net-ssh 3.3.0.beta1 → 4.0.0.alpha1

data/lib/net/ssh/key_factory.rb

@@ -1,5 +1,6 @@
 require 'net/ssh/transport/openssl'
 require 'net/ssh/prompt'
+require 'net/ssh/authentication/ed25519'
 
 module Net; module SSH
 
@@ -21,6 +22,7 @@ module Net; module SSH
     }
     if defined?(OpenSSL::PKey::EC)
       MAP["ecdsa"] = OpenSSL::PKey::EC
+      MAP["ed25519"] = ED25519::PrivKey
     end
 
     class <<self
@@ -62,6 +64,9 @@ module Net; module SSH
           elsif data.match(/-----BEGIN EC PRIVATE KEY-----/) && defined?(OpenSSL::PKey::EC)
             key_type = OpenSSL::PKey::EC
             error_class = OpenSSL::PKey::ECError
+          elsif data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
+            openssh_key = true
+            key_type = ED25519::PrivKey
           elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
             raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
           else
@@ -70,13 +75,18 @@ module Net; module SSH
         end
 
         encrypted_key = data.match(/ENCRYPTED/)
+        openssh_key = data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
         tries = 0
 
         begin
-          if pkey_read
-            return OpenSSL::PKey.read(data, passphrase || 'invalid')
+          if openssh_key
+            ED25519::PrivKey.read(data, passphrase || 'invalid')
           else
-            return key_type.new(data, passphrase || 'invalid')
+            if pkey_read
+              return OpenSSL::PKey.read(data, passphrase || 'invalid')
+            else
+              return key_type.new(data, passphrase || 'invalid')
+            end
           end
         rescue error_class
           if encrypted_key && ask_passphrase
@@ -110,7 +120,7 @@ module Net; module SSH
         blob = nil
         begin
           blob = fields.shift
-        end while !blob.nil? && !/^(ssh-(rsa|dss)|ecdsa-sha2-nistp\d+)$/.match(blob)
+        end while !blob.nil? && !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)$/.match(blob)
         blob = fields.shift
 
         raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?

data/lib/net/ssh/proxy/http.rb

@@ -8,7 +8,7 @@ module Net; module SSH; module Proxy
   #
   #   require 'net/ssh/proxy/http'
   #
-  #   proxy = Net::SSH::Proxy::HTTP.new('proxy.host', proxy_port)
+  #   proxy = Net::SSH::Proxy::HTTP.new('proxy_host', proxy_port)
   #   Net::SSH.start('host', 'user', :proxy => proxy) do |ssh|
   #     ...
   #   end
@@ -16,7 +16,7 @@ module Net; module SSH; module Proxy
   # If the proxy requires authentication, you can pass :user and :password
   # to the proxy's constructor:
   #
-  #   proxy = Net::SSH::Proxy::HTTP.new('proxy.host', proxy_port,
+  #   proxy = Net::SSH::Proxy::HTTP.new('proxy_host', proxy_port,
   #      :user => "user", :password => "password")
   #
   # Note that HTTP digest authentication is not supported; Basic only at

data/lib/net/ssh/service/forward.rb

@@ -357,7 +357,7 @@ module Net; module SSH; module Service
         channel[:invisible] = true
 
         begin
-          agent = Authentication::Agent.connect(logger, session.options[:agent_socket_factory])
+          agent = Authentication::Agent.connect(logger)
           if (agent.socket.is_a? ::IO)
             prepare_client(agent.socket, channel, :agent)
           else

data/lib/net/ssh/test/socket.rb

@@ -25,8 +25,8 @@ module Net; module SSH; module Test
 
       @script = Script.new
 
-      script.sends(:kexinit)
       script.gets(:kexinit, 1, 2, 3, 4, "test", "ssh-rsa", "none", "none", "none", "none", "none", "none", "", "", false)
+      script.sends(:kexinit)
       script.sends(:newkeys)
       script.gets(:newkeys)
     end

data/lib/net/ssh/transport/algorithms.rb

@@ -33,14 +33,6 @@ module Net; module SSH; module Transport
                          aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
                          idea-cbc none arcfour128 arcfour256 arcfour
                          aes128-ctr aes192-ctr aes256-ctr
-                         camellia128-cbc camellia192-cbc camellia256-cbc
-                         camellia128-cbc@openssh.org
-                         camellia192-cbc@openssh.org
-                         camellia256-cbc@openssh.org
-                         camellia128-ctr camellia192-ctr camellia256-ctr
-                         camellia128-ctr@openssh.org
-                         camellia192-ctr@openssh.org
-                         camellia256-ctr@openssh.org
                          cast128-ctr blowfish-ctr 3des-ctr
                         ),
 
