net-ssh 2.9.2 → 4.0.0

data/lib/net/ssh/test/kex.rb

@@ -31,10 +31,10 @@ module Net; module SSH; module Test
       buffer = @connection.next_message
       raise Net::SSH::Exception, "expected NEWKEYS" unless buffer.type == NEWKEYS
 
-      { :session_id        => "abc-xyz",
-        :server_key        => OpenSSL::PKey::RSA.new(512),
-        :shared_secret     => OpenSSL::BN.new("1234567890", 10),
-        :hashing_algorithm => OpenSSL::Digest::SHA1 }
+      { session_id: "abc-xyz",
+        server_key: OpenSSL::PKey::RSA.new(512),
+        shared_secret: OpenSSL::BN.new("1234567890", 10),
+        hashing_algorithm: OpenSSL::Digest::SHA1 }
     end
   end
 

data/lib/net/ssh/test/packet.rb

@@ -17,6 +17,17 @@ module Net; module SSH; module Test
     include Net::SSH::Transport::Constants
     include Net::SSH::Connection::Constants
 
+    # Register a custom channel request. extra_parts is an array of types
+    # of extra parameters
+    def self.register_channel_request(request, extra_parts)
+      @registered_requests ||= {}
+      @registered_requests[request] = {extra_parts: extra_parts}
+    end
+
+    def self.registered_channel_requests(request)
+      @registered_requests && @registered_requests[request]
+    end
+
     # Ceate a new packet of the given +type+, and with +args+ being a list of
     # data elements in the order expected for packets of the given +type+
     # (see #types).
@@ -70,9 +81,14 @@ module Net; module SSH; module Test
         when CHANNEL_REQUEST
           parts = [:long, :string, :bool]
           case @data[1]
-          when "exec", "subsystem" then parts << :string
+          when "exec", "subsystem","shell" then parts << :string
           when "exit-status" then parts << :long
-          else raise "don't know what to do about #{@data[1]} channel request"
+          when "pty-req" then parts.concat([:string, :long, :long, :long, :long, :string])
+          when "env" then parts.contact([:string,:string])
+          else
+            request = Packet.registered_channel_requests(@data[1])
+            raise "don't know what to do about #{@data[1]} channel request" unless request
+            parts.concat(request[:extra_parts])
           end
         else raise "don't know how to parse packet type #{@type}"
         end

data/lib/net/ssh/test/script.rb

@@ -63,7 +63,8 @@ module Net; module SSH; module Test
     # indicating whether a response to this packet is required , and +data+
     # is any additional request-specific data that this packet should send.
     # +success+ indicates whether the response (if one is required) should be
-    # success or failure.
+    # success or failure. If +data+ is an array it will be treated as multiple
+    # data.
     #
     # If a reply is desired, a remote packet will also be queued, :channel_success
     # if +success+ is true, or :channel_failure if +success+ is false.
@@ -71,7 +72,11 @@ module Net; module SSH; module Test
     # This will typically be called via Net::SSH::Test::Channel#sends_exec or
     # Net::SSH::Test::Channel#sends_subsystem.
     def sends_channel_request(channel, request, reply, data, success=true)
-      events << LocalPacket.new(:channel_request, channel.remote_id, request, reply, data)
+      if data.is_a? Array
+        events << LocalPacket.new(:channel_request, channel.remote_id, request, reply, *data)
+      else
+        events << LocalPacket.new(:channel_request, channel.remote_id, request, reply, data)
+      end
       if reply
         if success
           events << RemotePacket.new(:channel_success, channel.local_id)
@@ -104,6 +109,15 @@ module Net; module SSH; module Test
       events << LocalPacket.new(:channel_close, channel.remote_id)
     end
 
+    # Scripts the sending of a channel request pty packets from the given
+    # Net::SSH::Test::Channel +channel+. This will typically be called via
+    # Net::SSH::Test::Channel#sends_request_pty.
+    def sends_channel_request_pty(channel)
+      data = ['pty-req', false]
+      data += Net::SSH::Connection::Channel::VALID_PTY_OPTIONS.merge(modes: "\0").values
+      events << LocalPacket.new(:channel_request, channel.remote_id, *data)
+    end
+
     # Scripts the reception of a channel data packet from the remote host by
     # the given Net::SSH::Test::Channel +channel+. This will typically be
     # called via Net::SSH::Test::Channel#gets_data.

