From 192379acc9e112f393ad18e20f4951d1e318a7a0 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Wed, 26 Apr 2017 11:49:43 +0200
Subject: ssh: Correction of misspelled type

---
 lib/ssh/src/ssh.hrl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ssh/src/ssh.hrl b/lib/ssh/src/ssh.hrl
index 315310f700..c7ed11895c 100644
--- a/lib/ssh/src/ssh.hrl
+++ b/lib/ssh/src/ssh.hrl
@@ -134,7 +134,7 @@
 	  role :: client | role(),
 	  peer :: undefined | 
                   {inet:hostname(),
-                   {inet:ip_adress(),inet:port_number()}},         %% string version of peer address 
+                   {inet:ip_address(),inet:port_number()}},         %% string version of peer address 
 
 	  c_vsn,        %% client version {Major,Minor}
 	  s_vsn,        %% server version {Major,Minor}
-- 
cgit v1.2.3


From c0d2e134f90ddd3fd2f5b0f9a94a5b0d55c93416 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Mon, 10 Apr 2017 13:19:37 +0200
Subject: ssh: clearify public key option handling

Change the handling of option pref_public_key_algs so that the same
checks are not performed twice.
---
 lib/ssh/src/ssh_auth.erl | 47 ++++++++++++++++++++---------------------------
 1 file changed, 20 insertions(+), 27 deletions(-)

diff --git a/lib/ssh/src/ssh_auth.erl b/lib/ssh/src/ssh_auth.erl
index 88c8144063..51df54341f 100644
--- a/lib/ssh/src/ssh_auth.erl
+++ b/lib/ssh/src/ssh_auth.erl
@@ -175,6 +175,7 @@ service_request_msg(Ssh) ->
 
 %%%----------------------------------------------------------------
 init_userauth_request_msg(#ssh{opts = Opts} = Ssh) ->
+    %% Client side
     case ?GET_OPT(user, Opts) of
 	undefined ->
 	    ErrStr = "Could not determine the users name",
@@ -183,25 +184,17 @@ init_userauth_request_msg(#ssh{opts = Opts} = Ssh) ->
 				  description = ErrStr});
         
 	User ->
-	    Msg = #ssh_msg_userauth_request{user = User,
-					    service = "ssh-connection",
-					    method = "none",
-					    data = <<>>},
-	    Algs0 = ?GET_OPT(pref_public_key_algs, Opts),
-	    %% The following line is not strictly correct. The call returns the
-	    %% supported HOST key types while we are interested in USER keys. However,
-	    %% they "happens" to be the same (for now).  This could change....
-	    %% There is no danger as long as the set of user keys is a subset of the set
-	    %% of host keys.
-	    CryptoSupported = ssh_transport:supported_algorithms(public_key),
-	    Algs = [A || A <- Algs0,
-			 lists:member(A, CryptoSupported)],
-
-	    Prefs = method_preference(Algs),
-	    ssh_transport:ssh_packet(Msg, Ssh#ssh{user = User,
-						  userauth_preference = Prefs,
-						  userauth_methods = none,
-						  service = "ssh-connection"})
+            ssh_transport:ssh_packet(
+              #ssh_msg_userauth_request{user = User,
+                                        service = "ssh-connection",
+                                        method = "none",
+                                        data = <<>>},
+              Ssh#ssh{user = User,
+                      userauth_preference = 
+                          method_preference(?GET_OPT(pref_public_key_algs, Opts)),
+                      userauth_methods = none,
+                      service = "ssh-connection"}
+             )
     end.
 
 %%%----------------------------------------------------------------
@@ -453,14 +446,14 @@ handle_userauth_info_response(#ssh_msg_userauth_info_response{},
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-method_preference(Algs) ->
-    lists:foldr(fun(A, Acc) ->
-		       [{"publickey", ?MODULE, publickey_msg, [A]} | Acc]
-	       end, 
-	       [{"password", ?MODULE, password_msg, []},
-		{"keyboard-interactive", ?MODULE, keyboard_interactive_msg, []}
-	       ],
-	       Algs).
+method_preference(PubKeyAlgs) ->
+    %% PubKeyAlgs: List of user (client) public key algorithms to try to use.
+    %% All of the acceptable algorithms is the default values.
+    PubKeyDefs = [{"publickey", ?MODULE, publickey_msg, [A]} || A <- PubKeyAlgs],
+    NonPKmethods = [{"password", ?MODULE, password_msg, []},
+                    {"keyboard-interactive", ?MODULE, keyboard_interactive_msg, []}
+                   ],
+    PubKeyDefs ++ NonPKmethods.
 
 check_password(User, Password, Opts, Ssh) ->
     case ?GET_OPT(pwdfun, Opts) of
-- 
cgit v1.2.3


From 29d7533c715f972ee996382c2c45cc0c055e10d2 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Mon, 10 Apr 2017 16:25:06 +0200
Subject: ssh: Implement ext-info extension. draft-ietf-curdle-ssh-ext-info

This is only a draft extension, but it is quite stable and already supported
by some implementations.  OpenSSH has had it for some year now.
---
 lib/ssh/src/ssh.hrl                    |   7 +-
 lib/ssh/src/ssh_connection_handler.erl | 142 ++++++++++++++++-----
 lib/ssh/src/ssh_dbg.erl                |   5 +-
 lib/ssh/src/ssh_message.erl            |  33 +++++
 lib/ssh/src/ssh_options.erl            |  22 +++-
 lib/ssh/src/ssh_transport.erl          | 221 ++++++++++++++++++++++-----------
 lib/ssh/src/ssh_transport.hrl          |  15 +++
 lib/ssh/test/ssh_trpt_test_lib.erl     |  11 +-
 8 files changed, 344 insertions(+), 112 deletions(-)

diff --git a/lib/ssh/src/ssh.hrl b/lib/ssh/src/ssh.hrl
index c7ed11895c..1a95bb27e7 100644
--- a/lib/ssh/src/ssh.hrl
+++ b/lib/ssh/src/ssh.hrl
@@ -145,6 +145,9 @@
 	  c_keyinit,    %% binary payload of kexinit packet
 	  s_keyinit,    %% binary payload of kexinit packet
 
+          send_ext_info, %% May send ext-info to peer
+          recv_ext_info, %% Expect ext-info from peer
+
 	  algorithms,   %% #alg{}
 	  
 	  kex,          %% key exchange algorithm
@@ -216,7 +219,9 @@
 	  compress,
 	  decompress,
 	  c_lng,
-	  s_lng
+	  s_lng,
+          send_ext_info,
+          recv_ext_info
 	 }).
 
 -record(ssh_key,
diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl
index 84bb7dc23f..0ff7c9b3a1 100644
--- a/lib/ssh/src/ssh_connection_handler.erl
+++ b/lib/ssh/src/ssh_connection_handler.erl
@@ -453,7 +453,9 @@ init_ssh_record(Role, _Socket, PeerAddr, Opts) ->
 	    PeerName = case ?GET_INTERNAL_OPT(host, Opts) of
                            PeerIP when is_tuple(PeerIP) ->
                                inet_parse:ntoa(PeerIP);
-                           PeerName0 ->
+                           PeerName0 when is_atom(PeerName0) ->
+                               atom_to_list(PeerName0);
+                           PeerName0 when is_list(PeerName0) ->
                                PeerName0
                        end,
 	    S0#ssh{c_vsn = Vsn,
@@ -493,6 +495,7 @@ init_ssh_record(Role, _Socket, PeerAddr, Opts) ->
       | {key_exchange_dh_gex_init, server, renegotiate_flag()}
       | {key_exchange_dh_gex_reply, client, renegotiate_flag()}
       | {new_keys, role()}
+      | {ext_info, role(), renegotiate_flag()}
       | {service_request, role()}
       | {userauth, role()}
       | {userauth_keyboard_interactive, role()}
@@ -589,13 +592,17 @@ handle_event(_, {#ssh_msg_kexinit{}=Kex, Payload}, {kexinit,Role,ReNeg},
 handle_event(_, #ssh_msg_kexdh_init{} = Msg, {key_exchange,server,ReNeg}, D) ->
     {ok, KexdhReply, Ssh1} = ssh_transport:handle_kexdh_init(Msg, D#data.ssh_params),
     send_bytes(KexdhReply, D),
-    {ok, NewKeys, Ssh} = ssh_transport:new_keys_message(Ssh1),
+    {ok, NewKeys, Ssh2} = ssh_transport:new_keys_message(Ssh1),
     send_bytes(NewKeys, D),
+    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh2),
+    send_bytes(ExtInfo, D),
     {next_state, {new_keys,server,ReNeg}, D#data{ssh_params=Ssh}};
 
 handle_event(_, #ssh_msg_kexdh_reply{} = Msg, {key_exchange,client,ReNeg}, D) ->
-    {ok, NewKeys, Ssh} = ssh_transport:handle_kexdh_reply(Msg, D#data.ssh_params),
+    {ok, NewKeys, Ssh1} = ssh_transport:handle_kexdh_reply(Msg, D#data.ssh_params),
     send_bytes(NewKeys, D),
+    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh1),
+    send_bytes(ExtInfo, D),
     {next_state, {new_keys,client,ReNeg}, D#data{ssh_params=Ssh}};
 
 %%%---- diffie-hellman group exchange
@@ -620,13 +627,17 @@ handle_event(_, #ssh_msg_kex_dh_gex_group{} = Msg, {key_exchange,client,ReNeg},
 handle_event(_, #ssh_msg_kex_ecdh_init{} = Msg, {key_exchange,server,ReNeg}, D) ->
     {ok, KexEcdhReply, Ssh1} = ssh_transport:handle_kex_ecdh_init(Msg, D#data.ssh_params),
     send_bytes(KexEcdhReply, D),
-    {ok, NewKeys, Ssh} = ssh_transport:new_keys_message(Ssh1),
+    {ok, NewKeys, Ssh2} = ssh_transport:new_keys_message(Ssh1),
     send_bytes(NewKeys, D),
+    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh2),
+    send_bytes(ExtInfo, D),
     {next_state, {new_keys,server,ReNeg}, D#data{ssh_params=Ssh}};
 
 handle_event(_, #ssh_msg_kex_ecdh_reply{} = Msg, {key_exchange,client,ReNeg}, D) ->
-    {ok, NewKeys, Ssh} = ssh_transport:handle_kex_ecdh_reply(Msg, D#data.ssh_params),
+    {ok, NewKeys, Ssh1} = ssh_transport:handle_kex_ecdh_reply(Msg, D#data.ssh_params),
     send_bytes(NewKeys, D),
+    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh1),
+    send_bytes(ExtInfo, D),
     {next_state, {new_keys,client,ReNeg}, D#data{ssh_params=Ssh}};
 
 
@@ -635,8 +646,10 @@ handle_event(_, #ssh_msg_kex_ecdh_reply{} = Msg, {key_exchange,client,ReNeg}, D)
 handle_event(_, #ssh_msg_kex_dh_gex_init{} = Msg, {key_exchange_dh_gex_init,server,ReNeg}, D) ->
     {ok, KexGexReply, Ssh1} =  ssh_transport:handle_kex_dh_gex_init(Msg, D#data.ssh_params),
     send_bytes(KexGexReply, D),
-    {ok, NewKeys, Ssh} = ssh_transport:new_keys_message(Ssh1),
+    {ok, NewKeys, Ssh2} = ssh_transport:new_keys_message(Ssh1),
     send_bytes(NewKeys, D),
+    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh2),
+    send_bytes(ExtInfo, D),
     {next_state, {new_keys,server,ReNeg}, D#data{ssh_params=Ssh}};
 
 
@@ -645,30 +658,60 @@ handle_event(_, #ssh_msg_kex_dh_gex_init{} = Msg, {key_exchange_dh_gex_init,serv
 handle_event(_, #ssh_msg_kex_dh_gex_reply{} = Msg, {key_exchange_dh_gex_reply,client,ReNeg}, D) ->
     {ok, NewKeys, Ssh1} = ssh_transport:handle_kex_dh_gex_reply(Msg, D#data.ssh_params),
     send_bytes(NewKeys, D),
-    {next_state, {new_keys,client,ReNeg}, D#data{ssh_params=Ssh1}};
+    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh1),
+    send_bytes(ExtInfo, D),
+    {next_state, {new_keys,client,ReNeg}, D#data{ssh_params=Ssh}};
 
 
 %%% ######## {new_keys, client|server} ####
 
 %% First key exchange round:
-handle_event(_, #ssh_msg_newkeys{} = Msg, {new_keys,Role,init}, D) ->
+handle_event(_, #ssh_msg_newkeys{} = Msg, {new_keys,client,init}, D) ->
     {ok, Ssh1} = ssh_transport:handle_new_keys(Msg, D#data.ssh_params),
-    Ssh = case Role of
-	      client ->
-		  {MsgReq, Ssh2} = ssh_auth:service_request_msg(Ssh1),
-		  send_bytes(MsgReq, D),
-		  Ssh2;
-	      server ->
-		  Ssh1
-	  end,
-    {next_state, {service_request,Role}, D#data{ssh_params=Ssh}};
+    %% {ok, ExtInfo, Ssh2} = ssh_transport:ext_info_message(Ssh1),
+    %% send_bytes(ExtInfo, D),
+    {MsgReq, Ssh} = ssh_auth:service_request_msg(Ssh1),
+    send_bytes(MsgReq, D),
+    {next_state, {ext_info,client,init}, D#data{ssh_params=Ssh}};
+
+handle_event(_, #ssh_msg_newkeys{} = Msg, {new_keys,server,init}, D) ->
+    {ok, Ssh} = ssh_transport:handle_new_keys(Msg, D#data.ssh_params),
+    %% {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh1),
+    %% send_bytes(ExtInfo, D),
+    {next_state, {ext_info,server,init}, D#data{ssh_params=Ssh}};
 
 %% Subsequent key exchange rounds (renegotiation):
 handle_event(_, #ssh_msg_newkeys{} = Msg, {new_keys,Role,renegotiate}, D) ->
     {ok, Ssh} = ssh_transport:handle_new_keys(Msg, D#data.ssh_params),
-    {next_state, {connected,Role}, D#data{ssh_params=Ssh}};
+    %% {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh1),
+    %% send_bytes(ExtInfo, D),
+    {next_state, {ext_info,Role,renegotiate}, D#data{ssh_params=Ssh}};
+
+
+%%% ######## {ext_info, client|server, init|renegotiate} ####
+
+handle_event(_, #ssh_msg_ext_info{}=Msg, {ext_info,Role,init}, D0) ->
+    D = handle_ssh_msg_ext_info(Msg, D0),
+    {next_state, {service_request,Role}, D};
+
+handle_event(_, #ssh_msg_ext_info{}=Msg, {ext_info,Role,renegotiate}, D0) ->
+    D = handle_ssh_msg_ext_info(Msg, D0),
+    {next_state, {connected,Role}, D};
+
+handle_event(_, #ssh_msg_newkeys{}=Msg, {ext_info,_Role,renegotiate}, D) ->
+    {ok, Ssh} = ssh_transport:handle_new_keys(Msg, D#data.ssh_params),
+    {keep_state, D#data{ssh_params = Ssh}};
+    
+
+handle_event(internal, Msg, {ext_info,Role,init}, D) when is_tuple(Msg) ->
+    %% If something else arrives, goto next state and handle the event in that one
+    {next_state, {service_request,Role}, D, [postpone]};
 
-%%% ######## {service_request, client|server}
+handle_event(internal, Msg, {ext_info,Role,renegotiate}, D) when is_tuple(Msg) ->
+    %% If something else arrives, goto next state and handle the event in that one
+    {next_state, {connected,Role}, D, [postpone]};
+
+%%% ######## {service_request, client|server} ####
 
 handle_event(_, Msg = #ssh_msg_service_request{name=ServiceName}, StateName = {service_request,server}, D) ->
     case ServiceName of
@@ -747,6 +790,11 @@ handle_event(_,
     end;
 
