RubyGems - net-ssh - Versions diffs - 3.2.0 → 7.2.0.rc1 - Mend

net-ssh 3.2.0 → 7.2.0.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (210) hide show

checksums.yaml +5 -5
checksums.yaml.gz.sig +0 -0
data/.dockerignore +6 -0
data/.github/FUNDING.yml +1 -0
data/.github/config/rubocop_linter_action.yml +4 -0
data/.github/workflows/ci-with-docker.yml +44 -0
data/.github/workflows/ci.yml +93 -0
data/.github/workflows/rubocop.yml +16 -0
data/.gitignore +13 -0
data/.rubocop.yml +22 -0
data/.rubocop_todo.yml +1081 -0
data/CHANGES.txt +237 -7
data/DEVELOPMENT.md +23 -0
data/Dockerfile +27 -0
data/Dockerfile.openssl3 +17 -0
data/Gemfile +13 -0
data/Gemfile.noed25519 +12 -0
data/Gemfile.norbnacl +12 -0
data/ISSUE_TEMPLATE.md +30 -0
data/Manifest +4 -5
data/README.md +298 -0
data/Rakefile +125 -74
data/SECURITY.md +4 -0
data/appveyor.yml +58 -0
data/docker-compose.yml +23 -0
data/lib/net/ssh/authentication/agent.rb +279 -18
data/lib/net/ssh/authentication/certificate.rb +183 -0
data/lib/net/ssh/authentication/constants.rb +17 -15
data/lib/net/ssh/authentication/ed25519.rb +186 -0
data/lib/net/ssh/authentication/ed25519_loader.rb +31 -0
data/lib/net/ssh/authentication/key_manager.rb +86 -39
data/lib/net/ssh/authentication/methods/abstract.rb +67 -48
data/lib/net/ssh/authentication/methods/hostbased.rb +34 -37
data/lib/net/ssh/authentication/methods/keyboard_interactive.rb +13 -13
data/lib/net/ssh/authentication/methods/none.rb +16 -19
data/lib/net/ssh/authentication/methods/password.rb +27 -17
data/lib/net/ssh/authentication/methods/publickey.rb +96 -55
data/lib/net/ssh/authentication/pageant.rb +471 -367
data/lib/net/ssh/authentication/pub_key_fingerprint.rb +43 -0
data/lib/net/ssh/authentication/session.rb +131 -121
data/lib/net/ssh/buffer.rb +399 -300
data/lib/net/ssh/buffered_io.rb +154 -150
data/lib/net/ssh/config.rb +308 -185
data/lib/net/ssh/connection/channel.rb +635 -613
data/lib/net/ssh/connection/constants.rb +29 -29
data/lib/net/ssh/connection/event_loop.rb +123 -0
data/lib/net/ssh/connection/keepalive.rb +55 -51
data/lib/net/ssh/connection/session.rb +620 -551
data/lib/net/ssh/connection/term.rb +125 -123
data/lib/net/ssh/errors.rb +101 -99
data/lib/net/ssh/key_factory.rb +197 -105
data/lib/net/ssh/known_hosts.rb +214 -127
data/lib/net/ssh/loggable.rb +50 -49
data/lib/net/ssh/packet.rb +83 -79
data/lib/net/ssh/prompt.rb +50 -81
data/lib/net/ssh/proxy/command.rb +105 -90
data/lib/net/ssh/proxy/errors.rb +12 -10
data/lib/net/ssh/proxy/http.rb +82 -79
data/lib/net/ssh/proxy/https.rb +50 -0
data/lib/net/ssh/proxy/jump.rb +54 -0
data/lib/net/ssh/proxy/socks4.rb +2 -6
data/lib/net/ssh/proxy/socks5.rb +14 -17
data/lib/net/ssh/service/forward.rb +370 -317
data/lib/net/ssh/test/channel.rb +145 -136
data/lib/net/ssh/test/extensions.rb +131 -110
data/lib/net/ssh/test/kex.rb +34 -32
data/lib/net/ssh/test/local_packet.rb +46 -44
data/lib/net/ssh/test/packet.rb +89 -70
data/lib/net/ssh/test/remote_packet.rb +32 -30
data/lib/net/ssh/test/script.rb +156 -142
data/lib/net/ssh/test/socket.rb +49 -48
data/lib/net/ssh/test.rb +82 -77
data/lib/net/ssh/transport/algorithms.rb +462 -359
data/lib/net/ssh/transport/chacha20_poly1305_cipher.rb +117 -0
data/lib/net/ssh/transport/chacha20_poly1305_cipher_loader.rb +17 -0
data/lib/net/ssh/transport/cipher_factory.rb +122 -99
data/lib/net/ssh/transport/constants.rb +32 -24
