add support for DHGEX

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-07 14:50:55 +03:00 · 2022-11-17 18:15:53 +01:00
parent 67de4c9c07
commit a22282f275
9 changed files with 115 additions and 39 deletions
--- a/internal/sftpd/server.go
+++ b/internal/sftpd/server.go
@@ -141,6 +141,12 @@ type Configuration struct {
 	// HostKeyAlgorithms lists the public key algorithms that the server will accept for host
 	// key authentication.
 	HostKeyAlgorithms []string `json:"host_key_algorithms" mapstructure:"host_key_algorithms"`
+	// Diffie-Hellman moduli files.
+	// Each moduli file can be defined as a path relative to the configuration directory or an absolute one.
+	// If set, "diffie-hellman-group-exchange-sha256" and "diffie-hellman-group-exchange-sha1" KEX algorithms
+	// will be available, `diffie-hellman-group-exchange-sha256` will be enabled by default if you
+	// don't explicitly set KEXs
+	Moduli []string `json:"moduli" mapstructure:"moduli"`
 	// KexAlgorithms specifies the available KEX (Key Exchange) algorithms in
 	// preference order.
 	KexAlgorithms []string `json:"kex_algorithms" mapstructure:"kex_algorithms"`
@@ -294,6 +300,10 @@ func (c *Configuration) Initialize(configDir string) error {
 		return err
 	}

+	if err := c.loadModuli(configDir); err != nil {
+		return err
+	}
+
 	sftp.SetSFTPExtensions(sftpExtensions...) //nolint:errcheck // we configure valid SFTP Extensions so we cannot get an error

 	if err := c.configureSecurityOptions(serverConfig); err != nil {
@@ -840,6 +850,29 @@ func (c *Configuration) checkHostKeyAutoGeneration(configDir string) error {
 	return nil
 }

+func (c *Configuration) loadModuli(configDir string) error {
+	supportedKexAlgos = util.Remove(supportedKexAlgos, "diffie-hellman-group-exchange-sha1")
+	supportedKexAlgos = util.Remove(supportedKexAlgos, "diffie-hellman-group-exchange-sha256")
+	for _, m := range c.Moduli {
+		m = strings.TrimSpace(m)
+		if !util.IsFileInputValid(m) {
+			logger.Warn(logSender, "", "unable to load invalid moduli file %q", m)
+			logger.WarnToConsole("unable to load invalid host moduli file %q", m)
+			continue
+		}
+		if !filepath.IsAbs(m) {
+			m = filepath.Join(configDir, m)
+		}
+		logger.Info(logSender, "", "loading moduli file %q", m)
+		if err := ssh.ParseModuli(m); err != nil {
+			return err
+		}
+		supportedKexAlgos = append(supportedKexAlgos, "diffie-hellman-group-exchange-sha1",
+			"diffie-hellman-group-exchange-sha256")
+	}
+	return nil
+}
+
 // If no host keys are defined we try to use or generate the default ones.
 func (c *Configuration) checkAndLoadHostKeys(configDir string, serverConfig *ssh.ServerConfig) error {
 	if err := c.checkHostKeyAutoGeneration(configDir); err != nil {
@@ -853,14 +886,14 @@ func (c *Configuration) checkAndLoadHostKeys(configDir string, serverConfig *ssh
 	for _, hostKey := range c.HostKeys {
 		hostKey = strings.TrimSpace(hostKey)
 		if !util.IsFileInputValid(hostKey) {
-			logger.Warn(logSender, "", "unable to load invalid host key %#v", hostKey)
-			logger.WarnToConsole("unable to load invalid host key %#v", hostKey)
+			logger.Warn(logSender, "", "unable to load invalid host key %q", hostKey)
+			logger.WarnToConsole("unable to load invalid host key %q", hostKey)
 			continue
 		}
 		if !filepath.IsAbs(hostKey) {
 			hostKey = filepath.Join(configDir, hostKey)
 		}
-		logger.Info(logSender, "", "Loading private host key %#v", hostKey)
+		logger.Info(logSender, "", "Loading private host key %q", hostKey)

 		privateBytes, err := os.ReadFile(hostKey)
 		if err != nil {