RubyGems - net-ssh - Versions diffs - 2.7.0 → 7.3.0 - Mend

net-ssh 2.7.0 → 7.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (199) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +0 -0
data/.dockerignore +6 -0
data/.github/FUNDING.yml +1 -0
data/.github/config/rubocop_linter_action.yml +4 -0
data/.github/workflows/ci-with-docker.yml +44 -0
data/.github/workflows/ci.yml +94 -0
data/.github/workflows/rubocop.yml +16 -0
data/.gitignore +15 -0
data/.rubocop.yml +22 -0
data/.rubocop_todo.yml +1081 -0
data/CHANGES.txt +387 -0
data/DEVELOPMENT.md +23 -0
data/Dockerfile +29 -0
data/Dockerfile.openssl3 +17 -0
data/Gemfile +13 -0
data/Gemfile.noed25519 +12 -0
data/Gemfile.norbnacl +12 -0
data/ISSUE_TEMPLATE.md +30 -0
data/Manifest +4 -5
data/README.md +303 -0
data/Rakefile +174 -40
data/SECURITY.md +4 -0
data/THANKS.txt +25 -0
data/appveyor.yml +58 -0
data/docker-compose.yml +25 -0
data/lib/net/ssh/authentication/agent.rb +279 -18
data/lib/net/ssh/authentication/certificate.rb +183 -0
data/lib/net/ssh/authentication/constants.rb +17 -15
data/lib/net/ssh/authentication/ed25519.rb +184 -0
data/lib/net/ssh/authentication/ed25519_loader.rb +31 -0
data/lib/net/ssh/authentication/key_manager.rb +125 -54
data/lib/net/ssh/authentication/methods/abstract.rb +67 -48
data/lib/net/ssh/authentication/methods/hostbased.rb +34 -37
data/lib/net/ssh/authentication/methods/keyboard_interactive.rb +19 -12
data/lib/net/ssh/authentication/methods/none.rb +16 -19
data/lib/net/ssh/authentication/methods/password.rb +56 -19
data/lib/net/ssh/authentication/methods/publickey.rb +96 -55
data/lib/net/ssh/authentication/pageant.rb +483 -246
data/lib/net/ssh/authentication/pub_key_fingerprint.rb +43 -0
data/lib/net/ssh/authentication/session.rb +138 -120
data/lib/net/ssh/buffer.rb +399 -300
data/lib/net/ssh/buffered_io.rb +154 -150
data/lib/net/ssh/config.rb +361 -166
data/lib/net/ssh/connection/channel.rb +640 -596
data/lib/net/ssh/connection/constants.rb +29 -29
data/lib/net/ssh/connection/event_loop.rb +123 -0
data/lib/net/ssh/connection/keepalive.rb +59 -0
data/lib/net/ssh/connection/session.rb +628 -548
data/lib/net/ssh/connection/term.rb +125 -123
data/lib/net/ssh/errors.rb +101 -95
data/lib/net/ssh/key_factory.rb +198 -100
data/lib/net/ssh/known_hosts.rb +221 -98
data/lib/net/ssh/loggable.rb +50 -49
data/lib/net/ssh/packet.rb +83 -79
data/lib/net/ssh/prompt.rb +50 -81
data/lib/net/ssh/proxy/command.rb +108 -60
data/lib/net/ssh/proxy/errors.rb +12 -10
data/lib/net/ssh/proxy/http.rb +82 -78
data/lib/net/ssh/proxy/https.rb +50 -0
data/lib/net/ssh/proxy/jump.rb +54 -0
data/lib/net/ssh/proxy/socks4.rb +5 -8
data/lib/net/ssh/proxy/socks5.rb +18 -20
data/lib/net/ssh/service/forward.rb +383 -255
data/lib/net/ssh/test/channel.rb +145 -136
data/lib/net/ssh/test/extensions.rb +131 -110
data/lib/net/ssh/test/kex.rb +34 -32
data/lib/net/ssh/test/local_packet.rb +46 -44
data/lib/net/ssh/test/packet.rb +89 -70
data/lib/net/ssh/test/remote_packet.rb +32 -30
data/lib/net/ssh/test/script.rb +156 -142
data/lib/net/ssh/test/socket.rb +49 -48
data/lib/net/ssh/test.rb +82 -77
data/lib/net/ssh/transport/aes128_gcm.rb +40 -0
data/lib/net/ssh/transport/aes256_gcm.rb +40 -0
data/lib/net/ssh/transport/algorithms.rb +472 -348
data/lib/net/ssh/transport/chacha20_poly1305_cipher.rb +117 -0
data/lib/net/ssh/transport/chacha20_poly1305_cipher_loader.rb +17 -0
data/lib/net/ssh/transport/cipher_factory.rb +124 -100
data/lib/net/ssh/transport/constants.rb +32 -24
data/lib/net/ssh/transport/ctr.rb +42 -22