 %%---- userauth success to client
+handle_event(_, #ssh_msg_ext_info{}=Msg, {userauth,client}, D0) ->
+    %% FIXME: need new state to receive this msg!
+    D = handle_ssh_msg_ext_info(Msg, D0),
+    {keep_state, D};
+
 handle_event(_, #ssh_msg_userauth_success{}, {userauth,client}, D=#data{ssh_params = Ssh}) ->
     D#data.starter ! ssh_connected,
     {next_state, {connected,client}, D#data{ssh_params=Ssh#ssh{authenticated = true}}};
@@ -849,6 +897,11 @@ handle_event(_, #ssh_msg_userauth_failure{}, {userauth_keyboard_interactive_info
 	end,
     {next_state, {userauth,client}, D, [postpone]};
 
+handle_event(_, #ssh_msg_ext_info{}=Msg, {userauth_keyboard_interactive_info_response, client}, D0) ->
+    %% FIXME: need new state to receive this msg!
+    D = handle_ssh_msg_ext_info(Msg, D0),
+    {keep_state, D};
+
 handle_event(_, #ssh_msg_userauth_success{}, {userauth_keyboard_interactive_info_response, client}, D) ->
     {next_state, {userauth,client}, D, [postpone]};
 
@@ -1080,26 +1133,34 @@ handle_event({call,_}, _, StateName, _) when StateName /= {connected,server},
 					     StateName /= {connected,client}  ->
     {keep_state_and_data, [postpone]};
 
-handle_event({call,From}, {request, ChannelPid, ChannelId, Type, Data, Timeout}, {connected,_}, D0) ->
+handle_event({call,From}, {request, ChannelPid, ChannelId, Type, Data, Timeout}, StateName, D0) 
+  when element(1,StateName) == connected ;
+       element(1,StateName) == ext_info ->
     D = handle_request(ChannelPid, ChannelId, Type, Data, true, From, D0),
     %% Note reply to channel will happen later when reply is recived from peer on the socket
     start_channel_request_timer(ChannelId, From, Timeout),
     {keep_state, cache_request_idle_timer_check(D)};
 
-handle_event({call,From}, {request, ChannelId, Type, Data, Timeout}, {connected,_}, D0) ->
+handle_event({call,From}, {request, ChannelId, Type, Data, Timeout}, StateName, D0) 
+  when element(1,StateName) == connected ;
+       element(1,StateName) == ext_info ->
     D = handle_request(ChannelId, Type, Data, true, From, D0),
     %% Note reply to channel will happen later when reply is recived from peer on the socket
     start_channel_request_timer(ChannelId, From, Timeout),
     {keep_state, cache_request_idle_timer_check(D)};
 
-handle_event({call,From}, {data, ChannelId, Type, Data, Timeout}, {connected,_}, D0) ->
+handle_event({call,From}, {data, ChannelId, Type, Data, Timeout}, StateName, D0) 
+  when element(1,StateName) == connected ;
+       element(1,StateName) == ext_info ->
     {{replies, Replies}, Connection} =
 	ssh_connection:channel_data(ChannelId, Type, Data, D0#data.connection_state, From),
     {Repls,D} = send_replies(Replies, D0#data{connection_state = Connection}),
     start_channel_request_timer(ChannelId, From, Timeout), % FIXME: No message exchange so why?
     {keep_state, D, Repls};
 
-handle_event({call,From}, {eof, ChannelId}, {connected,_}, D0) ->
+handle_event({call,From}, {eof, ChannelId}, StateName, D0) 
+  when element(1,StateName) == connected ;
+       element(1,StateName) == ext_info ->
     case ssh_channel:cache_lookup(cache(D0), ChannelId) of
 	#channel{remote_id = Id, sent_close = false} ->
 	    D = send_msg(ssh_connection:channel_eof_msg(Id), D0),
@@ -1110,8 +1171,9 @@ handle_event({call,From}, {eof, ChannelId}, {connected,_}, D0) ->
 
 handle_event({call,From},
 	     {open, ChannelPid, Type, InitialWindowSize, MaxPacketSize, Data, Timeout},
-	     {connected,_},
-	     D0) ->
+	     StateName,
+	     D0) when element(1,StateName) == connected ;
+                      element(1,StateName) == ext_info ->
     erlang:monitor(process, ChannelPid),
     {ChannelId, D1} = new_channel_id(D0),
     D2 = send_msg(ssh_connection:channel_open_msg(Type, ChannelId,
@@ -1131,7 +1193,9 @@ handle_event({call,From},
     start_channel_request_timer(ChannelId, From, Timeout),
     {keep_state, cache_cancel_idle_timer(D)};
 
-handle_event({call,From}, {send_window, ChannelId}, {connected,_}, D) ->
+handle_event({call,From}, {send_window, ChannelId}, StateName, D) 
+  when element(1,StateName) == connected ;
+       element(1,StateName) == ext_info ->
     Reply = case ssh_channel:cache_lookup(cache(D), ChannelId) of
 		#channel{send_window_size = WinSize,
 			 send_packet_size = Packsize} ->
@@ -1141,7 +1205,9 @@ handle_event({call,From}, {send_window, ChannelId}, {connected,_}, D) ->
 	    end,
     {keep_state_and_data, [{reply,From,Reply}]};
 
-handle_event({call,From}, {recv_window, ChannelId}, {connected,_}, D) ->
+handle_event({call,From}, {recv_window, ChannelId}, StateName, D) 
+  when element(1,StateName) == connected ;
+       element(1,StateName) == ext_info ->
     Reply = case ssh_channel:cache_lookup(cache(D), ChannelId) of
 		#channel{recv_window_size = WinSize,
 			 recv_packet_size = Packsize} ->
@@ -1151,7 +1217,9 @@ handle_event({call,From}, {recv_window, ChannelId}, {connected,_}, D) ->
 	    end,
     {keep_state_and_data, [{reply,From,Reply}]};
 
-handle_event({call,From}, {close, ChannelId}, {connected,_}, D0) ->
+handle_event({call,From}, {close, ChannelId}, StateName, D0) 
+  when element(1,StateName) == connected ;
+       element(1,StateName) == ext_info ->
     case ssh_channel:cache_lookup(cache(D0), ChannelId) of
 	#channel{remote_id = Id} = Channel ->
 	    D1 = send_msg(ssh_connection:channel_close_msg(Id), D0),
@@ -1323,7 +1391,8 @@ handle_event(Type, Ev, StateName, D) ->
     Descr =
 	case catch atom_to_list(element(1,Ev)) of
 	    "ssh_msg_" ++_ when Type==internal ->
-		"Message in wrong state";
+%%		"Message in wrong state";
+lists:flatten(io_lib:format("Message ~p in wrong state (~p)", [element(1,Ev), StateName]));
 	    _ ->
 		"Internal error"
 	end,
@@ -1516,6 +1585,8 @@ send_msg(Msg, State=#data{ssh_params=Ssh0}) when is_tuple(Msg) ->
     send_bytes(Bytes, State),
     State#data{ssh_params=Ssh}.
 
+send_bytes("", _D) ->
+    ok;
 send_bytes(Bytes, #data{socket = Socket, transport_cb = Transport}) ->
     _ = Transport:send(Socket, Bytes),
     ok.
@@ -1621,6 +1692,19 @@ kex(_) -> undefined.
 cache(#data{connection_state=C}) -> C#connection.channel_cache.
     
 
+%%%----------------------------------------------------------------
+handle_ssh_msg_ext_info(#ssh_msg_ext_info{}, D=#data{ssh_params = #ssh{recv_ext_info=false}} ) ->
+    % The peer sent this although we didn't allow it!
+    D;
+handle_ssh_msg_ext_info(#ssh_msg_ext_info{data=Data}, D0) ->
+    lists:foldl(fun ext_info/2, D0, Data).
+
+%% ext_info({ExtName,ExtValue}, D0) ->
+%%     D0;
+ext_info(_, D0) ->
+    %% Not implemented
+    D0.
+
 %%%----------------------------------------------------------------
 handle_request(ChannelPid, ChannelId, Type, Data, WantReply, From, D) ->
     case ssh_channel:cache_lookup(cache(D), ChannelId) of
diff --git a/lib/ssh/src/ssh_dbg.erl b/lib/ssh/src/ssh_dbg.erl
index 0345bbdea7..9431bf1817 100644
--- a/lib/ssh/src/ssh_dbg.erl
+++ b/lib/ssh/src/ssh_dbg.erl
@@ -56,7 +56,7 @@ messages(Write, MangleArg) when is_function(Write,2),
 dbg_ssh_messages() ->
     dbg:tp(ssh_message,encode,1, x),
     dbg:tp(ssh_message,decode,1, x),
-    dbg:tpl(ssh_transport,select_algorithm,3, x),
+    dbg:tpl(ssh_transport,select_algorithm,4, x),
     dbg:tp(ssh_transport,hello_version_msg,1, x),
     dbg:tp(ssh_transport,handle_hello_version,1, x).
    
@@ -77,7 +77,7 @@ msg_formater({trace_ts,Pid,return_from,{ssh_message,decode,1},Msg,TS}, D) ->
 	
 msg_formater({trace_ts,_Pid,call,{ssh_transport,select_algorithm,_},_TS}, D) ->
     D;
-msg_formater({trace_ts,Pid,return_from,{ssh_transport,select_algorithm,3},{ok,Alg},TS}, D) ->
+msg_formater({trace_ts,Pid,return_from,{ssh_transport,select_algorithm,_},{ok,Alg},TS}, D) ->
     fmt("~n~s ~p ALGORITHMS~n~s~n", [ts(TS),Pid, wr_record(Alg)], D);
 
 msg_formater({trace_ts,_Pid,call,{ssh_transport,hello_version_msg,_},_TS}, D) ->
@@ -160,6 +160,7 @@ shrink_bin(X) -> X.
 ?wr_record(ssh_msg_kexdh_init);
 ?wr_record(ssh_msg_kexdh_reply);
 ?wr_record(ssh_msg_newkeys);
+?wr_record(ssh_msg_ext_info);
 ?wr_record(ssh_msg_kex_dh_gex_request);
 ?wr_record(ssh_msg_kex_dh_gex_request_old);
 ?wr_record(ssh_msg_kex_dh_gex_group);
diff --git a/lib/ssh/src/ssh_message.erl b/lib/ssh/src/ssh_message.erl
index 562f040477..56f678876c 100644
--- a/lib/ssh/src/ssh_message.erl
+++ b/lib/ssh/src/ssh_message.erl
@@ -215,6 +215,16 @@ encode(#ssh_msg_service_accept{
 	 }) ->
     <<?Ebyte(?SSH_MSG_SERVICE_ACCEPT), ?Estring_utf8(Service)>>;
 
+encode(#ssh_msg_ext_info{
+          nr_extensions = N,
+          data = Data
+         }) ->
+    lists:foldl(fun({ExtName,ExtVal}, Acc) ->
+                        <<Acc/binary, ?Estring(ExtName), ?Estring(ExtVal)>>
+                end,
+                <<?Ebyte(?SSH_MSG_EXT_INFO), ?Euint32(N)>>,
+                Data);
+
 encode(#ssh_msg_newkeys{}) ->
     <<?Ebyte(?SSH_MSG_NEWKEYS)>>;
 
@@ -435,6 +445,18 @@ decode(<<?BYTE(?SSH_MSG_USERAUTH_INFO_RESPONSE), ?UINT32(Num), Data/binary>>) ->
        num_responses = Num,
        data = Data};
 
+decode(<<?BYTE(?SSH_MSG_EXT_INFO), ?UINT32(N), BinData/binary>>) ->
+    Data = bin_foldr(
+             fun(Bin,Acc) when length(Acc) == N ->
+                     {Bin,Acc};
+                (<<?DEC_BIN(V0,__0), ?DEC_BIN(V1,__1), Rest/binary>>, Acc) -> 
+                     {Rest,[{binary_to_list(V0),binary_to_list(V1)}|Acc]}
+             end, [], BinData),
+    #ssh_msg_ext_info{
+       nr_extensions = N,
+       data = Data
+      };
+
 %%% Keyexchange messages
 decode(<<?BYTE(?SSH_MSG_KEXINIT), Cookie:128, Data/binary>>) ->
     decode_kex_init(Data, [Cookie, ssh_msg_kexinit], 10);
@@ -537,17 +559,28 @@ decode(<<?BYTE(?SSH_MSG_DEBUG), ?BYTE(Bool), ?DEC_BIN(Msg,__0), ?DEC_BIN(Lang,__
 %%% Helper functions
 %%%
 
+bin_foldr(Fun, Acc, Bin) ->
+    lists:reverse(bin_foldl(Fun, Acc, Bin)).
+
+bin_foldl(_, Acc, <<>>) -> Acc;
+bin_foldl(Fun, Acc0, Bin0) ->
+    {Bin,Acc} = Fun(Bin0,Acc0),
+    bin_foldl(Fun, Acc, Bin).
+
+%%%----------------------------------------------------------------
 decode_keyboard_interactive_prompts(<<>>, Acc) ->
     lists:reverse(Acc);
 decode_keyboard_interactive_prompts(<<?DEC_BIN(Prompt,__0), ?BYTE(Bool), Bin/binary>>,
 				    Acc) ->
     decode_keyboard_interactive_prompts(Bin, [{Prompt, erl_boolean(Bool)} | Acc]).
 
+%%%----------------------------------------------------------------
 erl_boolean(0) ->
     false;
 erl_boolean(1) ->
     true.
 
+%%%----------------------------------------------------------------
 decode_kex_init(<<?BYTE(Bool), ?UINT32(X)>>, Acc, 0) ->
     list_to_tuple(lists:reverse([X, erl_boolean(Bool) | Acc]));
 decode_kex_init(<<?BYTE(Bool)>>, Acc, 0) ->
diff --git a/lib/ssh/src/ssh_options.erl b/lib/ssh/src/ssh_options.erl
index ee3cdbb8a0..6e898b4fde 100644
--- a/lib/ssh/src/ssh_options.erl
+++ b/lib/ssh/src/ssh_options.erl
@@ -614,11 +614,23 @@ default(common) ->
             },
 
        {max_random_length_padding, def} =>
-          #{default => ?MAX_RND_PADDING_LEN,
-            chk => fun check_non_neg_integer/1,
-            class => user_options
-           }
-    }.
+           #{default => ?MAX_RND_PADDING_LEN,
+             chk => fun check_non_neg_integer/1,
+             class => user_options
+            },
+
+       {send_ext_info, def} =>
+           #{default => true,
+             chk => fun erlang:is_boolean/1,
+             class => user_options
+            },
+
+       {recv_ext_info, def} =>
+           #{default => true,
+             chk => fun erlang:is_boolean/1,
+             class => user_options
+            }
+     }.
 
 
 %%%================================================================
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index 6b47868d5c..d623d24529 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -38,6 +38,7 @@
 	 handle_hello_version/1,
 	 key_exchange_init_msg/1,
 	 key_init/3, new_keys_message/1,
+         ext_info_message/1,
 	 handle_kexinit_msg/3, handle_kexdh_init/2,
 	 handle_kex_dh_gex_group/2, handle_kex_dh_gex_init/2, handle_kex_dh_gex_reply/2,
 	 handle_new_keys/2, handle_kex_dh_gex_request/2,
@@ -230,7 +231,7 @@ key_exchange_init_msg(Ssh0) ->
 kex_init(#ssh{role = Role, opts = Opts, available_host_keys = HostKeyAlgs}) ->
     Random = ssh_bits:random(16),
     PrefAlgs = ?GET_OPT(preferred_algorithms, Opts),
-    kexinit_message(Role, Random, PrefAlgs, HostKeyAlgs).
+    kexinit_message(Role, Random, PrefAlgs, HostKeyAlgs, Opts).
 
 key_init(client, Ssh, Value) ->
     Ssh#ssh{c_keyinit = Value};
@@ -238,10 +239,11 @@ key_init(server, Ssh, Value) ->
     Ssh#ssh{s_keyinit = Value}.
 
