net-ssh 2.2.2 → 2.3.0

data/CHANGELOG.rdoc

@@ -1,4 +1,8 @@
 
+=== 2.3.0 / 11 Jan 2012
+
+* Support for hmac-sha2 and diffie-hellman-group-exchange-sha256 [Ryosuke Yamazaki]
+
 === 2.2.2 / 04 Jan 2012
 
 * Fixed: Connection hangs on ServerVersion.new(socket, logger) [muffl0n]

data/Manifest

@@ -54,10 +54,16 @@ lib/net/ssh/transport/hmac/md5_96.rb
 lib/net/ssh/transport/hmac/none.rb
 lib/net/ssh/transport/hmac/sha1.rb
 lib/net/ssh/transport/hmac/sha1_96.rb
+lib/net/ssh/transport/hmac/sha2_256.rb
+lib/net/ssh/transport/hmac/sha2_256_96.rb
+lib/net/ssh/transport/hmac/sha2_512.rb
+lib/net/ssh/transport/hmac/sha2_512_96.rb
 lib/net/ssh/transport/identity_cipher.rb
+lib/net/ssh/transport/key_expander.rb
 lib/net/ssh/transport/kex.rb
 lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb
 lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb
+lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb
 lib/net/ssh/transport/openssl.rb
 lib/net/ssh/transport/packet_stream.rb
 lib/net/ssh/transport/server_version.rb
@@ -98,8 +104,13 @@ test/transport/hmac/test_md5_96.rb
 test/transport/hmac/test_none.rb
 test/transport/hmac/test_sha1.rb
 test/transport/hmac/test_sha1_96.rb
+test/transport/hmac/test_sha2_256.rb
+test/transport/hmac/test_sha2_256_96.rb
+test/transport/hmac/test_sha2_512.rb
+test/transport/hmac/test_sha2_512_96.rb
 test/transport/kex/test_diffie_hellman_group1_sha1.rb
 test/transport/kex/test_diffie_hellman_group_exchange_sha1.rb
+test/transport/kex/test_diffie_hellman_group_exchange_sha256.rb
 test/transport/test_algorithms.rb
 test/transport/test_cipher_factory.rb
 test/transport/test_hmac.rb

data/lib/net/ssh/transport/algorithms.rb

@@ -24,11 +24,14 @@ module Net; module SSH; module Transport
     ALGORITHMS = {
       :host_key    => %w(ssh-rsa ssh-dss),
       :kex         => %w(diffie-hellman-group-exchange-sha1
-                         diffie-hellman-group1-sha1),
+                         diffie-hellman-group1-sha1
+                         diffie-hellman-group-exchange-sha256),
       :encryption  => %w(aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
                          aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
                          idea-cbc none arcfour128 arcfour256),
-      :hmac        => %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 none),
+      :hmac        => %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96
+                         hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96
+                         hmac-sha2-512-96 none),
       :compression => %w(none zlib@openssh.com zlib),
       :language    => %w() 
     }
@@ -345,14 +348,13 @@ module Net; module SSH; module Transport
         mac_key_client = key["E"]
         mac_key_server = key["F"]
 
-        parameters = { :iv => iv_client, :key => key_client, :shared => secret,
-          :hash => hash, :digester => digester }
+        parameters = { :shared => secret, :hash => hash, :digester => digester }
         
-        cipher_client = CipherFactory.get(encryption_client, parameters.merge(:encrypt => true))
+        cipher_client = CipherFactory.get(encryption_client, parameters.merge(:iv => iv_client, :key => key_client, :encrypt => true))
         cipher_server = CipherFactory.get(encryption_server, parameters.merge(:iv => iv_server, :key => key_server, :decrypt => true))
 
-        mac_client = HMAC.get(hmac_client, mac_key_client)
-        mac_server = HMAC.get(hmac_server, mac_key_server)
+        mac_client = HMAC.get(hmac_client, mac_key_client, parameters)
+        mac_server = HMAC.get(hmac_server, mac_key_server, parameters)
 
         session.configure_client :cipher => cipher_client, :hmac => mac_client,
           :compression => normalize_compression_name(compression_client),
@@ -381,4 +383,4 @@ module Net; module SSH; module Transport
         end
       end
   end
-end; end; end
+end; end; end

data/lib/net/ssh/transport/cipher_factory.rb

@@ -1,4 +1,5 @@
 require 'openssl'
+require 'net/ssh/transport/key_expander'
 require 'net/ssh/transport/identity_cipher'
 
 module Net; module SSH; module Transport
@@ -50,10 +51,10 @@ module Net; module SSH; module Transport
       cipher.send(options[:encrypt] ? :encrypt : :decrypt)
 
