ssh: AEAD_AES_(128|256)_GCM and aes(128|256)[email protected] crypto

Note that the rfc5647 is ambigous so this implementation of AEAD_AES_(128|256)_GCM
may or may not be compatible with others. They are note enabled by default but may
be enabled by the user. See the Reference Manual, Application SSH for details of
how we interpret the rfc.

To be safe, use [email protected] or [email protected] instead.

1 files changed, 333 insertions, 131 deletions

diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index f18e4b4d01..e2d19b9cef 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -70,10 +70,15 @@ default_algorithms() -> [{K,default_algorithms(K)} || K <- algo_classes()].
 
 algo_classes() -> [kex, public_key, cipher, mac, compression].
 
-%% default_algorithms(kex) -> % Example of how to disable an algorithm
-%%     supported_algorithms(kex, ['ecdh-sha2-nistp521']);
+
+default_algorithms(cipher) ->
+    supported_algorithms(cipher, same(['AEAD_AES_128_GCM',
+				       'AEAD_AES_256_GCM']));
+default_algorithms(mac) ->
+    supported_algorithms(mac, same(['AEAD_AES_128_GCM',
+				    'AEAD_AES_256_GCM']));
 default_algorithms(Alg) ->
-    supported_algorithms(Alg).
+    supported_algorithms(Alg, []).
 
 
 supported_algorithms() -> [{K,supported_algorithms(K)} || K <- algo_classes()].
@@ -101,19 +106,25 @@ supported_algorithms(public_key) ->
 supported_algorithms(cipher) ->
     same(
       select_crypto_supported(
-	[{'aes256-ctr', [{ciphers,{aes_ctr,256}}]},
-	 {'aes192-ctr', [{ciphers,{aes_ctr,192}}]},
-	 {'aes128-ctr', [{ciphers,{aes_ctr,128}}]},
-	 {'aes128-cbc', [{ciphers,aes_cbc128}]},
-	 {'3des-cbc',   [{ciphers,des3_cbc}]}
+	[{'aes256-ctr',       [{ciphers,{aes_ctr,256}}]},
+	 {'aes192-ctr',       [{ciphers,{aes_ctr,192}}]},
+	 {'aes128-ctr',       [{ciphers,{aes_ctr,128}}]},
+	 {'aes128-cbc',       [{ciphers,aes_cbc128}]},
+	 {'[email protected]', [{ciphers,{aes_gcm,128}}]},
+	 {'[email protected]', [{ciphers,{aes_gcm,256}}]},
+	 {'AEAD_AES_128_GCM', [{ciphers,{aes_gcm,128}}]},
+	 {'AEAD_AES_256_GCM', [{ciphers,{aes_gcm,256}}]},
+	 {'3des-cbc',         [{ciphers,des3_cbc}]}
 	]
        ));
 supported_algorithms(mac) ->
     same(
       select_crypto_supported(
-	[{'hmac-sha2-256', [{hashs,sha256}]},
-	 {'hmac-sha2-512', [{hashs,sha512}]},
-	 {'hmac-sha1',     [{hashs,sha}]}
+	[{'hmac-sha2-256',    [{hashs,sha256}]},
+	 {'hmac-sha2-512',    [{hashs,sha512}]},
+	 {'hmac-sha1',        [{hashs,sha}]},
+	 {'AEAD_AES_128_GCM', [{ciphers,{aes_gcm,128}}]},
+	 {'AEAD_AES_256_GCM', [{ciphers,{aes_gcm,256}}]}
 	]
        ));
 supported_algorithms(compression) ->
@@ -122,46 +133,6 @@ supported_algorithms(compression) ->
 	  'zlib'
 	 ]).
 