data/lib/net/ssh/transport/gcm_cipher.rb +207 -0
data/lib/net/ssh/transport/hmac/abstract.rb +97 -63
data/lib/net/ssh/transport/hmac/md5.rb +0 -2
data/lib/net/ssh/transport/hmac/md5_96.rb +0 -2
data/lib/net/ssh/transport/hmac/none.rb +0 -2
data/lib/net/ssh/transport/hmac/ripemd160.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1_96.rb +0 -2
data/lib/net/ssh/transport/hmac/sha2_256.rb +7 -11
data/lib/net/ssh/transport/hmac/sha2_256_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_256_etm.rb +12 -0
data/lib/net/ssh/transport/hmac/sha2_512.rb +6 -9
data/lib/net/ssh/transport/hmac/sha2_512_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_512_etm.rb +12 -0
data/lib/net/ssh/transport/hmac.rb +14 -12
data/lib/net/ssh/transport/identity_cipher.rb +54 -44
data/lib/net/ssh/transport/kex/abstract.rb +130 -0
data/lib/net/ssh/transport/kex/abstract5656.rb +72 -0
data/lib/net/ssh/transport/kex/curve25519_sha256.rb +39 -0
data/lib/net/ssh/transport/kex/curve25519_sha256_loader.rb +30 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha1.rb +33 -40
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha256.rb +11 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb +119 -213
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb +53 -61
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb +5 -9
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb +36 -90
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp384.rb +18 -10
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp521.rb +18 -10
data/lib/net/ssh/transport/kex.rb +15 -12
data/lib/net/ssh/transport/key_expander.rb +24 -20
data/lib/net/ssh/transport/openssl.rb +161 -124
data/lib/net/ssh/transport/openssl_cipher_extensions.rb +8 -0
data/lib/net/ssh/transport/packet_stream.rb +246 -183
data/lib/net/ssh/transport/server_version.rb +57 -51
data/lib/net/ssh/transport/session.rb +307 -235
data/lib/net/ssh/transport/state.rb +178 -176
data/lib/net/ssh/verifiers/accept_new.rb +33 -0
data/lib/net/ssh/verifiers/accept_new_or_local_tunnel.rb +33 -0
data/lib/net/ssh/verifiers/always.rb +58 -0
data/lib/net/ssh/verifiers/never.rb +19 -0
data/lib/net/ssh/version.rb +57 -51
data/lib/net/ssh.rb +140 -40
data/net-ssh-public_cert.pem +21 -0
data/net-ssh.gemspec +39 -184
data/support/ssh_tunnel_bug.rb +5 -5
data.tar.gz.sig +0 -0
metadata +205 -99
metadata.gz.sig +0 -0
data/README.rdoc +0 -219
data/Rudyfile +0 -96
data/gem-public_cert.pem +0 -20
data/lib/net/ssh/authentication/agent/java_pageant.rb +0 -85
data/lib/net/ssh/authentication/agent/socket.rb +0 -170
data/lib/net/ssh/ruby_compat.rb +0 -51
data/lib/net/ssh/verifiers/lenient.rb +0 -30
data/lib/net/ssh/verifiers/null.rb +0 -12
data/lib/net/ssh/verifiers/secure.rb +0 -54
data/lib/net/ssh/verifiers/strict.rb +0 -24
data/setup.rb +0 -1585
data/support/arcfour_check.rb +0 -20
data/test/README.txt +0 -47
data/test/authentication/methods/common.rb +0 -28
data/test/authentication/methods/test_abstract.rb +0 -51
data/test/authentication/methods/test_hostbased.rb +0 -114
data/test/authentication/methods/test_keyboard_interactive.rb +0 -100
data/test/authentication/methods/test_none.rb +0 -41
data/test/authentication/methods/test_password.rb +0 -52
data/test/authentication/methods/test_publickey.rb +0 -148
data/test/authentication/test_agent.rb +0 -205
data/test/authentication/test_key_manager.rb +0 -218
data/test/authentication/test_session.rb +0 -108
data/test/common.rb +0 -108
data/test/configs/eqsign +0 -3
data/test/configs/exact_match +0 -8
data/test/configs/host_plus +0 -10