data/lib/net/ssh/test/socket.rb

@@ -25,8 +25,8 @@ module Net; module SSH; module Test
 
       @script = Script.new
 
-      script.gets(:kexinit, 1, 2, 3, 4, "test", "ssh-rsa", "none", "none", "none", "none", "none", "none", "", "", false)
       script.sends(:kexinit)
+      script.gets(:kexinit, 1, 2, 3, 4, "test", "ssh-rsa", "none", "none", "none", "none", "none", "none", "", "", false)
       script.sends(:newkeys)
       script.gets(:newkeys)
     end

data/lib/net/ssh/test.rb

@@ -10,10 +10,10 @@ module Net; module SSH
   # typically include this module in your unit test class, and then build a
   # "story" of expected sends and receives:
   #
-  #   require 'test/unit'
+  #   require 'minitest/autorun'
   #   require 'net/ssh/test'
   #
-  #   class MyTest < Test::Unit::TestCase
+  #   class MyTest < Minitest::Test
   #     include Net::SSH::Test
   #
   #     def test_exec_via_channel_works
@@ -50,7 +50,7 @@ module Net; module SSH
     # If a block is given, yields the script for the test socket (#socket).
     # Otherwise, simply returns the socket's script. See Net::SSH::Test::Script.
     def story
-      yield socket.script if block_given?
+      Net::SSH::Test::Extensions::IO.with_test_extension { yield socket.script if block_given? }
       return socket.script
     end
 
@@ -71,7 +71,7 @@ module Net; module SSH
     # in these tests. It is a fully functional SSH transport session, operating
     # over a mock socket (#socket).
     def transport(options={})
-      @transport ||= Net::SSH::Transport::Session.new(options[:host] || "localhost", options.merge(:kex => "test", :host_key => "ssh-rsa", :paranoid => false, :proxy => socket(options)))
+      @transport ||= Net::SSH::Transport::Session.new(options[:host] || "localhost", options.merge(kex: "test", host_key: "ssh-rsa", paranoid: false, proxy: socket(options)))
     end
 
     # First asserts that a story has been described (see #story). Then yields,
@@ -81,7 +81,7 @@ module Net; module SSH
     # the block passed to this assertion.
     def assert_scripted
       raise "there is no script to be processed" if socket.script.events.empty?
-      yield
+      Net::SSH::Test::Extensions::IO.with_test_extension { yield }
       assert socket.script.events.empty?, "there should not be any remaining scripted events, but there are still #{socket.script.events.length} pending"
     end
   end

data/lib/net/ssh/transport/algorithms.rb

@@ -6,6 +6,7 @@ require 'net/ssh/transport/constants'
 require 'net/ssh/transport/hmac'
 require 'net/ssh/transport/kex'
 require 'net/ssh/transport/server_version'
+require 'net/ssh/authentication/ed25519_loader'
 