-%% Dialyzer complains when not called...supported_algorithms(Key, [{client2server,BL1},{server2client,BL2}]) ->
-%% Dialyzer complains when not called...    [{client2server,As1},{server2client,As2}] = supported_algorithms(Key),
-%% Dialyzer complains when not called...    [{client2server,As1--BL1},{server2client,As2--BL2}];
-%% Dialyzer complains when not called...supported_algorithms(Key, BlackList) ->
-%% Dialyzer complains when not called...    supported_algorithms(Key) -- BlackList.
-
-select_crypto_supported(L) ->    
-    Sup = [{ec_curve,crypto_supported_curves()} | crypto:supports()],
-    [Name || {Name,CryptoRequires} <- L,
-	     crypto_supported(CryptoRequires, Sup)].
-
-crypto_supported_curves() ->
-    try crypto:ec_curves()
-    catch _:_ -> []
-    end.
-
-crypto_supported(Conditions, Supported) ->
-    lists:all( fun({Tag,CryptoName}) when is_atom(CryptoName) ->
-		       crypto_name_supported(Tag,CryptoName,Supported);
-		  ({Tag,{Name=aes_ctr,Len}}) when is_integer(Len) ->
-		       crypto_name_supported(Tag,Name,Supported) andalso
-			   ctr_len_supported(Name,Len)
-	       end, Conditions).
-
-crypto_name_supported(Tag, CryptoName, Supported) ->
-    lists:member(CryptoName, proplists:get_value(Tag,Supported,[])).
-
-ctr_len_supported(Name, Len) ->
-    try
-	crypto:stream_encrypt(crypto:stream_init(Name, <<0:Len>>, <<0:128>>), <<"">>)
-    of
-	{_,X} -> is_binary(X)
-    catch
-	_:_ -> false
-    end.
-	    
-
-same(Algs) ->  [{client2server,Algs}, {server2client,Algs}].
-
-
 %%%----------------------------------------------------------------------------
 versions(client, Options)->
     Vsn = proplists:get_value(vsn, Options, ?DEFAULT_CLIENT_VERSION),
@@ -755,8 +726,12 @@ known_host_key(#ssh{opts = Opts, key_cb = Mod, peer = Peer} = Ssh,
 %%   The first algorithm in each list MUST be the preferred (guessed)
 %%   algorithm.  Each string MUST contain at least one algorithm name.
 select_algorithm(Role, Client, Server) ->
-    {Encrypt, Decrypt} = select_encrypt_decrypt(Role, Client, Server),
-    {SendMac, RecvMac} = select_send_recv_mac(Role, Client, Server),
+    {Encrypt0, Decrypt0} = select_encrypt_decrypt(Role, Client, Server),
+    {SendMac0, RecvMac0} = select_send_recv_mac(Role, Client, Server),
+
+    {Encrypt, SendMac} = aead_gcm_simultan(Encrypt0, SendMac0),
+    {Decrypt, RecvMac} = aead_gcm_simultan(Decrypt0, RecvMac0),
+
     {Compression, Decompression} = 
 	select_compression_decompression(Role, Client, Server),
 
@@ -787,6 +762,38 @@ select_algorithm(Role, Client, Server) ->
 	       s_lng = S_Lng},
     {ok, Alg}.
 
+
