer(struct ssh *ssh, struct
case Z_OK:
/* Append compressed data to output_buffer. */
if ((r = sshbuf_put(out, buf, sizeof(buf) -
- ssh->state->compression_out_stream.avail_out)) != 0)
+ ssh->state->compression_out_stream.avail_out)) != 0) {
+ explicit_bzero(buf, sizeof(buf));
return r;
+ }
break;
case Z_STREAM_ERROR:
default:
@@ -819,8 +822,10 @@ uncompress_buffer(struct ssh *ssh, struc
switch (status) {
case Z_OK:
if ((r = sshbuf_put(out, buf, sizeof(buf) -
- ssh->state->compression_in_stream.avail_out)) != 0)
+ ssh->state->compression_in_stream.avail_out)) != 0) {
+ explicit_bzero(buf, sizeof(buf));
return r;
+ }
break;
case Z_BUF_ERROR:
/*
@@ -870,6 +875,17 @@ uncompress_buffer(struct ssh *ssh, struc
#endif /* WITH_ZLIB */
void
+ssh_clear_curkeys(struct ssh *ssh, int mode)
+{
+ struct session_state *state = ssh->state;
+
+ if (state && state->newkeys[mode]) {
+ kex_free_newkeys(state->newkeys[mode]);
+ state->newkeys[mode] = NULL;
+ }
+}
+
+void
ssh_clear_newkeys(struct ssh *ssh, int mode)
{
if (ssh->kex && ssh->kex->newkeys[mode]) {
@@ -1418,7 +1434,9 @@ ssh_packet_read_seqnr(struct ssh *ssh, u
}
/* Append it to the buffer. */
- if ((r = ssh_packet_process_incoming(ssh, buf, len)) != 0)
+ r = ssh_packet_process_incoming(ssh, buf, len);
+ explicit_bzero(buf, len);
+ if (r != 0)
goto out;
}
out:
@@ -2375,9 +2393,12 @@ ssh_packet_get_state(struct ssh *ssh, st
(r = sshbuf_put_u32(m, state->p_read.packets)) != 0 ||
(r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 ||
(r = sshbuf_put_stringb(m, state->input)) != 0 ||
- (r = sshbuf_put_stringb(m, state->output)) != 0)
+ (r = sshbuf_put_stringb(m, state->output)) != 0) {
+ sshbuf_obfuscate(m);
return r;
+ }
+ sshbuf_obfuscate(m);
return 0;
}
@@ -2496,6 +2517,8 @@ ssh_packet_set_state(struct ssh *ssh, st
size_t ilen, olen;
int r;
+ sshbuf_unobfuscate(m);
+
if ((r = kex_from_blob(m, &ssh->kex)) != 0 ||
(r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 ||
(r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 ||
@@ -2509,7 +2532,7 @@ ssh_packet_set_state(struct ssh *ssh, st
(r = sshbuf_get_u64(m, &state->p_read.blocks)) != 0 ||
(r = sshbuf_get_u32(m, &state->p_read.packets)) != 0 ||
(r = sshbuf_get_u64(m, &state->p_read.bytes)) != 0)
- return r;
+ goto out;
/*
* We set the time here so that in post-auth privsep child we
* count from the completion of the authentication.
@@ -2518,10 +2541,10 @@ ssh_packet_set_state(struct ssh *ssh, st
/* XXX ssh_set_newkeys overrides p_read.packets? XXX */
if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0 ||
(r = ssh_set_newkeys(ssh, MODE_OUT)) != 0)
- return r;
+ goto out;
if ((r = ssh_packet_set_postauth(ssh)) != 0)
- return r;
+ goto out;
sshbuf_reset(state->input);
sshbuf_reset(state->output);
@@ -2529,12 +2552,19 @@ ssh_packet_set_state(struct ssh *ssh, st
(r = sshbuf_get_string_direct(m, &output, &olen)) != 0 ||
(r = sshbuf_put(state->input, input, ilen)) != 0 ||
(r = sshbuf_put(state->output, output, olen)) != 0)
- return r;
+ goto out;
- if (sshbuf_len(m))
- return SSH_ERR_INVALID_FORMAT;
+ if (sshbuf_len(m)) {
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+
+ r = 0;
+out:
+ if (r != 0)
+ sshbuf_obfuscate(m);
debug3_f("done");
- return 0;
+ return r;
}
/* NEW API */
Index: openssh-9.3p2/packet.h
===================================================================
--- openssh-9.3p2.orig/packet.h
+++ openssh-9.3p2/packet.h
@@ -103,6 +103,7 @@ void ssh_packet_close(struct ssh *);
void ssh_packet_close(struct ssh *);
void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
void ssh_packet_clear_keys(struct ssh *);
+void ssh_clear_curkeys(struct ssh *, int);
void ssh_clear_newkeys(struct ssh *, int);
int ssh_packet_is_rekeying(struct ssh *);
Index: openssh-9.3p2/sshbuf.c
===================================================================
--- openssh-9.3p2.orig/sshbuf.c
+++ openssh-9.3p2/sshbuf.c
@@ -309,6 +309,31 @@ sshbuf_mutable_ptr(const struct sshbuf *
return buf->d + buf->off;
}
+/* Trivially obfuscate the buffer. This is used to make sensitive data
+ * (e.g. keystate) slightly less obvious if found lingering in kernel
+ * memory after being sent from the privsep child to its parent.