       cipher.padding = 0
-      cipher.iv      = make_key(cipher.iv_len, options[:iv], options) if ossl_name != "rc4"
+      cipher.iv      = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options) if ossl_name != "rc4"
       key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
       cipher.key_len = key_len
-      cipher.key     = make_key(key_len, options[:key], options)
+      cipher.key     = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
       cipher.update(" " * 1536) if ossl_name == "rc4"
 
       return cipher
@@ -73,25 +74,6 @@ module Net; module SSH; module Transport
       
       return [key_len, ossl_name=="rc4" ? 8 : cipher.block_size]
     end
-
-    private
-
-      # Generate a key value in accordance with the SSH2 specification.
-      def self.make_key(bytes, start, options={})
-        k = start[0, bytes]
-        
-        digester = options[:digester] or raise 'No digester supplied'
-        shared   = options[:shared] or raise 'No shared secret supplied'
-        hash     = options[:hash] or raise 'No hash supplied'
-
-        while k.length < bytes
-          step = digester.digest(shared + hash + k)
-          bytes_needed = bytes - k.length
-          k << step[0, bytes_needed]
-        end
-
-        return k
-      end
   end
 
 end; end; end

data/lib/net/ssh/transport/hmac.rb

@@ -1,7 +1,12 @@
+require 'net/ssh/transport/key_expander'
 require 'net/ssh/transport/hmac/md5'
 require 'net/ssh/transport/hmac/md5_96'
 require 'net/ssh/transport/hmac/sha1'
 require 'net/ssh/transport/hmac/sha1_96'
+require 'net/ssh/transport/hmac/sha2_256'
+require 'net/ssh/transport/hmac/sha2_256_96'
+require 'net/ssh/transport/hmac/sha2_512'
+require 'net/ssh/transport/hmac/sha2_512_96'
 require 'net/ssh/transport/hmac/none'
 
 # Implements a simple factory interface for fetching hmac implementations, or
@@ -16,11 +21,17 @@ module Net::SSH::Transport::HMAC
     'none'         => None
   }
 
+  # add mapping to sha2 hmac algorithms if they're available
+  MAP['hmac-sha2-256']    = SHA2_256    if defined?(::Net::SSH::Transport::HMAC::SHA2_256)
+  MAP['hmac-sha2-256-96'] = SHA2_256_96 if defined?(::Net::SSH::Transport::HMAC::SHA2_256_96)
+  MAP['hmac-sha2-512']    = SHA2_512    if defined?(::Net::SSH::Transport::HMAC::SHA2_512)
+  MAP['hmac-sha2-512-96'] = SHA2_512_96 if defined?(::Net::SSH::Transport::HMAC::SHA2_512_96)
+
   # Retrieves a new hmac instance of the given SSH type (+name+). If +key+ is
   # given, the new instance will be initialized with that key.
-  def self.get(name, key="")
+  def self.get(name, key="", parameters = {})
     impl = MAP[name] or raise ArgumentError, "hmac not found: #{name.inspect}"
-    impl.new(key)
+    impl.new(Net::SSH::Transport::KeyExpander.expand_key(impl.key_length, key, parameters))
   end
 
   # Retrieves the key length for the hmac of the given SSH type (+name+).
@@ -28,4 +39,4 @@ module Net::SSH::Transport::HMAC
     impl = MAP[name] or raise ArgumentError, "hmac not found: #{name.inspect}"
     impl.key_length
   end
-end
+end

data/lib/net/ssh/transport/hmac/sha2_256.rb

@@ -0,0 +1,15 @@
+require 'net/ssh/transport/hmac/abstract'
+
+if defined?(OpenSSL::Digest::SHA256) # need openssl support
+  module Net::SSH::Transport::HMAC
+
+    # The SHA-256 HMAC algorithm. This has a mac and key length of 32, and
+    # uses the SHA-256 digest algorithm.
+    class SHA2_256 < Abstract
+      mac_length   32
+      key_length   32
+      digest_class OpenSSL::Digest::SHA256
+    end
+
+  end
+end

data/lib/net/ssh/transport/hmac/sha2_256_96.rb

@@ -0,0 +1,13 @@
+require 'net/ssh/transport/hmac/abstract'
+
+module Net::SSH::Transport::HMAC
+
+  if defined?(SHA2_256) # need openssl support
+    # The SHA256-96 HMAC algorithm. This returns only the first 12 bytes of
+    # the digest.
+    class SHA2_256_96 < SHA2_256
+      mac_length   12
+    end
+  end
+
+end

