From 86d17c6989740652b554e776f7944a90d516abda Mon Sep 17 00:00:00 2001 From: Dag Wieers Date: Fri, 25 Jul 2014 12:28:08 +0200 Subject: [PATCH] Add hmac-sha2-256 MAC support This small patch adds hmac-sha2-256 support separately as requested in #423. Some security standards now recommend to disable MD5 and SHA1, and use SHA2 instead. This change was tested using SHA2 against RHEL6's OpenSSH v5.3p1 and Solaris 11. And was also tested with RHEL5's OpenSSH 4.3p2 which doesn't include SHA2. --- phpseclib/Net/SSH2.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php index 9514c1a4..50529ec1 100644 --- a/phpseclib/Net/SSH2.php +++ b/phpseclib/Net/SSH2.php @@ -1163,6 +1163,7 @@ class Net_SSH2 } $mac_algorithms = array( + 'hmac-sha2-256',// RECOMMENDED HMAC-SHA256 (digest length = key length = 32) 'hmac-sha1-96', // RECOMMENDED first 96 bits of HMAC-SHA1 (digest length = 12, key length = 20) 'hmac-sha1', // REQUIRED HMAC-SHA1 (digest length = key length = 20) 'hmac-md5-96', // OPTIONAL first 96 bits of HMAC-MD5 (digest length = 12, key length = 16) @@ -1692,6 +1693,10 @@ class Net_SSH2 $createKeyLength = 0; // ie. $mac_algorithms[$i] == 'none' switch ($mac_algorithms[$i]) { + case 'hmac-sha2-256': + $this->hmac_create = new Crypt_Hash('sha256'); + $createKeyLength = 32; + break; case 'hmac-sha1': $this->hmac_create = new Crypt_Hash('sha1'); $createKeyLength = 20; @@ -1718,6 +1723,11 @@ class Net_SSH2 $checkKeyLength = 0; $this->hmac_size = 0; switch ($mac_algorithms[$i]) { + case 'hmac-sha2-256': + $this->hmac_check = new Crypt_Hash('sha256'); + $checkKeyLength = 32; + $this->hmac_size = 32; + break; case 'hmac-sha1': $this->hmac_check = new Crypt_Hash('sha1'); $checkKeyLength = 20;