RubyGems - net-ssh - Versions diffs - 3.2.0 → 7.2.0.rc1 - Mend

net-ssh 3.2.0 → 7.2.0.rc1

Files changed (210) hide show

checksums.yaml +5 -5
checksums.yaml.gz.sig +0 -0
data/.dockerignore +6 -0
data/.github/FUNDING.yml +1 -0
data/.github/config/rubocop_linter_action.yml +4 -0
data/.github/workflows/ci-with-docker.yml +44 -0
data/.github/workflows/ci.yml +93 -0
data/.github/workflows/rubocop.yml +16 -0
data/.gitignore +13 -0
data/.rubocop.yml +22 -0
data/.rubocop_todo.yml +1081 -0
data/CHANGES.txt +237 -7
data/DEVELOPMENT.md +23 -0
data/Dockerfile +27 -0
data/Dockerfile.openssl3 +17 -0
data/Gemfile +13 -0
data/Gemfile.noed25519 +12 -0
data/Gemfile.norbnacl +12 -0
data/ISSUE_TEMPLATE.md +30 -0
data/Manifest +4 -5
data/README.md +298 -0
data/Rakefile +125 -74
data/SECURITY.md +4 -0
data/appveyor.yml +58 -0
data/docker-compose.yml +23 -0
data/lib/net/ssh/authentication/agent.rb +279 -18
data/lib/net/ssh/authentication/certificate.rb +183 -0
data/lib/net/ssh/authentication/constants.rb +17 -15
data/lib/net/ssh/authentication/ed25519.rb +186 -0
data/lib/net/ssh/authentication/ed25519_loader.rb +31 -0
data/lib/net/ssh/authentication/key_manager.rb +86 -39
data/lib/net/ssh/authentication/methods/abstract.rb +67 -48
data/lib/net/ssh/authentication/methods/hostbased.rb +34 -37
data/lib/net/ssh/authentication/methods/keyboard_interactive.rb +13 -13
data/lib/net/ssh/authentication/methods/none.rb +16 -19
data/lib/net/ssh/authentication/methods/password.rb +27 -17
data/lib/net/ssh/authentication/methods/publickey.rb +96 -55
data/lib/net/ssh/authentication/pageant.rb +471 -367
data/lib/net/ssh/authentication/pub_key_fingerprint.rb +43 -0
data/lib/net/ssh/authentication/session.rb +131 -121
data/lib/net/ssh/buffer.rb +399 -300
data/lib/net/ssh/buffered_io.rb +154 -150
data/lib/net/ssh/config.rb +308 -185
data/lib/net/ssh/connection/channel.rb +635 -613
data/lib/net/ssh/connection/constants.rb +29 -29
data/lib/net/ssh/connection/event_loop.rb +123 -0
data/lib/net/ssh/connection/keepalive.rb +55 -51
data/lib/net/ssh/connection/session.rb +620 -551
data/lib/net/ssh/connection/term.rb +125 -123
data/lib/net/ssh/errors.rb +101 -99
data/lib/net/ssh/key_factory.rb +197 -105
data/lib/net/ssh/known_hosts.rb +214 -127
data/lib/net/ssh/loggable.rb +50 -49
data/lib/net/ssh/packet.rb +83 -79
data/lib/net/ssh/prompt.rb +50 -81
data/lib/net/ssh/proxy/command.rb +105 -90
data/lib/net/ssh/proxy/errors.rb +12 -10
data/lib/net/ssh/proxy/http.rb +82 -79
data/lib/net/ssh/proxy/https.rb +50 -0
data/lib/net/ssh/proxy/jump.rb +54 -0
data/lib/net/ssh/proxy/socks4.rb +2 -6
data/lib/net/ssh/proxy/socks5.rb +14 -17
data/lib/net/ssh/service/forward.rb +370 -317
data/lib/net/ssh/test/channel.rb +145 -136
data/lib/net/ssh/test/extensions.rb +131 -110
data/lib/net/ssh/test/kex.rb +34 -32
data/lib/net/ssh/test/local_packet.rb +46 -44
data/lib/net/ssh/test/packet.rb +89 -70
data/lib/net/ssh/test/remote_packet.rb +32 -30
data/lib/net/ssh/test/script.rb +156 -142
data/lib/net/ssh/test/socket.rb +49 -48
data/lib/net/ssh/test.rb +82 -77
data/lib/net/ssh/transport/algorithms.rb +462 -359
data/lib/net/ssh/transport/chacha20_poly1305_cipher.rb +117 -0
data/lib/net/ssh/transport/chacha20_poly1305_cipher_loader.rb +17 -0
data/lib/net/ssh/transport/cipher_factory.rb +122 -99
data/lib/net/ssh/transport/constants.rb +32 -24
data/lib/net/ssh/transport/ctr.rb +42 -22
