net-ssh-net-ssh 2.0.12

data/test/transport/test_algorithms.rb

@@ -0,0 +1,302 @@
+require 'common'
+require 'net/ssh/transport/algorithms'
+
+module Transport
+
+  class TestAlgorithms < Test::Unit::TestCase
+    include Net::SSH::Transport::Constants
+
+    def test_allowed_packets
+      (0..255).each do |type|
+        packet = stub("packet", :type => type)
+        case type
+        when 1..4, 6..19, 21..49 then assert(Net::SSH::Transport::Algorithms.allowed_packet?(packet), "#{type} should be allowed during key exchange")
+        else assert(!Net::SSH::Transport::Algorithms.allowed_packet?(packet), "#{type} should not be allowed during key exchange")
+        end
+      end
+    end
+
+    def test_constructor_should_build_default_list_of_preferred_algorithms
+      assert_equal %w(ssh-rsa ssh-dss), algorithms[:host_key]
+      assert_equal %w(diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1), algorithms[:kex]
+      assert_equal %w(aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se idea-cbc none arcfour128 arcfour256), algorithms[:encryption]
+      assert_equal %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 none), algorithms[:hmac]
+      assert_equal %w(none zlib@openssh.com zlib), algorithms[:compression]
+      assert_equal %w(), algorithms[:language]
+    end
+
+    def test_constructor_should_set_client_and_server_prefs_identically
+      %w(encryption hmac compression language).each do |key|
+        assert_equal algorithms[key.to_sym], algorithms[:"#{key}_client"], key
+        assert_equal algorithms[key.to_sym], algorithms[:"#{key}_server"], key
+      end
+    end
+
+    def test_constructor_with_preferred_host_key_type_should_put_preferred_host_key_type_first
+      assert_equal %w(ssh-dss ssh-rsa), algorithms(:host_key => "ssh-dss")[:host_key]
+    end
+
+    def test_constructor_with_known_hosts_reporting_known_host_key_should_use_that_host_key_type
+      Net::SSH::KnownHosts.expects(:search_for).with("net.ssh.test,127.0.0.1", {}).returns([stub("key", :ssh_type => "ssh-dss")])
+      assert_equal %w(ssh-dss ssh-rsa), algorithms[:host_key]
+    end
+
+    def test_constructor_with_unrecognized_host_key_type_should_raise_exception
+      assert_raises(NotImplementedError) { algorithms(:host_key => "bogus") }
+    end
+
+    def test_constructor_with_preferred_kex_should_put_preferred_kex_first
+      assert_equal %w(diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1), algorithms(:kex => "diffie-hellman-group1-sha1")[:kex]
+    end
+
+    def test_constructor_with_unrecognized_kex_should_raise_exception
+      assert_raises(NotImplementedError) { algorithms(:kex => "bogus") }
+    end
+
+    def test_constructor_with_preferred_encryption_should_put_preferred_encryption_first
+      assert_equal %w(aes256-cbc aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc rijndael-cbc@lysator.liu.se idea-cbc none arcfour128 arcfour256), algorithms(:encryption => "aes256-cbc")[:encryption]
+    end
+
+    def test_constructor_with_multiple_preferred_encryption_should_put_all_preferred_encryption_first
+      assert_equal %w(aes256-cbc 3des-cbc idea-cbc aes128-cbc blowfish-cbc cast128-cbc aes192-cbc rijndael-cbc@lysator.liu.se none arcfour128 arcfour256), algorithms(:encryption => %w(aes256-cbc 3des-cbc idea-cbc))[:encryption]
+    end
+
+    def test_constructor_with_unrecognized_encryption_should_raise_exception
+      assert_raises(NotImplementedError) { algorithms(:encryption => "bogus") }
+    end
+
+    def test_constructor_with_preferred_hmac_should_put_preferred_hmac_first
+      assert_equal %w(hmac-md5-96 hmac-sha1 hmac-md5 hmac-sha1-96 none), algorithms(:hmac => "hmac-md5-96")[:hmac]
+    end
+
+    def test_constructor_with_multiple_preferred_hmac_should_put_all_preferred_hmac_first
+      assert_equal %w(hmac-md5-96 hmac-sha1-96 hmac-sha1 hmac-md5 none), algorithms(:hmac => %w(hmac-md5-96 hmac-sha1-96))[:hmac]
+    end
+
+    def test_constructor_with_unrecognized_hmac_should_raise_exception
+      assert_raises(NotImplementedError) { algorithms(:hmac => "bogus") }
+    end
+
+    def test_constructor_with_preferred_compression_should_put_preferred_compression_first
+      assert_equal %w(zlib none zlib@openssh.com), algorithms(:compression => "zlib")[:compression]
+    end
+
+    def test_constructor_with_multiple_preferred_compression_should_put_all_preferred_compression_first
+      assert_equal %w(zlib@openssh.com zlib none), algorithms(:compression => %w(zlib@openssh.com zlib))[:compression]
+    end
+
+    def test_constructor_with_general_preferred_compression_should_put_none_last
+      assert_equal %w(zlib@openssh.com zlib none), algorithms(:compression => true)[:compression]
+    end
+
+    def test_constructor_with_unrecognized_compression_should_raise_exception
+      assert_raises(NotImplementedError) { algorithms(:compression => "bogus") }
+    end
+
+    def test_initial_state_should_be_neither_pending_nor_initialized
+      assert !algorithms.pending?