 module Net; module SSH; module Transport
 
@@ -22,40 +23,34 @@ module Net; module SSH; module Transport
     # Define the default algorithms, in order of preference, supported by
     # Net::SSH.
     ALGORITHMS = {
-      :host_key    => %w(ssh-rsa ssh-dss
-                         ssh-rsa-cert-v01@openssh.com
-                         ssh-rsa-cert-v00@openssh.com),
-      :kex         => %w(diffie-hellman-group-exchange-sha1
-                         diffie-hellman-group1-sha1
-                         diffie-hellman-group14-sha1
-                         diffie-hellman-group-exchange-sha256),
-      :encryption  => %w(aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
-                         aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
-                         idea-cbc none arcfour128 arcfour256 arcfour
-                         aes128-ctr aes192-ctr aes256-ctr
-                         camellia128-cbc camellia192-cbc camellia256-cbc
-                         camellia128-cbc@openssh.org
-                         camellia192-cbc@openssh.org
-                         camellia256-cbc@openssh.org
-                         camellia128-ctr camellia192-ctr camellia256-ctr
-                         camellia128-ctr@openssh.org
-                         camellia192-ctr@openssh.org
-                         camellia256-ctr@openssh.org
-                         cast128-ctr blowfish-ctr 3des-ctr
-                        ),
-
-      :hmac        => %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96
-                         hmac-ripemd160 hmac-ripemd160@openssh.com
-                         hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96
-                         hmac-sha2-512-96 none),
-
-      :compression => %w(none zlib@openssh.com zlib),
-      :language    => %w() 
+      host_key: %w(ssh-rsa ssh-dss
+                   ssh-rsa-cert-v01@openssh.com
+                   ssh-rsa-cert-v00@openssh.com),
+      kex: %w(diffie-hellman-group-exchange-sha1
+              diffie-hellman-group1-sha1
+              diffie-hellman-group14-sha1
+              diffie-hellman-group-exchange-sha256),
+      encryption: %w(aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
+                     aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
+                     idea-cbc none arcfour128 arcfour256 arcfour
+                     aes128-ctr aes192-ctr aes256-ctr
+                     cast128-ctr blowfish-ctr 3des-ctr),
+
+      hmac: %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96
+               hmac-ripemd160 hmac-ripemd160@openssh.com
+               hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96
+               hmac-sha2-512-96 none),
+
+      compression: %w(none zlib@openssh.com zlib),
+      language: %w()
     }
     if defined?(OpenSSL::PKey::EC)
       ALGORITHMS[:host_key] += %w(ecdsa-sha2-nistp256
                                   ecdsa-sha2-nistp384
                                   ecdsa-sha2-nistp521)
+      if Net::SSH::Authentication::ED25519Loader::LOADED
+        ALGORITHMS[:host_key] += %w(ssh-ed25519)
+      end
       ALGORITHMS[:kex] += %w(ecdh-sha2-nistp256
                              ecdh-sha2-nistp384
                              ecdh-sha2-nistp521)
@@ -124,6 +119,12 @@ module Net; module SSH; module Transport
       prepare_preferred_algorithms!
     end
 
+    # Start the algorithm negotation
+    def start
+      raise ArgumentError, "Cannot call start if it's negoitation started or done" if @pending || @initialized
+      send_kexinit
+    end
+
     # Request a rekey operation. This will return immediately, and does not
     # actually perform the rekey operation. It does cause the session to change
     # state, however--until the key exchange finishes, no new packets will be
@@ -210,25 +211,8 @@ module Net; module SSH; module Transport
       def prepare_preferred_algorithms!
         options[:compression] = %w(zlib@openssh.com zlib) if options[:compression] == true
 
-        ALGORITHMS.each do |algorithm, list|
-          algorithms[algorithm] = list.dup
-
-          # apply the preferred algorithm order, if any
-          if options[algorithm]
-            algorithms[algorithm] = Array(options[algorithm]).compact.uniq
-            unsupported = []
-            algorithms[algorithm].select! do |name|
-              supported = ALGORITHMS[algorithm].include?(name)
-              unsupported << name unless supported
-              supported
-            end
-            lwarn { "unsupported #{algorithm} algorithm: `#{unsupported}'" } unless unsupported.empty?
-
-            # make sure all of our supported algorithms are tacked onto the
-            # end, so that if the user tries to give a list of which none are
-            # supported, we can still proceed.
-            list.each { |name| algorithms[algorithm] << name unless algorithms[algorithm].include?(name) }
-          end
+        ALGORITHMS.each do |algorithm, supported|
+          algorithms[algorithm] = compose_algorithm_list(supported, options[algorithm], options[:append_all_supported_algorithms])
         end
 
         # for convention, make sure our list has the same keys as the server
@@ -243,7 +227,7 @@ module Net; module SSH; module Transport
           # make sure the host keys are specified in preference order, where any
           # existing known key for the host has preference.
 
