<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Update - I have isolated the intermittent issue down to the interchangeable functions s_mp_exptmod_fast() and s_mp_exptmod() - by default s_mp_exptmod_fast() is compiled instead of s_mp_exptmod() [BN_MP_EXPTMOD_FAST_C] but both functions intermittently fail
and I decided to use s_mp_exptmod() as my focus because it's slightly simpler.</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
s_mp_exptmod() is called indirectly by rsa.c::buf_put_rsa_sign()'s call to mp_exptmod(). For the intermittent failing case if I call mp_exptmod() / s_mp_exptmod() immediately again with the same source mp_int structures it yields the correct data. Example -
debug code bolded:<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<blockquote style="border-color: rgb(200, 200, 200); border-left: 3px solid rgb(200, 200, 200); padding-left: 1ex; margin-left: 0.8ex; color: rgb(102, 102, 102);">
<div><span><span><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> DEF_MP_INT(rsa_s_backup);</span><span><br>
</span></b>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><b> DEF_MP_INT(rsa_s_backup_2);</b></span><br>
</div>
<span></span><br>
</span></span></div>
<div><b><span><span style="font-family: "Courier New", monospace; font-size: 10pt;"> mp_copy (&rsa_s, &rsa_s_backup);</span><span><br>
</span></span></b></div>
<div><span>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><b> mp_copy (&rsa_s, &rsa_s_backup_2);</b></span><br>
</div>
<div><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> if (mp_exptmod(&rsa_tmp1, key->d, key->n, &rsa_s) != MP_OKAY) {</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> dropbear_exit("RSA error");</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> }
</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><b> if (mp_exptmod(&rsa_tmp1, key->d, key->n, &rsa_s_backup) != MP_OKAY) {</b></span><b><br>
</b></div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><b> dropbear_exit("RSA error");</b></span><b><br>
</b></div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><b> }
</b></span><b><br>
</b></div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><b> if (mp_exptmod(&rsa_tmp1, key->d, key->n, &rsa_s_backup_2) != MP_OKAY) {</b></span><span style="font-family: "Courier New", monospace; font-size: 10pt;"><b>
</b></span><b><br>
</b></div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><b> dropbear_exit("RSA error");</b></span><b><br>
</b></div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><b> }
</b></span><b><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> printf("after mp_exptmod\n");</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> dump_mp_int("rsa_s", &rsa_s);</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> dump_mp_int("rsa_s_backup", &rsa_s_backup);</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> dump_mp_int("rsa_s_backup_2", &rsa_s_backup_2);</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> comp_mp_int("rsa_s", "rsa_s_backup", &rsa_s, &rsa_s_backup);</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> comp_mp_int("rsa_s_backup", "rsa_s_backup_2", &rsa_s_backup, &rsa_s_backup_2);</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> mp_clear(&rsa_s_backup);</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> mp_clear(&rsa_s_backup_2);</span><br>
</b></div>
<b><span></span></b></span></div>
<br>
</blockquote>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Sample output from a failure, which contains the first portion of each mp_int->dp. Bolded text has wrong data:<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<blockquote style="border-color: rgb(200, 200, 200); border-left: 3px solid rgb(200, 200, 200); padding-left: 1ex; margin-left: 0.8ex; color: rgb(102, 102, 102);">
<span style="font-family: "Courier New", monospace; font-size: 10pt;">after mp_exptmod</span><span><br>
</span>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;">rsa_s [0xbef6c358]:</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 4a 00 00 00 c0 00 00 00 00 00 00 00 30 e1 8f 00 J...........0...</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><span style="font-family: "Courier New", monospace; font-size: 10pt">rsa_s</span>->dp [0x008fe130]:</span><br>
</div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 05 fb c0 0f 68 91 ff 0a 9f 05 57 0b 35 a2 bd 05 ....h.....W.5...</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0010 57 ec a0 0b 34 3c b1 0f fa 8b b5 08 ed aa 9c 04 W...4<..........</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0020 7e 88 bb 04 12 42 51 05 9a 6d 7d 0a 98 ef 12 0c ~....BQ..m}.....</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0030 76 e0 f4 0f ea 89 d7 0c 87 b0 76 03 12 a1 2d 0e v.........v...-.</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0040 d7 3c df 06 0f 54 92 04 23 90 .<...T..#.</span><br>
