Fix bug with AEAD ciphers when compression is used. #15
Conversation
The inflater code expects the end of buffer to not include the AEAD tag.
I'm not sure what caused this failure with just ea4283a applied earlier:
It seems to have gone away after I pushed 1393e81 to try and get more details...
I also had test failures with my latest changes. Some flakiness, because when re-running the maven job without any code changes, it went through. Now it failed again after re-running. We need to investigate.
Yes, I've reproduced the intermittent failures locally and I'm attempting to track them down.
Yes, could be. Locally I have OpenJDK 14 and AlgorithmsIT#testJava11KEXs is failing.
com.jcraft.jsch.JSchException: There are not any available kexes.
at com.jcraft.jsch.Session.send_kexinit(Session.java:651)
at com.jcraft.jsch.Session.connect(Session.java:310)
at com.jcraft.jsch.Session.connect(Session.java:186)
at com.jcraft.jsch.AlgorithmsIT.doSftp(AlgorithmsIT.java:361)
at com.jcraft.jsch.AlgorithmsIT.testJava11KEXs(AlgorithmsIT.java:115)
…lgorithm in verify logging.
The Q_C value was not properly zero-extended to the full 32-byte length before being inserted into the SSH_MSG_KEX_ECDH_INIT packet, as well as for use in the hash H computation. Additionally, stop trying to clear the sign bit of Q values: this appears to be unnecessary (or is handled by the JCE X25519 implementation). Finally, validate the length of Q_S sent by the server in order to comply with section 3 of RFC 8731.
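The two encoding problems the commit above describes, shown as an added example that is not JSch's own code: BigInteger.toByteArray() is big-endian, may prepend a sign byte and drops leading zero bytes, so the u-coordinate has to be explicitly zero-extended to 32 little-endian bytes, and the peer's Q_S must be checked for that exact length before use. The class and method names are assumptions for illustration.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.XECPublicKey;

// Added example (not JSch code): fixed-length encoding of the X25519
// u-coordinate for Q_C, plus the RFC 8731 section 3 length check on Q_S.
public class X25519Encoding {
    static final int X25519_LEN = 32; // RFC 8731: Q_C and Q_S are exactly 32 octets

    // RFC 7748 encodes u little-endian. toByteArray() is big-endian, may carry a
    // leading 0x00 sign byte and omits leading zeros, so build the 32 bytes by hand.
    static byte[] encodeU(BigInteger u) {
        byte[] be = u.toByteArray();        // big-endian, 33 bytes (sign) or fewer than 32
        byte[] out = new byte[X25519_LEN];  // zero-filled: missing leading zeros are restored
        int n = Math.min(be.length, X25519_LEN);
        for (int i = 0; i < n; i++) {
            // copy the n least-significant bytes, reversing to little-endian
            out[i] = be[be.length - 1 - i];
        }
        return out;
    }

    // Reject a Q_S whose length is not 32 before it reaches the key agreement.
    static byte[] checkQS(byte[] qS) {
        if (qS == null || qS.length != X25519_LEN) {
            throw new IllegalArgumentException("Q_S must be " + X25519_LEN
                + " bytes, got " + (qS == null ? 0 : qS.length));
        }
        return qS;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("X25519");
        KeyPair kp = kpg.generateKeyPair();
        BigInteger u = ((XECPublicKey) kp.getPublic()).getU();
        byte[] qC = encodeU(u);
        System.out.println("Q_C length: " + qC.length); // always 32, whatever u's leading byte is

        // Constructed value with a zero top byte: toByteArray() yields only 31 bytes.
        byte[] small = encodeU(BigInteger.ONE.shiftLeft(240));
        System.out.println(small.length == 32 && small[30] == 1); // true: 2^240 sits in byte 30

        checkQS(qC);            // accepted
        checkQS(new byte[31]);  // throws IllegalArgumentException
    }
}
```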
Ok, I apologize for the overall size of this PR now: but I think I've finally tracked down the source of the intermittent test failures. It appears that the I've run the tests in a continuous loop locally for a couple hours this afternoon and didn't see any failures.
Ok, I let the tests run in a loop for almost 3 hours locally (
I don't believe any of these are caused by latent bugs in the new crypto code, so I believe the issues with the AES-GCM & X25519 implementations may finally be solved with the changes contained in this PR.
FYI, on a separate note: I now have an implementation of
I updated the integration tests to always test every cipher & mac both with and without compression enabled to hopefully catch issues like this in the future.