 
-kexinit_message(_Role, Random, Algs, HostKeyAlgs) ->
+kexinit_message(Role, Random, Algs, HostKeyAlgs, Opts) ->
     #ssh_msg_kexinit{
 		  cookie = Random,
-		  kex_algorithms = to_strings( get_algs(kex,Algs) ),
+		  kex_algorithms = to_strings( get_algs(kex,Algs) )
+                                   ++ kex_ext_info(Role,Opts),
 		  server_host_key_algorithms = HostKeyAlgs,
 		  encryption_algorithms_client_to_server = c2s(cipher,Algs),
 		  encryption_algorithms_server_to_client = s2c(cipher,Algs),
@@ -263,39 +265,42 @@ get_algs(Key, Algs) -> proplists:get_value(Key, Algs, default_algorithms(Key)).
 to_strings(L) -> lists:map(fun erlang:atom_to_list/1, L).
 
 new_keys_message(Ssh0) ->
-    {SshPacket, Ssh} = 
-	ssh_packet(#ssh_msg_newkeys{}, Ssh0),
+    {SshPacket, Ssh1} = ssh_packet(#ssh_msg_newkeys{}, Ssh0),
+    Ssh = install_alg(snd, Ssh1),
     {ok, SshPacket, Ssh}.
 
 
 handle_kexinit_msg(#ssh_msg_kexinit{} = CounterPart, #ssh_msg_kexinit{} = Own,
-			    #ssh{role = client} = Ssh0) ->
-    {ok, Algoritms} = select_algorithm(client, Own, CounterPart),  
-    case verify_algorithm(Algoritms) of
-	true ->
-	    key_exchange_first_msg(Algoritms#alg.kex, 
-				   Ssh0#ssh{algorithms = Algoritms});
-	{false,Alg} ->
-	    %% TODO: Correct code?
-    ssh_connection_handler:disconnect(
-      #ssh_msg_disconnect{code = ?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
-			  description = "Selection of key exchange algorithm failed: "
-                          ++ Alg
-			 })
+                   #ssh{role = client} = Ssh) ->
+    try
+        {ok, Algorithms} = select_algorithm(client, Own, CounterPart, Ssh#ssh.opts),
+        true = verify_algorithm(Algorithms),
+        Algorithms
+    of
+	Algos ->
+	    key_exchange_first_msg(Algos#alg.kex, 
+				   Ssh#ssh{algorithms = Algos})
+    catch
+        _:_ ->
+            ssh_connection_handler:disconnect(
+              #ssh_msg_disconnect{code = ?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+                                  description = "Selection of key exchange algorithm failed"})
     end;
 
 handle_kexinit_msg(#ssh_msg_kexinit{} = CounterPart, #ssh_msg_kexinit{} = Own,
-			    #ssh{role = server} = Ssh) ->
-    {ok, Algoritms} = select_algorithm(server, CounterPart, Own),
-    case  verify_algorithm(Algoritms) of
-	true ->
-	    {ok, Ssh#ssh{algorithms = Algoritms}};
-	{false,Alg} ->
-    ssh_connection_handler:disconnect(
-      #ssh_msg_disconnect{code = ?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
-			  description = "Selection of key exchange algorithm failed: "
-                          ++ Alg
-			 })
+                   #ssh{role = server} = Ssh) ->
+    try
+        {ok, Algorithms} = select_algorithm(server, CounterPart, Own, Ssh#ssh.opts),
+        true = verify_algorithm(Algorithms),
+        Algorithms
+    of
+	Algos ->
+            {ok, Ssh#ssh{algorithms = Algos}}
+    catch
+        _:_ ->
+            ssh_connection_handler:disconnect(
+              #ssh_msg_disconnect{code = ?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+                                  description = "Selection of key exchange algorithm failed"})
     end.
 
 
@@ -308,6 +313,8 @@ verify_algorithm(#alg{decrypt = undefined})   ->  {false, "decrypt"};
 verify_algorithm(#alg{compress = undefined})  ->  {false, "compress"};
 verify_algorithm(#alg{decompress = undefined}) -> {false, "decompress"};
 verify_algorithm(#alg{kex = Kex}) -> 
+    %% This also catches the error if 'ext-info-s' or 'ext-info-c' is selected.
+    %% (draft-ietf-curdle-ssh-ext-info-04 2.2)
     case lists:member(Kex, supported_algorithms(kex)) of
         true -> true;
         false -> {false, "kex"}
@@ -414,9 +421,9 @@ handle_kexdh_reply(#ssh_msg_kexdh_reply{public_host_key = PeerPubHostKey,
 	    case verify_host_key(Ssh0, PeerPubHostKey, H, H_SIG) of
 		ok ->
 		    {SshPacket, Ssh} = ssh_packet(#ssh_msg_newkeys{}, Ssh0),
-		    {ok, SshPacket, Ssh#ssh{shared_secret  = ssh_bits:mpint(K),
-					    exchanged_hash = H,
-					    session_id = sid(Ssh, H)}};
+		    {ok, SshPacket, install_alg(snd, Ssh#ssh{shared_secret  = ssh_bits:mpint(K),
+                                                             exchanged_hash = H,
+                                                             session_id = sid(Ssh, H)})};
 		Error ->
 	    ssh_connection_handler:disconnect(
 	      #ssh_msg_disconnect{
@@ -584,9 +591,9 @@ handle_kex_dh_gex_reply(#ssh_msg_kex_dh_gex_reply{public_host_key = PeerPubHostK
 		    case verify_host_key(Ssh0, PeerPubHostKey, H, H_SIG) of
 			ok ->
 			    {SshPacket, Ssh} = ssh_packet(#ssh_msg_newkeys{}, Ssh0),
-			    {ok, SshPacket, Ssh#ssh{shared_secret  = ssh_bits:mpint(K),
-						    exchanged_hash = H,
-						    session_id = sid(Ssh, H)}};
+			    {ok, SshPacket, install_alg(snd, Ssh#ssh{shared_secret  = ssh_bits:mpint(K),
+                                                                     exchanged_hash = H,
+                                                                     session_id = sid(Ssh, H)})};
 			_Error ->
 			    ssh_connection_handler:disconnect(
 			      #ssh_msg_disconnect{
@@ -660,9 +667,9 @@ handle_kex_ecdh_reply(#ssh_msg_kex_ecdh_reply{public_host_key = PeerPubHostKey,
 	    case verify_host_key(Ssh0, PeerPubHostKey, H, H_SIG) of
 		ok ->
 		    {SshPacket, Ssh} = ssh_packet(#ssh_msg_newkeys{}, Ssh0),
-		    {ok, SshPacket, Ssh#ssh{shared_secret  = ssh_bits:mpint(K),
-					    exchanged_hash = H,
-					    session_id = sid(Ssh, H)}};
+		    {ok, SshPacket, install_alg(snd, Ssh#ssh{shared_secret  = ssh_bits:mpint(K),
+                                                             exchanged_hash = H,
+                                                             session_id = sid(Ssh, H)})};
 		Error ->
 		    ssh_connection_handler:disconnect(
 		       #ssh_msg_disconnect{
@@ -682,7 +689,7 @@ handle_kex_ecdh_reply(#ssh_msg_kex_ecdh_reply{public_host_key = PeerPubHostKey,
 
 %%%----------------------------------------------------------------
 handle_new_keys(#ssh_msg_newkeys{}, Ssh0) ->
-    try install_alg(Ssh0) of
+    try install_alg(rcv, Ssh0) of
 	#ssh{} = Ssh ->
 	    {ok, Ssh}
     catch 
@@ -693,6 +700,34 @@ handle_new_keys(#ssh_msg_newkeys{}, Ssh0) ->
 				 })
     end. 
 
+
+%%%----------------------------------------------------------------
+kex_ext_info(Role, Opts) ->
+    case ?GET_OPT(recv_ext_info,Opts) of
+        true when Role==client -> ["ext-info-c"];
+        true when Role==server -> ["ext-info-s"];
+        false -> []
+    end.
+    
+ext_info_message(#ssh{role=client,
+                      algorithms=#alg{send_ext_info=true}} = Ssh0) ->
+    %% FIXME: no extensions implemented for clients
+    {ok, "", Ssh0};
+
+ext_info_message(#ssh{role=server,
+                      algorithms=#alg{send_ext_info=true}} = Ssh0) ->
+    AlgsList = lists:map(fun erlang:atom_to_list/1,
+                         ssh_transport:default_algorithms(public_key)),
+    Msg = #ssh_msg_ext_info{nr_extensions = 1,
+                            data = [{"server-sig-algs", string:join(AlgsList,",")}]
+                           },
+    {SshPacket, Ssh} = ssh_packet(Msg, Ssh0),
+    {ok, SshPacket, Ssh};
+
+ext_info_message(Ssh0) ->
+    {ok, "", Ssh0}.                          % "" means: 'do not send'
+
+%%%----------------------------------------------------------------
 %% select session id
 sid(#ssh{session_id = undefined}, H) -> 
     H;
@@ -812,7 +847,7 @@ known_host_key(#ssh{opts = Opts, key_cb = {KeyCb,KeyCbOpts}, peer = {PeerName,_}
 %%
 %%   The first algorithm in each list MUST be the preferred (guessed)
 %%   algorithm.  Each string MUST contain at least one algorithm name.
-select_algorithm(Role, Client, Server) ->
+select_algorithm(Role, Client, Server, Opts) ->
     {Encrypt0, Decrypt0} = select_encrypt_decrypt(Role, Client, Server),
     {SendMac0, RecvMac0} = select_send_recv_mac(Role, Client, Server),
 
@@ -837,17 +872,34 @@ select_algorithm(Role, Client, Server) ->
     Kex = select(Client#ssh_msg_kexinit.kex_algorithms,
 		 Server#ssh_msg_kexinit.kex_algorithms),
 
-    Alg = #alg{kex = Kex, 
-	       hkey = HK,
-	       encrypt = Encrypt,
-	       decrypt = Decrypt,
-	       send_mac = SendMac,
-	       recv_mac = RecvMac,
-	       compress = Compression,
-	       decompress = Decompression,
-	       c_lng = C_Lng,
-	       s_lng = S_Lng},
-    {ok, Alg}.
+    SendExtInfo =
+        %% To send we must have that option enabled and ...
+        ?GET_OPT(send_ext_info,Opts) andalso
+        %% ... the peer must have told us to send:
+        case Role of
+            server -> lists:member("ext-info-c", Client#ssh_msg_kexinit.kex_algorithms);
+            client -> lists:member("ext-info-s", Server#ssh_msg_kexinit.kex_algorithms)
+        end,
+
+    RecvExtInfo =
+        %% The peer should not send unless told so by us (which is
+        %% guided by an option).
+        %% (However a malicious peer could send anyway, so we must be prepared)
+        ?GET_OPT(recv_ext_info,Opts),
+
+    {ok, #alg{kex = Kex,
+              hkey = HK,
+              encrypt = Encrypt,
+              decrypt = Decrypt,
+              send_mac = SendMac,
+              recv_mac = RecvMac,
+              compress = Compression,
+              decompress = Decompression,
+              c_lng = C_Lng,
+              s_lng = S_Lng,
+              send_ext_info = SendExtInfo,
+              recv_ext_info = RecvExtInfo
+             }}.
 
 
 %%% It is an agreed problem with RFC 5674 that if the selection is
@@ -928,45 +980,66 @@ select_compression_decompression(server, Client, Server) ->
 	       Server#ssh_msg_kexinit.compression_algorithms_server_to_client),
     {Compression, Decompression}.
 
-install_alg(SSH) ->
-    SSH1 = alg_final(SSH),
-    SSH2 = alg_setup(SSH1),
-    alg_init(SSH2).
+%% DIr = rcv | snd
+install_alg(Dir, SSH) ->
+    SSH1 = alg_final(Dir, SSH),
+    SSH2 = alg_setup(Dir, SSH1),
+    alg_init(Dir, SSH2).
 
-alg_setup(SSH) ->
+alg_setup(snd, SSH) ->
     ALG = SSH#ssh.algorithms,
     SSH#ssh{kex = ALG#alg.kex,
 	    hkey = ALG#alg.hkey,
 	    encrypt = ALG#alg.encrypt,
-	    decrypt = ALG#alg.decrypt,
 	    send_mac = ALG#alg.send_mac,
 	    send_mac_size = mac_digest_size(ALG#alg.send_mac),
+	    compress = ALG#alg.compress,
+	    c_lng = ALG#alg.c_lng,
+	    s_lng = ALG#alg.s_lng,
+            send_ext_info = ALG#alg.send_ext_info,
+            recv_ext_info = ALG#alg.recv_ext_info
+	   };
+
+alg_setup(rcv, SSH) ->
+    ALG = SSH#ssh.algorithms,
+    SSH#ssh{kex = ALG#alg.kex,
+	    hkey = ALG#alg.hkey,
+	    decrypt = ALG#alg.decrypt,
 	    recv_mac = ALG#alg.recv_mac,
 	    recv_mac_size = mac_digest_size(ALG#alg.recv_mac),
-	    compress = ALG#alg.compress,
 	    decompress = ALG#alg.decompress,
 	    c_lng = ALG#alg.c_lng,
 	    s_lng = ALG#alg.s_lng,
-	    algorithms = undefined
+            send_ext_info = ALG#alg.send_ext_info,
+            recv_ext_info = ALG#alg.recv_ext_info
 	   }.
 
-alg_init(SSH0) ->
+
+alg_init(snd, SSH0) ->
     {ok,SSH1} = send_mac_init(SSH0),
-    {ok,SSH2} = recv_mac_init(SSH1),
-    {ok,SSH3} = encrypt_init(SSH2),
-    {ok,SSH4} = decrypt_init(SSH3),
-    {ok,SSH5} = compress_init(SSH4),
-    {ok,SSH6} = decompress_init(SSH5),
-    SSH6.
-
-alg_final(SSH0) ->
+    {ok,SSH2} = encrypt_init(SSH1),
+    {ok,SSH3} = compress_init(SSH2),
+    SSH3;
+
+alg_init(rcv, SSH0) ->
+    {ok,SSH1} = recv_mac_init(SSH0),
+    {ok,SSH2} = decrypt_init(SSH1),
+    {ok,SSH3} = decompress_init(SSH2),
+    SSH3.
+
+
+alg_final(snd, SSH0) ->
     {ok,SSH1} = send_mac_final(SSH0),
-    {ok,SSH2} = recv_mac_final(SSH1),
-    {ok,SSH3} = encrypt_final(SSH2),
-    {ok,SSH4} = decrypt_final(SSH3),
-    {ok,SSH5} = compress_final(SSH4),
-    {ok,SSH6} = decompress_final(SSH5),
-    SSH6.
+    {ok,SSH2} = encrypt_final(SSH1),
+    {ok,SSH3} = compress_final(SSH2),
+    SSH3;
+
+alg_final(rcv, SSH0) ->
+    {ok,SSH1} = recv_mac_final(SSH0),
+    {ok,SSH2} = decrypt_final(SSH1),
+    {ok,SSH3} = decompress_final(SSH2),
+    SSH3.
+
 
 select_all(CL, SL) when length(CL) + length(SL) < ?MAX_NUM_ALGORITHMS ->
     A = CL -- SL,  %% algortihms only used by client
diff --git a/lib/ssh/src/ssh_transport.hrl b/lib/ssh/src/ssh_transport.hrl
index 19b3f5c437..faae6008f2 100644
--- a/lib/ssh/src/ssh_transport.hrl
+++ b/lib/ssh/src/ssh_transport.hrl
@@ -48,6 +48,7 @@
 -define(SSH_MSG_DEBUG,                  4).
 -define(SSH_MSG_SERVICE_REQUEST,        5).
 -define(SSH_MSG_SERVICE_ACCEPT,         6).
+-define(SSH_MSG_EXT_INFO,               7).
 
 -define(SSH_MSG_KEXINIT,                20).
 -define(SSH_MSG_NEWKEYS,                21).
@@ -88,6 +89,20 @@
 	  name     %% string
 	 }).
 
