From cf53a360685b1a01a5c7fc0e06660ce8d76d96b0 Mon Sep 17 00:00:00 2001
From: Alex Wilson <alex@cooperi.net>
Date: Thu, 28 Aug 2014 11:13:57 +1000
Subject: SSH: only enable ciphers/MACs when they are available in crypto

Also adjusts tests to only expect a positive outcome when
crypto supports the relevant base ciphers/MACs.
---
 lib/ssh/src/ssh_transport.erl         | 30 ++++++++++++++++++++++--------
 lib/ssh/test/ssh_to_openssh_SUITE.erl | 20 +++++++++++++-------
 2 files changed, 35 insertions(+), 15 deletions(-)

(limited to 'lib')

diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index 805114f792..ea05c849b7 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -113,15 +113,28 @@ key_init(client, Ssh, Value) ->
 key_init(server, Ssh, Value) ->
     Ssh#ssh{s_keyinit = Value}.
 
+available_ssh_algos() ->
+    Supports = crypto:supports(),
+    CipherAlgos = [{aes_ctr, "aes128-ctr"}, {aes_cbc128, "aes128-cbc"}, {des3_cbc, "3des-cbc"}],
+    Ciphers = [SshAlgo ||
+	{CryptoAlgo, SshAlgo} <- CipherAlgos,
+	lists:member(CryptoAlgo, proplists:get_value(ciphers, Supports, []))],
+    HashAlgos = [{sha256, "hmac-sha2-256"}, {sha, "hmac-sha1"}],
+    Hashs = [SshAlgo ||
+	{CryptoAlgo, SshAlgo} <- HashAlgos,
+	lists:member(CryptoAlgo, proplists:get_value(hashs, Supports, []))],
+    {Ciphers, Hashs}.
+
 kexinit_messsage(client, Random, Compression, HostKeyAlgs) ->
+    {CipherAlgs, HashAlgs} = available_ssh_algos(),
     #ssh_msg_kexinit{ 
 		  cookie = Random,
 		  kex_algorithms = ["diffie-hellman-group1-sha1"],
 		  server_host_key_algorithms = HostKeyAlgs,
-		  encryption_algorithms_client_to_server = ["aes128-ctr","aes128-cbc","3des-cbc"],
-		  encryption_algorithms_server_to_client = ["aes128-ctr","aes128-cbc","3des-cbc"],
-		  mac_algorithms_client_to_server = ["hmac-sha2-256","hmac-sha1"],
-		  mac_algorithms_server_to_client = ["hmac-sha2-256","hmac-sha1"],
+		  encryption_algorithms_client_to_server = CipherAlgs,
+		  encryption_algorithms_server_to_client = CipherAlgs,
+		  mac_algorithms_client_to_server = HashAlgs,
+		  mac_algorithms_server_to_client = HashAlgs,
 		  compression_algorithms_client_to_server = Compression,
 		  compression_algorithms_server_to_client = Compression,
 		  languages_client_to_server = [],
@@ -129,14 +142,15 @@ kexinit_messsage(client, Random, Compression, HostKeyAlgs) ->
 		 };
 
 kexinit_messsage(server, Random, Compression, HostKeyAlgs) ->
+    {CipherAlgs, HashAlgs} = available_ssh_algos(),
     #ssh_msg_kexinit{
 		  cookie = Random,
 		  kex_algorithms = ["diffie-hellman-group1-sha1"],
 		  server_host_key_algorithms = HostKeyAlgs,
-		  encryption_algorithms_client_to_server = ["aes128-ctr","aes128-cbc","3des-cbc"],
-		  encryption_algorithms_server_to_client = ["aes128-ctr","aes128-cbc","3des-cbc"],
-		  mac_algorithms_client_to_server = ["hmac-sha2-256","hmac-sha1"],
-		  mac_algorithms_server_to_client = ["hmac-sha2-256","hmac-sha1"],
+		  encryption_algorithms_client_to_server = CipherAlgs,
+		  encryption_algorithms_server_to_client = CipherAlgs,
+		  mac_algorithms_client_to_server = HashAlgs,
+		  mac_algorithms_server_to_client = HashAlgs,
 		  compression_algorithms_client_to_server = Compression,
 		  compression_algorithms_server_to_client = Compression,
 		  languages_client_to_server = [],
diff --git a/lib/ssh/test/ssh_to_openssh_SUITE.erl b/lib/ssh/test/ssh_to_openssh_SUITE.erl
index 5a3bd21b55..e003b135b1 100644
--- a/lib/ssh/test/ssh_to_openssh_SUITE.erl
+++ b/lib/ssh/test/ssh_to_openssh_SUITE.erl
@@ -237,10 +237,14 @@ erlang_server_openssh_client_cipher_suites(Config) when is_list(Config) ->
 
     ct:sleep(500),
 
-    Ciphers = [{"3des-cbc", true},
-        {"aes128-cbc", true},
-        {"aes128-ctr", true},
-        {"aes256-cbc", false}],
+    Supports = crypto:supports(),
+    Ciphers = proplists:get_value(ciphers, Supports),
+    Tests = [
+        {"3des-cbc", lists:member(des3_cbc, Ciphers)},
+        {"aes128-cbc", lists:member(aes_cbc128, Ciphers)},
+        {"aes128-ctr", lists:member(aes_ctr, Ciphers)},
+        {"aes256-cbc", false}
+    ],
     lists:foreach(fun({Cipher, Expect}) ->
         Cmd = "ssh -p " ++ integer_to_list(Port) ++
         " -o UserKnownHostsFile=" ++ KnownHosts ++ " " ++ Host ++ " " ++
@@ -266,7 +270,7 @@ erlang_server_openssh_client_cipher_suites(Config) when is_list(Config) ->
                     ct:fail("Did not receive no matching cipher message")
                 end
         end
-    end, Ciphers),
+    end, Tests),
 
      ssh:stop_daemon(Pid).
 
@@ -285,8 +289,10 @@ erlang_server_openssh_client_macs(Config) when is_list(Config) ->
 
     ct:sleep(500),
 
-    MACs = [{"hmac-sha1", true},
-        {"hmac-sha2-256", true},
+    Supports = crypto:supports(),
+    Hashs = proplists:get_value(hashs, Supports),
+    MACs = [{"hmac-sha1", lists:member(sha, Hashs)},
+        {"hmac-sha2-256", lists:member(sha256, Hashs)},
         {"hmac-md5-96", false},
         {"hmac-ripemd160", false}],
     lists:foreach(fun({MAC, Expect}) ->
-- 
cgit v1.2.3