Bug 3306 - test_kex.c should check #ifdef USE_SNTRUP761X25519
Summary: test_kex.c should check #ifdef USE_SNTRUP761X25519
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Regression tests (show other bugs)
Version: 8.6p1
Hardware: Other Windows 10
: P5 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_8_7
  Show dependency treegraph
 
Reported: 2021-04-29 08:24 AEST by balu
Modified: 2022-02-25 13:58 AEDT (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description balu 2021-04-29 08:24:24 AEST 
V8_5 introduced an experimental key exchange method sntrup761x25519-sha512@openssh.com which is disabled by default.

test_kex.c assume the new kex method is enabled which is not true.

Code change - 
https://github.com/openssh/openssh-portable/blob/e86968280e358e62649d268d41f698d64d0dc9fa/regress/unittests/kex/test_kex.c#L205

From
    do_kex("sntrup761x25519-sha512@openssh.com");

To
#ifdef USE_SNTRUP761X25519
	do_kex("sntrup761x25519-sha512@openssh.com");
#endif
Comment 1 balu 2021-04-29 08:54:30 AEST 
Can you please clarify if sntrup761x25519-sha512@openssh.com is enabled by default or not? Also is it an experimental algorithm?

release page (https://www.openssh.com/releasenotes.html) says it's disable by default.

 ssh(1), sshd(8): update/replace the experimental post-quantum
   hybrid key exchange method based on Streamlined NTRU Prime coupled
   with X25519.

   The previous sntrup4591761x25519-sha512@tinyssh.org method is
   replaced with sntrup761x25519-sha512@openssh.com. Per its
   designers, the sntrup4591761 algorithm was superseded almost two
   years ago by sntrup761.

   (note this both the updated method and the one that it replaced are
   disabled by default)

openbsd man page (https://man.openbsd.org/sshd_config.5) says it's supported which means it's enabled.
Comment 2 Darren Tucker 2021-04-29 09:47:15 AEST 
(In reply to balu from comment #1)
> Can you please clarify if sntrup761x25519-sha512@openssh.com is
> enabled by default or not?

It's compiled in by default:
$ ssh -Q kex | grep sntrup
sntrup761x25519-sha512@openssh.com

as long as the compiler supports variable length arrays:
/*
 * sntrup761 uses variable length arrays, only enable if the compiler
 * supports them.
 */
#ifdef VARIABLE_LENGTH_ARRAYS
# define USE_SNTRUP761X25519 1
#endif

but it is not in the default KexAlgorithms list in either client:
$ ssh -F /dev/null -G localhost | grep kex
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

or server:
$ sudo /usr/sbin/sshd -f /dev/null -T | grep kex
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

so it is disabled by default and will never be used unless enabled at runtime by the user/admin in the configuration or flags.

> Also is it an experimental algorithm?

Yes.

[...]
> openbsd man page (https://man.openbsd.org/sshd_config.5) says it's
> supported which means it's enabled.

Those are not the same thing.  For example, diffie-hellman-group1-sha1 is also supported but not enabled by default.
Comment 3 Darren Tucker 2021-04-29 14:08:12 AEST 
Fixed.  Thanks for the report.
Comment 4 Damien Miller 2022-02-25 13:58:32 AEDT 
closing bugs resolved before openssh-8.9