net-ssh 2.4.0 → 2.5.0

data/test/test_buffer.rb

@@ -290,7 +290,7 @@ class TestBuffer < Test::Unit::TestCase
     key.pub_key = 0xeeccaa8866442200
 
     buffer.write_key(key)
-    assert_equal "start\0\0\0\7ssh-dss\0\0\0\011\0\xff\xee\xdd\xcc\xbb\xaa\x99\x88\0\0\0\010\x77\x66\x55\x44\x33\x22\x11\x00\0\0\0\011\0\xff\xdd\xbb\x99\x77\x55\x33\x11\0\0\0\011\0\xee\xcc\xaa\x88\x66\x44\x22\x00", buffer.to_s
+assert_equal "start\0\0\0\7ssh-dss\0\0\0\011\0\xff\xee\xdd\xcc\xbb\xaa\x99\x88\0\0\0\010\x77\x66\x55\x44\x33\x22\x11\x00\0\0\0\011\0\xff\xdd\xbb\x99\x77\x55\x33\x11\0\0\0\011\0\xee\xcc\xaa\x88\x66\x44\x22\x00", buffer.to_s
   end
 
   def test_write_rsa_key_should_write_argument_to_end_of_buffer
@@ -304,6 +304,67 @@ class TestBuffer < Test::Unit::TestCase
     assert_equal "start\0\0\0\7ssh-rsa\0\0\0\011\0\xff\xee\xdd\xcc\xbb\xaa\x99\x88\0\0\0\010\x77\x66\x55\x44\x33\x22\x11\x00", buffer.to_s
   end
 
