diff options
author | Miklos Fazekas <mfazekas@szemafor.com> | 2020-04-24 15:43:34 +0200 |
---|---|---|
committer | Miklos Fazekas <mfazekas@szemafor.com> | 2020-04-24 15:57:08 +0200 |
commit | 1c4fa7ea91cb2e94b9f03094f403e128b9a9fcf6 (patch) | |
tree | f0bcae217f98d9a2d3948944e5138c109d2a1f9d | |
parent | 36ce409a8fd9f5984030e188b7f8c5b9601377ba (diff) | |
download | net-ssh-1c4fa7ea91cb2e94b9f03094f403e128b9a9fcf6.tar.gz |
Make hmac-md5-96 hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com opt in instead of default because of the currpoted hmac issue
-rw-r--r-- | CHANGES.txt | 11 | ||||
-rw-r--r-- | lib/net/ssh/transport/algorithms.rb | 7 | ||||
-rw-r--r-- | test/transport/test_algorithms.rb | 14 |
3 files changed, 21 insertions, 11 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index a84ac7c..6707307 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,5 +1,14 @@ +=== 6.0.1 + + * Make sha2-{256,512}-etm@openssh.com MAC opt-in as they seems to have issues [#757] + +=== 6.0.0 + + * Support empty lines and comments in known_hosts [donoghuc, #742] + * Add sha2-{256,512}-etm@openssh.com MAC algorithms [graaff, #714] + === 6.0.0 beta2 - + * Support :certkeys and CertificateFile configuration option [Anders Carling, #722] === 6.0.0 beta1 diff --git a/lib/net/ssh/transport/algorithms.rb b/lib/net/ssh/transport/algorithms.rb index ed656ee..35d9ec6 100644 --- a/lib/net/ssh/transport/algorithms.rb +++ b/lib/net/ssh/transport/algorithms.rb @@ -43,8 +43,7 @@ module Net encryption: %w[aes256-ctr aes192-ctr aes128-ctr], - hmac: %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com - hmac-sha2-512 hmac-sha2-256 + hmac: %w[hmac-sha2-512 hmac-sha2-256 hmac-sha1] }.freeze @@ -84,7 +83,9 @@ module Net hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 hmac-md5-96 - none], + none] + + %w[hmac-sha2-256-etm@openssh.com + hmac-sha2-512-etm@openssh.com], compression: %w[none zlib@openssh.com zlib], language: %w[] diff --git a/test/transport/test_algorithms.rb b/test/transport/test_algorithms.rb index 54f5774..83ea6b0 100644 --- a/test/transport/test_algorithms.rb +++ b/test/transport/test_algorithms.rb @@ -21,7 +21,7 @@ module Transport assert_equal ed_ec_host_keys + %w[ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ssh-rsa], algorithms[:host_key] assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1], algorithms[:kex] assert_equal %w[aes256-ctr aes192-ctr aes128-ctr], algorithms[:encryption] - assert_equal %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1], algorithms[:hmac] + assert_equal %w[hmac-sha2-512 hmac-sha2-256 hmac-sha1], algorithms[:hmac] assert_equal %w[none zlib@openssh.com zlib], algorithms[:compression] assert_equal %w[], algorithms[:language] end @@ -30,7 +30,7 @@ module Transport assert_equal ed_ec_host_keys + %w[ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ssh-rsa ssh-dss], algorithms(append_all_supported_algorithms: true)[:host_key] assert_equal x25519_kex + ec_kex + %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1], algorithms(append_all_supported_algorithms: true)[:kex] assert_equal %w[aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc rijndael-cbc@lysator.liu.se blowfish-ctr blowfish-cbc cast128-ctr cast128-cbc 3des-ctr 3des-cbc idea-cbc none], algorithms(append_all_supported_algorithms: true)[:encryption] - assert_equal %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha2-512-96 hmac-sha2-256-96 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 hmac-md5-96 none], algorithms(append_all_supported_algorithms: true)[:hmac] + assert_equal %w[hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha2-512-96 hmac-sha2-256-96 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 hmac-md5-96 none hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com], algorithms(append_all_supported_algorithms: true)[:hmac] assert_equal %w[none zlib@openssh.com zlib], algorithms(append_all_supported_algorithms: true)[:compression] assert_equal %w[], algorithms[:language] end @@ -112,15 +112,15 @@ module Transport end def test_constructor_with_preferred_hmac_should_put_preferred_hmac_first - assert_equal %w[hmac-md5-96 hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha2-512-96 hmac-sha2-256-96 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 none], algorithms(hmac: "hmac-md5-96", append_all_supported_algorithms: true)[:hmac] + assert_equal %w[hmac-md5-96 hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha2-512-96 hmac-sha2-256-96 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 none hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com], algorithms(hmac: "hmac-md5-96", append_all_supported_algorithms: true)[:hmac] end def test_constructor_with_multiple_preferred_hmac_should_put_all_preferred_hmac_first - assert_equal %w[hmac-md5-96 hmac-sha1-96 hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha2-512-96 hmac-sha2-256-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 none], algorithms(hmac: %w[hmac-md5-96 hmac-sha1-96], append_all_supported_algorithms: true)[:hmac] + assert_equal %w[hmac-md5-96 hmac-sha1-96 hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha2-512-96 hmac-sha2-256-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 none hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com], algorithms(hmac: %w[hmac-md5-96 hmac-sha1-96], append_all_supported_algorithms: true)[:hmac] end def test_constructor_with_unrecognized_hmac_should_ignore_those - assert_equal %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha2-512-96 hmac-sha2-256-96 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 hmac-md5-96 none], + assert_equal %w[hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha2-512-96 hmac-sha2-256-96 hmac-sha1-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-md5 hmac-md5-96 none hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com], algorithms(hmac: "unknown hmac-md5-96", append_all_supported_algorithms: true)[:hmac] end @@ -373,8 +373,8 @@ module Transport assert_equal options[:host_key] || (ed_ec_host_keys + %w[ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ssh-rsa]).join(','), buffer.read_string assert_equal options[:encryption_client] || 'aes256-ctr,aes192-ctr,aes128-ctr', buffer.read_string assert_equal options[:encryption_server] || 'aes256-ctr,aes192-ctr,aes128-ctr', buffer.read_string - assert_equal options[:hmac_client] || 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1', buffer.read_string - assert_equal options[:hmac_server] || 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1', buffer.read_string + assert_equal options[:hmac_client] || 'hmac-sha2-512,hmac-sha2-256,hmac-sha1', buffer.read_string + assert_equal options[:hmac_server] || 'hmac-sha2-512,hmac-sha2-256,hmac-sha1', buffer.read_string assert_equal options[:compression_client] || 'none,zlib@openssh.com,zlib', buffer.read_string assert_equal options[:compression_server] || 'none,zlib@openssh.com,zlib', buffer.read_string assert_equal options[:language_client] || '', buffer.read_string |