sonixlabs-net-ssh 2.3.0

data/test/transport/kex/test_diffie_hellman_group_exchange_sha1.rb

@@ -0,0 +1,92 @@
+require 'common'
+require 'transport/kex/test_diffie_hellman_group1_sha1'
+require 'net/ssh/transport/kex/diffie_hellman_group_exchange_sha1'
+
+module Transport; module Kex
+
+  class TestDiffieHellmanGroupExchangeSHA1 < TestDiffieHellmanGroup1SHA1
+    KEXDH_GEX_GROUP   = 31
+    KEXDH_GEX_INIT    = 32
+    KEXDH_GEX_REPLY   = 33
+    KEXDH_GEX_REQUEST = 34
+
+    def test_exchange_with_fewer_than_minimum_bits_uses_minimum_bits
+      dh_options :need_bytes => 20
+      assert_equal 1024, need_bits
+      assert_nothing_raised { exchange! }
+    end
+
+    def test_exchange_with_fewer_than_maximum_bits_uses_need_bits
+      dh_options :need_bytes => 500
+      need_bits(8001)
+      assert_nothing_raised { exchange! }
+    end
+
+    def test_exchange_with_more_than_maximum_bits_uses_maximum_bits
+      dh_options :need_bytes => 2000
+      need_bits(8192)
+      assert_nothing_raised { exchange! }
+    end
+
+    def test_that_p_and_g_are_provided_by_the_server
+      assert_nothing_raised { exchange! :p => default_p+2, :g => 3 }
+      assert_equal default_p+2, dh.dh.p
+      assert_equal 3, dh.dh.g
+    end
+
+    private
+
+      def need_bits(bits=1024)
+        @need_bits ||= bits
+      end
+
+      def default_p
+        142326151570335518660743995281621698377057354949884468943021767573608899048361360422513557553514790045512299468953431585300812548859419857171094366358158903433167915517332113861059747425408670144201099811846875730766487278261498262568348338476437200556998366087779709990807518291581860338635288400119315130179
+      end
+
+      def exchange!(options={})
+        connection.expect do |t, buffer|
+          assert_equal KEXDH_GEX_REQUEST, buffer.type
+          assert_equal 1024, buffer.read_long
+          assert_equal need_bits, buffer.read_long
+          assert_equal 8192, buffer.read_long
+          t.return(KEXDH_GEX_GROUP, :bignum, bn(options[:p] || default_p), :bignum, bn(options[:g] || 2))
+          t.expect do |t2, buffer2|
+            assert_equal KEXDH_GEX_INIT, buffer2.type
+            assert_equal dh.dh.pub_key, buffer2.read_bignum
+            t2.return(KEXDH_GEX_REPLY, :string, b(:key, server_key), :bignum, server_dh_pubkey, :string, b(:string, options[:key_type] || "ssh-rsa", :string, signature))
+            t2.expect do |t3, buffer3|
+              assert_equal NEWKEYS, buffer3.type
+              t3.return(NEWKEYS)
+            end
+          end
+        end
+
+        dh.exchange_keys
+      end
+
+      def subject
+        Net::SSH::Transport::Kex::DiffieHellmanGroupExchangeSHA1
+      end
+
+      def session_id
+        @session_id ||= begin
+          buffer = Net::SSH::Buffer.from(:string, packet_data[:client_version_string],
+            :string, packet_data[:server_version_string],
+            :string, packet_data[:client_algorithm_packet],
+            :string, packet_data[:server_algorithm_packet],
+            :string, Net::SSH::Buffer.from(:key, server_key),
+            :long,   1024,
+            :long,   need_bits, # need bits, figure this part out,
+            :long,   8192,
+            :bignum, dh.dh.p,
+            :bignum, dh.dh.g,
+            :bignum, dh.dh.pub_key,
+            :bignum, server_dh_pubkey,
+            :bignum, shared_secret)
+          OpenSSL::Digest::SHA1.digest(buffer.to_s)
+        end
+      end
+  end
+
+end; end

data/test/transport/kex/test_diffie_hellman_group_exchange_sha256.rb