data/lib/net/ssh/transport/hmac/abstract.rb +81 -63
data/lib/net/ssh/transport/hmac/md5.rb +0 -2
data/lib/net/ssh/transport/hmac/md5_96.rb +0 -2
data/lib/net/ssh/transport/hmac/none.rb +0 -2
data/lib/net/ssh/transport/hmac/ripemd160.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1_96.rb +0 -2
data/lib/net/ssh/transport/hmac/sha2_256.rb +7 -11
data/lib/net/ssh/transport/hmac/sha2_256_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_256_etm.rb +12 -0
data/lib/net/ssh/transport/hmac/sha2_512.rb +6 -9
data/lib/net/ssh/transport/hmac/sha2_512_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_512_etm.rb +12 -0
data/lib/net/ssh/transport/hmac.rb +14 -12
data/lib/net/ssh/transport/identity_cipher.rb +54 -44
data/lib/net/ssh/transport/kex/abstract.rb +130 -0
data/lib/net/ssh/transport/kex/abstract5656.rb +72 -0
data/lib/net/ssh/transport/kex/curve25519_sha256.rb +39 -0
data/lib/net/ssh/transport/kex/curve25519_sha256_loader.rb +30 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha1.rb +33 -40
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha256.rb +11 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb +119 -213
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb +53 -61
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb +5 -9
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb +36 -90
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp384.rb +18 -10
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp521.rb +18 -10
data/lib/net/ssh/transport/kex.rb +15 -12
data/lib/net/ssh/transport/key_expander.rb +24 -20
data/lib/net/ssh/transport/openssl.rb +161 -124
data/lib/net/ssh/transport/openssl_cipher_extensions.rb +8 -0
data/lib/net/ssh/transport/packet_stream.rb +246 -185
data/lib/net/ssh/transport/server_version.rb +55 -56
data/lib/net/ssh/transport/session.rb +306 -255
data/lib/net/ssh/transport/state.rb +178 -176
data/lib/net/ssh/verifiers/accept_new.rb +33 -0
data/lib/net/ssh/verifiers/accept_new_or_local_tunnel.rb +33 -0
data/lib/net/ssh/verifiers/always.rb +58 -0
data/lib/net/ssh/verifiers/never.rb +19 -0
data/lib/net/ssh/version.rb +55 -53
data/lib/net/ssh.rb +111 -47
data/net-ssh-public_cert.pem +18 -18
data/net-ssh.gemspec +38 -205
data/support/ssh_tunnel_bug.rb +5 -5
data.tar.gz.sig +0 -0
metadata +173 -118
metadata.gz.sig +0 -0
data/.travis.yml +0 -18
data/README.rdoc +0 -182
data/lib/net/ssh/authentication/agent/java_pageant.rb +0 -85
data/lib/net/ssh/authentication/agent/socket.rb +0 -178
data/lib/net/ssh/ruby_compat.rb +0 -46
data/lib/net/ssh/verifiers/lenient.rb +0 -30
data/lib/net/ssh/verifiers/null.rb +0 -12
data/lib/net/ssh/verifiers/secure.rb +0 -52
data/lib/net/ssh/verifiers/strict.rb +0 -24
data/setup.rb +0 -1585
data/support/arcfour_check.rb +0 -20
data/test/README.txt +0 -18
data/test/authentication/methods/common.rb +0 -28
data/test/authentication/methods/test_abstract.rb +0 -51
data/test/authentication/methods/test_hostbased.rb +0 -114
data/test/authentication/methods/test_keyboard_interactive.rb +0 -121
data/test/authentication/methods/test_none.rb +0 -41
data/test/authentication/methods/test_password.rb +0 -95
data/test/authentication/methods/test_publickey.rb +0 -148
data/test/authentication/test_agent.rb +0 -232
data/test/authentication/test_key_manager.rb +0 -240
data/test/authentication/test_session.rb +0 -107
data/test/common.rb +0 -125
