[crypto] ssh: add diffie-hellman-group16/18-sha512 kex

Nicola Murino (Gerrit)

unread,

Jun 28, 2023, 1:40:42 PM6/28/23

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Nicola Murino has uploaded this change for review.

ssh: add diffie-hellman-group16/18-sha512 kex

These groups are disabled by default because they have a
significant performance cost.

Change-Id: Id119401fda7e417675325f37e3d442e70585206c
---
M ssh/common.go
M ssh/kex.go
M ssh/test/session_test.go
3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/ssh/common.go b/ssh/common.go
index 9ba6e10..c4791ef 100644
--- a/ssh/common.go
+++ b/ssh/common.go
@@ -49,7 +49,8 @@
 	// P384 and P521 are not constant-time yet, but since we don't
 	// reuse ephemeral keys, using them for ECDH should be OK.
 	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
-	kexAlgoDH14SHA256, kexAlgoDH14SHA1, kexAlgoDH1SHA1,
+	kexAlgoDH14SHA256, kexAlgoDH16SHA512, kexAlgoDH18SHA512,
+	kexAlgoDH14SHA1, kexAlgoDH1SHA1,
 }
 
 // serverForbiddenKexAlgos contains key exchange algorithms, that are forbidden
diff --git a/ssh/kex.go b/ssh/kex.go
index 927a90c..1ad9f93 100644
--- a/ssh/kex.go
+++ b/ssh/kex.go
@@ -23,6 +23,8 @@
 	kexAlgoDH1SHA1                = "diffie-hellman-group1-sha1"
 	kexAlgoDH14SHA1               = "diffie-hellman-group14-sha1"
 	kexAlgoDH14SHA256             = "diffie-hellman-group14-sha256"
+	kexAlgoDH16SHA512             = "diffie-hellman-group16-sha512"
+	kexAlgoDH18SHA512             = "diffie-hellman-group18-sha512"
 	kexAlgoECDH256                = "ecdh-sha2-nistp256"
 	kexAlgoECDH384                = "ecdh-sha2-nistp384"
 	kexAlgoECDH521                = "ecdh-sha2-nistp521"
@@ -430,6 +432,28 @@
 		hashFunc: crypto.SHA256,
 	}
 
+	// This is the group called diffie-hellman-group16-sha512 in RFC
+	// 8268 and Oakley Group 16 in RFC 3526.
+	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF", 16)
+
+	kexAlgoMap[kexAlgoDH16SHA512] = &dhGroup{
+		g:        new(big.Int).SetInt64(2),
+		p:        p,
+		pMinus1:  new(big.Int).Sub(p, bigOne),
+		hashFunc: crypto.SHA512,
+	}
+
+	// This is the group called diffie-hellman-group18-sha512 in RFC
+	// 8268 and Oakley Group 18 in RFC 3526.
+	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E438777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F5683423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD922222E04A4037C0713EB57A81A23F0C73473FC646CEA306B4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A364597E899A0255DC164F31CC50846851DF9AB48195DED7EA1B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F924009438B481C6CD7889A002ED5EE382BC9190DA6FC026E479558E4475677E9AA9E3050E2765694DFC81F56E880B96E7160C980DD98EDD3DFFFFFFFFFFFFFFFFF", 16)
+
+	kexAlgoMap[kexAlgoDH18SHA512] = &dhGroup{
+		g:        new(big.Int).SetInt64(2),
+		p:        p,
+		pMinus1:  new(big.Int).Sub(p, bigOne),
+		hashFunc: crypto.SHA512,
+	}
+
 	kexAlgoMap[kexAlgoECDH521] = &ecdh{elliptic.P521()}
 	kexAlgoMap[kexAlgoECDH384] = &ecdh{elliptic.P384()}
 	kexAlgoMap[kexAlgoECDH256] = &ecdh{elliptic.P256()}
diff --git a/ssh/test/session_test.go b/ssh/test/session_test.go
index e98b786..914f3ee 100644
--- a/ssh/test/session_test.go
+++ b/ssh/test/session_test.go
@@ -410,6 +410,9 @@
 	// are not included in the default list of supported kex so we have to add them
 	// here manually.
 	kexOrder = append(kexOrder, "diffie-hellman-group-exchange-sha1", "diffie-hellman-group-exchange-sha256")
+	// diffie-hellman-group16-sha512 and diffie-hellman-group18-sha512 are
+	// disabled by default so we add them here manually.
+	kexOrder = append(kexOrder, "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512")
 	for _, kex := range kexOrder {
 		t.Run(kex, func(t *testing.T) {
 			server := newServer(t)

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

Nicola Murino (Gerrit)

unread,

Jul 15, 2023, 1:24:56 PM7/15/23

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Filippo Valsorda, Roland Shoemaker.

