Google Git
Sign in
go / crypto / beb2a9779c3b677077c41673505f150149fce895
commitbeb2a9779c3b677077c41673505f150149fce895[log] [tgz]
authorHan-Wen Nienhuys <hanwen@google.com>Thu Apr 05 16:16:06 2018 +0200
committerHan-Wen Nienhuys <hanwen@google.com>Mon Apr 09 15:00:46 2018 +0000
tree168db0608edf62adfe5afd9e3dadf339cd613703
parentb2aa35443fbc700ab74c586ae79b81c171851023 [diff]
ssh/knownhosts: disregard IP address if the hostname is available

This fixes the following vulnerability scenario:

* Victim logs into SAFE-HOST on SAFE-IP-ADDRESS regularly.

* Victim is cajoled into connecting to attacker controlled
  ATTACK-HOST, on ATTACK-IP-ADDRESS. ATTACK-HOST uses a different host
  key type (e.g. Ed25519 vs RSA). The new key is added at the end of
  known_hosts.

* Attacker makes DNS system return ATTACK-IP-ADDRESS for SAFE-HOST.

* Victim logs into SAFE-HOST, but is not warned because the host key
  matches ATTACK-IP-ADDRESS.

For this attack to work, the key type has to be different, because
knownhosts gives precedence to the first key found for each type. Add
a test that asserts this behavior.

The new semantics simplify the code, but callers that modify
.ssh/known_host interactviely must now take an extra step to remain
OpenSSH compatible: on successful login, the IP address must be
checked without hostname, and if it is not known, added separately to
the known_hosts file, so future logins that use an IP address only
will be protected too.

Thanks to Daniel Parks <security@demonhorse.net> for finding this
vulnerability.

Change-Id: I62b1b60ceb02e2f583a4657213feac1a8885dd42
Reviewed-on: https://go-review.googlesource.com/104939
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2 files changed
tree: 168db0608edf62adfe5afd9e3dadf339cd613703
  1. acme/
  2. argon2/
  3. bcrypt/
  4. blake2b/
  5. blake2s/
  6. blowfish/
  7. bn256/
  8. cast5/
  9. chacha20poly1305/
  10. cryptobyte/
  11. curve25519/
  12. ed25519/
  13. hkdf/
  14. internal/
  15. md4/
  16. nacl/
  17. ocsp/
  18. openpgp/
  19. otr/
  20. pbkdf2/
  21. pkcs12/
  22. poly1305/
  23. ripemd160/
  24. salsa20/
  25. scrypt/
  26. sha3/
  27. ssh/
  28. tea/
  29. twofish/
  30. xtea/
  31. xts/
  32. .gitattributes
  33. .gitignore
  34. AUTHORS
  35. codereview.cfg
  36. CONTRIBUTING.md
  37. CONTRIBUTORS
  38. LICENSE
  39. PATENTS
  40. README.md
README.md

Go Cryptography

This repository holds supplementary Go cryptography libraries.

Download/Install

The easiest way to install is to run go get -u golang.org/x/crypto/.... You can also manually git clone the repository to $GOPATH/src/golang.org/x/crypto.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.

The main issue tracker for the crypto repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.

Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.