[Bug 3475] New: ED25519 signature verification nondeterministic spurious failure
bugzilla-daemon at mindrot.org
Sun Sep 25 04:22:20 AEST 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=3475
Bug ID: 3475
Summary: ED25519 signature verification nondeterministic spurious failure
Product: Portable OpenSSH
Version: v9.0p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: douzzer at mega.nu
Created attachment 3614
--> https://bugzilla.mindrot.org/attachment.cgi?id=3614&action=edit
patch with a kludge fix
An update to net-misc/openssh-9.0_p1-r6 (Gentoo port) this morning led
immediately to nondeterministic (~50% failure rate) connection
failures, both in ssh and sshd, with this message:
ssh_dispatch_run_fatal: Connection to a.b.c.d port 22: incorrect signature
It quickly became apparent that the problem only affected connections
authenticated with ED25519.
I found, by instrumenting ed25519.c:crypto_sign_ed25519_open(), that
bit #256 (of 255 valid bits) in sm[] was nondeterministically set or
clear, whereas the corresponding bit in t2[] was always clear.
I strongly suspect the new behavior is due to new compiler behavior,
because (1) reverting to openssh-8.9_p1 fixed the problem even though
all ED source code is identical, and (2) reverting to a rebuilt
openssh-9.0_p1-r4 (Gentoo port revision again), which was functioning
flawlessly before the rebuild, did not fix the problem.
The compiler version for the openssh-9.0_p1-r4 that worked right was
gcc-11.3.0, versus currently installed gcc-11.3.1_p20220909.
For now I've kludged a fix for myself that just copies the spurious
256th bit from sm[31] to t2[31]. See attached patch. This is not the
right way to fix the problem of course.
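Added example, not code from the report or from OpenSSH: a compact pure-Python Ed25519 (RFC 8032 arithmetic, stdlib only) whose verify() has the same shape as crypto_sign_ed25519_open(), recomputing R' = S*B - k*A, packing it into t2 and comparing all 32 bytes with sm[0:32]. demo() signs with a constructed seed and message, then toggles bit 255 of the signature's R (the sm[31] & 0x80 bit the report describes) to show the comparison failing deterministically; the seed, message and function names are assumptions of this example.

```python
import hashlib
q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # group order
d = -121665 * pow(121666, q - 2, q) % q              # curve constant
I = pow(2, (q - 1) // 4, q)                          # sqrt(-1) mod q

def x_recover(y, parity=0):  # x for this y with the given parity (RFC 8032, 5.1.3)
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q) % q
    x = pow(xx, (q + 3) // 8, q)
    x = x * I % q if (x * x - xx) % q else x
    return q - x if (x & 1) != parity else x
By = 4 * pow(5, q - 2, q) % q
B = (x_recover(By), By)                              # base point
def add(P, Q):  # affine twisted Edwards addition: slow, but easy to audit
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, q - 2, q) % q,
            (y1 * y2 + x1 * x2) * pow(1 - t, q - 2, q) % q)
def mul(P, n):  # double-and-add scalar multiplication
    Q = (0, 1)
    while n:
        if n & 1: Q = add(Q, P)
        P, n = add(P, P), n >> 1
    return Q
def pack(P):  # 255 bits of y, then the parity of x as bit 255 (sm[31] & 0x80)
    return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")
def H(*parts):
    return hashlib.sha512(b"".join(parts)).digest()
def sign(seed, m):  # returns (pk, sm) for a 32-byte seed, per RFC 8032 5.1.6
    h = H(seed)
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | 1 << 254
    A = pack(mul(B, a))
    r = int.from_bytes(H(h[32:], m), "little") % L
    R = pack(mul(B, r))
    k = int.from_bytes(H(R, A, m), "little") % L
    return A, R + ((r + k * a) % L).to_bytes(32, "little")
def verify(A, m, sm):  # crypto_sign_ed25519_open() shape: t2 = pack(S*B - k*A)
    R, S = sm[:32], int.from_bytes(sm[32:], "little")
    if len(sm) != 64 or S >= L: return False
    k = int.from_bytes(H(R, A, m), "little") % L
    n = int.from_bytes(A, "little")
    x, y = x_recover(n & (1 << 255) - 1, n >> 255), n & (1 << 255) - 1
    t2 = pack(add(mul(B, S), mul((q - x, y), k)))    # S*B + k*(-A)
    return t2 == R                                   # all 32 bytes must match
def demo():  # constructed seed/message; flips bit 255 of R like the reported failure
    m = b"constructed message"
    A, sm = sign(b"constructed seed, not a real key", m)
    flipped = sm[:31] + bytes([sm[31] ^ 0x80]) + sm[32:]
    return verify(A, m, sm), verify(A, m, flipped)   # (True, False)
```

Copying the stray bit from sm[31] into t2[31], as the attached kludge does, would make the flipped signature pass as well, so it hides the mismatch rather than explaining where the wrong bit in sm[] comes from.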