DROPBEAR_2025.87 / 88 crashes at keyexchange with curve25519-sha256
Hello
My localoptions.h (attached) disables RSA and uses KEX curve25519 or ecdh
DROPBEAR_2025.88 crashes:
dani@schmitt:~$ ssh -v [email protected]
OpenSSH_9.2p1 Debian-2+deb12u6, OpenSSL 3.0.16 11 Feb 2025
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 192.168.0.177 [192.168.0.177] port 22.
debug1: Connection established.
debug1: identity file /home/dani/.ssh/id_rsa type 0
debug1: identity file /home/dani/.ssh/id_rsa-cert type -1
debug1: identity file /home/dani/.ssh/id_ecdsa type -1
debug1: identity file /home/dani/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/dani/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/dani/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/dani/.ssh/id_ed25519 type 3
debug1: identity file /home/dani/.ssh/id_ed25519-cert type -1
debug1: identity file /home/dani/.ssh/id_ed25519_sk type -1
debug1: identity file /home/dani/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/dani/.ssh/id_xmss type -1
debug1: identity file /home/dani/.ssh/id_xmss-cert type -1
debug1: identity file /home/dani/.ssh/id_dsa type -1
debug1: identity file /home/dani/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u6
kex_exchange_identification: read: Connection reset by peer
Connection reset by 192.168.0.177 port 22
The crash starts within the following commit:
The crash happens within the following commit
Author: Matt Johnston <[email protected]>
Author date: 5 months ago (12/13/2024 4:09:15 PM)
Commit date: 5 months ago (12/14/2024 3:35:01 PM)
Commit hash: 440b7b5c4ffb9c36c2ffc24efbf3733c296d5909
Children: 73f2a96817
Parent(s): 0756c9509a
Add sntrup761x25519-sha512 post-quantum key exchange
.....
Contained in branches: (HEAD detached at DROPBEAR_2025.88), test1, test4
Contained in tags: DROPBEAR_2025.88, DROPBEAR_2025.87
DROPBEAR_2024.86 is working:
dani@schmitt:~$ ssh -v [email protected]
OpenSSH_9.2p1 Debian-2+deb12u6, OpenSSL 3.0.16 11 Feb 2025
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 192.168.0.177 [192.168.0.177] port 22.
debug1: Connection established.
debug1: identity file /home/dani/.ssh/id_rsa type 0
debug1: identity file /home/dani/.ssh/id_rsa-cert type -1
debug1: identity file /home/dani/.ssh/id_ecdsa type -1
debug1: identity file /home/dani/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/dani/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/dani/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/dani/.ssh/id_ed25519 type 3
debug1: identity file /home/dani/.ssh/id_ed25519-cert type -1
debug1: identity file /home/dani/.ssh/id_ed25519_sk type -1
debug1: identity file /home/dani/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/dani/.ssh/id_xmss type -1
debug1: identity file /home/dani/.ssh/id_xmss-cert type -1
debug1: identity file /home/dani/.ssh/id_dsa type -1
debug1: identity file /home/dani/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u6
debug1: Remote protocol version 2.0, remote software version dropbear_2024.86
debug1: compat_banner: no match: dropbear_2024.86
debug1: Authenticating to 192.168.0.177:22 as 'admin'
debug1: load_hostkeys: fopen /home/dani/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:Ydn4Yy6zyEd/7qEIgIRBRnKmO2wkOJDRkcG1a4dxAGY
debug1: load_hostkeys: fopen /home/dani/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.0.177' is known and matches the ED25519 host key.
debug1: Found key in /home/dani/.ssh/known_hosts:10
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /home/dani/.ssh/id_rsa RSA SHA256:uawGH49BqbTMDMx1ZpeQnoBSEa/jypxGijFkAZPGU8c
debug1: Will attempt key: /home/dani/.ssh/id_ecdsa
debug1: Will attempt key: /home/dani/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/dani/.ssh/id_ed25519 ED25519 SHA256:CBEOi+fooBJGvMqv2gG4eqiyb45kPqbv1KQRUhFR1w0
debug1: Will attempt key: /home/dani/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/dani/.ssh/id_xmss
debug1: Will attempt key: /home/dani/.ssh/id_dsa
debug1: SSH2_MSG_SERVICE_ACCEPT received
bueroOben
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/dani/.ssh/id_rsa RSA SHA256:uawGH49BqbTMDMx1ZpeQnoBSEa/jypxGijFkAZPGU8c
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/dani/.ssh/id_ecdsa
debug1: Trying private key: /home/dani/.ssh/id_ecdsa_sk
debug1: Offering public key: /home/dani/.ssh/id_ed25519 ED25519 SHA256:CBEOi+fooBJGvMqv2gG4eqiyb45kPqbv1KQRUhFR1w0
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/dani/.ssh/id_ed25519_sk
debug1: Trying private key: /home/dani/.ssh/id_xmss
debug1: Trying private key: /home/dani/.ssh/id_dsa
debug1: Next authentication method: password
[email protected]'s password:
Authenticated to 192.168.0.177 ([192.168.0.177]:22) using "password".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"
I am cross-compiling for 32-bit Linux PowerPC (MPC5200B) big-endian and Arm v7 Cortex®-A7 32-bit (LS1021A).
Attaching localoptions.h does not work, so here is the content:
#define DROPBEAR_SVR_PASSWORD_AUTH 0
#define DROPBEAR_SVR_PAM_AUTH 1
#define DROPBEAR_RSA 0
#define DROPBEAR_RSA_SHA1 0
#define DROPBEAR_DH_GROUP14_SHA1 0
#define DROPBEAR_DH_GROUP14_SHA256 0
#define DROPBEAR_CHACHA20POLY1305 0
#define DROPBEAR_SNTRUP761 0
#define DROPBEAR_MLKEM768 0
I can't reproduce a crash here (testing on x86-64). The regression commit doesn't change much when DROPBEAR_SNTRUP761 is disabled. You could try setting KEXHASHBUF_MAX_INTS to the prior value, though if that were wrong I'd expect an error message failure.
https://github.com/mkj/dropbear/commit/440b7b5c4ffb9c36c2ffc24efbf3733c296d5909#diff-f570026aa1c9a5b5a1de627e5fc79a9b94350732c583d55c7209f3bd100d831eL257
Did you "make clean" between revisions?
Setting only KEXHASHBUF_MAX_INTS did not fix it, but I also did "brute force"
#define MAX_PUBKEY_SIZE 1700
#define MAX_PRIVKEY_SIZE 1700
#define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
like it was before. This fixed it (on DROPBEAR_2025.88). I am out of office until June 10; after that I can do more 32-bit powerpc/arm tests if needed. THX for your work.
Update: To narrow things down I switched from pam auth to password auth. This did not change anything.
I removed dropbear from initd and started it in foreground
root@bueroOben#./dropbear -F -E
[5037] Jun 10 13:21:03 Early exit: Bad buf_getptr
As seen, it exits immediately (sorry, I did not do this before).
Setting MAX_PRIVKEY_SIZE to its old value in the #else branch of key type size fixes the issue in my setup
diff --git a/src/sysoptions.h b/src/sysoptions.h
index 2f3e64e..acc295f 100644
--- a/src/sysoptions.h
+++ b/src/sysoptions.h
@@ -269,7 +269,7 @@
#else
/* 521 bit ecdsa key */
#define MAX_PUBKEY_SIZE 200
-#define MAX_PRIVKEY_SIZE 200
+#define MAX_PRIVKEY_SIZE 1700
#endif
/* For kex hash buffer, worst case size for Q_C || Q_S || K */
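Review bot: in the #else branch the new MAX_PRIVKEY_SIZE 1700 still sits under the comment "521 bit ecdsa key", so the bound no longer matches its stated reason; either update the comment to say what 1700 covers, or size the define from the largest serialized private key of the enabled key types. MAX_PUBKEY_SIZE stays at 200 on the line above and the kex hash buffer comment follows directly, so both are worth re-checking against the same worst case.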
Additionally, here is the config.log file of my powerpc build: config.log
Hi, I'm facing the same issue. I'm using key type ECDSA with a key size of 521 bytes.
Also dropbearkey throws an error:
# dropbearkey -t ecdsa -s 521 -f /tmp/etc/dropbear.key
Generating 521 bit ecdsa key, this may take a while...
Exited: Bad buf_getwriteptr
When will there be a fix available?
I'll investigate more and try to reproduce here. @SebastianKonplan what platform are you running on?
Hi @mkj, I think the platform used is irrelevant here. The issue is that a MAX_PRIVKEY_SIZE of 200 is used for allocating memory for the private key if RSA and DSS are disabled. This is also the case in my configuration. With ECDSA and 521 byte key size the private key file is 241 bytes in my case. The code wants to access the buffer with more than the defined 200 bytes. The patch from @dani-schmitt above also fixes the issue for me. I am working on arm32 and arm64 platforms.
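The size arithmetic behind the limits discussed in this thread, as an added example (not Dropbear's code and not written by any participant). It assumes the private key is serialized SSH-style as string key-type, string curve name, string Q (uncompressed point), mpint d; `demo_buf`, `demo_reserve`, `ecdsa_priv_max` and `key_fits` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a bounds-checked buffer (hypothetical, not Dropbear's type). */
struct demo_buf { size_t size, pos; };

/* Reserve n bytes; -1 is the refusal a checked buffer gives on overrun. */
static int demo_reserve(struct demo_buf *b, size_t n) {
    if (n > b->size - b->pos) return -1;
    b->pos += n;
    return 0;
}

/* SSH "string"/"mpint" framing: 4-byte length prefix plus payload. */
static size_t framed(size_t payload) { return 4 + payload; }

/* Worst-case field sizes for an ECDSA private key, ASSUMING the layout
 * string key-type || string curve || string Q (uncompressed) || mpint d. */
static void ecdsa_fields(unsigned bits, size_t out[4]) {
    size_t coord = (bits + 7) / 8;                  /* bytes per coordinate */
    out[0] = framed(strlen("ecdsa-sha2-nistp521")); /* same length for 256/384 */
    out[1] = framed(strlen("nistp521"));
    out[2] = framed(1 + 2 * coord);                 /* 0x04 || X || Y */
    out[3] = framed(bits / 8 + 1);                  /* longest mpint encoding of d */
}

size_t ecdsa_priv_max(unsigned bits) {
    size_t f[4];
    ecdsa_fields(bits, f);
    return f[0] + f[1] + f[2] + f[3];
}

/* 1 if every field fits in a buffer of `limit` bytes, else 0. */
int key_fits(size_t limit, unsigned bits) {
    struct demo_buf b = { limit, 0 };
    size_t f[4];
    ecdsa_fields(bits, f);
    for (int i = 0; i < 4; i++)
        if (demo_reserve(&b, f[i]) != 0) return 0;
    return 1;
}

int main(void) {
    const unsigned curves[] = { 256, 384, 521 };
    const size_t limits[] = { 200, 1700 };          /* values from the thread */
    for (int l = 0; l < 2; l++)
        for (int c = 0; c < 3; c++)
            printf("limit %4zu  P-%u  worst case %3zu  %s\n", limits[l], curves[c],
                   ecdsa_priv_max(curves[c]), key_fits(limits[l], curves[c]) ? "fits" : "overrun");
    return 0;
}
```

Under that assumed layout a P-521 key needs up to 242 bytes, which is consistent with the 241-byte file reported above and exceeds a 200-byte limit, while P-256 and P-384 keys stay below it.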
Thanks, this should be fixed now. It wasn't platform dependent, I just didn't have private ecdsa keys being loaded here when I tested.
Thx a lot @mkj for the fix. I'm looking forward to a new version with the fix.