Merge branch 'hans/ssh/aes_gcm_crypto/OTP-13018' into maint

* hans/ssh/aes_gcm_crypto/OTP-13018:
  ssh: fix dialyzer reported error
  ssh: renegotiate test group for AES_GCM
  ssh: documentation updates
  ssh: AEAD_AES_(128|256)_GCM and aes(128|256)[email protected] crypto
  ssh: refactor packet reception

6 files changed, 475 insertions, 251 deletions

diff --git a/lib/ssh/doc/src/ssh_app.xml b/lib/ssh/doc/src/ssh_app.xml
index 29cbbd79a2..79dd1e210e 100644
--- a/lib/ssh/doc/src/ssh_app.xml
+++ b/lib/ssh/doc/src/ssh_app.xml
@@ -137,6 +137,19 @@
     <p>Supported algorithms are:</p>
 
     <taglist>
+      <tag>Key exchange algorithms</tag>
+      <item>
+	<list type="bulleted">
+	  <item>ecdh-sha2-nistp256</item>
+	  <item>ecdh-sha2-nistp384</item>
+	  <item>ecdh-sha2-nistp521</item>
+	  <item>diffie-hellman-group-exchange-sha1</item>
+	  <item>diffie-hellman-group-exchange-sha256</item>
+	  <item>diffie-hellman-group14-sha1</item>
+	  <item>diffie-hellman-group1-sha1</item>
+	</list>
+      </item>
+
       <tag>Public key algorithms</tag>
       <item>
 	<list type="bulleted">
@@ -157,30 +170,26 @@
 	</list>
       </item>
 
-      <tag>Encryption algorithms</tag>
+      <tag>Encryption algorithms (ciphers)</tag>
       <item>
 	<list type="bulleted">
+	  <item>[email protected] (AEAD_AES_128_GCM)</item>
+          <item>[email protected] (AEAD_AES_256_GCM)</item>
 	  <item>aes128-ctr</item>
 	  <item>aes192-ctr</item>
 	  <item>aes256-ctr</item>
 	  <item>aes128-cbc</item>
 	  <item>3des-cbc</item>
 	</list>
+	<p>Following the internet de-facto standard, the cipher and mac algorithm AEAD_AES_128_GCM is selected when the 
+	cipher [email protected] is negotiated. The cipher and mac algorithm AEAD_AES_256_GCM is selected when the
+	cipher [email protected] is negotiated.
+	</p>
+	<p>See the text at the description of <seealso marker="#rfc5647_note">the rfc 5647 further down</seealso>
+	for more information.
+	</p>
       </item>
-
-      <tag>Key exchange algorithms</tag>
-      <item>
-	<list type="bulleted">
-	  <item>ecdh-sha2-nistp256</item>
-	  <item>ecdh-sha2-nistp384</item>
-	  <item>ecdh-sha2-nistp521</item>
-	  <item>diffie-hellman-group-exchange-sha1</item>
-	  <item>diffie-hellman-group-exchange-sha256</item>
-	  <item>diffie-hellman-group14-sha1</item>
-	  <item>diffie-hellman-group1-sha1</item>
-	</list>
-      </item>
-
+	
       <tag>Compression algorithms</tag>
       <item>
 	<list type="bulleted">
@@ -255,6 +264,30 @@
       <p></p>
       </item>
 
+      <item><url href="https://tools.ietf.org/html/rfc5647">RFC 5647</url>, AES Galois Counter Mode for
+      the Secure Shell Transport Layer Protocol.
+      <p><marker id="rfc5647_note"/>There is an ambiguity in the synchronized selection of cipher and mac algorithm. 
+      This is resolved by OpenSSH in the ciphers [email protected] and [email protected] which are implemented.
+      If the explicit ciphers and macs AEAD_AES_128_GCM or AEAD_AES_256_GCM are needed, 
+      they could be enabled with the option preferred_algorithms.
+      <warning>
+	If the client or the server is not Erlang/OTP, it is the users responsibility to check that 
+	other implementation has the same interpretation of AEAD_AES_*_GCM as the Erlang/OTP SSH before
+	enabling them. The  aes*[email protected] variants are always safe to use since they lack the
+	ambiguity.
+      </warning>
+      </p>
+      <p>The second paragraph in section 5.1 is resolved as:
+      <list type="ordered">
+	<item>If the negotiated cipher is AEAD_AES_128_GCM, the mac algorithm is set to  AEAD_AES_128_GCM.</item>
+	<item>If the negotiated cipher is AEAD_AES_256_GCM, the mac algorithm is set to  AEAD_AES_256_GCM.</item>
+	<item>If the mac algorithm is AEAD_AES_128_GCM, the cipher is set to AEAD_AES_128_GCM.</item>
+	<item>If the mac algorithm is AEAD_AES_256_GCM, the cipher is set to AEAD_AES_256_GCM.</item>
+      </list>
+      The first rule that matches when read in order from the top is applied
+      </p>
+      </item>
+	
       <item><url href="https://tools.ietf.org/html/rfc5656">RFC 5656</url>, Elliptic Curve Algorithm Integration in 
       the Secure Shell Transport Layer.
       <p>Except
@@ -266,6 +299,13 @@
       </list>
       </p>
       </item>
+      
+      <item><url href="https://tools.ietf.org/html/rfc6668">RFC 6668</url>, SHA-2 Data Integrity Verification for
+      the Secure Shell (SSH) Transport Layer Protocol
+      <p>Comment: Defines hmac-sha2-256 and hmac-sha2-512
+      </p>
+      </item>
+      
     </list>
 
   </section>
diff --git a/lib/ssh/src/ssh.hrl b/lib/ssh/src/ssh.hrl
index 4ad936f742..8efc743b67 100644
--- a/lib/ssh/src/ssh.hrl
+++ b/lib/ssh/src/ssh.hrl
@@ -29,7 +29,6 @@
 
 -define(SSH_DEFAULT_PORT, 22).
 -define(SSH_MAX_PACKET_SIZE, (256*1024)).
--define(SSH_LENGHT_INDICATOR_SIZE, 4).
 -define(REKEY_TIMOUT, 3600000).
 -define(REKEY_DATA_TIMOUT, 60000).
 -define(DEFAULT_PROFILE, default).
diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl
index 8448218d91..505c6eb181 100644
--- a/lib/ssh/src/ssh_connection_handler.erl
+++ b/lib/ssh/src/ssh_connection_handler.erl
@@ -970,57 +970,39 @@ handle_info({Protocol, Socket, Info}, hello,
 		   transport_protocol = Protocol} = State) -> 
     event({info_line, Info}, hello, State);
 
