ssh: export supported algorithms

Fixes golang/go#61537

Change-Id: If3478121e3ae445391e3faeceeb889d75e9e3214
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/531935
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Nicola Murino <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>

Author: drakkan

ssh/agent/client.go

@@ -555,7 +555,7 @@ func (c *client) insertKey(s interface{}, comment string, constraints []byte) er
 		})
 	case *dsa.PrivateKey:
 		req = ssh.Marshal(dsaKeyMsg{
-			Type:        ssh.KeyAlgoDSA,
+			Type:        ssh.InsecureKeyAlgoDSA,
 			P:           k.P,
 			Q:           k.Q,
 			G:           k.G,
@@ -803,16 +803,16 @@ var _ ssh.AlgorithmSigner = &agentKeyringSigner{}
 //
 // This map must be kept in sync with the one in certs.go.
 var certKeyAlgoNames = map[string]string{
-	ssh.CertAlgoRSAv01:        ssh.KeyAlgoRSA,
-	ssh.CertAlgoRSASHA256v01:  ssh.KeyAlgoRSASHA256,
-	ssh.CertAlgoRSASHA512v01:  ssh.KeyAlgoRSASHA512,
-	ssh.CertAlgoDSAv01:        ssh.KeyAlgoDSA,
-	ssh.CertAlgoECDSA256v01:   ssh.KeyAlgoECDSA256,
-	ssh.CertAlgoECDSA384v01:   ssh.KeyAlgoECDSA384,
-	ssh.CertAlgoECDSA521v01:   ssh.KeyAlgoECDSA521,
-	ssh.CertAlgoSKECDSA256v01: ssh.KeyAlgoSKECDSA256,
-	ssh.CertAlgoED25519v01:    ssh.KeyAlgoED25519,
-	ssh.CertAlgoSKED25519v01:  ssh.KeyAlgoSKED25519,
+	ssh.CertAlgoRSAv01:         ssh.KeyAlgoRSA,
+	ssh.CertAlgoRSASHA256v01:   ssh.KeyAlgoRSASHA256,
+	ssh.CertAlgoRSASHA512v01:   ssh.KeyAlgoRSASHA512,
+	ssh.InsecureCertAlgoDSAv01: ssh.InsecureKeyAlgoDSA,
+	ssh.CertAlgoECDSA256v01:    ssh.KeyAlgoECDSA256,
+	ssh.CertAlgoECDSA384v01:    ssh.KeyAlgoECDSA384,
+	ssh.CertAlgoECDSA521v01:    ssh.KeyAlgoECDSA521,
+	ssh.CertAlgoSKECDSA256v01:  ssh.KeyAlgoSKECDSA256,
+	ssh.CertAlgoED25519v01:     ssh.KeyAlgoED25519,
+	ssh.CertAlgoSKED25519v01:   ssh.KeyAlgoSKED25519,
 }
 
 // underlyingAlgo returns the signature algorithm associated with algo (which is

ssh/agent/server.go

@@ -506,15 +506,15 @@ func (s *server) insertIdentity(req []byte) error {
 	switch record.Type {
 	case ssh.KeyAlgoRSA:
 		addedKey, err = parseRSAKey(req)
-	case ssh.KeyAlgoDSA:
+	case ssh.InsecureKeyAlgoDSA:
 		addedKey, err = parseDSAKey(req)
 	case ssh.KeyAlgoECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521:
 		addedKey, err = parseECDSAKey(req)
 	case ssh.KeyAlgoED25519:
 		addedKey, err = parseEd25519Key(req)
 	case ssh.CertAlgoRSAv01:
 		addedKey, err = parseRSACert(req)
-	case ssh.CertAlgoDSAv01:
+	case ssh.InsecureCertAlgoDSAv01:
 		addedKey, err = parseDSACert(req)
 	case ssh.CertAlgoECDSA256v01, ssh.CertAlgoECDSA384v01, ssh.CertAlgoECDSA521v01:
 		addedKey, err = parseECDSACert(req)