-          existing_keys = KnownHosts.search_for(options[:host_key_alias] || session.host_as_string, options)
+          existing_keys = session.host_keys
           host_keys = existing_keys.map { |key| key.ssh_type }.uniq
           algorithms[:host_key].each do |name|
             host_keys << name unless host_keys.include?(name)
@@ -252,9 +236,41 @@ module Net; module SSH; module Transport
         end
       end
 
+      # Composes the list of algorithms by taking supported algorithms and matching with supplied options.
+      def compose_algorithm_list(supported, option, append_all_supported_algorithms = false)
+        return supported.dup unless option
+
+        list = []
+        option = Array(option).compact.uniq
+
+        if option.first && option.first.start_with?('+')
+          list = supported.dup
+          list << option.first[1..-1]
+          list.concat(option[1..-1])
+          list.uniq!
+        else
+          list = option
+
+          if append_all_supported_algorithms
+            supported.each { |name| list << name unless list.include?(name) }
+          end
+        end
+
+        unsupported = []
+        list.select! do |name|
+          is_supported = supported.include?(name)
+          unsupported << name unless is_supported
+          is_supported
+        end
+
+        lwarn { "unsupported #{algorithm} algorithm: `#{unsupported}'" } unless unsupported.empty?
+
+        list
+      end
+
       # Parses a KEXINIT packet from the server.
       def parse_server_algorithm_packet(packet)
-        data = { :raw => packet.content }
+        data = { raw: packet.content }
 
         packet.read(16) # skip the cookie value
 
@@ -290,8 +306,8 @@ module Net; module SSH; module Transport
 
         Net::SSH::Buffer.from(:byte, KEXINIT,
           :long, [rand(0xFFFFFFFF), rand(0xFFFFFFFF), rand(0xFFFFFFFF), rand(0xFFFFFFFF)],
-          :string, [kex, host_key, encryption, encryption, hmac, hmac],
-          :string, [compression, compression, language, language],
+          :mstring, [kex, host_key, encryption, encryption, hmac, hmac],
+          :mstring, [compression, compression, language, language],
           :bool, false, :long, 0)
       end
 
@@ -355,12 +371,13 @@ module Net; module SSH; module Transport
         debug { "exchanging keys" }
 
         algorithm = Kex::MAP[kex].new(self, session,
-          :client_version_string => Net::SSH::Transport::ServerVersion::PROTO_VERSION,
-          :server_version_string => session.server_version.version,
-          :server_algorithm_packet => @server_packet,
-          :client_algorithm_packet => @client_packet,
-          :need_bytes => kex_byte_requirement,
-          :logger => logger)
+          client_version_string: Net::SSH::Transport::ServerVersion::PROTO_VERSION,
+          server_version_string: session.server_version.version,
+          server_algorithm_packet: @server_packet,
+          client_algorithm_packet: @client_packet,
+          need_bytes: kex_byte_requirement,
+          minimum_dh_bits: options[:minimum_dh_bits],
+          logger: logger)
         result = algorithm.exchange_keys
 
         secret   = result[:shared_secret].to_ssh
@@ -370,7 +387,7 @@ module Net; module SSH; module Transport
         @session_id ||= hash
 
         key = Proc.new { |salt| digester.digest(secret + hash + salt + @session_id) }
-        
+
         iv_client = key["A"]
         iv_server = key["B"]
         key_client = key["C"]
@@ -378,26 +395,26 @@ module Net; module SSH; module Transport
         mac_key_client = key["E"]
         mac_key_server = key["F"]
 
-        parameters = { :shared => secret, :hash => hash, :digester => digester }
-        
-        cipher_client = CipherFactory.get(encryption_client, parameters.merge(:iv => iv_client, :key => key_client, :encrypt => true))
-        cipher_server = CipherFactory.get(encryption_server, parameters.merge(:iv => iv_server, :key => key_server, :decrypt => true))
+        parameters = { shared: secret, hash: hash, digester: digester }
+
+        cipher_client = CipherFactory.get(encryption_client, parameters.merge(iv: iv_client, key: key_client, encrypt: true))
+        cipher_server = CipherFactory.get(encryption_server, parameters.merge(iv: iv_server, key: key_server, decrypt: true))
 
         mac_client = HMAC.get(hmac_client, mac_key_client, parameters)
         mac_server = HMAC.get(hmac_server, mac_key_server, parameters)
 