Nicola Murino uploaded patch set #2 to this change.

View Change

ssh: add diffie-hellman-group16/18-sha512 kex

These groups are disabled by default because they have a
significant performance cost.

Change-Id: Id119401fda7e417675325f37e3d442e70585206c
---
M ssh/common.go
M ssh/kex.go

M ssh/kex_test.go
M ssh/test/session_test.go
4 files changed, 68 insertions(+), 1 deletion(-)

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

Nicola Murino (Gerrit)

unread,

Jul 15, 2023, 1:27:05 PM7/15/23

to goph...@pubsubhelper.golang.org, Filippo Valsorda, Roland Shoemaker, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Filippo Valsorda, Roland Shoemaker.

View Change

1 comment:

Patchset:
- Patch Set #2:
  I added a benchmark, diffie-hellman-group18-sha512 has very poor performance
  BenchmarkKexes/diffie-hellman-group14-sha1-12 1000000000 0.02053 ns/op 0 B/op 0 allocs/op
  BenchmarkKexes/diffie-hellman-group16-sha512-12 1000000000 0.1392 ns/op 0 B/op 0 allocs/op
  BenchmarkKexes/curve25519-sha256-12 1000000000 0.0003657 ns/op 0 B/op 0 allocs/op
  BenchmarkKexes/curve255...@libssh.org-12 1000000000 0.0003561 ns/op 0 B/op 0 allocs/op
  BenchmarkKexes/ecdh-sha2-nistp256-12 1000000000 0.0002683 ns/op 0 B/op 0 allocs/op
  BenchmarkKexes/diffie-hellman-group-exchange-sha1-12 1000000000 0.01888 ns/op 0 B/op 0 allocs/op
  BenchmarkKexes/diffie-hellman-group-exchange-sha256-12 1000000000 0.01980 ns/op 0 B/op 0 allocs/op
  BenchmarkKexes/diffie-hellman-group1-sha1-12 1000000000 0.003308 ns/op 0 B/op 0 allocs/op
  BenchmarkKexes/diffie-hellman-group14-sha256-12 1000000000 0.01919 ns/op 0 B/op 0 allocs/op
  BenchmarkKexes/diffie-hellman-group18-sha512-12 1 1099024323 ns/op 247096 B/op 274 allocs/op
  BenchmarkKexes/ecdh-sha2-nistp521-12 1000000000 0.008938 ns/op 0 B/op 0 allocs/op
  BenchmarkKexes/ecdh-sha2-nistp384-12 1000000000 0.003701 ns/op 0 B/op 0 allocs/op
  PASS
  ok golang.org/x/crypto/ssh 3.416s
  here is the output from the profiler
```
(pprof) top
Showing nodes accounting for 1160ms, 100% of 1160ms total
Showing top 10 nodes out of 11
      flat  flat%   sum%        cum   cum%
    1100ms 94.83% 94.83%     1100ms 94.83%  math/big.addMulVVW
      60ms  5.17%   100%     1160ms   100%  math/big.nat.montgomery
         0     0%   100%      580ms 50.00%  golang.org/x/crypto/ssh.(*dhGroup).Client
         0     0%   100%      580ms 50.00%  golang.org/x/crypto/ssh.(*dhGroup).Server
         0     0%   100%      580ms 50.00%  golang.org/x/crypto/ssh.(*dhGroup).diffieHellman
         0     0%   100%      580ms 50.00%  golang.org/x/crypto/ssh.BenchmarkKexDH18Sha512.func1
         0     0%   100%      580ms 50.00%  golang.org/x/crypto/ssh.BenchmarkKexDH18Sha512.func2
         0     0%   100%     1160ms   100%  math/big.(*Int).Exp (inline)
         0     0%   100%     1160ms   100%  math/big.(*Int).exp
         0     0%   100%     1160ms   100%  math/big.nat.expNN
```

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

Nicola Murino (Gerrit)

unread,

Jul 15, 2023, 2:20:18 PM7/15/23

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Filippo Valsorda, Roland Shoemaker.