@@ -124,12 +116,6 @@ module Net; module SSH; module Transport
       prepare_preferred_algorithms!
     end
 
-    # Start the algorithm negotation
-    def start
-      raise ArgumentError, "Cannot call start if it's negoitation started or done" if @pending || @initialized
-      send_kexinit
-    end
-
     # Request a rekey operation. This will return immediately, and does not
     # actually perform the rekey operation. It does cause the session to change
     # state, however--until the key exchange finishes, no new packets will be
@@ -295,8 +281,8 @@ module Net; module SSH; module Transport
 
         Net::SSH::Buffer.from(:byte, KEXINIT,
           :long, [rand(0xFFFFFFFF), rand(0xFFFFFFFF), rand(0xFFFFFFFF), rand(0xFFFFFFFF)],
-          :mstring, [kex, host_key, encryption, encryption, hmac, hmac],
-          :mstring, [compression, compression, language, language],
+          :string, [kex, host_key, encryption, encryption, hmac, hmac],
+          :string, [compression, compression, language, language],
           :bool, false, :long, 0)
       end
 

data/lib/net/ssh/transport/cipher_factory.rb

@@ -21,12 +21,6 @@ module Net; module SSH; module Transport
       "arcfour256"                  => "rc4",
       "arcfour512"                  => "rc4",
       "arcfour"                     => "rc4",
-      "camellia128-cbc"             => "camellia-128-cbc",
-      "camellia192-cbc"             => "camellia-192-cbc",
-      "camellia256-cbc"             => "camellia-256-cbc",
-      "camellia128-cbc@openssh.org" => "camellia-128-cbc",
-      "camellia192-cbc@openssh.org" => "camellia-192-cbc",
-      "camellia256-cbc@openssh.org" => "camellia-256-cbc",
 
       "3des-ctr"                    => "des-ede3",
       "blowfish-ctr"                => "bf-ecb",
@@ -34,12 +28,6 @@ module Net; module SSH; module Transport
       "aes192-ctr"                  => "aes-192-ecb",
       "aes128-ctr"                  => "aes-128-ecb",
       "cast128-ctr"                 => "cast5-ecb",
-      "camellia128-ctr"             => "camellia-128-ecb",
-      "camellia192-ctr"             => "camellia-192-ecb",
-      "camellia256-ctr"             => "camellia-256-ecb",
-      "camellia128-ctr@openssh.org" => "camellia-128-ecb",
-      "camellia192-ctr@openssh.org" => "camellia-192-ecb",
-      "camellia256-ctr@openssh.org" => "camellia-256-ecb",
 
       "none"                        => "none",
     }
@@ -76,11 +64,11 @@ module Net; module SSH; module Transport
       cipher.padding = 0
 
       cipher.extend(Net::SSH::Transport::CTR) if (name =~ /-ctr(@openssh.org)?$/)
-      cipher.iv      = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options) if ossl_name != "rc4"
+      cipher.iv = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options) if ossl_name != "rc4"
 
       key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
       cipher.key_len = key_len
-      cipher.key     = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
+      cipher.key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
       cipher.update(" " * 1536) if (ossl_name == "rc4" && name != "arcfour")
 
       return cipher
@@ -90,15 +78,21 @@ module Net; module SSH; module Transport
     # block-size ] for the named cipher algorithm. If the cipher
     # algorithm is unknown, or is "none", 0 is returned for both elements
     # of the tuple.
-    def self.get_lengths(name)
+    # if :iv_len option is supplied the third return value will be ivlen
+    def self.get_lengths(name, options = {})
       ossl_name = SSH_TO_OSSL[name]
-      return [0, 0] if ossl_name.nil? || ossl_name == "none"
-
-      cipher = OpenSSL::Cipher::Cipher.new(ossl_name)
-      key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
-      cipher.key_len = key_len
-      
-      return [key_len, ossl_name=="rc4" ? 8 : cipher.block_size]
+      if ossl_name.nil? || ossl_name == "none"
+        result = [0, 0]
+        result << 0 if options[:iv_len]
+      else
+        cipher = OpenSSL::Cipher::Cipher.new(ossl_name)
+        key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
+        cipher.key_len = key_len
+
+        result = [key_len, ossl_name=="rc4" ? 8 : cipher.block_size]
+        result << cipher.iv_len if options[:iv_len]
+      end
+      result
     end
   end
 