+-record(ssh_msg_ext_info,
+       {
+         nr_extensions, %% uint32
+
+         %% repeat the following 2 fields "nr-extensions" times:
+         %%   string   extension-name
+         %%   string   extension-value
+
+         data  %% [{extension-name,    %% string
+               %%   extension-value},  %% string
+               %%         ...
+               %% ]
+       }).
+
 -record(ssh_msg_kexinit,
 	{
 	  cookie,                                   %% random(16)
diff --git a/lib/ssh/test/ssh_trpt_test_lib.erl b/lib/ssh/test/ssh_trpt_test_lib.erl
index e1f4c65300..781889ddd1 100644
--- a/lib/ssh/test/ssh_trpt_test_lib.erl
+++ b/lib/ssh/test/ssh_trpt_test_lib.erl
@@ -397,6 +397,12 @@ send(S0, {special,Msg,PacketFun}) when is_tuple(Msg),
     send_bytes(Packet, S#s{ssh = C, %%inc_send_seq_num(C),
 			   return_value = Msg});
 
+send(S0, #ssh_msg_newkeys{} = Msg) ->
+    S = opt(print_messages, S0,
+	    fun(X) when X==true;X==detail -> {"Send~n~s~n",[format_msg(Msg)]} end),
+    {ok, Packet, C} = ssh_transport:new_keys_message(S#s.ssh),
+    send_bytes(Packet, S#s{ssh = C});
+    
 send(S0, Msg) when is_tuple(Msg) ->
     S = opt(print_messages, S0,
 	    fun(X) when X==true;X==detail -> {"Send~n~s~n",[format_msg(Msg)]} end),
@@ -455,7 +461,10 @@ recv(S0 = #s{}) ->
 		       };
 		#ssh_msg_kexdh_reply{} ->
 		    {ok, _NewKeys, C} = ssh_transport:handle_kexdh_reply(PeerMsg, S#s.ssh),
-		    S#s{ssh=C#ssh{send_sequence=S#s.ssh#ssh.send_sequence}}; % Back the number
+                    S#s{ssh = (S#s.ssh)#ssh{shared_secret = C#ssh.shared_secret,
+                                            exchanged_hash = C#ssh.exchanged_hash,
+                                            session_id = C#ssh.session_id}};
+		    %%%S#s{ssh=C#ssh{send_sequence=S#s.ssh#ssh.send_sequence}}; % Back the number
 		#ssh_msg_newkeys{} ->
 		    {ok, C} = ssh_transport:handle_new_keys(PeerMsg, S#s.ssh),
 		    S#s{ssh=C};
-- 
cgit v1.2.3


From b7cba805e37e591d8fa7d7df06f9563a9f926e23 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Wed, 26 Apr 2017 12:08:01 +0200
Subject: ssh: state machine fixes for calls during re-negotiation

---
 lib/ssh/src/ssh_connection_handler.erl | 47 +++++++++++++++-------------------
 1 file changed, 20 insertions(+), 27 deletions(-)

diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl
index 0ff7c9b3a1..128a9175f5 100644
--- a/lib/ssh/src/ssh_connection_handler.erl
+++ b/lib/ssh/src/ssh_connection_handler.erl
@@ -365,7 +365,7 @@ init_connection_handler(Role, Socket, Opts) ->
         {ok, StartState, D} ->
             process_flag(trap_exit, true),
             gen_statem:enter_loop(?MODULE,
-                                  [], %%[{debug,[trace,log,statistics,debug]} || Role==server],
+                                  [], %%[{debug,[trace,log,statistics,debug]} ], %% []
                                   StartState,
                                   D);
 
@@ -504,6 +504,10 @@ init_ssh_record(Role, _Socket, PeerAddr, Opts) ->
 
 -type handle_event_result() :: gen_statem:handle_event_result().
 
+-define(CONNECTED(StateName), 
+        (element(1,StateName) == connected orelse
+         element(1,StateName) == ext_info ) ).
+
 -spec handle_event(gen_statem:event_type(),
 		   event_content(),
 		   state_name(),
@@ -1020,12 +1024,10 @@ handle_event(cast, data_size, _, _) ->
 
 
 
-handle_event(cast, _, StateName, _) when StateName /= {connected,server},
-					 StateName /= {connected,client} ->
+handle_event(cast, _, StateName, _) when not ?CONNECTED(StateName) ->
     {keep_state_and_data, [postpone]};
 
-
-handle_event(cast, {adjust_window,ChannelId,Bytes}, {connected,_}, D) ->
+handle_event(cast, {adjust_window,ChannelId,Bytes}, StateName, D) when ?CONNECTED(StateName) ->
     case ssh_channel:cache_lookup(cache(D), ChannelId) of
 	#channel{recv_window_size = WinSize,
 		 recv_window_pending = Pending,
@@ -1051,7 +1053,7 @@ handle_event(cast, {adjust_window,ChannelId,Bytes}, {connected,_}, D) ->
 	    keep_state_and_data
     end;
 
-handle_event(cast, {reply_request,success,ChannelId}, {connected,_}, D) ->
+handle_event(cast, {reply_request,success,ChannelId}, StateName, D) when ?CONNECTED(StateName) ->
     case ssh_channel:cache_lookup(cache(D), ChannelId) of
 	#channel{remote_id = RemoteId} ->
 	    Msg = ssh_connection:channel_success_msg(RemoteId),
@@ -1062,13 +1064,13 @@ handle_event(cast, {reply_request,success,ChannelId}, {connected,_}, D) ->
 	    keep_state_and_data
     end;
 
-handle_event(cast, {request,ChannelPid, ChannelId, Type, Data}, {connected,_}, D) ->
+handle_event(cast, {request,ChannelPid, ChannelId, Type, Data}, StateName, D) when ?CONNECTED(StateName) ->
     {keep_state,  handle_request(ChannelPid, ChannelId, Type, Data, false, none, D)};
 
-handle_event(cast, {request,ChannelId,Type,Data}, {connected,_}, D) ->
+handle_event(cast, {request,ChannelId,Type,Data}, StateName, D) when ?CONNECTED(StateName) ->
     {keep_state,  handle_request(ChannelId, Type, Data, false, none, D)};
 
-handle_event(cast, {unknown,Data}, {connected,_}, D) ->
+handle_event(cast, {unknown,Data}, StateName, D) when ?CONNECTED(StateName) ->
     Msg = #ssh_msg_unimplemented{sequence = Data},
     {keep_state, send_msg(Msg,D)};
 
@@ -1129,29 +1131,25 @@ handle_event({call,From}, stop, StateName, D0) ->
     {Repls,D} = send_replies(Replies, D0),
     {stop_and_reply, normal, [{reply,From,ok}|Repls], D#data{connection_state=Connection}};
 
-handle_event({call,_}, _, StateName, _) when StateName /= {connected,server},
-					     StateName /= {connected,client}  ->
+handle_event({call,_}, _, StateName, _) when not ?CONNECTED(StateName) ->
     {keep_state_and_data, [postpone]};
 
 handle_event({call,From}, {request, ChannelPid, ChannelId, Type, Data, Timeout}, StateName, D0) 
-  when element(1,StateName) == connected ;
-       element(1,StateName) == ext_info ->
+  when ?CONNECTED(StateName) ->
     D = handle_request(ChannelPid, ChannelId, Type, Data, true, From, D0),
     %% Note reply to channel will happen later when reply is recived from peer on the socket
     start_channel_request_timer(ChannelId, From, Timeout),
     {keep_state, cache_request_idle_timer_check(D)};
 
 handle_event({call,From}, {request, ChannelId, Type, Data, Timeout}, StateName, D0) 
-  when element(1,StateName) == connected ;
-       element(1,StateName) == ext_info ->
+  when ?CONNECTED(StateName) ->
     D = handle_request(ChannelId, Type, Data, true, From, D0),
     %% Note reply to channel will happen later when reply is recived from peer on the socket
     start_channel_request_timer(ChannelId, From, Timeout),
     {keep_state, cache_request_idle_timer_check(D)};
 
 handle_event({call,From}, {data, ChannelId, Type, Data, Timeout}, StateName, D0) 
-  when element(1,StateName) == connected ;
-       element(1,StateName) == ext_info ->
+  when ?CONNECTED(StateName) ->
     {{replies, Replies}, Connection} =
 	ssh_connection:channel_data(ChannelId, Type, Data, D0#data.connection_state, From),
     {Repls,D} = send_replies(Replies, D0#data{connection_state = Connection}),
@@ -1159,8 +1157,7 @@ handle_event({call,From}, {data, ChannelId, Type, Data, Timeout}, StateName, D0)
     {keep_state, D, Repls};
 
 handle_event({call,From}, {eof, ChannelId}, StateName, D0) 
-  when element(1,StateName) == connected ;
-       element(1,StateName) == ext_info ->
+  when ?CONNECTED(StateName) ->
     case ssh_channel:cache_lookup(cache(D0), ChannelId) of
 	#channel{remote_id = Id, sent_close = false} ->
 	    D = send_msg(ssh_connection:channel_eof_msg(Id), D0),
@@ -1172,8 +1169,7 @@ handle_event({call,From}, {eof, ChannelId}, StateName, D0)
 handle_event({call,From},
 	     {open, ChannelPid, Type, InitialWindowSize, MaxPacketSize, Data, Timeout},
 	     StateName,
-	     D0) when element(1,StateName) == connected ;
-                      element(1,StateName) == ext_info ->
+	     D0) when ?CONNECTED(StateName) ->
     erlang:monitor(process, ChannelPid),
     {ChannelId, D1} = new_channel_id(D0),
     D2 = send_msg(ssh_connection:channel_open_msg(Type, ChannelId,
@@ -1194,8 +1190,7 @@ handle_event({call,From},
     {keep_state, cache_cancel_idle_timer(D)};
 
 handle_event({call,From}, {send_window, ChannelId}, StateName, D) 
-  when element(1,StateName) == connected ;
-       element(1,StateName) == ext_info ->
+  when ?CONNECTED(StateName) ->
     Reply = case ssh_channel:cache_lookup(cache(D), ChannelId) of
 		#channel{send_window_size = WinSize,
 			 send_packet_size = Packsize} ->
@@ -1206,8 +1201,7 @@ handle_event({call,From}, {send_window, ChannelId}, StateName, D)
     {keep_state_and_data, [{reply,From,Reply}]};
 
 handle_event({call,From}, {recv_window, ChannelId}, StateName, D) 
-  when element(1,StateName) == connected ;
-       element(1,StateName) == ext_info ->
+  when ?CONNECTED(StateName) ->
     Reply = case ssh_channel:cache_lookup(cache(D), ChannelId) of
 		#channel{recv_window_size = WinSize,
 			 recv_packet_size = Packsize} ->
@@ -1218,8 +1212,7 @@ handle_event({call,From}, {recv_window, ChannelId}, StateName, D)
     {keep_state_and_data, [{reply,From,Reply}]};
 
 handle_event({call,From}, {close, ChannelId}, StateName, D0) 
-  when element(1,StateName) == connected ;
-       element(1,StateName) == ext_info ->
+  when ?CONNECTED(StateName) ->
     case ssh_channel:cache_lookup(cache(D0), ChannelId) of
 	#channel{remote_id = Id} = Channel ->
 	    D1 = send_msg(ssh_connection:channel_close_msg(Id), D0),
-- 
cgit v1.2.3


From 519f89016e7ce755775a88730814fa34af21676c Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Wed, 19 Apr 2017 12:01:26 +0200
Subject: ssh: server-sig-algs, client side

---
 lib/ssh/src/ssh.hrl                    |  2 +-
 lib/ssh/src/ssh_auth.erl               | 85 +++++++++++++++-------------------
 lib/ssh/src/ssh_connection_handler.erl | 23 +++++++--
 lib/ssh/src/ssh_options.erl            | 20 ++------
 4 files changed, 61 insertions(+), 69 deletions(-)

diff --git a/lib/ssh/src/ssh.hrl b/lib/ssh/src/ssh.hrl
index 1a95bb27e7..cf2a359e6c 100644
--- a/lib/ssh/src/ssh.hrl
+++ b/lib/ssh/src/ssh.hrl
@@ -38,7 +38,6 @@
 -define(MAX_RND_PADDING_LEN, 15).
 
 -define(SUPPORTED_AUTH_METHODS, "publickey,keyboard-interactive,password").
--define(SUPPORTED_USER_KEYS, ['ssh-rsa','ssh-dss','ecdsa-sha2-nistp256','ecdsa-sha2-nistp384','ecdsa-sha2-nistp521']).
 
 -define(FALSE, 0).
 -define(TRUE,  1).
@@ -201,6 +200,7 @@
 	  userauth_quiet_mode,              %  boolean()
 	  userauth_methods,                 %  list( string() )  eg ["keyboard-interactive", "password"]
 	  userauth_supported_methods,       %  string() eg "keyboard-interactive,password"
+          userauth_pubkeys,
 	  kb_tries_left = 0,                %  integer(), num tries left for "keyboard-interactive"
 	  userauth_preference,
 	  available_host_keys,
diff --git a/lib/ssh/src/ssh_auth.erl b/lib/ssh/src/ssh_auth.erl
index 51df54341f..aadd1ad6dc 100644
--- a/lib/ssh/src/ssh_auth.erl
+++ b/lib/ssh/src/ssh_auth.erl
@@ -136,34 +136,40 @@ keyboard_interactive_msg([#ssh{user = User,
 	      Ssh)
     end.
 
-publickey_msg([Alg, #ssh{user = User,
+publickey_msg([SigAlg, #ssh{user = User,
 		       session_id = SessionId,
 		       service = Service,
 		       opts = Opts} = Ssh]) ->
-    Hash = ssh_transport:sha(Alg),
+    Hash = ssh_transport:sha(SigAlg),
+    KeyAlg = key_alg(SigAlg),
     {KeyCb,KeyCbOpts} = ?GET_OPT(key_cb, Opts),
     UserOpts = ?GET_OPT(user_options, Opts),
-    case KeyCb:user_key(Alg, [{key_cb_private,KeyCbOpts}|UserOpts]) of
+    case KeyCb:user_key(KeyAlg, [{key_cb_private,KeyCbOpts}|UserOpts]) of
 	{ok, PrivKey} ->
-	    StrAlgo = atom_to_list(Alg),
-            case encode_public_key(StrAlgo, ssh_transport:extract_public_key(PrivKey)) of
-		not_ok ->
-		    {not_ok, Ssh};
+	    SigAlgStr = atom_to_list(SigAlg),
+            try
+                Key = ssh_transport:extract_public_key(PrivKey),
+                public_key:ssh_encode(Key, ssh2_pubkey)
+            of
 		PubKeyBlob ->
-		    SigData = build_sig_data(SessionId, 
-					     User, Service, PubKeyBlob, StrAlgo),
+		    SigData = build_sig_data(SessionId, User, Service,
+                                             PubKeyBlob, SigAlgStr),
 		    Sig = ssh_transport:sign(SigData, Hash, PrivKey),
-		    SigBlob = list_to_binary([?string(StrAlgo), ?binary(Sig)]),
+		    SigBlob = list_to_binary([?string(SigAlgStr),
+                                              ?binary(Sig)]),
 		    ssh_transport:ssh_packet(
 		      #ssh_msg_userauth_request{user = User,
 						service = Service,
 						method = "publickey",
 						data = [?TRUE,
-							?string(StrAlgo),
+							?string(SigAlgStr),
 							?binary(PubKeyBlob),
 							?binary(SigBlob)]},
 		      Ssh)
-	    end;
+            catch
+                _:_ -> 
+		    {not_ok, Ssh}
+            end;
      	_Error ->
 	    {not_ok, Ssh}
     end.
@@ -190,8 +196,7 @@ init_userauth_request_msg(#ssh{opts = Opts} = Ssh) ->
                                         method = "none",
                                         data = <<>>},
               Ssh#ssh{user = User,
-                      userauth_preference = 
-                          method_preference(?GET_OPT(pref_public_key_algs, Opts)),
+                      userauth_preference = method_preference(Ssh#ssh.userauth_pubkeys),
                       userauth_methods = none,
                       service = "ssh-connection"}
              )
@@ -265,8 +270,7 @@ handle_userauth_request(#ssh_msg_userauth_request{user = User,
 			#ssh{opts = Opts,
 			     userauth_supported_methods = Methods} = Ssh) ->
 
-    case pre_verify_sig(User, binary_to_list(BAlg),
-			KeyBlob, Opts) of
+    case pre_verify_sig(User, KeyBlob, Opts) of
 	true ->
 	    {not_authorized, {User, undefined},
 	     ssh_transport:ssh_packet(
@@ -446,10 +450,10 @@ handle_userauth_info_response(#ssh_msg_userauth_info_response{},
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-method_preference(PubKeyAlgs) ->
+method_preference(SigKeyAlgs) ->
     %% PubKeyAlgs: List of user (client) public key algorithms to try to use.
     %% All of the acceptable algorithms is the default values.
-    PubKeyDefs = [{"publickey", ?MODULE, publickey_msg, [A]} || A <- PubKeyAlgs],
+    PubKeyDefs = [{"publickey", ?MODULE, publickey_msg, [A]} || A <- SigKeyAlgs],
     NonPKmethods = [{"password", ?MODULE, password_msg, []},
                     {"keyboard-interactive", ?MODULE, keyboard_interactive_msg, []}
                    ],
@@ -492,9 +496,9 @@ get_password_option(Opts, User) ->
 	false -> ?GET_OPT(password, Opts)
     end.
 	    