-        session.configure_client :cipher => cipher_client, :hmac => mac_client,
-          :compression => normalize_compression_name(compression_client),
-          :compression_level => options[:compression_level],
-          :rekey_limit => options[:rekey_limit],
-          :max_packets => options[:rekey_packet_limit],
-          :max_blocks => options[:rekey_blocks_limit]
-
-        session.configure_server :cipher => cipher_server, :hmac => mac_server,
-          :compression => normalize_compression_name(compression_server),
-          :rekey_limit => options[:rekey_limit],
-          :max_packets => options[:rekey_packet_limit],
-          :max_blocks  => options[:rekey_blocks_limit]
+        session.configure_client cipher: cipher_client, hmac: mac_client,
+          compression: normalize_compression_name(compression_client),
+          compression_level: options[:compression_level],
+          rekey_limit: options[:rekey_limit],
+          max_packets: options[:rekey_packet_limit],
+          max_blocks: options[:rekey_blocks_limit]
+
+        session.configure_server cipher: cipher_server, hmac: mac_server,
+          compression: normalize_compression_name(compression_server),
+          rekey_limit: options[:rekey_limit],
+          max_packets: options[:rekey_packet_limit],
+          max_blocks: options[:rekey_blocks_limit]
 
         @initialized = true
       end

data/lib/net/ssh/transport/cipher_factory.rb

@@ -21,12 +21,6 @@ module Net; module SSH; module Transport
       "arcfour256"                  => "rc4",
       "arcfour512"                  => "rc4",
       "arcfour"                     => "rc4",
-      "camellia128-cbc"             => "camellia-128-cbc",
-      "camellia192-cbc"             => "camellia-192-cbc",
-      "camellia256-cbc"             => "camellia-256-cbc",
-      "camellia128-cbc@openssh.org" => "camellia-128-cbc",
-      "camellia192-cbc@openssh.org" => "camellia-192-cbc",
-      "camellia256-cbc@openssh.org" => "camellia-256-cbc",
 
       "3des-ctr"                    => "des-ede3",
       "blowfish-ctr"                => "bf-ecb",
@@ -34,19 +28,13 @@ module Net; module SSH; module Transport
       "aes192-ctr"                  => "aes-192-ecb",
       "aes128-ctr"                  => "aes-128-ecb",
       "cast128-ctr"                 => "cast5-ecb",
-      "camellia128-ctr"             => "camellia-128-ecb",
-      "camellia192-ctr"             => "camellia-192-ecb",
-      "camellia256-ctr"             => "camellia-256-ecb",
-      "camellia128-ctr@openssh.org" => "camellia-128-ecb",
-      "camellia192-ctr@openssh.org" => "camellia-192-ecb",
-      "camellia256-ctr@openssh.org" => "camellia-256-ecb",
 
       "none"                        => "none",
     }
 
     # Ruby's OpenSSL bindings always return a key length of 16 for RC4 ciphers
-    # resulting in the error: OpenSSL::CipherError: key length too short. 
-    # The following ciphers will override this key length. 
+    # resulting in the error: OpenSSL::CipherError: key length too short.
+    # The following ciphers will override this key length.
     KEY_LEN_OVERRIDE = {
       "arcfour256"                  => 32,
       "arcfour512"                  => 64
@@ -69,19 +57,18 @@ module Net; module SSH; module Transport
     def self.get(name, options={})
       ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
       return IdentityCipher if ossl_name == "none"
-      cipher = OpenSSL::Cipher::Cipher.new(ossl_name)
+      cipher = OpenSSL::Cipher.new(ossl_name)
 
       cipher.send(options[:encrypt] ? :encrypt : :decrypt)
 
       cipher.padding = 0
 
       cipher.extend(Net::SSH::Transport::CTR) if (name =~ /-ctr(@openssh.org)?$/)
-
-      cipher.iv      = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options) if ossl_name != "rc4"
+      cipher.iv = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options) if ossl_name != "rc4"
 