data/test/configs/multihost +0 -4
data/test/configs/nohost +0 -19
data/test/configs/numeric_host +0 -4
data/test/configs/send_env +0 -2
data/test/configs/substitutes +0 -8
data/test/configs/wild_cards +0 -14
data/test/connection/test_channel.rb +0 -467
data/test/connection/test_session.rb +0 -526
data/test/known_hosts/github +0 -1
data/test/manual/test_forward.rb +0 -223
data/test/start/test_options.rb +0 -36
data/test/start/test_transport.rb +0 -28
data/test/test_all.rb +0 -11
data/test/test_buffer.rb +0 -433
data/test/test_buffered_io.rb +0 -63
data/test/test_config.rb +0 -151
data/test/test_key_factory.rb +0 -173
data/test/test_known_hosts.rb +0 -13
data/test/transport/hmac/test_md5.rb +0 -41
data/test/transport/hmac/test_md5_96.rb +0 -27
data/test/transport/hmac/test_none.rb +0 -34
data/test/transport/hmac/test_ripemd160.rb +0 -36
data/test/transport/hmac/test_sha1.rb +0 -36
data/test/transport/hmac/test_sha1_96.rb +0 -27
data/test/transport/hmac/test_sha2_256.rb +0 -37
data/test/transport/hmac/test_sha2_256_96.rb +0 -27
data/test/transport/hmac/test_sha2_512.rb +0 -37
data/test/transport/hmac/test_sha2_512_96.rb +0 -27
data/test/transport/kex/test_diffie_hellman_group14_sha1.rb +0 -13
data/test/transport/kex/test_diffie_hellman_group1_sha1.rb +0 -146
data/test/transport/kex/test_diffie_hellman_group_exchange_sha1.rb +0 -92
data/test/transport/kex/test_diffie_hellman_group_exchange_sha256.rb +0 -34
data/test/transport/kex/test_ecdh_sha2_nistp256.rb +0 -161
data/test/transport/kex/test_ecdh_sha2_nistp384.rb +0 -38
data/test/transport/kex/test_ecdh_sha2_nistp521.rb +0 -38
data/test/transport/test_algorithms.rb +0 -330
data/test/transport/test_cipher_factory.rb +0 -443
data/test/transport/test_hmac.rb +0 -34
data/test/transport/test_identity_cipher.rb +0 -40
data/test/transport/test_packet_stream.rb +0 -1755
data/test/transport/test_server_version.rb +0 -78
data/test/transport/test_session.rb +0 -319
data/test/transport/test_state.rb +0 -181

data/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb CHANGED Viewed

@@ -1,216 +1,122 @@
-require 'net/ssh/buffer'
-require 'net/ssh/errors'
-require 'net/ssh/loggable'
-require 'net/ssh/transport/openssl'
-require 'net/ssh/transport/constants'
-module Net; module SSH; module Transport; module Kex
-  # A key-exchange service implementing the "diffie-hellman-group1-sha1"
-  # key-exchange algorithm.
-  class DiffieHellmanGroup1SHA1
-    include Constants, Loggable
-    # The value of 'P', as a string, in hexadecimal
-    P_s = "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" +
-          "C4C6628B" "80DC1CD1" "29024E08" "8A67CC74" +
-          "020BBEA6" "3B139B22" "514A0879" "8E3404DD" +
-          "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" +
-          "4FE1356D" "6D51C245" "E485B576" "625E7EC6" +
-          "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" +
-          "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" +
-          "49286651" "ECE65381" "FFFFFFFF" "FFFFFFFF"
-    # The radix in which P_s represents the value of P
-    P_r = 16
-    # The group constant
-    G = 2
-    attr_reader :p
-    attr_reader :g
-    attr_reader :digester
-    attr_reader :algorithms
-    attr_reader :connection
-    attr_reader :data
-    attr_reader :dh
-    # Create a new instance of the DiffieHellmanGroup1SHA1 algorithm.
-    # The data is a Hash of symbols representing information
-    # required by this algorithm, which was acquired during earlier
-    # processing.
