
removed unimplemented hmac and host_key algorithms from the defaults; unimplemented algorithms in a user preference list now warn instead of failing
mfazekas committed Oct 3, 2014
1 parent 25ac698 commit b7dd7ea
Showing 2 changed files with 43 additions and 46 deletions.
18 changes: 10 additions & 8 deletions lib/net/ssh/transport/algorithms.rb
Expand Up @@ -44,22 +44,19 @@ class Algorithms
cast128-ctr blowfish-ctr 3des-ctr
aes256-gcm@openssh.com aes128-gcm@openssh.com
),

:hmac => %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96
hmac-ripemd160 hmac-ripemd160@openssh.com
hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96
hmac-sha2-512-96 none
hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com
umac-128-etm@openssh.com),
hmac-sha2-512-96 none),

:compression => %w(none zlib@openssh.com zlib),
:language => %w()
}
if defined?(OpenSSL::PKey::EC)
ALGORITHMS[:host_key] += %w(ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-ed25519-cert-v01@openssh.com
ssh-ed25519)
ecdsa-sha2-nistp521)
ALGORITHMS[:kex] += %w(ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
Expand Down Expand Up @@ -221,8 +218,13 @@ def prepare_preferred_algorithms!
# apply the preferred algorithm order, if any
if options[algorithm]
algorithms[algorithm] = Array(options[algorithm]).compact.uniq
invalid = algorithms[algorithm].detect { |name| !ALGORITHMS[algorithm].include?(name) }
raise NotImplementedError, "unsupported #{algorithm} algorithm: `#{invalid}'" if invalid
unsupported = []
algorithms[algorithm].select! do |name|
supported = ALGORITHMS[algorithm].include?(name)
unsupported << name unless supported
supported
end
lwarn { "unsupported #{algorithm} algorithm: `#{unsupported}'" } unless unsupported.empty?

# make sure all of our supported algorithms are tacked onto the
# end, so that if the user tries to give a list of which none are
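Review bot: The new `select!` block in `prepare_preferred_algorithms!` turns a fail-closed check into a fail-open one: a preference list whose entries are all unsupported (a typo, or the `-etm@openssh.com` MACs this commit drops from the defaults) now leaves an empty user list, and the context just below ("make sure all of our supported algorithms are tacked onto the end") then fills it with the full default set — which, as the `:hmac` list in this hunk shows, includes `hmac-md5` and `none` — with only an `lwarn` as evidence. An operator who set `:hmac` or `:encryption` specifically to pin strong algorithms would get the defaults negotiated instead of an error. I would keep the warning for partially supported lists but still refuse when nothing survived the filter: `raise NotImplementedError, "no supported #{algorithm} algorithm in #{unsupported.join(', ')}" if algorithms[algorithm].empty?`. Also, `"`#{unsupported}'"` interpolates an Array as its `inspect` form (`["bogus"]`); `unsupported.join(', ')` reads better in logs. `prepare_preferred_algorithms!` begins above this hunk and continues past it.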
71 changes: 33 additions & 38 deletions test/transport/test_algorithms.rb
Expand Up @@ -17,16 +17,11 @@ def test_allowed_packets
end

def test_constructor_should_build_default_list_of_preferred_algorithms
if defined?(OpenSSL::PKey::EC)
assert_equal %w(ssh-rsa ssh-dss ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519-cert-v01@openssh.com ssh-ed25519), algorithms[:host_key]
assert_equal %w(diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256@libssh.org), algorithms[:kex]
else
assert_equal %w(ssh-rsa ssh-dss ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com), algorithms[:host_key]
assert_equal %w(diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256 aes256-gcm@openssh.com aes128-gcm@openssh.com), algorithms[:kex]
end
assert_equal %w(ssh-rsa ssh-dss ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com)+ec_host_keys, algorithms[:host_key]
assert_equal %w(diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256)+ec_kex, algorithms[:kex]
assert_equal %w(aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se idea-cbc none arcfour128 arcfour256 arcfour aes128-ctr aes192-ctr aes256-ctr camellia128-cbc camellia192-cbc camellia256-cbc camellia128-cbc@openssh.org camellia192-cbc@openssh.org camellia256-cbc@openssh.org camellia128-ctr camellia192-ctr camellia256-ctr camellia128-ctr@openssh.org camellia192-ctr@openssh.org camellia256-ctr@openssh.org cast128-ctr blowfish-ctr 3des-ctr aes256-gcm@openssh.com aes128-gcm@openssh.com), algorithms[:encryption]
if defined?(OpenSSL::Digest::SHA256)
assert_equal %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com), algorithms[:hmac]
assert_equal %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none), algorithms[:hmac]
else
assert_equal %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com none umac-128-etm@openssh.com), algorithms[:hmac] end
assert_equal %w(none zlib@openssh.com zlib), algorithms[:compression]
Expand All @@ -41,36 +36,40 @@ def test_constructor_should_set_client_and_server_prefs_identically
end

def test_constructor_with_preferred_host_key_type_should_put_preferred_host_key_type_first
if defined?(OpenSSL::PKey::EC)
assert_equal %w(ssh-dss ssh-rsa ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519-cert-v01@openssh.com ssh-ed25519), algorithms(:host_key => "ssh-dss")[:host_key]
else
assert_equal %w(ssh-dss ssh-rsa ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com), algorithms(:host_key => "ssh-dss")[:host_key]
end
assert_equal %w(ssh-dss ssh-rsa ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com)+ec_host_keys, algorithms(:host_key => "ssh-dss")[:host_key]
end

def test_constructor_with_known_hosts_reporting_known_host_key_should_use_that_host_key_type
Net::SSH::KnownHosts.expects(:search_for).with("net.ssh.test,127.0.0.1", {}).returns([stub("key", :ssh_type => "ssh-dss")])
assert_equal %w(ssh-dss ssh-rsa ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com )+ec_host_keys, algorithms[:host_key]
end

def ec_host_keys
if defined?(OpenSSL::PKey::EC)
assert_equal %w(ssh-dss ssh-rsa ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519-cert-v01@openssh.com ssh-ed25519), algorithms[:host_key]
%w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)
else
assert_equal %w(ssh-dss ssh-rsa), algorithms[:host_key]
[]
end
end

def test_constructor_with_unrecognized_host_key_type_should_raise_exception
assert_raises(NotImplementedError) { algorithms(:host_key => "bogus") }
def test_constructor_with_unrecognized_host_key_type_should_return_whats_supported
assert_equal %w(ssh-rsa ssh-dss ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com )+ec_host_keys, algorithms(:host_key => "bogus ssh-rsa")[:host_key]
end

def test_constructor_with_preferred_kex_should_put_preferred_kex_first
def ec_kex
if defined?(OpenSSL::PKey::EC)
assert_equal %w(diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256@libssh.org), algorithms(:kex => "diffie-hellman-group1-sha1")[:kex]
%w(ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256@libssh.org)
else
assert_equal %w(diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256), algorithms(:kex => "diffie-hellman-group1-sha1")[:kex]
[]
end
end

def test_constructor_with_preferred_kex_should_put_preferred_kex_first
assert_equal %w(diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256)+ec_kex, algorithms(:kex => "diffie-hellman-group1-sha1")[:kex]
end

def test_constructor_with_unrecognized_kex_should_raise_exception
assert_raises(NotImplementedError) { algorithms(:kex => "bogus") }
assert_equal %w(diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256)+ec_kex, algorithms(:kex => %w(bogus diffie-hellman-group1-sha1))[:kex]
end

def test_constructor_with_preferred_encryption_should_put_preferred_encryption_first
Expand All @@ -81,20 +80,21 @@ def test_constructor_with_multiple_preferred_encryption_should_put_all_preferred
assert_equal %w(aes256-cbc 3des-cbc idea-cbc aes128-cbc blowfish-cbc cast128-cbc aes192-cbc rijndael-cbc@lysator.liu.se none arcfour128 arcfour256 arcfour aes128-ctr aes192-ctr aes256-ctr camellia128-cbc camellia192-cbc camellia256-cbc camellia128-cbc@openssh.org camellia192-cbc@openssh.org camellia256-cbc@openssh.org camellia128-ctr camellia192-ctr camellia256-ctr camellia128-ctr@openssh.org camellia192-ctr@openssh.org camellia256-ctr@openssh.org cast128-ctr blowfish-ctr 3des-ctr aes256-gcm@openssh.com aes128-gcm@openssh.com), algorithms(:encryption => %w(aes256-cbc 3des-cbc idea-cbc))[:encryption]
end

def test_constructor_with_unrecognized_encryption_should_raise_exception
assert_raises(NotImplementedError) { algorithms(:encryption => "bogus") }
def test_constructor_with_unrecognized_encryption_should_keep_whats_supported
assert_equal %w(aes256-cbc aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc rijndael-cbc@lysator.liu.se idea-cbc none arcfour128 arcfour256 arcfour aes128-ctr aes192-ctr aes256-ctr camellia128-cbc camellia192-cbc camellia256-cbc camellia128-cbc@openssh.org camellia192-cbc@openssh.org camellia256-cbc@openssh.org camellia128-ctr camellia192-ctr camellia256-ctr camellia128-ctr@openssh.org camellia192-ctr@openssh.org camellia256-ctr@openssh.org cast128-ctr blowfish-ctr 3des-ctr aes256-gcm@openssh.com aes128-gcm@openssh.com), algorithms(:encryption => %w(bogus aes256-cbc))[:encryption]
end

def test_constructor_with_preferred_hmac_should_put_preferred_hmac_first
assert_equal %w(hmac-md5-96 hmac-sha1 hmac-md5 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com), algorithms(:hmac => "hmac-md5-96")[:hmac]
assert_equal %w(hmac-md5-96 hmac-sha1 hmac-md5 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none), algorithms(:hmac => "hmac-md5-96")[:hmac]
end

def test_constructor_with_multiple_preferred_hmac_should_put_all_preferred_hmac_first
assert_equal %w(hmac-md5-96 hmac-sha1-96 hmac-sha1 hmac-md5 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com), algorithms(:hmac => %w(hmac-md5-96 hmac-sha1-96))[:hmac]
assert_equal %w(hmac-md5-96 hmac-sha1-96 hmac-sha1 hmac-md5 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none), algorithms(:hmac => %w(hmac-md5-96 hmac-sha1-96))[:hmac]
end

def test_constructor_with_unrecognized_hmac_should_raise_exception
assert_raises(NotImplementedError) { algorithms(:hmac => "bogus") }
def test_constructor_with_unrecognized_hmac_should_ignore_those
assert_equal %w(hmac-md5-96 hmac-sha1 hmac-md5 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none),
algorithms(:hmac => "hmac-md5-96")[:hmac]
end

def test_constructor_with_preferred_compression_should_put_preferred_compression_first
Expand All @@ -109,8 +109,8 @@ def test_constructor_with_general_preferred_compression_should_put_none_last
assert_equal %w(zlib@openssh.com zlib none), algorithms(:compression => true)[:compression]
end

def test_constructor_with_unrecognized_compression_should_raise_exception
assert_raises(NotImplementedError) { algorithms(:compression => "bogus") }
def test_constructor_with_unrecognized_compression_should_return_whats_supported
assert_equal %w(none zlib zlib@openssh.com), algorithms(:compression => %w(bogus none zlib))[:compression]
end

def test_initial_state_should_be_neither_pending_nor_initialized
Expand Down Expand Up @@ -288,17 +288,12 @@ def kexinit(options={})
def assert_kexinit(buffer, options={})
assert_equal KEXINIT, buffer.type
assert_equal 16, buffer.read(16).length
if defined?(OpenSSL::PKey::EC)
assert_equal options[:kex] || "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256@libssh.org", buffer.read_string
assert_equal options[:host_key] || "ssh-rsa,ssh-dss,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-ed25519", buffer.read_string
else
assert_equal options[:kex] || "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256", buffer.read_string
assert_equal options[:host_key] || "ssh-rsa,ssh-dss", buffer.read_string
end
assert_equal options[:kex] || (%w(diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256)+ec_kex).join(','), buffer.read_string
assert_equal options[:host_key] || (%w(ssh-rsa ssh-dss ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com)+ec_host_keys).join(','), buffer.read_string
assert_equal options[:encryption_client] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc,none,arcfour128,arcfour256,arcfour,aes128-ctr,aes192-ctr,aes256-ctr,camellia128-cbc,camellia192-cbc,camellia256-cbc,camellia128-cbc@openssh.org,camellia192-cbc@openssh.org,camellia256-cbc@openssh.org,camellia128-ctr,camellia192-ctr,camellia256-ctr,camellia128-ctr@openssh.org,camellia192-ctr@openssh.org,camellia256-ctr@openssh.org,cast128-ctr,blowfish-ctr,3des-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com", buffer.read_string
assert_equal options[:encryption_server] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc,none,arcfour128,arcfour256,arcfour,aes128-ctr,aes192-ctr,aes256-ctr,camellia128-cbc,camellia192-cbc,camellia256-cbc,camellia128-cbc@openssh.org,camellia192-cbc@openssh.org,camellia256-cbc@openssh.org,camellia128-ctr,camellia192-ctr,camellia256-ctr,camellia128-ctr@openssh.org,camellia192-ctr@openssh.org,camellia256-ctr@openssh.org,cast128-ctr,blowfish-ctr,3des-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com", buffer.read_string
assert_equal options[:hmac_client] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-512-96,none,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com", buffer.read_string
assert_equal options[:hmac_server] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-512-96,none,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com", buffer.read_string
assert_equal options[:hmac_client] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-512-96,none", buffer.read_string
assert_equal options[:hmac_server] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-512-96,none", buffer.read_string
assert_equal options[:compression_client] || "none,zlib@openssh.com,zlib", buffer.read_string
assert_equal options[:compression_server] || "none,zlib@openssh.com,zlib", buffer.read_string
assert_equal options[:language_client] || "", buffer.read_string
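Review bot: `test_constructor_with_unrecognized_hmac_should_ignore_those` never passes an unrecognized name — its only input is `hmac-md5-96`, so it duplicates the preferred-hmac test above it and the new filter-and-warn path is left untested for `:hmac`, unlike the host_key, kex, encryption and compression siblings that feed `bogus`. Change the call to `algorithms(:hmac => %w(bogus hmac-md5-96))[:hmac]` so it matches them. Separately, the unchanged `else` branch of `test_constructor_should_build_default_list_of_preferred_algorithms` still expects `umac-128-etm@openssh.com` in `algorithms[:hmac]` although this commit removes it from `ALGORITHMS[:hmac]`; that branch presumably only runs on a Ruby without `OpenSSL::Digest::SHA256`, which would be why it goes unnoticed. The hunks here are excerpts of the test class; its header and several sibling methods lie outside them.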
