
Re: libssh 0.9.7 and 0.10.5 were released


On 5/15/23 18:09, Orion Poplawski wrote:
On 5/15/23 04:04, Jakub Jelen wrote:
On 5/9/23 19:25, Jakub Jelen wrote:
On 5/8/23 19:52, Jakub Jelen wrote:
On 5/8/23 04:05, Orion Poplawski wrote:
On 5/4/23 06:23, Jakub Jelen wrote:
Hello,

the libssh team released libssh 0.9.7 and 0.10.5, fixing previously
announced security issues CVE-2023-1667 and CVE-2023-2283:

https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/

We're seeing a test failure just on i686 on Fedora rawhide:

40/62 Test #40: torture_rekey ....................***Failed   23.34 sec
[==========] tests: Running 14 test(s).
OK: SSH-2.0-OpenSSH_9.0
[ RUN      ] torture_rekey_default
[       OK ] torture_rekey_default
[ RUN      ] torture_rekey_time
[       OK ] torture_rekey_time
[ RUN      ] torture_rekey_recv
[       OK ] torture_rekey_recv
[ RUN      ] torture_rekey_send
[       OK ] torture_rekey_send
[ RUN      ] torture_rekey_different_kex
[  ERROR   ] --- 0x20 != 0x40
[   LINE   ] ---
/builddir/build/BUILD/libssh-0.10.5/tests/client/torture_rekey.c:522:
error: Failure!
[  FAILED  ] torture_rekey_different_kex
[ RUN      ] torture_rekey_send_compression_delayed
[       OK ] torture_rekey_send_compression_delayed
[ RUN      ] torture_rekey_recv_compression_delayed
[       OK ] torture_rekey_recv_compression_delayed
[ RUN      ] torture_rekey_server_different_kex
OK: SSH-2.0-OpenSSH_9.0
[  ERROR   ] --- 0x20 != 0x40
[   LINE   ] ---
/builddir/build/BUILD/libssh-0.10.5/tests/client/torture_rekey.c:597:
error: Failure!
[  FAILED  ] torture_rekey_server_different_kex
[ RUN      ] torture_rekey_server_send
OK: SSH-2.0-OpenSSH_9.0
[       OK ] torture_rekey_server_send
[ RUN      ] torture_rekey_guess_send
OK: SSH-2.0-OpenSSH_9.0
[       OK ] torture_rekey_guess_send
[ RUN      ] torture_rekey_guess_wrong_send
OK: SSH-2.0-OpenSSH_9.0
[       OK ] torture_rekey_guess_wrong_send
[ RUN      ] torture_rekey_server_recv
OK: SSH-2.0-OpenSSH_9.0
[       OK ] torture_rekey_server_recv
[ RUN      ] torture_rekey_guess_recv
OK: SSH-2.0-OpenSSH_9.0
[       OK ] torture_rekey_guess_recv
[ RUN      ] torture_rekey_guess_wrong_recv
OK: SSH-2.0-OpenSSH_9.0
[       OK ] torture_rekey_guess_wrong_recv
[==========] tests: 14 test(s) run.
[  PASSED  ] 12 test(s).
[  FAILED  ] tests: 2 test(s), listed below:
[  FAILED  ] torture_rekey_different_kex
[  FAILED  ] torture_rekey_server_different_kex
   2 FAILED TEST(S)


any idea what might be causing that?


Hi,
I was hoping I debugged all these issues while working on the release, but
it looks like there are still some timing/memory/architecture variables.

This error happens in case the rekey did not happen as expected (unexpected
digest size). I was bumping the amount of sent data in [1] and [2]
in both branches, which looked like it solved the problem in upstream tests.
Another option might be adding some sleep between the sending and processing
of the packets to make sure the server gets its turn, but it is hard to say if this
would help ... the packet processing and rekey is asynchronous ... but
there might be better ways to do that.

[1]
https://gitlab.com/libssh/libssh-mirror/-/commit/31a33fd2fd0fdad7c814748fdff75c7390c7f06e [0.9]
[2]
https://gitlab.com/libssh/libssh-mirror/-/commit/dc1254d53e4fc6cbeb4797fc6ca1c9ed2c21f15c [0.10]

Regards,

From my understanding, this is an issue of the OpenSSH in Rawhide. I can
reliably reproduce it in mock and it goes away when I try the same code in
Fedora 38 (regardless of architecture).

There are several patches in rawhide openssh that are missing from the F38
version so I will continue some investigation tomorrow.

This is a Fedora OpenSSH bug on i686 (or an OpenSSL one):

https://bugzilla.redhat.com/show_bug.cgi?id=2203241

We are still investigating the real cause.

In the meantime, the libssh in Fedora rawhide was updated to skip this
test. Updates in older versions are landing as they do not have this issue.

Regards,

Thank you for the investigation and the updates.

For the record also here, the bottom line is that it is really a libssh test issue. I updated all stable versions of Fedora with the 0.10.5 version and verified that just giving more time for the (new) openssh server is really enough to make the test work. The upstream patch is here for anyone interested:

https://gitlab.com/libssh/libssh-mirror/-/merge_requests/370

I will also backport it to the 0.10 branch and Fedora rawhide as soon as it gets merged upstream.

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.