@@ -0,0 +1,33 @@
+require 'common'
+require 'net/ssh/transport/kex/diffie_hellman_group_exchange_sha1'
+
+module Transport; module Kex
+
+  class TestDiffieHellmanGroupExchangeSHA256 < TestDiffieHellmanGroupExchangeSHA1
+    private
+
+      def subject
+        Net::SSH::Transport::Kex::DiffieHellmanGroupExchangeSHA256
+      end
+
+      def session_id
+        @session_id ||= begin
+          buffer = Net::SSH::Buffer.from(:string, packet_data[:client_version_string],
+            :string, packet_data[:server_version_string],
+            :string, packet_data[:client_algorithm_packet],
+            :string, packet_data[:server_algorithm_packet],
+            :string, Net::SSH::Buffer.from(:key, server_key),
+            :long,   1024,
+            :long,   1024,
+            :long,   8192,
+            :bignum, dh.dh.p,
+            :bignum, dh.dh.g,
+            :bignum, dh.dh.pub_key,
+            :bignum, server_dh_pubkey,
+            :bignum, shared_secret)
+          OpenSSL::Digest::SHA256.digest(buffer.to_s)
+        end
+      end
+  end
+
+end; end

data/test/transport/test_algorithms.rb

@@ -0,0 +1,308 @@
+require 'common'
+require 'net/ssh/transport/algorithms'
+
+module Transport
+
+  class TestAlgorithms < Test::Unit::TestCase
+    include Net::SSH::Transport::Constants
+
+    def test_allowed_packets
+      (0..255).each do |type|
+        packet = stub("packet", :type => type)
+        case type
+        when 1..4, 6..19, 21..49 then assert(Net::SSH::Transport::Algorithms.allowed_packet?(packet), "#{type} should be allowed during key exchange")
+        else assert(!Net::SSH::Transport::Algorithms.allowed_packet?(packet), "#{type} should not be allowed during key exchange")
+        end
+      end
+    end
+
+    def test_constructor_should_build_default_list_of_preferred_algorithms
+      assert_equal %w(ssh-rsa ssh-dss), algorithms[:host_key]
+      assert_equal %w(diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha256), algorithms[:kex]
+      assert_equal %w(aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se idea-cbc none arcfour128 arcfour256), algorithms[:encryption]
+      if defined?(OpenSSL::Digest::SHA256)
+        assert_equal %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none), algorithms[:hmac]
+      else
+        assert_equal %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 none), algorithms[:hmac]
+      end
+      assert_equal %w(none zlib@openssh.com zlib), algorithms[:compression]
+      assert_equal %w(), algorithms[:language]
+    end
+
+    def test_constructor_should_set_client_and_server_prefs_identically
+      %w(encryption hmac compression language).each do |key|
+        assert_equal algorithms[key.to_sym], algorithms[:"#{key}_client"], key
+        assert_equal algorithms[key.to_sym], algorithms[:"#{key}_server"], key
+      end
+    end
+
+    def test_constructor_with_preferred_host_key_type_should_put_preferred_host_key_type_first
+      assert_equal %w(ssh-dss ssh-rsa), algorithms(:host_key => "ssh-dss")[:host_key]
+    end
+
+    def test_constructor_with_known_hosts_reporting_known_host_key_should_use_that_host_key_type
+      Net::SSH::KnownHosts.expects(:search_for).with("net.ssh.test,127.0.0.1", {}).returns([stub("key", :ssh_type => "ssh-dss")])
+      assert_equal %w(ssh-dss ssh-rsa), algorithms[:host_key]
+    end
+
+    def test_constructor_with_unrecognized_host_key_type_should_raise_exception
+      assert_raises(NotImplementedError) { algorithms(:host_key => "bogus") }