+      assert !algorithms.initialized?
+    end
+
+    def test_key_exchange_when_initiated_by_server
+      transport.expect do |t, buffer|
+        assert_kexinit(buffer)
+        install_mock_key_exchange(buffer)
+      end
+
+      install_mock_algorithm_lookups
+      algorithms.accept_kexinit(kexinit)
+
+      assert_exchange_results
+    end
+
+    def test_key_exchange_when_initiated_by_client
+      state = nil
+      transport.expect do |t, buffer|
+        assert_kexinit(buffer)
+        state = :sent_kexinit
+        install_mock_key_exchange(buffer)
+      end
+
+      algorithms.rekey!
+      assert_equal state, :sent_kexinit
+      assert algorithms.pending?
+
+      install_mock_algorithm_lookups
+      algorithms.accept_kexinit(kexinit)
+
+      assert_exchange_results
+    end
+
+    def test_key_exchange_when_server_does_not_support_preferred_kex_should_fallback_to_secondary
+      kexinit :kex => "diffie-hellman-group1-sha1"
+      transport.expect do |t,buffer|
+        assert_kexinit(buffer)
+        install_mock_key_exchange(buffer, :kex => Net::SSH::Transport::Kex::DiffieHellmanGroup1SHA1)
+      end
+      algorithms.accept_kexinit(kexinit)
+    end
+
+    def test_key_exchange_when_server_does_not_support_any_preferred_kex_should_raise_error
+      kexinit :kex => "something-obscure"
+      transport.expect { |t,buffer| assert_kexinit(buffer) }
+      assert_raises(Net::SSH::Exception) { algorithms.accept_kexinit(kexinit) }
+    end
+
+    def test_allow_when_not_pending_should_be_true_for_all_packets
+      (0..255).each do |type|
+        packet = stub("packet", :type => type)
+        assert algorithms.allow?(packet), type
+      end
+    end
+
+    def test_allow_when_pending_should_be_true_only_for_packets_valid_during_key_exchange
+      transport.expect!
+      algorithms.rekey!
+      assert algorithms.pending?
+
+      (0..255).each do |type|
+        packet = stub("packet", :type => type)
+        case type
+        when 1..4, 6..19, 21..49 then assert(algorithms.allow?(packet), "#{type} should be allowed during key exchange")
+        else assert(!algorithms.allow?(packet), "#{type} should not be allowed during key exchange")
+        end
+      end
+    end
+
+    def test_exchange_with_zlib_compression_enabled_sets_compression_to_standard
+      algorithms :compression => "zlib"
+
+      transport.expect do |t, buffer|
+        assert_kexinit(buffer, :compression_client => "zlib,none,zlib@openssh.com", :compression_server => "zlib,none,zlib@openssh.com")
+        install_mock_key_exchange(buffer)
+      end
+
+      install_mock_algorithm_lookups
+      algorithms.accept_kexinit(kexinit)
+
+      assert_equal :standard, transport.client_options[:compression]
+      assert_equal :standard, transport.server_options[:compression]
+    end
+
+    def test_exchange_with_zlib_at_openssh_dot_com_compression_enabled_sets_compression_to_delayed
+      algorithms :compression => "zlib@openssh.com"
+
+      transport.expect do |t, buffer|
+        assert_kexinit(buffer, :compression_client => "zlib@openssh.com,none,zlib", :compression_server => "zlib@openssh.com,none,zlib")
+        install_mock_key_exchange(buffer)
+      end
+
+      install_mock_algorithm_lookups
+      algorithms.accept_kexinit(kexinit)
+
+      assert_equal :delayed, transport.client_options[:compression]
+      assert_equal :delayed, transport.server_options[:compression]
+    end
+
+    private
+
+      def install_mock_key_exchange(buffer, options={})
+        kex = options[:kex] || Net::SSH::Transport::Kex::DiffieHellmanGroupExchangeSHA1
+
+        Net::SSH::Transport::Kex::MAP.each do |name, klass|
+          next if klass == kex
+          klass.expects(:new).never
+        end
+
+        kex.expects(:new).
