Ssh2 library not supporting Kex ecdh-sha2-nistp384 #332

Open
Manikanth952 opened this issue Oct 30, 2024 · 6 comments
Comments

@Manikanth952

Manikanth952 commented Oct 30, 2024

With SSH2, Kex ecdh-sha2-nistp384 is not being supported.

SSH handshake failed: Error { code: Session(-5), msg: "Unable to exchange encryption keys" }

sess.method_pref(ssh2::MethodType::Kex, "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521") -> Error: Error { code: Session(-33), msg: "The requested method(s) are not currently supported" }

We tried enabling this key algorithm using a macro to enable libssh2_ecdsa. Still it's not working.
This Kex support is highly needed from the SSH2 crate. If this is a bug, please provide an update with a fix.
If it's intentionally not supported, it would be great if you could provide the support.

@yodaldevoid
Collaborator

This may have been fixed with #334. Please let me know if you need anything else beyond that.

@Manikanth952
Author

> This may have been fixed with #334. Please let me know if you need anything else beyond that.

Thanks for the reply @yodaldevoid.
I tried pulling this libssh2 fix locally and provided this path in the toml. Still I see the same error, and below is the only supported kex list.

Ok(["diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1", "ext-info-c", "kex-strict-c-v00@openssh.com"])
[2024-11-05T20:41:43Z ERROR rscm_Conn] SSH handshake failed: Error { code: Session(-5), msg: "Unable to exchange encryption keys" }
Error: Error { code: Session(-5), msg: "Unable to exchange encryption keys" }

Also, any reason why this is not released as a proper version upgrade for ssh2? If you can mainline the changes as a version release, the runtime changes will take care of it.

@atulkhare4096

@yodaldevoid Note that the issue is specific to Windows. It appears to work without problems on Linux with version 0.9.4. Perhaps, this has something to do with the build options used on Windows for the libssh2-sys crate?

@Manikanth952
Author

@yodaldevoid, on Windows the libssh2-sys crate is using wincng instead of openssl.

```rust
// Excerpt from the libssh2-sys build script: on Windows the OpenSSL backend is
// only selected when the openssl-on-win32 feature is set; otherwise wincng is used.
if target.contains("windows") {
    cfg.include("libssh2/win32");
    cfg.define("LIBSSH2_WIN32", None);
    cfg.file("libssh2/src/agent_win.c");

    if env::var_os("CARGO_FEATURE_OPENSSL_ON_WIN32").is_some() {
        cfg.define("LIBSSH2_OPENSSL", None);
        cfg.define("HAVE_EVP_AES_128_CTR", None);
        cfg.file("libssh2/src/openssl.c");
        println!("cargo:rustc-link-lib=static=libssl");
        println!("cargo:rustc-link-lib=static=libcrypto");
    } else {
        // Default on Windows: the wincng backend.
        cfg.define("LIBSSH2_WINCNG", None);
        cfg.file("libssh2/src/wincng.c");
    }
}
```

We tried downloading openssl and setting the env variable, but we are facing build compilation issues. I tried manually running and installing the makefile using nmake, but I am still unable to build with openssl. Do we have any specific requirements and a procedure to build with openssl on Windows?
Also, there seems to be a bug in wincng in that it does not support the kex ecdh-sha2-nistp384.

Any fix on either building with openssl or wincng will unblock the issue.

@yodaldevoid
Collaborator

yodaldevoid commented Dec 17, 2024

Building with openssl on Windows should work as long as you use the openssl-on-win32 feature of ssh2, no environment variables are needed. It may be simplest to also use the vendored-openssl feature, though it isn't technically required.

@duhbbx

duhbbx commented Feb 10, 2025

https://github.com/libssh2/libssh2/blob/a312b43325e3383c865a87bb1d26cb52e3292641/src/wincng.h

```c
/*
 * Conditionally enable ECDSA support.
 *
 * ECDSA support requires the use of
 *
 *   BCryptDeriveKey(..., BCRYPT_KDF_RAW_SECRET, ... )
 *
 * This functionality is only available as of Windows 10. To maintain
 * backward compatibility, ECDSA support is therefore disabled
 * by default and needs to be explicitly enabled using a build
 * flag.
 */
#ifdef LIBSSH2_ECDSA_WINCNG
#define LIBSSH2_ECDSA 1
#else
#define LIBSSH2_ECDSA 0
#endif

/* The ECDH KEX methods are only compiled in when LIBSSH2_ECDSA is 1. */
static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = {
#if LIBSSH2_ED25519
    &kex_method_ssh_curve25519_sha256,
    &kex_method_ssh_curve25519_sha256_libssh,
#endif
#if LIBSSH2_ECDSA
    &kex_method_ecdh_sha2_nistp256,
    &kex_method_ecdh_sha2_nistp384,
    &kex_method_ecdh_sha2_nistp521,
#endif
    &kex_method_diffie_helman_group_exchange_sha256,
    &kex_method_diffie_helman_group16_sha512,
    &kex_method_diffie_helman_group18_sha512,
    &kex_method_diffie_helman_group14_sha256,
    &kex_method_diffie_helman_group14_sha1,
    &kex_method_diffie_helman_group1_sha1,
    &kex_method_diffie_helman_group_exchange_sha1,
    &kex_method_extension_negotiation,
    &kex_method_strict_client_extension,
    NULL
};
```

I guess that the macro LIBSSH2_ECDSA_WINCNG was not defined when ssh2-rs was built, which resulted in the kex list not having a corresponding ECDH method.
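The two error codes in this thread come from two different stages, and the following added example (not code from the ssh2 crate or libssh2) models both with no external dependencies: `method_pref` mimics libssh2 filtering a preference string against what the build supports (an empty result gives -33, the "not currently supported" error), and `negotiate_kex` mimics the KEXINIT pick of the first client preference the server also offers (no overlap gives -5, the handshake failure). `WINCNG_DEFAULT_KEX` is the list reported above for the wincng build; the server offer lists and the `is_weak_kex` helper are constructed here for illustration.

```rust
/// KEX methods reported by the Windows (wincng) build in this issue: no ECDH curves.
pub const WINCNG_DEFAULT_KEX: &[&str] = &[
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
    "ext-info-c",
    "kex-strict-c-v00@openssh.com",
];

/// ECDH methods a build with LIBSSH2_ECDSA (openssl, or wincng with
/// LIBSSH2_ECDSA_WINCNG) lists in front of the entries above.
pub const ECDH_KEX: &[&str] = &["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"];

/// Error codes as they appear in the ssh2::Error output quoted in this issue.
pub const ERROR_KEX_FAILURE: i32 = -5; // "Unable to exchange encryption keys"
pub const ERROR_METHOD_NOT_SUPPORTED: i32 = -33; // "The requested method(s) are not currently supported"

/// Model of session.method_pref(Kex, prefs): keep the requested methods the build
/// supports, in the requested order. Nothing kept means -33 before any network I/O.
pub fn method_pref(prefs: &str, supported: &[&str]) -> Result<Vec<String>, i32> {
    let kept: Vec<String> = prefs
        .split(',')
        .map(str::trim)
        .filter(|m| !m.is_empty() && supported.contains(m))
        .map(String::from)
        .collect();
    if kept.is_empty() { Err(ERROR_METHOD_NOT_SUPPORTED) } else { Ok(kept) }
}

/// Model of KEX negotiation (RFC 4253 section 7.1): the first client preference the
/// server also lists wins. "ext-info-c" and "kex-strict-*" are capability markers,
/// not key exchanges, so they never count as a match. No overlap is -5.
pub fn negotiate_kex(client_prefs: &[String], server_offers: &[&str]) -> Result<String, i32> {
    client_prefs
        .iter()
        .filter(|m| !m.starts_with("ext-info-") && !m.starts_with("kex-strict-"))
        .find(|m| server_offers.contains(&m.as_str()))
        .cloned()
        .ok_or(ERROR_KEX_FAILURE)
}

/// Defender-side check on whatever negotiate_kex picked: SHA-1 and group1 methods
/// are legacy fallbacks that a hardened server should not be offering.
pub fn is_weak_kex(method: &str) -> bool {
    method.ends_with("-sha1") || method.contains("group1-")
}
```

With the wincng list, a server that only offers the ECDH curves cannot be reached at all, while a server that also offers a DH group negotiates that group (and a SHA-1 group, if that is all that overlaps, should be flagged rather than silently accepted).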