Nicola Murino uploaded patch set #3 to this change.

View Change

ssh: add diffie-hellman-group16/18-sha512 kex

These groups are disabled by default because they have a
significant performance cost.

Change-Id: Id119401fda7e417675325f37e3d442e70585206c
---
M ssh/common.go
M ssh/kex.go
M ssh/kex_test.go
M ssh/test/session_test.go

4 files changed, 70 insertions(+), 1 deletion(-)

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

Nicola Murino (Gerrit)

unread,

Jul 15, 2023, 2:45:16 PM7/15/23

to goph...@pubsubhelper.golang.org, Filippo Valsorda, Roland Shoemaker, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Filippo Valsorda, Roland Shoemaker.

View Change

2 comments:

Patchset:
- Patch Set #2:
  I added a benchmark, diffie-hellman-group18-sha512 has very poor performance […]
  wrong bechmark sorry
Patchset:
- Patch Set #3:
  Benchmark results
  name time/op
  Kexes/diffie-hellman-group14-sha256-12 32.1ms ±15%
  Kexes/diffie-hellman-group16-sha512-12 217ms ±18%
  Kexes/diffie-hellman-group18-sha512-12 1.53s ±16%
  Kexes/curve25519-sha256-12 462µs ±10%
  Kexes/diffie-hellman-group-exchange-sha1-12 28.1ms ±12%
  Kexes/diffie-hellman-group-exchange-sha256-12 27.1ms ±12%
  Kexes/diffie-hellman-group1-sha1-12 4.38ms ± 5%
  Kexes/diffie-hellman-group14-sha1-12 31.5ms ±16%
  Kexes/ecdh-sha2-nistp256-12 329µs ± 6%
  Kexes/curve255...@libssh.org-12 505µs ±14%
  Kexes/ecdh-sha2-nistp521-12 17.0ms ±17%
  Kexes/ecdh-sha2-nistp384-12 5.24ms ±22%
  name alloc/op
  Kexes/diffie-hellman-group14-sha256-12 61.9kB ± 0%
  Kexes/diffie-hellman-group16-sha512-12 117kB ± 0%
  Kexes/diffie-hellman-group18-sha512-12 230kB ± 2%
  Kexes/curve25519-sha256-12 8.21kB ± 0%
  Kexes/diffie-hellman-group-exchange-sha1-12 67.4kB ± 0%
  Kexes/diffie-hellman-group-exchange-sha256-12 67.4kB ± 0%
  Kexes/diffie-hellman-group1-sha1-12 34.9kB ± 0%
  Kexes/diffie-hellman-group14-sha1-12 61.9kB ± 0%
  Kexes/ecdh-sha2-nistp256-12 12.1kB ± 0%
  Kexes/curve255...@libssh.org-12 8.21kB ± 0%
  Kexes/ecdh-sha2-nistp521-12 16.3kB ± 0%
  Kexes/ecdh-sha2-nistp384-12 13.9kB ± 0%
  name allocs/op
  Kexes/diffie-hellman-group14-sha256-12 255 ± 0%
  Kexes/diffie-hellman-group16-sha512-12 256 ± 0%
  Kexes/diffie-hellman-group18-sha512-12 266 ± 3%
  Kexes/curve25519-sha256-12 168 ± 0%
  Kexes/diffie-hellman-group-exchange-sha1-12 314 ± 0%
  Kexes/diffie-hellman-group-exchange-sha256-12 314 ± 0%
  Kexes/diffie-hellman-group1-sha1-12 255 ± 0%
  Kexes/diffie-hellman-group14-sha1-12 255 ± 0%
  Kexes/ecdh-sha2-nistp256-12 213 ± 0%
  Kexes/curve255...@libssh.org-12 168 ± 0%
  Kexes/ecdh-sha2-nistp521-12 245 ± 0%
  Kexes/ecdh-sha2-nistp384-12 243 ± 0%

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

Filippo Valsorda (Gerrit)

unread,

Jul 24, 2023, 11:35:46 AM7/24/23

to Nicola Murino, goph...@pubsubhelper.golang.org, Filippo Valsorda, Roland Shoemaker, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Nicola Murino, Roland Shoemaker.