+          with(algorithms, transport,
+            :client_version_string => Net::SSH::Transport::ServerVersion::PROTO_VERSION,
+            :server_version_string => transport.server_version.version,
+            :server_algorithm_packet => kexinit.to_s,
+            :client_algorithm_packet => buffer.to_s,
+            :need_bytes => 20,
+            :logger => nil).
+          returns(stub("kex", :exchange_keys => { :shared_secret => shared_secret, :session_id => session_id, :hashing_algorithm => hashing_algorithm }))
+      end
+
+      def install_mock_algorithm_lookups(options={})
+        Net::SSH::Transport::CipherFactory.expects(:get).
+          with(options[:client_cipher] || "aes128-cbc", :iv => key("A"), :key => key("C"), :shared => shared_secret.to_ssh, :hash => session_id, :digester => hashing_algorithm, :encrypt => true).
+          returns(:client_cipher)
+        Net::SSH::Transport::CipherFactory.expects(:get).
+          with(options[:server_cipher] || "aes128-cbc", :iv => key("B"), :key => key("D"), :shared => shared_secret.to_ssh, :hash => session_id, :digester => hashing_algorithm, :decrypt => true).
+          returns(:server_cipher)
+
+        Net::SSH::Transport::HMAC.expects(:get).with(options[:client_hmac] || "hmac-sha1", key("E")).returns(:client_hmac)
+        Net::SSH::Transport::HMAC.expects(:get).with(options[:server_hmac] || "hmac-sha1", key("F")).returns(:server_hmac)
+      end
+
+      def shared_secret
+        @shared_secret ||= OpenSSL::BN.new("1234567890", 10)
+      end
+
+      def session_id
+        @session_id ||= "this is the session id"
+      end
+
+      def hashing_algorithm
+        OpenSSL::Digest::SHA1
+      end
+
+      def key(salt)
+        hashing_algorithm.digest(shared_secret.to_ssh + session_id + salt + session_id)
+      end
+
+      def cipher(type, options={})
+        Net::SSH::Transport::CipherFactory.get(type, options)
+      end
+
+      def kexinit(options={})
+        @kexinit ||= P(:byte, KEXINIT,
+          :long, rand(0xFFFFFFFF), :long, rand(0xFFFFFFFF), :long, rand(0xFFFFFFFF), :long, rand(0xFFFFFFFF),
+          :string, options[:kex] || "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",
+          :string, options[:host_key] || "ssh-rsa,ssh-dss",
+          :string, options[:encryption_client] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc",
+          :string, options[:encryption_server] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc",
+          :string, options[:hmac_client] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96",
+          :string, options[:hmac_server] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96",
+          :string, options[:compmression_client] || "none,zlib@openssh.com,zlib",
+          :string, options[:compmression_server] || "none,zlib@openssh.com,zlib",
+          :string, options[:language_client] || "",
+          :string, options[:langauge_server] || "",
+          :bool, options[:first_kex_follows])
+      end
+
+      def assert_kexinit(buffer, options={})
+        assert_equal KEXINIT, buffer.type
+        assert_equal 16, buffer.read(16).length
+        assert_equal options[:kex] || "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1", buffer.read_string
+        assert_equal options[:host_key] || "ssh-rsa,ssh-dss", buffer.read_string
+        assert_equal options[:encryption_client] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc,none,arcfour128,arcfour256", buffer.read_string
+        assert_equal options[:encryption_server] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc,none,arcfour128,arcfour256", buffer.read_string
+        assert_equal options[:hmac_client] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,none", buffer.read_string
+        assert_equal options[:hmac_server] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,none", buffer.read_string
+        assert_equal options[:compression_client] || "none,zlib@openssh.com,zlib", buffer.read_string
+        assert_equal options[:compression_server] || "none,zlib@openssh.com,zlib", buffer.read_string
+        assert_equal options[:language_client] || "", buffer.read_string
+        assert_equal options[:language_server] || "", buffer.read_string
+        assert_equal options[:first_kex_follows] || false, buffer.read_bool
+      end
+
+      def assert_exchange_results
+        assert algorithms.initialized?
+        assert !algorithms.pending?
