Add support for Let's Encrypt http-01 challenge

vendor/golang.org/x/crypto/ssh/benchmark_test.go

@@ -40,7 +40,8 @@ func sshPipe() (Conn, *server, error) {
 	}
 
 	clientConf := ClientConfig{
-		User: "user",
+		User:            "user",
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 	serverConf := ServerConfig{
 		NoClientAuth: true,

vendor/golang.org/x/crypto/ssh/certs.go

@@ -340,7 +340,7 @@ func (c *CertChecker) Authenticate(conn ConnMetadata, pubKey PublicKey) (*Permis
 // the signature of the certificate.
 func (c *CertChecker) CheckCert(principal string, cert *Certificate) error {
 	if c.IsRevoked != nil && c.IsRevoked(cert) {
-		return fmt.Errorf("ssh: certicate serial %d revoked", cert.Serial)
+		return fmt.Errorf("ssh: certificate serial %d revoked", cert.Serial)
 	}
 
 	for opt := range cert.CriticalOptions {

vendor/golang.org/x/crypto/ssh/certs_test.go

@@ -6,10 +6,15 @@ package ssh
 
 import (
 	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
+	"net"
 	"reflect"
 	"testing"
 	"time"
+
+	"golang.org/x/crypto/ssh/testdata"
 )
 
 // Cert generated by ssh-keygen 6.0p1 Debian-4.
@@ -220,3 +225,111 @@ func TestHostKeyCert(t *testing.T) {
 		}
 	}
 }
+
+func TestCertTypes(t *testing.T) {
+	var testVars = []struct {
+		name string
+		keys func() Signer
+	}{
+		{
+			name: CertAlgoECDSA256v01,
+			keys: func() Signer {
+				s, _ := ParsePrivateKey(testdata.PEMBytes["ecdsap256"])
+				return s
+			},
+		},
+		{
+			name: CertAlgoECDSA384v01,
+			keys: func() Signer {
+				s, _ := ParsePrivateKey(testdata.PEMBytes["ecdsap384"])
+				return s
+			},
+		},
+		{
+			name: CertAlgoECDSA521v01,
+			keys: func() Signer {
+				s, _ := ParsePrivateKey(testdata.PEMBytes["ecdsap521"])
+				return s
+			},
+		},
+		{
+			name: CertAlgoED25519v01,
+			keys: func() Signer {
+				s, _ := ParsePrivateKey(testdata.PEMBytes["ed25519"])
+				return s
+			},
+		},
+		{
+			name: CertAlgoRSAv01,
+			keys: func() Signer {
+				s, _ := ParsePrivateKey(testdata.PEMBytes["rsa"])
+				return s
+			},
+		},
+		{
+			name: CertAlgoDSAv01,
+			keys: func() Signer {
+				s, _ := ParsePrivateKey(testdata.PEMBytes["dsa"])
+				return s
+			},
+		},
+	}
+
+	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("error generating host key: %v", err)
+	}
+
+	signer, err := NewSignerFromKey(k)
+	if err != nil {
+		t.Fatalf("error generating signer for ssh listener: %v", err)
+	}
+
+	conf := &ServerConfig{
+		PublicKeyCallback: func(c ConnMetadata, k PublicKey) (*Permissions, error) {
+			return new(Permissions), nil
+		},
+	}
+	conf.AddHostKey(signer)
+
+	for _, m := range testVars {
+		t.Run(m.name, func(t *testing.T) {
+
+			c1, c2, err := netPipe()
+			if err != nil {
+				t.Fatalf("netPipe: %v", err)
+			}
+			defer c1.Close()
+			defer c2.Close()
+
+			go NewServerConn(c1, conf)
+
+			priv := m.keys()
+			if err != nil {
+				t.Fatalf("error generating ssh pubkey: %v", err)
+			}
+
+			cert := &Certificate{
+				CertType: UserCert,
+				Key:      priv.PublicKey(),
+			}
+			cert.SignCert(rand.Reader, priv)
+
+			certSigner, err := NewCertSigner(cert, priv)
+			if err != nil {
+				t.Fatalf("error generating cert signer: %v", err)
+			}
+
+			config := &ClientConfig{
+				User:            "user",
+				HostKeyCallback: func(h string, r net.Addr, k PublicKey) error { return nil },
+				Auth:            []AuthMethod{PublicKeys(certSigner)},
+			}
+
+			_, _, _, err = NewClientConn(c2, "", config)
+			if err != nil {
+				t.Fatalf("error connecting: %v", err)
+			}
+		})
+	}
+}

vendor/golang.org/x/crypto/ssh/cipher.go

@@ -16,6 +16,9 @@ import (
 	"hash"
 	"io"
 	"io/ioutil"
+
+	"golang.org/x/crypto/internal/chacha20"
+	"golang.org/x/crypto/poly1305"
 )
 
 const (
@@ -53,78 +56,78 @@ func newRC4(key, iv []byte) (cipher.Stream, error) {
 	return rc4.NewCipher(key)
 }
 