data/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb

@@ -57,7 +57,7 @@ module Net; module SSH; module Transport; module Kex
       # send the KEXECDH_INIT message
       ## byte     SSH_MSG_KEX_ECDH_INIT
       ## string   Q_C, client's ephemeral public key octet string
-      buffer = Net::SSH::Buffer.from(:byte, init, :mstring, ecdh.public_key.to_bn.to_s(2))
+      buffer = Net::SSH::Buffer.from(:byte, init, :string, ecdh.public_key.to_bn.to_s(2))
       connection.send_message(buffer)
 
       # expect the following KEXECDH_REPLY message

data/lib/net/ssh/transport/key_expander.rb

@@ -9,6 +9,7 @@ module Net; module SSH; module Transport
     end
 
     k = start[0, bytes]
+    return k if k.length >= bytes
 
     digester = options[:digester] or raise 'No digester supplied'
     shared   = options[:shared] or raise 'No shared secret supplied'

data/lib/net/ssh/transport/openssl.rb

@@ -185,7 +185,7 @@ module OpenSSL
         def to_blob
           @blob ||= Net::SSH::Buffer.from(:string, ssh_type,
                                           :string, CurveNameAliasInv[self.group.curve_name],
-                                          :mstring, self.public_key.to_bn.to_s(2)).to_s
+                                          :string, self.public_key.to_bn.to_s(2)).to_s
           @blob
         end
 

data/lib/net/ssh/transport/session.rb

@@ -84,7 +84,6 @@ module Net; module SSH; module Transport
       @server_version = ServerVersion.new(socket, logger, options[:timeout])
 
       @algorithms = Algorithms.new(self, options)
-      @algorithms.start
       wait { algorithms.initialized? }
     rescue Errno::ETIMEDOUT
       raise Net::SSH::ConnectionTimeout

data/lib/net/ssh/version.rb

@@ -45,17 +45,17 @@ module Net; module SSH
     end
 
     # The major component of this version of the Net::SSH library
-    MAJOR = 3
+    MAJOR = 4
 
     # The minor component of this version of the Net::SSH library
-    MINOR = 3
+    MINOR = 0
 
     # The tiny component of this version of the Net::SSH library
     TINY  = 0
 
     # The prerelease component of this version of the Net::SSH library 
     # nil allowed
-    PRE   = 'beta1'
+    PRE   = "alpha1"
 
     # The current version of the Net::SSH library as a Version instance
     CURRENT = new(*[MAJOR, MINOR, TINY, PRE].compact)

data/net-ssh.gemspec

@@ -2,17 +2,17 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: net-ssh 3.3.0.beta1 ruby lib
+# stub: net-ssh 4.0.0.alpha1 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "net-ssh"
-  s.version = "3.3.0.beta1"
+  s.version = "4.0.0.alpha1"
 