+  if defined?(OpenSSL::PKey::EC)
+    def test_read_key_blob_should_read_ecdsa_sha2_nistp256_keys
+      random_ecdsa_sha2_nistp256 { |buffer|
+        buffer.read_keyblob("ecdsa-sha2-nistp256")
+      }
+    end
+    def test_read_key_blob_should_read_ecdsa_sha2_nistp384_keys
+      random_ecdsa_sha2_nistp384 { |buffer|
+        buffer.read_keyblob("ecdsa-sha2-nistp384")
+      }
+    end
+    def test_read_key_blob_should_read_ecdsa_sha2_nistp521_keys
+      random_ecdsa_sha2_nistp521 { |buffer|
+        buffer.read_keyblob("ecdsa-sha2-nistp521")
+      }
+    end
+
+    def test_read_key_should_read_ecdsa_sha2_nistp256_key_type_and_keyblob
+      random_ecdsa_sha2_nistp256 do |buffer|
+        b2 = Net::SSH::Buffer.from(:string, "ecdsa-sha2-nistp256", :raw, buffer)
+        b2.read_key
+      end
+    end
+    def test_read_key_should_read_ecdsa_sha2_nistp384_key_type_and_keyblob
+      random_ecdsa_sha2_nistp384 do |buffer|
+        b2 = Net::SSH::Buffer.from(:string, "ecdsa-sha2-nistp384", :raw, buffer)
+        b2.read_key
+      end
+    end
+    def test_read_key_should_read_ecdsa_sha2_nistp521_key_type_and_keyblob
+      random_ecdsa_sha2_nistp521 do |buffer|
+        b2 = Net::SSH::Buffer.from(:string, "ecdsa-sha2-nistp521", :raw, buffer)
+        b2.read_key
+      end
+    end
+
+    def test_write_ecdsa_sha2_nistp256_key_should_write_argument_to_end_of_buffer
+      buffer = new("start")
+      key = OpenSSL::PKey::EC.new("-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIISGj5vAJCWt2KPI8NwaWVDSNLl2vbRxDIOkY+n6O0VVoAoGCCqGSM49\nAwEHoUQDQgAEnKbs0yEogTKT4QRu8T9nb2svl2mEWXb6g224oCpD2o6TYNXNw54H\nmWkdCv+kFCqSlfSi5fqFhrXdfEY6zSzQYQ==\n-----END EC PRIVATE KEY-----\n")
+
+      buffer.write_key(key)
+      assert_equal "start\000\000\000\023ecdsa-sha2-nistp256\000\000\000\bnistp256\000\000\000A\004\234\246\354\323!(\2012\223\341\004n\361?gok/\227i\204Yv\372\203m\270\240*C\332\216\223`\325\315\303\236\a\231i\035\n\377\244\024*\222\225\364\242\345\372\205\206\265\335|F:\315,\320a", buffer.to_s
+    end
+
+    def test_write_ecdsa_sha2_nistp384_key_should_write_argument_to_end_of_buffer
+      buffer = new("start")
+      key = OpenSSL::PKey::EC.new("-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDBAfxJpzhsR7O+wMol6BcDgualR8rJBvYegUDYbBUrDnPzDx2/gD1lZ\nnwG1FuD2s9igBwYFK4EEACKhZANiAATsfiU4Kxyvvj1DdvFYsdDnZIT7loRlan9I\n8geCWPPl6x7NFRP+awrnTaarMgieGqxG8IQaIA0SsDOICfbDBkuatRi0S1Et/in4\nZwVEZvO81Ro5YSrjuUDAsytnI6OXS28=\n-----END EC PRIVATE KEY-----\n")
+
+      buffer.write_key(key)
+      assert_equal "start\000\000\000\023ecdsa-sha2-nistp384\000\000\000\bnistp384\000\000\000a\004\354~%8+\034\257\276=Cv\361X\261\320\347d\204\373\226\204ej\177H\362\a\202X\363\345\353\036\315\025\023\376k\n\347M\246\2532\b\236\032\254F\360\204\032 \r\022\2603\210\t\366\303\006K\232\265\030\264KQ-\376)\370g\005Df\363\274\325\0329a*\343\271@\300\263+g#\243\227Ko", buffer.to_s
+    end
+
+    def test_write_ecdsa_sha2_nistp521_key_should_write_argument_to_end_of_buffer
+      buffer = new("start")
+      key = OpenSSL::PKey::EC.new("-----BEGIN EC PRIVATE KEY-----\nMIHbAgEBBEGhnQF/SFo4Vym88HnCfc6BR8WwYqDh9wNTPeqzR8auxIpp0GKQlCG2\nuHzyteJX5/YalV8empYhEzNmNLNn8x7j0aAHBgUrgQQAI6GBiQOBhgAEAYygOgV9\nVI8UyLQ3BDlv+rb3es+ufrIcj++cqcc9QcmRn237NiWRr/1NKy2AKijsEdACtZXo\nxPC0x9Vs9ieC2oR+ANOBubcxPl2giDnBYm8ywAmmlXsP5ByAM17k97CzW5O+Z/uO\nbxGUzzhoXTNcjqpAckhRVKdnh6FL/rKelT0tBYi+\n-----END EC PRIVATE KEY-----\n")
+
+      buffer.write_key(key)
+      assert_equal "start\000\000\000\023ecdsa-sha2-nistp521\000\000\000\bnistp521\000\000\000\205\004\001\214\240:\005}T\217\024\310\2647\0049o\372\266\367z\317\256~\262\034\217\357\234\251\307=A\311\221\237m\3736%\221\257\375M+-\200*(\354\021\320\002\265\225\350\304\360\264\307\325l\366'\202\332\204~\000\323\201\271\2671>]\240\2109\301bo2\300\t\246\225{\017\344\034\2003^\344\367\260\263[\223\276g\373\216o\021\224\3178h]3\\\216\252@rHQT\247g\207\241K\376\262\236\225=-\005\210\276", buffer.to_s
+    end
+  end
+
   private
 
     def random_rsa
@@ -330,7 +391,36 @@ class TestBuffer < Test::Unit::TestCase
       assert_equal n4, key.pub_key
     end
 
