Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for ecdh-sha2-nistp256 #210

Closed
Apolo-sys opened this issue Nov 6, 2023 · 5 comments · Fixed by #282
Closed

Support for ecdh-sha2-nistp256 #210

Apolo-sys opened this issue Nov 6, 2023 · 5 comments · Fixed by #282

Comments

@Apolo-sys
Copy link

Would be nice if support added for "ecdh-sha2-nistp256"
@Eugeny
Copy link
Owner

Eugeny commented Nov 6, 2023

Screenshot 2023-11-06 at 13 46 53

:(

Duplicate of #201

@Eugeny Eugeny closed this as completed Nov 6, 2023
@Apolo-sys
Copy link
Author

Yeah but not ecdh-sha2-nistp256

@Eugeny Eugeny reopened this Nov 17, 2023
@Eugeny
Copy link
Owner

Eugeny commented Nov 17, 2023

🤦

@gleason-m
Copy link
Contributor

+1 on the request for support for the ecdh-sha2-nistp{256,384,521} kex algorithms.

@Eugeny, I noticed a comment in curve25519.rs about NIST P-256 formerly being supported. According to blame, this looks like something forked from thrussh (thrussh's source repo won't load for me at the moment, so hard to confirm).
https://github.com/warp-tech/russh/blob/0fc65ea1d45257c0aef2044d333c634a35891402/russh/src/kex/curve25519.rs#L40C1-L42C41

Would it be possible to add back in this implementation? And if there are concerns over the security of the kex, maybe leave these three off of the default preferred safe kex order but still allow a client to opt-in with a custom config?

@Eugeny
Copy link
Owner

Eugeny commented May 8, 2024

@gleason-m yes, that's inherited from thrussh. Their repo history pre-2020 was wiped and those lines already were there at that point in time.

I don't have a lot of time to work in russh right now but I'm hopeful that the kex trait would make it easy for someone to add NIST curves using Curve25519 implementation as a reference

@gleason-m gleason-m mentioned this issue May 10, 2024
Merged
Eugeny added a commit that referenced this issue May 10, 2024
@gleason-m @Eugeny
ecdh-sha2-nistp{256,384,521} kex support (#282)
3bfd99f 
Adds support for ecdh-sha2-nistp{256,384,521} key exchange algorithms
using the
[elliptic-curve](https://docs.rs/elliptic-curve/latest/elliptic_curve/index.html),
[p256](https://docs.rs/p256/latest/p256/index.html),
[p384](https://docs.rs/p384/latest/p384/), and
[p521](https://docs.rs/p521/latest/p521/) crates.

Intentionally avoids adding these to the preferred Kex list as the
security of these curves is considered controversial. Users would need
to explicitly use the kex via config

Resolves #210

---------

Co-authored-by: Eugene <inbox@null.page>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ecdh-sha2-nistp{256,384,521} kex support gleason-m/russh
3 participants
@Eugeny @Apolo-sys @gleason-m