data/test/configs/auth_off +0 -5
data/test/configs/auth_on +0 -4
data/test/configs/empty +0 -0
data/test/configs/eqsign +0 -3
data/test/configs/exact_match +0 -8
data/test/configs/host_plus +0 -10
data/test/configs/multihost +0 -4
data/test/configs/negative_match +0 -6
data/test/configs/nohost +0 -19
data/test/configs/numeric_host +0 -4
data/test/configs/proxy_remote_user +0 -2
data/test/configs/send_env +0 -2
data/test/configs/substitutes +0 -8
data/test/configs/wild_cards +0 -14
data/test/connection/test_channel.rb +0 -487
data/test/connection/test_session.rb +0 -564
data/test/integration/README.txt +0 -17
data/test/integration/Vagrantfile +0 -12
data/test/integration/common.rb +0 -63
data/test/integration/playbook.yml +0 -56
data/test/integration/test_forward.rb +0 -637
data/test/integration/test_id_rsa_keys.rb +0 -96
data/test/integration/test_proxy.rb +0 -93
data/test/known_hosts/github +0 -1
data/test/known_hosts/github_hash +0 -1
data/test/manual/test_pageant.rb +0 -37
data/test/start/test_connection.rb +0 -53
data/test/start/test_options.rb +0 -57
data/test/start/test_transport.rb +0 -28
data/test/start/test_user_nil.rb +0 -27
data/test/test_all.rb +0 -12
data/test/test_buffer.rb +0 -433
data/test/test_buffered_io.rb +0 -63
data/test/test_config.rb +0 -268
data/test/test_key_factory.rb +0 -191
data/test/test_known_hosts.rb +0 -66
data/test/transport/hmac/test_md5.rb +0 -41
data/test/transport/hmac/test_md5_96.rb +0 -27
data/test/transport/hmac/test_none.rb +0 -34
data/test/transport/hmac/test_ripemd160.rb +0 -36
data/test/transport/hmac/test_sha1.rb +0 -36
data/test/transport/hmac/test_sha1_96.rb +0 -27
data/test/transport/hmac/test_sha2_256.rb +0 -37
data/test/transport/hmac/test_sha2_256_96.rb +0 -27
data/test/transport/hmac/test_sha2_512.rb +0 -37
data/test/transport/hmac/test_sha2_512_96.rb +0 -27
data/test/transport/kex/test_diffie_hellman_group14_sha1.rb +0 -13
data/test/transport/kex/test_diffie_hellman_group1_sha1.rb +0 -150
data/test/transport/kex/test_diffie_hellman_group_exchange_sha1.rb +0 -96
data/test/transport/kex/test_diffie_hellman_group_exchange_sha256.rb +0 -19
data/test/transport/kex/test_ecdh_sha2_nistp256.rb +0 -161
data/test/transport/kex/test_ecdh_sha2_nistp384.rb +0 -38
data/test/transport/kex/test_ecdh_sha2_nistp521.rb +0 -38
data/test/transport/test_algorithms.rb +0 -328
data/test/transport/test_cipher_factory.rb +0 -443
data/test/transport/test_hmac.rb +0 -34
data/test/transport/test_identity_cipher.rb +0 -40
data/test/transport/test_packet_stream.rb +0 -1762
data/test/transport/test_server_version.rb +0 -74
data/test/transport/test_session.rb +0 -331
data/test/transport/test_state.rb +0 -181
data/test/verifiers/test_secure.rb +0 -40

data/lib/net/ssh/transport/chacha20_poly1305_cipher.rb ADDED Viewed

@@ -0,0 +1,117 @@
+require 'rbnacl'
+require 'net/ssh/loggable'
+module Net
+  module SSH
+    module Transport
+      ## Implements the chacha20-poly1305@openssh cipher
+      class ChaCha20Poly1305Cipher
+        include Net::SSH::Loggable
+        # Implicit HMAC, no need to do anything
+        class ImplicitHMac
+          def etm
+            # TODO: ideally this shouln't be called
+            true
+          end
+          def key_length
+            64
+          end
+        end
+        def initialize(encrypt:, key:)
+          @chacha_hdr = OpenSSL::Cipher.new("chacha20")
