Add hmac-sha2-256 MAC support

This small patch adds hmac-sha2-256 support separately as requested in #423. Some security standards now recommend to disable MD5 and SHA1, and use SHA2 instead. This change was tested using SHA2 against RHEL6's OpenSSH v5.3p1 and Solaris 11. And was also tested with RHEL5's OpenSSH 4.3p2 which doesn't include SHA2.
2025-01-21 21:41:14 +01:00 · 2014-07-25 12:28:08 +02:00 · 2014-07-25 12:28:08 +02:00 · 86d17c6989
commit 86d17c6989
parent 880bc9d9e6
1 changed files with 10 additions and 0 deletions
--- a/phpseclib/Net/SSH2.php
+++ b/phpseclib/Net/SSH2.php
@ -1163,6 +1163,7 @@ class Net_SSH2
        }

        $mac_algorithms = array(
+            'hmac-sha2-256',// RECOMMENDED HMAC-SHA256 (digest length = key length = 32)
            'hmac-sha1-96', // RECOMMENDED     first 96 bits of HMAC-SHA1 (digest length = 12, key length = 20)
            'hmac-sha1',    // REQUIRED        HMAC-SHA1 (digest length = key length = 20)
            'hmac-md5-96',  // OPTIONAL        first 96 bits of HMAC-MD5 (digest length = 12, key length = 16)
@ -1692,6 +1693,10 @@ class Net_SSH2

        $createKeyLength = 0; // ie. $mac_algorithms[$i] == 'none'
        switch ($mac_algorithms[$i]) {
+            case 'hmac-sha2-256':
+                $this->hmac_create = new Crypt_Hash('sha256');
+                $createKeyLength = 32;
+                break;
            case 'hmac-sha1':
                $this->hmac_create = new Crypt_Hash('sha1');
                $createKeyLength = 20;
@ -1718,6 +1723,11 @@ class Net_SSH2
        $checkKeyLength = 0;
        $this->hmac_size = 0;
        switch ($mac_algorithms[$i]) {
+            case 'hmac-sha2-256':
+                $this->hmac_check = new Crypt_Hash('sha256');
+                $checkKeyLength = 32;
+                $this->hmac_size = 32;
+                break;
            case 'hmac-sha1':
                $this->hmac_check = new Crypt_Hash('sha1');
                $checkKeyLength = 20;