You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Guillaume Nodet (JIRA)" <ji...@apache.org> on 2014/10/15 23:35:34 UTC
[jira] [Updated] (SSHD-330) Handshake fails (wrong shared secret) 1
out of 256 times
[ https://issues.apache.org/jira/browse/SSHD-330?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Guillaume Nodet updated SSHD-330:
---------------------------------
Fix Version/s: 0.9.1
> Handshake fails (wrong shared secret) 1 out of 256 times
> --------------------------------------------------------
>
> Key: SSHD-330
> URL: https://issues.apache.org/jira/browse/SSHD-330
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 0.11.0
> Reporter: Pasi Eronen
> Assignee: Guillaume Nodet
> Fix For: 0.12.0, 0.9.1
>
>
> The shared secret returned by KeyAgreement.generateSecret() is a byte array, which can (by chance, roughly 1 out of 256 times) begin with zero byte. In SSH, the shared secret is an integer, so we need to strip the leading zero(es).
> Some JCE providers might strip leading zeroes, though. SunJCE used to do this in Java 6, I think, but not anymore in Java 7 -- and there was an almost identical bug (handshake fails 1 out of 256 times) in Java's SSL/TLS implementation in early Java 7 versions (see http://bugs.java.com/view_bug.do?bug_id=8014618).
> Pull request here:
> https://github.com/apache/mina-sshd/pull/5
> How to reproduce with OpenSSH client (assuming Mina SSH server running in port 9922):
> for x in {1..500}; do sshpass -p wrong ssh -p9922 -oKexAlgorithms=diffie-hellman-group-exchange-sha1 someuser@localhost; done
> for x in {1..500}; do sshpass -p wrong ssh -p9922 -oKexAlgorithms=ecdh-sha2-nistp256 someuser@localhost; done
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)