</b></div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;">rsa_s_backup [0xbef6c398]:</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 4a 00 00 00 c0 00 00 00 00 00 00 00 00 d8 8f 00 J...............</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><span style="font-family: "Courier New", monospace; font-size: 10pt">rsa_s_backup</span>->dp [0x008fd800]:</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 ec 9f a0 01 d4 8e e8 07 c3 ae df 0b 45 61 e6 06 ............Ea..</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0010 a1 99 59 03 d7 49 24 02 50 a6 ac 0a de a2 5c 0d ..Y..I$.P.....\.</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0020 cb b7 3c 05 33 cb da 08 28 10 f2 04 14 69 d6 07 ..<.3...(....i..</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0030 8c 8e a5 04 f5 fc 92 0c ba 88 d9 04 71 b4 b2 08 ............q...</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0040 bc 4f c7 0d de 73 f9 06 0d bf .O...s....</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;">rsa_s_backup_2 [0xbef6c3a8]:</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 4a 00 00 00 c0 00 00 00 00 00 00 00 e0 d1 8f 00 J...............</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><span style="font-family: "Courier New", monospace; font-size: 10pt">rsa_s_backup_2</span>->dp [0x008fd1e0]:</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 ec 9f a0 01 d4 8e e8 07 c3 ae df 0b 45 61 e6 06 ............Ea..</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0010 a1 99 59 03 d7 49 24 02 50 a6 ac 0a de a2 5c 0d ..Y..I$.P.....\.</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0020 cb b7 3c 05 33 cb da 08 28 10 f2 04 14 69 d6 07 ..<.3...(....i..</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0030 8c 8e a5 04 f5 fc 92 0c ba 88 d9 04 71 b4 b2 08 ............q...</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0040 bc 4f c7 0d de 73 f9 06 0d bf .O...s....</span><br>
</div>
<span style="font-family: "Courier New", monospace; font-size: 10pt;">rsa_s and rsa_s_backup differ</span><br>
</blockquote>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Sometimes it's the second or third call that yields the incorrect data. In this instance it was the second call:<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<blockquote style="border-color: rgb(200, 200, 200); border-left: 3px solid rgb(200, 200, 200); padding-left: 1ex; margin-left: 0.8ex; color: rgb(102, 102, 102);">
<span style="font-family: "Courier New", monospace; font-size: 10pt;"></span><span style="font-family: "Courier New", monospace; font-size: 10pt;">after mp_exptmod</span><span><br>
</span>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;">rsa_s [0xbe9a6358]:</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 4a 00 00 00 c0 00 00 00 00 00 00 00 30 c1 40 02 J...........0.@.</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><span style="font-family: "Courier New", monospace; font-size: 10pt">rsa_s</span>->dp [0x0240c130]:</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 25 b9 db 00 ec 62 00 0d 80 2d b0 0d 00 13 d3 06 %....b...-......</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0010 3f ec 8b 0a af 5d e9 03 2d f4 4b 0c 6c 3c 72 08 ?....]..-.K.l<r.</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0020 5d 52 6a 08 21 4c dd 01 a2 59 1a 03 33 16 97 0f ]Rj.!L...Y..3...</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0030 c7 69 c2 08 0b 61 d6 03 b9 86 fc 01 27 15 c8 0c .i...a......'...</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0040 dd 03 b1 04 78 c7 9f 0f d8 9c ....x.....</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;">rsa_s_backup [0xbe9a6398]:</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 4a 00 00 00 c0 00 00 00 00 00 00 00 00 b8 40 02 J.............@.</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><span style="font-family: "Courier New", monospace; font-size: 10pt">rsa_s_backup</span>->dp [0x0240b800]:</span><br>
</div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 df 86 0c 0a 6c 2f 68 09 f9 a1 37 01 26 02 e7 0b ....l/h...7.&...</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0010 69 5c b8 0e 0b 95 3a 0d 26 24 00 0e 97 6f dc 0b i\....:.&$...o..</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0020 64 95 ed 0a c0 75 53 03 66 3d ff 0b 26 4b ce 09 d....uS.f=..&K..</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0030 89 12 d2 03 9b 9b 0b 09 19 2c 5a 00 2c 99 fc 0b .........,Z.,...</span><br>
</b></div>
<div><b><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0040 ea ad 61 09 38 e1 6a 0a 49 a5 ..a.8.j.I.</span><br>