-handle_info({Protocol, Socket, Data}, Statename, 
+handle_info({Protocol, Socket, Data}, StateName, 
 	    #state{socket = Socket,
 		   transport_protocol = Protocol,
-		   ssh_params = #ssh{decrypt_block_size = BlockSize,
-				     recv_mac_size = MacSize} = Ssh0,
-		   decoded_data_buffer = <<>>,
-		   encoded_data_buffer = EncData0} = State0) ->
-
-    %% Implementations SHOULD decrypt the length after receiving the
-    %% first 8 (or cipher block size, whichever is larger) bytes of a
-    %% packet. (RFC 4253: Section 6 - Binary Packet Protocol)
-    case size(EncData0) + size(Data) >= erlang:max(8, BlockSize) of
-	true ->
-	    {Ssh, SshPacketLen, DecData, EncData} = 
-
-		ssh_transport:decrypt_first_block(<<EncData0/binary, 
-						   Data/binary>>, Ssh0),
-	     case SshPacketLen > ?SSH_MAX_PACKET_SIZE of
- 		true ->
-  		    DisconnectMsg = 
-  			#ssh_msg_disconnect{code = 
-					    ?SSH_DISCONNECT_PROTOCOL_ERROR,
-  					    description = "Bad packet length " 
-					    ++ integer_to_list(SshPacketLen),
-  					    language = "en"},
-  		    handle_disconnect(DisconnectMsg, State0);
-  		false ->
-		    RemainingSshPacketLen = 
-			(SshPacketLen + ?SSH_LENGHT_INDICATOR_SIZE) - 
-			BlockSize + MacSize,
-		    State = State0#state{ssh_params = Ssh},
-		    handle_ssh_packet_data(RemainingSshPacketLen, 
-					   DecData, EncData, Statename,
-					   State)
-	     end;
-	false  ->
-	    {next_state, Statename, 
-	     next_packet(State0#state{encoded_data_buffer = 
-				      <<EncData0/binary, Data/binary>>})}
+		   ssh_params = Ssh0,
+		   decoded_data_buffer = DecData0,
+		   encoded_data_buffer = EncData0,
+		   undecoded_packet_length = RemainingSshPacketLen0} = State0) ->
+    Encoded = <<EncData0/binary, Data/binary>>,
+    case ssh_transport:handle_packet_part(DecData0, Encoded, RemainingSshPacketLen0, Ssh0) of
+	{get_more, DecBytes, EncDataRest, RemainingSshPacketLen, Ssh1} ->
+	    {next_state, StateName,
+	     next_packet(State0#state{encoded_data_buffer = EncDataRest,
+				      decoded_data_buffer = DecBytes,
+				      undecoded_packet_length = RemainingSshPacketLen,
+				      ssh_params = Ssh1})};
+	{decoded, MsgBytes, EncDataRest, Ssh1} ->
+	    generate_event(MsgBytes, StateName,
+			   State0#state{ssh_params = Ssh1,
+					%% Important to be set for
+					%% next_packet
+%%% FIXME: the following three seem to always be set in generate_event!
+					decoded_data_buffer = <<>>,
+					undecoded_packet_length = undefined,
+					encoded_data_buffer = EncDataRest},
+			   EncDataRest);
+	{bad_mac, Ssh1} ->
+	    DisconnectMsg = 
+		    #ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
+					description = "Bad mac",
+					language = ""},
+	    handle_disconnect(DisconnectMsg, State0#state{ssh_params=Ssh1})
     end;
-
-handle_info({Protocol, Socket, Data}, Statename, 
-	    #state{socket = Socket,
-		   transport_protocol = Protocol,
-		   decoded_data_buffer = DecData, 
-		   encoded_data_buffer = EncData,
-		   undecoded_packet_length = Len} = 
-	    State) when is_integer(Len) ->
-    handle_ssh_packet_data(Len, DecData, <<EncData/binary, Data/binary>>, 
-			   Statename, State);
-
+		
 handle_info({CloseTag, _Socket}, _StateName, 
 	    #state{transport_close_tag = CloseTag,
 		   ssh_params = #ssh{role = _Role, opts = _Opts}} = State) ->
@@ -1631,57 +1613,6 @@ after_new_keys_events({connection_reply, _Data} = Reply, {StateName, State}) ->
     NewState = send_replies([Reply], State),
     {next_state, StateName, NewState}.
 
-handle_ssh_packet_data(RemainingSshPacketLen, DecData, EncData, StateName, 
-		       State) ->
-    EncSize =  size(EncData), 
-    case RemainingSshPacketLen > EncSize of
-	true ->
-	    {next_state, StateName, 
-	     next_packet(State#state{decoded_data_buffer = DecData,
-				     encoded_data_buffer = EncData,
-				     undecoded_packet_length = 
-				     RemainingSshPacketLen})};
-	false ->
-	    handle_ssh_packet(RemainingSshPacketLen, StateName,
-			      State#state{decoded_data_buffer = DecData,
-					  encoded_data_buffer = EncData})
-    
-    end.    
-
-handle_ssh_packet(Length, StateName, #state{decoded_data_buffer = DecData0,
-					    encoded_data_buffer = EncData0,
-					    ssh_params = Ssh0,
-					    transport_protocol = _Protocol,
-					    socket = _Socket} = State0) ->
-    try 
-	{Ssh1, DecData, EncData, Mac} = 
-	    ssh_transport:unpack(EncData0, Length, Ssh0),
-	SshPacket = <<DecData0/binary, DecData/binary>>,
-	case ssh_transport:is_valid_mac(Mac, SshPacket, Ssh1) of
-	    true ->
-		PacketData = ssh_transport:msg_data(SshPacket),
-		{Ssh1, Msg} = ssh_transport:decompress(Ssh1, PacketData),
-		generate_event(Msg, StateName, 
-			       State0#state{ssh_params = Ssh1,
-					    %% Important to be set for
-					    %% next_packet
-					    decoded_data_buffer = <<>>},
-			       EncData);
-	    false ->
-		DisconnectMsg = 
-		    #ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
-					description = "Bad mac",
-					language = "en"},
-		handle_disconnect(DisconnectMsg, State0)
-	end
-    catch _:_ ->
-	    Disconnect = 
-		#ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
-				    description = "Bad input",
-				    language = "en"},
-	    handle_disconnect(Disconnect, State0) 
-    end.  
-
 
 handle_disconnect(DisconnectMsg, State) ->
     handle_disconnect(own, DisconnectMsg, State).
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index 0c999b96cc..041e86bae1 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -31,10 +31,10 @@
 -include("ssh.hrl").
 
