crussh 0.1.0

data/lib/crussh/channel.rb

@@ -0,0 +1,381 @@
+# frozen_string_literal: true
+
+require "English"
+require "io/stream"
+require "async/semaphore"
+
+module Crussh
+  class Channel
+    DEFAULT_WINDOW_SIZE = 2 * 1024 * 1024
+    DEFAULT_MAX_PACKET_SIZE = 32_768
+
+    Data = ::Data.define(:data) do
+      def each_key(parser: KeyParser.new, &block)
+        return enum_for(:each_key, parser: parser) unless block_given?
+
+        parser.parse(data).each(&block)
+      end
+    end
+    ExtendedData = ::Data.define(:data, :type)
+    WindowChange = ::Data.define(:width, :height, :pixel_width, :pixel_height)
+    Signal = ::Data.define(:name)
+    EOF = ::Data.define
+    Closed = ::Data.define
+
+    Pty = ::Data.define(:term, :width, :height, :pixel_width, :pixel_height, :modes)
+
+    def initialize(session:, id:, remote_id:, remote_window_size:, local_window_size:, max_packet_size:, buffer_size:)
+      @session = session
+      @id = id
+      @remote_id = remote_id
+
+      @reader = Reader.new(
+        session:,
+        remote_id:,
+        window_size: local_window_size,
+        buffer_size:,
+      )
+
+      @writer = Writer.new(
+        session:,
+        remote_id:,
+        max_packet_size:,
+        window_size: remote_window_size,
+        channel: self,
+      )
+
+      @pty = nil
+      @env = {}
+      @events = Async::Queue.new
+      @read_buffer = "".b
+    end
+
+    attr_reader :session, :id, :remote_id, :pty, :env
+    attr_writer :pty
+
+    def pty? = !@pty.nil?
+    def eof? = @reader.eof?
+    def closed? = @writer.closed?
+
+    def read(...) = @reader.read(...)
+    def readpartial(...) = @reader.readpartial(...)
+    def gets(...) = @reader.gets(...)
+    def each(&) = @reader.each(&)
+
+    def write(...) = @writer.write(...)
+    def puts(...) = @writer.puts(...)
+    def print(...) = @writer.print(...)
+    def flush = @writer.flush
+
+    def <<(data)
+      write(data)
+      self
+    end
+
+    def send_eof = @writer.send_eof
+    def close = @writer.close
+
+    def stderr
+      @stderr ||= Stderr.new(session:, remote_id:)
+    end
+
+    def exit_status(code)
+      message = Protocol::ChannelRequest.new(recipient_channel: @remote_id, request_type: "exit-status", want_reply: false, request_data: [code].pack("N"))
+      @session.write_packet(message)
+    end
+
+    def exit_signal(signal_name, core_dumped: false, error_message: "", language: "")
+      writer = Transport::Writer.new
+      writer.string(signal_name)
+      writer.boolean(core_dumped)
+      writer.string(error_message)
+      writer.string(language)
+
+      message = Protocol::ChannelRequest.new(recipient_channel: @remote_id, request_type: "exit-signal", want_reply: false, request_data: writer.to_s)
+      @session.write_packet(message)
+    end
+
+    def push_event(event) = @reader.push_event(event)
+    def adjust_remote_window(bytes) = @writer.adjust_window(bytes)
+
+    def set_env(name, value)
+      @env[name] = value
+    end
+
+    def update_window(window_change)
+      @pty = @pty.with(width: window_change.width, height: window_change.height, pixel_width: window_change.pixel_width, pixel_height: window_change.pixel_height) if @pty
+      push_event(window_change)
+    end
+
+    class Reader
+      def initialize(session:, remote_id:, window_size:, buffer_size:)
+        @session = session
+        @remote_id = remote_id
+        @window_size = window_size
+        @window_threshold = window_size / 2
+        @bytes_consumed = 0
+
+        @events = Async::LimitedQueue.new(buffer_size)
+        @buffer = "".b
+
+        @eof = false
+        @closed = false
+      end
+
+      def eof? = @eof
+      def closed? = @closed
+
+      def push_event(event)
+        @events.enqueue(event)
+      end
+
+      def each
+        return enum_for(:each) unless block_given?
