net-ssh 6.1.0 → 6.3.0.beta1

data/lib/net/ssh/test/socket.rb

@@ -3,66 +3,63 @@ require 'stringio'
 require 'net/ssh/test/extensions'
 require 'net/ssh/test/script'
 
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Test
-
       # A mock socket implementation for use in testing. It implements the minimum
       # necessary interface for interacting with the rest of the Net::SSH::Test
       # system.
       class Socket < StringIO
         attr_reader :host, :port
-    
+
         # The Net::SSH::Test::Script object in use by this socket. This is the
         # canonical script instance that should be used for any test depending on
         # this socket instance.
         attr_reader :script
-    
+
         # Create a new test socket. This will also instantiate a new Net::SSH::Test::Script
         # and seed it with the necessary events to power the initialization of the
         # connection.
         def initialize
           extend(Net::SSH::Transport::PacketStream)
           super "SSH-2.0-Test\r\n"
-    
+
           @script = Script.new
-    
+
           script.sends(:kexinit)
           script.gets(:kexinit, 1, 2, 3, 4, "test", "ssh-rsa", "none", "none", "none", "none", "none", "none", "", "", false)
           script.sends(:newkeys)
           script.gets(:newkeys)
         end
-    
+
         # This doesn't actually do anything, since we don't really care what gets
         # written.
         def write(data)
           # black hole, because we don't actually care about what gets written
         end
-    
+
         # Allows the socket to also mimic a socket factory, simply returning
         # +self+.
         def open(host, port, options={})
           @host, @port = host, port
           self
         end
-    
+
         # Returns a sockaddr struct for the port and host that were used when the
         # socket was instantiated.
         def getpeername
           ::Socket.sockaddr_in(port, host)
         end
-    
+
         # Alias to #read, but never returns nil (returns an empty string instead).
         def recv(n)
           read(n) || ""
         end
-    
+
         def readpartial(n)
           recv(n)
         end
-        
       end
-
     end
   end
 end

data/lib/net/ssh/transport/algorithms.rb

@@ -33,12 +33,15 @@ module Net
                        ecdsa-sha2-nistp256
                        ssh-rsa-cert-v01@openssh.com
                        ssh-rsa-cert-v00@openssh.com
-                       ssh-rsa],
+                       ssh-rsa
+                       rsa-sha2-256
+                       rsa-sha2-512],
 
           kex: %w[ecdh-sha2-nistp521
                   ecdh-sha2-nistp384
                   ecdh-sha2-nistp256
                   diffie-hellman-group-exchange-sha256
+                  diffie-hellman-group14-sha256
                   diffie-hellman-group14-sha1],
 
           encryption: %w[aes256-ctr aes192-ctr aes128-ctr],
@@ -275,7 +278,7 @@ module Net
             # existing known key for the host has preference.
 
             existing_keys = session.host_keys
-            host_keys = existing_keys.map { |key| key.ssh_type }.uniq
+            host_keys = existing_keys.flat_map { |key| key.respond_to?(:ssh_types) ? key.ssh_types : [key.ssh_type] }.uniq
             algorithms[:host_key].each do |name|
               host_keys << name unless host_keys.include?(name)
             end

data/lib/net/ssh/transport/cipher_factory.rb

@@ -3,10 +3,9 @@ require 'net/ssh/transport/ctr.rb'
 require 'net/ssh/transport/key_expander'
 require 'net/ssh/transport/identity_cipher'
 
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Transport
-
       # Implements a factory of OpenSSL cipher algorithms.
       class CipherFactory
         # Maps the SSH name of a cipher to it's corresponding OpenSSL name
@@ -22,9 +21,9 @@ module Net
           "3des-ctr"                    => "des-ede3",
           "blowfish-ctr"                => "bf-ecb",
 
-          'aes256-ctr'                  => 'aes-256-ctr',
-          'aes192-ctr'                  => 'aes-192-ctr',
-          'aes128-ctr'                  => 'aes-128-ctr',
+          "aes256-ctr"                  => ::OpenSSL::Cipher.ciphers.include?("aes-256-ctr") ? "aes-256-ctr" : "aes-256-ecb",
+          "aes192-ctr"                  => ::OpenSSL::Cipher.ciphers.include?("aes-192-ctr") ? "aes-192-ctr" : "aes-192-ecb",
+          "aes128-ctr"                  => ::OpenSSL::Cipher.ciphers.include?("aes-128-ctr") ? "aes-128-ctr" : "aes-128-ecb",
           'cast128-ctr'                 => 'cast5-ecb',
 