-    def initialize(algorithms, connection, data)
-      @p = get_p
-      @g = get_g
-      @digester = OpenSSL::Digest::SHA1
-      @algorithms = algorithms
-      @connection = connection
-      @data = data.dup
-      @dh = generate_key
-      @logger = @data.delete(:logger)
-    end
-    # Perform the key-exchange for the given session, with the given
-    # data. This method will return a hash consisting of the
-    # following keys:
-    #
-    # * :session_id
-    # * :server_key
-    # * :shared_secret
-    # * :hashing_algorithm
-    #
-    # The caller is expected to be able to understand how to use these
-    # deliverables.
-    def exchange_keys
-      result = send_kexinit
-      verify_server_key(result[:server_key])
-      session_id = verify_signature(result)
-      confirm_newkeys
-      return { :session_id        => session_id,
-               :server_key        => result[:server_key],
-               :shared_secret     => result[:shared_secret],
-               :hashing_algorithm => digester }
-    end
-    private
-      def get_p
-        OpenSSL::BN.new(P_s, P_r)
-      end
-      def get_g
-        G
-      end
-      # Returns the DH key parameters for the current connection.
-      def get_parameters
-        [p, g]
-      end
-      # Returns the INIT/REPLY constants used by this algorithm.
-      def get_message_types
-        [KEXDH_INIT, KEXDH_REPLY]
-      end
-      # Build the signature buffer to use when verifying a signature from
-      # the server.
-      def build_signature_buffer(result)
-        response = Net::SSH::Buffer.new
-        response.write_string data[:client_version_string],
-                              data[:server_version_string],
-                              data[:client_algorithm_packet],
-                              data[:server_algorithm_packet],
-                              result[:key_blob]
-        response.write_bignum dh.pub_key,
-                              result[:server_dh_pubkey],
-                              result[:shared_secret]
-        response
-      end
-      # Generate a DH key with a private key consisting of the given
-      # number of bytes.
-      def generate_key #:nodoc:
-        dh = OpenSSL::PKey::DH.new
-        dh.p, dh.g = get_parameters
-        dh.priv_key = OpenSSL::BN.rand(data[:need_bytes] * 8)
-        dh.generate_key! until dh.valid?
-        dh
-      end
-      # Send the KEXDH_INIT message, and expect the KEXDH_REPLY. Return the
-      # resulting buffer.
-      #
-      # Parse the buffer from a KEXDH_REPLY message, returning a hash of
-      # the extracted values.
-      def send_kexinit #:nodoc:
-        init, reply = get_message_types
-        # send the KEXDH_INIT message
-        buffer = Net::SSH::Buffer.from(:byte, init, :bignum, dh.pub_key)
-        connection.send_message(buffer)
-        # expect the KEXDH_REPLY message
-        buffer = connection.next_message
-        raise Net::SSH::Exception, "expected REPLY" unless buffer.type == reply
-        result = Hash.new
-        result[:key_blob] = buffer.read_string
-        result[:server_key] = Net::SSH::Buffer.new(result[:key_blob]).read_key
-        result[:server_dh_pubkey] = buffer.read_bignum
-        result[:shared_secret] = OpenSSL::BN.new(dh.compute_key(result[:server_dh_pubkey]), 2)
-        sig_buffer = Net::SSH::Buffer.new(buffer.read_string)
-        sig_type = sig_buffer.read_string
-        if sig_type != algorithms.host_key
-          raise Net::SSH::Exception,
-            "host key algorithm mismatch for signature " +
-            "'#{sig_type}' != '#{algorithms.host_key}'"
+require 'net/ssh/transport/kex/abstract'
+module Net
+  module SSH
+    module Transport
+      module Kex
+        # A key-exchange service implementing the "diffie-hellman-group1-sha1"
+        # key-exchange algorithm.
+        class DiffieHellmanGroup1SHA1 < Abstract
+          # The value of 'P', as a string, in hexadecimal
+          P_s = "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" +
+                "C4C6628B" "80DC1CD1" "29024E08" "8A67CC74" +
+                "020BBEA6" "3B139B22" "514A0879" "8E3404DD" +
+                "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" +
+                "4FE1356D" "6D51C245" "E485B576" "625E7EC6" +
+                "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" +
+                "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" +
+                "49286651" "ECE65381" "FFFFFFFF" "FFFFFFFF"
+          # The radix in which P_s represents the value of P
+          P_r = 16
+          # The group constant
+          G = 2
+          def digester
+            OpenSSL::Digest::SHA1
+          end
+          private
+          # Returns the DH key parameters for the current connection. [p, q]
+          def get_parameters
+            [
+              OpenSSL::BN.new(self.class::P_s, self.class::P_r),
+              self.class::G
+            ]
+          end
+          # Returns the INIT/REPLY constants used by this algorithm.
