authorMiklós Fazekas <mfazekas@szemafor.com>2020-04-24 18:17:09 +0200
committerGitHub <noreply@github.com>2020-04-24 18:17:09 +0200
commit9bed3c7f210ac5de54e6b787cce8498f10ce5c79 (patch)
tree828b50dfa472a0f4668e18ee0e8fbe2bddf42d00
parentf6dda96a5fe4741e2957e0ec879d229fca6f3b53 (diff)
parentc457c06394c8e182c9b213fa7a2738c37bd47f7d (diff)
Merge pull request #751 from maxfierke/mf-support_algo_subtraction
Support algorithm subtraction syntax from ssh_config
-rw-r--r--lib/net/ssh/transport/algorithms.rb20
-rw-r--r--test/transport/test_algorithms.rb39
2 files changed, 55 insertions, 4 deletions
diff --git a/lib/net/ssh/transport/algorithms.rb b/lib/net/ssh/transport/algorithms.rb
index 35d9ec6..c03c92a 100644
--- a/lib/net/ssh/transport/algorithms.rb
+++ b/lib/net/ssh/transport/algorithms.rb
@@ -291,10 +291,24 @@ module Net
list = []
option = Array(option).compact.uniq
- if option.first && option.first.start_with?('+')
+ if option.first && option.first.start_with?('+', '-')
list = supported.dup
- list << option.first[1..-1]
- list.concat(option[1..-1])
+
+ appends = option.select { |opt| opt.start_with?('+') }.map { |opt| opt[1..-1] }
+ deletions = option.select { |opt| opt.start_with?('-') }.map { |opt| opt[1..-1] }
+
+ list.concat(appends)
+
+ deletions.each do |opt|
+ if opt.include?('*')
+ opt_escaped = Regexp.escape(opt)
+ algo_re = /\A#{opt_escaped.gsub('\*', '[A-Za-z\d\-@\.]*')}\z/
+ list.delete_if { |existing_opt| algo_re.match(existing_opt) }
+ else
+ list.delete(opt)
+ end
+ end
+
list.uniq!
else
list = option
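Review bot: Entries without a `+`/`-` prefix are now silently discarded whenever the first entry has one, because `appends` and `deletions` are built only from prefixed items, while the removed `list.concat(option[1..-1])` kept the remainder as-is. The dispatch still looks only at `option.first`, so a list such as `%w[aes256-ctr -*-cbc]` takes the `else` branch and the removal is never applied as one. A `-` pattern that matches nothing is equally silent, so a typo in an entry meant to drop a weak algorithm leaves it offered. Since this list decides what is negotiated, I would reject or at least report these cases, e.g. `raise ArgumentError, "cannot mix prefixed and plain algorithm names" unless option.all? { |o| o.start_with?('+', '-') }` at the top of the branch. The enclosing method starts and ends outside the hunk.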
diff --git a/test/transport/test_algorithms.rb b/test/transport/test_algorithms.rb
index 83ea6b0..9f56d05 100644
--- a/test/transport/test_algorithms.rb
+++ b/test/transport/test_algorithms.rb
@@ -99,6 +99,16 @@ module Transport
algorithms(kex: %w[bogus diffie-hellman-group1-sha1], append_all_supported_algorithms: true)[:kex]
end
+ def test_constructor_with_preferred_kex_supports_additions
+ assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1],
+ algorithms(kex: %w[+diffie-hellman-group1-sha1])[:kex]
+ end
+
+ def test_constructor_with_preferred_kex_supports_removals_with_wildcard
+ assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256],
+ algorithms(kex: %w[-diffie-hellman-group*-sha1 -diffie-hellman-group-exchange-sha1])[:kex]
+ end
+
def test_constructor_with_preferred_encryption_should_put_preferred_encryption_first
assert_equal %w[aes256-cbc aes256-ctr aes192-ctr aes128-ctr aes192-cbc aes128-cbc rijndael-cbc@lysator.liu.se blowfish-ctr blowfish-cbc cast128-ctr cast128-cbc 3des-ctr 3des-cbc idea-cbc none], algorithms(encryption: "aes256-cbc", append_all_supported_algorithms: true)[:encryption]
end
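Review bot: The new tests only exercise well-formed lists, so none of them pins what happens for a list that mixes prefixed and plain names, or for a `-` pattern that matches no algorithm; the same gap applies to the encryption, hmac and host_key hunks below. Those are the inputs where a configuration mistake leaves a weak algorithm enabled without any signal. A case such as `algorithms(kex: %w[-no-such-kex*])[:kex]` (constructed name) with the expected outcome written down would make the intended behaviour explicit.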
@@ -111,6 +121,19 @@ module Transport
assert_equal %w[aes256-cbc aes256-ctr aes192-ctr aes128-ctr aes192-cbc aes128-cbc rijndael-cbc@lysator.liu.se blowfish-ctr blowfish-cbc cast128-ctr cast128-cbc 3des-ctr 3des-cbc idea-cbc none], algorithms(encryption: %w[bogus aes256-cbc], append_all_supported_algorithms: true)[:encryption]
end
+ def test_constructor_with_preferred_encryption_supports_additions
+ # There's nothing we can really append to the set since the default algos
+ # are frozen so this is really just testing that it doesn't do anything
+ # unexpected.
+ assert_equal %w[aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc rijndael-cbc@lysator.liu.se blowfish-ctr blowfish-cbc cast128-ctr cast128-cbc 3des-ctr 3des-cbc idea-cbc none],
+ algorithms(encryption: %w[+3des-cbc])[:encryption]
+ end
+
+ def test_constructor_with_preferred_encryption_supports_removals_with_wildcard
+ assert_equal %w[aes256-ctr aes192-ctr aes128-ctr cast128-ctr],
+ algorithms(encryption: %w[-rijndael-cbc@lysator.liu.se -blowfish-* -3des-* -*-cbc -none])[:encryption]
+ end
+
def test_constructor_with_preferred_hmac_should_put_preferred_hmac_first
assert_equal %w[hmac-md5-96 hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha2-512-96 hmac-sha2-256-96 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 none hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com], algorithms(hmac: "hmac-md5-96", append_all_supported_algorithms: true)[:hmac]
end
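Review bot: The expected list in `test_constructor_with_preferred_encryption_supports_additions` contains `none` and the legacy CBC ciphers, the same fifteen names that the `append_all_supported_algorithms: true` tests in this file expect, so a single `+3des-cbc` yields the whole supported set. That follows from `list = supported.dup` in algorithms.rb, and the comment above the assertion ("nothing we can really append") does not say so. If the defaults used without any option are narrower (not visible here), a prefixed entry widens what is offered, which differs from ssh_config where `+`/`-` modify the default set. I would state this in the comment, e.g. `# '+'/'-' entries start from every supported algorithm, including 'none'`, or assert the narrower result if that is the intent.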
@@ -124,6 +147,16 @@ module Transport
algorithms(hmac: "unknown hmac-md5-96", append_all_supported_algorithms: true)[:hmac]
end
+ def test_constructor_with_preferred_hmac_supports_additions
+ assert_equal %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha2-512-96 hmac-sha2-256-96 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 hmac-md5-96],
+ algorithms(hmac: %w[+hmac-md5-96 -none])[:hmac]
+ end
+
+ def test_constructor_with_preferred_hmac_supports_removals_with_wildcard
+ assert_equal %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha2-512-96 hmac-sha2-256-96 hmac-ripemd160 hmac-ripemd160@openssh.com],
+ algorithms(hmac: %w[-hmac-sha1* -hmac-md5* -none])[:hmac]
+ end
+
def test_constructor_with_preferred_compression_should_put_preferred_compression_first
assert_equal %w[zlib none zlib@openssh.com], algorithms(compression: "zlib", append_all_supported_algorithms: true)[:compression]
end
@@ -143,11 +176,15 @@ module Transport
assert_equal %w[none zlib zlib@openssh.com], algorithms(compression: %w[bogus none zlib], append_all_supported_algorithms: true)[:compression]
end
- def test_constructor_with_append_to_default
+ def test_constructor_with_host_key_append_to_default
default_host_keys = Net::SSH::Transport::Algorithms::ALGORITHMS[:host_key]
assert_equal default_host_keys, algorithms(host_key: '+ssh-dss')[:host_key]
end
+ def test_constructor_with_host_key_removals_with_wildcard
+ assert_equal ed_host_keys + %w[ecdsa-sha2-nistp521-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp521 ecdsa-sha2-nistp384 ecdsa-sha2-nistp256], algorithms(host_key: %w[-ssh-rsa* -ssh-dss])[:host_key]
+ end
+
def test_initial_state_should_be_neither_pending_nor_initialized
assert !algorithms.pending?
assert !algorithms.initialized?