View Change

2 comments:

Commit Message:
- Patch Set #3, Line 10: significant performance cost.
  Add the benchstat to the commit message.
Patchset:
- Patch Set #3:
  217ms is reasonable for opting in, 1.53s is not. Let's add 16 but not 18.

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

Nicola Murino (Gerrit)

unread,

Jul 25, 2023, 9:28:56 AM7/25/23

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Nicola Murino, Roland Shoemaker.

Nicola Murino uploaded patch set #4 to this change.

View Change

ssh: add diffie-hellman-group16-sha512 kex

This group is disabled by default because it is a bit slower than
the others.
The group18-sha512 variant is too slow to include.

Benchstat results including diffie-hellman-group18-sha512:

name                                           time/op
Kexes/diffie-hellman-group-exchange-sha256-12  22.6ms ± 9%
Kexes/diffie-hellman-group18-sha512-12          1.15s ±11%
Kexes/ecdh-sha2-nistp384-12                    3.91ms ± 6%
Kexes/ecdh-sha2-nistp256-12                     304µs ± 5%
Kexes/curve255...@libssh.org-12           413µs ± 7%
Kexes/ecdh-sha2-nistp521-12                    11.6ms ±13%
Kexes/curve25519-sha256-12                      361µs ± 5%
Kexes/diffie-hellman-group-exchange-sha1-12    22.9ms ± 9%
Kexes/diffie-hellman-group1-sha1-12            3.59ms ± 6%
Kexes/diffie-hellman-group14-sha1-12           22.1ms ±11%
Kexes/diffie-hellman-group14-sha256-12         21.6ms ± 8%
Kexes/diffie-hellman-group16-sha512-12          138ms ± 9%

name                                           alloc/op
Kexes/diffie-hellman-group-exchange-sha256-12  67.8kB ± 1%
Kexes/diffie-hellman-group18-sha512-12          243kB ± 9%
Kexes/ecdh-sha2-nistp384-12                    13.9kB ± 0%
Kexes/ecdh-sha2-nistp256-12                    12.1kB ± 0%
Kexes/curve255...@libssh.org-12          8.22kB ± 0%
Kexes/ecdh-sha2-nistp521-12                    16.5kB ± 0%
Kexes/curve25519-sha256-12                     8.22kB ± 0%
Kexes/diffie-hellman-group-exchange-sha1-12    67.5kB ± 0%


Kexes/diffie-hellman-group1-sha1-12            34.9kB ± 0%
Kexes/diffie-hellman-group14-sha1-12           61.9kB ± 0%

Kexes/diffie-hellman-group14-sha256-12         62.0kB ± 0%
Kexes/diffie-hellman-group16-sha512-12          117kB ± 0%

name                                           allocs/op
Kexes/diffie-hellman-group-exchange-sha256-12     314 ± 0%
Kexes/diffie-hellman-group18-sha512-12            271 ± 4%
Kexes/ecdh-sha2-nistp384-12                       243 ± 0%


Kexes/ecdh-sha2-nistp256-12                       213 ± 0%
Kexes/curve255...@libssh.org-12             168 ± 0%
Kexes/ecdh-sha2-nistp521-12                       245 ± 0%

Kexes/curve25519-sha256-12                        168 ± 0%
Kexes/diffie-hellman-group-exchange-sha1-12       314 ± 0%

Kexes/diffie-hellman-group1-sha1-12               255 ± 0%
Kexes/diffie-hellman-group14-sha1-12              255 ± 0%

Kexes/diffie-hellman-group14-sha256-12            255 ± 0%
Kexes/diffie-hellman-group16-sha512-12            256 ± 0%

Change-Id: Id119401fda7e417675325f37e3d442e70585206c
---
M ssh/common.go
M ssh/kex.go
M ssh/kex_test.go
M ssh/test/session_test.go

4 files changed, 61 insertions(+), 3 deletions(-)

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

Nicola Murino (Gerrit)

unread,

Jul 25, 2023, 9:29:20 AM7/25/23

to goph...@pubsubhelper.golang.org, Filippo Valsorda, Roland Shoemaker, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Filippo Valsorda, Roland Shoemaker.