 -export([versions/2, hello_version_msg/1]).
--export([next_seqnum/1, decrypt_first_block/2, decrypt_blocks/3,
+-export([next_seqnum/1, 
 	 supported_algorithms/0, supported_algorithms/1,
 	 default_algorithms/0, default_algorithms/1,
-	 is_valid_mac/3,
+	 handle_packet_part/4,
 	 handle_hello_version/1,
 	 key_exchange_init_msg/1,
 	 key_init/3, new_keys_message/1,
@@ -45,9 +45,13 @@
 	 handle_kex_ecdh_init/2,
 	 handle_kex_ecdh_reply/2,
 	 extract_public_key/1,
-	 unpack/3, decompress/2, ssh_packet/2, pack/2, pack/3, msg_data/1,
+	 ssh_packet/2, pack/2,
 	 sign/3, verify/4]).
 
+%%% For test suites
+-export([pack/3]).
+-export([decompress/2,  decrypt_blocks/3, is_valid_mac/3 ]). % FIXME: remove
+
 %%%----------------------------------------------------------------------------
 %%%
 %%% There is a difference between supported and default algorithms. The
@@ -66,10 +70,15 @@ default_algorithms() -> [{K,default_algorithms(K)} || K <- algo_classes()].
 
 algo_classes() -> [kex, public_key, cipher, mac, compression].
 
-%% default_algorithms(kex) -> % Example of how to disable an algorithm
-%%     supported_algorithms(kex, ['ecdh-sha2-nistp521']);
+
+default_algorithms(cipher) ->
+    supported_algorithms(cipher, same(['AEAD_AES_128_GCM',
+				       'AEAD_AES_256_GCM']));
+default_algorithms(mac) ->
+    supported_algorithms(mac, same(['AEAD_AES_128_GCM',
+				    'AEAD_AES_256_GCM']));
 default_algorithms(Alg) ->
-    supported_algorithms(Alg).
+    supported_algorithms(Alg, []).
 
 
 supported_algorithms() -> [{K,supported_algorithms(K)} || K <- algo_classes()].
@@ -97,19 +106,25 @@ supported_algorithms(public_key) ->
 supported_algorithms(cipher) ->
     same(
       select_crypto_supported(
-	[{'aes256-ctr', [{ciphers,{aes_ctr,256}}]},
-	 {'aes192-ctr', [{ciphers,{aes_ctr,192}}]},
-	 {'aes128-ctr', [{ciphers,{aes_ctr,128}}]},
-	 {'aes128-cbc', [{ciphers,aes_cbc128}]},
-	 {'3des-cbc',   [{ciphers,des3_cbc}]}
+	[{'aes256-ctr',       [{ciphers,{aes_ctr,256}}]},
+	 {'aes192-ctr',       [{ciphers,{aes_ctr,192}}]},
+	 {'aes128-ctr',       [{ciphers,{aes_ctr,128}}]},
+	 {'aes128-cbc',       [{ciphers,aes_cbc128}]},
+	 {'[email protected]', [{ciphers,{aes_gcm,128}}]},
+	 {'[email protected]', [{ciphers,{aes_gcm,256}}]},
+	 {'AEAD_AES_128_GCM', [{ciphers,{aes_gcm,128}}]},
+	 {'AEAD_AES_256_GCM', [{ciphers,{aes_gcm,256}}]},
+	 {'3des-cbc',         [{ciphers,des3_cbc}]}
 	]
        ));
 supported_algorithms(mac) ->
     same(
       select_crypto_supported(
-	[{'hmac-sha2-256', [{hashs,sha256}]},
-	 {'hmac-sha2-512', [{hashs,sha512}]},
-	 {'hmac-sha1',     [{hashs,sha}]}
+	[{'hmac-sha2-256',    [{hashs,sha256}]},
+	 {'hmac-sha2-512',    [{hashs,sha512}]},
+	 {'hmac-sha1',        [{hashs,sha}]},
+	 {'AEAD_AES_128_GCM', [{ciphers,{aes_gcm,128}}]},
+	 {'AEAD_AES_256_GCM', [{ciphers,{aes_gcm,256}}]}
 	]
        ));
 supported_algorithms(compression) ->
@@ -118,46 +133,6 @@ supported_algorithms(compression) ->
 	  'zlib'
 	 ]).
 
-%% Dialyzer complains when not called...supported_algorithms(Key, [{client2server,BL1},{server2client,BL2}]) ->
-%% Dialyzer complains when not called...    [{client2server,As1},{server2client,As2}] = supported_algorithms(Key),
-%% Dialyzer complains when not called...    [{client2server,As1--BL1},{server2client,As2--BL2}];
-%% Dialyzer complains when not called...supported_algorithms(Key, BlackList) ->
-%% Dialyzer complains when not called...    supported_algorithms(Key) -- BlackList.
-
-select_crypto_supported(L) ->    
-    Sup = [{ec_curve,crypto_supported_curves()} | crypto:supports()],
-    [Name || {Name,CryptoRequires} <- L,
-	     crypto_supported(CryptoRequires, Sup)].
-
-crypto_supported_curves() ->
-    try crypto:ec_curves()
-    catch _:_ -> []
-    end.
-
-crypto_supported(Conditions, Supported) ->
-    lists:all( fun({Tag,CryptoName}) when is_atom(CryptoName) ->
-		       crypto_name_supported(Tag,CryptoName,Supported);
-		  ({Tag,{Name=aes_ctr,Len}}) when is_integer(Len) ->
-		       crypto_name_supported(Tag,Name,Supported) andalso
-			   ctr_len_supported(Name,Len)
-	       end, Conditions).
-
-crypto_name_supported(Tag, CryptoName, Supported) ->
-    lists:member(CryptoName, proplists:get_value(Tag,Supported,[])).
-
-ctr_len_supported(Name, Len) ->
-    try
-	crypto:stream_encrypt(crypto:stream_init(Name, <<0:Len>>, <<0:128>>), <<"">>)
-    of
-	{_,X} -> is_binary(X)
-    catch
-	_:_ -> false
-    end.
-	    
-
-same(Algs) ->  [{client2server,Algs}, {server2client,Algs}].
-
-
 %%%----------------------------------------------------------------------------
 versions(client, Options)->
     Vsn = proplists:get_value(vsn, Options, ?DEFAULT_CLIENT_VERSION),
@@ -196,12 +171,6 @@ hello_version_msg(Data) ->
 next_seqnum(SeqNum) ->
     (SeqNum + 1) band 16#ffffffff.
 