+          key_len = @chacha_hdr.key_len
+          @chacha_main = OpenSSL::Cipher.new("chacha20")
+          @poly = RbNaCl::OneTimeAuths::Poly1305
+          if key.size < key_len * 2
+            error { "chacha20_poly1305: keylength doesn't match" }
+            raise "chacha20_poly1305: keylength doesn't match"
+          end
+          if encrypt
+            @chacha_hdr.encrypt
+            @chacha_main.encrypt
+          else
+            @chacha_hdr.decrypt
+            @chacha_main.decrypt
+          end
+          main_key = key[0...key_len]
+          @chacha_main.key = main_key
+          hdr_key = key[key_len...(2 * key_len)]
+          @chacha_hdr.key = hdr_key
+        end
+        def update_cipher_mac(payload, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_main.iv = iv_data
+          poly_key = @chacha_main.update(([0] * 32).pack('C32'))
+          packet_length = payload.size
+          length_data = [packet_length].pack("N")
+          @chacha_hdr.iv = iv_data
+          packet = @chacha_hdr.update(length_data)
+          iv_data[0] = 1.chr
+          @chacha_main.iv = iv_data
+          unencrypted_data = payload
+          packet += @chacha_main.update(unencrypted_data)
+          packet += @poly.auth(poly_key, packet)
+          return packet
+        end
+        def read_length(data, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_hdr.iv = iv_data
+          @chacha_hdr.update(data).unpack1("N")
+        end
+        def read_and_mac(data, mac, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_main.iv = iv_data
+          poly_key = @chacha_main.update(([0] * 32).pack('C32'))
+          iv_data[0] = 1.chr
+          @chacha_main.iv = iv_data
+          unencrypted_data = @chacha_main.update(data[4..])
+          begin
+            ok = @poly.verify(poly_key, mac, data[0..])
+            raise Net::SSH::Exception, "corrupted hmac detected #{name}" unless ok
+          rescue RbNaCl::BadAuthenticatorError
+            raise Net::SSH::Exception, "corrupted hmac detected #{name}"
+          end
+          return unencrypted_data
+        end
+        def mac_length
+          16
+        end
+        def block_size
+          8
+        end
+        def name
+          "chacha20-poly1305@openssh.com"
+        end
+        def implicit_mac?
+          true
+        end
+        def implicit_mac
+          return ImplicitHMac.new
+        end
+        def self.block_size
+          8
+        end
+        def self.key_length
+          64
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/chacha20_poly1305_cipher_loader.rb ADDED Viewed

@@ -0,0 +1,17 @@
+module Net
+  module SSH
+    module Transport
+      # Loads chacha20 poly1305 support which requires optinal dependency rbnacl
+      module ChaCha20Poly1305CipherLoader
+        begin
+          require 'net/ssh/transport/chacha20_poly1305_cipher'
+          LOADED = true
+          ERROR = nil
+        rescue LoadError => e
+          ERROR = e
+          LOADED = false
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/cipher_factory.rb CHANGED Viewed

@@ -2,104 +2,127 @@ require 'openssl'
 require 'net/ssh/transport/ctr.rb'
 require 'net/ssh/transport/key_expander'
 require 'net/ssh/transport/identity_cipher'
-module Net; module SSH; module Transport
-  # Implements a factory of OpenSSL cipher algorithms.
