Added implementation for DHEat denial-of-service attack (CVE-2002-20001). (#211, #217)

2025-06-21 18:23:40 +02:00 · 2024-04-18 13:58:13 -04:00
parent d7f8bf3e6d
commit 8190fe59d0
24 changed files with 1313 additions and 61 deletions
--- a/test/conftest.py
+++ b/test/conftest.py
@ -73,6 +73,7 @@ class _VirtualSocket:
        self.rdata = []
        self.sdata = []
        self.errors = {}
+        self.blocking = False
        self.gsock = _VirtualGlobalSocket(self)

    def _check_err(self, method):
@ -83,12 +84,18 @@ class _VirtualSocket:
    def connect(self, address):
        return self._connect(address, False)

+    def connect_ex(self, address):
+        return self.connect(address)
+
    def _connect(self, address, ret=True):
        self.peer_address = address
        self._connected = True
        self._check_err('connect')
        return self if ret else None

+    def setblocking(self, r: bool):
+        self.blocking = r
+
    def settimeout(self, timeout):
        self.timeout = timeout

--- a/test/docker/expected_results/dropbear_2019.78_test1.json
+++ b/test/docker/expected_results/dropbear_2019.78_test1.json
@ -1,7 +1,5 @@
 {
-    "additional_notes": [
-        ""
-    ],
+    "additional_notes": [],
    "banner": {
        "comments": null,
        "protocol": "2.0",
--- a/test/docker/expected_results/openssh_4.0p1_test1.json
+++ b/test/docker/expected_results/openssh_4.0p1_test1.json
@ -1,7 +1,5 @@
 {
-    "additional_notes": [
-        ""
-    ],
+    "additional_notes": [],
    "banner": {
        "comments": null,
        "protocol": "1.99",
--- a/test/docker/expected_results/openssh_5.6p1_test1.json
+++ b/test/docker/expected_results/openssh_5.6p1_test1.json
@ -1,7 +1,5 @@
 {
-    "additional_notes": [
-        ""
-    ],
+    "additional_notes": [],
    "banner": {
        "comments": null,
        "protocol": "2.0",
--- a/test/docker/expected_results/openssh_5.6p1_test2.json
+++ b/test/docker/expected_results/openssh_5.6p1_test2.json
@ -1,7 +1,5 @@
 {
-    "additional_notes": [
-        ""
-    ],
+    "additional_notes": [],
    "banner": {
        "comments": null,
        "protocol": "2.0",
--- a/test/docker/expected_results/openssh_5.6p1_test3.json
+++ b/test/docker/expected_results/openssh_5.6p1_test3.json
@ -1,7 +1,5 @@
 {
-    "additional_notes": [
-        ""
-    ],
+    "additional_notes": [],
    "banner": {
        "comments": null,
        "protocol": "2.0",
--- a/test/docker/expected_results/openssh_5.6p1_test4.json
+++ b/test/docker/expected_results/openssh_5.6p1_test4.json
@ -1,7 +1,5 @@
 {
-    "additional_notes": [
-        ""
-    ],
+    "additional_notes": [],
    "banner": {
        "comments": null,
        "protocol": "2.0",
--- a/test/docker/expected_results/openssh_5.6p1_test5.json
+++ b/test/docker/expected_results/openssh_5.6p1_test5.json
@ -1,7 +1,5 @@
 {
-    "additional_notes": [
-        ""
-    ],
+    "additional_notes": [],
    "banner": {
        "comments": null,
        "protocol": "2.0",
--- a/test/docker/expected_results/openssh_8.0p1_test1.json
+++ b/test/docker/expected_results/openssh_8.0p1_test1.json
@ -1,7 +1,5 @@
 {
-    "additional_notes": [
-        ""
-    ],
+    "additional_notes": [],
    "banner": {
        "comments": null,
        "protocol": "2.0",
--- a/test/docker/expected_results/openssh_8.0p1_test2.json
+++ b/test/docker/expected_results/openssh_8.0p1_test2.json
@ -1,7 +1,5 @@
 {
-    "additional_notes": [
-        ""
-    ],
+    "additional_notes": [],
    "banner": {
        "comments": null,
        "protocol": "2.0",
--- a/test/docker/expected_results/openssh_8.0p1_test3.json
+++ b/test/docker/expected_results/openssh_8.0p1_test3.json
@ -1,7 +1,5 @@
 {
-    "additional_notes": [
-        ""
-    ],
+    "additional_notes": [],
    "banner": {
        "comments": null,
        "protocol": "2.0",
--- a/test/docker/expected_results/tinyssh_20190101_test1.json
+++ b/test/docker/expected_results/tinyssh_20190101_test1.json
@ -1,7 +1,5 @@
 {
-    "additional_notes": [
-        ""
-    ],
+    "additional_notes": [],
    "banner": {
        "comments": "",
        "protocol": "2.0",
--- a/test/test_dheater.py
+++ b/test/test_dheater.py
@ -0,0 +1,29 @@
+import pytest
+
+from ssh_audit.ssh2_kexdb import SSH2_KexDB
+from ssh_audit.dheat import DHEat
+
+
+class TestDHEat:
+
+    @pytest.fixture(autouse=True)
+    def init(self):
+        self.SSH2_KexDB = SSH2_KexDB
+        self.DHEat = DHEat
+
+    def test_kex_definition_completeness(self):
+        alg_db = self.SSH2_KexDB.get_db()
+        kex_db = alg_db['kex']
+
+        # Get all Diffie-Hellman algorithms defined in our database.
+        dh_algs = []
+        for kex in kex_db:
+            if kex.startswith('diffie-hellman-'):
+                dh_algs.append(kex)
+
+        # Ensure that each DH algorithm in our database is in either DHEat's alg_priority or gex_algs list.  Also ensure that all non-group exchange algorithms are accounted for in the alg_modulus_sizes dictionary.
+        for dh_alg in dh_algs:
+            assert (dh_alg in self.DHEat.alg_priority) or (dh_alg in self.DHEat.gex_algs)
+
+            if dh_alg.find("group-exchange") == -1:
+                assert dh_alg in self.DHEat.alg_modulus_sizes
--- a/test/test_errors.py
+++ b/test/test_errors.py
@ -17,6 +17,7 @@ class TestErrors:
        conf = self.AuditConf('localhost', 22)
        conf.colors = False
        conf.batch = True
+        conf.skip_rate_test = True
        return conf

    def _audit(self, spy, conf=None, exit_expected=False):
--- a/test/test_ssh1.py
+++ b/test/test_ssh1.py
@ -33,6 +33,7 @@ class TestSSH1:
        conf.verbose = True
        conf.ssh1 = True
        conf.ssh2 = False
+        conf.skip_rate_test = True
        return conf

    def _create_ssh1_packet(self, payload, valid_crc=True):
--- a/test/test_ssh2.py
+++ b/test/test_ssh2.py
@ -32,6 +32,7 @@ class TestSSH2:
        conf.verbose = True
        conf.ssh1 = False
        conf.ssh2 = True
+        conf.skip_rate_test = True
        return conf

    @classmethod