From 86d17c6989740652b554e776f7944a90d516abda Mon Sep 17 00:00:00 2001 From: Dag Wieers Date: Fri, 25 Jul 2014 12:28:08 +0200 Subject: [PATCH 1/3] Add hmac-sha2-256 MAC support This small patch adds hmac-sha2-256 support separately as requested in #423. Some security standards now recommend to disable MD5 and SHA1, and use SHA2 instead. This change was tested using SHA2 against RHEL6's OpenSSH v5.3p1 and Solaris 11. And was also tested with RHEL5's OpenSSH 4.3p2 which doesn't include SHA2. --- phpseclib/Net/SSH2.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php index 9514c1a4..50529ec1 100644 --- a/phpseclib/Net/SSH2.php +++ b/phpseclib/Net/SSH2.php @@ -1163,6 +1163,7 @@ class Net_SSH2 } $mac_algorithms = array( + 'hmac-sha2-256',// RECOMMENDED HMAC-SHA256 (digest length = key length = 32) 'hmac-sha1-96', // RECOMMENDED first 96 bits of HMAC-SHA1 (digest length = 12, key length = 20) 'hmac-sha1', // REQUIRED HMAC-SHA1 (digest length = key length = 20) 'hmac-md5-96', // OPTIONAL first 96 bits of HMAC-MD5 (digest length = 12, key length = 16) @@ -1692,6 +1693,10 @@ class Net_SSH2 $createKeyLength = 0; // ie. $mac_algorithms[$i] == 'none' switch ($mac_algorithms[$i]) { + case 'hmac-sha2-256': + $this->hmac_create = new Crypt_Hash('sha256'); + $createKeyLength = 32; + break; case 'hmac-sha1': $this->hmac_create = new Crypt_Hash('sha1'); $createKeyLength = 20; @@ -1718,6 +1723,11 @@ class Net_SSH2 $checkKeyLength = 0; $this->hmac_size = 0; switch ($mac_algorithms[$i]) { + case 'hmac-sha2-256': + $this->hmac_check = new Crypt_Hash('sha256'); + $checkKeyLength = 32; + $this->hmac_size = 32; + break; case 'hmac-sha1': $this->hmac_check = new Crypt_Hash('sha1'); $checkKeyLength = 20; From 1a330b68e2cfb6b097a3206810fe89b4c8bfa489 Mon Sep 17 00:00:00 2001 From: Dag Wieers Date: Fri, 25 Jul 2014 14:10:01 +0200 Subject: [PATCH 2/3] Added RFC6668 Added the requested changed. --- phpseclib/Net/SSH2.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php index 50529ec1..395242f5 100644 --- a/phpseclib/Net/SSH2.php +++ b/phpseclib/Net/SSH2.php @@ -1163,7 +1163,9 @@ class Net_SSH2 } $mac_algorithms = array( - 'hmac-sha2-256',// RECOMMENDED HMAC-SHA256 (digest length = key length = 32) + // from : + 'hmac-sha2-256',// RECOMMENDED HMAC-SHA256 (digest length = key length = 32) + 'hmac-sha1-96', // RECOMMENDED first 96 bits of HMAC-SHA1 (digest length = 12, key length = 20) 'hmac-sha1', // REQUIRED HMAC-SHA1 (digest length = key length = 20) 'hmac-md5-96', // OPTIONAL first 96 bits of HMAC-MD5 (digest length = 12, key length = 16) From 4be4533a6ef4504b1ced62f2ac5177869976ed16 Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Sat, 26 Jul 2014 13:02:52 +0200 Subject: [PATCH 3/3] ssh-hmac-sha2-256: Remove whitespace at end of line. --- phpseclib/Net/SSH2.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php index 395242f5..726ca88c 100644 --- a/phpseclib/Net/SSH2.php +++ b/phpseclib/Net/SSH2.php @@ -1165,7 +1165,7 @@ class Net_SSH2 $mac_algorithms = array( // from : 'hmac-sha2-256',// RECOMMENDED HMAC-SHA256 (digest length = key length = 32) - + 'hmac-sha1-96', // RECOMMENDED first 96 bits of HMAC-SHA1 (digest length = 12, key length = 20) 'hmac-sha1', // REQUIRED HMAC-SHA1 (digest length = key length = 20) 'hmac-md5-96', // OPTIONAL first 96 bits of HMAC-MD5 (digest length = 12, key length = 16)