-pre_verify_sig(User, Alg, KeyBlob, Opts) ->
+pre_verify_sig(User, KeyBlob, Opts) ->
     try
-	{ok, Key} = decode_public_key_v2(KeyBlob, Alg),
+	Key = public_key:ssh_decode(KeyBlob, ssh2_pubkey), % or exception
         {KeyCb,KeyCbOpts} = ?GET_OPT(key_cb, Opts),
         UserOpts = ?GET_OPT(user_options, Opts),
         KeyCb:is_auth_key(Key, User, [{key_cb_private,KeyCbOpts}|UserOpts])
@@ -505,21 +509,19 @@ pre_verify_sig(User, Alg, KeyBlob, Opts) ->
 
 verify_sig(SessionId, User, Service, Alg, KeyBlob, SigWLen, Opts) ->
     try
-	{ok, Key} = decode_public_key_v2(KeyBlob, Alg),
-
         {KeyCb,KeyCbOpts} = ?GET_OPT(key_cb, Opts),
         UserOpts = ?GET_OPT(user_options, Opts),
-        case KeyCb:is_auth_key(Key, User, [{key_cb_private,KeyCbOpts}|UserOpts]) of
-	    true ->
-		PlainText = build_sig_data(SessionId, User,
-					   Service, KeyBlob, Alg),
-		<<?UINT32(AlgSigLen), AlgSig:AlgSigLen/binary>> = SigWLen,
-		<<?UINT32(AlgLen), _Alg:AlgLen/binary,
-		  ?UINT32(SigLen), Sig:SigLen/binary>> = AlgSig,
-		ssh_transport:verify(PlainText, ssh_transport:sha(list_to_atom(Alg)), Sig, Key);
-	    false ->
-		false
-	end
+        Key0 = public_key:ssh_decode(KeyBlob, ssh2_pubkey), % or exception
+        true = KeyCb:is_auth_key(Key0, User, [{key_cb_private,KeyCbOpts}|UserOpts]),
+        Key0
+    of
+        Key ->
+            PlainText = build_sig_data(SessionId, User, Service,
+                                       KeyBlob, Alg),
+            <<?UINT32(AlgSigLen), AlgSig:AlgSigLen/binary>> = SigWLen,
+            <<?UINT32(AlgLen), _Alg:AlgLen/binary,
+              ?UINT32(SigLen), Sig:SigLen/binary>> = AlgSig,
+            ssh_transport:verify(PlainText, ssh_transport:sha(list_to_atom(Alg)), Sig, Key)
     catch
 	_:_ ->
 	    false
@@ -591,18 +593,7 @@ keyboard_interact_fun(KbdInteractFun, Name, Instr,  PromptInfos, NumPrompts) ->
 				       language = "en"}})
     end.
 
-decode_public_key_v2(Bin, _Type) ->
-    try 
-	public_key:ssh_decode(Bin, ssh2_pubkey)
-    of
-	Key -> {ok, Key}
-    catch
-	_:_ -> {error, bad_format}
-    end.
 
-encode_public_key(_Alg, Key) ->
-    try
-	public_key:ssh_encode(Key, ssh2_pubkey)
-    catch
-	_:_ -> not_ok
-    end.
+key_alg('rsa-sha2-256') -> 'ssh-rsa';
+key_alg('rsa-sha2-512') -> 'ssh-rsa';
+key_alg(Alg) -> Alg.
diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl
index 128a9175f5..ac1b792f32 100644
--- a/lib/ssh/src/ssh_connection_handler.erl
+++ b/lib/ssh/src/ssh_connection_handler.erl
@@ -464,6 +464,7 @@ init_ssh_record(Role, _Socket, PeerAddr, Opts) ->
 			       true ->  ssh_io;
 			       false -> ssh_no_io
 			   end,
+                   userauth_pubkeys = ?GET_OPT(pref_public_key_algs, Opts),
 		   userauth_quiet_mode = ?GET_OPT(quiet_mode, Opts),
 		   peer = {PeerName, PeerAddr}
 		  };
@@ -711,7 +712,7 @@ handle_event(internal, Msg, {ext_info,Role,init}, D) when is_tuple(Msg) ->
     %% If something else arrives, goto next state and handle the event in that one
     {next_state, {service_request,Role}, D, [postpone]};
 
-handle_event(internal, Msg, {ext_info,Role,renegotiate}, D) when is_tuple(Msg) ->
+handle_event(internal, Msg, {ext_info,Role,_ReNegFlag}, D) when is_tuple(Msg) ->
     %% If something else arrives, goto next state and handle the event in that one
     {next_state, {connected,Role}, D, [postpone]};
 
@@ -1131,6 +1132,7 @@ handle_event({call,From}, stop, StateName, D0) ->
     {Repls,D} = send_replies(Replies, D0),
     {stop_and_reply, normal, [{reply,From,ok}|Repls], D#data{connection_state=Connection}};
 
+
 handle_event({call,_}, _, StateName, _) when not ?CONNECTED(StateName) ->
     {keep_state_and_data, [postpone]};
 
@@ -1380,12 +1382,16 @@ handle_event(info, UnexpectedMessage, StateName, D = #data{ssh_params = Ssh}) ->
 handle_event(internal, {disconnect,Msg,_Reason}, StateName, D) ->
     disconnect(Msg, StateName, D);
 
+handle_event(_Type, _Msg, {ext_info,Role,_ReNegFlag}, D) ->
+    %% If something else arrives, goto next state and handle the event in that one
+    {next_state, {connected,Role}, D, [postpone]};
+
 handle_event(Type, Ev, StateName, D) ->
     Descr =
 	case catch atom_to_list(element(1,Ev)) of
 	    "ssh_msg_" ++_ when Type==internal ->
 %%		"Message in wrong state";
-lists:flatten(io_lib:format("Message ~p in wrong state (~p)", [element(1,Ev), StateName]));
+                lists:flatten(io_lib:format("Message ~p in wrong state (~p)", [element(1,Ev), StateName]));
 	    _ ->
 		"Internal error"
 	end,
@@ -1689,11 +1695,20 @@ cache(#data{connection_state=C}) -> C#connection.channel_cache.
 handle_ssh_msg_ext_info(#ssh_msg_ext_info{}, D=#data{ssh_params = #ssh{recv_ext_info=false}} ) ->
     % The peer sent this although we didn't allow it!
     D;
+
 handle_ssh_msg_ext_info(#ssh_msg_ext_info{data=Data}, D0) ->
     lists:foldl(fun ext_info/2, D0, Data).
 
-%% ext_info({ExtName,ExtValue}, D0) ->
-%%     D0;
+
+ext_info({"server-sig-algs",SigAlgs}, D0 = #data{ssh_params=#ssh{role=client}=Ssh0}) ->
+    %% Make strings to eliminate risk of beeing bombed with odd strings that fills the atom table:
+    SupportedAlgs = lists:map(fun erlang:atom_to_list/1, ssh_transport:supported_algorithms(public_key)),
+    Ssh = Ssh0#ssh{userauth_pubkeys = 
+                       [list_to_atom(SigAlg) || SigAlg <- string:tokens(SigAlgs,","),
+                                                lists:member(SigAlg, SupportedAlgs)
+                       ]},
+    D0#data{ssh_params = Ssh};
+
 ext_info(_, D0) ->
     %% Not implemented
     D0.
diff --git a/lib/ssh/src/ssh_options.erl b/lib/ssh/src/ssh_options.erl
index 6e898b4fde..0886d5b34d 100644
--- a/lib/ssh/src/ssh_options.erl
+++ b/lib/ssh/src/ssh_options.erl
@@ -437,9 +437,7 @@ default(client) ->
 
       {pref_public_key_algs, def} =>
           #{default => 
-                %% Get dynamically supported keys in the order of the ?SUPPORTED_USER_KEYS
-                [A || A <- ?SUPPORTED_USER_KEYS,
-                      lists:member(A, ssh_transport:supported_algorithms(public_key))],
+                ssh_transport:supported_algorithms(public_key),
             chk => 
                 fun check_pref_public_key_algs/1,
             class =>
@@ -670,20 +668,8 @@ check_pref_public_key_algs(V) ->
     PKs = ssh_transport:supported_algorithms(public_key),
     CHK = fun(A, Ack) ->
                   case lists:member(A, PKs) of
-                      true ->
-                          [A|Ack];
-                      false -> 
-                          %% Check with the documented options, that is,
-                          %% the one we can handle
-                          case lists:member(A,?SUPPORTED_USER_KEYS) of
-                              false ->
-                                  %% An algorithm ssh never can handle
-                                  error_in_check(A, "Not supported public key");
-                              true ->
-                                  %% An algorithm ssh can handle, but not in
-                                  %% this very call
-                                  Ack
-                          end
+                      true ->  [A|Ack];
+                      false -> error_in_check(A, "Not supported public key")
                   end
           end,
     case lists:foldr(
-- 
cgit v1.2.3


From a053401a7a7142d4d2a068b2945ef91cb7957f89 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Wed, 19 Apr 2017 14:04:05 +0200
Subject: ssh: server-sig-algs, server side

---
 lib/ssh/src/ssh_transport.erl | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index d623d24529..3c2c345261 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -710,12 +710,12 @@ kex_ext_info(Role, Opts) ->
     end.
     
 ext_info_message(#ssh{role=client,
-                      algorithms=#alg{send_ext_info=true}} = Ssh0) ->
-    %% FIXME: no extensions implemented for clients
+                      send_ext_info=true} = Ssh0) ->
+    %% FIXME: no extensions implemented
     {ok, "", Ssh0};
 
 ext_info_message(#ssh{role=server,
-                      algorithms=#alg{send_ext_info=true}} = Ssh0) ->
+                      send_ext_info=true} = Ssh0) ->
     AlgsList = lists:map(fun erlang:atom_to_list/1,
                          ssh_transport:default_algorithms(public_key)),
     Msg = #ssh_msg_ext_info{nr_extensions = 1,
@@ -729,10 +729,8 @@ ext_info_message(Ssh0) ->
 
 %%%----------------------------------------------------------------
 %% select session id
-sid(#ssh{session_id = undefined}, H) -> 
-    H;
-sid(#ssh{session_id = Id}, _) -> 
-    Id.
+sid(#ssh{session_id = undefined}, H) ->  H;
+sid(#ssh{session_id = Id},        _) -> Id.
 
 %%
 %% The host key should be read from storage
-- 
cgit v1.2.3


From 2e55f44545504aa1ba109e072e6833f5c045b58f Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Wed, 19 Apr 2017 14:10:29 +0200
Subject: ssh: Implement signature algorithms rsa-sha2-*.
 draft-ietf-curdle-rsa-sha2

---
 lib/public_key/src/pubkey_ssh.erl      |  39 ++++---
 lib/public_key/src/public_key.erl      |   1 +
 lib/ssh/src/ssh_connection_handler.erl |  53 +++++----
 lib/ssh/src/ssh_file.erl               |  24 ++--
 lib/ssh/src/ssh_message.erl            |  19 ++-
 lib/ssh/src/ssh_transport.erl          | 205 ++++++++++++++++++---------------
 6 files changed, 188 insertions(+), 153 deletions(-)

diff --git a/lib/public_key/src/pubkey_ssh.erl b/lib/public_key/src/pubkey_ssh.erl
index 90726b1eb3..816d7b3336 100644
--- a/lib/public_key/src/pubkey_ssh.erl
+++ b/lib/public_key/src/pubkey_ssh.erl
@@ -44,11 +44,6 @@
 %%====================================================================
 
 %%--------------------------------------------------------------------
--spec decode(binary(), public_key | public_key:ssh_file()) -> 
-		    [{public_key:public_key(), Attributes::list()}]
-	  ; (binary(), ssh2_pubkey) ->  public_key:public_key()
-	  .
-%%
 %% Description: Decodes a ssh file-binary.
 %%--------------------------------------------------------------------
 decode(Bin, public_key)->
@@ -66,11 +61,6 @@ decode(Bin, Type) ->
     openssh_decode(Bin, Type).
 
 %%--------------------------------------------------------------------
--spec encode([{public_key:public_key(), Attributes::list()}], public_key:ssh_file()) ->
-		    binary()
-	  ; (public_key:public_key(), ssh2_pubkey) -> binary()
-	  .
-%%
 %% Description: Encodes a list of ssh file entries.
 %%--------------------------------------------------------------------
 encode(Bin, ssh2_pubkey) ->
@@ -81,10 +71,6 @@ encode(Entries, Type) ->
 				      end, Entries)).
 
 %%--------------------------------------------------------------------
--spec dh_gex_group(integer(), integer(), integer(), 
-		   undefined | [{integer(),[{integer(),integer()}]}]) ->
-			  {ok,{integer(),{integer(),integer()}}} | {error,any()} .
-%%
 %% Description: Returns Generator and Modulus given MinSize, WantedSize
 %%              and MaxSize
 %%--------------------------------------------------------------------
@@ -421,14 +407,21 @@ comma_list_encode([Option | Rest], []) ->
 comma_list_encode([Option | Rest], Acc) ->
     comma_list_encode(Rest, Acc ++ "," ++ Option).
 
+
+%% An experimental fix adding the signature algorithm name as the last element in a tuple...
+
 ssh2_pubkey_encode(#'RSAPublicKey'{modulus = N, publicExponent = E}) ->
-    TypeStr = <<"ssh-rsa">>,
-    StrLen = size(TypeStr),
+    ssh2_pubkey_encode({#'RSAPublicKey'{modulus = N, publicExponent = E}, 'ssh-rsa'});
+ssh2_pubkey_encode({#'RSAPublicKey'{modulus = N, publicExponent = E}, SignAlg}) ->
+    SignAlgName = list_to_binary(atom_to_list(SignAlg)),
+    StrLen = size(SignAlgName),
     EBin = mpint(E),
     NBin = mpint(N),
-    <<?UINT32(StrLen), TypeStr:StrLen/binary,
+    <<?UINT32(StrLen), SignAlgName:StrLen/binary,
       EBin/binary,
       NBin/binary>>;
+ssh2_pubkey_encode({{_,#'Dss-Parms'{}}=Key, _}) ->
+    ssh2_pubkey_encode(Key);
 ssh2_pubkey_encode({Y,  #'Dss-Parms'{p = P, q = Q, g = G}}) ->
     TypeStr = <<"ssh-dss">>,
     StrLen = size(TypeStr),
@@ -441,6 +434,8 @@ ssh2_pubkey_encode({Y,  #'Dss-Parms'{p = P, q = Q, g = G}}) ->
       QBin/binary,
       GBin/binary,
       YBin/binary>>;
+ssh2_pubkey_encode({{#'ECPoint'{},_}=Key, _}) ->
+    ssh2_pubkey_encode(Key);
 ssh2_pubkey_encode(Key={#'ECPoint'{point = Q}, {namedCurve,OID}}) ->
     TypeStr = key_type(Key),
     StrLen = size(TypeStr),
@@ -453,10 +448,16 @@ ssh2_pubkey_encode(Key={#'ECPoint'{point = Q}, {namedCurve,OID}}) ->
 ssh2_pubkey_decode(Bin = <<?UINT32(Len), Type:Len/binary, _/binary>>) ->
     ssh2_pubkey_decode(Type, Bin).
 
