ecki commented on code in PR #446: URL: https://github.com/apache/mina-sshd/pull/446#discussion_r1435264388
########## sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java: ########## @@ -1741,6 +1979,143 @@ protected byte[] sendKexInit(Map<KexProposalOption, String> proposal) throws Exc return data; } + protected String adjustOutgoingKexProposalOption( + KexProposalOption option, String value, boolean debugEnabled) { + if (GenericUtils.isBlank(value)) { + return value; // can happen for language (e.g.) + } + + if (option != KexProposalOption.ALGORITHMS) { + return value; + } + + if (!CoreModuleProperties.USE_STRICT_KEX.getRequired(this)) { + return value; + } + + /* + * According to https://github.com/openssh/openssh-portable/blob/master/PROTOCOL - section 1.9 + * + * These pseudo-algorithms are only valid in the initial SSH2_MSG_KEXINIT and + * MUST be ignored if they are present in subsequent SSH2_MSG_KEXINIT packets. + * + * Therefore, if this is not the 1st outgoing packet don't bother appending + */ + long outgoingCount = totalOutgingPacketsCount.get(); + if (outgoingCount > 0L) { + if (debugEnabled) { + log.debug("adjustKexOutgoingProposalOption({})[{}] not first outgoing packet ({}) for proposal={}", + this, option, outgoingCount, value); + } + return value; + } + + /* + * According to https://github.com/openssh/openssh-portable/blob/master/PROTOCOL - section 1.9 + * + * The client may append "kex-strict-c-...@openssh.com" to its kex_algorithms + * and the server may append "kex-strict-s-...@openssh.com" + * + */ + String proposal = isServerSession() + ? KexExtensions.STRICT_KEX_SERVER_EXTENSION + : KexExtensions.STRICT_KEX_CLIENT_EXTENSION; + String adjusted = value + "," + proposal; + if (debugEnabled) { + log.debug("adjustOutgoingKexProposalOption({})[{}] adjusted={}", this, option, adjusted); + } + + return adjusted; + } + + protected String preProcessIncomingKexProposalOption( + KexProposalOption option, String value, boolean debugEnabled) { + if (GenericUtils.isBlank(value)) { + return value; // can happen for language (e.g.) + } + + if (option != KexProposalOption.ALGORITHMS) { + return value; + } + + if (!CoreModuleProperties.USE_STRICT_KEX.getRequired(this)) { + return value; + } + + String peerValue = isServerSession() + ? KexExtensions.STRICT_KEX_CLIENT_EXTENSION + : KexExtensions.STRICT_KEX_SERVER_EXTENSION; + if (!value.contains(peerValue)) { + return value; + } + + // Just a bit of paranoia... Review Comment: It’s not about your own code it’s about malformed peer messages . You could say you don’t care because you handle it safely (you remove both) and it is better for interop. In that case a comment to that extend would document it was considered safe. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org