-type streamCipherMode struct {
-	keySize    int
-	ivSize     int
-	skip       int
-	createFunc func(key, iv []byte) (cipher.Stream, error)
+type cipherMode struct {
+	keySize int
+	ivSize  int
+	create  func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error)
 }
 
-func (c *streamCipherMode) createStream(key, iv []byte) (cipher.Stream, error) {
-	if len(key) < c.keySize {
-		panic("ssh: key length too small for cipher")
-	}
-	if len(iv) < c.ivSize {
-		panic("ssh: iv too small for cipher")
-	}
-
-	stream, err := c.createFunc(key[:c.keySize], iv[:c.ivSize])
-	if err != nil {
-		return nil, err
-	}
-
-	var streamDump []byte
-	if c.skip > 0 {
-		streamDump = make([]byte, 512)
-	}
-
-	for remainingToDump := c.skip; remainingToDump > 0; {
-		dumpThisTime := remainingToDump
-		if dumpThisTime > len(streamDump) {
-			dumpThisTime = len(streamDump)
+func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream, error)) func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+	return func(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+		stream, err := createFunc(key, iv)
+		if err != nil {
+			return nil, err
 		}
-		stream.XORKeyStream(streamDump[:dumpThisTime], streamDump[:dumpThisTime])
-		remainingToDump -= dumpThisTime
-	}
 
-	return stream, nil
+		var streamDump []byte
+		if skip > 0 {
+			streamDump = make([]byte, 512)
+		}
+
+		for remainingToDump := skip; remainingToDump > 0; {
+			dumpThisTime := remainingToDump
+			if dumpThisTime > len(streamDump) {
+				dumpThisTime = len(streamDump)
+			}
+			stream.XORKeyStream(streamDump[:dumpThisTime], streamDump[:dumpThisTime])
+			remainingToDump -= dumpThisTime
+		}
+
+		mac := macModes[algs.MAC].new(macKey)
+		return &streamPacketCipher{
+			mac:       mac,
+			etm:       macModes[algs.MAC].etm,
+			macResult: make([]byte, mac.Size()),
+			cipher:    stream,
+		}, nil
+	}
 }
 
 // cipherModes documents properties of supported ciphers. Ciphers not included
 // are not supported and will not be negotiated, even if explicitly requested in
 // ClientConfig.Crypto.Ciphers.
-var cipherModes = map[string]*streamCipherMode{
+var cipherModes = map[string]*cipherMode{
 	// Ciphers from RFC4344, which introduced many CTR-based ciphers. Algorithms
 	// are defined in the order specified in the RFC.
-	"aes128-ctr": {16, aes.BlockSize, 0, newAESCTR},
-	"aes192-ctr": {24, aes.BlockSize, 0, newAESCTR},
-	"aes256-ctr": {32, aes.BlockSize, 0, newAESCTR},
+	"aes128-ctr": {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
+	"aes192-ctr": {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
+	"aes256-ctr": {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
 
 	// Ciphers from RFC4345, which introduces security-improved arcfour ciphers.
 	// They are defined in the order specified in the RFC.
-	"arcfour128": {16, 0, 1536, newRC4},
-	"arcfour256": {32, 0, 1536, newRC4},
+	"arcfour128": {16, 0, streamCipherMode(1536, newRC4)},
+	"arcfour256": {32, 0, streamCipherMode(1536, newRC4)},
 
 	// Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
 	// Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
 	// RC4) has problems with weak keys, and should be used with caution."
 	// RFC4345 introduces improved versions of Arcfour.
-	"arcfour": {16, 0, 0, newRC4},
+	"arcfour": {16, 0, streamCipherMode(0, newRC4)},
 
-	// AES-GCM is not a stream cipher, so it is constructed with a
-	// special case. If we add any more non-stream ciphers, we
-	// should invest a cleaner way to do this.
-	gcmCipherID: {16, 12, 0, nil},
+	// AEAD ciphers
+	gcmCipherID:        {16, 12, newGCMCipher},
+	chacha20Poly1305ID: {64, 0, newChaCha20Cipher},
 
 	// CBC mode is insecure and so is not included in the default config.
 	// (See http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf). If absolutely
 	// needed, it's possible to specify a custom Config to enable it.
 	// You should expect that an active attacker can recover plaintext if
 	// you do.
-	aes128cbcID: {16, aes.BlockSize, 0, nil},
+	aes128cbcID: {16, aes.BlockSize, newAESCBCCipher},
 
-	// 3des-cbc is insecure and is disabled by default.
-	tripledescbcID: {24, des.BlockSize, 0, nil},
+	// 3des-cbc is insecure and is not included in the default
+	// config.
+	tripledescbcID: {24, des.BlockSize, newTripleDESCBCCipher},
 }
 
