diff options
author | Richard Schwab <richard.schwab@valtech.com> | 2021-01-16 00:31:22 +0100 |
---|---|---|
committer | Miklós Fazekas <mfazekas@szemafor.com> | 2021-03-15 09:49:16 +0100 |
commit | ca6d954ae0627570f2efed2bcabb582f27d385ea (patch) | |
tree | c2a9f69485d661c51d2b37fd763420fdd33ef2f6 | |
parent | c6a21e5f0a9f0bc92e9c4eb0e17af40d175a97a5 (diff) | |
download | net-ssh-ca6d954ae0627570f2efed2bcabb582f27d385ea.tar.gz |
Add support for diffie-hellman-group14-sha256, fixes #794mfazekas/diffie-hellman-group14-sha256
-rw-r--r-- | lib/net/ssh/transport/algorithms.rb | 1 | ||||
-rw-r--r-- | lib/net/ssh/transport/kex.rb | 2 | ||||
-rw-r--r-- | lib/net/ssh/transport/kex/diffie_hellman_group14_sha256.rb | 11 | ||||
-rw-r--r-- | test/transport/kex/test_diffie_hellman_group14_sha1.rb | 4 | ||||
-rw-r--r-- | test/transport/kex/test_diffie_hellman_group14_sha256.rb | 17 | ||||
-rw-r--r-- | test/transport/kex/test_diffie_hellman_group1_sha1.rb | 2 | ||||
-rw-r--r-- | test/transport/test_algorithms.rb | 16 |
7 files changed, 42 insertions, 11 deletions
diff --git a/lib/net/ssh/transport/algorithms.rb b/lib/net/ssh/transport/algorithms.rb index 9ab87b6..7408d40 100644 --- a/lib/net/ssh/transport/algorithms.rb +++ b/lib/net/ssh/transport/algorithms.rb @@ -41,6 +41,7 @@ module Net ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group-exchange-sha256 + diffie-hellman-group14-sha256 diffie-hellman-group14-sha1], encryption: %w[aes256-ctr aes192-ctr aes128-ctr], diff --git a/lib/net/ssh/transport/kex.rb b/lib/net/ssh/transport/kex.rb index b3571c3..a43d713 100644 --- a/lib/net/ssh/transport/kex.rb +++ b/lib/net/ssh/transport/kex.rb @@ -1,5 +1,6 @@ require 'net/ssh/transport/kex/diffie_hellman_group1_sha1' require 'net/ssh/transport/kex/diffie_hellman_group14_sha1' +require 'net/ssh/transport/kex/diffie_hellman_group14_sha256' require 'net/ssh/transport/kex/diffie_hellman_group_exchange_sha1' require 'net/ssh/transport/kex/diffie_hellman_group_exchange_sha256' require 'net/ssh/transport/kex/ecdh_sha2_nistp256' @@ -14,6 +15,7 @@ module Net::SSH::Transport MAP = { 'diffie-hellman-group1-sha1' => DiffieHellmanGroup1SHA1, 'diffie-hellman-group14-sha1' => DiffieHellmanGroup14SHA1, + 'diffie-hellman-group14-sha256' => DiffieHellmanGroup14SHA256, 'diffie-hellman-group-exchange-sha1' => DiffieHellmanGroupExchangeSHA1, 'diffie-hellman-group-exchange-sha256' => DiffieHellmanGroupExchangeSHA256, 'ecdh-sha2-nistp256' => EcdhSHA2NistP256, diff --git a/lib/net/ssh/transport/kex/diffie_hellman_group14_sha256.rb b/lib/net/ssh/transport/kex/diffie_hellman_group14_sha256.rb new file mode 100644 index 0000000..7fd985a --- /dev/null +++ b/lib/net/ssh/transport/kex/diffie_hellman_group14_sha256.rb @@ -0,0 +1,11 @@ +require 'net/ssh/transport/kex/diffie_hellman_group14_sha1' + +module Net::SSH::Transport::Kex + # A key-exchange service implementing the "diffie-hellman-group14-sha256" + # key-exchange algorithm. + class DiffieHellmanGroup14SHA256 < DiffieHellmanGroup14SHA1 + def digester + OpenSSL::Digest::SHA256 + end + end +end diff --git a/test/transport/kex/test_diffie_hellman_group14_sha1.rb b/test/transport/kex/test_diffie_hellman_group14_sha1.rb index 5d006e1..6d5f8f8 100644 --- a/test/transport/kex/test_diffie_hellman_group14_sha1.rb +++ b/test/transport/kex/test_diffie_hellman_group14_sha1.rb @@ -1,6 +1,6 @@ -require 'common' +require_relative '../../common' require 'net/ssh/transport/kex/diffie_hellman_group14_sha1' -require 'transport/kex/test_diffie_hellman_group1_sha1' +require_relative './test_diffie_hellman_group1_sha1' require 'ostruct' module Transport diff --git a/test/transport/kex/test_diffie_hellman_group14_sha256.rb b/test/transport/kex/test_diffie_hellman_group14_sha256.rb new file mode 100644 index 0000000..a64f2f1 --- /dev/null +++ b/test/transport/kex/test_diffie_hellman_group14_sha256.rb @@ -0,0 +1,17 @@ +require_relative '../../common' +require_relative './test_diffie_hellman_group14_sha1' + +module Transport + module Kex + + class TestDiffieHellmanGroup14SHA256 < TestDiffieHellmanGroup14SHA1 + def subject + Net::SSH::Transport::Kex::DiffieHellmanGroup14SHA256 + end + + def digest_type + OpenSSL::Digest::SHA256 + end + end + end +end diff --git a/test/transport/kex/test_diffie_hellman_group1_sha1.rb b/test/transport/kex/test_diffie_hellman_group1_sha1.rb index be51720..60042c2 100644 --- a/test/transport/kex/test_diffie_hellman_group1_sha1.rb +++ b/test/transport/kex/test_diffie_hellman_group1_sha1.rb @@ -151,7 +151,7 @@ module Transport :bignum, dh.dh.pub_key, :bignum, server_dh_pubkey, :bignum, shared_secret) - OpenSSL::Digest::SHA1.digest(buffer.to_s) + digest_type.digest(buffer.to_s) end