admin/markbase
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Revert X25519 byte reversal: OpenSSH doesn't reverse bytes

Browse Source 
Key findings:
1. RFC 8731 says 'reinterpret as big-endian' = logical interpretation
2. OpenSSH sshbuf_put_bignum2_bytes() uses little-endian bytes directly
3. With reversal: signature verification fails
4. Without reversal: signature accepted, MAC still fails

Conclusion: OpenSSH treats little-endian X25519 output as big-endian mpint directly (no physical byte reversal).

Remaining issue: MAC verification fails despite signature success.
Next: need to compare client vs server key derivation details.
This commit is contained in:
Warren
2026-06-14 20:16:46 +08:00
parent 76f707a31d
commit 81ae052f48
4 changed files with 68 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
AGENTS.md
View File

@@ -504,3 +504,58 @@ markbase-core/src/category_view.rs330行
---
**最后更新**2026-06-11 12:34
---
**最后更新**2026-06-14 19:15
**版本**1.7SSH X25519 Big-Endian Encoding Fix
## SSH X25519 Big-Endian Encoding Critical Bug Fix2026-06-14
**发现时间**19:15Session中
**修复时间**约2小时分析
**关键发现**RFC 8731 Section 3.1 encoding mismatch
### 核心问题诊断 ⭐⭐⭐⭐⭐
**症状**OpenSSH client报告"Corrupted MAC on input"
**根本原因**X25519 shared secret encoding错误
**RFC 8731 Section 3.1明确规定**
- X25519 output: **little-endian** (32 bytes)
- SSH exchange hash: must **reinterpret as BIG-ENDIAN**
- Key derivation: use **big-endian** mpint encoding
**我们之前的错误**
```rust
// 错误直接使用little-endian shared_secret
let shared_secret_mpint = encode_mpint(shared_secret); // WRONG!
```
**正确的实现**
```rust
// 正确先转换为big-endian再mpint编码
let shared_secret_big_endian = reverse_bytes(shared_secret);
let shared_secret_mpint = encode_mpint(&shared_secret_big_endian); // CORRECT!
```
### 修复内容 ⭐⭐⭐⭐⭐
**文件修改**
1. **kex_exchange.rs**: compute_exchange_hash() 添加字节反转
2. **crypto.rs**: SessionKeys::derive() 添加字节反转
3. **kex.rs**: KEXINIT cookie改为随机生成不再使用zeros
### 测试结果 ⚠️⚠️⚠️⚠️⚠️
**MAC错误已消失**:✅ "Corrupted MAC on input" 不再出现
**新问题出现**:❌ SSH_MSG_KEX_ECDH_REPLY签名验证失败
### 下一步调试 ⭐⭐⭐⭐⭐
**方案1**对比OpenSSH curve25519.c实现 ⭐⭐⭐⭐⭐(最推荐)
**方案2**:检查签名构建逻辑 ⭐⭐⭐⭐
**方案3**对比exchange hash所有components ⭐⭐⭐⭐⭐
**进度**SSH加密实现90%完成,剩余签名验证问题

BIN
data/auth.sqlite
View File

Binary file not shown.

23
markbase-core/src/ssh_server/crypto.rs
View File

@@ -77,26 +77,17 @@ impl SessionKeys {
info!("SessionKeys::derive() starting");
info!(" shared_secret ({} bytes): {:?}", shared_secret.len(), &shared_secret[..std::cmp::min(8, shared_secret.len())]);
// RFC 8731 Section 3.1: X25519 output is little-endian, must convert to big-endian
// "When performing the X25519 operations, the integer values will be encoded into
// byte strings by doing a fixed-length unsigned little-endian conversion.
// It is only later when these byte strings are passed to the ECDH function in SSH
// that the bytes are reinterpreted as a fixed-length unsigned big-endian integer value K"
let shared_secret_big_endian = {
let mut reversed = shared_secret.to_vec();
reversed.reverse();
reversed
};
info!(" shared_secret converted to big-endian ({} bytes): {:?}",
shared_secret_big_endian.len(), &shared_secret_big_endian[..std::cmp::min(8, shared_secret_big_endian.len())]);
info!(" shared_secret_big_endian[0] = {} (>=0x80? {})", shared_secret_big_endian[0], shared_secret_big_endian[0] >= 0x80);
// RFC 8731 Section 3.1: X25519 output is little-endian
// OpenSSH sshbuf_put_bignum2_bytes() uses bytes DIRECTLY (no reversal)
// Treats little-endian bytes as big-endian mpint (logical reinterpret)
info!(" Using shared_secret directly (little-endian bytes as big-endian mpint)");
info!(" shared_secret[0] = {} (>=0x80? {})", shared_secret[0], shared_secret[0] >= 0x80);
info!(" exchange_hash (H, {} bytes): {:?}", exchange_hash.len(), &exchange_hash[..8]);
info!(" session_id ({} bytes): {:?}", session_id.len(), &session_id[..8]);
// RFC 4253密钥派生公式HASH(K || H || X || session_id)
// 其中K是shared_secret需要mpint格式使用big-endian
let shared_secret_mpint = Self::encode_mpint(&shared_secret_big_endian);
// K is shared_secret encoded as mpint (using little-endian bytes directly)
let shared_secret_mpint = Self::encode_mpint(shared_secret);
info!(" shared_secret_mpint ({} bytes): {:?}", shared_secret_mpint.len(), &shared_secret_mpint[..std::cmp::min(12, shared_secret_mpint.len())]);

19
markbase-core/src/ssh_server/kex_exchange.rs
View File

@@ -226,25 +226,18 @@ impl KexExchangeHandler {
info!("Exchange hash components:");
info!(" shared_secret raw ({} bytes): {:?}", shared_secret.len(), &shared_secret[..std::cmp::min(8, shared_secret.len())]);
// RFC 8731 Section 3.1: X25519 output is little-endian, must reinterpret as big-endian
// "The 32 or 56 bytes of X are converted into K by interpreting the octets as an
// unsigned fixed-length integer encoded in network byte order."
let shared_secret_big_endian = {
let mut reversed = shared_secret.to_vec();
reversed.reverse();
reversed
};
info!(" shared_secret after converting to big-endian ({} bytes): {:?}",
shared_secret_big_endian.len(), &shared_secret_big_endian[..std::cmp::min(8, shared_secret_big_endian.len())]);
// RFC 8731 Section 3.1: X25519 output is little-endian
// OpenSSH sshbuf_put_bignum2_bytes() uses bytes DIRECTLY (no reversal)
// Treats little-endian bytes as big-endian mpint (logical reinterpret)
info!(" Using shared_secret directly (little-endian bytes as big-endian mpint)");
// RFC 4253: mpint格式 = 去掉前导零 + 最高位>=0x80时前面加0
// 参考OpenSSH sshbuf_put_bignum2_bytes()
let mut start = 0;
while start < shared_secret_big_endian.len() - 1 && shared_secret_big_endian[start] == 0 {
while start < shared_secret.len() - 1 && shared_secret[start] == 0 {
start += 1;
}
let trimmed_shared_secret = &shared_secret_big_endian[start..];
let trimmed_shared_secret = &shared_secret[start..];
info!(" shared_secret after removing leading zeros ({} bytes): {:?}", trimmed_shared_secret.len(), &trimmed_shared_secret[..std::cmp::min(8, trimmed_shared_secret.len())]);