 // prefixLen is the length of the packet prefix that contains the packet length
@@ -304,7 +307,7 @@ type gcmCipher struct {
 	buf    []byte
 }
 
-func newGCMCipher(iv, key []byte) (packetCipher, error) {
+func newGCMCipher(key, iv, unusedMacKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) {
 	c, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err
@@ -422,7 +425,7 @@ type cbcCipher struct {
 	oracleCamouflage uint32
 }
 
-func newCBCCipher(c cipher.Block, iv, key, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+func newCBCCipher(c cipher.Block, key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
 	cbc := &cbcCipher{
 		mac:        macModes[algs.MAC].new(macKey),
 		decrypter:  cipher.NewCBCDecrypter(c, iv),
@@ -436,13 +439,13 @@ func newCBCCipher(c cipher.Block, iv, key, macKey []byte, algs directionAlgorith
 	return cbc, nil
 }
 
-func newAESCBCCipher(iv, key, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+func newAESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
 	c, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err
 	}
 
-	cbc, err := newCBCCipher(c, iv, key, macKey, algs)
+	cbc, err := newCBCCipher(c, key, iv, macKey, algs)
 	if err != nil {
 		return nil, err
 	}
@@ -450,13 +453,13 @@ func newAESCBCCipher(iv, key, macKey []byte, algs directionAlgorithms) (packetCi
 	return cbc, nil
 }
 
-func newTripleDESCBCCipher(iv, key, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+func newTripleDESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
 	c, err := des.NewTripleDESCipher(key)
 	if err != nil {
 		return nil, err
 	}
 
-	cbc, err := newCBCCipher(c, iv, key, macKey, algs)
+	cbc, err := newCBCCipher(c, key, iv, macKey, algs)
 	if err != nil {
 		return nil, err
 	}
@@ -627,3 +630,142 @@ func (c *cbcCipher) writePacket(seqNum uint32, w io.Writer, rand io.Reader, pack
 
 	return nil
 }
+
+const chacha20Poly1305ID = "chacha20-poly1305@openssh.com"
+
+// chacha20Poly1305Cipher implements the chacha20-poly1305@openssh.com
+// AEAD, which is described here:
+//
+//   https://tools.ietf.org/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00
+//
+// the methods here also implement padding, which RFC4253 Section 6
+// also requires of stream ciphers.
+type chacha20Poly1305Cipher struct {
+	lengthKey  [32]byte
+	contentKey [32]byte
+	buf        []byte
+}
+
+func newChaCha20Cipher(key, unusedIV, unusedMACKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) {
+	if len(key) != 64 {
+		panic(len(key))
+	}
+
+	c := &chacha20Poly1305Cipher{
+		buf: make([]byte, 256),
+	}
+
+	copy(c.contentKey[:], key[:32])
+	copy(c.lengthKey[:], key[32:])
+	return c, nil
+}
+
+// The Poly1305 key is obtained by encrypting 32 0-bytes.
+var chacha20PolyKeyInput [32]byte
+
+func (c *chacha20Poly1305Cipher) readPacket(seqNum uint32, r io.Reader) ([]byte, error) {
+	var counter [16]byte
+	binary.BigEndian.PutUint64(counter[8:], uint64(seqNum))
+
+	var polyKey [32]byte
+	chacha20.XORKeyStream(polyKey[:], chacha20PolyKeyInput[:], &counter, &c.contentKey)
+
+	encryptedLength := c.buf[:4]
+	if _, err := io.ReadFull(r, encryptedLength); err != nil {
+		return nil, err
+	}
+
+	var lenBytes [4]byte
+	chacha20.XORKeyStream(lenBytes[:], encryptedLength, &counter, &c.lengthKey)
+
+	length := binary.BigEndian.Uint32(lenBytes[:])
+	if length > maxPacket {
+		return nil, errors.New("ssh: invalid packet length, packet too large")
+	}
+
+	contentEnd := 4 + length
+	packetEnd := contentEnd + poly1305.TagSize
+	if uint32(cap(c.buf)) < packetEnd {
+		c.buf = make([]byte, packetEnd)
+		copy(c.buf[:], encryptedLength)
+	} else {
+		c.buf = c.buf[:packetEnd]
+	}
+
+	if _, err := io.ReadFull(r, c.buf[4:packetEnd]); err != nil {
+		return nil, err
+	}
+
+	var mac [poly1305.TagSize]byte
+	copy(mac[:], c.buf[contentEnd:packetEnd])
+	if !poly1305.Verify(&mac, c.buf[:contentEnd], &polyKey) {
+		return nil, errors.New("ssh: MAC failure")
+	}
+
+	counter[0] = 1
+
+	plain := c.buf[4:contentEnd]
+	chacha20.XORKeyStream(plain, plain, &counter, &c.contentKey)
+
+	padding := plain[0]
+	if padding < 4 {
+		// padding is a byte, so it automatically satisfies
+		// the maximum size, which is 255.
+		return nil, fmt.Errorf("ssh: illegal padding %d", padding)
+	}
+
+	if int(padding)+1 >= len(plain) {
+		return nil, fmt.Errorf("ssh: padding %d too large", padding)
+	}
+
+	plain = plain[1 : len(plain)-int(padding)]
+
+	return plain, nil
+}
+
+func (c *chacha20Poly1305Cipher) writePacket(seqNum uint32, w io.Writer, rand io.Reader, payload []byte) error {
+	var counter [16]byte
+	binary.BigEndian.PutUint64(counter[8:], uint64(seqNum))
+
+	var polyKey [32]byte
+	chacha20.XORKeyStream(polyKey[:], chacha20PolyKeyInput[:], &counter, &c.contentKey)
+
+	// There is no blocksize, so fall back to multiple of 8 byte
+	// padding, as described in RFC 4253, Sec 6.
+	const packetSizeMultiple = 8
+
+	padding := packetSizeMultiple - (1+len(payload))%packetSizeMultiple
+	if padding < 4 {
+		padding += packetSizeMultiple
+	}
+
+	// size (4 bytes), padding (1), payload, padding, tag.
+	totalLength := 4 + 1 + len(payload) + padding + poly1305.TagSize
+	if cap(c.buf) < totalLength {
+		c.buf = make([]byte, totalLength)
+	} else {
+		c.buf = c.buf[:totalLength]
+	}
+
+	binary.BigEndian.PutUint32(c.buf, uint32(1+len(payload)+padding))
+	chacha20.XORKeyStream(c.buf, c.buf[:4], &counter, &c.lengthKey)
+	c.buf[4] = byte(padding)
+	copy(c.buf[5:], payload)
+	packetEnd := 5 + len(payload) + padding
+	if _, err := io.ReadFull(rand, c.buf[5+len(payload):packetEnd]); err != nil {
+		return err
+	}
+
+	counter[0] = 1
+	chacha20.XORKeyStream(c.buf[4:], c.buf[4:packetEnd], &counter, &c.contentKey)
+
+	var mac [poly1305.TagSize]byte
+	poly1305.Sum(&mac, c.buf[:packetEnd], &polyKey)
+
+	copy(c.buf[packetEnd:], mac[:])
+
+	if _, err := w.Write(c.buf); err != nil {
+		return err
+	}
+	return nil
+}