+    end
+
+    def test_constructor_with_preferred_kex_should_put_preferred_kex_first
+      assert_equal %w(diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256), algorithms(:kex => "diffie-hellman-group1-sha1")[:kex]
+    end
+
+    def test_constructor_with_unrecognized_kex_should_raise_exception
+      assert_raises(NotImplementedError) { algorithms(:kex => "bogus") }
+    end
+
+    def test_constructor_with_preferred_encryption_should_put_preferred_encryption_first
+      assert_equal %w(aes256-cbc aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc rijndael-cbc@lysator.liu.se idea-cbc none arcfour128 arcfour256), algorithms(:encryption => "aes256-cbc")[:encryption]
+    end
+
+    def test_constructor_with_multiple_preferred_encryption_should_put_all_preferred_encryption_first
+      assert_equal %w(aes256-cbc 3des-cbc idea-cbc aes128-cbc blowfish-cbc cast128-cbc aes192-cbc rijndael-cbc@lysator.liu.se none arcfour128 arcfour256), algorithms(:encryption => %w(aes256-cbc 3des-cbc idea-cbc))[:encryption]
+    end
+
+    def test_constructor_with_unrecognized_encryption_should_raise_exception
+      assert_raises(NotImplementedError) { algorithms(:encryption => "bogus") }
+    end
+
+    def test_constructor_with_preferred_hmac_should_put_preferred_hmac_first
+      assert_equal %w(hmac-md5-96 hmac-sha1 hmac-md5 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none), algorithms(:hmac => "hmac-md5-96")[:hmac]
+    end
+
+    def test_constructor_with_multiple_preferred_hmac_should_put_all_preferred_hmac_first
+      assert_equal %w(hmac-md5-96 hmac-sha1-96 hmac-sha1 hmac-md5 hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none), algorithms(:hmac => %w(hmac-md5-96 hmac-sha1-96))[:hmac]
+    end
+
+    def test_constructor_with_unrecognized_hmac_should_raise_exception
+      assert_raises(NotImplementedError) { algorithms(:hmac => "bogus") }
+    end
+
+    def test_constructor_with_preferred_compression_should_put_preferred_compression_first
+      assert_equal %w(zlib none zlib@openssh.com), algorithms(:compression => "zlib")[:compression]
+    end
+
+    def test_constructor_with_multiple_preferred_compression_should_put_all_preferred_compression_first
+      assert_equal %w(zlib@openssh.com zlib none), algorithms(:compression => %w(zlib@openssh.com zlib))[:compression]
+    end
+
+    def test_constructor_with_general_preferred_compression_should_put_none_last
+      assert_equal %w(zlib@openssh.com zlib none), algorithms(:compression => true)[:compression]
+    end
+
+    def test_constructor_with_unrecognized_compression_should_raise_exception
+      assert_raises(NotImplementedError) { algorithms(:compression => "bogus") }
+    end
+
+    def test_initial_state_should_be_neither_pending_nor_initialized
+      assert !algorithms.pending?
+      assert !algorithms.initialized?
+    end
+
+    def test_key_exchange_when_initiated_by_server
+      transport.expect do |t, buffer|
+        assert_kexinit(buffer)
+        install_mock_key_exchange(buffer)
+      end
+
+      install_mock_algorithm_lookups
+      algorithms.accept_kexinit(kexinit)
+
+      assert_exchange_results
+    end
+
+    def test_key_exchange_when_initiated_by_client
+      state = nil
+      transport.expect do |t, buffer|
+        assert_kexinit(buffer)
+        state = :sent_kexinit
+        install_mock_key_exchange(buffer)
+      end
+
+      algorithms.rekey!
+      assert_equal state, :sent_kexinit
+      assert algorithms.pending?
