diff options
author | Miklos Fazkeas <mfazekas@szemafor.com> | 2014-10-03 10:15:47 +0200 |
---|---|---|
committer | Miklos Fazkeas <mfazekas@szemafor.com> | 2014-10-03 10:15:47 +0200 |
commit | b7dd7ea6dc045934f6e9aa13498ec2f63af23515 (patch) | |
tree | d75af039dce0cebeb5d010e71006fab47b477147 | |
parent | 25ac6987c922c462af0611f2e570f2c971879143 (diff) | |
download | net-ssh-b7dd7ea6dc045934f6e9aa13498ec2f63af23515.tar.gz |
removed unimplemented hmac, host_key and we now warn instead of fail for unimplemented algs
-rw-r--r-- | lib/net/ssh/transport/algorithms.rb | 18 | ||||
-rw-r--r-- | test/transport/test_algorithms.rb | 71 |
2 files changed, 43 insertions, 46 deletions
diff --git a/lib/net/ssh/transport/algorithms.rb b/lib/net/ssh/transport/algorithms.rb index f4aec2f..cf6f523 100644 --- a/lib/net/ssh/transport/algorithms.rb +++ b/lib/net/ssh/transport/algorithms.rb @@ -44,12 +44,11 @@ module Net; module SSH; module Transport cast128-ctr blowfish-ctr 3des-ctr aes256-gcm@openssh.com aes128-gcm@openssh.com ), + :hmac => %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 - hmac-sha2-512-96 none - hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com - umac-128-etm@openssh.com), + hmac-sha2-512-96 none), :compression => %w(none zlib@openssh.com zlib), :language => %w() @@ -57,9 +56,7 @@ module Net; module SSH; module Transport if defined?(OpenSSL::PKey::EC) ALGORITHMS[:host_key] += %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 - ecdsa-sha2-nistp521 - ssh-ed25519-cert-v01@openssh.com - ssh-ed25519) + ecdsa-sha2-nistp521) ALGORITHMS[:kex] += %w(ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 @@ -221,8 +218,13 @@ module Net; module SSH; module Transport # apply the preferred algorithm order, if any if options[algorithm] algorithms[algorithm] = Array(options[algorithm]).compact.uniq - invalid = algorithms[algorithm].detect { |name| !ALGORITHMS[algorithm].include?(name) } - raise NotImplementedError, "unsupported #{algorithm} algorithm: `#{invalid}'" if invalid + unsupported = [] + algorithms[algorithm].select! do |name| + supported = ALGORITHMS[algorithm].include?(name) + unsupported << name unless supported + supported + end + lwarn { "unsupported #{algorithm} algorithm: `#{unsupported}'" } unless unsupported.empty? # make sure all of our supported algorithms are tacked onto the # end, so that if the user tries to give a list of which none are diff --git a/test/transport/test_algorithms.rb b/test/transport/test_algorithms.rb index 630c348..aacb0a4 100644 --- a/test/transport/test_algorithms.rb +++ b/test/transport/test_algorithms.rb @@ -17,16 +17,11 @@ module Transport end def test_constructor_should_build_default_list_of_preferred_algorithms - if defined?(OpenSSL::PKey::EC) - assert_equal %w(ssh-rsa ssh-dss ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519-cert-v01@openssh.com ssh-ed25519), algorithms[:host_key] - assert_equal %w(diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256@libssh.org), algorithms[:kex] - else - assert_equal %w(ssh-rsa ssh-dss ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com), algorithms[:host_key] - assert_equal %w(diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256 aes256-gcm@openssh.com aes128-gcm@openssh.com), algorithms[:kex] - end + assert_equal %w(ssh-rsa ssh-dss ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com)+ec_host_keys, algorithms[:host_key] + assert_equal %w(diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256)+ec_kex, algorithms[:kex] assert_equal %w(aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se idea-cbc none arcfour128 arcfour256 arcfour aes128-ctr aes192-ctr aes256-ctr camellia128-cbc camellia192-cbc camellia256-cbc camellia128-cbc@openssh.org camellia192-cbc@openssh.org camellia256-cbc@openssh.org camellia128-ctr camellia192-ctr camellia256-ctr camellia128-ctr@openssh.org camellia192-ctr@openssh.org camellia256-ctr@openssh.org cast128-ctr blowfish-ctr 3des-ctr aes256-gcm@openssh.com aes128-gcm@openssh.com), algorithms[:encryption] if defined?(OpenSSL::Digest::SHA256) - assert_equal %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com), algorithms[:hmac] + assert_equal %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none), algorithms[:hmac] else assert_equal %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com none umac-128-etm@openssh.com), algorithms[:hmac] end assert_equal %w(none zlib@openssh.com zlib), algorithms[:compression] @@ -41,36 +36,40 @@ module Transport end def test_constructor_with_preferred_host_key_type_should_put_preferred_host_key_type_first - if defined?