+%%% It is an agreed problem with RFC 5674 that if the selection is
+%%%   Cipher = AEAD_AES_x_GCM and
+%%%      Mac = AEAD_AES_y_GCM (where x =/= y)
+%%% then it is undefined what length should be selected.
+%%%
+%%% If only one of the two lengths (128,256) is available, I claim that
+%%% there is no such ambiguity.
+
+%%% From https://anongit.mindrot.org/openssh.git/plain/PROTOCOL
+%%% (read Nov 20, 2015)
+%%% 1.6 transport: AES-GCM
+%%% 
+%%% OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
+%%% Because of problems with the specification of the key exchange
+%%% the behaviour of OpenSSH differs from the RFC as follows:
+%%% 
+%%% AES-GCM is only negotiated as the cipher algorithms
+%%% "[email protected]" or "[email protected]" and never as
+%%% an MAC algorithm. Additionally, if AES-GCM is selected as the cipher
+%%% the exchanged MAC algorithms are ignored and there doesn't have to be
+%%% a matching MAC.
+
+aead_gcm_simultan('[email protected]', _) -> {'AEAD_AES_128_GCM', 'AEAD_AES_128_GCM'};
+aead_gcm_simultan('[email protected]', _) -> {'AEAD_AES_256_GCM', 'AEAD_AES_256_GCM'};
+aead_gcm_simultan('AEAD_AES_128_GCM', _) -> {'AEAD_AES_128_GCM', 'AEAD_AES_128_GCM'};
+aead_gcm_simultan('AEAD_AES_256_GCM', _) -> {'AEAD_AES_256_GCM', 'AEAD_AES_256_GCM'};
+aead_gcm_simultan(_, 'AEAD_AES_128_GCM') -> {'AEAD_AES_128_GCM', 'AEAD_AES_128_GCM'};
+aead_gcm_simultan(_, 'AEAD_AES_256_GCM') -> {'AEAD_AES_256_GCM', 'AEAD_AES_256_GCM'};
+aead_gcm_simultan(Cipher, Mac) -> {Cipher,Mac}.
+
+
 select_encrypt_decrypt(client, Client, Server) ->
     Encrypt = 
 	select(Client#ssh_msg_kexinit.encryption_algorithms_client_to_server,
@@ -821,18 +828,18 @@ select_compression_decompression(client, Client, Server) ->
     Compression = 
 	select(Client#ssh_msg_kexinit.compression_algorithms_client_to_server,
 	       Server#ssh_msg_kexinit.compression_algorithms_client_to_server),
-    Decomprssion = 
+    Decompression = 
 	select(Client#ssh_msg_kexinit.compression_algorithms_server_to_client,
 	       Server#ssh_msg_kexinit.compression_algorithms_server_to_client),
-    {Compression, Decomprssion};
+    {Compression, Decompression};
 select_compression_decompression(server, Client, Server) ->
-    Decomprssion = 
+    Decompression = 
 	select(Client#ssh_msg_kexinit.compression_algorithms_client_to_server,
 	       Server#ssh_msg_kexinit.compression_algorithms_client_to_server),
     Compression = 
 	select(Client#ssh_msg_kexinit.compression_algorithms_server_to_client,
 	       Server#ssh_msg_kexinit.compression_algorithms_server_to_client),
-    {Compression, Decomprssion}.
+    {Compression, Decompression}.
 
