x/crypto/ssh: chacha20-poly1305@openssh.com without common MAC algorithm. #51406

Closed
Daedaluz opened this issue Mar 1, 2022 · 2 comments
Daedaluz commented Mar 1, 2022

What version of Go are you using (go version)?

$ go version
go version go1.17.7 linux/amd64

Does this issue reproduce with the latest release?

yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/me/.cache/go-build"
GOENV="/home/me/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/me/src/go/pkg/mod"
GONOPROXY="*"
GONOSUMDB="*"
GOOS="linux"
GOPATH="/home/me/src/go"
GOPRIVATE="*"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17.7"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2220880823=/tmp/go-build -gno-record-gcc-switches"

What did you do?

```go
package main

import (
	"crypto/rand"
	"log"
	"net"

	"golang.org/x/crypto/ed25519"
	"golang.org/x/crypto/ssh"
)

// Server configuration that reproduces the issue: one AEAD cipher
// and a deliberately empty MAC list.
var sshConfig = &ssh.ServerConfig{
	Config: ssh.Config{
		KeyExchanges: []string{"curve25519-sha256@libssh.org"},
		Ciphers:      []string{"chacha20-poly1305@openssh.com"},
		//MACs:         []string{"hmac-sha1"},
		MACs: []string{},
	},
	NoClientAuth: true,
}

// handleSSHClient runs the SSH handshake and logs the negotiation error, if any.
func handleSSHClient(conn net.Conn) {
	sshClient, _, reqs, err := ssh.NewServerConn(conn, sshConfig)
	if err != nil {
		log.Println(err)
		conn.Close()
		return
	}
	go ssh.DiscardRequests(reqs)
	log.Println("handshake completed")
	sshClient.Close()
}

func main() {
	// Throwaway host key generated at startup.
	_, pKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal("generate key:", err)
	}
	signer, err := ssh.NewSignerFromKey(pKey)
	if err != nil {
		log.Fatal("signer:", err)
	}
	sshConfig.AddHostKey(signer)
	server, err := net.Listen("tcp", ":2222")
	if err != nil {
		log.Fatal("listen:", err)
	}
	for {
		client, err := server.Accept()
		if err != nil {
			log.Println(err)
			continue
		}
		go handleSSHClient(client)
	}
}
```

What did you expect to see?

Ignored MAC negotiation since chacha20-poly1305@openssh.com offers both encryption and authentication.

What did you see instead?

2022/03/01 15:32:24 ssh: no common algorithm for client to server MAC; client offered: [umac-64-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha1-etm@openssh.com umac-64@openssh.com umac-128@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha1], server offered: []

Adding any of the MAC algorithms supported by the client seems to make the connection work, but as I understand it, if using chacha20-poly1305@openssh.com then the offered MAC algorithms should be ignored and no MAC is required to be negotiated.

I tested with ssh -c chacha20-poly1305@openssh.com -p 2222 localhost

Did I understand something wrong, or is this a bug?

@gopherbot gopherbot added this to the Unreleased milestone Mar 1, 2022
@mengzhuo mengzhuo added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 2, 2022

mengzhuo commented Mar 2, 2022

cc @FiloSottile @rolandshoemaker

@gopherbot

Change https://go.dev/cl/389214 mentions this issue: ssh: ignore MAC if AEAD ciphers negotiated

iamacarpet pushed a commit to affordablemobiles/xcrypto that referenced this issue Aug 2, 2022
If the server/client cipher chosen is one of the two AEAD ciphers that
we support (aes128-gcm@openssh.com and chacha20-poly1305@openssh.com),
don't attempt to find a common MAC algorithm in findAgreedAlgorithms.
Similarly in newPacketCipher, don't attempt to generate a MAC key if we
are using an AEAD cipher.

Fixes golang/go#51406

Change-Id: Id48ae72f052cb0a0c597b32e9901a0f218e4161f
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/389214
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
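
The negotiation rule that the commit message describes, as an added Go example that is not the x/crypto/ssh source. `negotiate`, `findCommon`, `aeadCiphers` and the `skipMACForAEAD` switch are hypothetical names, and the inputs in `main` are constructed from the issue's server configuration and error log.

```go
package main

import "fmt"

// aeadCiphers holds the two AEAD ciphers named in the commit message.
var aeadCiphers = map[string]bool{
	"aes128-gcm@openssh.com":        true,
	"chacha20-poly1305@openssh.com": true,
}

// findCommon returns the first client preference that the server also lists.
func findCommon(what string, client, server []string) (string, error) {
	for _, c := range client {
		for _, s := range server {
			if c == s {
				return c, nil
			}
		}
	}
	return "", fmt.Errorf("no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
}

// negotiate agrees a cipher, then a MAC. With skipMACForAEAD set (hypothetical
// switch modelling the fix) an AEAD cipher ends negotiation with no MAC at all.
func negotiate(cCiphers, sCiphers, cMACs, sMACs []string, skipMACForAEAD bool) (cipher, mac string, err error) {
	cipher, err = findCommon("client to server cipher", cCiphers, sCiphers)
	if err != nil {
		return "", "", err
	}
	if skipMACForAEAD && aeadCiphers[cipher] {
		return cipher, "", nil // the AEAD cipher authenticates packets itself
	}
	mac, err = findCommon("client to server MAC", cMACs, sMACs)
	if err != nil {
		return "", "", err
	}
	return cipher, mac, nil
}

func main() {
	// Constructed inputs: the server offers one AEAD cipher and no MACs.
	ciphers := []string{"chacha20-poly1305@openssh.com"}
	clientMACs := []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"}
	for _, skip := range []bool{false, true} {
		c, m, err := negotiate(ciphers, ciphers, clientMACs, nil, skip)
		fmt.Printf("skipMACForAEAD=%v cipher=%q mac=%q err=%v\n", skip, c, m, err)
	}
}
```

A non-AEAD cipher such as aes128-ctr still fails without a common MAC in both modes, so the skip only applies where the cipher itself provides integrity.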
LewiGoddard pushed a commit to LewiGoddard/crypto that referenced this issue Feb 16, 2023
@golang golang locked and limited conversation to collaborators Mar 12, 2023
BiiChris pushed a commit to BiiChris/crypto that referenced this issue Sep 15, 2023