Thursday, June 29, 2017

opmsg saving you from OpenSSH 0days

As I am interested in Crypto and its implementation,
being it my own projects or competing ones, I often take a deep
look into the OpenSSL and LibreSSL projects to estimate
what can potentially go wrong and where special care
must be taken while swimming with sharks.

I have already written and complained here in past about the
shiny OpenSSL 1.1 API changes. I think its safe to say that opmsg
and drops have been the first larger projects being neatly
ported to the 1.1 API, while still being aligned to older
OpenSSL installations and LibreSSL, cross platform of course.
How many projects do you know - and heavily use libcryto
or libssl - can do that?

OpenSSH for example can't. OpenSSH-portable on Linux suffered
similar hard times due to the new 1.1 API. No pain, no gain.
While OpenSSH upstream declined to make
OpenSSH-portable ready for the 1.1 API (at least yet),
there was still demand for it, since lots of newer distros
were simply not able to build their openssh packages with their
own shipped libcrypto packages. Thats why the Fedora project
adopted patches (this one is already fixed after my report).
However they introduced some double-free conditions by
means of RSA_set0_key() and similar functions. You can read
my report and see in the patch how the order of function
calls has been changed to fix the double-frees.

You can thank me later that I saved your Fedora boxes
from an ssh 0day.

No comments: