aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlex Wilson <[email protected]>2014-08-28 11:13:57 +1000
committerAlex Wilson <[email protected]>2014-08-28 11:13:57 +1000
commitcf53a360685b1a01a5c7fc0e06660ce8d76d96b0 (patch)
tree82f187ca8b58b21ff3ca72ace1dc51a2d7bbe75b
parentccf1e0385fe0877279141acdcb0ac4f43e5596e4 (diff)
downloadotp-cf53a360685b1a01a5c7fc0e06660ce8d76d96b0.tar.gz
otp-cf53a360685b1a01a5c7fc0e06660ce8d76d96b0.tar.bz2
otp-cf53a360685b1a01a5c7fc0e06660ce8d76d96b0.zip
SSH: only enable ciphers/MACs when they are available in crypto
Also adjusts tests to only expect a positive outcome when crypto supports the relevant base ciphers/MACs.
-rw-r--r--lib/ssh/src/ssh_transport.erl30
-rw-r--r--lib/ssh/test/ssh_to_openssh_SUITE.erl20
2 files changed, 35 insertions, 15 deletions
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index 805114f792..ea05c849b7 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -113,15 +113,28 @@ key_init(client, Ssh, Value) ->
key_init(server, Ssh, Value) ->
Ssh#ssh{s_keyinit = Value}.
+available_ssh_algos() ->
+ Supports = crypto:supports(),
+ CipherAlgos = [{aes_ctr, "aes128-ctr"}, {aes_cbc128, "aes128-cbc"}, {des3_cbc, "3des-cbc"}],
+ Ciphers = [SshAlgo ||
+ {CryptoAlgo, SshAlgo} <- CipherAlgos,
+ lists:member(CryptoAlgo, proplists:get_value(ciphers, Supports, []))],
+ HashAlgos = [{sha256, "hmac-sha2-256"}, {sha, "hmac-sha1"}],
+ Hashs = [SshAlgo ||
+ {CryptoAlgo, SshAlgo} <- HashAlgos,
+ lists:member(CryptoAlgo, proplists:get_value(hashs, Supports, []))],
+ {Ciphers, Hashs}.
+
kexinit_messsage(client, Random, Compression, HostKeyAlgs) ->
+ {CipherAlgs, HashAlgs} = available_ssh_algos(),
#ssh_msg_kexinit{
cookie = Random,
kex_algorithms = ["diffie-hellman-group1-sha1"],
server_host_key_algorithms = HostKeyAlgs,
- encryption_algorithms_client_to_server = ["aes128-ctr","aes128-cbc","3des-cbc"],
- encryption_algorithms_server_to_client = ["aes128-ctr","aes128-cbc","3des-cbc"],
- mac_algorithms_client_to_server = ["hmac-sha2-256","hmac-sha1"],
- mac_algorithms_server_to_client = ["hmac-sha2-256","hmac-sha1"],
+ encryption_algorithms_client_to_server = CipherAlgs,
+ encryption_algorithms_server_to_client = CipherAlgs,
+ mac_algorithms_client_to_server = HashAlgs,
+ mac_algorithms_server_to_client = HashAlgs,
compression_algorithms_client_to_server = Compression,
compression_algorithms_server_to_client = Compression,
languages_client_to_server = [],
@@ -129,14 +142,15 @@ kexinit_messsage(client, Random, Compression, HostKeyAlgs) ->
};
kexinit_messsage(server, Random, Compression, HostKeyAlgs) ->
+ {CipherAlgs, HashAlgs} = available_ssh_algos(),
#ssh_msg_kexinit{
cookie = Random,
kex_algorithms = ["diffie-hellman-group1-sha1"],
server_host_key_algorithms = HostKeyAlgs,
- encryption_algorithms_client_to_server = ["aes128-ctr","aes128-cbc","3des-cbc"],
- encryption_algorithms_server_to_client = ["aes128-ctr","aes128-cbc","3des-cbc"],
- mac_algorithms_client_to_server = ["hmac-sha2-256","hmac-sha1"],
- mac_algorithms_server_to_client = ["hmac-sha2-256","hmac-sha1"],
+ encryption_algorithms_client_to_server = CipherAlgs,
+ encryption_algorithms_server_to_client = CipherAlgs,
+ mac_algorithms_client_to_server = HashAlgs,
+ mac_algorithms_server_to_client = HashAlgs,
compression_algorithms_client_to_server = Compression,
compression_algorithms_server_to_client = Compression,
languages_client_to_server = [],
diff --git a/lib/ssh/test/ssh_to_openssh_SUITE.erl b/lib/ssh/test/ssh_to_openssh_SUITE.erl
index 5a3bd21b55..e003b135b1 100644
--- a/lib/ssh/test/ssh_to_openssh_SUITE.erl
+++ b/lib/ssh/test/ssh_to_openssh_SUITE.erl
@@ -237,10 +237,14 @@ erlang_server_openssh_client_cipher_suites(Config) when is_list(Config) ->
ct:sleep(500),
- Ciphers = [{"3des-cbc", true},
- {"aes128-cbc", true},
- {"aes128-ctr", true},
- {"aes256-cbc", false}],
+ Supports = crypto:supports(),
+ Ciphers = proplists:get_value(ciphers, Supports),
+ Tests = [
+ {"3des-cbc", lists:member(des3_cbc, Ciphers)},
+ {"aes128-cbc", lists:member(aes_cbc128, Ciphers)},
+ {"aes128-ctr", lists:member(aes_ctr, Ciphers)},
+ {"aes256-cbc", false}
+ ],
lists:foreach(fun({Cipher, Expect}) ->
Cmd = "ssh -p " ++ integer_to_list(Port) ++
" -o UserKnownHostsFile=" ++ KnownHosts ++ " " ++ Host ++ " " ++
@@ -266,7 +270,7 @@ erlang_server_openssh_client_cipher_suites(Config) when is_list(Config) ->
ct:fail("Did not receive no matching cipher message")
end
end
- end, Ciphers),
+ end, Tests),
ssh:stop_daemon(Pid).
@@ -285,8 +289,10 @@ erlang_server_openssh_client_macs(Config) when is_list(Config) ->
ct:sleep(500),
- MACs = [{"hmac-sha1", true},
- {"hmac-sha2-256", true},
+ Supports = crypto:supports(),
+ Hashs = proplists:get_value(hashs, Supports),
+ MACs = [{"hmac-sha1", lists:member(sha, Hashs)},
+ {"hmac-sha2-256", lists:member(sha256, Hashs)},
{"hmac-md5-96", false},
{"hmac-ripemd160", false}],
lists:foreach(fun({MAC, Expect}) ->