+          def get_message_types
+            [KEXDH_INIT, KEXDH_REPLY]
+          end
+          # Build the signature buffer to use when verifying a signature from
+          # the server.
+          def build_signature_buffer(result)
+            response = Net::SSH::Buffer.new
+            response.write_string data[:client_version_string],
+                                  data[:server_version_string],
+                                  data[:client_algorithm_packet],
+                                  data[:server_algorithm_packet],
+                                  result[:key_blob]
+            response.write_bignum dh.pub_key,
+                                  result[:server_dh_pubkey],
+                                  result[:shared_secret]
+            response
+          end
+          # Generate a DH key with a private key consisting of the given
+          # number of bytes.
+          def generate_key # :nodoc:
+            p, g = get_parameters
+            asn1 = OpenSSL::ASN1::Sequence(
+              [
+                OpenSSL::ASN1::Integer(p),
+                OpenSSL::ASN1::Integer(g)
+              ]
+            )
+            dh_params = OpenSSL::PKey::DH.new(asn1.to_der)
+            # XXX No private key size check! In theory the latter call should work but fails on OpenSSL 3.0 as
+            # dh_paramgen_subprime_len is now reserved for DHX algorithm
+            # key = OpenSSL::PKey.generate_key(dh_params, "dh_paramgen_subprime_len" => data[:need_bytes]/8)
+            if OpenSSL::PKey.respond_to?(:generate_key)
+              OpenSSL::PKey.generate_key(dh_params)
+            else
+              dh_params.generate_key!
+              dh_params
+            end
+          end
+          # Send the KEXDH_INIT message, and expect the KEXDH_REPLY. Return the
+          # resulting buffer.
+          #
+          # Parse the buffer from a KEXDH_REPLY message, returning a hash of
+          # the extracted values.
+          def send_kexinit # :nodoc:
+            init, reply = get_message_types
+            # send the KEXDH_INIT message
+            buffer = Net::SSH::Buffer.from(:byte, init, :bignum, dh.pub_key)
+            connection.send_message(buffer)
+            # expect the KEXDH_REPLY message
+            buffer = connection.next_message
+            raise Net::SSH::Exception, "expected REPLY" unless buffer.type == reply
+            result = Hash.new
+            result[:key_blob] = buffer.read_string
+            result[:server_key] = Net::SSH::Buffer.new(result[:key_blob]).read_key
+            result[:server_dh_pubkey] = buffer.read_bignum
+            result[:shared_secret] = OpenSSL::BN.new(dh.compute_key(result[:server_dh_pubkey]), 2)
+            sig_buffer = Net::SSH::Buffer.new(buffer.read_string)
+            sig_type = sig_buffer.read_string
+            if sig_type != algorithms.host_key_format
+              raise Net::SSH::Exception,
+                    "host key algorithm mismatch for signature " +
+                    "'#{sig_type}' != '#{algorithms.host_key_format}'"
+            end
+            result[:server_sig] = sig_buffer.read_string
+            return result
+          end
         end
-        result[:server_sig] = sig_buffer.read_string
-        return result
-      end
-      # Verify that the given key is of the expected type, and that it
-      # really is the key for the session's host. Raise Net::SSH::Exception
-      # if it is not.
-      def verify_server_key(key) #:nodoc:
-        if key.ssh_type != algorithms.host_key
-          raise Net::SSH::Exception,
-            "host key algorithm mismatch " +
-            "'#{key.ssh_type}' != '#{algorithms.host_key}'"
-        end
-        blob, fingerprint = generate_key_fingerprint(key)
-        unless connection.host_key_verifier.verify(:key => key, :key_blob => blob, :fingerprint => fingerprint, :session => connection)
-          raise Net::SSH::Exception, "host key verification failed"
-        end
-      end
-      def generate_key_fingerprint(key)
-        blob = Net::SSH::Buffer.from(:key, key).to_s
-        fingerprint = OpenSSL::Digest::MD5.hexdigest(blob).scan(/../).join(":")
-        [blob, fingerprint]
-      rescue ::Exception => e
-        [nil, "(could not generate fingerprint: #{e.message})"]
-      end
-      # Verify the signature that was received. Raise Net::SSH::Exception
-      # if the signature could not be verified. Otherwise, return the new
-      # session-id.
