Fix the display of MACs when AEAD is selected

kruton · kruton · commit 677089ac0e0b · 2025-11-05T09:45:33.000-08:00
This is mostly a cosmetic issue, but it is annoying me in ConnectBot.
diff --git a/src/main/java/com/trilead/ssh2/transport/KexManager.java b/src/main/java/com/trilead/ssh2/transport/KexManager.java
@@ -277,10 +277,22 @@ private NegotiatedParameters mergeKexParameters(KexParameters client, KexParamet
 			log.log(20, "enc_algo_client_to_server=" + np.enc_algo_client_to_server);
 			log.log(20, "enc_algo_server_to_client=" + np.enc_algo_server_to_client);
 
-			np.mac_algo_client_to_server = getFirstMatch(client.mac_algorithms_client_to_server,
-					server.mac_algorithms_client_to_server);
-			np.mac_algo_server_to_client = getFirstMatch(client.mac_algorithms_server_to_client,
-					server.mac_algorithms_server_to_client);
+			boolean c2s_is_aead = BlockCipherFactory.isAead(np.enc_algo_client_to_server);
+			boolean s2c_is_aead = BlockCipherFactory.isAead(np.enc_algo_server_to_client);
+
+			if (c2s_is_aead) {
+				np.mac_algo_client_to_server = null;
+			} else {
+				np.mac_algo_client_to_server = getFirstMatch(client.mac_algorithms_client_to_server,
+						server.mac_algorithms_client_to_server);
+			}
+
+			if (s2c_is_aead) {
+				np.mac_algo_server_to_client = null;
+			} else {
+				np.mac_algo_server_to_client = getFirstMatch(client.mac_algorithms_server_to_client,
+						server.mac_algorithms_server_to_client);
+			}
 
 			log.log(20, "mac_algo_client_to_server=" + np.mac_algo_client_to_server);
 			log.log(20, "mac_algo_server_to_client=" + np.mac_algo_server_to_client);
diff --git a/src/test/java/com/trilead/ssh2/AsyncSSHCompatibilityTest.java b/src/test/java/com/trilead/ssh2/AsyncSSHCompatibilityTest.java
@@ -201,6 +201,9 @@ public void canConnectWithCipherAes256Gcm() throws Exception {
 	}
 
 	private void setMac(Connection c, String mac) {
+		// This is needed because AEAD selection would result in null MAC.
+		setCiphers(c, "aes128-ctr");
+
 		c.setClient2ServerMACs(new String[] { mac });
 		c.setServer2ClientMACs(new String[] { mac });
 	}
diff --git a/src/test/java/com/trilead/ssh2/DropbearCompatibilityTest.java b/src/test/java/com/trilead/ssh2/DropbearCompatibilityTest.java
@@ -249,6 +249,9 @@ public void canConnectWithCipherChacha20Poly1305() throws Exception {
 	}
 
 	private void setMac(Connection c, String mac) {
+		// This is needed because AEAD selection would result in null MAC.
+		setCiphers(c, "aes128-ctr");
+
 		c.setClient2ServerMACs(new String[] { mac });
 		c.setServer2ClientMACs(new String[] { mac });
 	}
diff --git a/src/test/java/com/trilead/ssh2/OpenSSHCompatibilityTest.java b/src/test/java/com/trilead/ssh2/OpenSSHCompatibilityTest.java
@@ -80,7 +80,7 @@ private ConnectionInfo connectToServerWithOptions(@NotNull String options) throw
 
 	private void assertCanConnectToServerThatHasKeyType(@NotNull String keyPath, String keyType) throws IOException {
 		ConnectionInfo info = connectToServerWithOptions("-h " + keyPath);
-		assertThat(keyType, is(info.serverHostKeyAlgorithm));
+		assertThat(info.serverHostKeyAlgorithm, is(keyType));
 	}
 
 	private void canConnectWithPubkey(String keyFilename) throws Exception {
@@ -159,7 +159,7 @@ public void connectToEd25519Host() throws Exception {
 
 	private void assertCanConnectToServerWithKex(@NotNull String kexType) throws IOException {
 		ConnectionInfo info = connectToServerWithOptions("-oKexAlgorithms=" + kexType);
-		assertThat(kexType, is(info.keyExchangeAlgorithm));
+		assertThat(info.keyExchangeAlgorithm, is(kexType));
 	}
 