ssh/certs.go

@@ -20,14 +20,19 @@ import (
 // returned by MultiAlgorithmSigner and don't appear in the Signature.Format
 // field.
 const (
-	CertAlgoRSAv01        = "[email protected]"
-	CertAlgoDSAv01        = "[email protected]"
-	CertAlgoECDSA256v01   = "[email protected]"
-	CertAlgoECDSA384v01   = "[email protected]"
-	CertAlgoECDSA521v01   = "[email protected]"
-	CertAlgoSKECDSA256v01 = "[email protected]"
-	CertAlgoED25519v01    = "[email protected]"
-	CertAlgoSKED25519v01  = "[email protected]"
+	CertAlgoRSAv01 = "[email protected]"
+	// Deprecated: DSA is only supported at insecure key sizes, and was removed
+	// from major implementations.
+	CertAlgoDSAv01 = InsecureCertAlgoDSAv01
+	// Deprecated: DSA is only supported at insecure key sizes, and was removed
+	// from major implementations.
+	InsecureCertAlgoDSAv01 = "[email protected]"
+	CertAlgoECDSA256v01    = "[email protected]"
+	CertAlgoECDSA384v01    = "[email protected]"
+	CertAlgoECDSA521v01    = "[email protected]"
+	CertAlgoSKECDSA256v01  = "[email protected]"
+	CertAlgoED25519v01     = "[email protected]"
+	CertAlgoSKED25519v01   = "[email protected]"
 
 	// CertAlgoRSASHA256v01 and CertAlgoRSASHA512v01 can't appear as a
 	// Certificate.Type (or PublicKey.Type), but only in
@@ -485,16 +490,16 @@ func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
 //
 // This map must be kept in sync with the one in agent/client.go.
 var certKeyAlgoNames = map[string]string{
-	CertAlgoRSAv01:        KeyAlgoRSA,
-	CertAlgoRSASHA256v01:  KeyAlgoRSASHA256,
-	CertAlgoRSASHA512v01:  KeyAlgoRSASHA512,
-	CertAlgoDSAv01:        KeyAlgoDSA,
-	CertAlgoECDSA256v01:   KeyAlgoECDSA256,
-	CertAlgoECDSA384v01:   KeyAlgoECDSA384,
-	CertAlgoECDSA521v01:   KeyAlgoECDSA521,
-	CertAlgoSKECDSA256v01: KeyAlgoSKECDSA256,
-	CertAlgoED25519v01:    KeyAlgoED25519,
-	CertAlgoSKED25519v01:  KeyAlgoSKED25519,
+	CertAlgoRSAv01:         KeyAlgoRSA,
+	CertAlgoRSASHA256v01:   KeyAlgoRSASHA256,
+	CertAlgoRSASHA512v01:   KeyAlgoRSASHA512,
+	InsecureCertAlgoDSAv01: InsecureKeyAlgoDSA,
+	CertAlgoECDSA256v01:    KeyAlgoECDSA256,
+	CertAlgoECDSA384v01:    KeyAlgoECDSA384,
+	CertAlgoECDSA521v01:    KeyAlgoECDSA521,
+	CertAlgoSKECDSA256v01:  KeyAlgoSKECDSA256,
+	CertAlgoED25519v01:     KeyAlgoED25519,
+	CertAlgoSKED25519v01:   KeyAlgoSKED25519,
 }
 
 // underlyingAlgo returns the signature algorithm associated with algo (which is

ssh/certs_test.go

@@ -297,7 +297,7 @@ func TestCertTypes(t *testing.T) {
 		{"legacyRSASigner", &legacyRSASigner{testSigners["rsa"]}, KeyAlgoRSA},
 		{"multiAlgoRSASignerSHA256", multiAlgoSignerSHA256, KeyAlgoRSASHA256},
 		{"multiAlgoRSASignerSHA512", multiAlgoSignerSHA512, KeyAlgoRSASHA512},
-		{CertAlgoDSAv01, testSigners["dsa"], ""},
+		{InsecureCertAlgoDSAv01, testSigners["dsa"], ""},
 	}
 