-ssh2_pubkey_decode(<<"ssh-rsa">>,
+%% An experimental fix with the Signature Algorithm Name
+ssh2_pubkey_decode(SignAlgName,
 		   <<?UINT32(Len),   _:Len/binary,
 		     ?UINT32(SizeE), E:SizeE/binary,
-		     ?UINT32(SizeN), N:SizeN/binary>>) ->
+		     ?UINT32(SizeN), N:SizeN/binary>>)
+  when SignAlgName == <<"ssh-rsa">> ;
+       SignAlgName == <<"rsa-sha2-256">> ;
+       SignAlgName == <<"rsa-sha2-384">> ;
+       SignAlgName == <<"rsa-sha2-512">> 
+       ->
     #'RSAPublicKey'{modulus = erlint(SizeN, N),
 		    publicExponent = erlint(SizeE, E)};
 
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 7b5819fa84..0894e1860b 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -900,6 +900,7 @@ ssh_decode(SshBin, Type) when is_binary(SshBin),
 %%--------------------------------------------------------------------
 -spec ssh_encode([{public_key(), Attributes::list()}], ssh_file()) -> binary()
 	      ; (public_key(), ssh2_pubkey) -> binary()
+	      ; ({public_key(),atom()}, ssh2_pubkey) -> binary()
 	      .
 %%
 %% Description: Encodes a list of ssh file entries (public keys and
diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl
index ac1b792f32..220b05e6b0 100644
--- a/lib/ssh/src/ssh_connection_handler.erl
+++ b/lib/ssh/src/ssh_connection_handler.erl
@@ -490,20 +490,32 @@ init_ssh_record(Role, _Socket, PeerAddr, Opts) ->
 -type renegotiate_flag() :: init | renegotiate.
 
 -type state_name() :: 
-        {hello, role()}
-      | {kexinit, role(), renegotiate_flag()}
-      | {key_exchange, role(), renegotiate_flag()}
-      | {key_exchange_dh_gex_init, server, renegotiate_flag()}
+        {hello,                     role()                    }
+      | {kexinit,                   role(), renegotiate_flag()}
+      | {key_exchange,              role(), renegotiate_flag()}
+      | {key_exchange_dh_gex_init,  server, renegotiate_flag()}
       | {key_exchange_dh_gex_reply, client, renegotiate_flag()}
-      | {new_keys, role()}
-      | {ext_info, role(), renegotiate_flag()}
-      | {service_request, role()}
-      | {userauth, role()}
-      | {userauth_keyboard_interactive, role()}
-      | {connected, role()}
+      | {new_keys,                  role(), renegotiate_flag()}
+      | {ext_info,                  role(), renegotiate_flag()}
+      | {service_request,           role()                    }
+      | {userauth,                  role()                    }
+      | {userauth_keyboard_interactive,       role()          }
+      | {userauth_keyboard_interactive_extra, server          }
+      | {userauth_keyboard_interactive_info_response, client  }
+      | {connected,                 role()                    }
 	.
 
--type handle_event_result() :: gen_statem:handle_event_result().
+%% The state names must fulfill some rules regarding
+%% where the role() and the renegotiate_flag() is placed:
+
+-spec role(state_name()) -> role().
+role({_,Role}) -> Role;
+role({_,Role,_}) -> Role.
+
+-spec renegotiation(state_name()) -> boolean().
+renegotiation({_,_,ReNeg}) -> ReNeg == renegotiation;
+renegotiation(_) -> false.
+
 
 -define(CONNECTED(StateName), 
         (element(1,StateName) == connected orelse
@@ -513,7 +525,7 @@ init_ssh_record(Role, _Socket, PeerAddr, Opts) ->
 		   event_content(),
 		   state_name(),
 		   #data{}
-		  ) -> handle_event_result().
+		  ) -> gen_statem:event_handler_result(state_name()) .
 		   
 %% . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 
@@ -1530,16 +1542,6 @@ finalize_termination(_StateName, #data{transport_cb = Transport,
 peer_role(client) -> server;
 peer_role(server) -> client.
 
-%%--------------------------------------------------------------------
-%% StateName to Role
-role({_,Role}) -> Role;
-role({_,Role,_}) -> Role.
-
-%%--------------------------------------------------------------------
-%% Check the StateName to see if we are in the renegotiation phase
-renegotiation({_,_,ReNeg}) -> ReNeg == renegotiation;
-renegotiation(_) -> false.
-
 %%--------------------------------------------------------------------
 supported_host_keys(client, _, Options) ->
     try
@@ -1576,8 +1578,11 @@ find_sup_hkeys(Options) ->
 %% Alg :: atom()
 available_host_key({KeyCb,KeyCbOpts}, Alg, Opts) ->
     UserOpts = ?GET_OPT(user_options, Opts),
-    element(1,
-            catch KeyCb:host_key(Alg, [{key_cb_private,KeyCbOpts}|UserOpts])) == ok.
+    case KeyCb:host_key(Alg, [{key_cb_private,KeyCbOpts}|UserOpts]) of
+        {ok,_} -> true;
+        _ -> false
+    end.
+
 
 send_msg(Msg, State=#data{ssh_params=Ssh0}) when is_tuple(Msg) ->
     {Bytes, Ssh} = ssh_transport:ssh_packet(Msg, Ssh0),
diff --git a/lib/ssh/src/ssh_file.erl b/lib/ssh/src/ssh_file.erl
index 88f4d10792..4498c70d34 100644
--- a/lib/ssh/src/ssh_file.erl
+++ b/lib/ssh/src/ssh_file.erl
@@ -75,17 +75,12 @@ host_key(Algorithm, Opts) ->
     Password = proplists:get_value(identity_pass_phrase(Algorithm), Opts, ignore),
     case decode(File, Password) of
 	{ok,Key} ->
-	    case {Key,Algorithm} of
-		{#'RSAPrivateKey'{}, 'ssh-rsa'} -> {ok,Key};
-		{#'DSAPrivateKey'{}, 'ssh-dss'} -> {ok,Key};
-		{#'ECPrivateKey'{parameters = {namedCurve, ?'secp256r1'}}, 'ecdsa-sha2-nistp256'} -> {ok,Key};
-		{#'ECPrivateKey'{parameters = {namedCurve, ?'secp384r1'}}, 'ecdsa-sha2-nistp384'} -> {ok,Key};
-		{#'ECPrivateKey'{parameters = {namedCurve, ?'secp521r1'}}, 'ecdsa-sha2-nistp521'} -> {ok,Key};
-		_ -> 
-		    {error,bad_keytype_in_file}
+	    case ssh_transport:valid_key_sha_alg(Key,Algorithm) of
+                true -> {ok,Key};
+                false -> {error,bad_keytype_in_file}
 	    end;
-	Other ->
-	    Other
+	{error,DecodeError} ->
+            {error,DecodeError}
     end.
 
 is_auth_key(Key, User,Opts) ->
@@ -115,6 +110,9 @@ user_key(Algorithm, Opts) ->
 %% Internal functions %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
 file_base_name('ssh-rsa'            ) -> "ssh_host_rsa_key";
+file_base_name('rsa-sha2-256'       ) -> "ssh_host_rsa_key";
+file_base_name('rsa-sha2-384'       ) -> "ssh_host_rsa_key";
+file_base_name('rsa-sha2-512'       ) -> "ssh_host_rsa_key";
 file_base_name('ssh-dss'            ) -> "ssh_host_dsa_key";
 file_base_name('ecdsa-sha2-nistp256') -> "ssh_host_ecdsa_key";
 file_base_name('ecdsa-sha2-nistp384') -> "ssh_host_ecdsa_key";
@@ -253,12 +251,18 @@ do_lookup_host_key(KeyToMatch, Host, Alg, Opts) ->
 
 identity_key_filename('ssh-dss'            ) -> "id_dsa";
 identity_key_filename('ssh-rsa'            ) -> "id_rsa";
+identity_key_filename('rsa-sha2-256'       ) -> "id_rsa";
+identity_key_filename('rsa-sha2-384'       ) -> "id_rsa";
+identity_key_filename('rsa-sha2-512'       ) -> "id_rsa";
 identity_key_filename('ecdsa-sha2-nistp256') -> "id_ecdsa";
 identity_key_filename('ecdsa-sha2-nistp384') -> "id_ecdsa";
 identity_key_filename('ecdsa-sha2-nistp521') -> "id_ecdsa".
 
 identity_pass_phrase("ssh-dss"       ) -> dsa_pass_phrase;
 identity_pass_phrase("ssh-rsa"       ) -> rsa_pass_phrase;
+identity_pass_phrase("rsa-sha2-256"  ) -> rsa_pass_phrase;
+identity_pass_phrase("rsa-sha2-384"  ) -> rsa_pass_phrase;
+identity_pass_phrase("rsa-sha2-512"  ) -> rsa_pass_phrase;
 identity_pass_phrase("ecdsa-sha2-"++_) -> ecdsa_pass_phrase;
 identity_pass_phrase(P) when is_atom(P) -> 
     identity_pass_phrase(atom_to_list(P)).
diff --git a/lib/ssh/src/ssh_message.erl b/lib/ssh/src/ssh_message.erl
index 56f678876c..21c0eabcd3 100644
--- a/lib/ssh/src/ssh_message.erl
+++ b/lib/ssh/src/ssh_message.erl
@@ -602,11 +602,22 @@ decode_signature(<<?DEC_BIN(_Alg,__0), ?UINT32(_), Signature/binary>>) ->
     Signature.
 
 
-encode_signature(#'RSAPublicKey'{}, Signature) ->
-    <<?Ebinary(<<"ssh-rsa">>), ?Ebinary(Signature)>>;
-encode_signature({_, #'Dss-Parms'{}}, Signature) ->
+encode_signature({#'RSAPublicKey'{},Sign}, Signature) ->
+    SignName = list_to_binary(atom_to_list(Sign)),
+    <<?Ebinary(SignName), ?Ebinary(Signature)>>;
+encode_signature({{_, #'Dss-Parms'{}},_}, Signature) ->
     <<?Ebinary(<<"ssh-dss">>), ?Ebinary(Signature)>>;
-encode_signature({#'ECPoint'{}, {namedCurve,OID}}, Signature) ->
+encode_signature({{#'ECPoint'{}, {namedCurve,OID}},_}, Signature) ->
     CurveName = public_key:oid2ssh_curvename(OID),
     <<?Ebinary(<<"ecdsa-sha2-",CurveName/binary>>), ?Ebinary(Signature)>>.
 
+%% encode_signature(#'RSAPublicKey'{}, Signature) ->
+%%     SignName = <<"ssh-rsa">>,
+%%     <<?Ebinary(SignName), ?Ebinary(Signature)>>;
+%% encode_signature({_, #'Dss-Parms'{}}, Signature) ->
+%%     <<?Ebinary(<<"ssh-dss">>), ?Ebinary(Signature)>>;
+%% encode_signature({#'ECPoint'{}, {namedCurve,OID}}, Signature) ->
+%%     CurveName = public_key:oid2ssh_curvename(OID),
+%%     <<?Ebinary(<<"ecdsa-sha2-",CurveName/binary>>), ?Ebinary(Signature)>>.
+
+
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index 3c2c345261..3cf1e60634 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -48,6 +48,7 @@
          parallell_gen_key/1,
 	 extract_public_key/1,
 	 ssh_packet/2, pack/2,
+         valid_key_sha_alg/2,
 	 sha/1, sign/3, verify/4]).
 
 %%% For test suites
@@ -117,6 +118,9 @@ supported_algorithms(public_key) ->
        {'ecdsa-sha2-nistp384',  [{public_keys,ecdsa}, {hashs,sha384}, {ec_curve,secp384r1}]},
        {'ecdsa-sha2-nistp521',  [{public_keys,ecdsa}, {hashs,sha512}, {ec_curve,secp521r1}]},
        {'ecdsa-sha2-nistp256',  [{public_keys,ecdsa}, {hashs,sha256}, {ec_curve,secp256r1}]},
+       {'rsa-sha2-256',         [{public_keys,rsa},   {hashs,sha256}                      ]},
+       {'rsa-sha2-384',         [{public_keys,rsa},   {hashs,sha384}                      ]},
+       {'rsa-sha2-512',         [{public_keys,rsa},   {hashs,sha512}                      ]},
        {'ssh-rsa',              [{public_keys,rsa},   {hashs,sha}                         ]},
        {'ssh-dss',              [{public_keys,dss},   {hashs,sha}                         ]} % Gone in OpenSSH 7.3.p1
       ]);
@@ -377,7 +381,8 @@ key_exchange_first_msg(Kex, Ssh0) when Kex == 'ecdh-sha2-nistp256' ;
 %%% diffie-hellman-group18-sha512
 %%% 
 handle_kexdh_init(#ssh_msg_kexdh_init{e = E}, 
-		  Ssh0 = #ssh{algorithms = #alg{kex=Kex} = Algs}) ->
+		  Ssh0 = #ssh{algorithms = #alg{kex=Kex,
+                                                hkey=SignAlg} = Algs}) ->
     %% server
     {G, P} = dh_group(Kex),
     if
@@ -385,12 +390,12 @@ handle_kexdh_init(#ssh_msg_kexdh_init{e = E},
             Sz = dh_bits(Algs),
 	    {Public, Private} = generate_key(dh, [P,G,2*Sz]),
 	    K = compute_key(dh, E, Private, [P,G]),
-	    MyPrivHostKey = get_host_key(Ssh0),
+	    MyPrivHostKey = get_host_key(Ssh0, SignAlg),
 	    MyPubHostKey = extract_public_key(MyPrivHostKey),
-	    H = kex_h(Ssh0, MyPubHostKey, E, Public, K),
-	    H_SIG = sign_host_key(Ssh0, MyPrivHostKey, H),
+            H = kex_hash(Ssh0, MyPubHostKey, SignAlg, sha(Kex), {E,Public,K}),
+            H_SIG = sign(H, sha(SignAlg), MyPrivHostKey),
 	    {SshPacket, Ssh1} = 
-		ssh_packet(#ssh_msg_kexdh_reply{public_host_key = MyPubHostKey,
+		ssh_packet(#ssh_msg_kexdh_reply{public_host_key = {MyPubHostKey,SignAlg},
 						f = Public,
 						h_sig = H_SIG
 					       }, Ssh0),
@@ -411,13 +416,14 @@ handle_kexdh_init(#ssh_msg_kexdh_init{e = E},
 handle_kexdh_reply(#ssh_msg_kexdh_reply{public_host_key = PeerPubHostKey,
 					f = F,
 					h_sig = H_SIG}, 
-		   #ssh{keyex_key = {{Private, Public}, {G, P}}} = Ssh0) ->
+		   #ssh{keyex_key = {{Private, Public}, {G, P}},
+                        algorithms = #alg{kex=Kex,
+                                          hkey=SignAlg}} = Ssh0) ->
     %% client
     if 
 	1=<F, F=<(P-1)->
 	    K = compute_key(dh, F, Private, [P,G]),
-	    H = kex_h(Ssh0, PeerPubHostKey, Public, F, K),
-
+            H = kex_hash(Ssh0, PeerPubHostKey, SignAlg, sha(Kex), {Public,F,K}),
 	    case verify_host_key(Ssh0, PeerPubHostKey, H, H_SIG) of
 		ok ->
 		    {SshPacket, Ssh} = ssh_packet(#ssh_msg_newkeys{}, Ssh0),
@@ -493,7 +499,7 @@ handle_kex_dh_gex_request(#ssh_msg_kex_dh_gex_request_old{n = NBits},
 		ssh_packet(#ssh_msg_kex_dh_gex_group{p = P, g = G}, Ssh0),
 	    {ok, SshPacket, 
 	     Ssh#ssh{keyex_key = {x, {G, P}},
-		     keyex_info = {-1, -1, NBits} % flag for kex_h hash calc
+		     keyex_info = {-1, -1, NBits} % flag for kex_hash calc
 		    }};
 	{error,_} ->
 	    ssh_connection_handler:disconnect(
@@ -539,20 +545,21 @@ handle_kex_dh_gex_group(#ssh_msg_kex_dh_gex_group{p = P, g = G}, Ssh0) ->
 
