[crypto] ssh: respect signer's algorithm preference in pickSignatureAlgorithm
4 views
Skip to first unread message
Nicola Murino (Gerrit)
Feb 16, 2026, 4:39:48 AMFeb 16
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Nicola Murino has uploaded the change for review![]( "Open in Gerrit")
Commit message
ssh: respect signer's algorithm preference in pickSignatureAlgorithm
Previously, pickSignatureAlgorithm constructed the list of candidate
algorithms by iterating over the static list returned by
algorithmsForKeyFormat. This caused the Signer's preference order
to be ignored in favor of the library's default internal order.
This change inverts the filtering logic to iterate over the signer's
supported algorithms first. This ensures that if a MultiAlgorithmSigner
explicitly prefers a specific algorithm (e.g., rsa-sha2-512 over
rsa-sha2-256), that preference is preserved and respected during the
handshake negotiation.
Fixes golang/go#77585
Change-Id: I48a0aac720be7f973963342b82047ce32fc96699
Change diff
diff --git a/ssh/client_auth.go b/ssh/client_auth.go
index 3127e49..bf3d03e 100644
--- a/ssh/client_auth.go
+++ b/ssh/client_auth.go
@@ -275,9 +275,14 @@
// Filter algorithms based on those supported by MultiAlgorithmSigner.
var keyAlgos []string
- for _, algo := range algorithmsForKeyFormat(keyFormat) {
- if slices.Contains(as.Algorithms(), underlyingAlgo(algo)) {
- keyAlgos = append(keyAlgos, algo)
+ supportedKeyAlgos := algorithmsForKeyFormat(keyFormat)
+
+ for _, signerAlgo := range as.Algorithms() {
+ for _, algo := range supportedKeyAlgos {
+ if underlyingAlgo(algo) == signerAlgo {
+ keyAlgos = append(keyAlgos, algo)
+ break
+ }
}
}
diff --git a/ssh/client_auth_test.go b/ssh/client_auth_test.go
index a183c21..199d207 100644
--- a/ssh/client_auth_test.go
+++ b/ssh/client_auth_test.go
@@ -1159,6 +1159,52 @@
}
}
+func TestPickSignatureAlgorithmRespectsSignerPreference(t *testing.T) {
+ algoSigner, ok := testSigners["rsa"].(AlgorithmSigner)
+ if !ok {
+ t.Fatalf("rsa test signer does not implement the AlgorithmSigner interface")
+ }
+
+ serverExtensions := map[string][]byte{
+ "server-sig-algs": []byte(KeyAlgoRSASHA256 + "," + KeyAlgoRSASHA512),
+ }
+
+ tests := []struct {
+ name string
+ signerPrefs []string
+ expectedAlgo string
+ }{
+ {
+ name: "Signer prefers SHA512 then SHA256",
+ signerPrefs: []string{KeyAlgoRSASHA512, KeyAlgoRSASHA256},
+ expectedAlgo: KeyAlgoRSASHA512,
+ },
+ {
+ name: "Signer prefers SHA256 then SHA512",
+ signerPrefs: []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512},
+ expectedAlgo: KeyAlgoRSASHA256,
+ },
+ }
+
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ orderedSigner, err := NewSignerWithAlgorithms(algoSigner, tc.signerPrefs)
+ if err != nil {
+ t.Fatalf("failed to create ordered signer: %v", err)
+ }
+
+ _, selectedAlgo, err := pickSignatureAlgorithm(orderedSigner, serverExtensions)
+ if err != nil {
+ t.Fatalf("unexpected error: %v", err)
+ }
+
+ if selectedAlgo != tc.expectedAlgo {
+ t.Errorf("Algorithm mismatch; got %q want %q", selectedAlgo, tc.expectedAlgo)
+ }
+ })
+ }
+}
+
// configurablePublicKeyCallback is a public key callback that allows to
// configure the signature algorithm and format. This way we can emulate the
// behavior of buggy clients.
Change information
Files:
- M ssh/client_auth.go
- M ssh/client_auth_test.go
Change size: M
Delta: 2 files changed, 54 insertions(+), 3 deletions(-)
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Nicola Murino (Gerrit)
Feb 16, 2026, 4:42:02 AMFeb 16
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Nicola Murino voted Commit-Queue+1![]( "Open in Gerrit")
| Commit-Queue | +1 |
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Lonny Wong (Gerrit)
Feb 19, 2026, 5:32:08 AMFeb 19
to Nicola Murino, goph...@pubsubhelper.golang.org, Roland Shoemaker, Filippo Valsorda, Gopher Robot, Go LUCI, golang-co...@googlegroups.com
Attention needed from Filippo Valsorda, Nicola Murino and Roland Shoemaker
Lonny Wong voted Code-Review+1![]( "Open in Gerrit")
| Code-Review | +1 |
Related details
Attention is currently required from:
- Filippo Valsorda
- Nicola Murino
- Roland Shoemaker
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Nicola Murino (Gerrit)
Mar 15, 2026, 1:16:54 PM (5 days ago) Mar 15
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Nicola Murino
Nicola Murino uploaded new patchset![]( "Open in Gerrit")
Nicola Murino uploaded patch set #2 to this change.