vendor/golang.org/x/crypto/ssh/cipher_test.go

@@ -7,7 +7,6 @@ package ssh
 import (
 	"bytes"
 	"crypto"
-	"crypto/aes"
 	"crypto/rand"
 	"testing"
 )
@@ -15,60 +14,63 @@ import (
 func TestDefaultCiphersExist(t *testing.T) {
 	for _, cipherAlgo := range supportedCiphers {
 		if _, ok := cipherModes[cipherAlgo]; !ok {
-			t.Errorf("default cipher %q is unknown", cipherAlgo)
+			t.Errorf("supported cipher %q is unknown", cipherAlgo)
+		}
+	}
+	for _, cipherAlgo := range preferredCiphers {
+		if _, ok := cipherModes[cipherAlgo]; !ok {
+			t.Errorf("preferred cipher %q is unknown", cipherAlgo)
 		}
 	}
 }
 
 func TestPacketCiphers(t *testing.T) {
-	// Still test aes128cbc cipher although it's commented out.
-	cipherModes[aes128cbcID] = &streamCipherMode{16, aes.BlockSize, 0, nil}
-	defer delete(cipherModes, aes128cbcID)
-
+	defaultMac := "hmac-sha2-256"
+	defaultCipher := "aes128-ctr"
 	for cipher := range cipherModes {
-		for mac := range macModes {
-			kr := &kexResult{Hash: crypto.SHA1}
-			algs := directionAlgorithms{
-				Cipher:      cipher,
-				MAC:         mac,
-				Compression: "none",
-			}
-			client, err := newPacketCipher(clientKeys, algs, kr)
-			if err != nil {
-				t.Errorf("newPacketCipher(client, %q, %q): %v", cipher, mac, err)
-				continue
-			}
-			server, err := newPacketCipher(clientKeys, algs, kr)
-			if err != nil {
-				t.Errorf("newPacketCipher(client, %q, %q): %v", cipher, mac, err)
-				continue
-			}
+		t.Run("cipher="+cipher,
+			func(t *testing.T) { testPacketCipher(t, cipher, defaultMac) })
+	}
+	for mac := range macModes {
+		t.Run("mac="+mac,
+			func(t *testing.T) { testPacketCipher(t, defaultCipher, mac) })
+	}
+}
 