data/lib/net/ssh/transport/ctr.rb +42 -22
data/lib/net/ssh/transport/hmac/abstract.rb +81 -63
data/lib/net/ssh/transport/hmac/md5.rb +0 -2
data/lib/net/ssh/transport/hmac/md5_96.rb +0 -2
data/lib/net/ssh/transport/hmac/none.rb +0 -2
data/lib/net/ssh/transport/hmac/ripemd160.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1_96.rb +0 -2
data/lib/net/ssh/transport/hmac/sha2_256.rb +7 -11
data/lib/net/ssh/transport/hmac/sha2_256_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_256_etm.rb +12 -0
data/lib/net/ssh/transport/hmac/sha2_512.rb +6 -9
data/lib/net/ssh/transport/hmac/sha2_512_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_512_etm.rb +12 -0
data/lib/net/ssh/transport/hmac.rb +14 -12
data/lib/net/ssh/transport/identity_cipher.rb +54 -44
data/lib/net/ssh/transport/kex/abstract.rb +130 -0
data/lib/net/ssh/transport/kex/abstract5656.rb +72 -0
data/lib/net/ssh/transport/kex/curve25519_sha256.rb +39 -0
data/lib/net/ssh/transport/kex/curve25519_sha256_loader.rb +30 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha1.rb +33 -40
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha256.rb +11 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb +119 -213
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb +53 -61
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb +5 -9
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb +36 -90
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp384.rb +18 -10
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp521.rb +18 -10
data/lib/net/ssh/transport/kex.rb +15 -12
data/lib/net/ssh/transport/key_expander.rb +24 -20
data/lib/net/ssh/transport/openssl.rb +161 -124
data/lib/net/ssh/transport/openssl_cipher_extensions.rb +8 -0
data/lib/net/ssh/transport/packet_stream.rb +246 -185
data/lib/net/ssh/transport/server_version.rb +55 -56
data/lib/net/ssh/transport/session.rb +306 -255
data/lib/net/ssh/transport/state.rb +178 -176
data/lib/net/ssh/verifiers/accept_new.rb +33 -0
data/lib/net/ssh/verifiers/accept_new_or_local_tunnel.rb +33 -0
data/lib/net/ssh/verifiers/always.rb +58 -0
data/lib/net/ssh/verifiers/never.rb +19 -0
data/lib/net/ssh/version.rb +55 -53
data/lib/net/ssh.rb +111 -47
data/net-ssh-public_cert.pem +18 -18
data/net-ssh.gemspec +38 -205
data/support/ssh_tunnel_bug.rb +5 -5
data.tar.gz.sig +0 -0
metadata +173 -118
metadata.gz.sig +0 -0
data/.travis.yml +0 -18
data/README.rdoc +0 -182
data/lib/net/ssh/authentication/agent/java_pageant.rb +0 -85
data/lib/net/ssh/authentication/agent/socket.rb +0 -178
data/lib/net/ssh/ruby_compat.rb +0 -46
data/lib/net/ssh/verifiers/lenient.rb +0 -30
data/lib/net/ssh/verifiers/null.rb +0 -12
data/lib/net/ssh/verifiers/secure.rb +0 -52
data/lib/net/ssh/verifiers/strict.rb +0 -24
data/setup.rb +0 -1585
data/support/arcfour_check.rb +0 -20
data/test/README.txt +0 -18
data/test/authentication/methods/common.rb +0 -28
data/test/authentication/methods/test_abstract.rb +0 -51
data/test/authentication/methods/test_hostbased.rb +0 -114
data/test/authentication/methods/test_keyboard_interactive.rb +0 -121
data/test/authentication/methods/test_none.rb +0 -41
data/test/authentication/methods/test_password.rb +0 -95
data/test/authentication/methods/test_publickey.rb +0 -148
data/test/authentication/test_agent.rb +0 -232
data/test/authentication/test_key_manager.rb +0 -240
data/test/authentication/test_session.rb +0 -107
data/test/common.rb +0 -125