-      def verify_signature(result) #:nodoc:
-        response = build_signature_buffer(result)
-        hash = @digester.digest(response.to_s)
-        unless result[:server_key].ssh_do_verify(result[:server_sig], hash)
-          raise Net::SSH::Exception, "could not verify server signature"
-        end
-        return hash
-      end
-      # Send the NEWKEYS message, and expect the NEWKEYS message in
-      # reply.
-      def confirm_newkeys #:nodoc:
-        # send own NEWKEYS message first (the wodSSHServer won't send first)
-        response = Net::SSH::Buffer.new
-        response.write_byte(NEWKEYS)
-        connection.send_message(response)
-        # wait for the server's NEWKEYS message
-        buffer = connection.next_message
-        raise Net::SSH::Exception, "expected NEWKEYS" unless buffer.type == NEWKEYS
       end
+    end
   end
-end; end; end; end
+end

data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb CHANGED Viewed

@@ -3,78 +3,70 @@ require 'net/ssh/transport/constants'
 require 'net/ssh/transport/kex/diffie_hellman_group1_sha1'
 module Net::SSH::Transport::Kex
   # A key-exchange service implementing the
   # "diffie-hellman-group-exchange-sha1" key-exchange algorithm.
   class DiffieHellmanGroupExchangeSHA1 < DiffieHellmanGroup1SHA1
     MINIMUM_BITS      = 1024
     MAXIMUM_BITS      = 8192
-    KEXDH_GEX_GROUP   = 31
-    KEXDH_GEX_INIT    = 32
-    KEXDH_GEX_REPLY   = 33
-    KEXDH_GEX_REQUEST = 34
     private
-      # Compute the number of bits needed for the given number of bytes.
-      def compute_need_bits
+    # Compute the number of bits needed for the given number of bytes.
+    def compute_need_bits
+      # for Compatibility: OpenSSH requires (need_bits * 2 + 1) length of parameter
+      need_bits = data[:need_bytes] * 8 * 2 + 1
-        # for Compatibility: OpenSSH requires (need_bits * 2 + 1) length of parameter
-        need_bits = data[:need_bytes] * 8 * 2 + 1
+      data[:minimum_dh_bits] ||= MINIMUM_BITS
-        if need_bits < MINIMUM_BITS
-          need_bits = MINIMUM_BITS
-        elsif need_bits > MAXIMUM_BITS
-          need_bits = MAXIMUM_BITS
-        end
-        data[:need_bits ] = need_bits
-        data[:need_bytes] = need_bits / 8
+      if need_bits < data[:minimum_dh_bits]
+        need_bits = data[:minimum_dh_bits]
+      elsif need_bits > MAXIMUM_BITS
+        need_bits = MAXIMUM_BITS
       end
-      # Returns the DH key parameters for the given session.
-      def get_parameters
-        compute_need_bits
-        # request the DH key parameters for the given number of bits.
-        buffer = Net::SSH::Buffer.from(:byte, KEXDH_GEX_REQUEST, :long, MINIMUM_BITS,
-          :long, data[:need_bits], :long, MAXIMUM_BITS)
-        connection.send_message(buffer)
-        buffer = connection.next_message
-        unless buffer.type == KEXDH_GEX_GROUP
-          raise Net::SSH::Exception, "expected KEXDH_GEX_GROUP, got #{buffer.type}"
-        end
-        p = buffer.read_bignum
-        g = buffer.read_bignum
-        [p, g]
-      end
-      # Returns the INIT/REPLY constants used by this algorithm.
-      def get_message_types
-        [KEXDH_GEX_INIT, KEXDH_GEX_REPLY]
-      end
-      # Build the signature buffer to use when verifying a signature from
-      # the server.