+
+      install_mock_algorithm_lookups
+      algorithms.accept_kexinit(kexinit)
+
+      assert_exchange_results
+    end
+
+    def test_key_exchange_when_server_does_not_support_preferred_kex_should_fallback_to_secondary
+      kexinit :kex => "diffie-hellman-group1-sha1"
+      transport.expect do |t,buffer|
+        assert_kexinit(buffer)
+        install_mock_key_exchange(buffer, :kex => Net::SSH::Transport::Kex::DiffieHellmanGroup1SHA1)
+      end
+      algorithms.accept_kexinit(kexinit)
+    end
+
+    def test_key_exchange_when_server_does_not_support_any_preferred_kex_should_raise_error
+      kexinit :kex => "something-obscure"
+      transport.expect { |t,buffer| assert_kexinit(buffer) }
+      assert_raises(Net::SSH::Exception) { algorithms.accept_kexinit(kexinit) }
+    end
+
+    def test_allow_when_not_pending_should_be_true_for_all_packets
+      (0..255).each do |type|
+        packet = stub("packet", :type => type)
+        assert algorithms.allow?(packet), type.to_s
+      end
+    end
+
+    def test_allow_when_pending_should_be_true_only_for_packets_valid_during_key_exchange
+      transport.expect!
+      algorithms.rekey!
+      assert algorithms.pending?
+
+      (0..255).each do |type|
+        packet = stub("packet", :type => type)
+        case type
+        when 1..4, 6..19, 21..49 then assert(algorithms.allow?(packet), "#{type} should be allowed during key exchange")
+        else assert(!algorithms.allow?(packet), "#{type} should not be allowed during key exchange")
+        end
+      end
+    end
+
+    def test_exchange_with_zlib_compression_enabled_sets_compression_to_standard
+      algorithms :compression => "zlib"
+
+      transport.expect do |t, buffer|
+        assert_kexinit(buffer, :compression_client => "zlib,none,zlib@openssh.com", :compression_server => "zlib,none,zlib@openssh.com")
+        install_mock_key_exchange(buffer)
+      end
+
+      install_mock_algorithm_lookups
+      algorithms.accept_kexinit(kexinit)
+
+      assert_equal :standard, transport.client_options[:compression]
+      assert_equal :standard, transport.server_options[:compression]
+    end
+
+    def test_exchange_with_zlib_at_openssh_dot_com_compression_enabled_sets_compression_to_delayed
+      algorithms :compression => "zlib@openssh.com"
+
+      transport.expect do |t, buffer|
+        assert_kexinit(buffer, :compression_client => "zlib@openssh.com,none,zlib", :compression_server => "zlib@openssh.com,none,zlib")
+        install_mock_key_exchange(buffer)
+      end
+
+      install_mock_algorithm_lookups
+      algorithms.accept_kexinit(kexinit)
+
+      assert_equal :delayed, transport.client_options[:compression]
+      assert_equal :delayed, transport.server_options[:compression]
+    end
+
+    private
+
+      def install_mock_key_exchange(buffer, options={})
+        kex = options[:kex] || Net::SSH::Transport::Kex::DiffieHellmanGroupExchangeSHA1
+
+        Net::SSH::Transport::Kex::MAP.each do |name, klass|
+          next if klass == kex
+          klass.expects(:new).never
+        end
+
+        kex.expects(:new).
+          with(algorithms, transport,
+            :client_version_string => Net::SSH::Transport::ServerVersion::PROTO_VERSION,
+            :server_version_string => transport.server_version.version,
+            :server_algorithm_packet => kexinit.to_s,
+            :client_algorithm_packet => buffer.to_s,
+            :need_bytes => 20,
+            :logger => nil).
+          returns(stub("kex", :exchange_keys => { :shared_secret => shared_secret, :session_id => session_id, :hashing_algorithm => hashing_algorithm }))
+      end
+
+      def install_mock_algorithm_lookups(options={})
+        params = { :shared => shared_secret.to_ssh, :hash => session_id, :digester => hashing_algorithm }
+        Net::SSH::Transport::CipherFactory.expects(:get).
