Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/ssh: Connections using "chacha20-poly1305@openssh.com" fail with "ssh: MAC failure" #23510

Closed
mark-adams opened this issue Jan 22, 2018 · 3 comments

Comments

@mark-adams
Copy link
Contributor

mark-adams commented Jan 22, 2018

What did you do?

I work on an SSH server project for hosting Git repositories and we recently updated our golang.org/x/crypto to a6600008915114d9c087fad9f03d75087b1a74df to get support for the chacha20-poly1305@openssh.com cipher. During our testing, we discovered that our SSH sessions seem to fail when using chacha20-poly1305@openssh.com. Some of our internal users reported that short SSH commands didn't see the problem (i.e. commands that reply with a single line of text) but attempting to clone a repository over SSH would fail.

The server sees a ssh: MAC failure and the client sees packet_write_wait: Connection to 10.192.25.108 port 22: Broken pipe.

I'm using OpenSSH 7.4 (client) against a server running golang.org/x/crypto at a660000.

Failing logs from ssh -vvv -c chacha20-poly1305@openssh.com
ssh-chacha20-poly1305.txt

Successful logs from ssh -vvv -c aes128-gcm
ssh-aes.txt

What version of Go are you using (go version)?

go version go1.9.1 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build670065654=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

What did you expect to see?

The SSH session did not fail.

What did you see instead?

The SSH session failed. The client saw a disconnect error and the server saw a ssh: MAC error.

cc: @hanwen

@gopherbot gopherbot added this to the Unreleased milestone Jan 22, 2018
@hanwen
Copy link
Contributor

hanwen commented Jan 22, 2018

thanks for the report. Looking.

@gopherbot
Copy link

Change https://golang.org/cl/88995 mentions this issue: ssh: remove chacha20-poly1305 from preferredCipher list

gopherbot pushed a commit to golang/crypto that referenced this issue Jan 22, 2018
This effectively disables the cipher.

Add a test against OpenSSH which sends larger packets through the
tested ciphers. This reproduces the problem reported in golang/go#23510

Change-Id: I4b124c690c409c6a0af2621e58a964ff55815f57
Reviewed-on: https://go-review.googlesource.com/88995
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
@gopherbot
Copy link

Change https://golang.org/cl/89075 mentions this issue: ssh: use io.ReadFull() for reading chacha20-poly1305 packets.

@golang golang locked and limited conversation to collaborators Jan 22, 2019
bored-engineer pushed a commit to bored-engineer/ssh that referenced this issue Oct 13, 2019
Incomplete reads leave (part of) the verification tag zeroed, leading
to a failing MAC, and this is more likely to happen with larger
packets. The test added in the previous commit should stop this from
regressing.

Reinstate chacha20-poly1305 as a default cipher and prefer it over AES
CTR flavors.

Fixes golang/go#23510

Change-Id: I7599897e59448edb7b814eebcc8226ea15b365d6
Reviewed-on: https://go-review.googlesource.com/89075
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
bored-engineer pushed a commit to bored-engineer/ssh that referenced this issue Oct 13, 2019
Incomplete reads leave (part of) the verification tag zeroed, leading
to a failing MAC, and this is more likely to happen with larger
packets. The test added in the previous commit should stop this from
regressing.

Reinstate chacha20-poly1305 as a default cipher and prefer it over AES
CTR flavors.

Fixes golang/go#23510

Change-Id: I7599897e59448edb7b814eebcc8226ea15b365d6
Reviewed-on: https://go-review.googlesource.com/89075
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
bored-engineer pushed a commit to bored-engineer/ssh that referenced this issue Oct 13, 2019
Incomplete reads leave (part of) the verification tag zeroed, leading
to a failing MAC, and this is more likely to happen with larger
packets. The test added in the previous commit should stop this from
regressing.

Reinstate chacha20-poly1305 as a default cipher and prefer it over AES
CTR flavors.

Fixes golang/go#23510

Change-Id: I7599897e59448edb7b814eebcc8226ea15b365d6
Reviewed-on: https://go-review.googlesource.com/89075
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 28, 2022
Incomplete reads leave (part of) the verification tag zeroed, leading
to a failing MAC, and this is more likely to happen with larger
packets. The test added in the previous commit should stop this from
regressing.

Reinstate chacha20-poly1305 as a default cipher and prefer it over AES
CTR flavors.

Fixes golang/go#23510

Change-Id: I7599897e59448edb7b814eebcc8226ea15b365d6
Reviewed-on: https://go-review.googlesource.com/89075
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 29, 2022
Incomplete reads leave (part of) the verification tag zeroed, leading
to a failing MAC, and this is more likely to happen with larger
packets. The test added in the previous commit should stop this from
regressing.

Reinstate chacha20-poly1305 as a default cipher and prefer it over AES
CTR flavors.

Fixes golang/go#23510

Change-Id: I7599897e59448edb7b814eebcc8226ea15b365d6
Reviewed-on: https://go-review.googlesource.com/89075
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
LewiGoddard pushed a commit to LewiGoddard/crypto that referenced this issue Feb 16, 2023
Incomplete reads leave (part of) the verification tag zeroed, leading
to a failing MAC, and this is more likely to happen with larger
packets. The test added in the previous commit should stop this from
regressing.

Reinstate chacha20-poly1305 as a default cipher and prefer it over AES
CTR flavors.

Fixes golang/go#23510

Change-Id: I7599897e59448edb7b814eebcc8226ea15b365d6
Reviewed-on: https://go-review.googlesource.com/89075
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
BiiChris pushed a commit to BiiChris/crypto that referenced this issue Sep 15, 2023
Incomplete reads leave (part of) the verification tag zeroed, leading
to a failing MAC, and this is more likely to happen with larger
packets. The test added in the previous commit should stop this from
regressing.

Reinstate chacha20-poly1305 as a default cipher and prefer it over AES
CTR flavors.

Fixes golang/go#23510

Change-Id: I7599897e59448edb7b814eebcc8226ea15b365d6
Reviewed-on: https://go-review.googlesource.com/89075
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

3 participants