-  class CipherFactory
-    # Maps the SSH name of a cipher to it's corresponding OpenSSL name
-    SSH_TO_OSSL = {
-      "3des-cbc"                    => "des-ede3-cbc",
-      "blowfish-cbc"                => "bf-cbc",
-      "aes256-cbc"                  => "aes-256-cbc",
-      "aes192-cbc"                  => "aes-192-cbc",
-      "aes128-cbc"                  => "aes-128-cbc",
-      "idea-cbc"                    => "idea-cbc",
-      "cast128-cbc"                 => "cast-cbc",
-      "rijndael-cbc@lysator.liu.se" => "aes-256-cbc",
-      "arcfour128"                  => "rc4",
-      "arcfour256"                  => "rc4",
-      "arcfour512"                  => "rc4",
-      "arcfour"                     => "rc4",
-      "camellia128-cbc"             => "camellia-128-cbc",
-      "camellia192-cbc"             => "camellia-192-cbc",
-      "camellia256-cbc"             => "camellia-256-cbc",
-      "camellia128-cbc@openssh.org" => "camellia-128-cbc",
-      "camellia192-cbc@openssh.org" => "camellia-192-cbc",
-      "camellia256-cbc@openssh.org" => "camellia-256-cbc",
-      "3des-ctr"                    => "des-ede3",
-      "blowfish-ctr"                => "bf-ecb",
-      "aes256-ctr"                  => "aes-256-ecb",
-      "aes192-ctr"                  => "aes-192-ecb",
-      "aes128-ctr"                  => "aes-128-ecb",
-      "cast128-ctr"                 => "cast5-ecb",
-      "camellia128-ctr"             => "camellia-128-ecb",
-      "camellia192-ctr"             => "camellia-192-ecb",
-      "camellia256-ctr"             => "camellia-256-ecb",
-      "camellia128-ctr@openssh.org" => "camellia-128-ecb",
-      "camellia192-ctr@openssh.org" => "camellia-192-ecb",
-      "camellia256-ctr@openssh.org" => "camellia-256-ecb",
-      "none"                        => "none",
-    }
-    # Ruby's OpenSSL bindings always return a key length of 16 for RC4 ciphers
-    # resulting in the error: OpenSSL::CipherError: key length too short.
-    # The following ciphers will override this key length.
-    KEY_LEN_OVERRIDE = {
-      "arcfour256"                  => 32,
-      "arcfour512"                  => 64
-    }
-    # Returns true if the underlying OpenSSL library supports the given cipher,
-    # and false otherwise.
-    def self.supported?(name)
-      ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
-      return true if ossl_name == "none"
-      return OpenSSL::Cipher.ciphers.include?(ossl_name)
-    end
-    # Retrieves a new instance of the named algorithm. The new instance
-    # will be initialized using an iv and key generated from the given
-    # iv, key, shared, hash and digester values. Additionally, the
-    # cipher will be put into encryption or decryption mode, based on the
-    # value of the +encrypt+ parameter.
-    def self.get(name, options={})
-      ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
-      return IdentityCipher if ossl_name == "none"
-      cipher = OpenSSL::Cipher::Cipher.new(ossl_name)
-      cipher.send(options[:encrypt] ? :encrypt : :decrypt)
-      cipher.padding = 0
-      cipher.extend(Net::SSH::Transport::CTR) if (name =~ /-ctr(@openssh.org)?$/)
-      cipher.iv      = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options) if ossl_name != "rc4"
-      key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
-      cipher.key_len = key_len
-      cipher.key     = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
-      cipher.update(" " * 1536) if (ossl_name == "rc4" && name != "arcfour")
-      return cipher
-    end
-    # Returns a two-element array containing the [ key-length,
-    # block-size ] for the named cipher algorithm. If the cipher
-    # algorithm is unknown, or is "none", 0 is returned for both elements
-    # of the tuple.
-    def self.get_lengths(name)
-      ossl_name = SSH_TO_OSSL[name]
-      return [0, 0] if ossl_name.nil? || ossl_name == "none"
-      cipher = OpenSSL::Cipher::Cipher.new(ossl_name)
-      key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
-      cipher.key_len = key_len
-      return [key_len, ossl_name=="rc4" ? 8 : cipher.block_size]
+require 'net/ssh/transport/chacha20_poly1305_cipher_loader'
+require 'net/ssh/transport/openssl_cipher_extensions'
+module Net
+  module SSH
+    module Transport
+      # Implements a factory of OpenSSL cipher algorithms.