       key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
       cipher.key_len = key_len
-      cipher.key     = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
+      cipher.key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
       cipher.update(" " * 1536) if (ossl_name == "rc4" && name != "arcfour")
 
       return cipher
@@ -91,15 +78,21 @@ module Net; module SSH; module Transport
     # block-size ] for the named cipher algorithm. If the cipher
     # algorithm is unknown, or is "none", 0 is returned for both elements
     # of the tuple.
-    def self.get_lengths(name)
+    # if :iv_len option is supplied the third return value will be ivlen
+    def self.get_lengths(name, options = {})
       ossl_name = SSH_TO_OSSL[name]
-      return [0, 0] if ossl_name.nil? || ossl_name == "none"
-
-      cipher = OpenSSL::Cipher::Cipher.new(ossl_name)
-      key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
-      cipher.key_len = key_len
-      
-      return [key_len, ossl_name=="rc4" ? 8 : cipher.block_size]
+      if ossl_name.nil? || ossl_name == "none"
+        result = [0, 0]
+        result << 0 if options[:iv_len]
+      else
+        cipher = OpenSSL::Cipher.new(ossl_name)
+        key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
+        cipher.key_len = key_len
+
+        result = [key_len, ossl_name=="rc4" ? 8 : cipher.block_size]
+        result << cipher.iv_len if options[:iv_len]
+      end
+      result
     end
   end
 

data/lib/net/ssh/transport/ctr.rb

@@ -12,12 +12,10 @@ module Net::SSH::Transport
         @counter_len = orig.block_size
         orig.encrypt
         orig.padding = 0
-      }
-
-      class <<orig
-        alias :_update :update
-        private :_update
-        undef :update
+        
+        singleton_class.send(:alias_method, :_update, :update)
+        singleton_class.send(:private, :_update)
+        singleton_class.send(:undef_method, :update)
 
         def iv
           @counter
@@ -73,13 +71,12 @@ module Net::SSH::Transport
           s
         end
 
-        private
-
         def xor!(s1, s2)
           s = []
           s1.unpack('Q*').zip(s2.unpack('Q*')) {|a,b| s.push(a^b) }
           s.pack('Q*')
         end
+        singleton_class.send(:private, :xor!)
 
         def increment_counter!
           c = @counter_len
@@ -89,7 +86,8 @@ module Net::SSH::Transport
             end
           end
         end
-      end
+        singleton_class.send(:private, :increment_counter!)
+      }
     end
   end
 end

data/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb

@@ -69,10 +69,10 @@ module Net; module SSH; module Transport; module Kex
       session_id = verify_signature(result)
       confirm_newkeys
 
-      return { :session_id        => session_id, 
-               :server_key        => result[:server_key],
-               :shared_secret     => result[:shared_secret],
-               :hashing_algorithm => digester }
+      return { session_id: session_id,
+               server_key: result[:server_key],
+               shared_secret: result[:shared_secret],
+               hashing_algorithm: digester }
     end
 
     private
@@ -115,11 +115,22 @@ module Net; module SSH; module Transport; module Kex
       def generate_key #:nodoc:
         dh = OpenSSL::PKey::DH.new
 
-        dh.p, dh.g = get_parameters
-        dh.priv_key = OpenSSL::BN.rand(data[:need_bytes] * 8)
-
-        dh.generate_key! until dh.valid?
+        if dh.respond_to?(:set_pqg)
+          p, g = get_parameters
+          dh.set_pqg(p, nil, g)
+        else
+          dh.p, dh.g = get_parameters
+        end
 
+        dh.generate_key!
+        until dh.valid? && dh.priv_key.num_bytes == data[:need_bytes]
+          if dh.respond_to?(:set_key)
+            dh.set_key(nil, OpenSSL::BN.rand(data[:need_bytes] * 8))
+          else
+            dh.priv_key = OpenSSL::BN.rand(data[:need_bytes] * 8)
+          end
+          dh.generate_key!
+        end
         dh
       end
 
@@ -170,7 +181,7 @@ module Net; module SSH; module Transport; module Kex
 
         blob, fingerprint = generate_key_fingerprint(key)
 