+
+        loop do
+          event = @events.dequeue
+          yield event
+          break if event.is_a?(Closed)
+        end
+      end
+
+      def read(length = nil)
+        return drain_buffer(length) if length && @buffer.bytesize >= length
+
+        loop do
+          event = @events.dequeue
+
+          case event
+          when Data(data:)
+            consume_window(data.bytesize)
+            @buffer << data
+            return drain_buffer(length) if length && @buffer.bytesize >= length
+          when EOF
+            @eof = true
+
+            return @buffer.empty? ? nil : drain_buffer(length)
+          when Closed
+            @closed = true
+
+            return @buffer.empty? ? nil : drain_buffer(length)
+          end
+        end
+      end
+
+      def readpartial(maxlen, outbuf = nil)
+        outbuf ||= "".b
+        outbuf.clear
+
+        if @buffer.bytesize > 0
+          outbuf << drain_buffer(maxlen)
+          return outbuf
+        end
+
+        loop do
+          event = @events.dequeue
+
+          case event
+          when Data(data:)
+            consume_window(data.bytesize)
+            @buffer << data
+            outbuf << drain_buffer(maxlen)
+            return outbuf
+          when EOF
+            @eof = true
+            raise ::EOFError, "end of file reached"
+          when Closed
+            @closed = true
+            raise ::IOError, "channel closed"
+          end
+        end
+      end
+
+      def gets(sep = $INPUT_RECORD_SEPARATOR, limit = nil)
+        loop do
+          if (index = @buffer.index(sep))
+            return @buffer.slice!(0, index + sep.bytesize)
+          end
+
+          return drain_buffer if limit && @buffer.bytesize >= limit
+
+          event = @events.dequeue
+
+          case event
+          when Data
+            consume_window(event.data.bytesize)
+            @buffer << event.data
+          when EOF
+            @eof = true
+            return @buffer.empty? ? nil : @buffer.slice!(0..-1)
+          when Closed
+            @closed = true
+            return @buffer.empty? ? nil : @buffer.slice!(0..-1)
+          end
+        end
+      end
+
+      private
+
+      def drain_buffer(length = nil)
+        @buffer.slice!(0, length || @buffer.bytesize)
+      end
+
+      def consume_window(bytes)
+        @bytes_consumed += bytes
+
+        return if @bytes_consumed < @window_threshold
+
+        message = Protocol::ChannelWindowAdjust.new(
+          recipient_channel: @remote_id,
+          bytes_to_add: @bytes_consumed,
+        )
+
+        @session.write_packet(message)
+        @bytes_consumed = 0
+      end
+    end
+
+    module WriteMethods
+      def line_ending
+        "\n"
+      end
+
+      def puts(*args)
+        if args.empty?
+          write(line_ending)
+          return
+        end
+
+        buffer = "".b
+        args.each do |arg|
+          line = arg.to_s
+          buffer << line
+          buffer << line_ending unless line.end_with?("\n")
+        end
+        write(buffer)
+        nil
+      end
+
+      def print(*args)
+        args.each { |arg| write(arg.to_s) }
+        nil
+      end
+
+      def <<(data)
+        write(data)
+        self
+      end
+
+      def flush = self
+    end
+
+    class Writer
+      include WriteMethods
+
+      def initialize(session:, remote_id:, max_packet_size:, window_size:, channel:)
+        @session = session
+        @remote_id = remote_id
+        @max_packet_size = max_packet_size
+        @window_size = window_size
+        @channel = channel
+
+        @window_condition = Async::Condition.new
+        @semaphore = Async::Semaphore.new(1)
+
+        @eof_sent = false
+        @closed = false
+      end
+
+      def closed? = @closed
+
+      def line_ending
+        @channel.pty? ? "\r\n" : "\n"
+      end
+
+      def adjust_window(...) = @semaphore.acquire { adjust_window_inner(...) }
+      def write(...) = @semaphore.acquire { write_inner(...) }
+      def send_eof = @semaphore.acquire { send_eof_inner }