Following approvals got outdated and were removed:
- TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
Related details
Attention is currently required from:
- Nicola Murino
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Nicola Murino (Gerrit)
Mar 15, 2026, 1:35:20 PM (5 days ago) Mar 15
to goph...@pubsubhelper.golang.org, Lonny Wong, Roland Shoemaker, Filippo Valsorda, Gopher Robot, Go LUCI, golang-co...@googlegroups.com
Nicola Murino voted Commit-Queue+1![]( "Open in Gerrit")
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Filippo Valsorda (Gerrit)
Mar 17, 2026, 8:06:04 AM (3 days ago) Mar 17
to Nicola Murino, goph...@pubsubhelper.golang.org, Filippo Valsorda, Go LUCI, Lonny Wong, Roland Shoemaker, Gopher Robot, golang-co...@googlegroups.com
Attention needed from Nicola Murino
Filippo Valsorda voted Code-Review+2![]( "Open in Gerrit")
Attention is currently required from:
- Nicola Murino
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Lonny Wong (Gerrit)
Mar 19, 2026, 5:08:35 AM (yesterday) Mar 19
to Nicola Murino, goph...@pubsubhelper.golang.org, Filippo Valsorda, Go LUCI, Roland Shoemaker, Gopher Robot, golang-co...@googlegroups.com
Attention needed from Nicola Murino
Lonny Wong voted Code-Review+1![]( "Open in Gerrit")
| Code-Review | +1 |
Dmitri Shuralyov (Gerrit)
Mar 19, 2026, 7:12:41 PM (10 hours ago) Mar 19
to Nicola Murino, goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Filippo Valsorda, Go LUCI, Lonny Wong, Roland Shoemaker, Gopher Robot, golang-co...@googlegroups.com
Attention needed from Nicola Murino
Dmitri Shuralyov voted and added 1 comment![]( "Open in Gerrit")
Votes added by Dmitri Shuralyov
| Code-Review | +1 |
1 comment
Commit Message
Line 20, Patchset 2 (Latest):
Fixes golang/go#77585Dmitri Shuralyov . unresolved
This issue is currently marked as a [proposal](https://go.dev/s/proposal). If this change is indeed in scope of the proposal process, this CL shouldn't be submitted before the proposal is accepted.
Related details
Attention is currently required from:
- Nicola Murino
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Lonny Wong (Gerrit)
Mar 19, 2026, 7:26:37 PM (10 hours ago) Mar 19
to Nicola Murino, goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Dmitri Shuralyov, Filippo Valsorda, Go LUCI, Roland Shoemaker, Gopher Robot, golang-co...@googlegroups.com
Attention needed from Nicola Murino
Lonny Wong added 1 comment![]( "Open in Gerrit")
Commit Message
Line 20, Patchset 2 (Latest):
Fixes golang/go#77585Dmitri Shuralyov . unresolved
This issue is currently marked as a [proposal](https://go.dev/s/proposal). If this change is indeed in scope of the proposal process, this CL shouldn't be submitted before the proposal is accepted.
Lonny Wong
I originally proposed prioritizing rsa-sha2-512 by default. During the discussion, it was noted that users should be able to customize the order via the Algorithms() []string method. However, I discovered that the custom ordering is currently not taking effect, which is a bug. This CL is intended to fix that issue. Given this is a bug fix for existing functionality, is it possible to reclassify the issue from a proposal to a bug?
Dmitri Shuralyov (Gerrit)
Mar 19, 2026, 8:12:59 PM (9 hours ago) Mar 19
to Nicola Murino, goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Dmitri Shuralyov, Filippo Valsorda, Go LUCI, Lonny Wong, Roland Shoemaker, Gopher Robot, golang-co...@googlegroups.com
Attention needed from Lonny Wong and Nicola Murino
Dmitri Shuralyov added 1 comment![]( "Open in Gerrit")
Commit Message
Line 20, Patchset 2 (Latest):
Fixes golang/go#77585Dmitri Shuralyov . unresolved
Lonny WongThis issue is currently marked as a [proposal](https://go.dev/s/proposal). If this change is indeed in scope of the proposal process, this CL shouldn't be submitted before the proposal is accepted.
I originally proposed prioritizing rsa-sha2-512 by default. During the discussion, it was noted that users should be able to customize the order via the Algorithms() []string method. However, I discovered that the custom ordering is currently not taking effect, which is a bug. This CL is intended to fix that issue. Given this is a bug fix for existing functionality, is it possible to reclassify the issue from a proposal to a bug?
Dmitri Shuralyov
Yes, fixing a bug doesn't need a proposal. It sounds like you should either update #746020 to describe the bug instead of the original proposal, or if the original proposal should still be pursued then file a separate issue for the bug and this CL can be updated to target it instead.
Related details
Attention is currently required from:
- Lonny Wong
- Nicola Murino
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages