Home Explore Help
Register Sign In
publics
/
crypto
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

ssh: remove chacha20-poly1305 from preferredCipher list

This effectively disables the cipher.

Add a test against OpenSSH which sends larger packets through the
tested ciphers. This reproduces the problem reported in golang/go#23510

Change-Id: I4b124c690c409c6a0af2621e58a964ff55815f57
Reviewed-on: https://go-review.googlesource.com/88995
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Han-Wen Nienhuys 7 years ago
parent
39efaea5da
commit
31469a2049
2 changed files with 39 additions and 13 deletions
Unified View Show Diff Stats
  1. 0 1
      ssh/common.go
  2. 39 12
      ssh/test/session_test.go

+ 0 - 1
ssh/common.go
View File 

@@ -38,7 +38,6 @@ var supportedCiphers = []string{
 
 var preferredCiphers = []string{
 
 var preferredCiphers = []string{
 
 	"aes128-ctr", "aes192-ctr", "aes256-ctr",
 
 	"aes128-ctr", "aes192-ctr", "aes256-ctr",
 
 	"aes128-gcm@openssh.com",
 
 	"aes128-gcm@openssh.com",
 
-	chacha20Poly1305ID,
 
 }
 
 }
 
 
 
 // supportedKexAlgos specifies the supported key-exchange algorithms in
 
 // supportedKexAlgos specifies the supported key-exchange algorithms in

+ 39 - 12
ssh/test/session_test.go
View File 

@@ -11,6 +11,7 @@ package test
 
 import (
 
 import (
 
 	"bytes"
 
 	"bytes"
 
 	"errors"
 
 	"errors"
 
+	"fmt"
 
 	"io"
 
 	"io"
 
 	"strings"
 
 	"strings"
 
 	"testing"
 
 	"testing"
 
@@ -324,6 +325,42 @@ func TestWindowChange(t *testing.T) {
 
 	}
 
 	}
 
 }
 
 }
 
 
 
+func testOneCipher(t *testing.T, cipher string, cipherOrder []string) {
 
+	server := newServer(t)
 
+	defer server.Shutdown()
 
+	conf := clientConfig()
 
+	conf.Ciphers = []string{cipher}
 
+	// Don't fail if sshd doesn't have the cipher.
 
+	conf.Ciphers = append(conf.Ciphers, cipherOrder...)
 
+	conn, err := server.TryDial(conf)
 
+	if err != nil {
 
+		t.Fatalf("TryDial: %v", err)
 
+	}
 
+	defer conn.Close()
 
+
 
+	numBytes := 4096
 
+
 
+	// Exercise sending data to the server
 
+	if _, _, err := conn.Conn.SendRequest("drop-me", false, make([]byte, numBytes)); err != nil {
 
+		t.Fatalf("SendRequest: %v", err)
 
+	}
 
+
 
+	// Exercise receiving data from the server
 
+	session, err := conn.NewSession()
 
+	if err != nil {
 
+		t.Fatalf("NewSession: %v", err)
 
+	}
 
+
 
+	out, err := session.Output(fmt.Sprintf("dd if=/dev/zero of=/dev/stdout bs=%d count=1", numBytes))
 
+	if err != nil {
 
+		t.Fatalf("Output: %v", err)
 
+	}
 
+
 
+	if len(out) != numBytes {
 
+		t.Fatalf("got %d bytes, want %d bytes", len(out), numBytes)
 
+	}
 
+}
 
+
 
 var deprecatedCiphers = []string{
 
 var deprecatedCiphers = []string{
 
 	"aes128-cbc", "3des-cbc",
 
 	"aes128-cbc", "3des-cbc",
 
 	"arcfour128", "arcfour256",
 
 	"arcfour128", "arcfour256",
 
@@ -336,21 +373,11 @@ func TestCiphers(t *testing.T) {
 
 
 
 	for _, ciph := range cipherOrder {
 
 	for _, ciph := range cipherOrder {
 
 		t.Run(ciph, func(t *testing.T) {
 
 		t.Run(ciph, func(t *testing.T) {
 
-			server := newServer(t)
 
-			defer server.Shutdown()
 
-			conf := clientConfig()
 
-			conf.Ciphers = []string{ciph}
 
-			// Don't fail if sshd doesn't have the cipher.
 
-			conf.Ciphers = append(conf.Ciphers, cipherOrder...)
 
-			conn, err := server.TryDial(conf)
 
-			if err == nil {
 
-				conn.Close()
 
-			} else {
 
-				t.Fatalf("failed for cipher %q", ciph)
 
-			}
 
+			testOneCipher(t, ciph, cipherOrder)
 
 		})
 
 		})
 
 	}
 
 	}
 
 }
 
 }
 
+
 
 func TestMACs(t *testing.T) {
 
 func TestMACs(t *testing.T) {
 
 	var config ssh.Config
 
 	var config ssh.Config
 
 	config.SetDefaults()
 
 	config.SetDefaults()