 install_alg(SSH) ->
     SSH1 = alg_final(SSH),
@@ -909,14 +916,39 @@ pack(Data, Ssh=#ssh{}) ->
 %%% Note: pack/3 is only to be called from tests that wants
 %%% to deliberetly send packets with wrong PacketLength!
 %%% Use pack/2 for all other purposes!
-pack(Data0, #ssh{encrypt_block_size = BlockSize, 
-		 send_sequence = SeqNum, send_mac = MacAlg,
-		 send_mac_key = MacKey,
-		 random_length_padding = RandomLengthPadding} 
-     = Ssh0,
-     PacketLenDeviationForTests) when is_binary(Data0) ->
-    {Ssh1, Data} = compress(Ssh0, Data0),
-    PL = (BlockSize - ((4 + 1 + size(Data)) rem BlockSize)) rem BlockSize,
+pack(PlainText,
+     #ssh{send_sequence = SeqNum,
+	  send_mac = MacAlg,
+	  send_mac_key = MacKey,
+	  encrypt = CryptoAlg} = Ssh0,  PacketLenDeviationForTests) when is_binary(PlainText) ->
+
+    {Ssh1, CompressedPlainText} = compress(Ssh0, PlainText),
+    {EcryptedPacket, MAC, Ssh3} =
+	case pkt_type(CryptoAlg) of
+	    common ->
+		PaddingLen = padding_length(4+1+size(CompressedPlainText), Ssh0),
+		Padding =  ssh_bits:random(PaddingLen),
+		PlainPacketLen = 1 + PaddingLen + size(CompressedPlainText) + PacketLenDeviationForTests,
+		PlainPacketData = <<?UINT32(PlainPacketLen),?BYTE(PaddingLen), CompressedPlainText/binary, Padding/binary>>,
+		{Ssh2, EcryptedPacket0} = encrypt(Ssh1, PlainPacketData),
+		MAC0 = mac(MacAlg, MacKey, SeqNum, PlainPacketData),
+		{EcryptedPacket0, MAC0, Ssh2};
+	    aead ->
+		PaddingLen = padding_length(1+size(CompressedPlainText), Ssh0),
+		Padding =  ssh_bits:random(PaddingLen),
+		PlainPacketLen = 1 + PaddingLen + size(CompressedPlainText) + PacketLenDeviationForTests,
+		PlainPacketData = <<?BYTE(PaddingLen), CompressedPlainText/binary, Padding/binary>>,
+		{Ssh2, {EcryptedPacket0,MAC0}} = encrypt(Ssh1, {<<?UINT32(PlainPacketLen)>>,PlainPacketData}),
+		{<<?UINT32(PlainPacketLen),EcryptedPacket0/binary>>, MAC0, Ssh2}
+	end,
+    FinalPacket = [EcryptedPacket, MAC],
+    Ssh = Ssh3#ssh{send_sequence = (SeqNum+1) band 16#ffffffff},
+    {FinalPacket, Ssh}.
+
+
+padding_length(Size, #ssh{encrypt_block_size = BlockSize,
+			  random_length_padding = RandomLengthPadding}) ->
+    PL = (BlockSize - (Size rem BlockSize)) rem BlockSize,
     MinPaddingLen = if PL <  4 -> PL + BlockSize;
 		       true -> PL
 		    end,
@@ -925,79 +957,94 @@ pack(Data0, #ssh{encrypt_block_size = BlockSize,
     ExtraPaddingLen = try crypto:rand_uniform(0,MaxExtraBlocks)*PadBlockSize
 		      catch _:_ -> 0
 		      end,
-    PaddingLen = MinPaddingLen + ExtraPaddingLen,
-    Padding = ssh_bits:random(PaddingLen),
-    PacketLen = 1 + PaddingLen + size(Data) + PacketLenDeviationForTests,
-    PacketData = <<?UINT32(PacketLen),?BYTE(PaddingLen), 
-		  Data/binary, Padding/binary>>,
-    {Ssh2, EncPacket} = encrypt(Ssh1, PacketData),
-    MAC = mac(MacAlg, MacKey, SeqNum, PacketData),
-    Packet = [EncPacket, MAC],
-    Ssh = Ssh2#ssh{send_sequence = (SeqNum+1) band 16#ffffffff},
-    {Packet, Ssh}.
-
-
-handle_packet_part(<<>>, Encoded0, undefined, Ssh0) ->
+    MinPaddingLen + ExtraPaddingLen.
+
+
+
+handle_packet_part(<<>>, Encrypted0, undefined, #ssh{decrypt = CryptoAlg} = Ssh0) ->
     %% New ssh packet
-    case get_length(Encoded0, Ssh0) of
+    case get_length(pkt_type(CryptoAlg), Encrypted0, Ssh0) of
 	get_more ->
 	    %% too short to get the length
-	    {get_more, <<>>, Encoded0, undefined, Ssh0};
+	    {get_more, <<>>, Encrypted0, undefined, Ssh0};
 