-			want := "bla bla"
-			input := []byte(want)
-			buf := &bytes.Buffer{}
-			if err := client.writePacket(0, buf, rand.Reader, input); err != nil {
-				t.Errorf("writePacket(%q, %q): %v", cipher, mac, err)
-				continue
-			}
+func testPacketCipher(t *testing.T, cipher, mac string) {
+	kr := &kexResult{Hash: crypto.SHA1}
+	algs := directionAlgorithms{
+		Cipher:      cipher,
+		MAC:         mac,
+		Compression: "none",
+	}
+	client, err := newPacketCipher(clientKeys, algs, kr)
+	if err != nil {
+		t.Fatalf("newPacketCipher(client, %q, %q): %v", cipher, mac, err)
+	}
+	server, err := newPacketCipher(clientKeys, algs, kr)
+	if err != nil {
+		t.Fatalf("newPacketCipher(client, %q, %q): %v", cipher, mac, err)
+	}
 
-			packet, err := server.readPacket(0, buf)
-			if err != nil {
-				t.Errorf("readPacket(%q, %q): %v", cipher, mac, err)
-				continue
-			}
+	want := "bla bla"
+	input := []byte(want)
+	buf := &bytes.Buffer{}
+	if err := client.writePacket(0, buf, rand.Reader, input); err != nil {
+		t.Fatalf("writePacket(%q, %q): %v", cipher, mac, err)
+	}
 
-			if string(packet) != want {
-				t.Errorf("roundtrip(%q, %q): got %q, want %q", cipher, mac, packet, want)
-			}
-		}
+	packet, err := server.readPacket(0, buf)
+	if err != nil {
+		t.Fatalf("readPacket(%q, %q): %v", cipher, mac, err)
+	}
+
+	if string(packet) != want {
+		t.Errorf("roundtrip(%q, %q): got %q, want %q", cipher, mac, packet, want)
 	}
 }
 
 func TestCBCOracleCounterMeasure(t *testing.T) {
-	cipherModes[aes128cbcID] = &streamCipherMode{16, aes.BlockSize, 0, nil}
-	defer delete(cipherModes, aes128cbcID)
-
 	kr := &kexResult{Hash: crypto.SHA1}
 	algs := directionAlgorithms{
 		Cipher:      aes128cbcID,

vendor/golang.org/x/crypto/ssh/client_test.go

@@ -5,41 +5,77 @@
 package ssh
 
 import (
-	"net"
 	"strings"
 	"testing"
 )
 
-func testClientVersion(t *testing.T, config *ClientConfig, expected string) {
-	clientConn, serverConn := net.Pipe()
-	defer clientConn.Close()
-	receivedVersion := make(chan string, 1)
-	config.HostKeyCallback = InsecureIgnoreHostKey()
-	go func() {
-		version, err := readVersion(serverConn)
-		if err != nil {
-			receivedVersion <- ""
-		} else {
-			receivedVersion <- string(version)
-		}
-		serverConn.Close()
-	}()
-	NewClientConn(clientConn, "", config)
-	actual := <-receivedVersion
-	if actual != expected {
-		t.Fatalf("got %s; want %s", actual, expected)
+func TestClientVersion(t *testing.T) {
+	for _, tt := range []struct {
+		name      string
+		version   string
+		multiLine string
+		wantErr   bool
+	}{
+		{
+			name:    "default version",
+			version: packageVersion,
+		},
+		{
+			name:    "custom version",
+			version: "SSH-2.0-CustomClientVersionString",
+		},
+		{
+			name:      "good multi line version",
+			version:   packageVersion,
+			multiLine: strings.Repeat("ignored\r\n", 20),
+		},
+		{
+			name:      "bad multi line version",
+			version:   packageVersion,
+			multiLine: "bad multi line version",
+			wantErr:   true,
+		},
+		{
+			name:      "long multi line version",
+			version:   packageVersion,
+			multiLine: strings.Repeat("long multi line version\r\n", 50)[:256],
+			wantErr:   true,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			c1, c2, err := netPipe()
+			if err != nil {
+				t.Fatalf("netPipe: %v", err)
+			}
+			defer c1.Close()
+			defer c2.Close()
+			go func() {
+				if tt.multiLine != "" {
+					c1.Write([]byte(tt.multiLine))
+				}
+				NewClientConn(c1, "", &ClientConfig{
+					ClientVersion:   tt.version,
+					HostKeyCallback: InsecureIgnoreHostKey(),
+				})
+				c1.Close()
+			}()
+			conf := &ServerConfig{NoClientAuth: true}
+			conf.AddHostKey(testSigners["rsa"])
+			conn, _, _, err := NewServerConn(c2, conf)
+			if err == nil == tt.wantErr {
+				t.Fatalf("got err %v; wantErr %t", err, tt.wantErr)
+			}
+			if tt.wantErr {
+				// Don't verify the version on an expected error.
+				return
+			}
+			if got := string(conn.ClientVersion()); got != tt.version {
+				t.Fatalf("got %q; want %q", got, tt.version)
+			}
+		})
 	}
 }
 
