
Commit e4b3678

FiloSottiledrakkan
andcommitted
ssh: add diffie-hellman-group14-sha256 kex
RFC 9142 made diffie-hellman-group14-sha256 from RFC 8268 a MUST, and it's strictly better than diffie-hellman-group14-sha1, which we already have, and trivial to add. > The method of key exchange used for the name "diffie-hellman- > group14-sha256" is the same as that for "diffie-hellman-group14-sha1" > except that the SHA256 hash algorithm is used. Ignore the bigger groups which have a meaningful performance cost, and don't share the same interoperability benefit. Adapted from CL 387994. Fixes golang/go#31731 Co-authored-by: Nicola Murino <[email protected]> Change-Id: Id4ce345a2065840f193986739ea890f105a1e929 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/392014 Trust: Filippo Valsorda <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]>
1 parent 9b07691 commit e4b3678


2 files changed

+27
-18
lines changed


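--- a/ssh/common.go
+++ b/ssh/common.go
@@ -48,7 +48,7 @@ var supportedKexAlgos = []string{
 // P384 and P521 are not constant-time yet, but since we don't
 // reuse ephemeral keys, using them for ECDH should be OK.
 kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
-kexAlgoDH14SHA1, kexAlgoDH1SHA1,
+kexAlgoDH14SHA256, kexAlgoDH14SHA1, kexAlgoDH1SHA1,
 }
 
 // serverForbiddenKexAlgos contains key exchange algorithms, that are forbidden
@@ -63,7 +63,7 @@ var serverForbiddenKexAlgos = map[string]struct{}{
 var preferredKexAlgos = []string{
 kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
 kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
-kexAlgoDH14SHA1,
+kexAlgoDH14SHA256, kexAlgoDH14SHA1,
 }
 
 // supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods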
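Review bot: The new kexAlgoDH14SHA256 entry in supportedKexAlgos and preferredKexAlgos has no comment explaining why it is placed ahead of the SHA-1 groups, while the ECDH entries directly above it do carry a rationale. Suggest adding above the changed line in supportedKexAlgos: `// diffie-hellman-group14-sha256 is a MUST in RFC 9142 and is preferred over the SHA-1 groups that follow.` The same ordering rationale applies to the preferredKexAlgos hunk below it. Both slice declarations begin before their hunks, so the enclosing declarations are only partly visible here.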

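--- a/ssh/kex.go
+++ b/ssh/kex.go
@@ -22,6 +22,7 @@ import (
 const (
 kexAlgoDH1SHA1 = "diffie-hellman-group1-sha1"
 kexAlgoDH14SHA1 = "diffie-hellman-group14-sha1"
+kexAlgoDH14SHA256 = "diffie-hellman-group14-sha256"
 kexAlgoECDH256 = "ecdh-sha2-nistp256"
 kexAlgoECDH384 = "ecdh-sha2-nistp384"
 kexAlgoECDH521 = "ecdh-sha2-nistp521"
@@ -87,6 +88,7 @@ type kexAlgorithm interface {
 // dhGroup is a multiplicative group suitable for implementing Diffie-Hellman key agreement.
 type dhGroup struct {
 g, p, pMinus1 *big.Int
+hashFunc crypto.Hash
 }
 
 func (group *dhGroup) diffieHellman(theirPublic, myPrivate *big.Int) (*big.Int, error) {
@@ -97,8 +99,6 @@ func (group *dhGroup) diffieHellman(theirPublic, myPrivate *big.Int) (*big.Int,
 }
 
 func (group *dhGroup) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) {
-hashFunc := crypto.SHA1
-
 var x *big.Int
 for {
 var err error
@@ -133,7 +133,7 @@ func (group *dhGroup) Client(c packetConn, randSource io.Reader, magics *handsha
 return nil, err
 }
 
-h := hashFunc.New()
+h := group.hashFunc.New()
 magics.write(h)
 writeString(h, kexDHReply.HostKey)
 writeInt(h, X)
@@ -147,12 +147,11 @@ func (group *dhGroup) Client(c packetConn, randSource io.Reader, magics *handsha
 K: K,
 HostKey: kexDHReply.HostKey,
 Signature: kexDHReply.Signature,
-Hash: crypto.SHA1,
+Hash: group.hashFunc,
 }, nil
 }
 
 func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
-hashFunc := crypto.SHA1
 packet, err := c.readPacket()
 if err != nil {
 return
@@ -180,7 +179,7 @@ func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handsha
 
 hostKeyBytes := priv.PublicKey().Marshal()
 
-h := hashFunc.New()
+h := group.hashFunc.New()
 magics.write(h)
 writeString(h, hostKeyBytes)
 writeInt(h, kexDHInit.X)
@@ -212,7 +211,7 @@ func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handsha
 K: K,
 HostKey: hostKeyBytes,
 Signature: sig,
-Hash: crypto.SHA1,
+Hash: group.hashFunc,
 }, err
 }
 
@@ -388,25 +387,35 @@ func (kex *ecdh) Server(c packetConn, rand io.Reader, magics *handshakeMagics, p
 var kexAlgoMap = map[string]kexAlgorithm{}
 
 func init() {
-// This is the group called diffie-hellman-group1-sha1 in RFC
-// 4253 and Oakley Group 2 in RFC 2409.
+// This is the group called diffie-hellman-group1-sha1 in
+// RFC 4253 and Oakley Group 2 in RFC 2409.
 p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
 kexAlgoMap[kexAlgoDH1SHA1] = &dhGroup{
-g: new(big.Int).SetInt64(2),
-p: p,
-pMinus1: new(big.Int).Sub(p, bigOne),
+g: new(big.Int).SetInt64(2),
+p: p,
+pMinus1: new(big.Int).Sub(p, bigOne),
+hashFunc: crypto.SHA1,
 }
 
-// This is the group called diffie-hellman-group14-sha1 in RFC
-// 4253 and Oakley Group 14 in RFC 3526.
+// This are the groups called diffie-hellman-group14-sha1 and
+// diffie-hellman-group14-sha256 in RFC 4253 and RFC 8268,
+// and Oakley Group 14 in RFC 3526.
 p, _ = new(big.Int).SetString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
-
-kexAlgoMap[kexAlgoDH14SHA1] = &dhGroup{
+group14 := &dhGroup{
 g: new(big.Int).SetInt64(2),
 p: p,
 pMinus1: new(big.Int).Sub(p, bigOne),
 }
 
+kexAlgoMap[kexAlgoDH14SHA1] = &dhGroup{
+g: group14.g, p: group14.p, pMinus1: group14.pMinus1,
+hashFunc: crypto.SHA1,
+}
+kexAlgoMap[kexAlgoDH14SHA256] = &dhGroup{
+g: group14.g, p: group14.p, pMinus1: group14.pMinus1,
+hashFunc: crypto.SHA256,
+}
+
 kexAlgoMap[kexAlgoECDH521] = &ecdh{elliptic.P521()}
 kexAlgoMap[kexAlgoECDH384] = &ecdh{elliptic.P384()}
 kexAlgoMap[kexAlgoECDH256] = &ecdh{elliptic.P256()}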
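Review bot: The new `hashFunc crypto.Hash` field on dhGroup is undocumented, and because Client and Server now call `group.hashFunc.New()` unconditionally, a dhGroup whose hashFunc is left at its zero value panics at that call rather than failing gracefully; suggest `// hashFunc computes the exchange hash H and is reported as kexResult.Hash; it must be set, since crypto.Hash(0).New panics.` The intermediate `group14` value in init() is exactly such a zero-hashFunc dhGroup; it is only a holder for g, p and pMinus1 and is never registered in kexAlgoMap, but three plain locals would make that intent clear and remove the footgun. The rewritten comment in init() reads `// This are the groups called diffie-hellman-group14-sha1 and` and should be `// These are the groups called diffie-hellman-group14-sha1 and`. crypto.Hash.New also panics when the hash implementation is not linked into the binary, so registering crypto.SHA256 relies on the package already importing crypto/sha256, which the import hunk does not show and is worth confirming.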