View Change

2 comments:

Commit Message:

- Patch Set #3, Line 10: significant performance cost.
  Add the benchstat to the commit message.

- Done
Patchset:

- Patch Set #3:
  217ms is reasonable for opting in, 1.53s is not. Let's add 16 but not 18.

- Done

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

Filippo Valsorda (Gerrit)

unread,

Jul 27, 2023, 8:42:54 AM7/27/23

to Nicola Murino, goph...@pubsubhelper.golang.org, Filippo Valsorda, Roland Shoemaker, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Roland Shoemaker.

Patch set 4:Run-TryBot +1Auto-Submit +1Code-Review +2

View Change

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

David Chase (Gerrit)

unread,

Jul 31, 2023, 11:40:53 AM7/31/23

to Nicola Murino, goph...@pubsubhelper.golang.org, Gopher Robot, Filippo Valsorda, Roland Shoemaker, golang-co...@googlegroups.com

Attention is currently required from: Nicola Murino, Roland Shoemaker.

Patch set 4:Code-Review +1

View Change

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

Cherry Mui (Gerrit)

unread,

Jul 31, 2023, 1:46:41 PM7/31/23

to Nicola Murino, goph...@pubsubhelper.golang.org, David Chase, Gopher Robot, Filippo Valsorda, Roland Shoemaker, golang-co...@googlegroups.com

Attention is currently required from: Nicola Murino, Roland Shoemaker.

Patch set 4:Code-Review +1

View Change

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

Gopher Robot (Gerrit)

unread,

Jul 31, 2023, 1:46:59 PM7/31/23

to Nicola Murino, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Cherry Mui, David Chase, Filippo Valsorda, Roland Shoemaker, golang-co...@googlegroups.com

Gopher Robot submitted this change.

View Change

Approvals:
  Cherry Mui: Looks good to me, but someone else must approve
  Filippo Valsorda: Looks good to me, approved; Run TryBots; Automatically submit change
  David Chase: Looks good to me, but someone else must approve
  Gopher Robot: TryBots succeeded

Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506839
Run-TryBot: Filippo Valsorda <fil...@golang.org>
TryBot-Result: Gopher Robot <go...@golang.org>
Reviewed-by: Cherry Mui <cher...@google.com>
Auto-Submit: Filippo Valsorda <fil...@golang.org>
Reviewed-by: David Chase <drc...@google.com>
Reviewed-by: Filippo Valsorda <fil...@golang.org>


---
M ssh/common.go
M ssh/kex.go
M ssh/kex_test.go
M ssh/test/session_test.go
4 files changed, 61 insertions(+), 3 deletions(-)

diff --git a/ssh/common.go b/ssh/common.go
index 3862ec8..b419c76 100644


--- a/ssh/common.go
+++ b/ssh/common.go
@@ -49,7 +49,8 @@
 	// P384 and P521 are not constant-time yet, but since we don't
 	// reuse ephemeral keys, using them for ECDH should be OK.
 	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
-	kexAlgoDH14SHA256, kexAlgoDH14SHA1, kexAlgoDH1SHA1,

+	kexAlgoDH14SHA256, kexAlgoDH16SHA512, kexAlgoDH14SHA1,
+	kexAlgoDH1SHA1,


 }
 
 // serverForbiddenKexAlgos contains key exchange algorithms, that are forbidden

@@ -59,8 +60,9 @@
 	kexAlgoDHGEXSHA256: {}, // server half implementation is only minimal to satisfy the automated tests
 }
 