+          with(options[:client_cipher] || "aes128-cbc", params.merge(:iv => key("A"), :key => key("C"), :encrypt => true)).
+          returns(:client_cipher)
+
+        Net::SSH::Transport::CipherFactory.expects(:get).
+          with(options[:server_cipher] || "aes128-cbc", params.merge(:iv => key("B"), :key => key("D"), :decrypt => true)).
+          returns(:server_cipher)
+
+        Net::SSH::Transport::HMAC.expects(:get).with(options[:client_hmac] || "hmac-sha1", key("E"), params).returns(:client_hmac)
+        Net::SSH::Transport::HMAC.expects(:get).with(options[:server_hmac] || "hmac-sha1", key("F"), params).returns(:server_hmac)
+      end
+
+      def shared_secret
+        @shared_secret ||= OpenSSL::BN.new("1234567890", 10)
+      end
+
+      def session_id
+        @session_id ||= "this is the session id"
+      end
+
+      def hashing_algorithm
+        OpenSSL::Digest::SHA1
+      end
+
+      def key(salt)
+        hashing_algorithm.digest(shared_secret.to_ssh + session_id + salt + session_id)
+      end
+
+      def cipher(type, options={})
+        Net::SSH::Transport::CipherFactory.get(type, options)
+      end
+
+      def kexinit(options={})
+        @kexinit ||= P(:byte, KEXINIT,
+          :long, rand(0xFFFFFFFF), :long, rand(0xFFFFFFFF), :long, rand(0xFFFFFFFF), :long, rand(0xFFFFFFFF),
+          :string, options[:kex] || "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256",
+          :string, options[:host_key] || "ssh-rsa,ssh-dss",
+          :string, options[:encryption_client] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc",
+          :string, options[:encryption_server] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc",
+          :string, options[:hmac_client] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96",
+          :string, options[:hmac_server] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96",
+          :string, options[:compmression_client] || "none,zlib@openssh.com,zlib",
+          :string, options[:compmression_server] || "none,zlib@openssh.com,zlib",
+          :string, options[:language_client] || "",
+          :string, options[:langauge_server] || "",
+          :bool, options[:first_kex_follows])
+      end
+
+      def assert_kexinit(buffer, options={})
+        assert_equal KEXINIT, buffer.type
+        assert_equal 16, buffer.read(16).length
+        assert_equal options[:kex] || "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256", buffer.read_string
+        assert_equal options[:host_key] || "ssh-rsa,ssh-dss", buffer.read_string
+        assert_equal options[:encryption_client] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc,none,arcfour128,arcfour256", buffer.read_string
+        assert_equal options[:encryption_server] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc,none,arcfour128,arcfour256", buffer.read_string
+        assert_equal options[:hmac_client] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-512-96,none", buffer.read_string
+        assert_equal options[:hmac_server] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-512-96,none", buffer.read_string
+        assert_equal options[:compression_client] || "none,zlib@openssh.com,zlib", buffer.read_string
+        assert_equal options[:compression_server] || "none,zlib@openssh.com,zlib", buffer.read_string
+        assert_equal options[:language_client] || "", buffer.read_string
+        assert_equal options[:language_server] || "", buffer.read_string
+        assert_equal options[:first_kex_follows] || false, buffer.read_bool
+      end
+
+      def assert_exchange_results
+        assert algorithms.initialized?
+        assert !algorithms.pending?