+      def close = @semaphore.acquire { close_inner }
+
+      private
+
+      def adjust_window_inner(bytes)
+        @window_size += bytes
+        @window_condition.signal
+      end
+
+      def close_inner
+        return if @closed
+
+        send_eof_inner unless @eof_sent
+        @closed = true
+
+        message = Protocol::ChannelClose.new(recipient_channel: @remote_id)
+        @session.write_packet(message)
+      end
+
+      def send_eof_inner
+        return if @eof_sent
+
+        @eof_sent = true
+
+        message = Protocol::ChannelEof.new(recipient_channel: @remote_id)
+        @session.write_packet(message)
+      end
+
+      def write_inner(data)
+        raise ::IOError, "channel closed" if @closed
+        raise ::IOError, "EOF already sent" if @eof_sent
+
+        data = data.to_s.b
+        bytes_written = 0
+
+        while bytes_written < data.bytesize
+          @window_condition.wait if @window_size <= 0
+
+          chunk_size = [
+            @max_packet_size,
+            @window_size,
+            data.bytesize - bytes_written,
+          ].min
+          chunk = data.byteslice(bytes_written, chunk_size)
+
+          message = Protocol::ChannelData.new(recipient_channel: @remote_id, data: chunk)
+          @session.write_packet(message)
+
+          @window_size -= chunk_size
+          bytes_written += chunk_size
+        end
+
+        bytes_written
+      end
+    end
+
+    class Stderr
+      include WriteMethods
+
+      def initialize(session:, remote_id:)
+        @session = session
+        @remote_id = remote_id
+        @semaphore = Async::Semaphore.new(1)
+      end
+
+      def write(...) = @semaphore.acquire { write_inner(...) }
+
+      private
+
+      def write_inner(data)
+        data = data.to_s.b
+
+        message = Protocol::ChannelExtendedData.new(
+          recipient_channel: @remote_id,
+          data_type_code: 1,
+          data: data,
+        )
+        @session.write_packet(message)
+
+        data.bytesize
+      end
+    end
+  end
+end

data/lib/crussh/cipher/algorithm.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Crussh
+  module Cipher
+    class Algorithm
+      def key_length
+        raise NotImplementedError
+      end
+
+      def nonce_length
+        0
+      end
+
+      def block_size
+        8
+      end
+
+      def needs_mac?
+        true
+      end
+
+      def make_opening_key(key:, nonce:, mac_key:, mac:)
+        raise NotImplementedError
+      end
+
+      def make_sealing_key(key:, nonce:, mac_key:, mac:)
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/crussh/cipher/chacha20poly1305.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module Crussh
+  module Cipher
+    class ChaCha20Poly1305 < Algorithm
+      KEY_LENGTH = 64
+
+      def key_length = KEY_LENGTH
+      def nonce_length = 0
+      def block_size = 8
+      def tag_length = 16
+
+      def needs_mac? = false
+
+      def make_opening_key(key:, nonce: nil, mac_key: nil, mac: nil)
+        OpeningKey.new(key)
+      end
+
+      def make_sealing_key(key:, nonce: nil, mac_key: nil, mac: nil)
+        SealingKey.new(key)
+      end
+
+      class Key
+        def initialize(key)
+          raise ArgumentError, "Key must be exactly #{KEY_LENGTH} bytes" unless key.bytesize == KEY_LENGTH
+
+          @main_key = key[0, 32]
+          @header_key = key[32, 32]
+        end
+
+        private
+
+        def build_nonce(sequence)
+          "\x00\x00\x00\x00" + [sequence].pack("Q>")
+        end
+
+        def chacha20_cipher
+          cipher = OpenSSL::Cipher.new("chacha20")
+          cipher.encrypt
+          cipher
+        end
+
+        def chacha20_block(key, nonce, counter)
+          cipher = chacha20_cipher
+          cipher.key = key
+          cipher.iv = [counter].pack("V") + nonce
+          cipher
+        end
+
+        def generate_poly_key(sequence)
+          nonce = build_nonce(sequence)
+          cipher = chacha20_block(@main_key, nonce, 0)
+          cipher.update("\x00" * 64)[0, 32]