data/test/configs/auth_off +0 -5
data/test/configs/auth_on +0 -4
data/test/configs/empty +0 -0
data/test/configs/eqsign +0 -3
data/test/configs/exact_match +0 -8
data/test/configs/host_plus +0 -10
data/test/configs/multihost +0 -4
data/test/configs/negative_match +0 -6
data/test/configs/nohost +0 -19
data/test/configs/numeric_host +0 -4
data/test/configs/proxy_remote_user +0 -2
data/test/configs/send_env +0 -2
data/test/configs/substitutes +0 -8
data/test/configs/wild_cards +0 -14
data/test/connection/test_channel.rb +0 -487
data/test/connection/test_session.rb +0 -564
data/test/integration/README.txt +0 -17
data/test/integration/Vagrantfile +0 -12
data/test/integration/common.rb +0 -63
data/test/integration/playbook.yml +0 -56
data/test/integration/test_forward.rb +0 -637
data/test/integration/test_id_rsa_keys.rb +0 -96
data/test/integration/test_proxy.rb +0 -93
data/test/known_hosts/github +0 -1
data/test/known_hosts/github_hash +0 -1
data/test/manual/test_pageant.rb +0 -37
data/test/start/test_connection.rb +0 -53
data/test/start/test_options.rb +0 -57
data/test/start/test_transport.rb +0 -28
data/test/start/test_user_nil.rb +0 -27
data/test/test_all.rb +0 -12
data/test/test_buffer.rb +0 -433
data/test/test_buffered_io.rb +0 -63
data/test/test_config.rb +0 -268
data/test/test_key_factory.rb +0 -191
data/test/test_known_hosts.rb +0 -66
data/test/transport/hmac/test_md5.rb +0 -41
data/test/transport/hmac/test_md5_96.rb +0 -27
data/test/transport/hmac/test_none.rb +0 -34
data/test/transport/hmac/test_ripemd160.rb +0 -36
data/test/transport/hmac/test_sha1.rb +0 -36
data/test/transport/hmac/test_sha1_96.rb +0 -27
data/test/transport/hmac/test_sha2_256.rb +0 -37
data/test/transport/hmac/test_sha2_256_96.rb +0 -27
data/test/transport/hmac/test_sha2_512.rb +0 -37
data/test/transport/hmac/test_sha2_512_96.rb +0 -27
data/test/transport/kex/test_diffie_hellman_group14_sha1.rb +0 -13
data/test/transport/kex/test_diffie_hellman_group1_sha1.rb +0 -150
data/test/transport/kex/test_diffie_hellman_group_exchange_sha1.rb +0 -96
data/test/transport/kex/test_diffie_hellman_group_exchange_sha256.rb +0 -19
data/test/transport/kex/test_ecdh_sha2_nistp256.rb +0 -161
data/test/transport/kex/test_ecdh_sha2_nistp384.rb +0 -38
data/test/transport/kex/test_ecdh_sha2_nistp521.rb +0 -38
data/test/transport/test_algorithms.rb +0 -328
data/test/transport/test_cipher_factory.rb +0 -443
data/test/transport/test_hmac.rb +0 -34
data/test/transport/test_identity_cipher.rb +0 -40
data/test/transport/test_packet_stream.rb +0 -1762
data/test/transport/test_server_version.rb +0 -74
data/test/transport/test_session.rb +0 -331
data/test/transport/test_state.rb +0 -181
data/test/verifiers/test_secure.rb +0 -40

data/lib/net/ssh/transport/chacha20_poly1305_cipher.rb ADDED Viewed

@@ -0,0 +1,117 @@
+require 'rbnacl'
+require 'net/ssh/loggable'
+module Net
+  module SSH
+    module Transport
+      ## Implements the chacha20-poly1305@openssh cipher
+      class ChaCha20Poly1305Cipher
+        include Net::SSH::Loggable
+        # Implicit HMAC, no need to do anything
+        class ImplicitHMac
+          def etm
+            # TODO: ideally this shouln't be called
+            true
+          end
+          def key_length
+            64
+          end
+        end
+        def initialize(encrypt:, key:)
+          @chacha_hdr = OpenSSL::Cipher.new("chacha20")