-decrypt_first_block(Bin, #ssh{decrypt_block_size = BlockSize} = Ssh0) ->
-    <<EncBlock:BlockSize/binary, EncData/binary>> = Bin,
-    {Ssh, <<?UINT32(PacketLen), _/binary>> = DecData} =
-	decrypt(Ssh0, EncBlock),
-    {Ssh, PacketLen, DecData, EncData}.
-    
 decrypt_blocks(Bin, Length, Ssh0) ->
     <<EncBlocks:Length/binary, EncData/binary>> = Bin,
     {Ssh, DecData} = decrypt(Ssh0, EncBlocks),
@@ -757,8 +726,12 @@ known_host_key(#ssh{opts = Opts, key_cb = Mod, peer = Peer} = Ssh,
 %%   The first algorithm in each list MUST be the preferred (guessed)
 %%   algorithm.  Each string MUST contain at least one algorithm name.
 select_algorithm(Role, Client, Server) ->
-    {Encrypt, Decrypt} = select_encrypt_decrypt(Role, Client, Server),
-    {SendMac, RecvMac} = select_send_recv_mac(Role, Client, Server),
+    {Encrypt0, Decrypt0} = select_encrypt_decrypt(Role, Client, Server),
+    {SendMac0, RecvMac0} = select_send_recv_mac(Role, Client, Server),
+
+    {Encrypt, SendMac} = aead_gcm_simultan(Encrypt0, SendMac0),
+    {Decrypt, RecvMac} = aead_gcm_simultan(Decrypt0, RecvMac0),
+
     {Compression, Decompression} = 
 	select_compression_decompression(Role, Client, Server),
 
@@ -789,6 +762,38 @@ select_algorithm(Role, Client, Server) ->
 	       s_lng = S_Lng},
     {ok, Alg}.
 
+
+%%% It is an agreed problem with RFC 5674 that if the selection is
+%%%   Cipher = AEAD_AES_x_GCM and
+%%%      Mac = AEAD_AES_y_GCM (where x =/= y)
+%%% then it is undefined what length should be selected.
+%%%
+%%% If only one of the two lengths (128,256) is available, I claim that
+%%% there is no such ambiguity.
+
+%%% From https://anongit.mindrot.org/openssh.git/plain/PROTOCOL
+%%% (read Nov 20, 2015)
+%%% 1.6 transport: AES-GCM
+%%% 
+%%% OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
+%%% Because of problems with the specification of the key exchange
+%%% the behaviour of OpenSSH differs from the RFC as follows:
+%%% 
+%%% AES-GCM is only negotiated as the cipher algorithms
+%%% "[email protected]" or "[email protected]" and never as
+%%% an MAC algorithm. Additionally, if AES-GCM is selected as the cipher
+%%% the exchanged MAC algorithms are ignored and there doesn't have to be
+%%% a matching MAC.
+
+aead_gcm_simultan('[email protected]', _) -> {'AEAD_AES_128_GCM', 'AEAD_AES_128_GCM'};
+aead_gcm_simultan('[email protected]', _) -> {'AEAD_AES_256_GCM', 'AEAD_AES_256_GCM'};
+aead_gcm_simultan('AEAD_AES_128_GCM', _) -> {'AEAD_AES_128_GCM', 'AEAD_AES_128_GCM'};
+aead_gcm_simultan('AEAD_AES_256_GCM', _) -> {'AEAD_AES_256_GCM', 'AEAD_AES_256_GCM'};
+aead_gcm_simultan(_, 'AEAD_AES_128_GCM') -> {'AEAD_AES_128_GCM', 'AEAD_AES_128_GCM'};
+aead_gcm_simultan(_, 'AEAD_AES_256_GCM') -> {'AEAD_AES_256_GCM', 'AEAD_AES_256_GCM'};
+aead_gcm_simultan(Cipher, Mac) -> {Cipher,Mac}.
+
+
 select_encrypt_decrypt(client, Client, Server) ->
     Encrypt = 
 	select(Client#ssh_msg_kexinit.encryption_algorithms_client_to_server,
@@ -823,18 +828,18 @@ select_compression_decompression(client, Client, Server) ->
     Compression = 
 	select(Client#ssh_msg_kexinit.compression_algorithms_client_to_server,
 	       Server#ssh_msg_kexinit.compression_algorithms_client_to_server),
-    Decomprssion = 
+    Decompression = 
 	select(Client#ssh_msg_kexinit.compression_algorithms_server_to_client,
 	       Server#ssh_msg_kexinit.compression_algorithms_server_to_client),
-    {Compression, Decomprssion};
+    {Compression, Decompression};
 select_compression_decompression(server, Client, Server) ->
-    Decomprssion = 
+    Decompression = 
 	select(Client#ssh_msg_kexinit.compression_algorithms_client_to_server,
 	       Server#ssh_msg_kexinit.compression_algorithms_client_to_server),
     Compression = 
 	select(Client#ssh_msg_kexinit.compression_algorithms_server_to_client,
 	       Server#ssh_msg_kexinit.compression_algorithms_server_to_client),
-    {Compression, Decomprssion}.
+    {Compression, Decompression}.
 