 	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

ssh/cipher.go

@@ -98,36 +98,36 @@ func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream,
 var cipherModes = map[string]*cipherMode{
 	// Ciphers from RFC 4344, which introduced many CTR-based ciphers. Algorithms
 	// are defined in the order specified in the RFC.
-	"aes128-ctr": {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	"aes192-ctr": {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	"aes256-ctr": {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
+	CipherAES128CTR: {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
+	CipherAES192CTR: {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
+	CipherAES256CTR: {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
 
 	// Ciphers from RFC 4345, which introduces security-improved arcfour ciphers.
 	// They are defined in the order specified in the RFC.
-	"arcfour128": {16, 0, streamCipherMode(1536, newRC4)},
-	"arcfour256": {32, 0, streamCipherMode(1536, newRC4)},
+	InsecureCipherRC4128: {16, 0, streamCipherMode(1536, newRC4)},
+	InsecureCipherRC4256: {32, 0, streamCipherMode(1536, newRC4)},
 
 	// Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
 	// Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
 	// RC4) has problems with weak keys, and should be used with caution."
 	// RFC 4345 introduces improved versions of Arcfour.
-	"arcfour": {16, 0, streamCipherMode(0, newRC4)},
+	InsecureCipherRC4: {16, 0, streamCipherMode(0, newRC4)},
 
 	// AEAD ciphers
-	gcm128CipherID:     {16, 12, newGCMCipher},
-	gcm256CipherID:     {32, 12, newGCMCipher},
-	chacha20Poly1305ID: {64, 0, newChaCha20Cipher},
+	CipherAES128GCM:        {16, 12, newGCMCipher},
+	CipherAES256GCM:        {32, 12, newGCMCipher},
+	CipherChaCha20Poly1305: {64, 0, newChaCha20Cipher},
 
 	// CBC mode is insecure and so is not included in the default config.
 	// (See https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf). If absolutely
 	// needed, it's possible to specify a custom Config to enable it.
 	// You should expect that an active attacker can recover plaintext if
 	// you do.
-	aes128cbcID: {16, aes.BlockSize, newAESCBCCipher},
+	InsecureCipherAES128CBC: {16, aes.BlockSize, newAESCBCCipher},
 
 	// 3des-cbc is insecure and is not included in the default
 	// config.
-	tripledescbcID: {24, des.BlockSize, newTripleDESCBCCipher},
+	InsecureCipherTripleDESCBC: {24, des.BlockSize, newTripleDESCBCCipher},
 }
 
 // prefixLen is the length of the packet prefix that contains the packet length
@@ -635,8 +635,6 @@ func (c *cbcCipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader
 	return nil
 }
 
-const chacha20Poly1305ID = "[email protected]"
-
 // chacha20Poly1305Cipher implements the [email protected]
 // AEAD, which is described here:
 //

ssh/cipher_test.go

@@ -22,16 +22,16 @@ func TestDefaultCiphersExist(t *testing.T) {
 			t.Errorf("supported cipher %q is unknown", cipherAlgo)
 		}
 	}
-	for _, cipherAlgo := range preferredCiphers {
+	for _, cipherAlgo := range defaultCiphers {
 		if _, ok := cipherModes[cipherAlgo]; !ok {
 			t.Errorf("preferred cipher %q is unknown", cipherAlgo)
 		}
 	}
 }
 