+          key_len = @chacha_hdr.key_len
+          @chacha_main = OpenSSL::Cipher.new("chacha20")
+          @poly = RbNaCl::OneTimeAuths::Poly1305
+          if key.size < key_len * 2
+            error { "chacha20_poly1305: keylength doesn't match" }
+            raise "chacha20_poly1305: keylength doesn't match"
+          end
+          if encrypt
+            @chacha_hdr.encrypt
+            @chacha_main.encrypt
+          else
+            @chacha_hdr.decrypt
+            @chacha_main.decrypt
+          end
+          main_key = key[0...key_len]
+          @chacha_main.key = main_key
+          hdr_key = key[key_len...(2 * key_len)]
+          @chacha_hdr.key = hdr_key
+        end
+        def update_cipher_mac(payload, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_main.iv = iv_data
+          poly_key = @chacha_main.update(([0] * 32).pack('C32'))
+          packet_length = payload.size
+          length_data = [packet_length].pack("N")
+          @chacha_hdr.iv = iv_data
+          packet = @chacha_hdr.update(length_data)
+          iv_data[0] = 1.chr
+          @chacha_main.iv = iv_data
+          unencrypted_data = payload
+          packet += @chacha_main.update(unencrypted_data)
+          packet += @poly.auth(poly_key, packet)
+          return packet
+        end
+        def read_length(data, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_hdr.iv = iv_data
+          @chacha_hdr.update(data).unpack1("N")
+        end
+        def read_and_mac(data, mac, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_main.iv = iv_data
+          poly_key = @chacha_main.update(([0] * 32).pack('C32'))
+          iv_data[0] = 1.chr
+          @chacha_main.iv = iv_data
+          unencrypted_data = @chacha_main.update(data[4..])
+          begin
+            ok = @poly.verify(poly_key, mac, data[0..])
+            raise Net::SSH::Exception, "corrupted hmac detected #{name}" unless ok
+          rescue RbNaCl::BadAuthenticatorError
+            raise Net::SSH::Exception, "corrupted hmac detected #{name}"
+          end
+          return unencrypted_data
+        end
+        def mac_length
+          16
+        end
+        def block_size
+          8
+        end
+        def name
+          "chacha20-poly1305@openssh.com"
+        end
+        def implicit_mac?
+          true
+        end
+        def implicit_mac
+          return ImplicitHMac.new
+        end
+        def self.block_size
+          8
+        end
+        def self.key_length
+          64
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/chacha20_poly1305_cipher_loader.rb ADDED Viewed

@@ -0,0 +1,17 @@
+module Net
+  module SSH
+    module Transport
+      # Loads chacha20 poly1305 support which requires optinal dependency rbnacl
+      module ChaCha20Poly1305CipherLoader
+        begin
+          require 'net/ssh/transport/chacha20_poly1305_cipher'
+          LOADED = true
+          ERROR = nil
+        rescue LoadError => e
+          ERROR = e
+          LOADED = false
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/cipher_factory.rb CHANGED Viewed

@@ -2,104 +2,127 @@ require 'openssl'
 require 'net/ssh/transport/ctr.rb'
 require 'net/ssh/transport/key_expander'
 require 'net/ssh/transport/identity_cipher'
-module Net; module SSH; module Transport
-  # Implements a factory of OpenSSL cipher algorithms.
