scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• gniibe
	Apr 21 2022, 6:41 AM

Description

Because of PQ crypto which size is larger, the data to be signed (with Ed25519) is too large (something like 330-byte). It's not OpenPGP which does double-hashing, the protocol uses bare data to be signed (not hashed beforehand).

While it can be signed by token/smartcard (at least with newer Gnuk), as long as it is smaller than the buffer size, scdaemon itself rejects, not asking token/smartcard.

Details

External Link: https://bugs.debian.org/1008573

Revisions and Commits

rG GnuPG
	rG07e43eda8dc6 scd: Don't inhibit SSH authentication for larger data if it can.
	rGe8fb8e2b3e66 scd: Don't inhibit SSH authentication for larger data if it can.

Related Objects

Mentioned In: T6105: Release GnuPG 2.2.37
T6074: gpg v2.3.6 doesnt work with ssh
T5931: OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required)

Event Timeline

With newer Gnuk Token, following patch should work:

diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index 05e1f3977..439052f8c 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -5490,6 +5490,11 @@ do_auth (app_t app, ctrl_t ctrl, const char *keyidstr,
           exmode = 1;    /* Use extended length.  */
           le_value = app->app_local->keyattr[2].rsa.n_bits / 8;
         }
+      else if (app->app_local->cardcap.cmd_chaining && indatalen > 254)
+        {
+          exmode = -254; /* Command chaining with max. 254 bytes.  */
+          le_value = 0;
+        }
       else if (indatalen > 255)
         {
           if (!app->app_local->cardcap.ext_lc_le)

I'll test soon.

• werner triaged this task as Normal priority.Apr 21 2022, 7:35 AM

• werner added a project: ssh.

• werner added a project: gnupg (gpg23).

I confirmed that the patch above works with newer Gnuk (>= 1.2.16).

• gniibe added a commit: rGe8fb8e2b3e66: scd: Don't inhibit SSH authentication for larger data if it can..Apr 22 2022, 4:52 AM

• gniibe added a project: Restricted Project.Apr 22 2022, 6:50 AM

Diaoul added a subscriber: Diaoul.Apr 24 2022, 7:36 PM

There is another case: RSA-4096 key. scdaemon rejects data by Invalid value. Unfortunately, there is no fix for this, as it's really too large. Even if scdaemon allows larger data, the card implementation rejects, when it conforms to PKCS #1 standard (data should not be larger than 40% of the modulus).

We are using rsa-4096 on smartcard for quite some time; so I wonder what's the problem here. Is that that we don't use our Assuan hack for large key material with OpenPGP.3?

Sorry, I was confused. For RSA-4096, data is hashed by gpg-agent and hashed data is signed by a card.

I was trying locate the place where it returns GPG_ERR_INV_VALUE.

It seems that it is Yubikey which errors (not scdaemon itself).
I'll check with Yubikey.

My Yubikey (Yubico.com Yubikey 4/5 OTP+U2F+CCID) (key Ed25519) works fine with OpenSSH using kex of sntrup761x25519-sha512@openssh.com.

dkg mentioned this in T5931: OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required).Apr 29 2022, 6:24 PM

KexAlgorithms -sntrup761x25519-sha512@openssh.com

• werner added a project: workaround.May 2 2022, 10:19 AM

I'm going to backport this to 2.2, as it found useful.

• gniibe added a commit: rG07e43eda8dc6: scd: Don't inhibit SSH authentication for larger data if it can..Jul 12 2022, 9:12 AM

• gniibe mentioned this in T6074: gpg v2.3.6 doesnt work with ssh.Jul 18 2022, 10:31 AM

• werner mentioned this in T6105: Release GnuPG 2.2.37.Aug 24 2022, 5:22 PM

• werner closed this task as Resolved.Aug 24 2022, 5:27 PM

• werner removed projects: backport, Restricted Project.