You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2014/06/12 11:30:02 UTC
[jira] [Commented] (SSHD-330) Handshake fails (wrong shared secret)
1 out of 256 times
[ https://issues.apache.org/jira/browse/SSHD-330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14028968#comment-14028968 ]
ASF GitHub Bot commented on SSHD-330:
-------------------------------------
GitHub user pasieronen opened a pull request:
https://github.com/apache/mina-sshd/pull/5
SSHD-330 Strip leading zero(es) from the shared secret
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/pasieronen/mina-sshd SSHD-330-shared-secret-zeroes
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/mina-sshd/pull/5.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #5
----
commit e7ebbc6bf1e13ac0da00b75b12814cc7827eb18d
Author: Pasi Eronen <pe...@iki.fi>
Date: 2014-06-12T09:27:33Z
Strip leading zero(es) from the shared secret
----
> Handshake fails (wrong shared secret) 1 out of 256 times
> --------------------------------------------------------
>
> Key: SSHD-330
> URL: https://issues.apache.org/jira/browse/SSHD-330
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 0.11.0
> Reporter: Pasi Eronen
>
> The shared secret returned by KeyAgreement.generateSecret() is a byte array, which can (by chance, roughly 1 out of 256 times) begin with zero byte. In SSH, the shared secret is an integer, so we need to strip the leading zero(es).
> Some JCE providers might strip leading zeroes, though. SunJCE used to do this in Java 6, I think, but not anymore in Java 7 -- and there was an almost identical bug (handshake fails 1 out of 256 times) in Java's SSL/TLS implementation in early Java 7 versions (see http://bugs.java.com/view_bug.do?bug_id=8014618).
> How to reproduce with OpenSSH client (assuming Mina SSH server running in port 9922):
> for x in {1..500}; do sshpass -p wrong ssh -p9922 -oKexAlgorithms=diffie-hellman-group-exchange-sha1 someuser@localhost; done
> for x in {1..500}; do sshpass -p wrong ssh -p9922 -oKexAlgorithms=ecdh-sha2-nistp256 someuser@localhost; done
--
This message was sent by Atlassian JIRA
(v6.2#6252)