+        assert !transport.client_options[:compression]
+        assert !transport.server_options[:compression]
+        assert_equal :client_cipher, transport.client_options[:cipher]
+        assert_equal :server_cipher, transport.server_options[:cipher]
+        assert_equal :client_hmac, transport.client_options[:hmac]
+        assert_equal :server_hmac, transport.server_options[:hmac]
+      end
+
+      def algorithms(options={})
+        @algorithms ||= Net::SSH::Transport::Algorithms.new(transport, options)
+      end
+
+      def transport
+        @transport ||= MockTransport.new
+      end
+  end
+
+end

data/test/transport/test_cipher_factory.rb

@@ -0,0 +1,213 @@
+require 'common'
+require 'net/ssh/transport/cipher_factory'
+
+module Transport
+
+  class TestCipherFactory < Test::Unit::TestCase
+    def self.if_supported?(name)
+      yield if Net::SSH::Transport::CipherFactory.supported?(name)
+    end
+
+    def test_lengths_for_none
+      assert_equal [0,0], factory.get_lengths("none")
+      assert_equal [0,0], factory.get_lengths("bogus")
+    end
+
+    def test_lengths_for_blowfish_cbc
+      assert_equal [16,8], factory.get_lengths("blowfish-cbc")
+    end
+
+    if_supported?("idea-cbc") do
+      def test_lengths_for_idea_cbc
+        assert_equal [16,8], factory.get_lengths("idea-cbc")
+      end
+    end
+
+    def test_lengths_for_rijndael_cbc
+      assert_equal [32,16], factory.get_lengths("rijndael-cbc@lysator.liu.se")
+    end
+
+    def test_lengths_for_cast128_cbc
+      assert_equal [16,8], factory.get_lengths("cast128-cbc")
+    end
+
+    def test_lengths_for_3des_cbc
+      assert_equal [24,8], factory.get_lengths("3des-cbc")
+    end
+
+    def test_lengths_for_aes192_cbc
+      assert_equal [24,16], factory.get_lengths("aes192-cbc")
+    end
+
+    def test_lengths_for_aes128_cbc
+      assert_equal [16,16], factory.get_lengths("aes128-cbc")
+    end
+
+    def test_lengths_for_aes256_cbc
+      assert_equal [32,16], factory.get_lengths("aes256-cbc")
+    end
+
+    def test_lengths_for_arcfour128
+      assert_equal [16,8], factory.get_lengths("arcfour128")
+    end
+    
+    def test_lengths_for_arcfour256
+      assert_equal [32,8], factory.get_lengths("arcfour256")
+    end
+    
+    def test_lengths_for_arcfour512
+      assert_equal [64,8], factory.get_lengths("arcfour512")
+    end
+    
+    BLOWFISH = "\210\021\200\315\240_\026$\352\204g\233\244\242x\332e\370\001\327\224Nv@9_\323\037\252kb\037\036\237\375]\343/y\037\237\312Q\f7]\347Y\005\275%\377\0010$G\272\250B\265Nd\375\342\372\025r6}+Y\213y\n\237\267\\\374^\346BdJ$\353\220Ik\023<\236&H\277=\225"
+
+    def test_blowfish_cbc_for_encryption
+      assert_equal BLOWFISH, encrypt("blowfish-cbc")
+    end
+
+    def test_blowfish_cbc_for_decryption
+      assert_equal TEXT, decrypt("blowfish-cbc", BLOWFISH)
+    end
+
+    if_supported?("idea-cbc") do
