Bug 2233

Summary: curve25519-sha256@libssh.org Signature Failures When 'sshd' Used with Dropbear Clients
Product: Portable OpenSSH Reporter: Jon Simons <throwaway.xy+opensshbugzilla>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: major CC: djm
Priority: P5    
Version: 6.6p1   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 2226    

Description Jon Simons 2014-04-19 08:37:59 AEST 
Overview:

  When using the curve25519-sha256@libssh.org kex algorithm, host key signature
  validation will sometimes fail between an OpenSSH 'sshd' server and
  dropbear-2014.63 clients.

Steps to Reproduce:

  Download or build dropbear-2014.63 'dbclient' program.

  Run 'sshd' version 6.6p1 locally in one terminal:

    # grep -v "#" ./sshd_config | grep .
    PubkeyAuthentication yes
    AuthorizedKeysFile      .ssh/authorized_keys
    UsePrivilegeSeparation no

    # ssh-keygen -t rsa -N "" -q -f ./test-rsa-hostkey

    # $PWD/sshd -D -e -h $PWD/test-rsa-hostkey -p 1235 -f ./sshd_config

  In a second terminal run 'dbclient echo "hello"' commands in a loop:

    # ITER=1; echo "Start"; while [ $? -eq 0 ]; do let ITER=ITER+1; echo "$ITER"; ./dbclient -i ./test_id localhost/1235 echo "hello"; done

Actual Results:

  Eventually the loop above will fail.  Sometimes failure happens quickly,
  sometimes it can many iterations:

    ...
    82
    hello
    83
    hello
    84
    hello
    85
    ./dbclient: Connection to simonsj@localhost:1235 exited: Bad hostkey signature

Expected Results:

  The loop should never fail with the 'Bad hostkey signature' error above.

Build Date & Hardware:

  # git rev-parse HEAD
  19158b2447e35838d69b2b735fb640d1e86061ea

  # git show V_6_6_P1
  commit 19158b2447e35838d69b2b735fb640d1e86061ea
  Author: Damien Miller <djm@mindrot.org>
  Date:   Thu Mar 13 13:14:21 2014 +1100
  
       - (djm) Release OpenSSH 6.6
  ...

Additional Builds and Platforms:

  Also reproducible with 6.5p1.

Additional Information:

  Originally discovered here: https://red.libssh.org/issues/159.

  My understanding of the actual bug is that OpenSSH is generating the
  shared secret bignum value 'K' in a way that is not expected by other
  implementations.

  I believe the problem is in 'buffer_put_bignum2_from_string' (used by
  'kexc25519_shared_key'), as is mentioned here on the mailing list,
  with a patch to bufaux.c to fix:

    http://marc.info/?l=openssh-unix-dev&m=139699836815285&w=2

  With the bufaux.c patch applied, I am no longer able to reproduce
  the failure.

  I believe this bug affects interop of 'curve25519-sha256@libssh.org'
  going forward, so I've set Severity to 'major'.
Comment 1 Damien Miller 2014-04-19 10:28:18 AEST 
Yes, there's a bug in 6.5 and 6.5 that causes one of the components of the shared secret to be encoded incorrectly in about 0.2% of cases.

OpenSSH 6.7 will disable the curve25519 KEX when speaking to <6.7. I suggest that Dropbear do the same.
Comment 2 Damien Miller 2014-04-20 22:21:27 AEST 
*** Bug 2232 has been marked as a duplicate of this bug. ***
Comment 3 Damien Miller 2014-10-08 08:00:27 AEDT 
Close all bugs left open from 6.6 and 6.7 releases.