 func TestPacketCiphers(t *testing.T) {
-	defaultMac := "hmac-sha2-256"
-	defaultCipher := "aes128-ctr"
+	defaultMac := HMACSHA256
+	defaultCipher := CipherAES128CTR
 	for cipher := range cipherModes {
 		t.Run("cipher="+cipher,
 			func(t *testing.T) { testPacketCipher(t, cipher, defaultMac) })
@@ -47,7 +47,7 @@ func testPacketCipher(t *testing.T, cipher, mac string) {
 	algs := directionAlgorithms{
 		Cipher:      cipher,
 		MAC:         mac,
-		Compression: "none",
+		Compression: compressionNone,
 	}
 	client, err := newPacketCipher(clientKeys, algs, kr)
 	if err != nil {
@@ -78,9 +78,9 @@ func testPacketCipher(t *testing.T, cipher, mac string) {
 func TestCBCOracleCounterMeasure(t *testing.T) {
 	kr := &kexResult{Hash: crypto.SHA1}
 	algs := directionAlgorithms{
-		Cipher:      aes128cbcID,
-		MAC:         "hmac-sha1",
-		Compression: "none",
+		Cipher:      InsecureCipherAES128CBC,
+		MAC:         HMACSHA1,
+		Compression: compressionNone,
 	}
 	client, err := newPacketCipher(clientKeys, algs, kr)
 	if err != nil {
@@ -141,7 +141,7 @@ func TestCVE202143565(t *testing.T) {
 		constructPacket func(packetCipher) io.Reader
 	}{
 		{
-			cipher: gcm128CipherID,
+			cipher: CipherAES128GCM,
 			constructPacket: func(client packetCipher) io.Reader {
 				internalCipher := client.(*gcmCipher)
 				b := &bytes.Buffer{}
@@ -159,7 +159,7 @@ func TestCVE202143565(t *testing.T) {
 			},
 		},
 		{
-			cipher: chacha20Poly1305ID,
+			cipher: CipherChaCha20Poly1305,
 			constructPacket: func(client packetCipher) io.Reader {
 				internalCipher := client.(*chacha20Poly1305Cipher)
 				b := &bytes.Buffer{}
@@ -201,13 +201,13 @@ func TestCVE202143565(t *testing.T) {
 	}
 
 	for _, tc := range tests {
-		mac := "hmac-sha2-256"
+		mac := HMACSHA256
 
 		kr := &kexResult{Hash: crypto.SHA1}
 		algs := directionAlgorithms{
 			Cipher:      tc.cipher,
 			MAC:         mac,
-			Compression: "none",
+			Compression: compressionNone,
 		}
 		client, err := newPacketCipher(clientKeys, algs, kr)
 		if err != nil {

ssh/client_auth_test.go

@@ -324,6 +324,9 @@ func TestMethodInvalidAlgorithm(t *testing.T) {
 }
 
 func TestClientHMAC(t *testing.T) {
+	supportedAlgos := SupportedAlgorithms()
+	insecureAlgos := InsecureAlgorithms()
+	supportedMACs := append(supportedAlgos.MACs, insecureAlgos.MACs...)
 	for _, mac := range supportedMACs {
 		config := &ClientConfig{
 			User: "testuser",
@@ -349,7 +352,7 @@ func TestClientUnsupportedCipher(t *testing.T) {
 			PublicKeys(),
 		},
 		Config: Config{
-			Ciphers: []string{"aes128-cbc"}, // not currently supported
+			Ciphers: []string{"unsupported-cipher"}, // not currently supported
 		},
 	}
 	if err := tryAuth(t, config); err == nil {

ssh/client_test.go

@@ -292,7 +292,7 @@ func TestUnsupportedAlgorithm(t *testing.T) {
 		{
 			"unsupported and supported KEXs",
 			Config{
-				KeyExchanges: []string{"unsupported", kexAlgoCurve25519SHA256},
+				KeyExchanges: []string{"unsupported", KeyExchangeCurve25519},
 			},
 			"",
 		},
@@ -306,7 +306,7 @@ func TestUnsupportedAlgorithm(t *testing.T) {
 		{
 			"unsupported and supported ciphers",
 			Config{
-				Ciphers: []string{"unsupported", chacha20Poly1305ID},
+				Ciphers: []string{"unsupported", CipherChaCha20Poly1305},
 			},
 			"",
 		},
@@ -315,16 +315,16 @@ func TestUnsupportedAlgorithm(t *testing.T) {
 			Config{
 				MACs: []string{"unsupported"},
 				// MAC is used for non AAED ciphers.
-				Ciphers: []string{"aes256-ctr"},
+				Ciphers: []string{CipherAES256CTR},
 			},
 			"no common algorithm",
 		},
 		{
 			"unsupported and supported MACs",
 			Config{
-				MACs: []string{"unsupported", "[email protected]"},
+				MACs: []string{"unsupported", HMACSHA256ETM},
 				// MAC is used for non AAED ciphers.
-				Ciphers: []string{"aes256-ctr"},
+				Ciphers: []string{CipherAES256CTR},
 			},
 			"",
 		},