 install_alg(SSH) ->
     SSH1 = alg_final(SSH),
@@ -911,14 +916,39 @@ pack(Data, Ssh=#ssh{}) ->
 %%% Note: pack/3 is only to be called from tests that wants
 %%% to deliberetly send packets with wrong PacketLength!
 %%% Use pack/2 for all other purposes!
-pack(Data0, #ssh{encrypt_block_size = BlockSize, 
-		 send_sequence = SeqNum, send_mac = MacAlg,
-		 send_mac_key = MacKey,
-		 random_length_padding = RandomLengthPadding} 
-     = Ssh0,
-     PacketLenDeviationForTests) when is_binary(Data0) ->
-    {Ssh1, Data} = compress(Ssh0, Data0),
-    PL = (BlockSize - ((4 + 1 + size(Data)) rem BlockSize)) rem BlockSize,
+pack(PlainText,
+     #ssh{send_sequence = SeqNum,
+	  send_mac = MacAlg,
+	  send_mac_key = MacKey,
+	  encrypt = CryptoAlg} = Ssh0,  PacketLenDeviationForTests) when is_binary(PlainText) ->
+
+    {Ssh1, CompressedPlainText} = compress(Ssh0, PlainText),
+    {EcryptedPacket, MAC, Ssh3} =
+	case pkt_type(CryptoAlg) of
+	    common ->
+		PaddingLen = padding_length(4+1+size(CompressedPlainText), Ssh0),
+		Padding =  ssh_bits:random(PaddingLen),
+		PlainPacketLen = 1 + PaddingLen + size(CompressedPlainText) + PacketLenDeviationForTests,
+		PlainPacketData = <<?UINT32(PlainPacketLen),?BYTE(PaddingLen), CompressedPlainText/binary, Padding/binary>>,
+		{Ssh2, EcryptedPacket0} = encrypt(Ssh1, PlainPacketData),
+		MAC0 = mac(MacAlg, MacKey, SeqNum, PlainPacketData),
+		{EcryptedPacket0, MAC0, Ssh2};
+	    aead ->
+		PaddingLen = padding_length(1+size(CompressedPlainText), Ssh0),
+		Padding =  ssh_bits:random(PaddingLen),
+		PlainPacketLen = 1 + PaddingLen + size(CompressedPlainText) + PacketLenDeviationForTests,
+		PlainPacketData = <<?BYTE(PaddingLen), CompressedPlainText/binary, Padding/binary>>,
+		{Ssh2, {EcryptedPacket0,MAC0}} = encrypt(Ssh1, {<<?UINT32(PlainPacketLen)>>,PlainPacketData}),
+		{<<?UINT32(PlainPacketLen),EcryptedPacket0/binary>>, MAC0, Ssh2}
+	end,
+    FinalPacket = [EcryptedPacket, MAC],
+    Ssh = Ssh3#ssh{send_sequence = (SeqNum+1) band 16#ffffffff},
+    {FinalPacket, Ssh}.
+
+
+padding_length(Size, #ssh{encrypt_block_size = BlockSize,
+			  random_length_padding = RandomLengthPadding}) ->
+    PL = (BlockSize - (Size rem BlockSize)) rem BlockSize,
     MinPaddingLen = if PL <  4 -> PL + BlockSize;
 		       true -> PL
 		    end,
@@ -927,45 +957,94 @@ pack(Data0, #ssh{encrypt_block_size = BlockSize,
     ExtraPaddingLen = try crypto:rand_uniform(0,MaxExtraBlocks)*PadBlockSize
 		      catch _:_ -> 0
 		      end,
-    PaddingLen = MinPaddingLen + ExtraPaddingLen,
-    Padding = ssh_bits:random(PaddingLen),
-    PacketLen = 1 + PaddingLen + size(Data) + PacketLenDeviationForTests,
-    PacketData = <<?UINT32(PacketLen),?BYTE(PaddingLen), 
-		  Data/binary, Padding/binary>>,
-    {Ssh2, EncPacket} = encrypt(Ssh1, PacketData),
-    MAC = mac(MacAlg, MacKey, SeqNum, PacketData),
-    Packet = [EncPacket, MAC],
-    Ssh = Ssh2#ssh{send_sequence = (SeqNum+1) band 16#ffffffff},
-    {Packet, Ssh}.
-
-unpack(EncodedSoFar, ReminingLenght, #ssh{recv_mac_size = MacSize} = Ssh0) ->
-    SshLength = ReminingLenght - MacSize,
-    {NoMac, Mac, Rest} = case MacSize of
-			     0 ->
-				 <<NoMac0:SshLength/binary, 
-				  Rest0/binary>> = EncodedSoFar,
-				 {NoMac0, <<>>, Rest0};
-			     _ ->
-				 <<NoMac0:SshLength/binary, 
-				  Mac0:MacSize/binary,
-				  Rest0/binary>> = EncodedSoFar,
-				 {NoMac0, Mac0, Rest0}
-			 end,
-    {Ssh1, DecData, <<>>} = 
-	case SshLength of
-	    0 ->
-		{Ssh0, <<>>, <<>>};
-	    _ ->
-		decrypt_blocks(NoMac, SshLength, Ssh0)
-	end,
-    {Ssh1, DecData, Rest, Mac}.
+    MinPaddingLen + ExtraPaddingLen.
+
+
+
+handle_packet_part(<<>>, Encrypted0, undefined, #ssh{decrypt = CryptoAlg} = Ssh0) ->
+    %% New ssh packet
+    case get_length(pkt_type(CryptoAlg), Encrypted0, Ssh0) of
+	get_more ->
+	    %% too short to get the length
+	    {get_more, <<>>, Encrypted0, undefined, Ssh0};
+
+	{ok, PacketLen, _, _, _} when PacketLen > ?SSH_MAX_PACKET_SIZE ->
+	    %% far too long message than expected
+	    throw(#ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
+				      description = "Bad packet length " 
+				      ++ integer_to_list(PacketLen),
+				      language = ""});
+	
+	{ok, PacketLen, Decrypted, Encrypted1,
+	 #ssh{recv_mac_size = MacSize} = Ssh1} ->
+	    %% enough bytes so we got the length and can calculate how many
+	    %% more bytes to expect for a full packet
+	    TotalNeeded = (4 + PacketLen + MacSize),
+	    handle_packet_part(Decrypted, Encrypted1, TotalNeeded, Ssh1)
+    end;
+
+handle_packet_part(DecryptedPfx, EncryptedBuffer, TotalNeeded, Ssh0) 
+  when (size(DecryptedPfx)+size(EncryptedBuffer)) < TotalNeeded ->
+    %% need more bytes to finalize the packet
+    {get_more, DecryptedPfx, EncryptedBuffer, TotalNeeded, Ssh0};
+
+handle_packet_part(DecryptedPfx, EncryptedBuffer, TotalNeeded, 
+		   #ssh{recv_mac_size = MacSize,
+			decrypt = CryptoAlg} = Ssh0) ->
+    %% enough bytes to decode the packet.
+    DecryptLen = TotalNeeded - size(DecryptedPfx) - MacSize,
+    <<EncryptedSfx:DecryptLen/binary, Mac:MacSize/binary, NextPacketBytes/binary>> = EncryptedBuffer,
+    case pkt_type(CryptoAlg) of
+	common ->
+	    {Ssh1, DecryptedSfx} = decrypt(Ssh0, EncryptedSfx),
+	    DecryptedPacket = <<DecryptedPfx/binary, DecryptedSfx/binary>>,
+	    case is_valid_mac(Mac, DecryptedPacket, Ssh1) of
+		false ->
+		    {bad_mac, Ssh1};
+		true ->
+		    {Ssh, DecompressedPayload} = decompress(Ssh1, payload(DecryptedPacket)),
+		    {decoded, DecompressedPayload, NextPacketBytes, Ssh}
+	    end;
+	aead ->
+	    PacketLenBin = DecryptedPfx,
+	    case decrypt(Ssh0, {PacketLenBin,EncryptedSfx,Mac}) of
+		{Ssh1, error} ->
+		    {bad_mac, Ssh1};
+		{Ssh1, DecryptedSfx} ->
+                    DecryptedPacket = <<DecryptedPfx/binary, DecryptedSfx/binary>>,
+		    {Ssh, DecompressedPayload} = decompress(Ssh1, payload(DecryptedPacket)),
+		    {decoded, DecompressedPayload, NextPacketBytes, Ssh}
+	    end
+    end.
+    
+    
+get_length(common, EncryptedBuffer, #ssh{decrypt_block_size = BlockSize} = Ssh0) ->
+    case size(EncryptedBuffer) >= erlang:max(8, BlockSize) of
+	true ->
+	    <<EncBlock:BlockSize/binary, EncryptedRest/binary>> = EncryptedBuffer,
+	    {Ssh, 
+	     <<?UINT32(PacketLen),_/binary>> = Decrypted} = decrypt(Ssh0, EncBlock),
+	    {ok, PacketLen, Decrypted, EncryptedRest, Ssh};
+	false ->
+	    get_more
+    end;
+get_length(aead, EncryptedBuffer, Ssh) ->
+    case size(EncryptedBuffer) >= 4 of
+	true ->
+	    <<?UINT32(PacketLen), EncryptedRest/binary>> = EncryptedBuffer,
+	    {ok, PacketLen, <<?UINT32(PacketLen)>>, EncryptedRest, Ssh};
+	false ->
+	    get_more
+    end.
+
+pkt_type('AEAD_AES_128_GCM') -> aead;
+pkt_type('AEAD_AES_256_GCM') -> aead;
+pkt_type(_) -> common.
 