-	{ok, PacketLen, _DecData, _Encoded1, _Ssh1} when PacketLen > ?SSH_MAX_PACKET_SIZE ->
+	{ok, PacketLen, _, _, _} when PacketLen > ?SSH_MAX_PACKET_SIZE ->
 	    %% far too long message than expected
 	    throw(#ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
 				      description = "Bad packet length " 
 				      ++ integer_to_list(PacketLen),
 				      language = ""});
 	
-	{ok, PacketLen, DecData, Encoded1, 
-	 #ssh{decrypt_block_size = BlockSize,
-	      recv_mac_size = MacSize} = Ssh1} ->
+	{ok, PacketLen, Decrypted, Encrypted1,
+	 #ssh{recv_mac_size = MacSize} = Ssh1} ->
 	    %% enough bytes so we got the length and can calculate how many
 	    %% more bytes to expect for a full packet
-	    Remaining = (PacketLen + ?SSH_LENGHT_INDICATOR_SIZE) - BlockSize + MacSize,
-	    handle_packet_part(DecData, Encoded1, Remaining, Ssh1)
+	    TotalNeeded = (4 + PacketLen + MacSize),
+	    handle_packet_part(Decrypted, Encrypted1, TotalNeeded, Ssh1)
     end;
-handle_packet_part(Decoded0, Encoded0, Remaining, Ssh0) 
-  when size(Encoded0) < Remaining ->
+
+handle_packet_part(DecryptedPfx, EncryptedBuffer, TotalNeeded, Ssh0) 
+  when (size(DecryptedPfx)+size(EncryptedBuffer)) < TotalNeeded ->
     %% need more bytes to finalize the packet
-    {get_more, Decoded0, Encoded0, Remaining, Ssh0};
-handle_packet_part(Decoded0, Encoded0, Remaining, 
-		   #ssh{recv_mac_size = MacSize} = Ssh0) ->
+    {get_more, DecryptedPfx, EncryptedBuffer, TotalNeeded, Ssh0};
+
+handle_packet_part(DecryptedPfx, EncryptedBuffer, TotalNeeded, 
+		   #ssh{recv_mac_size = MacSize,
+			decrypt = CryptoAlg} = Ssh0) ->
     %% enough bytes to decode the packet.
-    SshLengthNotDecoded = Remaining - MacSize,
-    <<PktT:SshLengthNotDecoded/binary, Mac:MacSize/binary, EncRest0/binary>> = Encoded0,
-    {Ssh1, DecData} = decrypt(Ssh0, PktT),
-    MsgBytes = <<Decoded0/binary,DecData/binary>>,
-    case is_valid_mac(Mac, MsgBytes, Ssh1) of
-	false ->
-	    {bad_mac, Ssh1};
-	true ->
-	    {Ssh, DecompressedMsgBytes} = decompress(Ssh1, msg_data(MsgBytes)),
-	    {decoded, DecompressedMsgBytes, EncRest0, Ssh}
+    DecryptLen = TotalNeeded - size(DecryptedPfx) - MacSize,
+    <<EncryptedSfx:DecryptLen/binary, Mac:MacSize/binary, NextPacketBytes/binary>> = EncryptedBuffer,
+    case pkt_type(CryptoAlg) of
+	common ->
+	    {Ssh1, DecryptedSfx} = decrypt(Ssh0, EncryptedSfx),
+	    DecryptedPacket = <<DecryptedPfx/binary, DecryptedSfx/binary>>,
+	    case is_valid_mac(Mac, DecryptedPacket, Ssh1) of
+		false ->
+		    {bad_mac, Ssh1};
+		true ->
+		    {Ssh, DecompressedPayload} = decompress(Ssh1, payload(DecryptedPacket)),
+		    {decoded, DecompressedPayload, NextPacketBytes, Ssh}
+	    end;
+	aead ->
+	    PacketLenBin = DecryptedPfx,
+	    case decrypt(Ssh0, {PacketLenBin,EncryptedSfx,Mac}) of
+		{Ssh1, error} ->
+		    {bad_mac, Ssh1};
+		{Ssh1, DecryptedSfx} ->
+                    DecryptedPacket = <<DecryptedPfx/binary, DecryptedSfx/binary>>,
+		    {Ssh, DecompressedPayload} = decompress(Ssh1, payload(DecryptedPacket)),
+		    {decoded, DecompressedPayload, NextPacketBytes, Ssh}
+	    end
     end.
     
     
-get_length(Encoded0, #ssh{decrypt_block_size = BlockSize} = Ssh0) ->
-    case size(Encoded0) >= erlang:max(8, BlockSize) of
+get_length(common, EncryptedBuffer, #ssh{decrypt_block_size = BlockSize} = Ssh0) ->
+    case size(EncryptedBuffer) >= erlang:max(8, BlockSize) of
 	true ->
-	    <<EncBlock:BlockSize/binary, EncodedRest/binary>> = Encoded0,
-	    {Ssh, Decoded} = decrypt(Ssh0, EncBlock),
-	    <<?UINT32(PacketLen), _/binary>> = Decoded,
-	    {ok, PacketLen, Decoded, EncodedRest, Ssh};
+	    <<EncBlock:BlockSize/binary, EncryptedRest/binary>> = EncryptedBuffer,
+	    {Ssh, 
+	     <<?UINT32(PacketLen),_/binary>> = Decrypted} = decrypt(Ssh0, EncBlock),
+	    {ok, PacketLen, Decrypted, EncryptedRest, Ssh};
+	false ->
+	    get_more
+    end;
+get_length(aead, EncryptedBuffer, Ssh) ->
+    case size(EncryptedBuffer) >= 4 of
+	true ->
+	    <<?UINT32(PacketLen), EncryptedRest/binary>> = EncryptedBuffer,
+	    {ok, PacketLen, <<?UINT32(PacketLen)>>, EncryptedRest, Ssh};
 	false ->
 	    get_more
     end.
 
+pkt_type('AEAD_AES_128_GCM') -> aead;
+pkt_type('AEAD_AES_256_GCM') -> aead;
+pkt_type(_) -> common.
 
