Overview:

When using the curve25519-sha256@libssh.org kex algorithm, host key signature validation will sometimes fail between an OpenSSH 'ssh' client and other SSH servers (dropbear-2014.63, libssh 0.6.3 or beyond).

Steps to Reproduce:

Download or build dropbear-2014.63 'dropbearkey' and 'dropbear' programs.

Start a dropbear server in one terminal (will use ~/.ssh/authorized_keys):

  # ./dropbearkey -t rsa -f ./test-rsa-hostkey
  # ./dropbear -r ./test-rsa-hostkey -F -p 1234 -v -E

In a second terminal run 'ssh echo "hello"' commands in a loop using 'ssh' from 6.6p1:

  # ITER=1; echo "Start"; while [ $? -eq 0 ]; do let ITER=ITER+1; echo "$ITER"; ./ssh -o KexAlgorithms="curve25519-sha256@libssh.org" -p 1234 localhost echo "hello"; done

Actual Results:

Eventually the loop above will fail. Sometimes failure happens quickly, sometimes it can take many iterations:

  ...
  hello
  224
  hello
  225
  hash mismatch
  key_verify failed for server_host_key

Expected Results:

The loop should never fail with the 'hash_mismatch' error above.

Build Date & Hardware:

  # git rev-parse HEAD
  19158b2447e35838d69b2b735fb640d1e86061ea
  # git show V_6_6_P1
  commit 19158b2447e35838d69b2b735fb640d1e86061ea
  Author: Damien Miller <djm@mindrot.org>
  Date:   Thu Mar 13 13:14:21 2014 +1100

      - (djm) Release OpenSSH 6.6
  ...

Additional Builds and Platforms:

Also reproducible with 6.5p1.

Additional Information:

Originally discovered here: https://red.libssh.org/issues/159.

My understanding of the actual bug is that OpenSSH is generating the shared secret bignum value 'K' in a way that is not expected by other implementations. I believe the problem is in 'buffer_put_bignum2_from_string' (used by 'kexc25519_shared_key'), as is mentioned here on the mailing list, with a patch to bufaux.c to fix: http://marc.info/?l=openssh-unix-dev&m=139699836815285&w=2

Some test results between a patched OpenSSH client and a libssh-based server are in the above libssh bug link, and they suggest that the patch does fix the problem.

I believe this bug affects interop of 'curve25519-sha256@libssh.org' going forward, so I've set Severity to 'major'.
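
An added illustration of the encoding issue the report points at (not code from OpenSSH, dropbear or libssh, and not part of the original report): RFC 4251 mpint encoding of the shared secret K must drop leading zero bytes, and the exchange hash H that the host key signs covers that encoding. `mpint_no_strip` is a hypothetical model that assumes the unpatched encoder kept leading zeros; the transcript bytes and sample secrets are constructed.

```python
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def mpint_minimal(secret: bytes) -> bytes:
    """RFC 4251 mpint for a non-negative big-endian value: strip leading
    zero bytes, then add one 0x00 only if the top bit would be set."""
    body = secret.lstrip(b"\x00")
    if body and body[0] & 0x80:
        body = b"\x00" + body
    return ssh_string(body)


def mpint_no_strip(secret: bytes) -> bytes:
    """Assumed pre-fix behaviour: sign padding only, leading zeros kept."""
    body = secret
    if body and body[0] & 0x80:
        body = b"\x00" + body
    return ssh_string(body)


def exchange_hash(transcript: bytes, k_encoded: bytes) -> bytes:
    """H = SHA-256(transcript || K); the host key signature covers H."""
    return hashlib.sha256(transcript + k_encoded).digest()


def encodings_agree(secret: bytes) -> bool:
    """True when both encoders put identical bytes for K into H."""
    return mpint_minimal(secret) == mpint_no_strip(secret)


# Constructed 32-byte X25519 outputs, not captured from a real session.
TRANSCRIPT = b"constructed V_C, V_S, I_C, I_S, K_S, Q_C, Q_S"
SAMPLES = {
    "typical": bytes([0x5A]) + bytes(range(1, 32)),
    "high bit set": bytes([0x9C]) + bytes(range(1, 32)),
    "leading zero": bytes([0x00, 0x3F]) + bytes(range(2, 32)),
    "zero then high bit": bytes([0x00, 0xC1]) + bytes(range(2, 32)),
}

if __name__ == "__main__":
    for name, secret in SAMPLES.items():
        print(f"{name:20s} encodings agree: {encodings_agree(secret)}")
```

Only the sample with a leading zero byte followed by a byte whose top bit is clear produces two different encodings of K, which fits a failure that shows up only on some iterations of the loop.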
*** This bug has been marked as a duplicate of bug 2233 ***
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1