-msg_data(PacketData) ->
-    <<Len:32, PaddingLen:8, _/binary>> = PacketData,
-    DataLen = Len - PaddingLen - 1,
-    <<_:32, _:8, Data:DataLen/binary, 
-     _:PaddingLen/binary>> = PacketData,
-    Data.
+payload(<<PacketLen:32, PaddingLen:8, PayloadAndPadding/binary>>) ->
+    PayloadLen = PacketLen - PaddingLen - 1,
+    <<Payload:PayloadLen/binary, _/binary>> = PayloadAndPadding,
+    Payload.
 
 sign(SigData, Hash,  #'DSAPrivateKey'{} = Key) ->
     DerSignature = public_key:sign(SigData, Hash, Key),
@@ -991,6 +1070,7 @@ verify(PlainText, Hash, Sig, {#'ECPoint'{},_} = Key) ->
 verify(PlainText, Hash, Sig, Key) ->
     public_key:verify(PlainText, Hash, Sig, Key).
 
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%
 %% Encryption
@@ -999,6 +1079,30 @@ verify(PlainText, Hash, Sig, Key) ->
 
 encrypt_init(#ssh{encrypt = none} = Ssh) ->
     {ok, Ssh};
+encrypt_init(#ssh{encrypt = 'AEAD_AES_128_GCM', role = client} = Ssh) ->
+    IV = hash(Ssh, "A", 12*8),
+    <<K:16/binary>> = hash(Ssh, "C", 128),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
+		 encrypt_ctx = IV}};
+encrypt_init(#ssh{encrypt = 'AEAD_AES_128_GCM', role = server} = Ssh) ->
+    IV = hash(Ssh, "B", 12*8),
+    <<K:16/binary>> = hash(Ssh, "D", 128),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
+		 encrypt_ctx = IV}};
+encrypt_init(#ssh{encrypt = 'AEAD_AES_256_GCM', role = client} = Ssh) ->
+    IV = hash(Ssh, "A", 12*8),
+    <<K:32/binary>> = hash(Ssh, "C", 256),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
+		 encrypt_ctx = IV}};
+encrypt_init(#ssh{encrypt = 'AEAD_AES_256_GCM', role = server} = Ssh) ->
+    IV = hash(Ssh, "B", 12*8),
+    <<K:32/binary>> = hash(Ssh, "D", 256),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
+		 encrypt_ctx = IV}};
 encrypt_init(#ssh{encrypt = '3des-cbc', role = client} = Ssh) ->
     IV = hash(Ssh, "A", 64),
     <<K1:8/binary, K2:8/binary, K3:8/binary>> = hash(Ssh, "C", 192),
@@ -1075,6 +1179,18 @@ encrypt_final(Ssh) ->
 
 encrypt(#ssh{encrypt = none} = Ssh, Data) ->
     {Ssh, Data};
+encrypt(#ssh{encrypt = 'AEAD_AES_128_GCM',
+            encrypt_keys = K,
+            encrypt_ctx = IV0} = Ssh, Data={_AAD,_Ptext}) ->
+    Enc = {_Ctext,_Ctag} = crypto:block_encrypt(aes_gcm, K, IV0, Data),
+    IV = next_gcm_iv(IV0),
+    {Ssh#ssh{encrypt_ctx = IV}, Enc};
+encrypt(#ssh{encrypt = 'AEAD_AES_256_GCM',
+            encrypt_keys = K,
+            encrypt_ctx = IV0} = Ssh, Data={_AAD,_Ptext}) ->
+    Enc = {_Ctext,_Ctag} = crypto:block_encrypt(aes_gcm, K, IV0, Data),
+    IV = next_gcm_iv(IV0),
+    {Ssh#ssh{encrypt_ctx = IV}, Enc};
 encrypt(#ssh{encrypt = '3des-cbc',
 	     encrypt_keys = {K1,K2,K3},
 	     encrypt_ctx = IV0} = Ssh, Data) ->
@@ -1107,6 +1223,30 @@ encrypt(#ssh{encrypt = 'aes256-ctr',
 
 decrypt_init(#ssh{decrypt = none} = Ssh) ->
     {ok, Ssh};
+decrypt_init(#ssh{decrypt = 'AEAD_AES_128_GCM', role = client} = Ssh) ->
+    IV = hash(Ssh, "B", 12*8),
+    <<K:16/binary>> = hash(Ssh, "D", 128),
+    {ok, Ssh#ssh{decrypt_keys = K,
+		 decrypt_block_size = 16,
+		 decrypt_ctx = IV}};
+decrypt_init(#ssh{decrypt = 'AEAD_AES_128_GCM', role = server} = Ssh) ->
+    IV = hash(Ssh, "A", 12*8),
+    <<K:16/binary>> = hash(Ssh, "C", 128),
+    {ok, Ssh#ssh{decrypt_keys = K,
+		 decrypt_block_size = 16,
+		 decrypt_ctx = IV}};
+decrypt_init(#ssh{decrypt = 'AEAD_AES_256_GCM', role = client} = Ssh) ->
+    IV = hash(Ssh, "B", 12*8),
+    <<K:32/binary>> = hash(Ssh, "D", 256),
+    {ok, Ssh#ssh{decrypt_keys = K,
+		 decrypt_block_size = 16,
+		 decrypt_ctx = IV}};
+decrypt_init(#ssh{decrypt = 'AEAD_AES_256_GCM', role = server} = Ssh) ->
+    IV = hash(Ssh, "A", 12*8),
+    <<K:32/binary>> = hash(Ssh, "C", 256),
+    {ok, Ssh#ssh{decrypt_keys = K,
+		 decrypt_block_size = 16,
+		 decrypt_ctx = IV}};
 decrypt_init(#ssh{decrypt = '3des-cbc', role = client} = Ssh) ->
     {IV, KD} = {hash(Ssh, "B", 64),
 		hash(Ssh, "D", 192)},
@@ -1181,8 +1321,22 @@ decrypt_final(Ssh) ->
 		  decrypt_ctx = undefined,
 		  decrypt_block_size = 8}}.
 