end diff --git a/test/transport/test_algorithms.rb b/test/transport/test_algorithms.rb index aac8b9a..53262a1 100644 --- a/test/transport/test_algorithms.rb +++ b/test/transport/test_algorithms.rb @@ -19,7 +19,7 @@ module Transport def test_constructor_should_build_default_list_of_preferred_algorithms assert_equal ed_ec_host_keys + %w[ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512], algorithms[:host_key] - assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1], algorithms[:kex] + assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1], algorithms[:kex] assert_equal %w[aes256-ctr aes192-ctr aes128-ctr], algorithms[:encryption] assert_equal %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1], algorithms[:hmac] assert_equal %w[none zlib@openssh.com zlib], algorithms[:compression] @@ -28,7 +28,7 @@ module Transport def test_constructor_should_build_complete_list_of_algorithms_with_append_all_supported_algorithms assert_equal ed_ec_host_keys + %w[ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512 ssh-dss], algorithms(append_all_supported_algorithms: true)[:host_key] - assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1], algorithms(append_all_supported_algorithms: true)[:kex] + assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1], algorithms(append_all_supported_algorithms: true)[:kex] assert_equal %w[aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc rijndael-cbc@lysator.liu.se blowfish-ctr blowfish-cbc cast128-ctr cast128-cbc 3des-ctr 3des-cbc idea-cbc none], algorithms(append_all_supported_algorithms: true)[:encryption] assert_equal %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha2-512-96 hmac-sha2-256-96 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 hmac-md5-96 none], algorithms(append_all_supported_algorithms: true)[:hmac] assert_equal %w[none zlib@openssh.com zlib], algorithms(append_all_supported_algorithms: true)[:compression] @@ -90,22 +90,22 @@ module Transport end def test_constructor_with_preferred_kex_should_put_preferred_kex_first - assert_equal %w[diffie-hellman-group1-sha1] + x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1], + assert_equal %w[diffie-hellman-group1-sha1] + x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1], algorithms(kex: "diffie-hellman-group1-sha1", append_all_supported_algorithms: true)[:kex] end def test_constructor_with_unrecognized_kex_should_not_raise_exception - assert_equal %w[diffie-hellman-group1-sha1] + x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1], + assert_equal %w[diffie-hellman-group1-sha1] + x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1], algorithms(kex: %w[bogus diffie-hellman-group1-sha1], append_all_supported_algorithms: true)[:kex] end def test_constructor_with_preferred_kex_supports_additions - assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1], + assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1], algorithms(kex: %w[+diffie-hellman-group1-sha1])[:kex] end def test_constructor_with_preferred_kex_supports_removals_with_wildcard - assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256], + assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256], algorithms(kex: %w[-diffie-hellman-group*-sha1 -diffie-hellman-group-exchange-sha1])[:kex] end @@ -390,7 +390,7 @@ module Transport def kexinit(options={}) @kexinit ||= P(:byte, KEXINIT, :long, rand(0xFFFFFFFF), :long, rand(0xFFFFFFFF), :long, rand(0xFFFFFFFF), :long, rand(0xFFFFFFFF), - :string, options[:kex] || "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1", + :string, options[:kex] || "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1", :string, options[:host_key] || "ssh-rsa,ssh-dss", :string, options[:encryption_client] || "aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc", :string, options[:encryption_server] || "aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc", @@ -406,7 +406,7 @@ module Transport def assert_kexinit(buffer, options={}) assert_equal KEXINIT, buffer.type assert_equal 16, buffer.read(16).length - assert_equal options[:kex] || (x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1]).join(','), buffer.read_string + assert_equal options[:kex] || (x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1]).join(','), buffer.read_string assert_equal options[:host_key] || (ed_ec_host_keys + %w[ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512]).join(','), buffer.read_string assert_equal options[:encryption_client] || 'aes256-ctr,aes192-ctr,aes128-ctr', buffer.read_string assert_equal options[:encryption_server] || 'aes256-ctr,aes192-ctr,aes128-ctr', buffer.read_string |