+    if defined?(OpenSSL::PKey::EC)
+      def random_ecdsa_sha2_nistp256
+        k = OpenSSL::PKey::EC.new("prime256v1").generate_key
+        buffer = Net::SSH::Buffer.from(:string, "nistp256",
+                                       :string, k.public_key.to_bn.to_s(2))
+        key = yield(buffer)
+        assert_equal "ecdsa-sha2-nistp256", key.ssh_type
+        assert_equal k.public_key, key.public_key
+      end
+
+      def random_ecdsa_sha2_nistp384
+        k = OpenSSL::PKey::EC.new("secp384r1").generate_key
+        buffer = Net::SSH::Buffer.from(:string, "nistp384",
+                                       :string, k.public_key.to_bn.to_s(2))
+        key = yield(buffer)
+        assert_equal "ecdsa-sha2-nistp384", key.ssh_type
+        assert_equal k.public_key, key.public_key
+      end
+
+      def random_ecdsa_sha2_nistp521
+        k = OpenSSL::PKey::EC.new("secp521r1").generate_key
+        buffer = Net::SSH::Buffer.from(:string, "nistp521",
+                                       :string, k.public_key.to_bn.to_s(2))
+        key = yield(buffer)
+        assert_equal "ecdsa-sha2-nistp521", key.ssh_type
+        assert_equal k.public_key, key.public_key
+      end
+    end
+
     def new(*args)
       Net::SSH::Buffer.new(*args)
     end
-end
+end

data/test/test_key_factory.rb

@@ -55,6 +55,34 @@ class TestKeyFactory < Test::Unit::TestCase
     assert_equal rsa_key.to_blob, Net::SSH::KeyFactory.load_public_key(@key_file).to_blob
   end
 
+  if defined?(OpenSSL::PKey::EC)
+    def test_load_unencrypted_private_ecdsa_sha2_nistp256_key_should_return_key
+      File.expects(:read).with("/key-file").returns(ecdsa_sha2_nistp256_key.to_pem)
+      assert_equal ecdsa_sha2_nistp256_key.to_der, Net::SSH::KeyFactory.load_private_key("/key-file").to_der
+    end
+    def test_load_unencrypted_private_ecdsa_sha2_nistp384_key_should_return_key
+      File.expects(:read).with("/key-file").returns(ecdsa_sha2_nistp384_key.to_pem)
+      assert_equal ecdsa_sha2_nistp384_key.to_der, Net::SSH::KeyFactory.load_private_key("/key-file").to_der
+    end
+    def test_load_unencrypted_private_ecdsa_sha2_nistp521_key_should_return_key
+      File.expects(:read).with("/key-file").returns(ecdsa_sha2_nistp521_key.to_pem)
+      assert_equal ecdsa_sha2_nistp521_key.to_der, Net::SSH::KeyFactory.load_private_key("/key-file").to_der
+    end
+
+    def test_load_public_ecdsa_sha2_nistp256_key_should_return_key
+      File.expects(:read).with("/key-file").returns(public(ecdsa_sha2_nistp256_key))
+      assert_equal ecdsa_sha2_nistp256_key.to_blob, Net::SSH::KeyFactory.load_public_key("/key-file").to_blob
+    end
+    def test_load_public_ecdsa_sha2_nistp384_key_should_return_key
+      File.expects(:read).with("/key-file").returns(public(ecdsa_sha2_nistp384_key))
+      assert_equal ecdsa_sha2_nistp384_key.to_blob, Net::SSH::KeyFactory.load_public_key("/key-file").to_blob
+    end
+    def test_load_public_ecdsa_sha2_nistp521_key_should_return_key
+      File.expects(:read).with("/key-file").returns(public(ecdsa_sha2_nistp521_key))
+      assert_equal ecdsa_sha2_nistp521_key.to_blob, Net::SSH::KeyFactory.load_public_key("/key-file").to_blob
+    end
+  end
+
   private
 
     def rsa_key
@@ -67,6 +95,20 @@ class TestKeyFactory < Test::Unit::TestCase
       @dsa_key ||= OpenSSL::PKey::DSA.new("0\201\367\002\001\000\002A\000\203\316/\037u\272&J\265\003l3\315d\324h\372{\t8\252#\331_\026\006\035\270\266\255\343\353Z\302\276\335\336\306\220\375\202L\244\244J\206>\346\b\315\211\302L\246x\247u\a\376\366\345\302\016#\002\025\000\244\274\302\221Og\275/\302+\356\346\360\024\373wI\2573\361\002@\027\215\270r*\f\213\350C\245\021:\350 \006\\\376\345\022`\210b\262\3643\023XLKS\320\370\002\276\347A\nU\204\276\324\256`=\026\240\330\306J\316V\213\024\e\030\215\355\006\037q\337\356ln\002@\017\257\034\f\260\333'S\271#\237\230E\321\312\027\021\226\331\251Vj\220\305\316\036\v\266+\000\230\270\177B\003?t\a\305]e\344\261\334\023\253\323\251\223M\2175)a(\004\"lI8\312\303\307\a\002\024_\aznW\345\343\203V\326\246ua\203\376\201o\350\302\002")
     end
 