+decrypt(Ssh, <<>>) ->
+    {Ssh, <<>>};
 decrypt(#ssh{decrypt = none} = Ssh, Data) ->
     {Ssh, Data};
+decrypt(#ssh{decrypt = 'AEAD_AES_128_GCM',
+	     decrypt_keys = K,
+	     decrypt_ctx = IV0} = Ssh, Data = {_AAD,_Ctext,_Ctag}) ->
+    Dec = crypto:block_decrypt(aes_gcm, K, IV0, Data), % Dec = PlainText | error 
+    IV = next_gcm_iv(IV0),
+    {Ssh#ssh{decrypt_ctx = IV}, Dec};
+decrypt(#ssh{decrypt = 'AEAD_AES_256_GCM',
+	     decrypt_keys = K,
+	     decrypt_ctx = IV0} = Ssh, Data = {_AAD,_Ctext,_Ctag}) ->
+    Dec = crypto:block_decrypt(aes_gcm, K, IV0, Data), % Dec = PlainText | error 
+    IV = next_gcm_iv(IV0),
+    {Ssh#ssh{decrypt_ctx = IV}, Dec};
 decrypt(#ssh{decrypt = '3des-cbc', decrypt_keys = Keys,
 	     decrypt_ctx = IV0} = Ssh, Data) ->
     {K1, K2, K3} = Keys,
@@ -1207,6 +1361,10 @@ decrypt(#ssh{decrypt = 'aes256-ctr',
     {State, Enc} = crypto:stream_decrypt(State0,Data),
     {Ssh#ssh{decrypt_ctx = State}, Enc}.
 
+
+next_gcm_iv(<<Fixed:32, InvCtr:64>>) -> <<Fixed:32, (InvCtr+1):64>>.
+
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %% Compression
 %%
@@ -1295,28 +1453,42 @@ decompress(#ssh{decompress = '[email protected]', decompress_ctx = Context, authe
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
 send_mac_init(SSH) ->
-    case SSH#ssh.role of
-	client ->
-	    KeySize =mac_key_size(SSH#ssh.send_mac),
-	    Key = hash(SSH, "E", KeySize),
-	    {ok, SSH#ssh { send_mac_key = Key }};
-	server ->
-	    KeySize = mac_key_size(SSH#ssh.send_mac),
-	    Key = hash(SSH, "F", KeySize),
-	    {ok, SSH#ssh { send_mac_key = Key }}
+    case pkt_type(SSH#ssh.send_mac) of
+	common ->
+	    case SSH#ssh.role of
+		client ->
+		    KeySize = mac_key_size(SSH#ssh.send_mac),
+		    Key = hash(SSH, "E", KeySize),
+		    {ok, SSH#ssh { send_mac_key = Key }};
+		server ->
+		    KeySize = mac_key_size(SSH#ssh.send_mac),
+		    Key = hash(SSH, "F", KeySize),
+		    {ok, SSH#ssh { send_mac_key = Key }}
+	    end;
+	aead ->
+	    %% Not applicable
+	    {ok, SSH}
     end.
 
 send_mac_final(SSH) ->
-    {ok, SSH#ssh {  send_mac = none, send_mac_key = undefined }}.
+    {ok, SSH#ssh {send_mac = none, 
+		  send_mac_key = undefined }}.
+
 
 recv_mac_init(SSH) ->
-    case SSH#ssh.role of
-	client ->
-	    Key = hash(SSH, "F", mac_key_size(SSH#ssh.recv_mac)),
-	    {ok, SSH#ssh { recv_mac_key = Key }};
-	server ->
-	    Key = hash(SSH, "E", mac_key_size(SSH#ssh.recv_mac)),
-	    {ok, SSH#ssh { recv_mac_key = Key }}
+    case pkt_type(SSH#ssh.recv_mac) of
+	common ->
+	    case SSH#ssh.role of
+		client ->
+		    Key = hash(SSH, "F", mac_key_size(SSH#ssh.recv_mac)),
+		    {ok, SSH#ssh { recv_mac_key = Key }};
+		server ->
+		    Key = hash(SSH, "E", mac_key_size(SSH#ssh.recv_mac)),
+		    {ok, SSH#ssh { recv_mac_key = Key }}
+	    end;
+	aead ->
+	    %% Not applicable
+	    {ok, SSH}
     end.
 
 recv_mac_final(SSH) ->
@@ -1447,6 +1619,8 @@ mac_digest_size('hmac-md5')    -> 20;
 mac_digest_size('hmac-md5-96') -> 12;
 mac_digest_size('hmac-sha2-256') -> 32;
 mac_digest_size('hmac-sha2-512') -> 64;
+mac_digest_size('AEAD_AES_128_GCM') -> 16;
+mac_digest_size('AEAD_AES_256_GCM') -> 16;
 mac_digest_size(none) -> 0.
 
 peer_name({Host, _}) ->
@@ -1476,6 +1650,68 @@ ecdh_curve('ecdh-sha2-nistp256') -> secp256r1;
 ecdh_curve('ecdh-sha2-nistp384') -> secp384r1;
 ecdh_curve('ecdh-sha2-nistp521') -> secp521r1.
 
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Utils for default_algorithms/1 and supported_algorithms/1
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+supported_algorithms(Key, [{client2server,BL1},{server2client,BL2}]) ->
+    [{client2server,As1},{server2client,As2}] = supported_algorithms(Key),
+    [{client2server,As1--BL1},{server2client,As2--BL2}];
+supported_algorithms(Key, BlackList) ->
+    supported_algorithms(Key) -- BlackList.
+
+
+select_crypto_supported(L) ->    
+    Sup = [{ec_curve,crypto_supported_curves()} | crypto:supports()],
+    [Name || {Name,CryptoRequires} <- L,
+	     crypto_supported(CryptoRequires, Sup)].
+
+crypto_supported_curves() ->
+    try crypto:ec_curves()
+    catch _:_ -> []
+    end.
+
+crypto_supported(Conditions, Supported) ->
+    lists:all( fun({Tag,CryptoName}) when is_atom(CryptoName) ->
+		       crypto_name_supported(Tag,CryptoName,Supported);
+		  ({Tag,{Name,Len}}) when is_integer(Len) ->
+		       crypto_name_supported(Tag,Name,Supported) andalso
+			   len_supported(Name,Len)
+	       end, Conditions).
+
+crypto_name_supported(Tag, CryptoName, Supported) ->
+    lists:member(CryptoName, proplists:get_value(Tag,Supported,[])).
+
+len_supported(Name, Len) ->
+    try
+	case Name of
+	    aes_ctr ->
+		{_, <<_/binary>>} = 
+		    %% Test encryption
+		    crypto:stream_encrypt(crypto:stream_init(Name, <<0:Len>>, <<0:128>>), <<"">>);
+	    aes_gcm ->
+		{<<_/binary>>, <<_/binary>>} = 
+		    crypto:block_encrypt(Name, 
+					 _Key = <<0:Len>>,
+					 _IV = <<0:12/unsigned-unit:8>>,
+					 {<<"AAD">>,"PT"})
+	end
+    of
+	_ -> true
+    catch
+	_:_ -> false
+    end.
+	    
+
+same(Algs) ->  [{client2server,Algs}, {server2client,Algs}].
+
+
+%% default_algorithms(kex) -> % Example of how to disable an algorithm
+%%     supported_algorithms(kex, ['ecdh-sha2-nistp521']);
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%
 %% Other utils
diff --git a/lib/ssh/test/ssh_renegotiate_SUITE.erl b/lib/ssh/test/ssh_renegotiate_SUITE.erl
index ef631d54bd..227dfcddcd 100644
--- a/lib/ssh/test/ssh_renegotiate_SUITE.erl
+++ b/lib/ssh/test/ssh_renegotiate_SUITE.erl
@@ -32,9 +32,15 @@
 