   s.required_rubygems_version = Gem::Requirement.new("> 1.3.1") if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib"]
   s.authors = ["Jamis Buck", "Delano Mandelbaum", "Mikl\u{f3}s Fazekas"]
   s.cert_chain = ["net-ssh-public_cert.pem"]
-  s.date = "2016-11-09"
+  s.date = "2016-03-19"
   s.description = "Net::SSH: a pure-Ruby implementation of the SSH2 client protocol. It allows you to write programs that invoke and interact with processes on remote servers, via SSH2."
   s.email = "net-ssh@solutious.com"
   s.extra_rdoc_files = [
@@ -22,6 +22,7 @@ Gem::Specification.new do |s|
   s.files = [
     ".travis.yml",
     "CHANGES.txt",
+    "Gemfile",
     "LICENSE.txt",
     "Manifest",
     "README.rdoc",
@@ -32,6 +33,7 @@ Gem::Specification.new do |s|
     "lib/net/ssh/authentication/agent/java_pageant.rb",
     "lib/net/ssh/authentication/agent/socket.rb",
     "lib/net/ssh/authentication/constants.rb",
+    "lib/net/ssh/authentication/ed25519.rb",
     "lib/net/ssh/authentication/key_manager.rb",
     "lib/net/ssh/authentication/methods/abstract.rb",
     "lib/net/ssh/authentication/methods/hostbased.rb",
@@ -121,6 +123,7 @@ Gem::Specification.new do |s|
     "test/authentication/methods/test_password.rb",
     "test/authentication/methods/test_publickey.rb",
     "test/authentication/test_agent.rb",
+    "test/authentication/test_ed25519.rb",
     "test/authentication/test_key_manager.rb",
     "test/authentication/test_session.rb",
     "test/common.rb",
@@ -140,11 +143,11 @@ Gem::Specification.new do |s|
     "test/configs/wild_cards",
     "test/connection/test_channel.rb",
     "test/connection/test_session.rb",
-    "test/integration/README.txt",
+    "test/integration/README.md",
     "test/integration/Vagrantfile",
     "test/integration/common.rb",
     "test/integration/playbook.yml",
-    "test/integration/test_encoding.rb",
+    "test/integration/test_ed25519_pkeys.rb",
     "test/integration/test_forward.rb",
     "test/integration/test_id_rsa_keys.rb",
     "test/integration/test_proxy.rb",
@@ -192,7 +195,7 @@ Gem::Specification.new do |s|
   s.licenses = ["MIT"]
   s.required_ruby_version = Gem::Requirement.new(">= 2.0")
   s.rubyforge_project = "net-ssh"
-  s.rubygems_version = "2.5.1"
+  s.rubygems_version = "2.4.6"
   s.signing_key = "/mnt/gem/net-ssh-private_key.pem"
   s.summary = "Net::SSH: a pure-Ruby implementation of the SSH2 client protocol."
 
@@ -200,15 +203,31 @@ Gem::Specification.new do |s|
     s.specification_version = 4
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_development_dependency(%q<test-unit>, [">= 0"])
+      s.add_runtime_dependency(%q<rbnacl-libsodium>, [">= 1.0.2"])
+      s.add_runtime_dependency(%q<rbnacl>, [">= 3.1.2"])
+      s.add_runtime_dependency(%q<bcrypt_pbkdf>, ["= 1.0.0.alpha1"]) unless RUBY_PLATFORM == "java"
+      s.add_development_dependency(%q<rake>, [">= 0"])
+      s.add_development_dependency(%q<test-unit>, [">= 0.8.5"])
       s.add_development_dependency(%q<mocha>, [">= 0"])
+      s.add_development_dependency(%q<jeweler>, [">= 0"])
     else
-      s.add_dependency(%q<test-unit>, [">= 0"])
+      s.add_dependency(%q<rbnacl-libsodium>, [">= 1.0.2"])
+      s.add_dependency(%q<rbnacl>, [">= 3.1.2"])
+      s.add_dependency(%q<bcrypt_pbkdf>, ["= 1.0.0.alpha1"]) unless RUBY_PLATFORM == "java"
+      s.add_dependency(%q<rake>, [">= 0"])
+      s.add_dependency(%q<test-unit>, [">= 0.8.5"])
       s.add_dependency(%q<mocha>, [">= 0"])
+      s.add_dependency(%q<jeweler>, [">= 0"])
     end
   else
-    s.add_dependency(%q<test-unit>, [">= 0"])
+    s.add_dependency(%q<rbnacl-libsodium>, [">= 1.0.2"])
+    s.add_dependency(%q<rbnacl>, [">= 3.1.2"])
+    s.add_dependency(%q<bcrypt_pbkdf>, ["= 1.0.0.alpha1"]) unless RUBY_PLATFORM == "java"
+    s.add_dependency(%q<rake>, [">= 0"])
+    s.add_dependency(%q<test-unit>, [">= 0.8.5"])
     s.add_dependency(%q<mocha>, [">= 0"])
+    s.add_dependency(%q<jeweler>, [">= 0"])
   end
+  s.add_dependency('jruby-pageant', ['>= 1.1.1']) if RUBY_PLATFORM == 'jruby'
 end
 

data/test/authentication/test_agent.rb

@@ -32,11 +32,6 @@ module Authentication
       agent(false).connect!
     end
 
-    def test_connect_should_use_agent_socket_factory_instead_of_factory
-      assert_equal agent.connect!, socket
-      assert_equal agent.connect!(agent_socket_factory), "/foo/bar.sock"
-    end
-
     def test_connect_should_raise_error_if_connection_could_not_be_established
       factory.expects(:open).raises(SocketError)
       assert_raises(Net::SSH::Authentication::AgentNotAvailable) { agent(false).connect! }
@@ -218,15 +213,12 @@ module Authentication
       def agent(auto=:connect)
         @agent ||= begin
           agent = Net::SSH::Authentication::Agent.new
-          agent.stubs(:socket_class).returns(factory)
+          agent.stubs(:agent_socket_factory).returns(factory)
           agent.connect! if auto == :connect
           agent
         end
       end
 