-  class CipherFactory
-    # Maps the SSH name of a cipher to it's corresponding OpenSSL name
-    SSH_TO_OSSL = {
-      "3des-cbc"                    => "des-ede3-cbc",
-      "blowfish-cbc"                => "bf-cbc",
-      "aes256-cbc"                  => "aes-256-cbc",
-      "aes192-cbc"                  => "aes-192-cbc",
-      "aes128-cbc"                  => "aes-128-cbc",
-      "idea-cbc"                    => "idea-cbc",
-      "cast128-cbc"                 => "cast-cbc",
-      "rijndael-cbc@lysator.liu.se" => "aes-256-cbc",
-      "arcfour128"                  => "rc4",
-      "arcfour256"                  => "rc4",
-      "arcfour512"                  => "rc4",
-      "arcfour"                     => "rc4",
-      "camellia128-cbc"             => "camellia-128-cbc",
-      "camellia192-cbc"             => "camellia-192-cbc",
-      "camellia256-cbc"             => "camellia-256-cbc",
-      "camellia128-cbc@openssh.org" => "camellia-128-cbc",
-      "camellia192-cbc@openssh.org" => "camellia-192-cbc",
-      "camellia256-cbc@openssh.org" => "camellia-256-cbc",
-      "3des-ctr"                    => "des-ede3",
-      "blowfish-ctr"                => "bf-ecb",
-      "aes256-ctr"                  => "aes-256-ecb",
-      "aes192-ctr"                  => "aes-192-ecb",
-      "aes128-ctr"                  => "aes-128-ecb",
-      "cast128-ctr"                 => "cast5-ecb",
-      "camellia128-ctr"             => "camellia-128-ecb",
-      "camellia192-ctr"             => "camellia-192-ecb",
-      "camellia256-ctr"             => "camellia-256-ecb",
-      "camellia128-ctr@openssh.org" => "camellia-128-ecb",
-      "camellia192-ctr@openssh.org" => "camellia-192-ecb",
-      "camellia256-ctr@openssh.org" => "camellia-256-ecb",
-      "none"                        => "none",
-    }
-    # Ruby's OpenSSL bindings always return a key length of 16 for RC4 ciphers
-    # resulting in the error: OpenSSL::CipherError: key length too short.
-    # The following ciphers will override this key length.
-    KEY_LEN_OVERRIDE = {
-      "arcfour256"                  => 32,
-      "arcfour512"                  => 64
-    }
-    # Returns true if the underlying OpenSSL library supports the given cipher,
-    # and false otherwise.
-    def self.supported?(name)
-      ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
-      return true if ossl_name == "none"
-      return OpenSSL::Cipher.ciphers.include?(ossl_name)
-    end
-    # Retrieves a new instance of the named algorithm. The new instance
-    # will be initialized using an iv and key generated from the given
-    # iv, key, shared, hash and digester values. Additionally, the
-    # cipher will be put into encryption or decryption mode, based on the
-    # value of the +encrypt+ parameter.
-    def self.get(name, options={})
-      ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
-      return IdentityCipher if ossl_name == "none"
-      cipher = OpenSSL::Cipher::Cipher.new(ossl_name)
-      cipher.send(options[:encrypt] ? :encrypt : :decrypt)
-      cipher.padding = 0
-      cipher.extend(Net::SSH::Transport::CTR) if (name =~ /-ctr(@openssh.org)?$/)
-      cipher.iv      = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options) if ossl_name != "rc4"
-      key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
-      cipher.key_len = key_len
-      cipher.key     = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
-      cipher.update(" " * 1536) if (ossl_name == "rc4" && name != "arcfour")
-      return cipher
-    end
-    # Returns a two-element array containing the [ key-length,
-    # block-size ] for the named cipher algorithm. If the cipher
-    # algorithm is unknown, or is "none", 0 is returned for both elements
-    # of the tuple.
-    def self.get_lengths(name)
-      ossl_name = SSH_TO_OSSL[name]
-      return [0, 0] if ossl_name.nil? || ossl_name == "none"
-      cipher = OpenSSL::Cipher::Cipher.new(ossl_name)
-      key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
-      cipher.key_len = key_len
-      return [key_len, ossl_name=="rc4" ? 8 : cipher.block_size]
+require 'net/ssh/transport/chacha20_poly1305_cipher_loader'
+require 'net/ssh/transport/openssl_cipher_extensions'
+module Net
+  module SSH
+    module Transport
+      # Implements a factory of OpenSSL cipher algorithms.
