File 3891-ssh-prefer-more-secure-algorithms.patch of Package erlang

From 0d9b1e2f0ada363902fe00a00eb7ab17ee8fac79 Mon Sep 17 00:00:00 2001
From: Jakub Witczak <kuba@erlang.org>
Date: Fri, 16 Feb 2024 10:31:41 +0100
Subject: [PATCH] ssh: prefer more secure algorithms

- default order of algorithms is adjusted
- related docs are updated and fixed
---
 lib/ssh/doc/src/SSH_app.xml   | 24 ++++++++++++------------
 lib/ssh/src/ssh_transport.erl | 28 +++++++++++++---------------
 2 files changed, 25 insertions(+), 27 deletions(-)

diff --git a/lib/ssh/doc/src/SSH_app.xml b/lib/ssh/doc/src/SSH_app.xml
index 8f3b5fc80b..3c064f4550 100644
--- a/lib/ssh/doc/src/SSH_app.xml
+++ b/lib/ssh/doc/src/SSH_app.xml
@@ -172,16 +172,16 @@
       <tag>Key exchange algorithms</tag>
       <item>
 	<list type="bulleted">
-	  <item>ecdh-sha2-nistp384</item>
+	  <item>curve25519-sha256</item>
+	  <item>curve25519-sha256@libssh.org</item>
+	  <item>curve448-sha512</item>
 	  <item>ecdh-sha2-nistp521</item>
+	  <item>ecdh-sha2-nistp384</item>
 	  <item>ecdh-sha2-nistp256</item>
 	  <item>diffie-hellman-group-exchange-sha256</item>
 	  <item>diffie-hellman-group16-sha512</item>
 	  <item>diffie-hellman-group18-sha512</item>
 	  <item>diffie-hellman-group14-sha256</item>
-	  <item>curve25519-sha256</item>
-	  <item>curve25519-sha256@libssh.org</item>
-	  <item>curve448-sha512</item>
 	</list>
 	<p>The following unsecure <c>SHA1</c> algorithms are now disabled by default:</p>
 	<list>
@@ -199,13 +199,13 @@
       <tag>Public key algorithms</tag>
       <item>
 	<list type="bulleted">
-	  <item>ecdsa-sha2-nistp384</item>
-	  <item>ecdsa-sha2-nistp521</item>
-	  <item>ecdsa-sha2-nistp256</item>
-	  <item>ssh-ed25519</item>
+          <item>ssh-ed25519</item>
 	  <item>ssh-ed448</item>
+          <item>ecdsa-sha2-nistp521</item>
+          <item>ecdsa-sha2-nistp384</item>
+	  <item>ecdsa-sha2-nistp256</item>
+          <item>rsa-sha2-512</item>
 	  <item>rsa-sha2-256</item>
-	  <item>rsa-sha2-512</item>
 	</list>
 	<p>The following unsecure <c>SHA1</c> algorithms are supported but disabled by default:</p>
 	<list>
@@ -227,11 +227,11 @@
       <tag>MAC algorithms</tag>
       <item>
 	<list type="bulleted">
-	  <item>hmac-sha2-256-etm@openssh.com</item>
 	  <item>hmac-sha2-512-etm@openssh.com</item>
-	  <item>hmac-sha1-etm@openssh.com</item>
-	  <item>hmac-sha2-256</item>
+	  <item>hmac-sha2-256-etm@openssh.com</item>
 	  <item>hmac-sha2-512</item>
+	  <item>hmac-sha2-256</item>
+          <item>hmac-sha1-etm@openssh.com</item>
 	  <item>hmac-sha1</item>
 	</list>
 	<p>The following unsecure <c>SHA1</c> algorithm is disabled by default:</p>
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index e43c345130..003ab4e4e9 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -220,13 +218,13 @@ supported_algorithms(kex) ->
 supported_algorithms(public_key) ->
     select_crypto_supported(
       [
-       {'ecdsa-sha2-nistp384',  [{public_keys,ecdsa}, {hashs,sha384}, {curves,secp384r1}]},
-       {'ecdsa-sha2-nistp521',  [{public_keys,ecdsa}, {hashs,sha512}, {curves,secp521r1}]},
-       {'ecdsa-sha2-nistp256',  [{public_keys,ecdsa}, {hashs,sha256}, {curves,secp256r1}]},
        {'ssh-ed25519',          [{public_keys,eddsa}, {curves,ed25519}                    ]},
        {'ssh-ed448',            [{public_keys,eddsa}, {curves,ed448}                      ]},
-       {'rsa-sha2-256',         [{public_keys,rsa},   {hashs,sha256}                      ]},
+       {'ecdsa-sha2-nistp521',  [{public_keys,ecdsa}, {hashs,sha512}, {curves,secp521r1}]},
+       {'ecdsa-sha2-nistp384',  [{public_keys,ecdsa}, {hashs,sha384}, {curves,secp384r1}]},
+       {'ecdsa-sha2-nistp256',  [{public_keys,ecdsa}, {hashs,sha256}, {curves,secp256r1}]},
        {'rsa-sha2-512',         [{public_keys,rsa},   {hashs,sha512}                      ]},
+       {'rsa-sha2-256',         [{public_keys,rsa},   {hashs,sha256}                      ]},
        {'ssh-rsa',              [{public_keys,rsa},   {hashs,sha}                         ]},
        {'ssh-dss',              [{public_keys,dss},   {hashs,sha}                         ]} % Gone in OpenSSH 7.3.p1
       ]);
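Review bot: Nothing next to the `supported_algorithms(public_key)` list says that element order is the preference order, which is the only thing this hunk changes. A short comment above the list would help, e.g. `%% Most preferred first; this order decides which host key type is negotiated by default.` If the client side uses the same order, which the hunk does not show, a peer previously pinned by its ECDSA host key may now present its Ed25519 key after the upgrade. Deployments that accept unknown host keys automatically would then store the new key without an operator seeing it, so the change deserves a line in the release notes. `'ssh-rsa'` and `'ssh-dss'` remain at the tail of the list; the filtering that keeps these SHA-1 algorithms out of the defaults happens outside this hunk.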
@@ -252,15 +250,15 @@ supported_algorithms(cipher) ->
 supported_algorithms(mac) ->
     same(
       select_crypto_supported(
-	[{'hmac-sha2-256-etm@openssh.com', [{macs,hmac}, {hashs,sha256}]},
-         {'hmac-sha2-512-etm@openssh.com', [{macs,hmac}, {hashs,sha256}]},
-         {'hmac-sha2-256',    [{macs,hmac}, {hashs,sha256}]},
+	[{'hmac-sha2-512-etm@openssh.com', [{macs,hmac}, {hashs,sha256}]},
+         {'hmac-sha2-256-etm@openssh.com', [{macs,hmac}, {hashs,sha256}]},
 	 {'hmac-sha2-512',    [{macs,hmac}, {hashs,sha512}]},
+         {'hmac-sha2-256',    [{macs,hmac}, {hashs,sha256}]},
          {'hmac-sha1-etm@openssh.com', [{macs,hmac}, {hashs,sha256}]},
 	 {'hmac-sha1',        [{macs,hmac}, {hashs,sha}]},
 	 {'hmac-sha1-96',     [{macs,hmac}, {hashs,sha}]},
-	 {'AEAD_AES_128_GCM', [{ciphers,aes_128_gcm}]},
-	 {'AEAD_AES_256_GCM', [{ciphers,aes_256_gcm}]}
+         {'AEAD_AES_256_GCM', [{ciphers,aes_256_gcm}]},
+	 {'AEAD_AES_128_GCM', [{ciphers,aes_128_gcm}]}
 	]
        ));
 supported_algorithms(compression) ->
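Review bot: The entry moved to the head of the MAC list, `'hmac-sha2-512-etm@openssh.com'`, still declares `{hashs,sha256}` as its crypto requirement, and the context line for `'hmac-sha1-etm@openssh.com'` does the same. The non-ETM variants declare `sha512` and `sha` respectively. If `select_crypto_supported` filters on these requirement lists, as its name suggests, the top-preference MAC would be advertised on a crypto build that has SHA-256 but not SHA-512. Since the line is being touched anyway, I would align the requirements with the algorithms: `{'hmac-sha2-512-etm@openssh.com', [{macs,hmac}, {hashs,sha512}]},` and `{'hmac-sha1-etm@openssh.com', [{macs,hmac}, {hashs,sha}]},`.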
-- 
2.35.3