+    if defined?(OpenSSL::PKey::EC)
+      def ecdsa_sha2_nistp256_key
+        @ecdsa_sha2_nistp256_key ||= OpenSSL::PKey::EC.new("-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEINv6pPVLlkqvT1v5MJlWgaSWGwqupISG4U79bUXQDNCaoAoGCCqGSM49\nAwEHoUQDQgAElqubvi/GkSme+bwtncU1NiE0dWQ0EO07VufUQg8lUJ5+Fi6f96qa\n95T1zwOMQhY1h8PP9rQIZr4S48vN/ZnQLw==\n-----END EC PRIVATE KEY-----\n")
+      end
+
+      def ecdsa_sha2_nistp384_key
+        @ecdsa_sha2_nistp384_key ||= OpenSSL::PKey::EC.new("-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDBxwkmydCn4mP4KMhlMpeBvIroQolWKVNoRPXpG7brFgK+Yiikqw8wd\nIZW5OlL4y3mgBwYFK4EEACKhZANiAARkoIR1oABi+aQJbKcmvzeYSKURQOyXM0HU\nR4T68v4hd/lJE4fFQRczj3wAaECe9u3CWI/oDlow4Vr0vab82ZGjIoblxblKQWYl\nyzENgzl226waGg1bLBo8Auilyf1B5yI=\n-----END EC PRIVATE KEY-----\n")
+      end
+
+      def ecdsa_sha2_nistp521_key
+        @ecdsa_sha2_nistp521_key ||= OpenSSL::PKey::EC.new("-----BEGIN EC PRIVATE KEY-----\nMIHbAgEBBEHQ2i7kjEGQHQB4pUQW9a2eCLWR2S5Go8U3CDyfbRCrYEp/pTSgI8uu\nMXyR3bf3SjqFQgZ6MZk5lkyrissJuwmvZKAHBgUrgQQAI6GBiQOBhgAEAN14FACK\nbs/KTqw4rxijeozGTVJTh1hNzBl2XaIhM4Fv8o3fE/pvogymyFu53GCng6gC4dmx\n/hycF41iIM29xVKPAeBnRNl6MdFBjuthOmE8eCRezgk1Bak8aBDUrzNT8OQssscw\npvQK4nc6ga/wTDaQGy5kV8tCOHNs2wKH+p2LpWTJ\n-----END EC PRIVATE KEY-----\n")
+      end
+    end
+
     def encrypted(key, password)
       key.export(OpenSSL::Cipher::Cipher.new("des-ede3-cbc"), password)
     end

data/test/transport/hmac/test_ripemd160.rb

@@ -0,0 +1,34 @@
+require 'common'
+require 'net/ssh/transport/hmac/ripemd160'
+
+module Transport; module HMAC
+
+  class TestRipemd160 < Test::Unit::TestCase
+    def test_expected_digest_class
+      assert_equal OpenSSL::Digest::RIPEMD160, subject.digest_class
+      assert_equal OpenSSL::Digest::RIPEMD160, subject.new.digest_class
+    end
+
+    def test_expected_key_length
+      assert_equal 20, subject.key_length
+      assert_equal 20, subject.new.key_length
+    end
+
+    def test_expected_mac_length
+      assert_equal 20, subject.mac_length
+      assert_equal 20, subject.new.mac_length
+    end
+
+    def test_expected_digest
+      hmac = subject.new("1234567890123456")
+      assert_equal "\xE4\x10\t\xB3\xD8,\x14\xA0k\x10\xB5\x0F?\x0E\x96q\x02\x16;E", hmac.digest("hello world")
+    end
+
+    private
+
+      def subject
+        Net::SSH::Transport::HMAC::RIPEMD160
+      end
+  end
+
+end; end

