Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[#10203] Use kex registry to get digest algorithm for non-group kex algorighms. #1603

Merged
merged 1 commit into from
May 24, 2021
Merged

[#10203] Use kex registry to get digest algorithm for non-group kex algorighms. #1603

merged 1 commit into from
May 24, 2021

Conversation

adiroiban
Copy link
Member

Scope and purpose

This refactors the SSH transport server and client side to not use hardcoded SHA1

No tests were added as this is just an internal refactoring.

This make it easier to implement diffie-hellman-group14-sha256 in the future in https://twistedmatrix.com/trac/ticket/10202

Contributor Checklist:

  • The associated ticket in Trac is here: https://twistedmatrix.com/trac/ticket/10203
  • I ran tox -e lint to format my patch to meet the Twisted Coding Standard
  • I have created a newsfragment in src/twisted/newsfragments/ (see: News files)
  • The title of the PR starts with the associated Trac ticket number (without the # character).
  • [NA] I have updated the automated tests and checked that all checks for the PR are green.
  • I have submitted the associated Trac ticket for review by adding the word review to the keywords field in Trac, and putting a link to this PR in the comment; it shows up in https://twisted.reviews/ now.
  • The merge commit will use the below format
    The first line is automatically generated by GitHub based on PR ID and branch name.
    The other lines generated by GitHub should be replaced.
Merge pull request #123 from twisted/4356-branch-name-with-trac-id

Author: adiroiban
Reviewer: 
Fixes: ticket:10203

Use kex registry to get digest algorithm for non-group kex algorighms.

@adiroiban adiroiban requested a review from a team May 24, 2021 20:24
twm
twm approved these changes May 24, 2021
View reviewed changes
Copy link
Contributor

@twm twm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not deeply familiar with Conch, but this looks like a reasonable application of well-established patterns there. I had one minor note; feel free to address it or not as you prefer.

src/twisted/conch/ssh/transport.py
@@ -1454,7 +1454,7 @@ def _ssh_KEXDH_INIT(self, packet):
self.g, self.p = _kex.getDHGeneratorAndPrime(self.kexAlg)
self._startEphemeralDH()
sharedSecret = self._finishEphemeralDH(clientDHpublicKey)
h = sha1()
h = _kex.getHashProcessor(self.kexAlg)()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this will allow any of these algorithms (from _kex.py):

  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group14-sha1
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521

Looking at the implementations, these are all sha1, sha256, sha384 or sha512. Perhaps the change fragment should mention the newly supported algorithms?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many thanks for the prompt review :) Much appreciated.

This is called only for "non-group key exchange" aka kex._IFixedGroupKexAlgorithm

The only fixed group that is still supported "upstream" by Twisted is "diffie-hellman-group14-sha1"

diffie-hellman-group1-sha1 was removed in #747 ... but it is not hard to monkey patch Twisted and add back support for it. I am doing it for my production code.

The main change in this PR is to make it easy to monkey patch support for

diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512

I have created ticket https://twistedmatrix.com/trac/ticket/10202 for that... but I don't know if other devs are interested into adding legacy KEX algorithms to Twisted.

@adiroiban adiroiban merged commit da61086 into trunk May 24, 2021
@adiroiban adiroiban deleted the 10203-fixed-group-kex-sha branch May 24, 2021 23:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@twm twm twm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@adiroiban @twm