Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are. (#239)

Joe Testa 2024-02-16 21:58:51 -05:00
parent f326d58068
commit 73b669b49d
3 changed files with 15 additions and 1 deletions


@ -181,6 +181,7 @@ For convenience, a web front-end on top of the command-line tool is available at
### v3.2.0-dev (???) ### v3.2.0-dev (???)
- Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers. - Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers.
- Color output is disabled if the `NO_COLOR` environment variable is set (see https://no-color.org/). - Color output is disabled if the `NO_COLOR` environment variable is set (see https://no-color.org/).
- Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are.
### v3.1.0 (2023-12-20) ### v3.1.0 (2023-12-20)
- Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)). - Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).


@ -180,7 +180,7 @@ class HostKeyTest:
hostkey_min_good = 256 hostkey_min_good = 256
hostkey_min_warn = 224 hostkey_min_warn = 224
hostkey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING hostkey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING
if ca_key_type.startswith('ssh-ed25519') or host_key_type.startswith('ecdsa-sha2-nistp'): if ca_key_type.startswith('ssh-ed25519') or ca_key_type.startswith('ecdsa-sha2-nistp'):
cakey_min_good = 256 cakey_min_good = 256
cakey_min_warn = 224 cakey_min_warn = 224
cakey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING cakey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING
@ -209,6 +209,10 @@ class HostKeyTest:
elif (0 < ca_modulus_size < cakey_min_good) and (cakey_warn_str not in key_warn_comments): elif (0 < ca_modulus_size < cakey_min_good) and (cakey_warn_str not in key_warn_comments):
key_warn_comments.append(cakey_warn_str) key_warn_comments.append(cakey_warn_str)
# If the CA key type uses ECDSA with a NIST P-curve, fail it for possibly being back-doored.
if ca_key_type.startswith('ecdsa-sha2-nistp'):
key_fail_comments.append('CA key uses elliptic curves that are suspected as being backdoored by the U.S. National Security Agency')
# If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all). # If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all).
if host_key_type in HostKeyTest.RSA_FAMILY: if host_key_type in HostKeyTest.RSA_FAMILY:
for rsa_type in HostKeyTest.RSA_FAMILY: for rsa_type in HostKeyTest.RSA_FAMILY:
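Review bot: The new `key_fail_comments.append(...)` for `ecdsa-sha2-nistp` CA keys has no duplicate guard, whereas the `elif` directly above it only appends when `cakey_warn_str not in key_warn_comments`. If this path can run more than once for the same key entry, the same failure line may be recorded repeatedly; the surrounding loop is outside the hunk, so this is inferred. A matching guard would be `if ca_key_type.startswith('ecdsa-sha2-nistp') and msg not in key_fail_comments:` with the message held in a local or class-level constant, which would also keep the CA wording in step with the host-key wording the commit message refers to. The enclosing method starts and ends outside this section.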


@ -212,6 +212,15 @@ class KexDH: # pragma: nocover
# CA's modulus. Bingo. # CA's modulus. Bingo.
ca_key_n, ca_key_n_len, ptr = KexDH.__get_bytes(ca_key, ptr) # pylint: disable=unused-variable ca_key_n, ca_key_n_len, ptr = KexDH.__get_bytes(ca_key, ptr) # pylint: disable=unused-variable
if ca_key_type.startswith("ecdsa-sha2-nistp") and ca_key_n_len > 0:
self.out.d("Found ecdsa-sha2-nistp* CA key type.")
# 0x04 signifies that this is an uncompressed public key (meaning that full X and Y values are provided in ca_key_n.
if ca_key_n[0] == 4:
ca_key_n_len = ca_key_n_len - 1 # Subtract the 0x04 byte.
ca_key_n_len = int(ca_key_n_len / 2) # Divide by 2 since the modulus is the size of either the X or Y value.
else: else:
self.out.d("Certificate type %u found; this is not usually valid in the context of a host key! Skipping it..." % cert_type) self.out.d("Certificate type %u found; this is not usually valid in the context of a host key! Skipping it..." % cert_type)
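Review bot: When the first byte of `ca_key_n` is not 0x04 (a compressed point, or a malformed blob sent by the server), `ca_key_n_len` keeps the raw blob length and nothing is logged, so any key size later derived from it would be overstated; that later use is outside the hunk, so this is inferred. An `else:` branch with a debug line such as `self.out.d("Unexpected ECDSA point format in CA key; size not adjusted.")` would make that case visible in the audit output. `int(ca_key_n_len / 2)` goes through float division and reads more directly as `ca_key_n_len // 2`, and the comment above the `== 4` check is missing its closing parenthesis. The page has lost indentation, so whether the divide-by-two sits inside the `== 4` branch cannot be confirmed here; the enclosing method starts and ends outside this section.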