</b></div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;">rsa_s_backup_2 [0xbe9a63a8]:</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 4a 00 00 00 c0 00 00 00 00 00 00 00 e0 b1 40 02 J.............@.</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"><span style="font-family: "Courier New", monospace; font-size: 10pt">rsa_s_backup_2</span>->dp [0x0240b1e0]:</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0000 25 b9 db 00 ec 62 00 0d 80 2d b0 0d 00 13 d3 06 %....b...-......</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0010 3f ec 8b 0a af 5d e9 03 2d f4 4b 0c 6c 3c 72 08 ?....]..-.K.l<r.</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0020 5d 52 6a 08 21 4c dd 01 a2 59 1a 03 33 16 97 0f ]Rj.!L...Y..3...</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0030 c7 69 c2 08 0b 61 d6 03 b9 86 fc 01 27 15 c8 0c .i...a......'...</span><br>
</div>
<div><span style="font-family: "Courier New", monospace; font-size: 10pt;"> 0040 dd 03 b1 04 78 c7 9f 0f d8 9c</span><span style="font-family: "Courier New", monospace; font-size: 10pt;"> ....x.....</span><br>
</div>
<span style="font-family: "Courier New", monospace; font-size: 10pt;">rsa_s and rsa_s_backup differ</span><br>
</blockquote>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I have heavily instrumented s_mp_exptmod() but due to the complexity of the calcualtions performed it's proving very difficult to root down to the issue. What I can tell so far is the failure point within s_mp_exptmod() varies from instance to instance, which
is odd because the only potential variant between my three, back-to-back invocations are the memory allocations (buffer locations) triggered by mp_exptmod(), although the invocations usually get provided the same buffer addresses. I tried various scaffolding
code on the core memory allocation routines to isolate any buffer overruns/overwrites the logic might be performing, including padding each allocation by a large block of bytes, but the intermittent failure case still occurs. The behavior I'm observing almost
appears as if the execution context is being corrupted (ie, processor registers) because the failure point moves around the various elements of the logic within the routine from one failure to the next - sometimes I see an early-stage mp_int structure with
the wrong data, sometimes one that has undergone many transformations - all within s_mp_exptmod().<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Do you know if OpenWRT has any way to disable SMP at runtime, or a method or technique to provide a critical section around a block of code to prevent any preemptive task switches?<br>
</div>
<div>
<div id="appendonsend"></div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Horshack <horshack@live.com><br>
<b>Sent:</b> Thursday, March 19, 2020 7:11 AM<br>
<b>To:</b> Matt Johnston <matt@ucc.asn.au><br>
<b>Cc:</b> dropbear@ucc.asn.au <dropbear@ucc.asn.au><br>
<b>Subject:</b> Re: SSH key exchange fails 30-70% of the time on Netgear X4S R7800</font>
<div> </div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Thanks Matt, I'll give that a shot when I get a build environment set up for the server-side/openwrt.
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I also plan to look at the RSA blinding logic in buf_put_rsa_sign(). Considering the intermittency of the issue I'm thinking the issue has some correlation or dependency to the random data generated or transformed by that logic. Crypto is well outside my core
competency so it'll be slow-going.<br>
</div>
<div>
<div id="x_appendonsend"></div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Matt Johnston <matt@ucc.asn.au><br>
<b>Sent:</b> Thursday, March 19, 2020 7:04 AM<br>
<b>To:</b> Horshack <horshack@live.com><br>
<b>Cc:</b> dropbear@ucc.asn.au <dropbear@ucc.asn.au><br>
<b>Subject:</b> Re: SSH key exchange fails 30-70% of the time on Netgear X4S R7800</font>
<div> </div>
</div>
<div class="" style="word-wrap:break-word; line-break:after-white-space">Hi,
<div class=""><br class="">
</div>
<div class="">The first thing I'd try would be to build with -O0 compilation flags to rule out compiler optimisations doing something strange. </div>
<div class=""><br class="">
</div>
<div class="">Cheers,</div>
<div class="">Matt</div>
<div class=""><br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Thu 19/3/2020, at 3:42 pm, Horshack <<a href="mailto:horshack@live.com" class="">horshack@live.com</a>> wrote:</div>
<br class="x_x_Apple-interchange-newline">
<div class="">
<div class="" style="font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
Update - I cloned and built the dbclient source so I could enable the debug tracing facility to get more information about the 'Bad hostkey signature'. The intermittent failure is detected in recv_msg_kexdh_reply() -> buf_rsa_verify() -> mp_cmd(). If I bypass
