net-ssh 0.5.0

data/lib/net/ssh/transport/packet-stream.rb

@@ -0,0 +1,210 @@
+#--
+# =============================================================================
+# Copyright (c) 2004, Jamis Buck (jgb3@email.byu.edu)
+# All rights reserved.
+#
+# This source file is distributed as part of the Net::SSH Secure Shell Client
+# library for Ruby. This file (and the library as a whole) may be used only as
+# allowed by either the BSD license, or the Ruby license (or, by association
+# with the Ruby license, the GPL). See the "doc" subdirectory of the Net::SSH
+# distribution for the texts of these licenses.
+# -----------------------------------------------------------------------------
+# net-ssh website : http://net-ssh.rubyforge.org
+# project website: http://rubyforge.org/projects/net-ssh
+# =============================================================================
+#++
+
+require 'thread'
+
+require 'net/ssh/errors'
+require 'net/ssh/transport/errors'
+
+module Net
+  module SSH
+    module Transport
+
+      # The abstract parent of IncomingPacketStream and OutgoingPacketStream. It
+      # represents the common interface of its subclasses.
+      class PacketStream
+        
+        # the sequence number of the next packet to be processed.
+        attr_reader :sequence_number
+
+        # the setter for setting the socket to use for IO communication
+        attr_writer :socket
+
+        # Create a new packet stream. The given ciphers and hmacs are factories
+        # that are used to initialize the cipher and mac attributes.
+        def initialize( ciphers, hmacs )
+          @sequence_number = 0
+
+          @cipher = ciphers.get( "none" )
+          @hmac = hmacs.get( "none" )
+        end
+
+        # Set the cipher and mac algorithms to the given arguments.
+        def set_algorithms( cipher, mac )
+          @cipher, @hmac = cipher, mac
+        end
+
+        # Compute the mac for the given payload.
+        def compute_hmac( payload )
+          @hmac.digest( [ @sequence_number, payload ].pack( "NA*" ) )
+        end
+
+        # Increment the sequence number. This handles the (rare) case of a
+        # sequence number overflowing a long integer, and resets it safely to 0
+        # (as required by the SSH2 protocol).
+        def increment_sequence_number
+          @sequence_number += 1
+          @sequence_number = 0 if @sequence_number > 0xFFFFFFFF
+        end
+        private :increment_sequence_number
+
+      end
+
+      # Handles the compression and encryption of outgoing packets.
+      class OutgoingPacketStream < PacketStream
+
+        # Create a new OutgoingPacketStream.
+        def initialize( ciphers, hmacs, compressors )
+          super( ciphers, hmacs )
+          @compressor = compressors.fetch( "none" )
+          @mutex = Mutex.new
+        end
+
+        # Set the cipher, mac, and compressor to the given values.
+        def set_algorithms( cipher, hmac, compressor )
+          super( cipher, hmac )
+          @compressor = compressor
+        end
+
+        # Send the given payload over the socket, after (possibly) compressing
+        # and encrypting it. The payload is converted to a string (using #to_s)
+        # before being manipulated.
+        def send( payload )
+          @mutex.synchronize do
+            # force the payload into a string
+            payload = @compressor.compress( payload.to_s )
+
+            # the length of the packet, minus the padding
+            actual_length = 4 + payload.length + 1
+
+            # compute the padding length
+            padding_length = @cipher.block_size -
+              ( actual_length % @cipher.block_size )
+            padding_length += @cipher.block_size if padding_length < 4
+
+            # compute the packet length (sans the length field itself)
+            packet_length = payload.length + padding_length + 1