-        unless connection.host_key_verifier.verify(:key => key, :key_blob => blob, :fingerprint => fingerprint, :session => connection)
+        unless connection.host_key_verifier.verify(key: key, key_blob: blob, fingerprint: fingerprint, session: connection)
           raise Net::SSH::Exception, "host key verification failed"
         end
       end

data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb

@@ -23,8 +23,10 @@ module Net::SSH::Transport::Kex
         # for Compatibility: OpenSSH requires (need_bits * 2 + 1) length of parameter
         need_bits = data[:need_bytes] * 8 * 2 + 1
 
-        if need_bits < MINIMUM_BITS
-          need_bits = MINIMUM_BITS
+        data[:minimum_dh_bits] ||= MINIMUM_BITS
+
+        if need_bits < data[:minimum_dh_bits]
+          need_bits = data[:minimum_dh_bits]
         elsif need_bits > MAXIMUM_BITS
           need_bits = MAXIMUM_BITS
         end
@@ -38,7 +40,7 @@ module Net::SSH::Transport::Kex
         compute_need_bits
 
         # request the DH key parameters for the given number of bits.
-        buffer = Net::SSH::Buffer.from(:byte, KEXDH_GEX_REQUEST, :long, MINIMUM_BITS,
+        buffer = Net::SSH::Buffer.from(:byte, KEXDH_GEX_REQUEST, :long, data[:minimum_dh_bits],
           :long, data[:need_bits], :long, MAXIMUM_BITS)
         connection.send_message(buffer)
 

data/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb

@@ -57,7 +57,7 @@ module Net; module SSH; module Transport; module Kex
       # send the KEXECDH_INIT message
       ## byte     SSH_MSG_KEX_ECDH_INIT
       ## string   Q_C, client's ephemeral public key octet string
-      buffer = Net::SSH::Buffer.from(:byte, init, :string, ecdh.public_key.to_bn.to_s(2))
+      buffer = Net::SSH::Buffer.from(:byte, init, :mstring, ecdh.public_key.to_bn.to_s(2))
       connection.send_message(buffer)
 
       # expect the following KEXECDH_REPLY message

data/lib/net/ssh/transport/key_expander.rb

@@ -9,6 +9,7 @@ module Net; module SSH; module Transport
     end
 
     k = start[0, bytes]
+    return k if k.length >= bytes
 
     digester = options[:digester] or raise 'No digester supplied'
     shared   = options[:shared] or raise 'No shared secret supplied'

data/lib/net/ssh/transport/openssl.rb

@@ -185,7 +185,7 @@ module OpenSSL
         def to_blob
           @blob ||= Net::SSH::Buffer.from(:string, ssh_type,
                                           :string, CurveNameAliasInv[self.group.curve_name],
-                                          :string, self.public_key.to_bn.to_s(2)).to_s
+                                          :mstring, self.public_key.to_bn.to_s(2)).to_s
           @blob
         end
 

data/lib/net/ssh/transport/packet_stream.rb

@@ -69,13 +69,13 @@ module Net; module SSH; module Transport
           PROXY_COMMAND_HOST_IP
         end
     end
-    
+
     # Returns true if the IO is available for reading, and false otherwise.
     def available_for_read?
       result = Net::SSH::Compat.io_select([self], nil, nil, 0)
       result && result.first.any?
     end
-    
+
     # Returns the next full packet. If the mode parameter is :nonblock (the
     # default), then this will return immediately, whether a packet is
     # available or not, and will return nil if there is no packet ready to be
@@ -84,9 +84,17 @@ module Net; module SSH; module Transport
     def next_packet(mode=:nonblock)
       case mode
       when :nonblock then
+        packet = poll_next_packet
+        return packet if packet
+
         if available_for_read?
           if fill <= 0
-            raise Net::SSH::Disconnect, "connection closed by remote host"
+            result = poll_next_packet
+            if result.nil?
+              raise Net::SSH::Disconnect, "connection closed by remote host"
+            else
+              return result
+            end
           end
         end
         poll_next_packet