-      def build_signature_buffer(result)
-        response = Net::SSH::Buffer.new
-        response.write_string data[:client_version_string],
-                              data[:server_version_string],
-                              data[:client_algorithm_packet],
-                              data[:server_algorithm_packet],
-                              result[:key_blob]
-        response.write_long MINIMUM_BITS,
-                            data[:need_bits],
-                            MAXIMUM_BITS
-        response.write_bignum dh.p, dh.g, dh.pub_key,
-                              result[:server_dh_pubkey],
-                              result[:shared_secret]
-        response
-      end
+      data[:need_bits] = need_bits
+      data[:need_bytes] = need_bits / 8
+    end
+    # Returns the DH key parameters for the given session.
+    def get_parameters
+      compute_need_bits
+      # request the DH key parameters for the given number of bits.
+      buffer = Net::SSH::Buffer.from(:byte, KEXDH_GEX_REQUEST, :long, data[:minimum_dh_bits],
+                                     :long, data[:need_bits], :long, MAXIMUM_BITS)
+      connection.send_message(buffer)
+      buffer = connection.next_message
+      raise Net::SSH::Exception, "expected KEXDH_GEX_GROUP, got #{buffer.type}" unless buffer.type == KEXDH_GEX_GROUP
+      p = buffer.read_bignum
+      g = buffer.read_bignum
+      [p, g]
+    end
+    # Returns the INIT/REPLY constants used by this algorithm.
+    def get_message_types
+      [KEXDH_GEX_INIT, KEXDH_GEX_REPLY]
+    end
+    # Build the signature buffer to use when verifying a signature from
+    # the server.
+    def build_signature_buffer(result)
+      response = Net::SSH::Buffer.new
+      response.write_string data[:client_version_string],
+                            data[:server_version_string],
+                            data[:client_algorithm_packet],
+                            data[:server_algorithm_packet],
+                            result[:key_blob]
+      response.write_long MINIMUM_BITS,
+                          data[:need_bits],
+                          MAXIMUM_BITS
+      response.write_bignum dh.p, dh.g, dh.pub_key,
+                            result[:server_dh_pubkey],
+                            result[:shared_secret]
+      response
+    end
   end
 end

data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb CHANGED Viewed

@@ -1,15 +1,11 @@
 require 'net/ssh/transport/kex/diffie_hellman_group_exchange_sha1'
 module Net::SSH::Transport::Kex
-  if defined?(OpenSSL::Digest::SHA256)
-    # A key-exchange service implementing the
-    # "diffie-hellman-group-exchange-sha256" key-exchange algorithm.
-    class DiffieHellmanGroupExchangeSHA256 < DiffieHellmanGroupExchangeSHA1
-      def initialize(*args)
-        super(*args)
-        @digester = OpenSSL::Digest::SHA256
-      end
+  # A key-exchange service implementing the
+  # "diffie-hellman-group-exchange-sha256" key-exchange algorithm.
+  class DiffieHellmanGroupExchangeSHA256 < DiffieHellmanGroupExchangeSHA1
+    def digester
+      OpenSSL::Digest::SHA256
     end
   end
 end

data/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb CHANGED Viewed

@@ -1,93 +1,39 @@
-require 'net/ssh/transport/constants'
-require 'net/ssh/transport/kex/diffie_hellman_group1_sha1'
-module Net; module SSH; module Transport; module Kex
-  # A key-exchange service implementing the "ecdh-sha2-nistp256"
-  # key-exchange algorithm. (defined in RFC 5656)
-  class EcdhSHA2NistP256 < DiffieHellmanGroup1SHA1
-    include Constants, Loggable
-    attr_reader :ecdh
-    def digester
-      OpenSSL::Digest::SHA256
-    end
-    def curve_name
-      OpenSSL::PKey::EC::CurveNameAlias['nistp256']
-    end
-    def initialize(algorithms, connection, data)
-      @algorithms = algorithms
-      @connection = connection
-      @digester = digester
-      @data = data.dup
-      @ecdh = generate_key
-      @logger = @data.delete(:logger)
-    end
-    private
-    def get_message_types
-      [KEXECDH_INIT, KEXECDH_REPLY]
-    end
-    def build_signature_buffer(result)
-      response = Net::SSH::Buffer.new
-      response.write_string data[:client_version_string],
-                            data[:server_version_string],