+
+            if packet_length < 16
+              padding_length += @cipher.block_size
+              packet_length = payload.length + padding_length + 1
+            end
+
+            padding = Array.new( padding_length ) { rand(256) }.pack("C*")
+
+            unencrypted_data = [ packet_length, padding_length, payload,
+              padding ].pack( "NCA*A*" )
+            mac = compute_hmac( unencrypted_data )
+
+            encrypted_data = @cipher.update( unencrypted_data ) << @cipher.final
+            message = encrypted_data + mac
+            @socket.send message, 0
+
+            increment_sequence_number
+          end
+        end
+
+      end
+
+      # Handles the decompression and dencryption of incoming packets.
+      class IncomingPacketStream < PacketStream
+
+        # A handle to the buffer factory to use when creating buffers
+        attr_writer :buffers
+
+        # A handle to the logger instance to use for writing log messages
+        attr_writer :log
+
+        # Create a new IncomingPacketStream.
+        def initialize( ciphers, hmacs, decompressors )
+          super( ciphers, hmacs )
+          @decompressor = decompressors.fetch( "none" )
+          @mutex = Mutex.new
+        end
+
+        # Set the cipher, mac, and decompressor algorithms to the given values.
+        def set_algorithms( cipher, mac, decompressor )
+          super( cipher, mac )
+          @decompressor = decompressor
+        end
+
+        # Retrieve the next packet from the string, after (possibly) decrypting
+        # and decompressing it. The packet is returned as a reader buffer.
+        def get
+          @mutex.synchronize do
+            # get the first block of data
+            if @log.debug?
+              @log.debug "reading #{@cipher.block_size} bytes from socket..."
+            end
+            data = @socket.recv( @cipher.block_size )
+
+            # if the data is empty, then the socket was closed
+            if data.length < 1
+              raise Net::SSH::Transport::Disconnect,
+                "connection closed by remote host"
+            end
+
+            # decipher it
+            reader = @buffers.reader( @cipher.update( data ) )
+
+            # determine the packet length and how many bytes remain to be read
+            packet_length = reader.read_long
+            remaining_to_read = packet_length + 4 - @cipher.block_size
+            if @log.debug?
+              @log.debug "packet length(#{packet_length}) " +
+                "remaining(#{remaining_to_read})"
+            end
+
+            # read the remainder of the packet and decrypt it.
+            data = ""
+            loop do
+              data << @socket.recv( remaining_to_read - data.length )
+              break if data.length >= remaining_to_read
+            end
+
+            reader.append @cipher.update( data )
+            reader.append @cipher.final
+
+            padding_length = reader.read_byte
+
+            payload = reader.read( packet_length - padding_length - 1 )
+            padding = reader.read( padding_length ) if padding_length > 0
+
+            # get the hmac from the tail of the packet (if one exists), and
+            # then validate it.
+            hmac = @hmac.mac_length > 0 ? @socket.recv( @hmac.mac_length ) : ""
+
+            my_computed_hmac = compute_hmac( reader.content )
+            raise Net::SSH::Exception,
+              "corrupted mac detected" if hmac != my_computed_hmac
+
+            # decompress the payload
+            payload = @decompressor.decompress( payload )
+
+            increment_sequence_number
+
+            buffer = @buffers.reader( payload )
+            @log.debug "received: #{buffer.content.inspect}" if @log.debug?
+
+            return buffer
+          end
+        end
+
+      end
+
+    end
+  end
+end