 suite() -> [{ct_hooks,[ts_install_cth]}].
 
-all() -> [rekey, rekey_limit, renegotiate1, renegotiate2].
+all() -> [{group,default_algs},
+	  {group,aes_gcm}
+	 ].
 
-groups() -> [].
+groups() -> [{default_algs, [], tests()},
+	     {aes_gcm,      [], tests()}
+	    ].
+
+tests() -> [rekey, rekey_limit, renegotiate1, renegotiate2].
 
 %%--------------------------------------------------------------------
 init_per_suite(Config) ->
@@ -50,6 +56,18 @@ end_per_suite(_Config) ->
     crypto:stop().
 
 %%--------------------------------------------------------------------
+init_per_group(aes_gcm, Config) ->
+    [{preferred_algorithms, [{cipher,[{client2server,['[email protected]']},
+				      {server2client,['[email protected]']}]}]}
+     | Config];
+init_per_group(_, Config) ->
+    [{preferred_algorithms, ssh:default_algorithms()} | Config].
+
+
+end_per_group(_, Config) ->
+    Config.
+
+%%--------------------------------------------------------------------
 init_per_testcase(_TestCase, Config) ->
     ssh:start(),
     Config.
diff --git a/lib/ssh/test/ssh_test_lib.erl b/lib/ssh/test/ssh_test_lib.erl
index 5816b708f2..424afc76fe 100644
--- a/lib/ssh/test/ssh_test_lib.erl
+++ b/lib/ssh/test/ssh_test_lib.erl
@@ -296,7 +296,7 @@ setup_dsa(DataDir, UserDir) ->
     file:make_dir(System),
     file:copy(filename:join(DataDir, "ssh_host_dsa_key"), filename:join(System, "ssh_host_dsa_key")),
     file:copy(filename:join(DataDir, "ssh_host_dsa_key.pub"), filename:join(System, "ssh_host_dsa_key.pub")),
-ct:pal("DataDir ~p:~n ~p~n~nSystDir ~p:~n ~p~n~nUserDir ~p:~n ~p",[DataDir, file:list_dir(DataDir), System, file:list_dir(System), UserDir, file:list_dir(UserDir)]),
+ct:log("DataDir ~p:~n ~p~n~nSystDir ~p:~n ~p~n~nUserDir ~p:~n ~p",[DataDir, file:list_dir(DataDir), System, file:list_dir(System), UserDir, file:list_dir(UserDir)]),
     setup_dsa_known_host(DataDir, UserDir),
     setup_dsa_auth_keys(DataDir, UserDir).
     
@@ -306,7 +306,7 @@ setup_rsa(DataDir, UserDir) ->
     file:make_dir(System),
     file:copy(filename:join(DataDir, "ssh_host_rsa_key"), filename:join(System, "ssh_host_rsa_key")),
     file:copy(filename:join(DataDir, "ssh_host_rsa_key.pub"), filename:join(System, "ssh_host_rsa_key.pub")),
-ct:pal("DataDir ~p:~n ~p~n~nSystDir ~p:~n ~p~n~nUserDir ~p:~n ~p",[DataDir, file:list_dir(DataDir), System, file:list_dir(System), UserDir, file:list_dir(UserDir)]),
+ct:log("DataDir ~p:~n ~p~n~nSystDir ~p:~n ~p~n~nUserDir ~p:~n ~p",[DataDir, file:list_dir(DataDir), System, file:list_dir(System), UserDir, file:list_dir(UserDir)]),
     setup_rsa_known_host(DataDir, UserDir),
     setup_rsa_auth_keys(DataDir, UserDir).
 
@@ -316,7 +316,7 @@ setup_ecdsa(Size, DataDir, UserDir) ->
     file:make_dir(System),
     file:copy(filename:join(DataDir, "ssh_host_ecdsa_key"++Size), filename:join(System, "ssh_host_ecdsa_key")),
     file:copy(filename:join(DataDir, "ssh_host_ecdsa_key"++Size++".pub"), filename:join(System, "ssh_host_ecdsa_key.pub")),
-ct:pal("DataDir ~p:~n ~p~n~nSystDir ~p:~n ~p~n~nUserDir ~p:~n ~p",[DataDir, file:list_dir(DataDir), System, file:list_dir(System), UserDir, file:list_dir(UserDir)]),
+ct:log("DataDir ~p:~n ~p~n~nSystDir ~p:~n ~p~n~nUserDir ~p:~n ~p",[DataDir, file:list_dir(DataDir), System, file:list_dir(System), UserDir, file:list_dir(UserDir)]),
     setup_ecdsa_known_host(Size, System, UserDir),
     setup_ecdsa_auth_keys(Size, UserDir, UserDir).
 
@@ -502,7 +502,7 @@ default_algorithms(sshd, Host, Port) ->
 				  {user_interaction, false}]}]))
     catch
 	_C:_E ->
-	    ct:pal("***~p:~p: ~p:~p",[?MODULE,?LINE,_C,_E]),
+	    ct:log("***~p:~p: ~p:~p",[?MODULE,?LINE,_C,_E]),
 	    []
     end.
 
@@ -522,7 +522,7 @@ default_algorithms(sshc, DaemonOptions) ->
 						    InitialState))
 		       catch
 			   _C:_E ->
-			       ct:pal("***~p:~p: ~p:~p",[?MODULE,?LINE,_C,_E]),
+			       ct:log("***~p:~p: ~p:~p",[?MODULE,?LINE,_C,_E]),
 			       []
 		       end}
 	  end),