+ *
+ * Longer term we should consider using a one-time pad or a stream cipher
+ * here. */
+void
+sshbuf_obfuscate(struct sshbuf *buf)
+{
+ size_t i;
+
+ if (sshbuf_check_sanity(buf) != 0 || buf->readonly || buf->refcount > 1)
+ return;
+
+ for (i = buf->off; i < buf->size; i++) {
+ buf->d [i] ^= 0xaa;
+ }
+}
+
+void
+sshbuf_unobfuscate(struct sshbuf *buf)
+{
+ sshbuf_obfuscate(buf);
+}
+
int
sshbuf_check_reserve(const struct sshbuf *buf, size_t len)
{
Index: openssh-9.3p2/sshbuf.h
===================================================================
--- openssh-9.3p2.orig/sshbuf.h
+++ openssh-9.3p2/sshbuf.h
@@ -298,6 +298,9 @@ int sshbuf_write_file(const char *path,
int sshbuf_read(int, struct sshbuf *, size_t, size_t *)
__attribute__((__nonnull__ (2)));
+void sshbuf_obfuscate(struct sshbuf *buf);
+void sshbuf_unobfuscate(struct sshbuf *buf);
+
/* Macros for decoding/encoding integers */
#define PEEK_U64(p) \
(((u_int64_t)(((const u_char *)(p))[0]) << 56) | \
Index: openssh-9.3p2/sshd-session.c
===================================================================
--- openssh-9.3p2.orig/sshd-session.c
+++ openssh-9.3p2/sshd-session.c
@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *);
static void do_ssh2_kex(struct ssh *);
/*
+ * Clear some stack space. This is a bit naive, but hopefully helps mitigate
+ * information leaks due to registers and other data having been stored on
+ * the stack. Called after fork() and before exit().
+ */
+static void
+clobber_stack(void)
+{
+ char data [32768];
+
+ explicit_bzero(data, 32768);
+}
+
+/*
* Signal handler for the alarm after the login grace period has expired.
* As usual, this may only take signal-safe actions, even though it is
* terminal.
@@ -260,6 +260,8 @@ destroy_sensitive_data(struct ssh *ssh,
sensitive_data.host_certificates[i] = NULL;
}
}
+
+ clobber_stack();
}
/* Demote private to public keys for network child */
@@ -431,6 +432,8 @@ privsep_preauth(struct ssh *ssh)
{
int skip_privdrop = 0;
+ clobber_stack();
+
/*
* Hack for systems that don't support FD passing: retain privileges
* in the post-auth privsep process so it can allocate PTYs directly.
@@ -1354,6 +1356,7 @@ main(int ac, char **av)
*/
mm_send_keystate(ssh, pmonitor);
ssh_packet_clear_keys(ssh);
+ clobber_stack();
exit(0);
authenticated:
@@ -1431,6 +1434,7 @@ main(int ac, char **av)
mm_terminate();
+ clobber_stack();
exit(0);
}
@@ -1577,8 +1581,10 @@ cleanup_exit(int i)
/* cleanup_exit can be called at the very least from the privsep
wrappers used for auditing. Make sure we don't recurse
indefinitely. */
- if (in_cleanup)
+ if (in_cleanup) {
+ clobber_stack();
_exit(i);
+ }
in_cleanup = 1;
extern int auth_attempted; /* monitor.c */
@@ -1604,6 +1610,8 @@ cleanup_exit(int i)
mm_is_monitor())
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif
+
+ clobber_stack();
/* Override default fatal exit value when auth was attempted */
if (i == 255 && auth_attempted)
_exit(EXIT_AUTH_ATTEMPTED);