(OpenSSL::PKey::EC) - assert_equal %w(ssh-dss ssh-rsa ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519-cert-v01@openssh.com ssh-ed25519), algorithms(:host_key => "ssh-dss")[:host_key] - else - assert_equal %w(ssh-dss ssh-rsa ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com), algorithms(:host_key => "ssh-dss")[:host_key] - end + assert_equal %w(ssh-dss ssh-rsa ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com)+ec_host_keys, algorithms(:host_key => "ssh-dss")[:host_key] end def test_constructor_with_known_hosts_reporting_known_host_key_should_use_that_host_key_type Net::SSH::KnownHosts.expects(:search_for).with("net.ssh.test,127.0.0.1", {}).returns([stub("key", :ssh_type => "ssh-dss")]) + assert_equal %w(ssh-dss ssh-rsa ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com )+ec_host_keys, algorithms[:host_key] + end + + def ec_host_keys if defined?(OpenSSL::PKey::EC) - assert_equal %w(ssh-dss ssh-rsa ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519-cert-v01@openssh.com ssh-ed25519), algorithms[:host_key] + %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521) else - assert_equal %w(ssh-dss ssh-rsa), algorithms[:host_key] + [] end end - def test_constructor_with_unrecognized_host_key_type_should_raise_exception - assert_raises(NotImplementedError) { algorithms(:host_key => "bogus") } + def test_constructor_with_unrecognized_host_key_type_should_return_whats_supported + assert_equal %w(ssh-rsa ssh-dss ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com )+ec_host_keys, algorithms(:host_key => "bogus ssh-rsa")[:host_key] end - def test_constructor_with_preferred_kex_should_put_preferred_kex_first + def ec_kex if defined?(OpenSSL::PKey::EC) - assert_equal %w(diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256@libssh.org), algorithms(:kex => "diffie-hellman-group1-sha1")[:kex] + %w(ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256@libssh.org) else - assert_equal %w(diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256), algorithms(:kex => "diffie-hellman-group1-sha1")[:kex] + [] end end + def test_constructor_with_preferred_kex_should_put_preferred_kex_first + assert_equal %w(diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256)+ec_kex, algorithms(:kex => "diffie-hellman-group1-sha1")[:kex] + end + def test_constructor_with_unrecognized_kex_should_raise_exception - assert_raises(NotImplementedError) { algorithms(:kex => "bogus") } + assert_equal %w(diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256)+ec_kex, algorithms(:kex => %w(bogus diffie-hellman-group1-sha1))[:kex] end def test_constructor_with_preferred_encryption_should_put_preferred_encryption_first @@ -81,20 +80,21 @@ module Transport assert_equal %w(aes256-cbc 3des-cbc idea-cbc aes128-cbc blowfish-cbc cast128-cbc aes192-cbc rijndael-cbc@lysator.liu.se none arcfour128 arcfour256 arcfour aes128-ctr aes192-ctr aes256-ctr camellia128-cbc camellia192-cbc camellia256-cbc camellia128-cbc@openssh.org camellia192-cbc@openssh.org camellia256-cbc@openssh.org camellia128-ctr camellia192-ctr camellia256-ctr camellia128-ctr@openssh.org camellia192-ctr@openssh.org camellia256-ctr@openssh.org cast128-ctr blowfish-ctr 3des-ctr aes256-gcm@openssh.com aes128-gcm@openssh.com), algorithms(:encryption => %w(aes256-cbc 3des-cbc idea-cbc))[:encryption] end - def test_constructor_with_unrecognized_encryption_should_raise_exception - assert_raises(NotImplementedError) { algorithms(:encryption => "bogus") } + def test_constructor_with_unrecognized_encryption_should_keep_whats_supported + assert_equal %w(aes256-cbc aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc rijndael-cbc@lysator.liu.se idea-cbc none arcfour128 arcfour256 arcfour aes128-ctr aes192-ctr aes256-ctr camellia128-cbc camellia192-cbc camellia256-cbc camellia128-cbc@openssh.org camellia192-cbc@openssh.org camellia256-cbc@openssh.org camellia128-ctr camellia192-ctr camellia256-ctr camellia128-ctr@openssh.org camellia192-ctr@openssh.org camellia256-ctr@openssh.org cast128-ctr blowfish-ctr 3des-ctr aes256-gcm@openssh.com aes128-gcm@openssh.com), algorithms(:encryption => %w(bogus aes256-cbc))[:encryption] end def test_constructor_with_preferred_hmac_should_put_preferred_hmac_first - assert_equal %w(hmac-md5-96 hmac-sha1 hmac-md5 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com), algorithms(:hmac => "hmac-md5-96")[:hmac] + assert_equal %w(hmac-md5-96 hmac-sha1 hmac-md5 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none), algorithms(:hmac => "hmac-md5-96")[:hmac] end def test_constructor_with_multiple_preferred_hmac_should_put_all_preferred_hmac_first - assert_equal %w(hmac-md5-96 hmac-sha1-96 hmac-sha1 hmac-md5 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com), algorithms(:hmac => %w(hmac-md5-96 hmac-sha1-96))[:hmac] + assert_equal %w(hmac-md5-96 hmac-sha1-96 hmac-sha1 hmac-md5 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none), algorithms(:hmac => %w(hmac-md5-96 hmac-sha1-96))[:hmac] end - def test_constructor_with_unrecognized_hmac_should_raise_exception - assert_raises(NotImplementedError) { algorithms(:hmac => "bogus") } + def test_constructor_with_unrecognized_hmac_should_ignore_those + assert_equal %w(hmac-md5-96 hmac-sha1 hmac-md5 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96 hmac-sha2-512-96 none), + algorithms(:hmac => "hmac-md5-96")[:hmac] end def test_constructor_with_preferred_compression_should_put_preferred_compression_first @@ -109,8 +109,8 @@ module Transport assert_equal %w(zlib@openssh.com zlib none), algorithms(:compression => true)[:compression] end - def test_constructor_with_unrecognized_compression_should_raise_exception - assert_raises(NotImplementedError) { algorithms(:compression => "bogus") } + def test_constructor_with_unrecognized_compression_should_return_whats_supported + assert_equal %w(none zlib zlib@openssh.com), algorithms(:compression => %w(bogus none zlib))[:compression] end def test_initial_state_should_be_neither_pending_nor_initialized @@ -288,17 +288,12 @@ module Transport def assert_kexinit(buffer, options={}) assert_equal KEXINIT, buffer.type assert_equal 16, buffer.read(16).length - if defined?(OpenSSL::PKey::EC) - assert_equal options[:kex] || "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256@libssh.org", buffer.read_string - assert_equal options[:host_key] || "ssh-rsa,ssh-dss,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-ed25519", buffer.read_string - else - assert_equal options[:kex] || "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256", buffer.read_string - assert_equal options[:host_key] || "ssh-rsa,ssh-dss", buffer.read_string - end + assert_equal options[:kex] || (%w(diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256)+ec_kex).join(','), buffer.read_string + assert_equal options[:host_key] || (%w(ssh-rsa ssh-dss ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com)+ec_host_keys).join(','), buffer.read_string assert_equal options[:encryption_client] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc,none,arcfour128,arcfour256,arcfour,aes128-ctr,aes192-ctr,aes256-ctr,camellia128-cbc,camellia192-cbc,camellia256-cbc,camellia128-cbc@openssh.org,camellia192-cbc@openssh.org,camellia256-cbc@openssh.org,camellia128-ctr,camellia192-ctr,camellia256-ctr,camellia128-ctr@openssh.org,camellia192-ctr@openssh.org,camellia256-ctr@openssh.org,cast128-ctr,blowfish-ctr,3des-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com", buffer.read_string assert_equal options[:encryption_server] || "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,idea-cbc,none,arcfour128,arcfour256,arcfour,aes128-ctr,aes192-ctr,aes256-ctr,camellia128-cbc,camellia192-cbc,camellia256-cbc,camellia128-cbc@openssh.org,camellia192-cbc@openssh.org,camellia256-cbc@openssh.org,camellia128-ctr,camellia192-ctr,camellia256-ctr,camellia128-ctr@openssh.org,camellia192-ctr@openssh.org,camellia256-ctr@openssh.org,cast128-ctr,blowfish-ctr,3des-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com", buffer.read_string - assert_equal options[:hmac_client] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-512-96,none,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com", buffer.read_string - assert_equal options[:hmac_server] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-512-96,none,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com", buffer.read_string + assert_equal options[:hmac_client] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-512-96,none", buffer.read_string + assert_equal options[:hmac_server] || "hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-512-96,none", buffer.read_string assert_equal options[:compression_client] || "none,zlib@openssh.com,zlib", buffer.read_string assert_equal options[:compression_server] || "none,zlib@openssh.com,zlib", buffer.read_string assert_equal options[:language_client] || "", buffer.read_string |