-func TestCustomClientVersion(t *testing.T) {
-	version := "Test-Client-Version-0.0"
-	testClientVersion(t, &ClientConfig{ClientVersion: version}, version)
-}
-
-func TestDefaultClientVersion(t *testing.T) {
-	testClientVersion(t, &ClientConfig{}, packageVersion)
-}
-
 func TestHostKeyCheck(t *testing.T) {
 	for _, tt := range []struct {
 		name      string

vendor/golang.org/x/crypto/ssh/common.go

@@ -24,11 +24,21 @@ const (
 	serviceSSH      = "ssh-connection"
 )
 
-// supportedCiphers specifies the supported ciphers in preference order.
+// supportedCiphers lists ciphers we support but might not recommend.
 var supportedCiphers = []string{
 	"aes128-ctr", "aes192-ctr", "aes256-ctr",
 	"aes128-gcm@openssh.com",
-	"arcfour256", "arcfour128",
+	chacha20Poly1305ID,
+	"arcfour256", "arcfour128", "arcfour",
+	aes128cbcID,
+	tripledescbcID,
+}
+
+// preferredCiphers specifies the default preference for ciphers.
+var preferredCiphers = []string{
+	"aes128-gcm@openssh.com",
+	chacha20Poly1305ID,
+	"aes128-ctr", "aes192-ctr", "aes256-ctr",
 }
 
 // supportedKexAlgos specifies the supported key-exchange algorithms in
@@ -211,7 +221,7 @@ func (c *Config) SetDefaults() {
 		c.Rand = rand.Reader
 	}
 	if c.Ciphers == nil {
-		c.Ciphers = supportedCiphers
+		c.Ciphers = preferredCiphers
 	}
 	var ciphers []string
 	for _, c := range c.Ciphers {

vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go

@@ -414,7 +414,7 @@ func (db *hostKeyDB) Read(r io.Reader, filename string) error {
 
 // New creates a host key callback from the given OpenSSH host key
 // files. The returned callback is for use in
-// ssh.ClientConfig.HostKeyCallback. Hashed hostnames are not supported.
+// ssh.ClientConfig.HostKeyCallback.
 func New(files ...string) (ssh.HostKeyCallback, error) {
 	db := newHostKeyDB()
 	for _, fn := range files {

vendor/golang.org/x/crypto/ssh/server.go

@@ -256,7 +256,7 @@ func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error)
 func isAcceptableAlgo(algo string) bool {
 	switch algo {
 	case KeyAlgoRSA, KeyAlgoDSA, KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521, KeyAlgoED25519,
-		CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01:
+		CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01:
 		return true
 	}
 	return false

vendor/golang.org/x/crypto/ssh/terminal/util_windows.go

@@ -93,5 +93,13 @@ func ReadPassword(fd int) ([]byte, error) {
 		windows.SetConsoleMode(windows.Handle(fd), old)
 	}()
 
-	return readPasswordLine(os.NewFile(uintptr(fd), "stdin"))
+	var h windows.Handle
+	p, _ := windows.GetCurrentProcess()
+	if err := windows.DuplicateHandle(p, windows.Handle(fd), p, &h, 0, false, windows.DUPLICATE_SAME_ACCESS); err != nil {
+		return nil, err
+	}
+
+	f := os.NewFile(uintptr(h), "stdin")
+	defer f.Close()
+	return readPasswordLine(f)
 }

vendor/golang.org/x/crypto/ssh/test/session_test.go

@@ -11,6 +11,7 @@ package test
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
 	"strings"
 	"testing"
@@ -324,27 +325,56 @@ func TestWindowChange(t *testing.T) {
 	}
 }
 
+func testOneCipher(t *testing.T, cipher string, cipherOrder []string) {
+	server := newServer(t)
+	defer server.Shutdown()
+	conf := clientConfig()
+	conf.Ciphers = []string{cipher}
+	// Don't fail if sshd doesn't have the cipher.
+	conf.Ciphers = append(conf.Ciphers, cipherOrder...)
+	conn, err := server.TryDial(conf)
+	if err != nil {
+		t.Fatalf("TryDial: %v", err)
+	}
+	defer conn.Close()
+
+	numBytes := 4096
+
+	// Exercise sending data to the server
+	if _, _, err := conn.Conn.SendRequest("drop-me", false, make([]byte, numBytes)); err != nil {
+		t.Fatalf("SendRequest: %v", err)
+	}
+
+	// Exercise receiving data from the server
+	session, err := conn.NewSession()
+	if err != nil {
+		t.Fatalf("NewSession: %v", err)
+	}
+
+	out, err := session.Output(fmt.Sprintf("dd if=/dev/zero of=/dev/stdout bs=%d count=1", numBytes))
+	if err != nil {
+		t.Fatalf("Output: %v", err)
+	}
+
+	if len(out) != numBytes {
+		t.Fatalf("got %d bytes, want %d bytes", len(out), numBytes)
+	}
+}
+
+var deprecatedCiphers = []string{
+	"aes128-cbc", "3des-cbc",
+	"arcfour128", "arcfour256",
+}
+
 func TestCiphers(t *testing.T) {
 	var config ssh.Config
 	config.SetDefaults()
-	cipherOrder := config.Ciphers
-	// These ciphers will not be tested when commented out in cipher.go it will
-	// fallback to the next available as per line 292.
-	cipherOrder = append(cipherOrder, "aes128-cbc", "3des-cbc")
+	cipherOrder := append(config.Ciphers, deprecatedCiphers...)
 