           'none'                        => 'none'
@@ -35,9 +34,10 @@ module Net
         def self.supported?(name)
           ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
           return true if ossl_name == "none"
+
           return OpenSSL::Cipher.ciphers.include?(ossl_name)
         end
-    
+
         # Retrieves a new instance of the named algorithm. The new instance
         # will be initialized using an iv and key generated from the given
         # iv, key, shared, hash and digester values. Additionally, the
@@ -46,12 +46,13 @@ module Net
         def self.get(name, options={})
           ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
           return IdentityCipher if ossl_name == "none"
+
           cipher = OpenSSL::Cipher.new(ossl_name)
-    
+
           cipher.send(options[:encrypt] ? :encrypt : :decrypt)
-    
+
           cipher.padding = 0
-    
+
           if name =~ /-ctr(@openssh.org)?$/
             if ossl_name !~ /-ctr/
               cipher.extend(Net::SSH::Transport::CTR)
@@ -60,14 +61,14 @@ module Net
             end
           end
           cipher.iv = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options)
-    
+
           key_len = cipher.key_len
           cipher.key_len = key_len
           cipher.key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
-    
+
           return cipher
         end
-    
+
         # Returns a two-element array containing the [ key-length,
         # block-size ] for the named cipher algorithm. If the cipher
         # algorithm is unknown, or is "none", 0 is returned for both elements
@@ -82,7 +83,7 @@ module Net
             cipher = OpenSSL::Cipher.new(ossl_name)
             key_len = cipher.key_len
             cipher.key_len = key_len
-    
+
             block_size =
               case ossl_name
               when /\-ctr/
@@ -90,14 +91,13 @@ module Net
               else
                 cipher.block_size
               end
-    
+
             result = [key_len, block_size]
             result << cipher.iv_len if options[:iv_len]
           end
           result
         end
       end
-
     end
   end
 end

data/lib/net/ssh/transport/constants.rb

@@ -1,5 +1,5 @@
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Transport
       module Constants
         #--
@@ -12,7 +12,7 @@ module Net
         DEBUG                     = 4
         SERVICE_REQUEST           = 5
         SERVICE_ACCEPT            = 6
-    
+
         #--
         # Algorithm negotiation messages
         #++

data/lib/net/ssh/transport/ctr.rb

@@ -32,7 +32,7 @@ module Net::SSH::Transport
   module CTR
     def self.extended(orig)
       orig.instance_eval {
-        @remaining = ""
+        @remaining = String.new
         @counter = nil
         @counter_len = orig.block_size
         orig.encrypt
@@ -67,13 +67,13 @@ module Net::SSH::Transport
         end
 
         def reset
-          @remaining = ""
+          @remaining = String.new
         end
 
         def update(data)
           @remaining += data
 
-          encrypted = ""
+          encrypted = String.new
 
           offset = 0
           while (@remaining.bytesize - offset) >= block_size
@@ -89,7 +89,7 @@ module Net::SSH::Transport
 
         def final
           s = @remaining.empty? ? '' : xor!(@remaining, _update(@counter))
-          @remaining = ""
+          @remaining = String.new
           s
         end
 

data/lib/net/ssh/transport/hmac/abstract.rb

@@ -5,7 +5,6 @@ module Net
   module SSH
     module Transport
       module HMAC
-
         # The base class of all OpenSSL-based HMAC algorithm wrappers.
         class Abstract
           class <<self

data/lib/net/ssh/transport/hmac/md5.rb

@@ -1,12 +1,10 @@
 require 'net/ssh/transport/hmac/abstract'
 
 module Net::SSH::Transport::HMAC
-
   # The MD5 HMAC algorithm.
   class MD5 < Abstract
     mac_length   16
     key_length   16
     digest_class OpenSSL::Digest::MD5
   end
-
 end

data/lib/net/ssh/transport/hmac/md5_96.rb

@@ -1,11 +1,9 @@
 require 'net/ssh/transport/hmac/md5'
 
 module Net::SSH::Transport::HMAC
-
   # The MD5-96 HMAC algorithm. This returns only the first 12 bytes of
   # the digest.
   class MD5_96 < MD5
     mac_length 12
   end
-
 end

data/lib/net/ssh/transport/hmac/none.rb

@@ -1,7 +1,6 @@
 require 'net/ssh/transport/hmac/abstract'
 
 module Net::SSH::Transport::HMAC
-
   # The "none" algorithm. This has a key and mac length of 0.
   class None < Abstract
     key_length 0
@@ -11,5 +10,4 @@ module Net::SSH::Transport::HMAC
       ""
     end
   end
-
 end

data/lib/net/ssh/transport/hmac/ripemd160.rb

@@ -1,7 +1,6 @@
 require 'net/ssh/transport/hmac/abstract'
 
 module Net::SSH::Transport::HMAC
-
   # The RIPEMD-160 HMAC algorithm. This has a mac and key length of 20, and
   # uses the RIPEMD-160 digest algorithm.
   class RIPEMD160 < Abstract
@@ -9,5 +8,4 @@ module Net::SSH::Transport::HMAC
     key_length   20
     digest_class OpenSSL::Digest::RIPEMD160
   end
-
 end