 handle_kex_dh_gex_init(#ssh_msg_kex_dh_gex_init{e = E}, 
 		       #ssh{keyex_key = {{Private, Public}, {G, P}},
-			    keyex_info = {Min, Max, NBits}} = 
-			   Ssh0) ->
+			    keyex_info = {Min, Max, NBits},
+                            algorithms = #alg{kex=Kex,
+                                              hkey=SignAlg}} = Ssh0) ->
     %% server
     if
 	1=<E, E=<(P-1) ->
 	    K = compute_key(dh, E, Private, [P,G]),
 	    if
 		1<K, K<(P-1) ->
-		    MyPrivHostKey = get_host_key(Ssh0),
+		    MyPrivHostKey = get_host_key(Ssh0, SignAlg),
 		    MyPubHostKey = extract_public_key(MyPrivHostKey),
-		    H = kex_h(Ssh0, MyPubHostKey, Min, NBits, Max, P, G, E, Public, K),
-		    H_SIG = sign_host_key(Ssh0, MyPrivHostKey, H),
+                    H = kex_hash(Ssh0, MyPubHostKey, SignAlg, sha(Kex), {Min,NBits,Max,P,G,E,Public,K}),
+                    H_SIG = sign(H, sha(SignAlg), MyPrivHostKey),
 		    {SshPacket, Ssh} = 
-			ssh_packet(#ssh_msg_kex_dh_gex_reply{public_host_key = MyPubHostKey,
+			ssh_packet(#ssh_msg_kex_dh_gex_reply{public_host_key = {MyPubHostKey,SignAlg},
 							     f = Public,
 							     h_sig = H_SIG}, Ssh0),
 		    {ok, SshPacket, Ssh#ssh{shared_secret = ssh_bits:mpint(K),
@@ -578,7 +585,9 @@ handle_kex_dh_gex_reply(#ssh_msg_kex_dh_gex_reply{public_host_key = PeerPubHostK
 						  f = F,
 						  h_sig = H_SIG},
 			#ssh{keyex_key = {{Private, Public}, {G, P}},
-			     keyex_info = {Min, Max, NBits}} = 
+			     keyex_info = {Min, Max, NBits},
+                             algorithms = #alg{kex=Kex,
+                                               hkey=SignAlg}} = 
 			    Ssh0) ->
     %% client
     if 
@@ -586,8 +595,7 @@ handle_kex_dh_gex_reply(#ssh_msg_kex_dh_gex_reply{public_host_key = PeerPubHostK
 	    K = compute_key(dh, F, Private, [P,G]),
 	    if
 		1<K, K<(P-1) ->
-		    H = kex_h(Ssh0, PeerPubHostKey, Min, NBits, Max, P, G, Public, F, K),
-
+                    H = kex_hash(Ssh0, PeerPubHostKey, SignAlg, sha(Kex), {Min,NBits,Max,P,G,Public,F,K}),
 		    case verify_host_key(Ssh0, PeerPubHostKey, H, H_SIG) of
 			ok ->
 			    {SshPacket, Ssh} = ssh_packet(#ssh_msg_newkeys{}, Ssh0),
@@ -623,7 +631,8 @@ handle_kex_dh_gex_reply(#ssh_msg_kex_dh_gex_reply{public_host_key = PeerPubHostK
 %%% diffie-hellman-ecdh-sha2-*
 %%% 
 handle_kex_ecdh_init(#ssh_msg_kex_ecdh_init{q_c = PeerPublic},
-		     Ssh0 = #ssh{algorithms = #alg{kex=Kex}}) ->
+		     Ssh0 = #ssh{algorithms = #alg{kex=Kex,
+                                                   hkey=SignAlg}}) ->
     %% at server
     Curve = ecdh_curve(Kex),
     {MyPublic, MyPrivate} = generate_key(ecdh, Curve),
@@ -631,12 +640,12 @@ handle_kex_ecdh_init(#ssh_msg_kex_ecdh_init{q_c = PeerPublic},
 	compute_key(ecdh, PeerPublic, MyPrivate, Curve)
     of
 	K ->
-	    MyPrivHostKey = get_host_key(Ssh0),
+	    MyPrivHostKey = get_host_key(Ssh0, SignAlg),
 	    MyPubHostKey = extract_public_key(MyPrivHostKey),
-	    H = kex_h(Ssh0, Curve, MyPubHostKey, PeerPublic, MyPublic, K),
-	    H_SIG = sign_host_key(Ssh0, MyPrivHostKey, H),
+            H = kex_hash(Ssh0, MyPubHostKey, SignAlg, sha(Curve), {PeerPublic, MyPublic, K}),
+            H_SIG = sign(H, sha(SignAlg), MyPrivHostKey),
 	    {SshPacket, Ssh1} = 
-		ssh_packet(#ssh_msg_kex_ecdh_reply{public_host_key = MyPubHostKey,
+		ssh_packet(#ssh_msg_kex_ecdh_reply{public_host_key = {MyPubHostKey,SignAlg},
 						   q_s = MyPublic,
 						   h_sig = H_SIG},
 			   Ssh0),
@@ -656,14 +665,15 @@ handle_kex_ecdh_init(#ssh_msg_kex_ecdh_init{q_c = PeerPublic},
 handle_kex_ecdh_reply(#ssh_msg_kex_ecdh_reply{public_host_key = PeerPubHostKey,
 					      q_s = PeerPublic,
 					      h_sig = H_SIG},
-		      #ssh{keyex_key = {{MyPublic,MyPrivate}, Curve}} = Ssh0
+		      #ssh{keyex_key = {{MyPublic,MyPrivate}, Curve},
+                           algorithms = #alg{hkey=SignAlg}} = Ssh0
 		     ) ->
     %% at client
     try
 	compute_key(ecdh, PeerPublic, MyPrivate, Curve)
     of
 	K ->
-	    H = kex_h(Ssh0, Curve, PeerPubHostKey, MyPublic, PeerPublic, K), 
+            H = kex_hash(Ssh0, PeerPubHostKey,  SignAlg, sha(Curve), {MyPublic,PeerPublic,K}),
 	    case verify_host_key(Ssh0, PeerPubHostKey, H, H_SIG) of
 		ok ->
 		    {SshPacket, Ssh} = ssh_packet(#ssh_msg_newkeys{}, Ssh0),
@@ -735,25 +745,14 @@ sid(#ssh{session_id = Id},        _) -> Id.
 %%
 %% The host key should be read from storage
 %%
-get_host_key(SSH) ->
-    #ssh{key_cb = {KeyCb,KeyCbOpts}, opts = Opts, algorithms = ALG} = SSH,
+get_host_key(SSH, SignAlg) ->
+    #ssh{key_cb = {KeyCb,KeyCbOpts}, opts = Opts} = SSH,
     UserOpts = ?GET_OPT(user_options, Opts),
-    case KeyCb:host_key(ALG#alg.hkey, [{key_cb_private,KeyCbOpts}|UserOpts]) of
-	{ok, #'RSAPrivateKey'{} = Key} ->  Key;
-	{ok, #'DSAPrivateKey'{} = Key} ->  Key;
-	{ok, #'ECPrivateKey'{}  = Key} ->  Key;
-	Result ->
-	    exit({error, {Result, unsupported_key_type}})
+    case KeyCb:host_key(SignAlg, [{key_cb_private,KeyCbOpts}|UserOpts]) of
+	{ok, PrivHostKey} ->  PrivHostKey;
+	Result -> exit({error, {Result, unsupported_key_type}})
     end.
 
-sign_host_key(_Ssh, PrivateKey, H) ->
-     sign(H, sign_host_key_sha(PrivateKey), PrivateKey).
-
-sign_host_key_sha(#'ECPrivateKey'{parameters = {namedCurve,OID}}) -> sha(OID);
-sign_host_key_sha(#'RSAPrivateKey'{}) -> sha;
-sign_host_key_sha(#'DSAPrivateKey'{}) -> sha.
-
-
 extract_public_key(#'RSAPrivateKey'{modulus = N, publicExponent = E}) ->
     #'RSAPublicKey'{modulus = N, publicExponent = E};
 extract_public_key(#'DSAPrivateKey'{y = Y, p = P, q = Q, g = G}) ->
@@ -763,8 +762,8 @@ extract_public_key(#'ECPrivateKey'{parameters = {namedCurve,OID},
     {#'ECPoint'{point=Q}, {namedCurve,OID}}.
 
 
-verify_host_key(SSH, PublicKey, Digest, Signature) ->
-    case verify(Digest, host_key_sha(PublicKey), Signature, PublicKey) of
+verify_host_key(#ssh{algorithms=Alg}=SSH, PublicKey, Digest, Signature) ->
+    case verify(Digest, sha(Alg#alg.hkey), Signature, PublicKey) of
 	false ->
 	    {error, bad_signature};
 	true ->
@@ -772,16 +771,6 @@ verify_host_key(SSH, PublicKey, Digest, Signature) ->
     end.
 
 
-host_key_sha(#'RSAPublicKey'{})    -> sha;
-host_key_sha({_, #'Dss-Parms'{}})  -> sha;
-host_key_sha({#'ECPoint'{},{namedCurve,OID}}) -> sha(OID).
-
-public_algo(#'RSAPublicKey'{}) ->   'ssh-rsa';
-public_algo({_, #'Dss-Parms'{}}) -> 'ssh-dss';
-public_algo({#'ECPoint'{},{namedCurve,OID}}) -> 
-    Curve = public_key:oid2ssh_curvename(OID),
-    list_to_atom("ecdsa-sha2-" ++ binary_to_list(Curve)).
-
 
 accepted_host(Ssh, PeerName, Public, Opts) ->
     case ?GET_OPT(silently_accept_hosts, Opts) of
@@ -1201,29 +1190,29 @@ payload(<<PacketLen:32, PaddingLen:8, PayloadAndPadding/binary>>) ->
     <<Payload:PayloadLen/binary, _/binary>> = PayloadAndPadding,
     Payload.
 
-sign(SigData, Hash,  #'DSAPrivateKey'{} = Key) ->
-    DerSignature = public_key:sign(SigData, Hash, Key),
+sign(SigData, HashAlg,  #'DSAPrivateKey'{} = Key) ->
+    DerSignature = public_key:sign(SigData, HashAlg, Key),
     #'Dss-Sig-Value'{r = R, s = S} = public_key:der_decode('Dss-Sig-Value', DerSignature),
     <<R:160/big-unsigned-integer, S:160/big-unsigned-integer>>;
-sign(SigData, Hash, Key = #'ECPrivateKey'{}) ->
-    DerEncodedSign =  public_key:sign(SigData, Hash, Key),
+sign(SigData, HashAlg, Key = #'ECPrivateKey'{}) ->
+    DerEncodedSign =  public_key:sign(SigData, HashAlg, Key),
     #'ECDSA-Sig-Value'{r=R, s=S} = public_key:der_decode('ECDSA-Sig-Value', DerEncodedSign),
     <<?Empint(R),?Empint(S)>>;
-sign(SigData, Hash, Key) ->
-    public_key:sign(SigData, Hash, Key).
+sign(SigData, HashAlg, Key) ->
+    public_key:sign(SigData, HashAlg, Key).
 
-verify(PlainText, Hash, Sig, {_,  #'Dss-Parms'{}} = Key) ->
+verify(PlainText, HashAlg, Sig, {_,  #'Dss-Parms'{}} = Key) ->
     <<R:160/big-unsigned-integer, S:160/big-unsigned-integer>> = Sig,
     Signature = public_key:der_encode('Dss-Sig-Value', #'Dss-Sig-Value'{r = R, s = S}),
-    public_key:verify(PlainText, Hash, Signature, Key);
-verify(PlainText, Hash, Sig, {#'ECPoint'{},_} = Key) ->
+    public_key:verify(PlainText, HashAlg, Signature, Key);
+verify(PlainText, HashAlg, Sig, {#'ECPoint'{},_} = Key) ->
     <<?UINT32(Rlen),R:Rlen/big-signed-integer-unit:8,
       ?UINT32(Slen),S:Slen/big-signed-integer-unit:8>> = Sig,
     Sval = #'ECDSA-Sig-Value'{r=R, s=S},
     DerEncodedSig = public_key:der_encode('ECDSA-Sig-Value',Sval),
-    public_key:verify(PlainText, Hash, DerEncodedSig, Key);
-verify(PlainText, Hash, Sig, Key) ->
-    public_key:verify(PlainText, Hash, Sig, Key).
+    public_key:verify(PlainText, HashAlg, DerEncodedSig, Key);
+verify(PlainText, HashAlg, Sig, Key) ->
+    public_key:verify(PlainText, HashAlg, Sig, Key).
 
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -1730,39 +1719,63 @@ hash(K, H, Ki, N, HashAlg) ->
     hash(K, H, <<Ki/binary, Kj/binary>>, N-128, HashAlg).
 