data/lib/net/ssh/transport/hmac/sha2_512.rb

@@ -0,0 +1,14 @@
+require 'net/ssh/transport/hmac/abstract'
+
+module Net::SSH::Transport::HMAC
+
+  if defined?(OpenSSL::Digest::SHA512) # need openssl support
+    # The SHA-512 HMAC algorithm. This has a mac and key length of 64, and
+    # uses the SHA-512 digest algorithm.
+    class SHA2_512 < Abstract
+      mac_length   64
+      key_length   64
+      digest_class OpenSSL::Digest::SHA512
+    end
+  end
+end

data/lib/net/ssh/transport/hmac/sha2_512_96.rb

@@ -0,0 +1,13 @@
+require 'net/ssh/transport/hmac/abstract'
+
+module Net::SSH::Transport::HMAC
+
+  if defined?(SHA2_512) # need openssl support
+    # The SHA2-512-96 HMAC algorithm. This returns only the first 12 bytes of
+    # the digest.
+    class SHA2_512_96 < SHA2_512
+      mac_length   12
+    end
+  end
+
+end

data/lib/net/ssh/transport/kex.rb

@@ -1,5 +1,6 @@
 require 'net/ssh/transport/kex/diffie_hellman_group1_sha1'
 require 'net/ssh/transport/kex/diffie_hellman_group_exchange_sha1'
+require 'net/ssh/transport/kex/diffie_hellman_group_exchange_sha256'
 
 module Net::SSH::Transport
   module Kex
@@ -7,7 +8,10 @@ module Net::SSH::Transport
     # to their corresponding implementors.
     MAP = {
       'diffie-hellman-group-exchange-sha1' => DiffieHellmanGroupExchangeSHA1,
-      'diffie-hellman-group1-sha1'         => DiffieHellmanGroup1SHA1
+      'diffie-hellman-group1-sha1'         => DiffieHellmanGroup1SHA1,
     }
+    if defined?(DiffieHellmanGroupExchangeSHA256)
+      MAP['diffie-hellman-group-exchange-sha256'] = DiffieHellmanGroupExchangeSHA256
+    end
   end
-end
+end

data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb

@@ -19,7 +19,10 @@ module Net::SSH::Transport::Kex
 
       # Compute the number of bits needed for the given number of bytes.
       def compute_need_bits
-        need_bits = data[:need_bytes] * 8
+
+        # for Compatibility: OpenSSH requires (need_bits * 2 + 1) length of parameter
+        need_bits = data[:need_bytes] * 8 * 2 + 1
+
         if need_bits < MINIMUM_BITS
           need_bits = MINIMUM_BITS
         elsif need_bits > MAXIMUM_BITS
@@ -74,4 +77,4 @@ module Net::SSH::Transport::Kex
       end
   end
 
-end
+end

data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb

@@ -0,0 +1,15 @@
+require 'net/ssh/transport/kex/diffie_hellman_group_exchange_sha1'
+
+module Net::SSH::Transport::Kex
+  if defined?(OpenSSL::Digest::SHA256)
+    # A key-exchange service implementing the
+    # "diffie-hellman-group-exchange-sha256" key-exchange algorithm.
+    class DiffieHellmanGroupExchangeSHA256 < DiffieHellmanGroupExchangeSHA1
+      def initialize(*args)
+        super(*args)
+
+        @digester = OpenSSL::Digest::SHA256
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/key_expander.rb

@@ -0,0 +1,26 @@
+module Net; module SSH; module Transport
+  module KeyExpander
+
+  # Generate a key value in accordance with the SSH2 specification.
+  # (RFC4253 7.2. "Output from Key Exchange")
+  def self.expand_key(bytes, start, options={})
+    if bytes == 0
+      return ""
+    end
+
+    k = start[0, bytes]
+
+    digester = options[:digester] or raise 'No digester supplied'
+    shared   = options[:shared] or raise 'No shared secret supplied'
+    hash     = options[:hash] or raise 'No hash supplied'
+
+    while k.length < bytes
+      step = digester.digest(shared + hash + k)
+      bytes_needed = bytes - k.length
+      k << step[0, bytes_needed]
+    end
+
+    return k
+  end
+end
+end; end; end