data/test/transport/kex/test_diffie_hellman_group14_sha1.rb

@@ -0,0 +1,13 @@
+require 'common'
+require 'net/ssh/transport/kex/diffie_hellman_group14_sha1'
+require 'transport/kex/test_diffie_hellman_group1_sha1'
+require 'ostruct'
+
+module Transport; module Kex
+
+  class TestDiffieHellmanGroup14SHA1 < TestDiffieHellmanGroup1SHA1
+      def subject
+        Net::SSH::Transport::Kex::DiffieHellmanGroup14SHA1
+      end
+  end
+end; end

data/test/transport/kex/test_ecdh_sha2_nistp256.rb

@@ -0,0 +1,161 @@
+require 'openssl'
+
+unless defined?(OpenSSL::PKey::EC)
+  puts "Skipping tests for ecdh-sha2-nistp256 key exchange"
+else
+  require 'common'
+  require 'transport/kex/test_diffie_hellman_group1_sha1'
+  require 'net/ssh/transport/kex/ecdh_sha2_nistp256'
+  require 'ostruct'
+
+  module Transport; module Kex
+
+    class TestEcdhSHA2NistP256 < Test::Unit::TestCase
+      include Net::SSH::Transport::Constants
+
+      def setup
+        @ecdh = @algorithms = @connection = @server_key = 
+          @packet_data = @shared_secret = nil
+      end
+
+      def test_exchange_keys_should_return_expected_results_when_successful
+        result = exchange!
+        assert_equal session_id, result[:session_id]
+        assert_equal server_host_key.to_blob, result[:server_key].to_blob
+        assert_equal shared_secret, result[:shared_secret]
+        assert_equal digester, result[:hashing_algorithm]
+      end
+
+      def test_exchange_keys_with_unverifiable_host_should_raise_exception
+        connection.verifier { false }
+        assert_raises(Net::SSH::Exception) { exchange! }
+      end
+
+      def test_exchange_keys_with_signature_key_type_mismatch_should_raise_exception
+        assert_raises(Net::SSH::Exception) { exchange! :key_type => "ssh-dss" }
+      end
+
+      def test_exchange_keys_with_host_key_type_mismatch_should_raise_exception
+        algorithms :host_key => "ssh-dss"
+        assert_raises(Net::SSH::Exception) { exchange! :key_type => "ssh-dss" }
+      end
+
+      def test_exchange_keys_when_server_signature_could_not_be_verified_should_raise_exception
+        @signature = "1234567890"
+        assert_raises(Net::SSH::Exception) { exchange! }
+      end
+
+      def test_exchange_keys_should_pass_expected_parameters_to_host_key_verifier
+        verified = false
+        connection.verifier do |data|
+          verified = true
+          assert_equal server_host_key.to_blob, data[:key].to_blob
+
+          blob = b(:key, data[:key]).to_s
+          fingerprint = OpenSSL::Digest::MD5.hexdigest(blob).scan(/../).join(":")
+
+          assert_equal blob, data[:key_blob]
+          assert_equal fingerprint, data[:fingerprint]
+          assert_equal connection, data[:session]
+
+          true
+        end
+
+        assert_nothing_raised { exchange! }
+        assert verified
+      end
+
+      private
+
+      def digester
+        OpenSSL::Digest::SHA256
+      end
+
+      def subject
+        Net::SSH::Transport::Kex::EcdhSHA2NistP256
+      end
+
+      def ecparam
+        "prime256v1"
+      end
+
+      def key_type
+        "ecdsa-sha2-nistp256"
+      end
+
+      def exchange!(options={})
+        connection.expect do |t, buffer|
+          assert_equal KEXECDH_INIT, buffer.type
+          assert_equal ecdh.ecdh.public_key.to_bn.to_s(2), buffer.read_string
+          t.return(KEXECDH_REPLY,
+                   :string, b(:key, server_host_key),
+                   :string, server_ecdh_pubkey.to_bn.to_s(2),
+                   :string, b(:string, options[:key_type] || key_type,
+                              :string, signature))
+          connection.expect do |t2, buffer2|
+            assert_equal NEWKEYS, buffer2.type
+            t2.return(NEWKEYS)
+          end
+        end
+        ecdh.exchange_keys
+      end
+
+      def ecdh
+        @ecdh ||= subject.new(algorithms, connection, packet_data)
+      end
+
+      def algorithms(options={})
+        @algorithms ||= OpenStruct.new(:host_key => options[:server_host_key] || "ecdsa-sha2-nistp256")
+      end
+
+      def connection
+        @connection ||= MockTransport.new
+      end
+
+      def server_key
+        @server_key ||= OpenSSL::PKey::EC.new(ecparam).generate_key
+      end
+
+      def server_host_key
+        @server_host_key ||= OpenSSL::PKey::EC.new("prime256v1").generate_key
+      end
+
+      def packet_data
+        @packet_data ||= { :client_version_string => "client version string",
+          :server_version_string => "server version string",
+          :server_algorithm_packet => "server algorithm packet",
+          :client_algorithm_packet => "client algorithm packet" }
+      end
+
+      def server_ecdh_pubkey
+        @server_ecdh_pubkey ||= server_key.public_key
+      end
+
+      def shared_secret
+        @shared_secret ||= OpenSSL::BN.new(ecdh.ecdh.dh_compute_key(server_ecdh_pubkey), 2)
+      end
+
+      def session_id
+        @session_id ||= begin
+          buffer = Net::SSH::Buffer.from(:string, packet_data[:client_version_string],
+                                         :string, packet_data[:server_version_string],
+                                         :string, packet_data[:client_algorithm_packet],
+                                         :string, packet_data[:server_algorithm_packet],
+                                         :string, Net::SSH::Buffer.from(:key, server_host_key),
+                                         :string, ecdh.ecdh.public_key.to_bn.to_s(2),
+                                         :string, server_ecdh_pubkey.to_bn.to_s(2),
+                                         :bignum, shared_secret)
+          digester.digest(buffer.to_s)
+        end
+      end
+
+      def signature
+        @signature ||= server_host_key.ssh_do_sign(session_id)
+      end
+
+      def b(*args)
+        Net::SSH::Buffer.from(*args)
+      end
+    end
+  end; end;
+end

