
ssh: remove arcfour ciphers from the default preference list

OpenSSH removed these ciphers from sshd's default configuration with
release 6.7 in 2014.

Change-Id: Ia8b6d671dc8fa5d0493bf933d3b541f8ae5707a3
Reviewed-on: https://go-review.googlesource.com/86955
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Han-Wen Nienhuys 8 năm trước cách đây
mục cha
commit
1835319e08
3 tập tin đã thay đổi với 24 bổ sung8 xóa
  1. 6 1
      ssh/cipher_test.go
  2. 12 3
      ssh/common.go
  3. 6 4
      ssh/test/session_test.go

+ 6 - 1
ssh/cipher_test.go

@@ -15,7 +15,12 @@ import (
 func TestDefaultCiphersExist(t *testing.T) {
 	for _, cipherAlgo := range supportedCiphers {
 		if _, ok := cipherModes[cipherAlgo]; !ok {
-			t.Errorf("default cipher %q is unknown", cipherAlgo)
+			t.Errorf("supported cipher %q is unknown", cipherAlgo)
+		}
+	}
+	for _, cipherAlgo := range preferredCiphers {
+		if _, ok := cipherModes[cipherAlgo]; !ok {
+			t.Errorf("preferred cipher %q is unknown", cipherAlgo)
 		}
 	}
 }
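Review bot: Nothing in TestDefaultCiphersExist pins the property this commit is about: both loops only check that each name has a cipherModes entry, so a later edit that puts an arcfour or CBC cipher back into preferredCiphers would still pass. A third loop over preferredCiphers that fails on any of the legacy names would turn the default list into a guarded invariant. The identifiers used below are the ones that appear in the ssh/common.go section of this commit.

```go
	// … unchanged: the supportedCiphers and preferredCiphers lookups in cipherModes …
	legacy := map[string]bool{
		"arcfour": true, "arcfour128": true, "arcfour256": true,
		aes128cbcID: true, tripledescbcID: true,
	}
	for _, cipherAlgo := range preferredCiphers {
		if legacy[cipherAlgo] {
			t.Errorf("legacy cipher %q is in the default preference list", cipherAlgo)
		}
	}
```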

+ 12 - 3
ssh/common.go

@@ -24,12 +24,21 @@ const (
 	serviceSSH      = "ssh-connection"
 )
 
-// supportedCiphers specifies the supported ciphers in preference order.
+// supportedCiphers lists ciphers we support but might not recommend.
 var supportedCiphers = []string{
 	"aes128-ctr", "aes192-ctr", "aes256-ctr",
 	"aes128-gcm@openssh.com",
 	chacha20Poly1305ID,
-	"arcfour256", "arcfour128",
+	"arcfour256", "arcfour128", "arcfour",
+	aes128cbcID,
+	tripledescbcID,
+}
+
+// preferredCiphers specifies the default preference for ciphers.
+var preferredCiphers = []string{
+	"aes128-ctr", "aes192-ctr", "aes256-ctr",
+	"aes128-gcm@openssh.com",
+	chacha20Poly1305ID,
 }
 
 // supportedKexAlgos specifies the supported key-exchange algorithms in
@@ -212,7 +221,7 @@ func (c *Config) SetDefaults() {
 		c.Rand = rand.Reader
 	}
 	if c.Ciphers == nil {
-		c.Ciphers = supportedCiphers
+		c.Ciphers = preferredCiphers
 	}
 	var ciphers []string
 	for _, c := range c.Ciphers {
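Review bot: The new comment on supportedCiphers ("might not recommend") is too vague for a list that now carries `arcfour`, `aes128cbcID` and `tripledescbcID`, and the commit message does not mention that these three names are being added. I would state the contract explicitly, e.g. `// supportedCiphers lists the ciphers this package is willing to use, including legacy ones (arcfour*, CBC modes) kept for interoperability; SetDefaults never selects them unless they are named in Config.Ciphers.` The preferredCiphers comment should likewise say that it is the list SetDefaults applies when Config.Ciphers is nil. Whether supportedCiphers is consulted anywhere else is not visible in these hunks, so that wording should be checked against its other uses. SetDefaults starts before and continues past the second hunk.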

+ 6 - 4
ssh/test/session_test.go

@@ -324,13 +324,15 @@ func TestWindowChange(t *testing.T) {
 	}
 }
 
+var deprecatedCiphers = []string{
+	"aes128-cbc", "3des-cbc",
+	"arcfour128", "arcfour256",
+}
+
 func TestCiphers(t *testing.T) {
 	var config ssh.Config
 	config.SetDefaults()
-	cipherOrder := config.Ciphers
-	// These ciphers will not be tested when commented out in cipher.go it will
-	// fallback to the next available as per line 292.
-	cipherOrder = append(cipherOrder, "aes128-cbc", "3des-cbc")
+	cipherOrder := append(config.Ciphers, deprecatedCiphers...)
 
 	for _, ciph := range cipherOrder {
 		t.Run(ciph, func(t *testing.T) {
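Review bot: deprecatedCiphers leaves out `arcfour`, which the ssh/common.go change adds to supportedCiphers, so that cipher gets no subtest in TestCiphers. If the omission is deliberate (for instance because the test server does not offer it), a one-line comment on the variable should say so; otherwise the last row can become `"arcfour128", "arcfour256", "arcfour",`. The list also repeats the names as string literals in a second package, so it can drift from supportedCiphers without any test noticing. TestCiphers continues past the end of the hunk.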