Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Ledest:erlang:23
erlang
3891-ssh-prefer-more-secure-algorithms.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 3891-ssh-prefer-more-secure-algorithms.patch of Package erlang
From 0d9b1e2f0ada363902fe00a00eb7ab17ee8fac79 Mon Sep 17 00:00:00 2001 From: Jakub Witczak <kuba@erlang.org> Date: Fri, 16 Feb 2024 10:31:41 +0100 Subject: [PATCH] ssh: prefer more secure algorithms - default order of algorithms is adjusted - related docs are updated and fixed --- lib/ssh/doc/src/SSH_app.xml | 24 ++++++++++++------------ lib/ssh/src/ssh_transport.erl | 28 +++++++++++++--------------- 2 files changed, 25 insertions(+), 27 deletions(-) diff --git a/lib/ssh/doc/src/SSH_app.xml b/lib/ssh/doc/src/SSH_app.xml index 8f3b5fc80b..3c064f4550 100644 --- a/lib/ssh/doc/src/SSH_app.xml +++ b/lib/ssh/doc/src/SSH_app.xml @@ -172,16 +172,16 @@ <tag>Key exchange algorithms</tag> <item> <list type="bulleted"> - <item>ecdh-sha2-nistp384</item> + <item>curve25519-sha256</item> + <item>curve25519-sha256@libssh.org</item> + <item>curve448-sha512</item> <item>ecdh-sha2-nistp521</item> + <item>ecdh-sha2-nistp384</item> <item>ecdh-sha2-nistp256</item> <item>diffie-hellman-group-exchange-sha256</item> <item>diffie-hellman-group16-sha512</item> <item>diffie-hellman-group18-sha512</item> <item>diffie-hellman-group14-sha256</item> - <item>curve25519-sha256</item> - <item>curve25519-sha256@libssh.org</item> - <item>curve448-sha512</item> </list> <p>The following unsecure <c>SHA1</c> algorithms are now disabled by default:</p> <list> @@ -199,13 +199,13 @@ <tag>Public key algorithms</tag> <item> <list type="bulleted"> - <item>ecdsa-sha2-nistp384</item> - <item>ecdsa-sha2-nistp521</item> - <item>ecdsa-sha2-nistp256</item> - <item>ssh-ed25519</item> + <item>ssh-ed25519</item> <item>ssh-ed448</item> + <item>ecdsa-sha2-nistp521</item> + <item>ecdsa-sha2-nistp384</item> + <item>ecdsa-sha2-nistp256</item> + <item>rsa-sha2-512</item> <item>rsa-sha2-256</item> - <item>rsa-sha2-512</item> </list> <p>The following unsecure <c>SHA1</c> algorithms are supported but disabled by default:</p> <list> @@ -227,11 +227,11 @@ <tag>MAC algorithms</tag> <item> <list type="bulleted"> - <item>hmac-sha2-256-etm@openssh.com</item> <item>hmac-sha2-512-etm@openssh.com</item> - <item>hmac-sha1-etm@openssh.com</item> - <item>hmac-sha2-256</item> + <item>hmac-sha2-256-etm@openssh.com</item> <item>hmac-sha2-512</item> + <item>hmac-sha2-256</item> + <item>hmac-sha1-etm@openssh.com</item> <item>hmac-sha1</item> </list> <p>The following unsecure <c>SHA1</c> algorithm is disabled by default:</p> diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl index e43c345130..003ab4e4e9 100644 --- a/lib/ssh/src/ssh_transport.erl +++ b/lib/ssh/src/ssh_transport.erl @@ -220,13 +218,13 @@ supported_algorithms(kex) -> supported_algorithms(public_key) -> select_crypto_supported( [ - {'ecdsa-sha2-nistp384', [{public_keys,ecdsa}, {hashs,sha384}, {curves,secp384r1}]}, - {'ecdsa-sha2-nistp521', [{public_keys,ecdsa}, {hashs,sha512}, {curves,secp521r1}]}, - {'ecdsa-sha2-nistp256', [{public_keys,ecdsa}, {hashs,sha256}, {curves,secp256r1}]}, {'ssh-ed25519', [{public_keys,eddsa}, {curves,ed25519} ]}, {'ssh-ed448', [{public_keys,eddsa}, {curves,ed448} ]}, - {'rsa-sha2-256', [{public_keys,rsa}, {hashs,sha256} ]}, + {'ecdsa-sha2-nistp521', [{public_keys,ecdsa}, {hashs,sha512}, {curves,secp521r1}]}, + {'ecdsa-sha2-nistp384', [{public_keys,ecdsa}, {hashs,sha384}, {curves,secp384r1}]}, + {'ecdsa-sha2-nistp256', [{public_keys,ecdsa}, {hashs,sha256}, {curves,secp256r1}]}, {'rsa-sha2-512', [{public_keys,rsa}, {hashs,sha512} ]}, + {'rsa-sha2-256', [{public_keys,rsa}, {hashs,sha256} ]}, {'ssh-rsa', [{public_keys,rsa}, {hashs,sha} ]}, {'ssh-dss', [{public_keys,dss}, {hashs,sha} ]} % Gone in OpenSSH 7.3.p1 ]); @@ -252,15 +250,15 @@ supported_algorithms(cipher) -> supported_algorithms(mac) -> same( select_crypto_supported( - [{'hmac-sha2-256-etm@openssh.com', [{macs,hmac}, {hashs,sha256}]}, - {'hmac-sha2-512-etm@openssh.com', [{macs,hmac}, {hashs,sha256}]}, - {'hmac-sha2-256', [{macs,hmac}, {hashs,sha256}]}, + [{'hmac-sha2-512-etm@openssh.com', [{macs,hmac}, {hashs,sha256}]}, + {'hmac-sha2-256-etm@openssh.com', [{macs,hmac}, {hashs,sha256}]}, {'hmac-sha2-512', [{macs,hmac}, {hashs,sha512}]}, + {'hmac-sha2-256', [{macs,hmac}, {hashs,sha256}]}, {'hmac-sha1-etm@openssh.com', [{macs,hmac}, {hashs,sha256}]}, {'hmac-sha1', [{macs,hmac}, {hashs,sha}]}, {'hmac-sha1-96', [{macs,hmac}, {hashs,sha}]}, - {'AEAD_AES_128_GCM', [{ciphers,aes_128_gcm}]}, - {'AEAD_AES_256_GCM', [{ciphers,aes_256_gcm}]} + {'AEAD_AES_256_GCM', [{ciphers,aes_256_gcm}]}, + {'AEAD_AES_128_GCM', [{ciphers,aes_128_gcm}]} ] )); supported_algorithms(compression) -> -- 2.35.3
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