+      IDEA = "W\234\017G\231\b\357\370H\b\256U]\343M\031k\233]~\023C\363\263\177\262-\261\341$\022\376mv\217\322\b\2763\270H\306\035\343z\313\312\3531\351\t\201\302U\022\360\300\354ul7$z\320O]\360g\024\305\005`V\005\335A\351\312\270c\320D\232\eQH1\340\265\2118\031g*\303v"
+
+      def test_idea_cbc_for_encryption
+        assert_equal IDEA, encrypt("idea-cbc")
+      end
+
+      def test_idea_cbc_for_decryption
+        assert_equal TEXT, decrypt("idea-cbc", IDEA)
+      end
+    end
+
+    RIJNDAEL = "$\253\271\255\005Z\354\336&\312\324\221\233\307Mj\315\360\310Fk\241EfN\037\231\213\361{'\310\204\347I\343\271\005\240`\325;\034\346uM>#\241\231C`\374\261\vo\226;Z\302:\b\250\366T\330\\#V\330\340\226\363\374!\bm\266\232\207!\232\347\340\t\307\370\356z\236\343=v\210\206y"
+
+    def test_rijndael_cbc_for_encryption
+      assert_equal RIJNDAEL, encrypt("rijndael-cbc@lysator.liu.se")
+    end
+
+    def test_rijndael_cbc_for_decryption
+      assert_equal TEXT, decrypt("rijndael-cbc@lysator.liu.se", RIJNDAEL)
+    end
+
+    CAST128 = "qW\302\331\333P\223t[9 ~(sg\322\271\227\272\022I\223\373p\255>k\326\314\260\2003\236C_W\211\227\373\205>\351\334\322\227\223\e\236\202Ii\032!P\214\035:\017\360h7D\371v\210\264\317\236a\262w1\2772\023\036\331\227\240:\f/X\351\324I\t[x\350\323E\2301\016m"
+
+    def test_cast128_cbc_for_encryption
+      assert_equal CAST128, encrypt("cast128-cbc")
+    end
+
+    def test_cast128_cbc_for_decryption
+      assert_equal TEXT, decrypt("cast128-cbc", CAST128)
+    end
+
+    TRIPLE_DES = "\322\252\216D\303Q\375gg\367A{\177\313\3436\272\353%\223K?\257\206|\r&\353/%\340\336 \203E8rY\206\234\004\274\267\031\233T/{\"\227/B!i?[qGaw\306T\206\223\213n \212\032\244%]@\355\250\334\312\265E\251\017\361\270\357\230\274KP&^\031r+r%\370"
+
+    def test_3des_cbc_for_encryption
+      assert_equal TRIPLE_DES, encrypt("3des-cbc")
+    end
+
+    def test_3des_cbc_for_decryption
+      assert_equal TEXT, decrypt("3des-cbc", TRIPLE_DES)
+    end
+
+    AES128 = "k\026\350B\366-k\224\313\3277}B\035\004\200\035\r\233\024$\205\261\231Q\2214r\245\250\360\315\237\266hg\262C&+\321\346Pf\267v\376I\215P\327\345-\232&HK\375\326_\030<\a\276\212\303g\342C\242O\233\260\006\001a&V\345`\\T\e\236.\207\223l\233ri^\v\252\363\245"
+
+    def test_aes128_cbc_for_encryption
+      assert_equal AES128, encrypt("aes128-cbc")
+    end
+
+    def test_aes128_cbc_for_decryption
+      assert_equal TEXT, decrypt("aes128-cbc", AES128)
+    end
+
+    AES192 = "\256\017)x\270\213\336\303L\003f\235'jQ\3231k9\225\267\242\364C4\370\224\201\302~\217I\202\374\2167='\272\037\225\223\177Y\r\212\376(\275\n\3553\377\177\252C\254\236\016MA\274Z@H\331<\rL\317\205\323[\305X8\376\237=\374\352bH9\244\0231\353\204\352p\226\326~J\242"
+
+    def test_aes192_cbc_for_encryption
+      assert_equal AES192, encrypt("aes192-cbc")
+    end
+
+    def test_aes192_cbc_for_decryption
+      assert_equal TEXT, decrypt("aes192-cbc", AES192)
+    end
+