data/test/transport/kex/test_ecdh_sha2_nistp384.rb

@@ -0,0 +1,37 @@
+require 'openssl'
+
+unless defined?(OpenSSL::PKey::EC)
+  puts "Skipping tests for ecdh-sha2-nistp384 key exchange"
+else
+  module Transport; module Kex
+    class TestEcdhSHA2NistP384 < TestEcdhSHA2NistP256
+
+      def setup
+        @ecdh = @algorithms = @connection = @server_key = 
+          @packet_data = @shared_secret = nil
+      end
+
+      def test_exchange_keys_should_return_expected_results_when_successful
+        result = exchange!
+        assert_equal session_id, result[:session_id]
+        assert_equal server_host_key.to_blob, result[:server_key].to_blob
+        assert_equal shared_secret, result[:shared_secret]
+        assert_equal digester, result[:hashing_algorithm]
+      end
+
+      private
+
+      def digester
+        OpenSSL::Digest::SHA384
+      end
+
+      def subject
+        Net::SSH::Transport::Kex::EcdhSHA2NistP384
+      end
+
+      def ecparam
+        "secp384r1"
+      end
+    end
+  end; end
+  end

data/test/transport/kex/test_ecdh_sha2_nistp521.rb

@@ -0,0 +1,37 @@
+require 'openssl'
+
+unless defined?(OpenSSL::PKey::EC)
+  puts "Skipping tests for ecdh-sha2-nistp521 key exchange"
+else
+  module Transport; module Kex
+    class TestEcdhSHA2NistP521 < TestEcdhSHA2NistP256
+
+      def setup
+        @ecdh = @algorithms = @connection = @server_key = 
+          @packet_data = @shared_secret = nil
+      end
+
+      def test_exchange_keys_should_return_expected_results_when_successful
+        result = exchange!
+        assert_equal session_id, result[:session_id]
+        assert_equal server_host_key.to_blob, result[:server_key].to_blob
+        assert_equal shared_secret, result[:shared_secret]
+        assert_equal digester, result[:hashing_algorithm]
+      end
+
+      private
+
+      def digester
+        OpenSSL::Digest::SHA512
+      end
+
+      def subject
+        Net::SSH::Transport::Kex::EcdhSHA2NistP521
+      end
+
+      def ecparam
+        "secp521r1"
+      end
+    end
+  end; end
+end