Skip to content

Commit

Permalink
Merge branch '3.0'
Browse files Browse the repository at this point in the history
  • Loading branch information
terrafrost committed Dec 7, 2024
2 parents 58e9e43 + b59d7be commit c6c89a6
Showing 1 changed file with 22 additions and 5 deletions.
27 changes: 22 additions & 5 deletions phpseclib/Net/SSH2.php
Original file line number Diff line number Diff line change
Expand Up @@ -991,6 +991,19 @@ class SSH2
*/
private $kex_buffer = [];

/**
* Strict KEX Flag
*
* If [email protected] is present in the first KEX packet it need not
* be present in subsequent packet
*
* @see self::_key_exchange()
* @see self::exec()
* @var array
* @access private
*/
private $strict_kex_flag = false;

/**
* Default Constructor.
*
Expand Down Expand Up @@ -1413,8 +1426,13 @@ private function key_exchange($kexinit_payload_server = false): bool
$first_kex_packet_follows
] = Strings::unpackSSH2('L10C', $response);
if (in_array('[email protected]', $this->kex_algorithms)) {
if ($this->session_id === false && count($this->kex_buffer)) {
throw new \UnexpectedValueException('Possible Terrapin Attack detected');
if ($this->session_id === false) {
// [[email protected] is] only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
// if [it is] present in subsequent SSH2_MSG_KEXINIT packets
$this->strict_kex_flag = true;
if (count($this->kex_buffer)) {
throw new \UnexpectedValueException('Possible Terrapin Attack detected');
}
}
}

Expand Down Expand Up @@ -1651,12 +1669,11 @@ private function key_exchange($kexinit_payload_server = false): bool

$packet = pack('C', MessageType::NEWKEYS);
$this->send_binary_packet($packet);

$response = $this->get_binary_packet_or_close(MessageType::NEWKEYS);
$this->get_binary_packet_or_close(MessageType::NEWKEYS);

$this->keyExchangeInProgress = false;

if (in_array('[email protected]', $this->kex_algorithms)) {
if ($this->strict_kex_flag) {
$this->get_seq_no = $this->send_seq_no = 0;
}

Expand Down

0 comments on commit c6c89a6

Please sign in to comment.