x/crypto/ssh: allow a custom Config to specify CBC mode.

Cryptographic flaws are so hard to kill it can only be a matter of time before they start crying “brains!” and holding their arms out straight. Fixes golang/go#13776. Change-Id: Iee1c19dbe823eb8728e283dd11083638e41f7189 Reviewed-on: https://go-review.googlesource.com/18482 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-01-09 19:40:53 -08:00 · 2016-01-09 19:40:53 -08:00 · 803f01ea27
--- a/ssh/cipher.go
+++ b/ssh/cipher.go
@ -115,9 +115,12 @@ var cipherModes = map[string]*streamCipherMode{
 	// should invest a cleaner way to do this.
 	gcmCipherID: {16, 12, 0, nil},

-	// insecure cipher, see http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf
-	// uncomment below to enable it.
-	// aes128cbcID: {16, aes.BlockSize, 0, nil},
+	// CBC mode is insecure and so is not included in the default config.
+	// (See http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf). If absolutely
+	// needed, it's possible to specify a custom Config to enable it.
+	// You should expect that an active attacker can recover plaintext if
+	// you do.
+	aes128cbcID: {16, aes.BlockSize, 0, nil},
 }

 // prefixLen is the length of the packet prefix that contains the packet length