-
-msg_data(PacketData) ->
-    <<Len:32, PaddingLen:8, _/binary>> = PacketData,
-    DataLen = Len - PaddingLen - 1,
-    <<_:32, _:8, Data:DataLen/binary, 
-     _:PaddingLen/binary>> = PacketData,
-    Data.
+payload(<<PacketLen:32, PaddingLen:8, PayloadAndPadding/binary>>) ->
+    PayloadLen = PacketLen - PaddingLen - 1,
+    <<Payload:PayloadLen/binary, _/binary>> = PayloadAndPadding,
+    Payload.
 
 sign(SigData, Hash,  #'DSAPrivateKey'{} = Key) ->
     DerSignature = public_key:sign(SigData, Hash, Key),
@@ -1023,6 +1070,7 @@ verify(PlainText, Hash, Sig, {#'ECPoint'{},_} = Key) ->
 verify(PlainText, Hash, Sig, Key) ->
     public_key:verify(PlainText, Hash, Sig, Key).
 
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%
 %% Encryption
@@ -1031,6 +1079,30 @@ verify(PlainText, Hash, Sig, Key) ->
 
 encrypt_init(#ssh{encrypt = none} = Ssh) ->
     {ok, Ssh};
+encrypt_init(#ssh{encrypt = 'AEAD_AES_128_GCM', role = client} = Ssh) ->
+    IV = hash(Ssh, "A", 12*8),
+    <<K:16/binary>> = hash(Ssh, "C", 128),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
+		 encrypt_ctx = IV}};
+encrypt_init(#ssh{encrypt = 'AEAD_AES_128_GCM', role = server} = Ssh) ->
+    IV = hash(Ssh, "B", 12*8),
+    <<K:16/binary>> = hash(Ssh, "D", 128),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
+		 encrypt_ctx = IV}};
+encrypt_init(#ssh{encrypt = 'AEAD_AES_256_GCM', role = client} = Ssh) ->
+    IV = hash(Ssh, "A", 12*8),
+    <<K:32/binary>> = hash(Ssh, "C", 256),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
+		 encrypt_ctx = IV}};
+encrypt_init(#ssh{encrypt = 'AEAD_AES_256_GCM', role = server} = Ssh) ->
+    IV = hash(Ssh, "B", 12*8),
+    <<K:32/binary>> = hash(Ssh, "D", 256),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
+		 encrypt_ctx = IV}};
 encrypt_init(#ssh{encrypt = '3des-cbc', role = client} = Ssh) ->
     IV = hash(Ssh, "A", 64),
     <<K1:8/binary, K2:8/binary, K3:8/binary>> = hash(Ssh, "C", 192),
@@ -1107,6 +1179,18 @@ encrypt_final(Ssh) ->
 
 encrypt(#ssh{encrypt = none} = Ssh, Data) ->
     {Ssh, Data};
+encrypt(#ssh{encrypt = 'AEAD_AES_128_GCM',
+            encrypt_keys = K,
+            encrypt_ctx = IV0} = Ssh, Data={_AAD,_Ptext}) ->
+    Enc = {_Ctext,_Ctag} = crypto:block_encrypt(aes_gcm, K, IV0, Data),
+    IV = next_gcm_iv(IV0),
+    {Ssh#ssh{encrypt_ctx = IV}, Enc};
+encrypt(#ssh{encrypt = 'AEAD_AES_256_GCM',
+            encrypt_keys = K,
+            encrypt_ctx = IV0} = Ssh, Data={_AAD,_Ptext}) ->
+    Enc = {_Ctext,_Ctag} = crypto:block_encrypt(aes_gcm, K, IV0, Data),
+    IV = next_gcm_iv(IV0),
+    {Ssh#ssh{encrypt_ctx = IV}, Enc};
 encrypt(#ssh{encrypt = '3des-cbc',
 	     encrypt_keys = {K1,K2,K3},
 	     encrypt_ctx = IV0} = Ssh, Data) ->
@@ -1139,6 +1223,30 @@ encrypt(#ssh{encrypt = 'aes256-ctr',
 
