x/crypto/ssh: server gcmCipher appears to do erroneous check for padding size #18953
Comments
|
Hmmm. I tried removing the check and testing to see if it works. Now I get Likely something more going on here. Regardless, I think it warrants investigation as this client is pretty widely used. I guess now I cannot be sure if the problem is in Go or in this client. |
odeke-em
changed the title
|
there is a test under test/ which runs all ciphers against openSSH. If the cipher doesn't follow spec, it should fail. |
|
for reference, AES-GCM was reviewed here: https://codereview.appspot.com/57720043/ |
|
For reference, I'm hitting this on OpenSSH 7.4p1: |
|
I'm having something similar happening to me. Scenario: I'm running a Golang SSH server on localhost for tests.
Changing the gcmReadPacket to skip the max padding size: https://github.com/golang/crypto/blob/master/ssh/cipher.go#L395 To: Makes the OpenSSH client work fine. My Q is what's different with the gcm not allowing >= 20 bytes of padding? |
|
GCM was added in https://codereview.appspot.com/57720043/ , by me. |
https://codereview.appspot.com/57720043/diff/20001/ssh/cipher.go assumption: I put this in because the writing side only needs up to 19 bytes of padding (https://codereview.appspot.com/57720043/diff/20001/ssh/cipher.go, line 249). https://tools.ietf.org/html/rfc5647 says byte padding_length; // 4 <= padding_length < 256 so the padding can be larger. Should probably check how OpenSSH calculates the padding to make sure we are following their spec. |
|
CL https://golang.org/cl/47590 mentions this issue. |
The writing side would generate a maximum of 19 bytes of padding, so the reading side erroneously checked this. However, RFC 5647 specifies 255 as the maximum amount of padding for AES-GCM. Fixes golang/go#18953. Change-Id: I416b0023c6e4cbd91a6a1b4214a03f1663b77248 Reviewed-on: https://go-review.googlesource.com/47590 Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
The writing side would generate a maximum of 19 bytes of padding, so the reading side erroneously checked this. However, RFC 5647 specifies 255 as the maximum amount of padding for AES-GCM. Fixes golang/go#18953. Change-Id: I416b0023c6e4cbd91a6a1b4214a03f1663b77248 Reviewed-on: https://go-review.googlesource.com/47590 Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
The writing side would generate a maximum of 19 bytes of padding, so the reading side erroneously checked this. However, RFC 5647 specifies 255 as the maximum amount of padding for AES-GCM. Fixes golang/go#18953. Change-Id: I416b0023c6e4cbd91a6a1b4214a03f1663b77248 Reviewed-on: https://go-review.googlesource.com/47590 Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
The writing side would generate a maximum of 19 bytes of padding, so the reading side erroneously checked this. However, RFC 5647 specifies 255 as the maximum amount of padding for AES-GCM. Fixes golang/go#18953. Change-Id: I416b0023c6e4cbd91a6a1b4214a03f1663b77248 Reviewed-on: https://go-review.googlesource.com/47590 Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
The writing side would generate a maximum of 19 bytes of padding, so the reading side erroneously checked this. However, RFC 5647 specifies 255 as the maximum amount of padding for AES-GCM. Fixes golang/go#18953. Change-Id: I416b0023c6e4cbd91a6a1b4214a03f1663b77248 Reviewed-on: https://go-review.googlesource.com/47590 Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
The writing side would generate a maximum of 19 bytes of padding, so the reading side erroneously checked this. However, RFC 5647 specifies 255 as the maximum amount of padding for AES-GCM. Fixes golang/go#18953. Change-Id: I416b0023c6e4cbd91a6a1b4214a03f1663b77248 Reviewed-on: https://go-review.googlesource.com/47590 Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
The writing side would generate a maximum of 19 bytes of padding, so the reading side erroneously checked this. However, RFC 5647 specifies 255 as the maximum amount of padding for AES-GCM. Fixes golang/go#18953. Change-Id: I416b0023c6e4cbd91a6a1b4214a03f1663b77248 Reviewed-on: https://go-review.googlesource.com/47590 Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
I think the problem is here: https://github.com/golang/crypto/blob/master/ssh/cipher.go#L347
Based on my reading of the RFC, padding up to 255 is permitted. https://tools.ietf.org/html/rfc4253#section-6
What version of Go are you using (
go version)?go version devel +4cce27a3fa Sat Jan 21 03:20:55 2017 +0000 linux/amd64
What operating system and processor architecture are you using (
go env)?GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH=""
GORACE=""
GOROOT="/usr/lib/google-golang"
GOTOOLDIR="/usr/lib/google-golang/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build525614664=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
What did you do?
What did you expect to see?
Successful SSH login.
What did you see instead?
Server has error "ssh: illegal padding 79".
Client says server closed connection.
The text was updated successfully, but these errors were encountered: