From: kemal Date: Thu, 02 Sep 2021 13:28:48 +0000 Subject: [PATCH] ssh: use RSA/SHA-256 instead of RSA/SHA-1 as the public key algorithm openssh now disables RSA/SHA-1 by default, so using RSA/SHA-1 will eventually cause us problems: https://undeadly.org/cgi?action=article;sid=20210830113413 in addition, github will disable RSA/SHA-1 for recently added RSA keys: https://github.blog/2021-09-01-improving-git-protocol-security-github/ this patch modifies ssh.c to use RSA/SHA-256 (aka rsa-sha2-256) instead of RSA/SHA-1 (aka ssh-rsa) as the public key algorithm. NOTE: public rsa keys and thumbprints are ***NOT AFFECTED*** by this patch. while we're here, remove the workaround for github.com. it seems that github has fixed their implementation, and does not look into macalgs when we're using an aead cipher. --- diff 6c9462710539bd35ae5c51de27e7894522683bd7 696ce28faddb131842825b0bedb8caa6d1a9ec62 --- a/sys/src/cmd/ssh.c Tue Aug 31 18:53:37 2021 +++ b/sys/src/cmd/ssh.c Thu Sep 2 16:28:48 2021 @@ -398,14 +398,16 @@ return pub; } +static char rsasha256[] = "rsa-sha2-256"; + int rsasig2ssh(RSApub *pub, mpint *S, uchar *data, int len) { int l = (mpsignif(pub->n)+7)/8; - if(4+7+4+l > len) + if(4+12+4+l > len) return -1; - mptober(S, data+4+7+4, l); - return pack(data, len, "ss", sshrsa, sizeof(sshrsa)-1, data+4+7+4, l); + mptober(S, data+4+12+4, l); + return pack(data, len, "ss", rsasha256, sizeof(rsasha256)-1, data+4+12+4, l); } mpint* @@ -417,7 +419,7 @@ m = mpnew(0); if(unpack(data, len, "sm", &s, &n, m) < 0 - || n != sizeof(sshrsa)-1 || memcmp(s, sshrsa, n) != 0){ + || n != sizeof(rsasha256)-1 || memcmp(s, rsasha256, n) != 0){ mpfree(m); return nil; } @@ -427,10 +429,10 @@ mpint* pkcs1digest(uchar *data, int len, RSApub *pub) { - uchar digest[SHA1dlen], buf[256]; + uchar digest[SHA2_256dlen], buf[256]; - sha1(data, len, digest, nil); - return pkcs1padbuf(buf, asn1encodedigest(sha1, digest, buf, sizeof(buf)), pub->n, 1); + sha2_256(data, len, digest, nil); + return pkcs1padbuf(buf, asn1encodedigest(sha2_256, digest, buf, sizeof(buf)), pub->n, 1); } int @@ -489,7 +491,7 @@ static char kexalgs[] = "curve25519-sha256,curve25519-sha256@libssh.org"; static char cipheralgs[] = "chacha20-poly1305@openssh.com"; static char zipalgs[] = "none"; - static char macalgs[] = "hmac-sha1"; /* work around for github.com */ + static char macalgs[] = ""; static char langs[] = ""; uchar cookie[16], x[32], yc[32], z[32], k[32+1], h[SHA2_256dlen], *ys, *ks, *sig; @@ -506,7 +508,7 @@ sendpkt("b[ssssssssssbu", MSG_KEXINIT, cookie, sizeof(cookie), kexalgs, sizeof(kexalgs)-1, - sshrsa, sizeof(sshrsa)-1, + rsasha256, sizeof(rsasha256)-1, cipheralgs, sizeof(cipheralgs)-1, cipheralgs, sizeof(cipheralgs)-1, macalgs, sizeof(macalgs)-1, @@ -744,7 +746,7 @@ service, strlen(service), authmeth, sizeof(authmeth)-1, 0, - sshrsa, sizeof(sshrsa)-1, + rsasha256, sizeof(rsasha256)-1, pk, npk); Next1: switch(recvpkt()){ default: @@ -767,7 +769,7 @@ service, strlen(service), authmeth, sizeof(authmeth)-1, 1, - sshrsa, sizeof(sshrsa)-1, + rsasha256, sizeof(rsasha256)-1, pk, npk); S = pkcs1digest(send.b, n, pub); n = snprint((char*)send.b, sizeof(send.b), "%B", S); @@ -788,7 +790,7 @@ service, strlen(service), authmeth, sizeof(authmeth)-1, 1, - sshrsa, sizeof(sshrsa)-1, + rsasha256, sizeof(rsasha256)-1, pk, npk, sig, nsig); Next2: switch(recvpkt()){