 %%%----------------------------------------------------------------
-kex_h(SSH, Key, E, F, K) ->
-    KeyBin = public_key:ssh_encode(Key, ssh2_pubkey),
-    L = <<?Estring(SSH#ssh.c_version), ?Estring(SSH#ssh.s_version),
-	  ?Ebinary(SSH#ssh.c_keyinit), ?Ebinary(SSH#ssh.s_keyinit), ?Ebinary(KeyBin),
-	  ?Empint(E), ?Empint(F), ?Empint(K)>>,
-    crypto:hash(sha((SSH#ssh.algorithms)#alg.kex), L).
-
-kex_h(SSH, Curve, Key, Q_c, Q_s, K) ->
-    KeyBin = public_key:ssh_encode(Key, ssh2_pubkey),
-    L = <<?Estring(SSH#ssh.c_version), ?Estring(SSH#ssh.s_version),
-	  ?Ebinary(SSH#ssh.c_keyinit), ?Ebinary(SSH#ssh.s_keyinit), ?Ebinary(KeyBin),
-	  ?Empint(Q_c), ?Empint(Q_s), ?Empint(K)>>,
-    crypto:hash(sha(Curve), L).
-
-kex_h(SSH, Key, Min, NBits, Max, Prime, Gen, E, F, K) ->
-    KeyBin = public_key:ssh_encode(Key, ssh2_pubkey),
-    L = if Min==-1; Max==-1 ->
-		%% flag from 'ssh_msg_kex_dh_gex_request_old'
-		%% It was like this before that message was supported,
-		%% why?
-		<<?Estring(SSH#ssh.c_version), ?Estring(SSH#ssh.s_version),
-		  ?Ebinary(SSH#ssh.c_keyinit), ?Ebinary(SSH#ssh.s_keyinit), ?Ebinary(KeyBin),
-		  ?Empint(E), ?Empint(F), ?Empint(K)>>;
-	   true ->
-		<<?Estring(SSH#ssh.c_version), ?Estring(SSH#ssh.s_version),
-		  ?Ebinary(SSH#ssh.c_keyinit), ?Ebinary(SSH#ssh.s_keyinit), ?Ebinary(KeyBin),
-		  ?Euint32(Min), ?Euint32(NBits), ?Euint32(Max),
-		  ?Empint(Prime), ?Empint(Gen), ?Empint(E), ?Empint(F), ?Empint(K)>>
-	end,
-    crypto:hash(sha((SSH#ssh.algorithms)#alg.kex), L).
-  
+kex_hash(SSH, Key, SignAlg, HashAlg, Args) ->
+    crypto:hash(HashAlg, kex_plaintext(SSH,Key,SignAlg,Args)).
+
+kex_plaintext(SSH, Key, SignAlg, Args) ->
+    EncodedKey = public_key:ssh_encode({Key,SignAlg}, ssh2_pubkey),
+    <<?Estring(SSH#ssh.c_version), ?Estring(SSH#ssh.s_version),
+      ?Ebinary(SSH#ssh.c_keyinit), ?Ebinary(SSH#ssh.s_keyinit),
+      ?Ebinary(EncodedKey),
+      (kex_alg_dependent(Args))/binary>>.
+
+kex_alg_dependent({E, F, K}) ->
+    %% diffie-hellman and ec diffie-hellman (with E = Q_c, F = Q_s)
+    <<?Empint(E), ?Empint(F), ?Empint(K)>>;
+
+kex_alg_dependent({-1, _, -1, _, _, E, F, K}) ->
+    %% ssh_msg_kex_dh_gex_request_old
+    <<?Empint(E), ?Empint(F), ?Empint(K)>>;
+
+kex_alg_dependent({Min, NBits, Max, Prime, Gen, E, F, K}) ->
+    %% diffie-hellman group exchange
+    <<?Euint32(Min), ?Euint32(NBits), ?Euint32(Max),
+      ?Empint(Prime), ?Empint(Gen), ?Empint(E), ?Empint(F), ?Empint(K)>>.
+
+%%%----------------------------------------------------------------
+
+valid_key_sha_alg(#'RSAPublicKey'{}, 'rsa-sha2-512') -> true;
+valid_key_sha_alg(#'RSAPublicKey'{}, 'rsa-sha2-384') -> true;
+valid_key_sha_alg(#'RSAPublicKey'{}, 'rsa-sha2-256') -> true;
+valid_key_sha_alg(#'RSAPublicKey'{}, 'ssh-rsa'     ) -> true;
+
+valid_key_sha_alg(#'RSAPrivateKey'{}, 'rsa-sha2-512') -> true;
+valid_key_sha_alg(#'RSAPrivateKey'{}, 'rsa-sha2-384') -> true;
+valid_key_sha_alg(#'RSAPrivateKey'{}, 'rsa-sha2-256') -> true;
+valid_key_sha_alg(#'RSAPrivateKey'{}, 'ssh-rsa'     ) -> true;
+
+valid_key_sha_alg({_, #'Dss-Parms'{}}, 'ssh-dss') -> true;
+valid_key_sha_alg(#'DSAPrivateKey'{},  'ssh-dss') -> true;
+
+valid_key_sha_alg({#'ECPoint'{},{namedCurve,OID}},                Alg) -> sha(OID) == sha(Alg);
+valid_key_sha_alg(#'ECPrivateKey'{parameters = {namedCurve,OID}}, Alg) -> sha(OID) == sha(Alg);
+valid_key_sha_alg(_, _) -> false.
+    
+
+
+public_algo(#'RSAPublicKey'{}) ->   'ssh-rsa';  % FIXME: Not right with draft-curdle-rsa-sha2
+public_algo({_, #'Dss-Parms'{}}) -> 'ssh-dss';
+public_algo({#'ECPoint'{},{namedCurve,OID}}) -> 
+    Curve = public_key:oid2ssh_curvename(OID),
+    list_to_atom("ecdsa-sha2-" ++ binary_to_list(Curve)).
+
+
+
 
 sha('ssh-rsa') -> sha;
+sha('rsa-sha2-256') -> sha256;
+sha('rsa-sha2-384') -> sha384;
+sha('rsa-sha2-512') -> sha512;
 sha('ssh-dss') -> sha;
 sha('ecdsa-sha2-nistp256') -> sha(secp256r1);
 sha('ecdsa-sha2-nistp384') -> sha(secp384r1);
-- 
cgit v1.2.3


From 98fa13854707fc1f4aecb6d2f7bc167f478bdd6f Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Tue, 25 Apr 2017 13:43:56 +0200
Subject: ssh: test case adjustments

---
 lib/ssh/test/ssh_basic_SUITE.erl    |  1 +
 lib/ssh/test/ssh_protocol_SUITE.erl |  1 +
 lib/ssh/test/ssh_test_lib.erl       | 13 +++++++++----
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/lib/ssh/test/ssh_basic_SUITE.erl b/lib/ssh/test/ssh_basic_SUITE.erl
index 089d191fea..34928ab0e9 100644
--- a/lib/ssh/test/ssh_basic_SUITE.erl
+++ b/lib/ssh/test/ssh_basic_SUITE.erl
@@ -651,6 +651,7 @@ exec_key_differs_fail(Config) when is_list(Config) ->
 
     IO = ssh_test_lib:start_io_server(),
     ssh_test_lib:start_shell(Port, IO, [{user_dir,UserDir},
+                                        {recv_ext_info, false},
 					{preferred_algorithms,[{public_key,['ssh-rsa']}]},
 					{pref_public_key_algs,['ssh-dss']}]),
     receive
diff --git a/lib/ssh/test/ssh_protocol_SUITE.erl b/lib/ssh/test/ssh_protocol_SUITE.erl
index 2c4fa8be88..9e7d1a5fa3 100644
--- a/lib/ssh/test/ssh_protocol_SUITE.erl
+++ b/lib/ssh/test/ssh_protocol_SUITE.erl
@@ -752,6 +752,7 @@ connect_and_kex(Config, InitialState) ->
                                 {cipher,?DEFAULT_CIPHERS}
                                ]},
 	 {silently_accept_hosts, true},
+         {recv_ext_info, false},
 	 {user_dir, user_dir(Config)},
 	 {user_interaction, false}]},
        receive_hello,
diff --git a/lib/ssh/test/ssh_test_lib.erl b/lib/ssh/test/ssh_test_lib.erl
index 6186d44890..ab44fc8275 100644
--- a/lib/ssh/test/ssh_test_lib.erl
+++ b/lib/ssh/test/ssh_test_lib.erl
@@ -858,8 +858,9 @@ get_kex_init(Conn) ->
 
 get_kex_init(Conn, Ref, TRef) ->
     %% First, validate the key exchange is complete (StateName == connected)
-    case sys:get_state(Conn) of
-	{{connected,_}, S} ->
+    {State, S} = sys:get_state(Conn),
+    case expected_state(State) of
+	true ->
 	    timer:cancel(TRef),
 	    %% Next, walk through the elements of the #state record looking
 	    %% for the #ssh_msg_kexinit record. This method is robust against
@@ -873,8 +874,8 @@ get_kex_init(Conn, Ref, TRef) ->
 		    KexInit
 	    end;
 
-	{OtherState, S} ->
-	    ct:log("Not in 'connected' state: ~p",[OtherState]),
+	false ->
+	    ct:log("Not in 'connected' state: ~p",[State]),
 	    receive
 		{reneg_timeout,Ref} -> 
 		    ct:log("S = ~p", [S]),
@@ -886,6 +887,10 @@ get_kex_init(Conn, Ref, TRef) ->
 	    end
     end.
     
+expected_state({ext_info,_,_}) -> true;
+expected_state({connected,_}) -> true;
+expected_state(_) -> false.
+
 %%%----------------------------------------------------------------
 %%% Return a string with N random characters
 %%%
-- 
cgit v1.2.3


From 9bcd621df2abf35394cd9f68b42c446d3ab83f11 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Wed, 26 Apr 2017 16:52:05 +0200
Subject: ssh: Codenomicon/Defensics fixes

---
 lib/ssh/src/ssh_auth.erl               | 24 ++++++++++--------------
 lib/ssh/src/ssh_connection_handler.erl | 13 ++++++++-----
 lib/ssh/src/ssh_transport.erl          | 27 ++++++++++++++++++---------
 3 files changed, 36 insertions(+), 28 deletions(-)

diff --git a/lib/ssh/src/ssh_auth.erl b/lib/ssh/src/ssh_auth.erl
index aadd1ad6dc..9eb11a53dc 100644
--- a/lib/ssh/src/ssh_auth.erl
+++ b/lib/ssh/src/ssh_auth.erl
@@ -296,8 +296,7 @@ handle_userauth_request(#ssh_msg_userauth_request{user = User,
 			     userauth_supported_methods = Methods} = Ssh) ->
     
     case verify_sig(SessionId, User, "ssh-connection", 
-		    binary_to_list(BAlg),
-		    KeyBlob, SigWLen, Opts) of
+		    BAlg, KeyBlob, SigWLen, Opts) of
 	true ->
 	    {authorized, User, 
 	     ssh_transport:ssh_packet(
@@ -507,21 +506,18 @@ pre_verify_sig(User, KeyBlob, Opts) ->
 	    false
     end.
 
-verify_sig(SessionId, User, Service, Alg, KeyBlob, SigWLen, Opts) ->
+verify_sig(SessionId, User, Service, AlgBin, KeyBlob, SigWLen, Opts) ->
     try
+        Alg = binary_to_list(AlgBin),
         {KeyCb,KeyCbOpts} = ?GET_OPT(key_cb, Opts),
         UserOpts = ?GET_OPT(user_options, Opts),
-        Key0 = public_key:ssh_decode(KeyBlob, ssh2_pubkey), % or exception
-        true = KeyCb:is_auth_key(Key0, User, [{key_cb_private,KeyCbOpts}|UserOpts]),
-        Key0
-    of
-        Key ->
-            PlainText = build_sig_data(SessionId, User, Service,
-                                       KeyBlob, Alg),
-            <<?UINT32(AlgSigLen), AlgSig:AlgSigLen/binary>> = SigWLen,
-            <<?UINT32(AlgLen), _Alg:AlgLen/binary,
-              ?UINT32(SigLen), Sig:SigLen/binary>> = AlgSig,
-            ssh_transport:verify(PlainText, ssh_transport:sha(list_to_atom(Alg)), Sig, Key)
+        Key = public_key:ssh_decode(KeyBlob, ssh2_pubkey), % or exception
+        true = KeyCb:is_auth_key(Key, User, [{key_cb_private,KeyCbOpts}|UserOpts]),
+        PlainText = build_sig_data(SessionId, User, Service, KeyBlob, Alg),
+        <<?UINT32(AlgSigLen), AlgSig:AlgSigLen/binary>> = SigWLen,
+        <<?UINT32(AlgLen), _Alg:AlgLen/binary,
+          ?UINT32(SigLen), Sig:SigLen/binary>> = AlgSig,
+        ssh_transport:verify(PlainText, ssh_transport:sha(Alg), Sig, Key)
     catch
 	_:_ ->
 	    false
diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl
index 220b05e6b0..74e14a233f 100644
--- a/lib/ssh/src/ssh_connection_handler.erl
+++ b/lib/ssh/src/ssh_connection_handler.erl
@@ -1710,6 +1710,7 @@ ext_info({"server-sig-algs",SigAlgs}, D0 = #data{ssh_params=#ssh{role=client}=Ss
     SupportedAlgs = lists:map(fun erlang:atom_to_list/1, ssh_transport:supported_algorithms(public_key)),
     Ssh = Ssh0#ssh{userauth_pubkeys = 
                        [list_to_atom(SigAlg) || SigAlg <- string:tokens(SigAlgs,","),
+                                                %% length of SigAlg is implicitly checked by member:
                                                 lists:member(SigAlg, SupportedAlgs)
                        ]},
     D0#data{ssh_params = Ssh};
@@ -2008,12 +2009,14 @@ handshake(Pid, Ref, Timeout) ->
     end.
 
 update_inet_buffers(Socket) ->
-    {ok, BufSzs0} = inet:getopts(Socket, [sndbuf,recbuf]),
-    MinVal = 655360,
-    case
-	[{Tag,MinVal} || {Tag,Val} <- BufSzs0,
-			 Val < MinVal]
+    try
+        {ok, BufSzs0} = inet:getopts(Socket, [sndbuf,recbuf]),
+        MinVal = 655360,
+        [{Tag,MinVal} || {Tag,Val} <- BufSzs0,
+                         Val < MinVal]
     of
 	[] -> ok;
 	NewOpts -> inet:setopts(Socket, NewOpts)
+    catch
+        _:_ -> ok
     end.
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index 3cf1e60634..09b5d1ac81 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -1202,15 +1202,23 @@ sign(SigData, HashAlg, Key) ->
     public_key:sign(SigData, HashAlg, Key).
 
 verify(PlainText, HashAlg, Sig, {_,  #'Dss-Parms'{}} = Key) ->
-    <<R:160/big-unsigned-integer, S:160/big-unsigned-integer>> = Sig,
-    Signature = public_key:der_encode('Dss-Sig-Value', #'Dss-Sig-Value'{r = R, s = S}),
-    public_key:verify(PlainText, HashAlg, Signature, Key);
+    case Sig of
+        <<R:160/big-unsigned-integer, S:160/big-unsigned-integer>> ->
+            Signature = public_key:der_encode('Dss-Sig-Value', #'Dss-Sig-Value'{r = R, s = S}),
+            public_key:verify(PlainText, HashAlg, Signature, Key);
+        _ ->
+            false
+    end;
 verify(PlainText, HashAlg, Sig, {#'ECPoint'{},_} = Key) ->
-    <<?UINT32(Rlen),R:Rlen/big-signed-integer-unit:8,
-      ?UINT32(Slen),S:Slen/big-signed-integer-unit:8>> = Sig,
-    Sval = #'ECDSA-Sig-Value'{r=R, s=S},
-    DerEncodedSig = public_key:der_encode('ECDSA-Sig-Value',Sval),
-    public_key:verify(PlainText, HashAlg, DerEncodedSig, Key);
+    case Sig of
+        <<?UINT32(Rlen),R:Rlen/big-signed-integer-unit:8,
+          ?UINT32(Slen),S:Slen/big-signed-integer-unit:8>> ->
+            Sval = #'ECDSA-Sig-Value'{r=R, s=S},
+            DerEncodedSig = public_key:der_encode('ECDSA-Sig-Value',Sval),
+            public_key:verify(PlainText, HashAlg, DerEncodedSig, Key);
+        _ ->
+            false
+    end;
 verify(PlainText, HashAlg, Sig, Key) ->
     public_key:verify(PlainText, HashAlg, Sig, Key).
 
@@ -1795,7 +1803,8 @@ sha(?'secp384r1') -> sha(secp384r1);
 sha(?'secp521r1') -> sha(secp521r1);
 sha('ecdh-sha2-nistp256') -> sha(secp256r1);
 sha('ecdh-sha2-nistp384') -> sha(secp384r1);
-sha('ecdh-sha2-nistp521') -> sha(secp521r1).
+sha('ecdh-sha2-nistp521') -> sha(secp521r1);
+sha(Str) when is_list(Str), length(Str)<50 -> sha(list_to_atom(Str)).
 
 
 mac_key_bytes('hmac-sha1')    -> 20;
-- 
cgit v1.2.3


From 6f26467274a77d0838596775f3e7e6a33aad7273 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Thu, 27 Apr 2017 14:58:47 +0200
Subject: ssh: Don't expose new rsa-sha2-* as default

---
 lib/ssh/src/ssh_transport.erl | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index 09b5d1ac81..7c7dda7a1e 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -92,6 +92,10 @@ default_algorithms(cipher) ->
 default_algorithms(mac) ->
     supported_algorithms(mac, same(['AEAD_AES_128_GCM',
 				    'AEAD_AES_256_GCM']));
+default_algorithms(public_key) ->
+    supported_algorithms(public_key, ['rsa-sha2-256',
+                                      'rsa-sha2-384',
+                                      'rsa-sha2-512']);
 default_algorithms(Alg) ->
     supported_algorithms(Alg, []).
 
-- 
cgit v1.2.3