x/crypto/ssh: allow a custom Config to specify CBC mode.

Cryptographic flaws are so hard to kill it can only be a matter of time
before they start crying “brains!” and holding their arms out straight.

Fixes golang/go#13776.

Change-Id: Iee1c19dbe823eb8728e283dd11083638e41f7189
Reviewed-on: https://go-review.googlesource.com/18482
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
diff --git a/ssh/cipher.go b/ssh/cipher.go
index 3e06da0..2732963 100644
--- a/ssh/cipher.go
+++ b/ssh/cipher.go
@@ -115,9 +115,12 @@
 	// should invest a cleaner way to do this.
 	gcmCipherID: {16, 12, 0, nil},
 
-	// insecure cipher, see http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf
-	// uncomment below to enable it.
-	// aes128cbcID: {16, aes.BlockSize, 0, nil},
+	// CBC mode is insecure and so is not included in the default config.
+	// (See http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf). If absolutely
+	// needed, it's possible to specify a custom Config to enable it.
+	// You should expect that an active attacker can recover plaintext if
+	// you do.
+	aes128cbcID: {16, aes.BlockSize, 0, nil},
 }
 
 // prefixLen is the length of the packet prefix that contains the packet length
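Review bot: the replacement comment says CBC "is not included in the default config" but never names the list that actually decides that, so a reader of cipher.go cannot tell from this hunk whether the now-unconditional `aes128cbcID: {16, aes.BlockSize, 0, nil}` entry by itself makes the cipher negotiable or whether some other default cipher list still has to be bypassed. Name that list in the comment (e.g. "it is omitted from the default cipher list; add it to Config.Ciphers to enable it") and pair the change with a test asserting that a zero-value Config does not negotiate aes128-cbc, since with this entry present the default list is the only thing keeping the mode off, and an accidental addition there would re-enable it silently.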