sntrup761x25519-sha512@openssh.com KEX causing "incorrect signature" with OpenSSH client #525
Comments
OK, it looks like if I bump BouncyCastle from 1.72 to 1.78.1 then it starts working; this might not "really" be a Mina-SSHd bug at all, but it might be a good idea to disable this KEX method if the available BouncyCastle is too old?
I thought that was done?
As far as I see all checks for Bouncy Castle and that eddsa library being available are done. There is nothing to do in that respect.
However: There is indeed a bug in our implementation of sntrup761x25519-sha512 that causes the key exchange to fail with probability 1/256 with an
Work-around: don't use sntrup761x25519-sha512. Explicitly set the DH factories you want on the SshClient, and do not include sntrup761x25519-sha512 in that list.
This bug will be fixed in the next release.
Because all other KEX algorithms treat the secret resulting from the key agreement as "mpint", our key agreements all returned the "mpint" representation of the result of the key agreement. But sntrup761x25519-sha512 needs the raw 32 bytes of the key agreement (curve25519-sha256). Add a flag to XDH that determines whether it returns the raw bytes or the "mpint" bytes. Bug: apache#525
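The mismatch this commit message describes, as an added Java example (not code from MINA SSHD): one side hashes the raw 32-byte X25519 result, the other hashes it with leading zero bytes dropped, and the two SHA-512 outputs differ whenever the first byte is zero. It assumes the "mpint" form amounts to dropping leading zero bytes, uses random byte arrays as constructed stand-ins for both shared secrets, and all class and method names are hypothetical.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class RawVsMpintSecret {
    // Assumed model of the "mpint" form: the magnitude with leading zero bytes dropped.
    static byte[] stripLeadingZeros(byte[] raw) {
        int i = 0;
        while (i < raw.length - 1 && raw[i] == 0) {
            i++;
        }
        return Arrays.copyOfRange(raw, i, raw.length);
    }

    // Hybrid secret: SHA-512 over the KEM secret followed by the X25519 secret.
    static byte[] hybridHash(byte[] kemSecret, byte[] x25519Secret) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        md.update(kemSecret);
        md.update(x25519Secret);
        return md.digest();
    }

    // True if a peer hashing the stripped form derives the same value
    // as a peer hashing the raw 32 bytes.
    static boolean peersAgree(byte[] kemSecret, byte[] rawX25519) throws Exception {
        return Arrays.equals(hybridHash(kemSecret, rawX25519),
                hybridHash(kemSecret, stripLeadingZeros(rawX25519)));
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] kem = new byte[32]; // constructed stand-in for the sntrup761 shared secret
        byte[] x = new byte[32];   // constructed stand-in for the X25519 output
        int trials = 1_000_000;
        int failures = 0;
        for (int t = 0; t < trials; t++) {
            rnd.nextBytes(kem);
            rnd.nextBytes(x);
            if (!peersAgree(kem, x)) {
                failures++;
            }
        }
        System.out.printf("mismatches: %d of %d (about 1/256 would be %d)%n",
                failures, trials, trials / 256);
    }
}
```

A mismatch in the derived secret changes the exchange hash, so the host key signature no longer verifies on the peer, which is consistent with the intermittent "incorrect signature" error in the issue title.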
Apache MINA 2.13.[01] had a bug in the new sntrup761x25519-sha256 KEX exchange that was fixed in 2.13.2.[1] This is the only upstream code change. Bump the lower bound in the MANIFEST.MFs to 2.13.2 to avoid ever using the broken 2.13.[01].
[1] apache/mina-sshd#525
Change-Id: I5904f9826f99c46b50abc634153f90035646ce50
Signed-off-by: Thomas Wolf <twolf@apache.org>
@tomaswolf there's something going on with the BC version. I can repro this on Gerrit master with sshd 2.13.2, but it goes away when I bump BC to 1.78.1 (to get that key size fix). That said, the code you linked to in mina-sshd/sshd-core/src/main/java/org/apache/sshd/common/kex/BuiltinDHFactories.java Line 340 in 4f2ccf8
@quic-nasserg Hi Nasser! What do you mean by
mina-sshd/sshd-core/src/main/java/org/apache/sshd/common/kex/BuiltinDHFactories.java Lines 340 to 343 in 4f2ccf8
calls mina-sshd/sshd-core/src/main/java/org/apache/sshd/common/kex/BuiltinKEM.java Lines 41 to 44 in 4f2ccf8
which calls mina-sshd/sshd-core/src/main/java/org/apache/sshd/common/kex/SNTRUP761.java Lines 44 to 53 in 4f2ccf8
which does the key size check and which also returns false if BC doesn't have The DH factories are set up by default in mina-sshd/sshd-core/src/main/java/org/apache/sshd/server/ServerBuilder.java Lines 177 to 179 in 4f2ccf8
which gets called at
with mina-sshd/sshd-common/src/main/java/org/apache/sshd/common/NamedFactory.java Lines 51 to 57 in 4f2ccf8
should call
I have no idea why the check might not be effective for some setups. I have been wondering, though, why everybody seems to use "soft requirements" with maven. In OSGi (e.g., the JGit MANIFEST.MFs) we always use hard requirements with strict version ranges. It seems that even though we specify 1.78.1 as minimum it can at runtime still resolve to an earlier BC version? There might also be something not quite right with our
Oh dear. This is wrong:
That's not "ignore unsupported", it's "include unsupported"! Gerrit calls it (quite naturally) with the value The filter should be Interestingly this bug has been in the code base since the method was introduced in 2015. :-(
Thanks for finding that! I wonder how many people make this kind of mistake with My eyes completely missed the
I've created issue #582 for this.
Version
2.13.1
Bug description
Using Mina SSHd inside Gerrit, if sntrup761x25519-sha512@openssh.com is enabled, then OpenSSH cannot connect with an "incorrect signature" error.
Actual behavior
Expected behavior
Both connections using sntrup761x25519-sha512@openssh.com and not using sntrup761x25519-sha512@openssh.com should work.
Relevant log output
No response
Other information
I'm not 100% sure if BouncyCastle is available on the classpath; I'll add some more debugging information once it's available.
This KEX method is new and was added in #498 by @tomaswolf