Don't end strict kex until receiving newkeys

mkj · mkj · commit 6b0e0041bc5c · 2025-05-06T22:49:05.000+08:00
Previously non-strict packets would be allowed once Dropbear's own
SSH_MSG_NEWKEYS had been sent, but for correctness it should only be
allowed once receiving the SSH_MSG_NEWKEYS from the peer.

Reported by Fabian Bäumer
diff --git a/src/common-kex.c b/src/common-kex.c
@@ -197,6 +197,7 @@ void recv_msg_newkeys() {
 	if (ses.kexstate.strict_kex) {
 		ses.recvseq = 0;
 	}
+	ses.kexstate.recvfirstnewkeys = 1;
 
 	TRACE(("leave recv_msg_newkeys"))
 }
diff --git a/src/kex.h b/src/kex.h
@@ -91,6 +91,7 @@ struct KEXState {
 	unsigned int donefirstkex; /* Set to 1 after the first kex has completed,
 								  ie the transport layer has been set up */
 	unsigned int donesecondkex; /* Set to 1 after the second kex has completed */
+	unsigned int recvfirstnewkeys; /* Set to 1 after the first valid newkeys has been received */
 
 	unsigned our_first_follows_matches : 1;
 
diff --git a/src/process-packet.c b/src/process-packet.c
@@ -44,7 +44,7 @@ void process_packet() {
 
 	unsigned char type;
 	unsigned int i;
-	unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.donefirstkex;
+	unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.recvfirstnewkeys;
 	time_t now;
 
 	TRACE2(("enter process_packet"))

Original file line number	Diff line number	Diff line change
`@@ -197,6 +197,7 @@ void recv_msg_newkeys() {`
`197`	`197`	`if (ses.kexstate.strict_kex) {`
`198`	`198`	`ses.recvseq = 0;`
`199`	`199`	`}`
	`200`	`+ ses.kexstate.recvfirstnewkeys = 1;`
`200`	`201`
`201`	`202`	`TRACE(("leave recv_msg_newkeys"))`
`202`	`203`	`}`