the buf_rsa_verify() call then the session proceeds normally without issue, which indicates everything else in the key exchange is working 100% of the time. I'll dig deeper to see why the signed host key sent by the server is wrong.<br class="">
</div>
<div class="" style="font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
<br class="">
</div>
<div class="" style="font-family:Helvetica; font-size:13px; font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none">
<hr tabindex="-1" class="" style="display:inline-block; width:605.625px">
<div id="x_x_divRplyFwdMsg" dir="ltr" class=""><font class="" style="font-size:11pt" face="Calibri, sans-serif"><b class="">From:</b><span class="x_x_Apple-converted-space"> </span>Horshack <br class="">
<b class="">Sent:</b><span class="x_x_Apple-converted-space"> </span>Wednesday, March 18, 2020 9:36 AM<br class="">
<b class="">To:</b><span class="x_x_Apple-converted-space"> </span><a href="mailto:dropbear@ucc.asn.au" class="">dropbear@ucc.asn.au</a> <<a href="mailto:dropbear@ucc.asn.au" class="">dropbear@ucc.asn.au</a>><br class="">
<b class="">Subject:</b><span class="x_x_Apple-converted-space"> </span>SSH key exchange fails 30-70% of the time on Netgear X4S R7800</font>
<div class=""> </div>
</div>
<div dir="ltr" class="">
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Hi,</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">I have a strange issue on my Netgear X4S R7800. Running either DD-WRT or OpenWrt, approximately 30-70% of my SSH login attempts fail. For OpenSSH clients the error reported is "error
in libcrypto". For the PuTTY client the error is more descriptive - "Signature from server's host key is invalid". The failure occurs even when using the OpenSSH client built in to OpenWrt itself (ie, SSH'ing into the router from the router via an existing
remote SSH session).</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">The failure appears to be at the tail end of the key exchange, before authentication. I've tried varying the cipher (aes128-ctr / aes256-ctr), the MAC (hmac-sha1 / hmac-sha2-256),
and the key exchange algo (curve25519-sha256 / <a href="mailto:curve25519-sha256@libssh.org" class="">
curve25519-sha256@libssh.org</a> / diffie-hellman-group14-sha256 / diffie-hellman-group14-sha1) but the intermittent failure still occurs. The frequency of failure is about the same for all these configuration options except for diffie-hellman-group14-sha256,
which fails much more frequently - it sometimes takes hundreds of attempts to succeed. Perhaps that will provide a clue to the underlying cause.<br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Once an SSH login succeeds the connection is stable. However if I initiate a manual rekey operation via ~R then the key re-exchange fails. The router is otherwise very stable with
no noticeable issues.</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">I'm an embedded firmware engineer but have never worked on DD-WRT/OpenWrt firmware or dropbear. I have a conceptual understanding of the key exchange algo but haven't looked at the
actual code of any implementation including Dropbear's. I'm seek ideas on how to troubleshoot this issue. Considering the problem is intermittent I'm thinking it's some variant in the key generation/exchange algorithm that's failing due to some issue with
the router, or a more remote possibility, an issue with the Dropbear implementation.<br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Here are pastebin links to the PuTTY full debug logs (w/raw data dumps) for both the failure and success cases:</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Failure Case:<span class="x_x_Apple-converted-space"> </span><a href="https://pastebin.com/MS2BtFmW" target="_blank" rel="noopener noreferrer" class="">https://pastebin.com/MS2BtFmW</a><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Success Case:<span class="x_x_Apple-converted-space"> </span><a href="https://pastebin.com/c4j66Ga9" target="_blank" rel="noopener noreferrer" class="">https://pastebin.com/c4j66Ga9</a><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">The only message I see from dropbear for a failed connection attempt is:</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class=""><a href="http://authpriv.info" class="">authpriv.info</a> dropbear[15948]: Child connection from 192.168.1.249:54819<br class="">
</span><span class=""><a href="http://authpriv.info" class="">authpriv.info</a> dropbear[15948]: Exit before auth: Disconnect received</span><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Thanks!</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<div class=""><br class="">
</div>
</div>
</div>
</div>
</div>
</body>
</html>