+      class CipherFactory
+        # Maps the SSH name of a cipher to it's corresponding OpenSSL name
+        SSH_TO_OSSL = {
+          "3des-cbc" => "des-ede3-cbc",
+          "blowfish-cbc" => "bf-cbc",
+          "aes256-cbc" => "aes-256-cbc",
+          "aes192-cbc" => "aes-192-cbc",
+          "aes128-cbc" => "aes-128-cbc",
+          "idea-cbc" => "idea-cbc",
+          "cast128-cbc" => "cast-cbc",
+          "rijndael-cbc@lysator.liu.se" => "aes-256-cbc",
+          "3des-ctr" => "des-ede3",
+          "blowfish-ctr" => "bf-ecb",
+          "aes256-ctr" => ::OpenSSL::Cipher.ciphers.include?("aes-256-ctr") ? "aes-256-ctr" : "aes-256-ecb",
+          "aes192-ctr" => ::OpenSSL::Cipher.ciphers.include?("aes-192-ctr") ? "aes-192-ctr" : "aes-192-ecb",
+          "aes128-ctr" => ::OpenSSL::Cipher.ciphers.include?("aes-128-ctr") ? "aes-128-ctr" : "aes-128-ecb",
+          'cast128-ctr' => 'cast5-ecb',
+          'none' => 'none'
+        }
+        SSH_TO_CLASS =
+          if Net::SSH::Transport::ChaCha20Poly1305CipherLoader::LOADED
+            {
+              'chacha20-poly1305@openssh.com' => Net::SSH::Transport::ChaCha20Poly1305Cipher
+            }
+          else
+            {
+            }
+          end
+        # Returns true if the underlying OpenSSL library supports the given cipher,
+        # and false otherwise.
+        def self.supported?(name)
+          return true if SSH_TO_CLASS.key?(name)
+          ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
+          return true if ossl_name == "none"
+          return SSH_TO_CLASS.key?(name) || OpenSSL::Cipher.ciphers.include?(ossl_name)
+        end
+        # Retrieves a new instance of the named algorithm. The new instance
+        # will be initialized using an iv and key generated from the given
+        # iv, key, shared, hash and digester values. Additionally, the
+        # cipher will be put into encryption or decryption mode, based on the
+        # value of the +encrypt+ parameter.
+        def self.get(name, options = {})
+          klass = SSH_TO_CLASS[name]
+          unless klass.nil?
+            key_len = klass.key_length
+            key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
+            return klass.new(encrypt: options[:encrypt], key: key)
+          end
+          ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
+          return IdentityCipher if ossl_name == "none"
+          cipher = OpenSSL::Cipher.new(ossl_name)
+          cipher.send(options[:encrypt] ? :encrypt : :decrypt)
+          cipher.padding = 0
+          cipher.extend(Net::SSH::Transport::OpenSSLCipherExtensions)
+          if name =~ /-ctr(@openssh.org)?$/
+            if ossl_name !~ /-ctr/
+              cipher.extend(Net::SSH::Transport::CTR)
+            else
+              cipher = Net::SSH::Transport::OpenSSLAESCTR.new(cipher)
+            end
+          end
+          cipher.iv = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options)
+          key_len = cipher.key_len
+          cipher.key_len = key_len
+          cipher.key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
+          return cipher
+        end
+        # Returns a two-element array containing the [ key-length,
+        # block-size ] for the named cipher algorithm. If the cipher
+        # algorithm is unknown, or is "none", 0 is returned for both elements
+        # of the tuple.
+        # if :iv_len option is supplied the third return value will be ivlen
+        def self.get_lengths(name, options = {})
+          klass = SSH_TO_CLASS[name]
+          return [klass.key_length, klass.block_size] unless klass.nil?
