From 3e8d8f4595182d0e695cc166d5c6cf4490d17e75 Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Tue, 4 Aug 2015 16:46:46 +0200 Subject: ssh: options 'dh_gex_groups' and 'dh_gex_limits' --- lib/ssh/src/ssh.erl | 31 +++++++++++++++++++++++++ lib/ssh/src/ssh_transport.erl | 54 ++++++++++++++++++++++++++++++++----------- 2 files changed, 71 insertions(+), 14 deletions(-) diff --git a/lib/ssh/src/ssh.erl b/lib/ssh/src/ssh.erl index 370f086600..cc2c591735 100644 --- a/lib/ssh/src/ssh.erl +++ b/lib/ssh/src/ssh.erl @@ -373,6 +373,10 @@ handle_option([{auth_method_kb_interactive_data, _} = Opt | Rest], SocketOptions handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); handle_option([{preferred_algorithms,_} = Opt | Rest], SocketOptions, SshOptions) -> handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); +handle_option([{dh_gex_groups,_} = Opt | Rest], SocketOptions, SshOptions) -> + handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); +handle_option([{dh_gex_limits,_} = Opt | Rest], SocketOptions, SshOptions) -> + handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); handle_option([{quiet_mode, _} = Opt|Rest], SocketOptions, SshOptions) -> handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); handle_option([{idle_time, _} = Opt | Rest], SocketOptions, SshOptions) -> @@ -411,6 +415,33 @@ handle_ssh_option({user_interaction, Value} = Opt) when is_boolean(Value) -> Opt; handle_ssh_option({preferred_algorithms,[_|_]} = Opt) -> handle_pref_algs(Opt); +handle_ssh_option({dh_gex_groups,L=[{I1,I2,I3}|_]}) when is_integer(I1), I1>0, + is_integer(I2), I2>0, + is_integer(I3), I3>0 -> + {dh_gex_groups, [{N,{G,P}} || {N,P,G} <- L]}; +handle_ssh_option({dh_gex_groups,{file,File=[C|_]}}=Opt) when is_integer(C), C>0 -> + %% A string, (file name) + case file:consult(File) of + {ok, List} -> + case lists:all(fun({I1,I2,I3}) when is_integer(I1), I1>0, + is_integer(I2), I2>0, + is_integer(I3), I3>0 -> + true; + (_) -> + false + end, List) of + true -> + handle_ssh_option({dh_gex_groups,List}); + false -> + throw({error, {{eoptions, Opt}, "Bad format in file "++File}}) + end; + Error -> + throw({error, {{eoptions, Opt},{"Error reading file",Error}}}) + end; +handle_ssh_option({dh_gex_limits,{Min,I,Max}} = Opt) when is_integer(Min), Min>0, + is_integer(I), I>0, + is_integer(Max), Max>0 -> + Opt; handle_ssh_option({connect_timeout, Value} = Opt) when is_integer(Value); Value == infinity -> Opt; handle_ssh_option({max_sessions, Value} = Opt) when is_integer(Value), Value>0 -> diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl index 69ba797faf..dda9192284 100644 --- a/lib/ssh/src/ssh_transport.erl +++ b/lib/ssh/src/ssh_transport.erl @@ -404,9 +404,10 @@ handle_kexdh_reply(#ssh_msg_kexdh_reply{public_host_key = HostKey, %%% handle_kex_dh_gex_request(#ssh_msg_kex_dh_gex_request{min = Min, n = NBits, - max = Max}, Ssh0) when Min= + max = Max}, + Ssh0=#ssh{opts=Opts}) when Min= %% server - {G, P} = dh_gex_group(Min, NBits, Max), + {G, P} = dh_gex_group(Min, NBits, Max, proplists:get_value(dh_gex_groups,Opts)), {Private, Public} = dh_gen_key(G, P, 1024), {SshPacket, Ssh} = ssh_packet(#ssh_msg_kex_dh_gex_group{p = P, g = G}, Ssh0), @@ -1236,21 +1237,46 @@ dh_group15() -> dh_group16() -> {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF}. - dh_group('diffie-hellman-group1-sha1') -> dh_group1(); dh_group('diffie-hellman-group14-sha1') -> dh_group14(). - -%%% First try exact match: -dh_gex_group(_Min, N, _Max) when N==1024 -> dh_group1(); -dh_gex_group(_Min, N, _Max) when N==2048 -> dh_group14(); -dh_gex_group(_Min, N, _Max) when N==3072 -> dh_group15(); -dh_gex_group(_Min, N, _Max) when N==4096 -> dh_group16(); -%%% If not an exact match, select the largest possible: -dh_gex_group(Min, _N, Max) when Min=<4096, 4096= dh_group16(); -dh_gex_group(Min, _N, Max) when Min=<3072, 3072= dh_group15(); -dh_gex_group(Min, _N, Max) when Min=<2048, 2048= dh_group14(); -dh_gex_group(Min, _N, Max) when Min=<1024, 1024= dh_group1(). +dh_gex_default_groups() -> + [{1024, dh_group1() }, + {2048, dh_group14()}, + {3072, dh_group15()}, + {4096, dh_group16()}]. + + +dh_gex_group(Min, N, Max, undefined) -> + dh_gex_group(Min, N, Max, dh_gex_default_groups()); +dh_gex_group(Min, N, Max, Groups) -> + %% First try to find an exact match. If not an exact match, select the largest possible. + {_,Group} = + lists:foldl( + fun(_, {I,G}) when I==N -> + %% If we have an exact match already: use that one + {I,G}; + ({I,G}, _) when I==N -> + %% If we now found an exact match: use that very one + {I,G}; + ({I,G}, {Imax,_Gmax}) when Min=Imax -> % b) {I,G} is larger than current max + %% A group within the