author    Dirkjan Bussink <d.bussink@gmail.com>  2020-09-29 15:14:09 +0200
committer Jakub Jelen <jjelen@redhat.com>  2020-10-14 11:07:40 +0200
commit    42741b18832aa8acab51c53505efa263e8193537 (patch)
tree      e0261526c7b7b826120431416302e70389732a1c /README.mbedtls
parent    39cbe8178e94279282ca3a045ab126baaea2bb31 (diff)
Fix handshake bug with AEAD ciphers and no HMAC overlap (HEAD, master)

There's currently a bug in libssh where a handshake doesn't complete if there is no overlap between HMAC methods, even when an AEAD cipher is used. In the case of an AEAD cipher such as chacha20-poly1305 or aes256-gcm, the HMAC algorithm that is being picked is not relevant. But the problem here is that the HMAC still needs to have an overlap in the handshake, even if it is not used afterwards.

This was found with a very strict server-side configuration with libssh where only AEAD ciphers and EtM HMAC modes are accepted. The client tested against was dropbear. Dropbear does have support for chacha20-poly1305 and AES GCM modes, but no support for EtM HMAC modes. This meant that the libssh server in this case rejected the dropbear client, even though it is perfectly able to serve it since dropbear supports AEAD algorithms.

The fix implemented here updates the HMAC phase of the handshake to handle this case. If it detects that an AEAD cipher is used, it uses the HMAC abbreviations for the method instead. This is the same name that is used in other places as well. It matches the client-to-server and server-to-client values, but it does depend on the order of things in the ssh_kex_types_e enum, which I'm assuming here is ok since it's explicit.

I've looked at how to add a test for this, but I couldn't really find a suitable place for it. I would love some tips if this is easily possible, or if it's easier for someone else to contribute, that's of course welcome too.

Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Diffstat (limited to 'README.mbedtls')
0 files changed, 0 insertions, 0 deletions
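To make the negotiation rule in the commit message concrete, here is an added C example (not libssh's code) that models RFC 4253 algorithm selection over constructed client and server name-lists and applies the fix: with an AEAD cipher the MAC step no longer needs an overlap. The list contents, the AEAD cipher names and the choice to record the cipher's own name as the MAC method are assumptions of this example, not libssh's actual names.

```c
#include <string.h>
/* Constructed name-lists (assumption, not real configs): a strict server with
 * only AEAD ciphers and EtM MACs, and a dropbear-like client with the AEAD
 * ciphers but no EtM MAC, the situation described in the commit message. */
#define SERVER_CIPHERS "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"
#define SERVER_MACS    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com"
#define CLIENT_CIPHERS "aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"
#define CLIENT_MACS    "hmac-sha2-256,hmac-sha1"

/* Nonzero if the comma-separated name-list holds exactly name[0..n) as a whole
 * token, so "hmac-sha2-256" does not match "hmac-sha2-256-etm@openssh.com". */
static int list_contains(const char *list, const char *name, size_t n)
{
    for (const char *p = list; ; p++) {
        size_t len = strcspn(p, ",");
        if (len == n && memcmp(p, name, n) == 0) return 1;
        if (*(p += len) == '\0') return 0;
    }
}

/* RFC 4253 7.1: the first client algorithm also on the server's list wins.
 * Returns 0 with the name copied into out, or -1 when there is no overlap. */
int negotiate(const char *client, const char *server, char *out, size_t outlen)
{
    for (const char *p = client; ; p++) {
        size_t len = strcspn(p, ",");
        if (len < outlen && list_contains(server, p, len)) {
            memcpy(out, p, len); out[len] = '\0';
            return 0;
        }
        if (*(p += len) == '\0') { out[0] = '\0'; return -1; }
    }
}

int is_aead_cipher(const char *name)
{
    return !strcmp(name, "chacha20-poly1305@openssh.com") ||
           !strcmp(name, "aes128-gcm@openssh.com") || !strcmp(name, "aes256-gcm@openssh.com");
}
/* The commit's fix: under an AEAD cipher the MAC is never used, so no overlap is
 * required; record the cipher's own name as the MAC method (an assumption standing
 * in for libssh's AEAD abbreviations). Before the fix this fell through to negotiate(). */
int negotiate_mac(const char *cipher, const char *client_macs, const char *server_macs,
                  char *out, size_t outlen)
{
    if (!is_aead_cipher(cipher)) return negotiate(client_macs, server_macs, out, outlen);
    if (strlen(cipher) >= outlen) return -1;
    strcpy(out, cipher); return 0;
}
```

With the lists above, plain MAC negotiation fails (no shared method) while the cipher step picks chacha20-poly1305, which is exactly the rejected-but-serviceable dropbear case; negotiate_mac carries the handshake through.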