data/lib/net/ssh/version.rb

@@ -48,10 +48,10 @@ module Net; module SSH
     MAJOR = 2
 
     # The minor component of this version of the Net::SSH library
-    MINOR = 2
+    MINOR = 3
 
     # The tiny component of this version of the Net::SSH library
-    TINY  = 2
+    TINY  = 0
 
     # The current version of the Net::SSH library as a Version instance
     CURRENT = new(MAJOR, MINOR, TINY)

data/net-ssh.gemspec

@@ -1,7 +1,7 @@
 @spec = Gem::Specification.new do |s|
 	s.name = "net-ssh"
         s.rubyforge_project = 'net-ssh'
-	s.version = "2.2.2"
+	s.version = "2.3.0"
 	s.summary = "Net::SSH: a pure-Ruby implementation of the SSH2 client protocol."
 	s.description = s.summary
 	s.authors = ["Jamis Buck", "Delano Mandelbaum"]
@@ -74,10 +74,16 @@
   lib/net/ssh/transport/hmac/none.rb
   lib/net/ssh/transport/hmac/sha1.rb
   lib/net/ssh/transport/hmac/sha1_96.rb
+  lib/net/ssh/transport/hmac/sha2_256.rb
+  lib/net/ssh/transport/hmac/sha2_256_96.rb
+  lib/net/ssh/transport/hmac/sha2_512.rb
+  lib/net/ssh/transport/hmac/sha2_512_96.rb
   lib/net/ssh/transport/identity_cipher.rb
+  lib/net/ssh/transport/key_expander.rb
   lib/net/ssh/transport/kex.rb
   lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb
   lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb
+  lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb
   lib/net/ssh/transport/openssl.rb
   lib/net/ssh/transport/packet_stream.rb
   lib/net/ssh/transport/server_version.rb
@@ -91,7 +97,6 @@
   setup.rb
   support/arcfour_check.rb
   support/ssh_tunnel_bug.rb
-  test/README.txt
   test/authentication/methods/common.rb
   test/authentication/methods/test_abstract.rb
   test/authentication/methods/test_hostbased.rb
@@ -106,12 +111,9 @@
   test/configs/exact_match
   test/configs/host_plus
   test/configs/multihost
-  test/configs/nohost
-  test/configs/numeric_host
   test/configs/wild_cards
   test/connection/test_channel.rb
   test/connection/test_session.rb
-  test/manual/test_forward.rb
   test/test_all.rb
   test/test_buffer.rb
   test/test_buffered_io.rb
@@ -122,8 +124,13 @@
   test/transport/hmac/test_none.rb
   test/transport/hmac/test_sha1.rb
   test/transport/hmac/test_sha1_96.rb
+  test/transport/hmac/test_sha2_256.rb
+  test/transport/hmac/test_sha2_256_96.rb
+  test/transport/hmac/test_sha2_512.rb
+  test/transport/hmac/test_sha2_512_96.rb
   test/transport/kex/test_diffie_hellman_group1_sha1.rb
   test/transport/kex/test_diffie_hellman_group_exchange_sha1.rb
+  test/transport/kex/test_diffie_hellman_group_exchange_sha256.rb
   test/transport/test_algorithms.rb
   test/transport/test_cipher_factory.rb
   test/transport/test_hmac.rb

data/test/transport/hmac/test_sha2_256.rb

@@ -0,0 +1,35 @@
+require 'common'
+require 'net/ssh/transport/hmac/sha2_256'
+
+module Transport; module HMAC
+
+  class TestSHA2_256 < Test::Unit::TestCase
+    def test_expected_digest_class
+      assert_equal OpenSSL::Digest::SHA256, subject.digest_class
+      assert_equal OpenSSL::Digest::SHA256, subject.new.digest_class
+    end
+
+    def test_expected_key_length
+      assert_equal 32, subject.key_length
+      assert_equal 32, subject.new.key_length
+    end
+
+    def test_expected_mac_length
+      assert_equal 32, subject.mac_length
+      assert_equal 32, subject.new.mac_length
+    end
+
+    def test_expected_digest
+      hmac = subject.new("1234567890123456")
+      assert_equal "\x16^>\x9FhO}\xB1>(\xBAF\xFBW\xB8\xF2\xFA\x824+\xC0\x94\x95\xC2\r\xE6\x88/\xEF\t\xF5%", hmac.digest("hello world")
+
+    end
+
+    private
+
+      def subject
+        Net::SSH::Transport::HMAC::SHA2_256
+      end
+  end
+
+end; end

data/test/transport/hmac/test_sha2_256_96.rb

@@ -0,0 +1,25 @@
+require 'common'
+require 'transport/hmac/test_sha2_256'
+require 'net/ssh/transport/hmac/sha2_256_96'
+
+module Transport; module HMAC
+
+  class TestSHA2_256_96 < TestSHA2_256
+    def test_expected_mac_length
+      assert_equal 12, subject.mac_length
+      assert_equal 12, subject.new.mac_length
+    end
+
+    def test_expected_digest
+      hmac = subject.new("1234567890123456")
+      assert_equal "\x16^>\x9FhO}\xB1>(\xBAF", hmac.digest("hello world")
+    end
+
+    private
+
+      def subject
+        Net::SSH::Transport::HMAC::SHA2_256_96
+      end
+  end
+
+end; end