+        end
+      end
+
+      class OpeningKey < Key
+        def decrypt_length(sequence, encrypted_length)
+          nonce = build_nonce(sequence)
+          cipher = chacha20_block(@header_key, nonce, 0)
+          cipher.update(encrypted_length)
+        end
+
+        def open(sequence, encrypted_length, ciphertext, tag)
+          poly_key = generate_poly_key(sequence)
+          data = encrypted_length + ciphertext
+
+          unless Crypto::Poly1305.verify(poly_key, tag, data)
+            raise DecryptionError, "Poly1305 authentication failed"
+          end
+
+          nonce = build_nonce(sequence)
+          cipher = chacha20_block(@main_key, nonce, 1)
+          cipher.update(ciphertext)
+        end
+      end
+
+      class SealingKey < Key
+        def encrypt_length(sequence, length_bytes)
+          nonce = build_nonce(sequence)
+          cipher = chacha20_block(@header_key, nonce, 0)
+          cipher.update(length_bytes)
+        end
+
+        def seal(sequence, encrypted_length, plaintext)
+          nonce = build_nonce(sequence)
+          cipher = chacha20_block(@main_key, nonce, 1)
+          ciphertext = cipher.update(plaintext)
+
+          poly_key = generate_poly_key(sequence)
+          tag = Crypto::Poly1305.auth(poly_key, encrypted_length + ciphertext)
+
+          [ciphertext, tag]
+        end
+      end
+    end
+  end
+end

data/lib/crussh/cipher.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Crussh
+  module Cipher
+    CHACHA20_POLY1305 = "chacha20-poly1305@openssh.com"
+
+    DEFAULT = [CHACHA20_POLY1305]
+
+    ALL = [CHACHA20_POLY1305]
+
+    REGISTRY = {
+      CHACHA20_POLY1305 => ChaCha20Poly1305,
+    }
+
+    class << self
+      def from_name(name)
+        algorithm_class = REGISTRY[name]
+
+        raise UnknownAlgorithm, "Unknown cipher algorithm: #{name}" if algorithm_class.nil?
+
+        algorithm_class.new
+      end
+    end
+  end
+end

data/lib/crussh/compression.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require "zlib"
+
+module Crussh
+  module Compression
+    NONE = "none"
+    ZLIB = "zlib@openssh.com"
+
+    DEFAULT = [ZLIB, NONE].freeze
+
+    class << self
+      def from_name(name)
+        case name
+        when NONE
+          None.new
+        when ZLIB
+          Zlib.new
+        else
+          raise UnknownAlgorithm, "Unknown compression: #{name}"
+        end
+      end
+    end
+
+    class Compressor
+      def deflate(data) = data
+      def inflate(data) = data
+    end
+
+    class None < Compressor; end
+
+    class Zlib
+      def initialize
+        @deflator = ::Zlib::Deflate.new
+        @inflator = ::Zlib::Inflate.new
+      end
+
+      def deflate(data) = @deflator.deflate(data, ::Zlib::SYNC_FLUSH)
+      def inflate(data) = @inflator.inflate(data)
+    end
+  end
+end

data/lib/crussh/gatekeeper.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Crussh
+  class Gatekeeper
+    def initialize(max_connections:, max_unauthenticated:)
+      @max_connections = max_connections
+      @max_unauthenticated = max_unauthenticated
+
+      @mutex = Mutex.new
+      @total = 0
+      @unauthenticated = 0
+    end
+
+    attr_reader :total, :unauthenticated
+
+    def block? = !allowed?
+
+    def authenticate!
+      @mutex.synchronize do
+        @unauthenticated -= 1 if @unauthenticated > 0
+      end
+    end
+
+    def disconnect!(was_authenticated:)
+      @mutex.synchronize do
+        @total -= 1 if @total > 0
+        @unauthenticated -= 1 if !was_authenticated && @unauthenticated > 0
+      end
+    end
+
+    def stats
+      @mutex.synchronize do
+        { total: @total, unauthenticated: @unauthenticated }
+      end
+    end
+
+    private
+
+    def allowed?
+      @mutex.synchronize do
+        return false if @max_connections && @total >= @max_connections
+        return false if @max_unauthenticated && @unauthenticated >= @max_unauthenticated
+
+        @total += 1
+        @unauthenticated += 1
+        true
+      end
+    end
+  end
+end