Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Bugs
[Bug 3306] test_kex.c should check #ifdef USE_SNTRUP761X25519
bugzilla-daemon at mindrot
Apr 28, 2021, 3:24 PM
Post #1 of 5 (289 views)
Permalink
https://bugzilla.mindrot.org/show_bug.cgi?id=3306

balu <balu.gajjala@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |balu.gajjala@gmail.com

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3306] test_kex.c should check #ifdef USE_SNTRUP761X25519 [ In reply to ]
bugzilla-daemon at mindrot
Apr 28, 2021, 3:54 PM
Post #2 of 5 (289 views)
Permalink
https://bugzilla.mindrot.org/show_bug.cgi?id=3306

--- Comment #1 from balu <balu.gajjala@gmail.com> ---
Can you please clarify if sntrup761x25519-sha512@openssh.com is enabled
by default or not? Also is it an experimental algorithm?

release page (https://www.openssh.com/releasenotes.html) says it's
disable by default.

ssh(1), sshd(8): update/replace the experimental post-quantum
hybrid key exchange method based on Streamlined NTRU Prime coupled
with X25519.

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per its
designers, the sntrup4591761 algorithm was superseded almost two
years ago by sntrup761.

(note this both the updated method and the one that it replaced are
disabled by default)

openbsd man page (https://man.openbsd.org/sshd_config.5) says it's
supported which means it's enabled.

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3306] test_kex.c should check #ifdef USE_SNTRUP761X25519 [ In reply to ]
bugzilla-daemon at mindrot
Apr 28, 2021, 4:47 PM
Post #3 of 5 (289 views)
Permalink
https://bugzilla.mindrot.org/show_bug.cgi?id=3306

Darren Tucker <dtucker@dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker@dtucker.net

--- Comment #2 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to balu from comment #1)
> Can you please clarify if sntrup761x25519-sha512@openssh.com is
> enabled by default or not?

It's compiled in by default:
$ ssh -Q kex | grep sntrup
sntrup761x25519-sha512@openssh.com

as long as the compiler supports variable length arrays:
/*
* sntrup761 uses variable length arrays, only enable if the compiler
* supports them.
*/
#ifdef VARIABLE_LENGTH_ARRAYS
# define USE_SNTRUP761X25519 1
#endif

but it is not in the default KexAlgorithms list in either client:
$ ssh -F /dev/null -G localhost | grep kex
kexalgorithms
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

or server:
$ sudo /usr/sbin/sshd -f /dev/null -T | grep kex
kexalgorithms
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

so it is disabled by default and will never be used unless enabled at
runtime by the user/admin in the configuration or flags.

> Also is it an experimental algorithm?

Yes.

[...]
> openbsd man page (https://man.openbsd.org/sshd_config.5) says it's
> supported which means it's enabled.

Those are not the same thing. For example, diffie-hellman-group1-sha1
is also supported but not enabled by default.

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3306] test_kex.c should check #ifdef USE_SNTRUP761X25519 [ In reply to ]
bugzilla-daemon at mindrot
Apr 28, 2021, 8:05 PM
Post #4 of 5 (289 views)
Permalink
https://bugzilla.mindrot.org/show_bug.cgi?id=3306

Darren Tucker <dtucker@dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3302


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3306] test_kex.c should check #ifdef USE_SNTRUP761X25519 [ In reply to ]
bugzilla-daemon at mindrot
Apr 28, 2021, 9:08 PM
Post #5 of 5 (289 views)
Permalink
https://bugzilla.mindrot.org/show_bug.cgi?id=3306

Darren Tucker <dtucker@dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED

--- Comment #3 from Darren Tucker <dtucker@dtucker.net> ---
Fixed. Thanks for the report.

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal