SSH: only enable ciphers/MACs when they are available in crypto

Also adjusts tests to only expect a positive outcome when crypto supports the relevant base ciphers/MACs.
author: Alex Wilson <[email protected]> 2014-08-28 11:13:57 +1000
committer: Alex Wilson <[email protected]> 2014-08-28 11:13:57 +1000
commit: cf53a360685b1a01a5c7fc0e06660ce8d76d96b0 (patch)
tree: 82f187ca8b58b21ff3ca72ace1dc51a2d7bbe75b /lib
parent: ccf1e0385fe0877279141acdcb0ac4f43e5596e4 (diff)
download: otp-cf53a360685b1a01a5c7fc0e06660ce8d76d96b0.tar.gz
otp-cf53a360685b1a01a5c7fc0e06660ce8d76d96b0.tar.bz2
otp-cf53a360685b1a01a5c7fc0e06660ce8d76d96b0.zip
2 files changed, 35 insertions, 15 deletions
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index 805114f792..ea05c849b7 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -113,15 +113,28 @@ key_init(client, Ssh, Value) ->
 key_init(server, Ssh, Value) ->
     Ssh#ssh{s_keyinit = Value}.
 
+available_ssh_algos() ->
+    Supports = crypto:supports(),
+    CipherAlgos = [{aes_ctr, "aes128-ctr"}, {aes_cbc128, "aes128-cbc"}, {des3_cbc, "3des-cbc"}],
+    Ciphers = [SshAlgo ||
+	{CryptoAlgo, SshAlgo} <- CipherAlgos,
+	lists:member(CryptoAlgo, proplists:get_value(ciphers, Supports, []))],
+    HashAlgos = [{sha256, "hmac-sha2-256"}, {sha, "hmac-sha1"}],
+    Hashs = [SshAlgo ||
+	{CryptoAlgo, SshAlgo} <- HashAlgos,
+	lists:member(CryptoAlgo, proplists:get_value(hashs, Supports, []))],
+    {Ciphers, Hashs}.
+
 kexinit_messsage(client, Random, Compression, HostKeyAlgs) ->
+    {CipherAlgs, HashAlgs} = available_ssh_algos(),
     #ssh_msg_kexinit{ 
 		  cookie = Random,
 		  kex_algorithms = ["diffie-hellman-group1-sha1"],
 		  server_host_key_algorithms = HostKeyAlgs,
-		  encryption_algorithms_client_to_server = ["aes128-ctr","aes128-cbc","3des-cbc"],
-		  encryption_algorithms_server_to_client = ["aes128-ctr","aes128-cbc","3des-cbc"],
-		  mac_algorithms_client_to_server = ["hmac-sha2-256","hmac-sha1"],
-		  mac_algorithms_server_to_client = ["hmac-sha2-256","hmac-sha1"],
+		  encryption_algorithms_client_to_server = CipherAlgs,
+		  encryption_algorithms_server_to_client = CipherAlgs,
+		  mac_algorithms_client_to_server = HashAlgs,
+		  mac_algorithms_server_to_client = HashAlgs,
 		  compression_algorithms_client_to_server = Compression,
 		  compression_algorithms_server_to_client = Compression,
 		  languages_client_to_server = [],
@@ -129,14 +142,15 @@ kexinit_messsage(client, Random, Compression, HostKeyAlgs) ->
 		 };
 
 kexinit_messsage(server, Random, Compression, HostKeyAlgs) ->
+    {CipherAlgs, HashAlgs} = available_ssh_algos(),
     #ssh_msg_kexinit{
 		  cookie = Random,
 		  kex_algorithms = ["diffie-hellman-group1-sha1"],
 		  server_host_key_algorithms = HostKeyAlgs,
-		  encryption_algorithms_client_to_server = ["aes128-ctr","aes128-cbc","3des-cbc"],
-		  encryption_algorithms_server_to_client = ["aes128-ctr","aes128-cbc","3des-cbc"],
-		  mac_algorithms_client_to_server = ["hmac-sha2-256","hmac-sha1"],
-		  mac_algorithms_server_to_client = ["hmac-sha2-256","hmac-sha1"],
+		  encryption_algorithms_client_to_server = CipherAlgs,
+		  encryption_algorithms_server_to_client = CipherAlgs,
+		  mac_algorithms_client_to_server = HashAlgs,
+		  mac_algorithms_server_to_client = HashAlgs,
 		  compression_algorithms_client_to_server = Compression,
 		  compression_algorithms_server_to_client = Compression,
 		  languages_client_to_server = [],
diff --git a/lib/ssh/test/ssh_to_openssh_SUITE.erl b/lib/ssh/test/ssh_to_openssh_SUITE.erl
index 5a3bd21b55..e003b135b1 100644
--- a/lib/ssh/test/ssh_to_openssh_SUITE.erl
+++ b/lib/ssh/test/ssh_to_openssh_SUITE.erl
@@ -237,10 +237,14 @@ erlang_server_openssh_client_cipher_suites(Config) when is_list(Config) ->
 
     ct:sleep(500),
 
-    Ciphers = [{"3des-cbc", true},
-        {"aes128-cbc", true},
-        {"aes128-ctr", true},
-        {"aes256-cbc", false}],
+    Supports = crypto:supports(),
+    Ciphers = proplists:get_value(ciphers, Supports),
+    Tests = [
+        {"3des-cbc", lists:member(des3_cbc, Ciphers)},
+        {"aes128-cbc", lists:member(aes_cbc128, Ciphers)},
+        {"aes128-ctr", lists:member(aes_ctr, Ciphers)},
+        {"aes256-cbc", false}
+    ],
     lists:foreach(fun({Cipher, Expect}) ->
         Cmd = "ssh -p " ++ integer_to_list(Port) ++
         " -o UserKnownHostsFile=" ++ KnownHosts ++ " " ++ Host ++ " " ++
@@ -266,7 +270,7 @@ erlang_server_openssh_client_cipher_suites(Config) when is_list(Config) ->
                     ct:fail("Did not receive no matching cipher message")
                 end
         end
-    end, Ciphers),
+    end, Tests),
 
      ssh:stop_daemon(Pid).
 
@@ -285,8 +289,10 @@ erlang_server_openssh_client_macs(Config) when is_list(Config) ->
 
     ct:sleep(500),
 
-    MACs = [{"hmac-sha1", true},
-        {"hmac-sha2-256", true},
+    Supports = crypto:supports(),
+    Hashs = proplists:get_value(hashs, Supports),
+    MACs = [{"hmac-sha1", lists:member(sha, Hashs)},
+        {"hmac-sha2-256", lists:member(sha256, Hashs)},
         {"hmac-md5-96", false},
         {"hmac-ripemd160", false}],
     lists:foreach(fun({MAC, Expect}) ->
author	Alex Wilson <[email protected]>	2014-08-28 11:13:57 +1000
committer	Alex Wilson <[email protected]>	2014-08-28 11:13:57 +1000
commit	cf53a360685b1a01a5c7fc0e06660ce8d76d96b0 (patch)
tree	82f187ca8b58b21ff3ca72ace1dc51a2d7bbe75b /lib
parent	ccf1e0385fe0877279141acdcb0ac4f43e5596e4 (diff)
download	otp-cf53a360685b1a01a5c7fc0e06660ce8d76d96b0.tar.gz otp-cf53a360685b1a01a5c7fc0e06660ce8d76d96b0.tar.bz2 otp-cf53a360685b1a01a5c7fc0e06660ce8d76d96b0.zip