[jira] [Commented] (SSHD-330) Handshake fails (wrong shared secret) 1 out of 256 times

Thu, 12 Jun 2014 02:30:26 -0700 

    [ 
https://issues.apache.org/jira/browse/SSHD-330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14028968#comment-14028968
 ] 

ASF GitHub Bot commented on SSHD-330:
-------------------------------------

GitHub user pasieronen opened a pull request:

    https://github.com/apache/mina-sshd/pull/5

    SSHD-330 Strip leading zero(es) from the shared secret

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/pasieronen/mina-sshd 
SSHD-330-shared-secret-zeroes

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/mina-sshd/pull/5.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #5
    
----
commit e7ebbc6bf1e13ac0da00b75b12814cc7827eb18d
Author: Pasi Eronen <[email protected]>
Date:   2014-06-12T09:27:33Z

    Strip leading zero(es) from the shared secret

----


> Handshake fails (wrong shared secret) 1 out of 256 times
> --------------------------------------------------------
>
>                 Key: SSHD-330
>                 URL: https://issues.apache.org/jira/browse/SSHD-330
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 0.11.0
>            Reporter: Pasi Eronen
>
> The shared secret returned by KeyAgreement.generateSecret() is a byte array, 
> which can (by chance, roughly 1 out of 256 times) begin with zero byte. In 
> SSH, the shared secret is an integer, so we need to strip the leading 
> zero(es).
> Some JCE providers might strip leading zeroes, though. SunJCE used to do this 
> in Java 6, I think, but not anymore in Java 7 -- and there was an almost 
> identical bug (handshake fails 1 out of 256 times) in Java's SSL/TLS 
> implementation in early Java 7 versions (see 
> http://bugs.java.com/view_bug.do?bug_id=8014618).
> How to reproduce with OpenSSH client (assuming Mina SSH server running in 
> port 9922):
> for x in {1..500}; do sshpass -p wrong ssh -p9922 
> -oKexAlgorithms=diffie-hellman-group-exchange-sha1 someuser@localhost; done 
> for x in {1..500}; do sshpass -p wrong ssh -p9922 
> -oKexAlgorithms=ecdh-sha2-nistp256 someuser@localhost; done 



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to