From 0196e38d30c462b7e1eab4a786363939a39fb4c7 Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Wed, 30 Mar 2022 13:50:30 +0200
Subject: [PATCH] remove the Extension setting
always add ext-info-s to KEX and send the SSH_MSG_EXT_INFO message if we received ext-info-c from the client
Signed-off-by: Nicola Murino
---
ssh/common.go | 15 +--------------
ssh/handshake.go | 8 +++-----
2 files changed, 4 insertions(+), 19 deletions(-)
diff --git a/ssh/common.go b/ssh/common.go
index 9e09180495..27343d4afa 100644
--- a/ssh/common.go
+++ b/ssh/common.go
@@ -28,14 +28,9 @@ const (
 const (
 extInfoServer = "ext-info-s"
 extInfoClient = "ext-info-c"
- ExtServerSigAlgs = "server-sig-algs"
+ extServerSigAlgs = "server-sig-algs"
 )
 
-// defaultExtensions lists extensions enabled by default.
-var defaultExtensions = []string{
- ExtServerSigAlgs,
-}
-
 // supportedCiphers lists ciphers we support but might not recommend.
 var supportedCiphers = []string{
 "aes128-ctr", "aes192-ctr", "aes256-ctr",
@@ -282,10 +277,6 @@ type Config struct {
 // The allowed MAC algorithms. If unspecified then a sensible default
 // is used.
 MACs []string
-
- // A list of enabled extensions. If unspecified then a sensible
- // default is used
- Extensions []string
 }
 
 // SetDefaults sets sensible values for unset fields in config. This is
@@ -315,10 +306,6 @@ func (c *Config) SetDefaults() {
 c.MACs = supportedMACs
 }
 
- if c.Extensions == nil {
- c.Extensions = defaultExtensions
- }
-
 if c.RekeyThreshold == 0 {
 // cipher specific default
 } else if c.RekeyThreshold < minRekeyThreshold {
diff --git a/ssh/handshake.go b/ssh/handshake.go
index 7e6e52ec7e..9fdb1e95e3 100644
--- a/ssh/handshake.go
+++ b/ssh/handshake.go
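Review bot: The rename of `ExtServerSigAlgs` to `extServerSigAlgs` in the first hunk removes an exported identifier, and the later hunks remove the exported `Extensions` field with it; if either was ever part of a tagged release this is a breaking API change that would need a deprecated alias, otherwise it is fine but worth stating in the commit message. The constant block also has no doc comment explaining what these three strings are, so I would add `// ext-info-s and ext-info-c are the RFC 8308 Section 2.1 indicators advertised in kex_algorithms; server-sig-algs is the extension name carried in SSH_MSG_EXT_INFO (Section 3.1).` above `extInfoServer`. The two remaining hunks in this file only delete the `Extensions` setting and its default and need nothing further.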
@@ -479,9 +479,7 @@ func (t *handshakeTransport) sendKexInit() error {
 msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, keyFormat)
 }
 }
- if contains(t.config.Extensions, ExtServerSigAlgs) {
- msg.KexAlgos = append(msg.KexAlgos, extInfoServer)
- }
+ msg.KexAlgos = append(msg.KexAlgos, extInfoServer)
 } else {
 msg.ServerHostKeyAlgos = t.hostKeyAlgorithms
 
@@ -642,13 +640,13 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 
 if !isClient {
 // We're on the server side, see if the client sent the extension signal
- if !t.extInfoSent && contains(clientInit.KexAlgos, extInfoClient) && contains(t.config.Extensions, ExtServerSigAlgs) {
+ if !t.extInfoSent && contains(clientInit.KexAlgos, extInfoClient) {
 // The other side supports ext info, an ext info message hasn't been sent this session,
 // and we have at least one extension enabled, so send an SSH_MSG_EXT_INFO message.
 extensions := map[string][]byte{}
 // We're the server, the client supports SSH_MSG_EXT_INFO and server-sig-algs
 // is enabled. Prepare the server-sig-algos extension message to send.
- extensions[ExtServerSigAlgs] = []byte(strings.Join(supportedServerSigAlgs, ","))
+ extensions[extServerSigAlgs] = []byte(strings.Join(supportedServerSigAlgs, ","))
 var payload []byte
 for k, v := range extensions {
 payload = appendInt(payload, len(k))
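Review bot: The now unconditional `msg.KexAlgos = append(msg.KexAlgos, extInfoServer)` in the sendKexInit hunk carries no comment, so a reader cannot tell that it is an RFC 8308 indicator rather than a real key-exchange method or why it must come last in the list. I would add above it `// Always advertise ext-info-s (RFC 8308, Section 2.1) so that a client sending ext-info-c receives SSH_MSG_EXT_INFO with server-sig-algs; it is appended last because it is an indicator, not a negotiable algorithm.` Since sendKexInit is also used for rekeys, it is worth a half-sentence there that re-advertising on a rekey is harmless because the extInfoSent flag in enterKeyExchange prevents a second SSH_MSG_EXT_INFO. The body of sendKexInit starts before and ends after this hunk.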
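Review bot: The two comments kept as context in the enterKeyExchange hunk are now stale: "and we have at least one extension enabled" and "server-sig-algs is enabled" describe the `contains(t.config.Extensions, ExtServerSigAlgs)` test this commit removes, so the condition and its explanation no longer agree. I would collapse them into one comment above the `if`: `// The client advertised ext-info-c and no SSH_MSG_EXT_INFO has been sent this session, so send one carrying server-sig-algs (RFC 8308, Section 3.1); extInfoSent keeps this to the first key exchange.` and drop the "is enabled" sentence above the `extensions[extServerSigAlgs]` assignment. As a point of style, with server-sig-algs the only extension the one-entry `extensions` map and the `for k, v := range extensions` loop could be replaced by appending the single name and value directly, which also removes the map-order question if a second extension is ever added. The body of enterKeyExchange continues outside the hunk.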