limits and better than the one we have + {I,G}; + (_, IGmax) -> + %% Keep the one we have + IGmax + end, {-1,undefined}, Groups), + + case Group of + undefined -> + throw(#ssh_msg_disconnect{ + code = ?SSH_DISCONNECT_PROTOCOL_ERROR, + description = "No possible diffie-hellman-group-exchange group found", + language = ""}); + _ -> + Group + end. dh_gen_key(G, P, _) -> -- cgit v1.2.3 From 99825046c9e17510d5e627f9d2cb61b5e5eb7110 Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Wed, 5 Aug 2015 13:10:14 +0200 Subject: ssh: more dh_gex test cases --- lib/ssh/src/ssh.erl | 23 +++--- lib/ssh/src/ssh_transport.erl | 28 ++------ lib/ssh/src/ssh_transport.hrl | 20 ++++++ lib/ssh/test/ssh_protocol_SUITE.erl | 82 +++++++++++++++++++--- lib/ssh/test/ssh_protocol_SUITE_data/dh_group_test | 3 + 5 files changed, 112 insertions(+), 44 deletions(-) create mode 100644 lib/ssh/test/ssh_protocol_SUITE_data/dh_group_test diff --git a/lib/ssh/src/ssh.erl b/lib/ssh/src/ssh.erl index cc2c591735..5b2e0a988c 100644 --- a/lib/ssh/src/ssh.erl +++ b/lib/ssh/src/ssh.erl @@ -418,29 +418,24 @@ handle_ssh_option({preferred_algorithms,[_|_]} = Opt) -> handle_ssh_option({dh_gex_groups,L=[{I1,I2,I3}|_]}) when is_integer(I1), I1>0, is_integer(I2), I2>0, is_integer(I3), I3>0 -> - {dh_gex_groups, [{N,{G,P}} || {N,P,G} <- L]}; + {dh_gex_groups, lists:map(fun({N,G,P}) -> {N,{G,P}} end, L)}; handle_ssh_option({dh_gex_groups,{file,File=[C|_]}}=Opt) when is_integer(C), C>0 -> %% A string, (file name) case file:consult(File) of {ok, List} -> - case lists:all(fun({I1,I2,I3}) when is_integer(I1), I1>0, - is_integer(I2), I2>0, - is_integer(I3), I3>0 -> - true; - (_) -> - false - end, List) of - true -> - handle_ssh_option({dh_gex_groups,List}); - false -> - throw({error, {{eoptions, Opt}, "Bad format in file "++File}}) + try handle_ssh_option({dh_gex_groups,List}) of + {dh_gex_groups,_} = NewOpt -> + NewOpt + catch + _:_ -> + throw({error, {{eoptions, Opt}, "Bad format in file"}}) end; Error -> throw({error, {{eoptions, Opt},{"Error reading file",Error}}}) end; handle_ssh_option({dh_gex_limits,{Min,I,Max}} = Opt) when is_integer(Min), Min>0, - is_integer(I), I>0, - is_integer(Max), Max>0 -> + is_integer(I), I>=Min, + is_integer(Max), Max>=I -> Opt; handle_ssh_option({connect_timeout, Value} = Opt) when is_integer(Value); Value == infinity -> Opt; diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl index dda9192284..d9dc7df73d 100644 --- a/lib/ssh/src/ssh_transport.erl +++ b/lib/ssh/src/ssh_transport.erl @@ -1221,30 +1221,14 @@ peer_name({Host, _}) -> %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%% rfc 2489, ch 6.2 -dh_group1() -> - {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF}. +dh_group('diffie-hellman-group1-sha1') -> ?dh_group1; +dh_group('diffie-hellman-group14-sha1') -> ?dh_group14. -%%% rfc 3526, ch3 -dh_group14() -> - {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF}. - -%%% rfc 3526, ch4 -dh_group15() -> - {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF}. - -%%% rfc 3526, ch5 -dh_group16() -> - {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF}. - -dh_group('diffie-hellman-group1-sha1') -> dh_group1(); -dh_group('diffie-hellman-group14-sha1') -> dh_group14(). - dh_gex_default_groups() -> - [{1024, dh_group1() }, - {2048, dh_group14()}, - {3072, dh_group15()}, - {4096, dh_group16()}]. + [{1024, ?dh_group1 }, + {2048, ?dh_group14}, + {3072, ?dh_group15}, + {4096, ?dh_group16}]. dh_gex_group(Min, N, Max, undefined) -> diff --git a/lib/ssh/src/ssh_transport.hrl b/lib/ssh/src/ssh_transport.hrl index ab59742b96..9e1de171c2 100644 --- a/lib/ssh/src/ssh_transport.hrl +++ b/lib/ssh/src/ssh_transport.hrl @@ -188,4 +188,24 @@ -define(SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE, 14). -define(SSH_DISCONNECT_ILLEGAL_USER_NAME, 15). +%% groups + +%%% rfc 2489, ch 6.2 +-define(dh_group1, + {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF}). + +%%% rfc 3526, ch3 +-define(dh_group14, + {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF}). + +%%% rfc 3526, ch4 +-define(dh_group15, + {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF}). + +%%% rfc 3526, ch5 +-define(dh_group16, + {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF}). + + + -endif. % -ifdef(ssh_transport). diff --git a/lib/ssh/test/ssh_protocol_SUITE.erl b/lib/ssh/test/ssh_protocol_SUITE.erl index d82cdaf2c7..246e3d4898 100644 --- a/lib/ssh/test/ssh_protocol_SUITE.erl +++ b/lib/ssh/test/ssh_protocol_SUITE.erl @@ -56,7 +56,11 @@ groups() -> lib_no_match ]}, {kex, [], [no_common_alg_server_disconnects, - no_common_alg_client_disconnects + no_common_alg_client_disconnects, + gex_client_init_default_noexact, + gex_client_init_default_exact, + gex_client_init_option_groups, + gex_client_init_option_groups_file ]} ]. @@ -68,9 +72,32 @@ end_per_suite(Config) -> stop_apps(Config). + +init_per_testcase(TC, Config) when TC == gex_client_init_default_noexact ; + TC == gex_client_init_default_exact ; + TC == gex_client_init_option_groups ; + TC == gex_client_init_option_groups_file -> + Opts = case TC of + gex_client_init_option_groups -> + [{dh_gex_groups, [{2345, 3, 41}]}]; + gex_client_init_option_groups_file -> + DataDir = ?config(data_dir, Config), + F = filename:join(DataDir, "dh_group_test"), + [{dh_gex_groups, {file,F}}]; + _ -> + [] + end, + start_std_daemon(Config, + [{preferred_algorithms, ssh_transport:supported_algorithms()} + | Opts]); init_per_testcase(_TestCase, Config) -> check_std_daemon_works(Config, ?LINE). +end_per_testcase(TC, Config) when TC == gex_client_init_default_noexact ; + TC == gex_client_init_default_exact ; + TC == gex_client_init_option_groups ; + TC == gex_client_init_option_groups_file -> + stop_std_daemon(Config); end_per_testcase(_TestCase, Config) -> check_std_daemon_works(Config, ?LINE). @@ -293,6 +320,48 @@ no_common_alg_client_disconnects(Config) -> X -> ct:fail(X) end. +%%%-------------------------------------------------------------------- +gex_client_init_default_noexact(Config) -> + do_gex_client_init(Config, {2000, 3000, 4000}, + %% Warning, app knowledege: + ?dh_group15). + + +gex_client_init_default_exact(Config) -> + do_gex_client_init(Config, {2000, 2048, 4000}, + %% Warning, app knowledege: + ?dh_group14). + + +gex_client_init_option_groups(Config) -> + do_gex_client_init(Config, {2000, 2048, 4000}, {3,41}). + + +gex_client_init_option_groups_file(Config) -> + do_gex_client_init(Config, {2000, 2048, 4000}, {5,61}). + +do_gex_client_init(Config, {Min,N,Max}, {G,P}) -> + {ok,_} = + ssh_trpt_test_lib:exec( + [{set_options, [print_ops, print_seqnums, print_messages]}, + {connect, + server_host(Config),server_port(Config), + [{silently_accept_hosts, true}, + {user_dir, user_dir(Config)}, + {user_interaction, false}, + {preferred_algorithms,[{kex,['diffie-hellman-group-exchange-sha1']}]} + ]}, + receive_hello, + {send, hello}, + {send, ssh_msg_kexinit}, + {match, #ssh_msg_kexinit{_='_'}, receive_msg}, + {send, #ssh_msg_kex_dh_gex_request{min = Min, + n = N, + max = Max}}, + {match, #ssh_msg_kex_dh_gex_group{p=P, g=G, _='_'}, receive_msg} + ] + ). + %%%================================================================ %%%==== Internal functions ======================================== %%%================================================================ @@ -353,6 +422,7 @@ stop_std_daemon(Config) -> ct:log("Std server ~p at ~p:~p stopped", [server_pid(Config), server_host(Config), server_port(Config)]), lists:keydelete(server, 1, Config). + check_std_daemon_works(Config, Line) -> case std_connect(Config) of {ok,C} -> @@ -362,13 +432,9 @@ check_std_daemon_works(Config, Line) -> ok = ssh:close(C), Config; Error = {error,_} -> - {fail, - lists:flatten( - io_lib:format("Standard server ~p:~p ~p is ill at line ~p: ~p", - [server_host(Config), server_port(Config), - server_pid(Config), Line, Error]) - ) - } + ct:fail("Standard server ~p:~p ~p is ill at line ~p: ~p", + [server_host(Config), server_port(Config), + server_pid(Config), Line, Error]) end. server_pid(Config) -> element(1,?v(server,Config)). diff --git a/lib/ssh/test/ssh_protocol_SUITE_data/dh_group_test b/lib/ssh/test/ssh_protocol_SUITE_data/dh_group_test new file mode 100644 index 0000000000..2887bb4b60 --- /dev/null +++ b/lib/ssh/test/ssh_protocol_SUITE_data/dh_group_test @@ -0,0 +1,3 @@ +{2222, 5, 61}. +{1111, 7, 91}. + -- cgit v1.2.3 From 25db64119ec6369156129a77330c64753a6706eb Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Wed, 5 Aug 2015 13:41:35 +0200 Subject: ssh: document new options in doc/ssh.xml --- lib/ssh/doc/src/ssh.xml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml index d24025ca4d..cf5e8f1aff 100644 --- a/lib/ssh/doc/src/ssh.xml +++ b/lib/ssh/doc/src/ssh.xml @@ -43,7 +43,7 @@ Supported public key algorithms: ssh-rsa and ssh-dss. Supported MAC algorithms: hmac-sha2-256 and hmac-sha1. Supported encryption algorithms: aes128-ctr, aes128-cb and 3des-cbc. - Supported key exchange algorithms: diffie-hellman-group1-sha1. + Supported key exchange algorithms: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256. Supported compression algorithms: none, zlib, zlib@openssh.com, Supports unicode filenames if the emulator and the underlaying OS support it. See section DESCRIPTION in the @@ -240,6 +240,13 @@ kex is implicit but public_key is set explicitly.

