Possible bug derivation keys after keyexchange.

Stef Bon stefbon at gmail.com
Fri Feb 5 19:05:51 AEDT 2021


my client (osns-client, see: https://github.com/stefbon/OSNS) cannot
finish the keyexchange. After sending the newkeys message, the other
side (openssh 8.4p1) disconnects.

It has the ecdh curve25519-sha256 at libssh.org implemented, and
chacga20-poly1305 at openssh.com. Now the length required to init this
cypher is 64 bytes, and the hash length is 32 bytes. So two hashes
appended (2 x 32 = 64) should be enough.

Other key derivations work (64 bytes required, hash is 20 bytes).
Now looking at it since 64 is e neat multiple of 32, it's possible
that openssh just does an extra hash round, and that seems to be the

in file kex.c line 1033 the algorithm to create the required length
does not stop when need==have, which it should. RFC4253 says in
section 7.2:

"If the key length needed is longer than the output of the HASH, the
key is extended by computing HASH of the concatenation of K and H and
the entire key so far, and appending the resulting bytes (as many as
HASH generates) to the key.  This process is repeated until enough
key material is available; the key is taken from the beginning of this value. "

In other words if the key length is not longer than there is enough.
Not longer means less or equal.

What do you think?
I'll make my algo work like the one of openssh (still doing an extra
hash until hashed length > required) and report back.

Stef Bon
the Netherlands

More information about the openssh-unix-dev mailing list