+          ossl_name = SSH_TO_OSSL[name]
+          if ossl_name.nil? || ossl_name == "none"
+            result = [0, 0]
+            result << 0 if options[:iv_len]
+          else
+            cipher = OpenSSL::Cipher.new(ossl_name)
+            key_len = cipher.key_len
+            cipher.key_len = key_len
+            block_size =
+              case ossl_name
+              when /\-ctr/
+                Net::SSH::Transport::OpenSSLAESCTR.block_size
+              else
+                cipher.block_size
+              end
+            result = [key_len, block_size]
+            result << cipher.iv_len if options[:iv_len]
+          end
+          result
+        end
+      end
     end
   end
-end; end; end
+end

data/lib/net/ssh/transport/constants.rb CHANGED Viewed

@@ -1,32 +1,40 @@
-module Net; module SSH; module Transport
-  module Constants
+module Net
+  module SSH
+    module Transport
+      module Constants
+        #--
+        # Transport layer generic messages
+        #++
-    #--
-    # Transport layer generic messages
-    #++
+        DISCONNECT                = 1
+        IGNORE                    = 2
+        UNIMPLEMENTED             = 3
+        DEBUG                     = 4
+        SERVICE_REQUEST           = 5
+        SERVICE_ACCEPT            = 6
-    DISCONNECT                = 1
-    IGNORE                    = 2
-    UNIMPLEMENTED             = 3
-    DEBUG                     = 4
-    SERVICE_REQUEST           = 5
-    SERVICE_ACCEPT            = 6
+        #--
+        # Algorithm negotiation messages
+        #++
-    #--
-    # Algorithm negotiation messages
-    #++
+        KEXINIT                   = 20
+        NEWKEYS                   = 21
-    KEXINIT                   = 20
-    NEWKEYS                   = 21
+        #--
+        # Key exchange method specific messages
+        #++
-    #--
-    # Key exchange method specific messages
-    #++
+        KEXDH_INIT                = 30
+        KEXDH_REPLY               = 31
-    KEXDH_INIT                = 30
-    KEXDH_REPLY               = 31
+        KEXECDH_INIT              = 30
+        KEXECDH_REPLY             = 31
-    KEXECDH_INIT              = 30
-    KEXECDH_REPLY             = 31
+        KEXDH_GEX_GROUP           = 31
+        KEXDH_GEX_INIT            = 32
+        KEXDH_GEX_REPLY           = 33
+        KEXDH_GEX_REQUEST         = 34
+      end
+    end
   end
-end; end; end
+end

data/lib/net/ssh/transport/ctr.rb CHANGED Viewed

@@ -1,23 +1,46 @@
 require 'openssl'
+require 'delegate'
 module Net::SSH::Transport
+  # :nodoc:
+  class OpenSSLAESCTR < SimpleDelegator
+    def initialize(original)
+      super
+      @was_reset = false
+    end
+    def block_size
+      16
+    end
+    def self.block_size
+      16
+    end
+    def reset
+      @was_reset = true
+    end
+    def iv=(iv_s)
+      super unless @was_reset
+    end
+  end
+  # :nodoc:
   # Pure-Ruby implementation of Stateful Decryption Counter(SDCTR) Mode
   # for Block Ciphers. See RFC4344 for detail.
   module CTR
     def self.extended(orig)
       orig.instance_eval {
-        @remaining = ""
+        @remaining = String.new
         @counter = nil
         @counter_len = orig.block_size
         orig.encrypt
         orig.padding = 0
-      }
-      class <<orig
-        alias :_update :update
-        private :_update
-        undef :update
+        singleton_class.send(:alias_method, :_update, :update)
+        singleton_class.send(:private, :_update)
+        singleton_class.send(:undef_method, :update)
         def iv
           @counter
@@ -44,42 +67,38 @@ module Net::SSH::Transport
         end
         def reset
-          @remaining = ""
+          @remaining = String.new
         end
         def update(data)
           @remaining += data
-          encrypted = ""
+          encrypted = String.new
-          while @remaining.bytesize >= block_size
-            encrypted += xor!(@remaining.slice!(0, block_size),
+          offset = 0
+          while (@remaining.bytesize - offset) >= block_size
+            encrypted += xor!(@remaining.slice(offset, block_size),
                               _update(@counter))
             increment_counter!
+            offset += block_size
           end
+          @remaining = @remaining.slice(offset..-1)
           encrypted
         end
         def final
-          unless @remaining.empty?
-            s = xor!(@remaining, _update(@counter))
-          else
-            s = ""
-          end
-          @remaining = ""
+          s = @remaining.empty? ? '' : xor!(@remaining, _update(@counter))
+          @remaining = String.new
           s
         end
-        private
         def xor!(s1, s2)
           s = []
-          s1.unpack('Q*').zip(s2.unpack('Q*')) {|a,b| s.push(a^b) }
+          s1.unpack('Q*').zip(s2.unpack('Q*')) {|a, b| s.push(a ^ b) }
           s.pack('Q*')
         end
+        singleton_class.send(:private, :xor!)
         def increment_counter!
           c = @counter_len
@@ -89,7 +108,8 @@ module Net::SSH::Transport
             end
           end
         end
-      end
+        singleton_class.send(:private, :increment_counter!)
+      }
     end
   end
 end