-      def agent_socket_factory
-        @agent_socket_factory ||= ->{"/foo/bar.sock"}
-      end
   end
 
 end

data/test/authentication/test_ed25519.rb

@@ -0,0 +1,77 @@
+require 'common'
+require 'net/ssh/authentication/ed25519'
+require 'base64'
+
+module Authentication
+
+  class TestED25519 < Test::Unit::TestCase
+    def test_no_pwd_key
+      pub = Net::SSH::Buffer.new(Base64.decode64(public_key_no_pwd.split(' ')[1]))
+      _type = pub.read_string
+      pub_data = pub.read_string
+      priv = private_key_no_pwd
+
+      pub_key = ED25519::PubKey.new(pub_data)
+      priv_key = ED25519::PrivKey.new(priv,nil)
+
+      shared_secret = "Hello"
+      signed = priv_key.ssh_do_sign(shared_secret)
+      self.assert_equal(true,pub_key.ssh_do_verify(signed,shared_secret))
+      self.assert_equal(priv_key.public_key.fingerprint, pub_key.fingerprint)
+    end
+
+    def test_pwd_key
+      if defined?(JRUBY_VERSION)
+        puts "Skipping password protected ED25519 for JRuby"
+        return
+      end
+      pub = Net::SSH::Buffer.new(Base64.decode64(public_key_pwd.split(' ')[1]))
+      _type = pub.read_string
+      pub_data = pub.read_string
+      priv = private_key_pwd
+
+      pub_key = ED25519::PubKey.new(pub_data)
+      priv_key = ED25519::PrivKey.new(priv,'pwd')
+
+      shared_secret = "Hello"
+      signed = priv_key.ssh_do_sign(shared_secret)
+      self.assert_equal(true,pub_key.ssh_do_verify(signed,shared_secret))
+      self.assert_equal(priv_key.public_key.fingerprint, pub_key.fingerprint)
+    end
+
+    def private_key_pwd
+      @pwd_key = <<-EOF
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABBxwCvr3V
+/8pWhC/xvTnGJhAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAICaHkFaGXqYhUVFc
+aZ10TPUbkIvmaFXwYRoOS5qE8MciAAAAsNUAhbNQKwNcOr0eNq3nhtjoyeVyH8hRrpWsiY
+46vPiECi6R6OdYGSd7W3fdzUDeyOYCY9ZVIjAzENG+9FsygYzMi6XCuw00OuDFLUp4fL4K
+i/coUIVqouB4TPQAmsCVXiIRVTWQtRG0kWfFaV3qRt/bc22ZCvCT6ZZ1UmtulqqfUhSlKM
+oPcTikV1iWH5Xc+GxRFRRGTN/6HvBf0AKDB1kMXlDhGnBnHGeNH1pk44xG
+-----END OPENSSH PRIVATE KEY-----
+      EOF
+    end
+
+    def public_key_pwd
+      'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaHkFaGXqYhUVFcaZ10TPUbkIvmaFXwYRoOS5qE8Mci vagrant@vagrant-ubuntu-trusty-64'
+    end
+
+    def private_key_no_pwd
+      @anonymous_key = <<-EOF
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAwdjQYeBiTz1DdZFzzLvG+t913L+eVqCgtzpAYxQG8yQAAAKjlHzLo5R8y
+6AAAAAtzc2gtZWQyNTUxOQAAACAwdjQYeBiTz1DdZFzzLvG+t913L+eVqCgtzpAYxQG8yQ
+AAAEBPrD+n4901Y+NYJ2sry+EWRdltGFhMISvp91TywJ//mTB2NBh4GJPPUN1kXPMu8b63
+3Xcv55WoKC3OkBjFAbzJAAAAIHZhZ3JhbnRAdmFncmFudC11YnVudHUtdHJ1c3R5LTY0AQ
+IDBAU=
+-----END OPENSSH PRIVATE KEY-----
+      EOF
+    end
+
+    def public_key_no_pwd
+      'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDB2NBh4GJPPUN1kXPMu8b633Xcv55WoKC3OkBjFAbzJ vagrant@vagrant-ubuntu-trusty-64'
+    end
+  end
+
+end