 	for _, ciph := range cipherOrder {
-		server := newServer(t)
-		defer server.Shutdown()
-		conf := clientConfig()
-		conf.Ciphers = []string{ciph}
-		// Don't fail if sshd doesn't have the cipher.
-		conf.Ciphers = append(conf.Ciphers, cipherOrder...)
-		conn, err := server.TryDial(conf)
-		if err == nil {
-			conn.Close()
-		} else {
-			t.Fatalf("failed for cipher %q", ciph)
-		}
+		t.Run(ciph, func(t *testing.T) {
+			testOneCipher(t, ciph, cipherOrder)
+		})
 	}
 }
 

vendor/golang.org/x/crypto/ssh/testdata/keys.go

@@ -23,6 +23,27 @@ MHcCAQEEINGWx0zo6fhJ/0EAfrPzVFyFC9s18lBt3cRoEDhS3ARooAoGCCqGSM49
 AwEHoUQDQgAEi9Hdw6KvZcWxfg2IDhA7UkpDtzzt6ZqJXSsFdLd+Kx4S3Sx4cVO+
 6/ZOXRnPmNAlLUqjShUsUBBngG0u2fqEqA==
 -----END EC PRIVATE KEY-----
+`),
+	"ecdsap256": []byte(`-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAPCE25zK0PQSnsgVcEbM1mbKTASH4pqb5QJajplDwDZoAoGCCqGSM49
+AwEHoUQDQgAEWy8TxGcIHRh5XGpO4dFVfDjeNY+VkgubQrf/eyFJZHxAn1SKraXU
+qJUjTKj1z622OxYtJ5P7s9CfAEVsTzLCzg==
+-----END EC PRIVATE KEY-----
+`),
+	"ecdsap384": []byte(`-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDBWfSnMuNKq8J9rQLzzEkx3KAoEohSXqhE/4CdjEYtoU2i22HW80DDS
+qQhYNHRAduygBwYFK4EEACKhZANiAAQWaDMAd0HUd8ZiXCX7mYDDnC54gwH/nG43
+VhCUEYmF7HMZm/B9Yn3GjFk3qYEDEvuF/52+NvUKBKKaLbh32AWxMv0ibcoba4cz
+hL9+hWYhUD9XIUlzMWiZ2y6eBE9PdRI=
+-----END EC PRIVATE KEY-----
+`),
+	"ecdsap521": []byte(`-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBrkYpQcy8KTVHNiAkjlFZwee90224Bu6wz94R4OBo+Ts0eoAQG7SF
+iaygEDMUbx6kTgXTBcKZ0jrWPKakayNZ/kigBwYFK4EEACOhgYkDgYYABADFuvLV
+UoaCDGHcw5uNfdRIsvaLKuWSpLsl48eWGZAwdNG432GDVKduO+pceuE+8XzcyJb+
+uMv+D2b11Q/LQUcHJwE6fqbm8m3EtDKPsoKs0u/XUJb0JsH4J8lkZzbUTjvGYamn
+FFlRjzoB3Oxu8UQgb+MWPedtH9XYBbg9biz4jJLkXQ==
+-----END EC PRIVATE KEY-----
 `),
 	"rsa": []byte(`-----BEGIN RSA PRIVATE KEY-----
 MIICXAIBAAKBgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2

vendor/golang.org/x/crypto/ssh/transport.go

@@ -6,6 +6,7 @@ package ssh
 
 import (
 	"bufio"
+	"bytes"
 	"errors"
 	"io"
 	"log"
@@ -232,52 +233,22 @@ var (
 	clientKeys = direction{[]byte{'A'}, []byte{'C'}, []byte{'E'}}
 )
 