+        assert !transport.client_options[:compression]
+        assert !transport.server_options[:compression]
+        assert_equal :client_cipher, transport.client_options[:cipher]
+        assert_equal :server_cipher, transport.server_options[:cipher]
+        assert_equal :client_hmac, transport.client_options[:hmac]
+        assert_equal :server_hmac, transport.server_options[:hmac]
+      end
+
+      def algorithms(options={})
+        @algorithms ||= Net::SSH::Transport::Algorithms.new(transport, options)
+      end
+
+      def transport
+        @transport ||= MockTransport.new
+      end
+  end
+
+end

data/test/transport/test_cipher_factory.rb

@@ -0,0 +1,171 @@
+require 'common'
+require 'net/ssh/transport/cipher_factory'
+
+module Transport
+
+  class TestCipherFactory < Test::Unit::TestCase
+    def self.if_supported?(name)
+      yield if Net::SSH::Transport::CipherFactory.supported?(name)
+    end
+
+    def test_lengths_for_none
+      assert_equal [0,0], factory.get_lengths("none")
+      assert_equal [0,0], factory.get_lengths("bogus")
+    end
+
+    def test_lengths_for_blowfish_cbc
+      assert_equal [16,8], factory.get_lengths("blowfish-cbc")
+    end
+
+    if_supported?("idea-cbc") do
+      def test_lengths_for_idea_cbc
+        assert_equal [16,8], factory.get_lengths("idea-cbc")
+      end
+    end
+
+    def test_lengths_for_rijndael_cbc
+      assert_equal [32,16], factory.get_lengths("rijndael-cbc@lysator.liu.se")
+    end
+
+    def test_lengths_for_cast128_cbc
+      assert_equal [16,8], factory.get_lengths("cast128-cbc")
+    end
+
+    def test_lengths_for_3des_cbc
+      assert_equal [24,8], factory.get_lengths("3des-cbc")
+    end
+
+    def test_lengths_for_aes192_cbc
+      assert_equal [24,16], factory.get_lengths("aes192-cbc")
+    end
+
+    def test_lengths_for_aes128_cbc
+      assert_equal [16,16], factory.get_lengths("aes128-cbc")
+    end
+
+    def test_lengths_for_aes256_cbc
+      assert_equal [32,16], factory.get_lengths("aes256-cbc")
+    end
+
+    BLOWFISH = "\210\021\200\315\240_\026$\352\204g\233\244\242x\332e\370\001\327\224Nv@9_\323\037\252kb\037\036\237\375]\343/y\037\237\312Q\f7]\347Y\005\275%\377\0010$G\272\250B\265Nd\375\342\372\025r6}+Y\213y\n\237\267\\\374^\346BdJ$\353\220Ik\023<\236&H\277=\225"
+
+    def test_blowfish_cbc_for_encryption
+      assert_equal BLOWFISH, encrypt("blowfish-cbc")
+    end
+
+    def test_blowfish_cbc_for_decryption
+      assert_equal TEXT, decrypt("blowfish-cbc", BLOWFISH)
+    end
+
+    if_supported?("idea-cbc") do
+      IDEA = "W\234\017G\231\b\357\370H\b\256U]\343M\031k\233]~\023C\363\263\177\262-\261\341$\022\376mv\217\322\b\2763\270H\306\035\343z\313\312\3531\351\t\201\302U\022\360\300\354ul7$z\320O]\360g\024\305\005`V\005\335A\351\312\270c\320D\232\eQH1\340\265\2118\031g*\303v"
+
+      def test_idea_cbc_for_encryption
+        assert_equal IDEA, encrypt("idea-cbc")
+      end
+
+      def test_idea_cbc_for_decryption
+        assert_equal TEXT, decrypt("idea-cbc", IDEA)
+      end
+    end
+
+    RIJNDAEL = "$\253\271\255\005Z\354\336&\312\324\221\233\307Mj\315\360\310Fk\241EfN\037\231\213\361{'\310\204\347I\343\271\005\240`\325;\034\346uM>#\241\231C`\374\261\vo\226;Z\302:\b\250\366T\330\\#V\330\340\226\363\374!\bm\266\232\207!\232\347\340\t\307\370\356z\236\343=v\210\206y"
+
+    def test_rijndael_cbc_for_encryption
+      assert_equal RIJNDAEL, encrypt("rijndael-cbc@lysator.liu.se")
+    end
+
+    def test_rijndael_cbc_for_decryption
+      assert_equal TEXT, decrypt("rijndael-cbc@lysator.liu.se", RIJNDAEL)