data/lib/net/ssh/transport/hmac/sha1.rb

@@ -1,7 +1,6 @@
 require 'net/ssh/transport/hmac/abstract'
 
 module Net::SSH::Transport::HMAC
-
   # The SHA1 HMAC algorithm. This has a mac and key length of 20, and
   # uses the SHA1 digest algorithm.
   class SHA1 < Abstract
@@ -9,5 +8,4 @@ module Net::SSH::Transport::HMAC
     key_length   20
     digest_class OpenSSL::Digest::SHA1
   end
-
 end

data/lib/net/ssh/transport/hmac/sha1_96.rb

@@ -1,11 +1,9 @@
 require 'net/ssh/transport/hmac/sha1'
 
 module Net::SSH::Transport::HMAC
-
   # The SHA1-96 HMAC algorithm. This returns only the first 12 bytes of
   # the digest.
   class SHA1_96 < SHA1
     mac_length 12
   end
-
 end

data/lib/net/ssh/transport/identity_cipher.rb

@@ -1,7 +1,6 @@
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Transport
-
       # A cipher that does nothing but pass the data through, unchanged. This
       # keeps things in the code nice and clean when a cipher has not yet been
       # determined (i.e., during key exchange).
@@ -11,49 +10,48 @@ module Net
           def block_size
             8
           end
-    
+
           # Returns an arbitrary integer.
           def iv_len
             4
           end
-    
+
           # Does nothing. Returns self.
           def encrypt
             self
           end
-    
+
           # Does nothing. Returns self.
           def decrypt
             self
           end
-    
+
           # Passes its single argument through unchanged.
           def update(text)
             text
           end
-    
+
           # Returns the empty string.
           def final
             ""
           end
-    
+
           # The name of this cipher, which is "identity".
           def name
             "identity"
           end
-    
+
           # Does nothing. Returns nil.
           def iv=(v)
             nil
           end
-    
+
           # Does nothing. Returns self.
           def reset
             self
           end
         end
       end
-
     end
   end
 end

data/lib/net/ssh/transport/kex.rb

@@ -1,5 +1,6 @@
 require 'net/ssh/transport/kex/diffie_hellman_group1_sha1'
 require 'net/ssh/transport/kex/diffie_hellman_group14_sha1'
+require 'net/ssh/transport/kex/diffie_hellman_group14_sha256'
 require 'net/ssh/transport/kex/diffie_hellman_group_exchange_sha1'
 require 'net/ssh/transport/kex/diffie_hellman_group_exchange_sha256'
 require 'net/ssh/transport/kex/ecdh_sha2_nistp256'
@@ -14,6 +15,7 @@ module Net::SSH::Transport
     MAP = {
       'diffie-hellman-group1-sha1'           => DiffieHellmanGroup1SHA1,
       'diffie-hellman-group14-sha1'          => DiffieHellmanGroup14SHA1,
+      'diffie-hellman-group14-sha256'        => DiffieHellmanGroup14SHA256,
       'diffie-hellman-group-exchange-sha1'   => DiffieHellmanGroupExchangeSHA1,
       'diffie-hellman-group-exchange-sha256' => DiffieHellmanGroupExchangeSHA256,
       'ecdh-sha2-nistp256'                   => EcdhSHA2NistP256,

data/lib/net/ssh/transport/kex/abstract.rb

@@ -64,11 +64,16 @@ module Net
 
           private
 
+          def matching?(key_ssh_type, host_key_alg)
+            return true if key_ssh_type == host_key_alg
+            return true if key_ssh_type == 'ssh-rsa' && ['rsa-sha2-512', 'rsa-sha2-256'].include?(host_key_alg)
+          end
+
           # Verify that the given key is of the expected type, and that it
           # really is the key for the session's host. Raise Net::SSH::Exception
           # if it is not.
           def verify_server_key(key) #:nodoc:
-            if key.ssh_type != algorithms.host_key
+            unless matching?(key.ssh_type, algorithms.host_key)
               raise Net::SSH::Exception, "host key algorithm mismatch '#{key.ssh_type}' != '#{algorithms.host_key}'"
             end
 
@@ -97,7 +102,9 @@ module Net
 
             hash = digester.digest(response.to_s)
 
-            unless connection.host_key_verifier.verify_signature { result[:server_key].ssh_do_verify(result[:server_sig], hash) }
+            server_key = result[:server_key]
+            server_sig = result[:server_sig]
+            unless connection.host_key_verifier.verify_signature { server_key.ssh_do_verify(server_sig, hash, host_key: algorithms.host_key) }
               raise Net::SSH::Exception, 'could not verify server signature'
             end