 	@Test
@@ -230,8 +230,8 @@ public void canConnectWithKexMlKem768X25519() throws Exception {
 
 	private void assertCanConnectToServerWithCipher(@NotNull String ciphers) throws IOException {
 		ConnectionInfo info = connectToServerWithOptions("-oCiphers=" + ciphers);
-		assertThat(ciphers, is(info.clientToServerCryptoAlgorithm));
-		assertThat(ciphers, is(info.serverToClientCryptoAlgorithm));
+		assertThat(info.clientToServerCryptoAlgorithm, is(ciphers));
+		assertThat(info.serverToClientCryptoAlgorithm, is(ciphers));
 	}
 
 	@Test
@@ -275,9 +275,9 @@ public void canConnectWithCipherChaCha20Poly1305() throws Exception {
 	}
 
 	private void assertCanConnectToServerWithMac(@NotNull String macs) throws IOException {
-		ConnectionInfo info = connectToServerWithOptions("-oMACs=" + macs);
-		assertThat(macs, is(info.clientToServerMACAlgorithm));
-		assertThat(macs, is(info.serverToClientMACAlgorithm));
+		ConnectionInfo info = connectToServerWithOptions("-oCiphers=aes128-ctr -oMACs=" + macs);
+		assertThat(info.clientToServerMACAlgorithm, is(macs));
+		assertThat(info.serverToClientMACAlgorithm, is(macs));
 	}
 
 	@Test
@@ -324,15 +324,15 @@ public void canConnectWithCompression() throws Exception {
 				}
 
 				ConnectionInfo info = c.getConnectionInfo();
-				assertThat("zlib@openssh.com", is(info.clientToServerCompressionAlgorithm));
-				assertThat("zlib@openssh.com", is(info.serverToClientCompressionAlgorithm));
+				assertThat(info.clientToServerCompressionAlgorithm, is("zlib@openssh.com"));
+				assertThat(info.serverToClientCompressionAlgorithm, is("zlib@openssh.com"));
 			}
 		}
 	}
 
 	private void canConnectWithHostKeyAlgorithm(String keyPath, String hostKeyAlgorithm) throws Exception {
 		ConnectionInfo info = connectToServerWithOptions("-h " + keyPath + " -oHostKeyAlgorithms=" + hostKeyAlgorithm);
-		assertThat(hostKeyAlgorithm, is(info.serverHostKeyAlgorithm));
+		assertThat(info.serverHostKeyAlgorithm, is(hostKeyAlgorithm));
 	}
 