-// preferredKexAlgos specifies the default preference for key-exchange algorithms
-// in preference order.
+// preferredKexAlgos specifies the default preference for key-exchange
+// algorithms in preference order. The diffie-hellman-group16-sha512 algorithm
+// is disabled by default because it is a bit slower than the others.
 var preferredKexAlgos = []string{
 	kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
 	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
diff --git a/ssh/kex.go b/ssh/kex.go
index 927a90c..8a05f79 100644
--- a/ssh/kex.go
+++ b/ssh/kex.go
@@ -23,6 +23,7 @@


 	kexAlgoDH1SHA1                = "diffie-hellman-group1-sha1"
 	kexAlgoDH14SHA1               = "diffie-hellman-group14-sha1"
 	kexAlgoDH14SHA256             = "diffie-hellman-group14-sha256"
+	kexAlgoDH16SHA512             = "diffie-hellman-group16-sha512"

 	kexAlgoECDH256                = "ecdh-sha2-nistp256"
 	kexAlgoECDH384                = "ecdh-sha2-nistp384"
 	kexAlgoECDH521                = "ecdh-sha2-nistp521"

@@ -430,6 +431,17 @@


 		hashFunc: crypto.SHA256,
 	}
 
+	// This is the group called diffie-hellman-group16-sha512 in RFC
+	// 8268 and Oakley Group 16 in RFC 3526.
+	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF", 16)
+
+	kexAlgoMap[kexAlgoDH16SHA512] = &dhGroup{
+		g:        new(big.Int).SetInt64(2),
+		p:        p,
+		pMinus1:  new(big.Int).Sub(p, bigOne),
+		hashFunc: crypto.SHA512,
+	}
+

 	kexAlgoMap[kexAlgoECDH521] = &ecdh{elliptic.P521()}
 	kexAlgoMap[kexAlgoECDH384] = &ecdh{elliptic.P384()}
 	kexAlgoMap[kexAlgoECDH256] = &ecdh{elliptic.P256()}

diff --git a/ssh/kex_test.go b/ssh/kex_test.go
index 327013b..cb7f66a 100644
--- a/ssh/kex_test.go
+++ b/ssh/kex_test.go
@@ -8,6 +8,7 @@
 
 import (
 	"crypto/rand"
+	"fmt"
 	"reflect"
 	"sync"
 	"testing"
@@ -63,3 +64,43 @@
 		})
 	}
 }
+
+func BenchmarkKexes(b *testing.B) {
+	type kexResultErr struct {
+		result *kexResult
+		err    error
+	}
+
+	for name, kex := range kexAlgoMap {
+		b.Run(name, func(b *testing.B) {
+			for i := 0; i < b.N; i++ {
+				t1, t2 := memPipe()
+
+				s := make(chan kexResultErr, 1)
+				c := make(chan kexResultErr, 1)
+				var magics handshakeMagics
+
+				go func() {
+					r, e := kex.Client(t1, rand.Reader, &magics)
+					t1.Close()
+					c <- kexResultErr{r, e}
+				}()
+				go func() {
+					r, e := kex.Server(t2, rand.Reader, &magics, testSigners["ecdsa"].(AlgorithmSigner), testSigners["ecdsa"].PublicKey().Type())
+					t2.Close()
+					s <- kexResultErr{r, e}
+				}()
+
+				clientRes := <-c
+				serverRes := <-s
+
+				if clientRes.err != nil {
+					panic(fmt.Sprintf("client: %v", clientRes.err))
+				}
+				if serverRes.err != nil {
+					panic(fmt.Sprintf("server: %v", serverRes.err))
+				}
+			}
+		})
+	}
+}
diff --git a/ssh/test/session_test.go b/ssh/test/session_test.go
index b44877e..4745ed9 100644


--- a/ssh/test/session_test.go
+++ b/ssh/test/session_test.go
@@ -410,6 +410,9 @@
 	// are not included in the default list of supported kex so we have to add them
 	// here manually.
 	kexOrder = append(kexOrder, "diffie-hellman-group-exchange-sha1", "diffie-hellman-group-exchange-sha256")

+	// The key exchange algorithms diffie-hellman-group16-sha512 is disabled by
+	// default so we add it here manually.
+	kexOrder = append(kexOrder, "diffie-hellman-group16-sha512")


 	for _, kex := range kexOrder {
 		t.Run(kex, func(t *testing.T) {
 			server := newServer(t)

To view, visit change 506839. To unsubscribe, or for help writing mail filters, visit settings.

Reply all

Reply to author

Forward