 + + +

Sets the three diffie-hellman-group-exchange parameters that guides the connected server in choosing a group. + See RFC 4419 for the function of thoose. The default value is {512, 1024, 4096}. +

+ +

Sets a time-out on the transport layer @@ -449,6 +456,15 @@ kex is implicit but public_key is set explicitly.

 + + +

Sets the groups that the server may choose among when diffie-hellman-group-exchange is negotiated. + See RFC 4419 for details. +

+

If the parameter is {file,filename()}, the file must exist and have one or more three-tuples terminated by a dot. The interpretation is as if the tuples had been given directly in the option. The file is read when the daemon starts. +

+ + boolean()}]]>

Provides a function for password validation. This function is called -- cgit v1.2.3 From b2e9955be035d1dce8ef118b341a79cc05339f44 Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Wed, 5 Aug 2015 14:02:17 +0200 Subject: ssh: announce dh-group-exchange --- lib/ssh/src/ssh_transport.erl | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl index d9dc7df73d..38a0b7ec7c 100644 --- a/lib/ssh/src/ssh_transport.erl +++ b/lib/ssh/src/ssh_transport.erl @@ -67,10 +67,7 @@ default_algorithms(compression) -> %% Do not announce 'zlib@openssh.com' because there seem to be problems supported_algorithms(compression, same(['zlib@openssh.com'])); default_algorithms(kex) -> - %% Do not announce the experimental 'diffie-hellman-group-exchange-sha*' yet - supported_algorithms(kex, ['diffie-hellman-group-exchange-sha1', - 'diffie-hellman-group-exchange-sha256' - ]); + supported_algorithms(kex, []); default_algorithms(Alg) -> supported_algorithms(Alg). -- cgit v1.2.3