 	@Test

Original file line number	Diff line number	Diff line change
`@@ -201,6 +201,9 @@ public void canConnectWithCipherAes256Gcm() throws Exception {`
`201`	`201`	`}`
`202`	`202`
`203`	`203`	`private void setMac(Connection c, String mac) {`
	`204`	`+ // This is needed because AEAD selection would result in null MAC.`
	`205`	`+ setCiphers(c, "aes128-ctr");`
	`206`	`+`
`204`	`207`	`c.setClient2ServerMACs(new String[] { mac });`
`205`	`208`	`c.setServer2ClientMACs(new String[] { mac });`
`206`	`209`	`}`
Original file line number	Diff line number	Diff line change
`@@ -249,6 +249,9 @@ public void canConnectWithCipherChacha20Poly1305() throws Exception {`
`249`	`249`	`}`
`250`	`250`
`251`	`251`	`private void setMac(Connection c, String mac) {`
	`252`	`+ // This is needed because AEAD selection would result in null MAC.`
	`253`	`+ setCiphers(c, "aes128-ctr");`
	`254`	`+`
`252`	`255`	`c.setClient2ServerMACs(new String[] { mac });`
`253`	`256`	`c.setServer2ClientMACs(new String[] { mac });`
`254`	`257`	`}`
Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ private ConnectionInfo connectToServerWithOptions(@NotNull String options) throw`
`80`	`80`
`81`	`81`	`private void assertCanConnectToServerThatHasKeyType(@NotNull String keyPath, String keyType) throws IOException {`
`82`	`82`	`ConnectionInfo info = connectToServerWithOptions("-h " + keyPath);`
`83`		`- assertThat(keyType, is(info.serverHostKeyAlgorithm));`
	`83`	`+ assertThat(info.serverHostKeyAlgorithm, is(keyType));`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`private void canConnectWithPubkey(String keyFilename) throws Exception {`
`@@ -159,7 +159,7 @@ public void connectToEd25519Host() throws Exception {`
`159`	`159`
`160`	`160`	`private void assertCanConnectToServerWithKex(@NotNull String kexType) throws IOException {`
`161`	`161`	`ConnectionInfo info = connectToServerWithOptions("-oKexAlgorithms=" + kexType);`
`162`		`- assertThat(kexType, is(info.keyExchangeAlgorithm));`
	`162`	`+ assertThat(info.keyExchangeAlgorithm, is(kexType));`
`163`	`163`	`}`
`164`	`164`
`165`	`165`	`@Test`
`@@ -230,8 +230,8 @@ public void canConnectWithKexMlKem768X25519() throws Exception {`
`230`	`230`
`231`	`231`	`private void assertCanConnectToServerWithCipher(@NotNull String ciphers) throws IOException {`
`232`	`232`	`ConnectionInfo info = connectToServerWithOptions("-oCiphers=" + ciphers);`
`233`		`- assertThat(ciphers, is(info.clientToServerCryptoAlgorithm));`
`234`		`- assertThat(ciphers, is(info.serverToClientCryptoAlgorithm));`
	`233`	`+ assertThat(info.clientToServerCryptoAlgorithm, is(ciphers));`
	`234`	`+ assertThat(info.serverToClientCryptoAlgorithm, is(ciphers));`
`235`	`235`	`}`
`236`	`236`
`237`	`237`	`@Test`
`@@ -275,9 +275,9 @@ public void canConnectWithCipherChaCha20Poly1305() throws Exception {`
`275`	`275`	`}`
`276`	`276`
`277`	`277`	`private void assertCanConnectToServerWithMac(@NotNull String macs) throws IOException {`
`278`		`- ConnectionInfo info = connectToServerWithOptions("-oMACs=" + macs);`
`279`		`- assertThat(macs, is(info.clientToServerMACAlgorithm));`
`280`		`- assertThat(macs, is(info.serverToClientMACAlgorithm));`
	`278`	`+ ConnectionInfo info = connectToServerWithOptions("-oCiphers=aes128-ctr -oMACs=" + macs);`
	`279`	`+ assertThat(info.clientToServerMACAlgorithm, is(macs));`
	`280`	`+ assertThat(info.serverToClientMACAlgorithm, is(macs));`
`281`	`281`	`}`
`282`	`282`
`283`	`283`	`@Test`
`@@ -324,15 +324,15 @@ public void canConnectWithCompression() throws Exception {`
`324`	`324`	`}`
`325`	`325`
`326`	`326`	`ConnectionInfo info = c.getConnectionInfo();`
`327`		`- assertThat("zlib@openssh.com", is(info.clientToServerCompressionAlgorithm));`
`328`		`- assertThat("zlib@openssh.com", is(info.serverToClientCompressionAlgorithm));`
	`327`	`+ assertThat(info.clientToServerCompressionAlgorithm, is("zlib@openssh.com"));`
	`328`	`+ assertThat(info.serverToClientCompressionAlgorithm, is("zlib@openssh.com"));`
`329`	`329`	`}`
`330`	`330`	`}`
`331`	`331`	`}`
`332`	`332`
`333`	`333`	`private void canConnectWithHostKeyAlgorithm(String keyPath, String hostKeyAlgorithm) throws Exception {`
`334`	`334`	`ConnectionInfo info = connectToServerWithOptions("-h " + keyPath + " -oHostKeyAlgorithms=" + hostKeyAlgorithm);`
`335`		`- assertThat(hostKeyAlgorithm, is(info.serverHostKeyAlgorithm));`
	`335`	`+ assertThat(info.serverHostKeyAlgorithm, is(hostKeyAlgorithm));`
`336`	`336`	`}`
`337`	`337`
`338`	`338`	`@Test`