 decrypt_init(#ssh{decrypt = none} = Ssh) ->
     {ok, Ssh};
+decrypt_init(#ssh{decrypt = 'AEAD_AES_128_GCM', role = client} = Ssh) ->
+    IV = hash(Ssh, "B", 12*8),
+    <<K:16/binary>> = hash(Ssh, "D", 128),
+    {ok, Ssh#ssh{decrypt_keys = K,
+		 decrypt_block_size = 16,
+		 decrypt_ctx = IV}};
+decrypt_init(#ssh{decrypt = 'AEAD_AES_128_GCM', role = server} = Ssh) ->
+    IV = hash(Ssh, "A", 12*8),
+    <<K:16/binary>> = hash(Ssh, "C", 128),
+    {ok, Ssh#ssh{decrypt_keys = K,
+		 decrypt_block_size = 16,
+		 decrypt_ctx = IV}};
+decrypt_init(#ssh{decrypt = 'AEAD_AES_256_GCM', role = client} = Ssh) ->
+    IV = hash(Ssh, "B", 12*8),
+    <<K:32/binary>> = hash(Ssh, "D", 256),
+    {ok, Ssh#ssh{decrypt_keys = K,
+		 decrypt_block_size = 16,
+		 decrypt_ctx = IV}};
+decrypt_init(#ssh{decrypt = 'AEAD_AES_256_GCM', role = server} = Ssh) ->
+    IV = hash(Ssh, "A", 12*8),
+    <<K:32/binary>> = hash(Ssh, "C", 256),
+    {ok, Ssh#ssh{decrypt_keys = K,
+		 decrypt_block_size = 16,
+		 decrypt_ctx = IV}};
 decrypt_init(#ssh{decrypt = '3des-cbc', role = client} = Ssh) ->
     {IV, KD} = {hash(Ssh, "B", 64),
 		hash(Ssh, "D", 192)},
@@ -1217,6 +1325,18 @@ decrypt(Ssh, <<>>) ->
     {Ssh, <<>>};
 decrypt(#ssh{decrypt = none} = Ssh, Data) ->
     {Ssh, Data};
+decrypt(#ssh{decrypt = 'AEAD_AES_128_GCM',
+	     decrypt_keys = K,
+	     decrypt_ctx = IV0} = Ssh, Data = {_AAD,_Ctext,_Ctag}) ->
+    Dec = crypto:block_decrypt(aes_gcm, K, IV0, Data), % Dec = PlainText | error 
+    IV = next_gcm_iv(IV0),
+    {Ssh#ssh{decrypt_ctx = IV}, Dec};
+decrypt(#ssh{decrypt = 'AEAD_AES_256_GCM',
+	     decrypt_keys = K,
+	     decrypt_ctx = IV0} = Ssh, Data = {_AAD,_Ctext,_Ctag}) ->
+    Dec = crypto:block_decrypt(aes_gcm, K, IV0, Data), % Dec = PlainText | error 
+    IV = next_gcm_iv(IV0),
+    {Ssh#ssh{decrypt_ctx = IV}, Dec};
 decrypt(#ssh{decrypt = '3des-cbc', decrypt_keys = Keys,
 	     decrypt_ctx = IV0} = Ssh, Data) ->
     {K1, K2, K3} = Keys,
@@ -1241,6 +1361,10 @@ decrypt(#ssh{decrypt = 'aes256-ctr',
     {State, Enc} = crypto:stream_decrypt(State0,Data),
     {Ssh#ssh{decrypt_ctx = State}, Enc}.
 
+
+next_gcm_iv(<<Fixed:32, InvCtr:64>>) -> <<Fixed:32, (InvCtr+1):64>>.
+
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %% Compression
 %%
@@ -1329,28 +1453,42 @@ decompress(#ssh{decompress = '[email protected]', decompress_ctx = Context, authe
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
 send_mac_init(SSH) ->
-    case SSH#ssh.role of
-	client ->
-	    KeySize =mac_key_size(SSH#ssh.send_mac),
-	    Key = hash(SSH, "E", KeySize),
-	    {ok, SSH#ssh { send_mac_key = Key }};
-	server ->
-	    KeySize = mac_key_size(SSH#ssh.send_mac),
-	    Key = hash(SSH, "F", KeySize),
-	    {ok, SSH#ssh { send_mac_key = Key }}
+    case pkt_type(SSH#ssh.send_mac) of
+	common ->
+	    case SSH#ssh.role of
+		client ->
+		    KeySize = mac_key_size(SSH#ssh.send_mac),
+		    Key = hash(SSH, "E", KeySize),
+		    {ok, SSH#ssh { send_mac_key = Key }};
+		server ->
+		    KeySize = mac_key_size(SSH#ssh.send_mac),
+		    Key = hash(SSH, "F", KeySize),
+		    {ok, SSH#ssh { send_mac_key = Key }}
+	    end;
+	aead ->
+	    %% Not applicable
+	    {ok, SSH}
     end.
 