+    end
+
+    CAST128 = "qW\302\331\333P\223t[9 ~(sg\322\271\227\272\022I\223\373p\255>k\326\314\260\2003\236C_W\211\227\373\205>\351\334\322\227\223\e\236\202Ii\032!P\214\035:\017\360h7D\371v\210\264\317\236a\262w1\2772\023\036\331\227\240:\f/X\351\324I\t[x\350\323E\2301\016m"
+
+    def test_cast128_cbc_for_encryption
+      assert_equal CAST128, encrypt("cast128-cbc")
+    end
+
+    def test_cast128_cbc_for_decryption
+      assert_equal TEXT, decrypt("cast128-cbc", CAST128)
+    end
+
+    TRIPLE_DES = "\322\252\216D\303Q\375gg\367A{\177\313\3436\272\353%\223K?\257\206|\r&\353/%\340\336 \203E8rY\206\234\004\274\267\031\233T/{\"\227/B!i?[qGaw\306T\206\223\213n \212\032\244%]@\355\250\334\312\265E\251\017\361\270\357\230\274KP&^\031r+r%\370"
+
+    def test_3des_cbc_for_encryption
+      assert_equal TRIPLE_DES, encrypt("3des-cbc")
+    end
+
+    def test_3des_cbc_for_decryption
+      assert_equal TEXT, decrypt("3des-cbc", TRIPLE_DES)
+    end
+
+    AES128 = "k\026\350B\366-k\224\313\3277}B\035\004\200\035\r\233\024$\205\261\231Q\2214r\245\250\360\315\237\266hg\262C&+\321\346Pf\267v\376I\215P\327\345-\232&HK\375\326_\030<\a\276\212\303g\342C\242O\233\260\006\001a&V\345`\\T\e\236.\207\223l\233ri^\v\252\363\245"
+
+    def test_aes128_cbc_for_encryption
+      assert_equal AES128, encrypt("aes128-cbc")
+    end
+
+    def test_aes128_cbc_for_decryption
+      assert_equal TEXT, decrypt("aes128-cbc", AES128)
+    end
+
+    AES192 = "\256\017)x\270\213\336\303L\003f\235'jQ\3231k9\225\267\242\364C4\370\224\201\302~\217I\202\374\2167='\272\037\225\223\177Y\r\212\376(\275\n\3553\377\177\252C\254\236\016MA\274Z@H\331<\rL\317\205\323[\305X8\376\237=\374\352bH9\244\0231\353\204\352p\226\326~J\242"
+
+    def test_aes192_cbc_for_encryption
+      assert_equal AES192, encrypt("aes192-cbc")
+    end
+
+    def test_aes192_cbc_for_decryption
+      assert_equal TEXT, decrypt("aes192-cbc", AES192)
+    end
+
+    AES256 = "$\253\271\255\005Z\354\336&\312\324\221\233\307Mj\315\360\310Fk\241EfN\037\231\213\361{'\310\204\347I\343\271\005\240`\325;\034\346uM>#\241\231C`\374\261\vo\226;Z\302:\b\250\366T\330\\#V\330\340\226\363\374!\bm\266\232\207!\232\347\340\t\307\370\356z\236\343=v\210\206y"
+
+    def test_aes256_cbc_for_encryption
+      assert_equal AES256, encrypt("aes256-cbc")
+    end
+
+    def test_aes256_cbc_for_decryption
+      assert_equal TEXT, decrypt("aes256-cbc", AES256)
+    end
+
+    def test_none_for_encryption
+      assert_equal TEXT, encrypt("none").strip
+    end
+
+    def test_none_for_decryption
+      assert_equal TEXT, decrypt("none", TEXT)
+    end
+
+    private
+
+      TEXT = "But soft! What light through yonder window breaks? It is the east, and Juliet is the sun!"
+
+      OPTIONS = { :iv => "ABC",
+        :key => "abc",
+        :digester => OpenSSL::Digest::MD5,
+        :shared => "1234567890123456780",
+        :hash => '!@#$%#$^%$&^&%#$@$'
+      }
+
+      def factory
+        Net::SSH::Transport::CipherFactory
+      end
+
+      def encrypt(type)
+        cipher = factory.get(type, OPTIONS.merge(:encrypt => true))
+        padding = TEXT.length % cipher.block_size
+        result = cipher.update(TEXT.dup)
+        result << cipher.update(" " * (cipher.block_size - padding)) if padding > 0
+        result << cipher.final
+      end
+
+      def decrypt(type, data)
+        cipher = factory.get(type, OPTIONS.merge(:decrypt => true))
+        result = cipher.update(data.dup)
+        result << cipher.final
+        result.strip
+      end
+  end
+
+end