+      class CipherFactory
+        # Maps the SSH name of a cipher to it's corresponding OpenSSL name
+        SSH_TO_OSSL = {
+          "3des-cbc" => "des-ede3-cbc",
+          "blowfish-cbc" => "bf-cbc",
+          "aes256-cbc" => "aes-256-cbc",
+          "aes192-cbc" => "aes-192-cbc",
+          "aes128-cbc" => "aes-128-cbc",
+          "idea-cbc" => "idea-cbc",
+          "cast128-cbc" => "cast-cbc",
+          "rijndael-cbc@lysator.liu.se" => "aes-256-cbc",
+          "3des-ctr" => "des-ede3",
+          "blowfish-ctr" => "bf-ecb",
+          "aes256-ctr" => ::OpenSSL::Cipher.ciphers.include?("aes-256-ctr") ? "aes-256-ctr" : "aes-256-ecb",
+          "aes192-ctr" => ::OpenSSL::Cipher.ciphers.include?("aes-192-ctr") ? "aes-192-ctr" : "aes-192-ecb",
+          "aes128-ctr" => ::OpenSSL::Cipher.ciphers.include?("aes-128-ctr") ? "aes-128-ctr" : "aes-128-ecb",
+          'cast128-ctr' => 'cast5-ecb',
+          'none' => 'none'
+        }
+        SSH_TO_CLASS =
+          if Net::SSH::Transport::ChaCha20Poly1305CipherLoader::LOADED
+            {
+              'chacha20-poly1305@openssh.com' => Net::SSH::Transport::ChaCha20Poly1305Cipher
+            }
+          else
+            {
+            }
+          end
+        # Returns true if the underlying OpenSSL library supports the given cipher,
+        # and false otherwise.
+        def self.supported?(name)
+          return true if SSH_TO_CLASS.key?(name)
+          ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
+          return true if ossl_name == "none"
+          return SSH_TO_CLASS.key?(name) || OpenSSL::Cipher.ciphers.include?(ossl_name)
+        end
+        # Retrieves a new instance of the named algorithm. The new instance
+        # will be initialized using an iv and key generated from the given
+        # iv, key, shared, hash and digester values. Additionally, the
+        # cipher will be put into encryption or decryption mode, based on the
+        # value of the +encrypt+ parameter.
+        def self.get(name, options = {})
+          klass = SSH_TO_CLASS[name]
+          unless klass.nil?
+            key_len = klass.key_length
+            key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
+            return klass.new(encrypt: options[:encrypt], key: key)
+          end
+          ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
+          return IdentityCipher if ossl_name == "none"
+          cipher = OpenSSL::Cipher.new(ossl_name)
+          cipher.send(options[:encrypt] ? :encrypt : :decrypt)
+          cipher.padding = 0
+          cipher.extend(Net::SSH::Transport::OpenSSLCipherExtensions)
+          if name =~ /-ctr(@openssh.org)?$/
+            if ossl_name !~ /-ctr/
+              cipher.extend(Net::SSH::Transport::CTR)
+            else
+              cipher = Net::SSH::Transport::OpenSSLAESCTR.new(cipher)
+            end
+          end
+          cipher.iv = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options)
+          key_len = cipher.key_len
+          cipher.key_len = key_len
+          cipher.key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
+          return cipher
+        end
+        # Returns a two-element array containing the [ key-length,
+        # block-size ] for the named cipher algorithm. If the cipher
+        # algorithm is unknown, or is "none", 0 is returned for both elements
+        # of the tuple.
+        # if :iv_len option is supplied the third return value will be ivlen
+        def self.get_lengths(name, options = {})
+          klass = SSH_TO_CLASS[name]
+          return [klass.key_length, klass.block_size] unless klass.nil?