 send_mac_final(SSH) ->
-    {ok, SSH#ssh {  send_mac = none, send_mac_key = undefined }}.
+    {ok, SSH#ssh {send_mac = none, 
+		  send_mac_key = undefined }}.
+
 
 recv_mac_init(SSH) ->
-    case SSH#ssh.role of
-	client ->
-	    Key = hash(SSH, "F", mac_key_size(SSH#ssh.recv_mac)),
-	    {ok, SSH#ssh { recv_mac_key = Key }};
-	server ->
-	    Key = hash(SSH, "E", mac_key_size(SSH#ssh.recv_mac)),
-	    {ok, SSH#ssh { recv_mac_key = Key }}
+    case pkt_type(SSH#ssh.recv_mac) of
+	common ->
+	    case SSH#ssh.role of
+		client ->
+		    Key = hash(SSH, "F", mac_key_size(SSH#ssh.recv_mac)),
+		    {ok, SSH#ssh { recv_mac_key = Key }};
+		server ->
+		    Key = hash(SSH, "E", mac_key_size(SSH#ssh.recv_mac)),
+		    {ok, SSH#ssh { recv_mac_key = Key }}
+	    end;
+	aead ->
+	    %% Not applicable
+	    {ok, SSH}
     end.
 
 recv_mac_final(SSH) ->
@@ -1481,6 +1619,8 @@ mac_digest_size('hmac-md5')    -> 20;
 mac_digest_size('hmac-md5-96') -> 12;
 mac_digest_size('hmac-sha2-256') -> 32;
 mac_digest_size('hmac-sha2-512') -> 64;
+mac_digest_size('AEAD_AES_128_GCM') -> 16;
+mac_digest_size('AEAD_AES_256_GCM') -> 16;
 mac_digest_size(none) -> 0.
 
 peer_name({Host, _}) ->
@@ -1510,6 +1650,68 @@ ecdh_curve('ecdh-sha2-nistp256') -> secp256r1;
 ecdh_curve('ecdh-sha2-nistp384') -> secp384r1;
 ecdh_curve('ecdh-sha2-nistp521') -> secp521r1.
 
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Utils for default_algorithms/1 and supported_algorithms/1
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+supported_algorithms(Key, [{client2server,BL1},{server2client,BL2}]) ->
+    [{client2server,As1},{server2client,As2}] = supported_algorithms(Key),
+    [{client2server,As1--BL1},{server2client,As2--BL2}];
+supported_algorithms(Key, BlackList) ->
+    supported_algorithms(Key) -- BlackList.
+
+
+select_crypto_supported(L) ->    
+    Sup = [{ec_curve,crypto_supported_curves()} | crypto:supports()],
+    [Name || {Name,CryptoRequires} <- L,
+	     crypto_supported(CryptoRequires, Sup)].
+
+crypto_supported_curves() ->
+    try crypto:ec_curves()
+    catch _:_ -> []
+    end.
+
+crypto_supported(Conditions, Supported) ->
+    lists:all( fun({Tag,CryptoName}) when is_atom(CryptoName) ->
+		       crypto_name_supported(Tag,CryptoName,Supported);
+		  ({Tag,{Name,Len}}) when is_integer(Len) ->
+		       crypto_name_supported(Tag,Name,Supported) andalso
+			   len_supported(Name,Len)
+	       end, Conditions).
+
+crypto_name_supported(Tag, CryptoName, Supported) ->
+    lists:member(CryptoName, proplists:get_value(Tag,Supported,[])).
+
+len_supported(Name, Len) ->
+    try
+	case Name of
+	    aes_ctr ->
+		{_, <<_/binary>>} = 
+		    %% Test encryption
+		    crypto:stream_encrypt(crypto:stream_init(Name, <<0:Len>>, <<0:128>>), <<"">>);
+	    aes_gcm ->
+		{<<_/binary>>, <<_/binary>>} = 
+		    crypto:block_encrypt(Name, 
+					 _Key = <<0:Len>>,
+					 _IV = <<0:12/unsigned-unit:8>>,
+					 {"AAD","PT"})
+	end
+    of
+	_ -> true
+    catch
+	_:_ -> false
+    end.
+	    
+
+same(Algs) ->  [{client2server,Algs}, {server2client,Algs}].
+
+
+%% default_algorithms(kex) -> % Example of how to disable an algorithm
+%%     supported_algorithms(kex, ['ecdh-sha2-nistp521']);
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%
 %% Other utils