+    AES256 = "$\253\271\255\005Z\354\336&\312\324\221\233\307Mj\315\360\310Fk\241EfN\037\231\213\361{'\310\204\347I\343\271\005\240`\325;\034\346uM>#\241\231C`\374\261\vo\226;Z\302:\b\250\366T\330\\#V\330\340\226\363\374!\bm\266\232\207!\232\347\340\t\307\370\356z\236\343=v\210\206y"
+
+    def test_aes256_cbc_for_encryption
+      assert_equal AES256, encrypt("aes256-cbc")
+    end
+
+    def test_aes256_cbc_for_decryption
+      assert_equal TEXT, decrypt("aes256-cbc", AES256)
+    end
+    
+    ARCFOUR128 = "\n\x90\xED*\xD4\xBE\xCBg5\xA5\a\xEC]\x97\xB7L\x06)6\x12FL\x90@\xF4Sqxqh\r\x11\x1Aq \xC8\xE6v\xC6\x12\xD9<A\xDAZ\xFE\x7F\x88\x19f.\x06\xA7\xFE:\xFF\x93\x9B\x8D\xA0\\\x9E\xCA\x03\x15\xE1\xE2\f\xC0\b\xA2C\xE1\xBD\xB6\x13D\xD1\xB4'g\x89\xDC\xEB\f\x19Z)U"
+
+    def test_arcfour128_for_encryption
+      assert_equal ARCFOUR128, encrypt("arcfour128")
+    end
+    
+    def test_arcfour128_for_decryption
+      assert_equal TEXT, decrypt("arcfour128", ARCFOUR128)
+    end
+    
+    ARCFOUR256 = "|g\xCCw\xF5\xC1y\xEB\xF0\v\xF7\x83\x14\x03\xC8\xAB\xE8\xC2\xFCY\xDC,\xB8\xD4dVa\x8B\x18%\xA4S\x00\xE0at\x86\xE8\xA6W\xAB\xD2\x9D\xA8\xDE[g\aZy.\xFB\xFC\x82c\x04h\f\xBFYq\xB7U\x80\x0EG\x91\x88\xDF\xA3\xA2\xFA(\xEC\xDB\xA4\xE7\xFE)\x12u\xAF\x0EZ\xA0\xBA\x97\n\xFC"
+
+    def test_arcfour256_for_encryption
+      assert_equal ARCFOUR256, encrypt("arcfour256")
+    end
+    
+    def test_arcfour256_for_decryption
+      assert_equal TEXT, decrypt("arcfour256", ARCFOUR256)
+    end
+    
+    ARCFOUR512 = "|8\"v\xE7\xE3\b\xA8\x19\x9Aa\xB6Vv\x00\x11\x8A$C\xB6xE\xEF\xF1j\x90\xA8\xFA\x10\xE4\xA1b8\xF6\x04\xF2+\xC0\xD1(8\xEBT]\xB0\xF3/\xD9\xE0@\x83\a\x93\x9D\xCA\x04RXS\xB7A\x0Fj\x94\bE\xEB\x84j\xB4\xDF\nU\xF7\x83o\n\xE8\xF9\x01{jH\xEE\xCDQym\x9E"
+
+    def test_arcfour512_for_encryption
+      assert_equal ARCFOUR512, encrypt("arcfour512")
+    end
+    
+    def test_arcfour512_for_decryption
+      assert_equal TEXT, decrypt("arcfour512", ARCFOUR512)
+    end
+    
+    def test_none_for_encryption
+      assert_equal TEXT, encrypt("none").strip
+    end
+
+    def test_none_for_decryption
+      assert_equal TEXT, decrypt("none", TEXT)
+    end
+    
+    private
+
+      TEXT = "But soft! What light through yonder window breaks? It is the east, and Juliet is the sun!"
+
+      OPTIONS = { :iv => "ABC",
+        :key => "abc",
+        :digester => OpenSSL::Digest::MD5,
+        :shared => "1234567890123456780",
+        :hash => '!@#$%#$^%$&^&%#$@$'
+      }
+
+      def factory
+        Net::SSH::Transport::CipherFactory
+      end
+
+      def encrypt(type)
+        cipher = factory.get(type, OPTIONS.merge(:encrypt => true))
+        padding = TEXT.length % cipher.block_size
+        result = cipher.update(TEXT.dup)
+        result << cipher.update(" " * (cipher.block_size - padding)) if padding > 0
+        result << cipher.final
+      end
+
+      def decrypt(type, data)
+        cipher = factory.get(type, OPTIONS.merge(:decrypt => true))
+        result = cipher.update(data.dup)
+        result << cipher.final
+        result.strip
+      end
+  end
+
+end