+          ossl_name = SSH_TO_OSSL[name]
+          if ossl_name.nil? || ossl_name == "none"
+            result = [0, 0]
+            result << 0 if options[:iv_len]
+          else
+            cipher = OpenSSL::Cipher.new(ossl_name)
+            key_len = cipher.key_len
+            cipher.key_len = key_len
+            block_size =
+              case ossl_name
+              when /\-ctr/
+                Net::SSH::Transport::OpenSSLAESCTR.block_size
+              else
+                cipher.block_size
+              end
+            result = [key_len, block_size]
+            result << cipher.iv_len if options[:iv_len]
+          end
+          result
+        end
+      end
     end
   end
-end; end; end
+end

data/lib/net/ssh/transport/constants.rb CHANGED Viewed

@@ -1,32 +1,40 @@
-module Net; module SSH; module Transport
-  module Constants
+module Net
+  module SSH
+    module Transport
+      module Constants
+        #--
+        # Transport layer generic messages
+        #++
-    #--
-    # Transport layer generic messages
-    #++
+        DISCONNECT                = 1
+        IGNORE                    = 2
+        UNIMPLEMENTED             = 3
+        DEBUG                     = 4
+        SERVICE_REQUEST           = 5
+        SERVICE_ACCEPT            = 6
-    DISCONNECT                = 1
-    IGNORE                    = 2
-    UNIMPLEMENTED             = 3
-    DEBUG                     = 4
-    SERVICE_REQUEST           = 5
-    SERVICE_ACCEPT            = 6
+        #--
+        # Algorithm negotiation messages
+        #++
-    #--
-    # Algorithm negotiation messages
-    #++
+        KEXINIT                   = 20
+        NEWKEYS                   = 21
-    KEXINIT                   = 20
-    NEWKEYS                   = 21
+        #--
+        # Key exchange method specific messages
+        #++
-    #--
-    # Key exchange method specific messages
-    #++
+        KEXDH_INIT                = 30
+        KEXDH_REPLY               = 31
-    KEXDH_INIT                = 30
-    KEXDH_REPLY               = 31
+        KEXECDH_INIT              = 30
+        KEXECDH_REPLY             = 31
-    KEXECDH_INIT              = 30
-    KEXECDH_REPLY             = 31
+        KEXDH_GEX_GROUP           = 31
+        KEXDH_GEX_INIT            = 32
+        KEXDH_GEX_REPLY           = 33
+        KEXDH_GEX_REQUEST         = 34
+      end
+    end
   end
-end; end; end
+end

data/lib/net/ssh/transport/ctr.rb CHANGED Viewed

@@ -1,23 +1,46 @@
 require 'openssl'
+require 'delegate'
 module Net::SSH::Transport
+  # :nodoc:
+  class OpenSSLAESCTR < SimpleDelegator
+    def initialize(original)
+      super
+      @was_reset = false
+    end
+    def block_size
+      16
+    end
+    def self.block_size
+      16
+    end
+    def reset
+      @was_reset = true
+    end
+    def iv=(iv_s)
+      super unless @was_reset
+    end
+  end
+  # :nodoc:
   # Pure-Ruby implementation of Stateful Decryption Counter(SDCTR) Mode
   # for Block Ciphers. See RFC4344 for detail.
   module CTR
     def self.extended(orig)
       orig.instance_eval {
-        @remaining = ""
+        @remaining = String.new
         @counter = nil
         @counter_len = orig.block_size
         orig.encrypt
         orig.padding = 0
-      }
-      class <<orig
-        alias :_update :update
-        private :_update
-        undef :update
+        singleton_class.send(:alias_method, :_update, :update)
+        singleton_class.send(:private, :_update)
+        singleton_class.send(:undef_method, :update)
         def iv
           @counter
@@ -44,42 +67,38 @@ module Net::SSH::Transport
         end
         def reset
-          @remaining = ""
+          @remaining = String.new
         end
         def update(data)
           @remaining += data
-          encrypted = ""
+          encrypted = String.new
-          while @remaining.bytesize >= block_size
-            encrypted += xor!(@remaining.slice!(0, block_size),
+          offset = 0
+          while (@remaining.bytesize - offset) >= block_size
+            encrypted += xor!(@remaining.slice(offset, block_size),
                               _update(@counter))
             increment_counter!
+            offset += block_size
           end
+          @remaining = @remaining.slice(offset..-1)
           encrypted
         end
         def final
-          unless @remaining.empty?
-            s = xor!(@remaining, _update(@counter))
-          else
-            s = ""
-          end
-          @remaining = ""
+          s = @remaining.empty? ? '' : xor!(@remaining, _update(@counter))
+          @remaining = String.new
           s
         end
-        private
         def xor!(s1, s2)
           s = []
-          s1.unpack('Q*').zip(s2.unpack('Q*')) {|a,b| s.push(a^b) }
+          s1.unpack('Q*').zip(s2.unpack('Q*')) {|a, b| s.push(a ^ b) }
           s.pack('Q*')
         end
+        singleton_class.send(:private, :xor!)
         def increment_counter!
           c = @counter_len
@@ -89,7 +108,8 @@ module Net::SSH::Transport
             end
           end
         end
-      end
+        singleton_class.send(:private, :increment_counter!)
+      }
     end
   end
 end