-                            data[:client_algorithm_packet],
-                            data[:server_algorithm_packet],
-                            result[:key_blob],
-                            ecdh.public_key.to_bn.to_s(2),
-                            result[:server_ecdh_pubkey]
-      response.write_bignum result[:shared_secret]
-      response
-    end
-    def generate_key #:nodoc:
-      OpenSSL::PKey::EC.new(curve_name).generate_key
-    end
-    def send_kexinit #:nodoc:
-      init, reply = get_message_types
-      # send the KEXECDH_INIT message
-      ## byte     SSH_MSG_KEX_ECDH_INIT
-      ## string   Q_C, client's ephemeral public key octet string
-      buffer = Net::SSH::Buffer.from(:byte, init, :string, ecdh.public_key.to_bn.to_s(2))
-      connection.send_message(buffer)
-      # expect the following KEXECDH_REPLY message
-      ## byte     SSH_MSG_KEX_ECDH_REPLY
-      ## string   K_S, server's public host key
-      ## string   Q_S, server's ephemeral public key octet string
-      ## string   the signature on the exchange hash
-      buffer = connection.next_message
-      raise Net::SSH::Exception, "expected REPLY" unless buffer.type == reply
-      result = Hash.new
-      result[:key_blob] = buffer.read_string
-      result[:server_key] = Net::SSH::Buffer.new(result[:key_blob]).read_key
-      result[:server_ecdh_pubkey] = buffer.read_string
-      # compute shared secret from server's public key and client's private key
-      pk = OpenSSL::PKey::EC::Point.new(OpenSSL::PKey::EC.new(curve_name).group,
-                                        OpenSSL::BN.new(result[:server_ecdh_pubkey], 2))
-      result[:shared_secret] = OpenSSL::BN.new(ecdh.dh_compute_key(pk), 2)
-      sig_buffer = Net::SSH::Buffer.new(buffer.read_string)
-      sig_type = sig_buffer.read_string
-      if sig_type != algorithms.host_key
-        raise Net::SSH::Exception,
-        "host key algorithm mismatch for signature " +
-          "'#{sig_type}' != '#{algorithms.host_key}'"
+require 'net/ssh/transport/kex/abstract5656'
+module Net
+  module SSH
+    module Transport
+      module Kex
+        # A key-exchange service implementing the "ecdh-sha2-nistp256"
+        # key-exchange algorithm. (defined in RFC 5656)
+        class EcdhSHA2NistP256 < Abstract5656
+          def digester
+            OpenSSL::Digest::SHA256
+          end
+          def curve_name
+            OpenSSL::PKey::EC::CurveNameAlias['nistp256']
+          end
+          private
+          def generate_key # :nodoc:
+            OpenSSL::PKey::EC.generate(curve_name)
+          end
+          # compute shared secret from server's public key and client's private key
+          def compute_shared_secret(server_ecdh_pubkey)
+            pk = OpenSSL::PKey::EC::Point.new(OpenSSL::PKey::EC.new(curve_name).group,
+                                              OpenSSL::BN.new(server_ecdh_pubkey, 2))
+            OpenSSL::BN.new(ecdh.dh_compute_key(pk), 2)
+          end
+          ## string   Q_C, client's ephemeral public key octet string
+          def ecdh_public_key_bytes
+            ecdh.public_key.to_bn.to_s(2)
+          end
+        end
       end
-      result[:server_sig] = sig_buffer.read_string
-      return result
     end
   end
-end; end; end; end
+end

data/lib/net/ssh/transport/kex/ecdh_sha2_nistp384.rb CHANGED Viewed

@@ -1,13 +1,21 @@
-module Net; module SSH; module Transport; module Kex
+require 'net/ssh/transport/kex/ecdh_sha2_nistp256'
-  # A key-exchange service implementing the "ecdh-sha2-nistp256"
-  # key-exchange algorithm. (defined in RFC 5656)
-  class EcdhSHA2NistP384 < EcdhSHA2NistP256
-    def digester
-      OpenSSL::Digest::SHA384
-    end
-    def curve_name
-      OpenSSL::PKey::EC::CurveNameAlias['nistp384']
+module Net
+  module SSH
+    module Transport
+      module Kex
+        # A key-exchange service implementing the "ecdh-sha2-nistp256"
+        # key-exchange algorithm. (defined in RFC 5656)
+        class EcdhSHA2NistP384 < EcdhSHA2NistP256
+          def digester
+            OpenSSL::Digest::SHA384
+          end
+          def curve_name
+            OpenSSL::PKey::EC::CurveNameAlias['nistp384']
+          end
+        end
+      end
     end
   end
-end; end; end; end
+end