-// generateKeys generates key material for IV, MAC and encryption.
-func generateKeys(d direction, algs directionAlgorithms, kex *kexResult) (iv, key, macKey []byte) {
-	cipherMode := cipherModes[algs.Cipher]
-	macMode := macModes[algs.MAC]
-
-	iv = make([]byte, cipherMode.ivSize)
-	key = make([]byte, cipherMode.keySize)
-	macKey = make([]byte, macMode.keySize)
-
-	generateKeyMaterial(iv, d.ivTag, kex)
-	generateKeyMaterial(key, d.keyTag, kex)
-	generateKeyMaterial(macKey, d.macKeyTag, kex)
-	return
-}
-
 // setupKeys sets the cipher and MAC keys from kex.K, kex.H and sessionId, as
 // described in RFC 4253, section 6.4. direction should either be serverKeys
 // (to setup server->client keys) or clientKeys (for client->server keys).
 func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (packetCipher, error) {
-	iv, key, macKey := generateKeys(d, algs, kex)
+	cipherMode := cipherModes[algs.Cipher]
+	macMode := macModes[algs.MAC]
 
-	if algs.Cipher == gcmCipherID {
-		return newGCMCipher(iv, key)
-	}
+	iv := make([]byte, cipherMode.ivSize)
+	key := make([]byte, cipherMode.keySize)
+	macKey := make([]byte, macMode.keySize)
 
-	if algs.Cipher == aes128cbcID {
-		return newAESCBCCipher(iv, key, macKey, algs)
-	}
+	generateKeyMaterial(iv, d.ivTag, kex)
+	generateKeyMaterial(key, d.keyTag, kex)
+	generateKeyMaterial(macKey, d.macKeyTag, kex)
 
-	if algs.Cipher == tripledescbcID {
-		return newTripleDESCBCCipher(iv, key, macKey, algs)
-	}
-
-	c := &streamPacketCipher{
-		mac: macModes[algs.MAC].new(macKey),
-		etm: macModes[algs.MAC].etm,
-	}
-	c.macResult = make([]byte, c.mac.Size())
-
-	var err error
-	c.cipher, err = cipherModes[algs.Cipher].createStream(key, iv)
-	if err != nil {
-		return nil, err
-	}
-
-	return c, nil
+	return cipherModes[algs.Cipher].create(key, iv, macKey, algs)
 }
 
 // generateKeyMaterial fills out with key material generated from tag, K, H
@@ -342,7 +313,7 @@ func readVersion(r io.Reader) ([]byte, error) {
 	var ok bool
 	var buf [1]byte
 
-	for len(versionString) < maxVersionStringBytes {
+	for length := 0; length < maxVersionStringBytes; length++ {
 		_, err := io.ReadFull(r, buf[:])
 		if err != nil {
 			return nil, err
@@ -350,6 +321,13 @@ func readVersion(r io.Reader) ([]byte, error) {
 		// The RFC says that the version should be terminated with \r\n
 		// but several SSH servers actually only send a \n.
 		if buf[0] == '\n' {
+			if !bytes.HasPrefix(versionString, []byte("SSH-")) {
+				// RFC 4253 says we need to ignore all version string lines
+				// except the one containing the SSH version (provided that
+				// all the lines do not exceed 255 bytes in total).
+				versionString = versionString[:0]
+				continue
+			}
 			ok = true
 			break
 		}

vendor/golang.org/x/crypto/ssh/transport_test.go

@@ -13,11 +13,13 @@ import (
 )
 
 func TestReadVersion(t *testing.T) {
-	longversion := strings.Repeat("SSH-2.0-bla", 50)[:253]
+	longVersion := strings.Repeat("SSH-2.0-bla", 50)[:253]
+	multiLineVersion := strings.Repeat("ignored\r\n", 20) + "SSH-2.0-bla\r\n"
 	cases := map[string]string{
 		"SSH-2.0-bla\r\n":    "SSH-2.0-bla",
 		"SSH-2.0-bla\n":      "SSH-2.0-bla",
-		longversion + "\r\n": longversion,
+		multiLineVersion:     "SSH-2.0-bla",
+		longVersion + "\r\n": longVersion,
 	}
 
 	for in, want := range cases {
@@ -33,9 +35,11 @@ func TestReadVersion(t *testing.T) {
 }
 
 func TestReadVersionError(t *testing.T) {
-	longversion := strings.Repeat("SSH-2.0-bla", 50)[:253]
+	longVersion := strings.Repeat("SSH-2.0-bla", 50)[:253]
+	multiLineVersion := strings.Repeat("ignored\r\n", 50) + "SSH-2.0-bla\r\n"
 	cases := []string{
-		longversion + "too-long\r\n",
+		longVersion + "too-long\r\n",
+		multiLineVersion,
 	}
 	for _, in := range cases {
 		if _, err := readVersion(bytes.NewBufferString(in)); err == nil {
@@ -60,7 +64,7 @@ func TestExchangeVersionsBasic(t *testing.T) {
 func TestExchangeVersions(t *testing.T) {
 	cases := []string{
 		"not\x000allowed",
-		"not allowed\n",
+		"not allowed\x01\r\n",
 	}
 	for _, c := range cases {
 		buf := bytes.NewBufferString("SSH-2.0-bla\r\n")