data/lib/net/ssh/transport/services.rb

@@ -0,0 +1,146 @@
+#--
+# =============================================================================
+# Copyright (c) 2004, Jamis Buck (jgb3@email.byu.edu)
+# All rights reserved.
+#
+# This source file is distributed as part of the Net::SSH Secure Shell Client
+# library for Ruby. This file (and the library as a whole) may be used only as
+# allowed by either the BSD license, or the Ruby license (or, by association
+# with the Ruby license, the GPL). See the "doc" subdirectory of the Net::SSH
+# distribution for the texts of these licenses.
+# -----------------------------------------------------------------------------
+# net-ssh website : http://net-ssh.rubyforge.org
+# project website: http://rubyforge.org/projects/net-ssh
+# =============================================================================
+#++
+
+module Net
+  module SSH
+    module Transport
+
+      # Register the services that together implement the SSH transport layer.
+      def register_services( container )
+        container.namespace_define :transport do |b|
+          b.kex_names { Hash.new }
+          b.compression_algorithms { Hash.new }
+          b.decompression_algorithms { Hash.new }
+
+          b.cipher_factories { Hash.new }
+          b.hmac_factories { Hash.new }
+          b.key_factories { Hash.new }
+          b.buffer_factories { Hash.new }
+          b.bn_factories { Hash.new }
+          b.digest_factories { Hash.new }
+
+          b.ciphers( :model => :prototype ) { |c,|
+            c.cipher_factories.fetch( c.crypto_backend ) }
+
+          b.hmacs( :model => :prototype ) { |c,|
+            c.hmac_factories.fetch( c.crypto_backend ) }
+
+          b.keys( :model => :prototype ) { |c,|
+            c.key_factories.fetch( c.crypto_backend ) }
+
+          b.buffers( :model => :prototype ) { |c,|
+            c.buffer_factories.fetch( c.crypto_backend ) }
+
+          b.bns( :model => :prototype ) { |c,|
+            c.bn_factories.fetch( c.crypto_backend ) }
+
+          b.digesters( :model => :prototype ) { |c,|
+            c.digest_factories.fetch( c.crypto_backend ) }
+
+          b.identity_cipher do
+            require 'net/ssh/transport/identity-cipher'
+            IdentityCipher.new
+          end
+
+          b.outgoing_packet_stream :model => :prototype_deferred do |c,|
+            require 'net/ssh/transport/packet-stream'
+            OutgoingPacketStream.new(
+              c.ciphers, c.hmacs, c.compression_algorithms )
+          end
+
+          b.incoming_packet_stream :model => :prototype_deferred do |c,point|
+            require 'net/ssh/transport/packet-stream'
+            stream = IncomingPacketStream.new(
+              c.ciphers, c.hmacs, c.decompression_algorithms )
+            stream.buffers = c.buffers
+            stream.log = c.log_for( point )
+            stream
+          end
+
+          b.algorithms do
+            Hash[
+              :host_key => [ "ssh-dss", "ssh-rsa" ],
+              :kex => [ "diffie-hellman-group-exchange-sha1",
+                        "diffie-hellman-group1-sha1" ],
+              :encryption => [ "3des-cbc",
+                               "aes128-cbc", 
+                               "blowfish-cbc",
+                               "aes256-cbc",
+                               "aes192-cbc",
+                               "idea-cbc",
+                               "none" ],
+              :hmac => [ "hmac-md5",
+                         "hmac-sha1",
+                         "hmac-md5-96",
+                         "hmac-sha1-96",
+                         "none" ],
+              :compression => [ "none", "zlib" ],
+              :languages => []
+            ]
+          end
+
+          b.default_ssh_port { 22 }
+
+          b.socket_factory do
+            require 'socket'
+            TCPSocket
+          end
+
+          b.version_negotiator do |c,point|
+            require 'net/ssh/transport/version-negotiator'
+            VersionNegotiator.new( c.log_for( point ) )
+          end
+
+          b.algorithm_negotiator do |c,point|
+            require 'net/ssh/transport/algorithm-negotiator'
+            AlgorithmNegotiator.new(
+              c.log_for( point ),
+              c.algorithms,
+              c.buffers )
+          end
+
+          b.session do |c,point|
+            require 'net/ssh/transport/session'
+
+            args = [ c[:transport_host] ]
+            args << c[:transport_options] if c.knows_key?(:transport_options)
+
+            Session.new( *args ) do |s|
+              s.logger               = c[:log_for, point]
+              s.default_port         = c[:default_ssh_port]
+              s.version_negotiator   = c[:version_negotiator]
+              s.algorithm_negotiator = c[:algorithm_negotiator]
+              s.socket_factory       = c[:socket_factory]
+              s.packet_sender        = c[:outgoing_packet_stream]
+              s.packet_receiver      = c[:incoming_packet_stream]
+              s.ciphers              = c[:ciphers]
+              s.hmacs                = c[:hmacs]
+              s.kexs                 = c[:kex_names]
+              s.compressors          = c[:compression_algorithms]
+              s.decompressors        = c[:decompression_algorithms]
+            end
+          end
+
+          b.require 'net/ssh/transport/ossl/services', "#{self}::OSSL"
+          b.require 'net/ssh/transport/compress/services', "#{self}::Compress"
+          b.require 'net/ssh/transport/kex/services', "#{self}::Kex"
+        end
+      end
+      module_function :register_services
+
+    end
+  end
+end

data/lib/net/ssh/transport/session.rb

@@ -0,0 +1,296 @@
+#--
+# =============================================================================
+# Copyright (c) 2004, Jamis Buck (jgb3@email.byu.edu)
+# All rights reserved.
+#
+# This source file is distributed as part of the Net::SSH Secure Shell Client
+# library for Ruby. This file (and the library as a whole) may be used only as
+# allowed by either the BSD license, or the Ruby license (or, by association
+# with the Ruby license, the GPL). See the "doc" subdirectory of the Net::SSH
+# distribution for the texts of these licenses.
+# -----------------------------------------------------------------------------
+# net-ssh website : http://net-ssh.rubyforge.org
+# project website: http://rubyforge.org/projects/net-ssh
+# =============================================================================
+#++
+
+require 'socket'
+require 'net/ssh/transport/constants'
+require 'net/ssh/transport/errors'
+require 'net/ssh/version'
+
+module Net
+  module SSH
+    module Transport
+
+      # Represents a low-level SSH session, at the transport protocol level.
+      # This handles the algorithm negotiation and key exchange for any SSH
+      # connection.
+      class Session
+        include Constants
+        
+        # the unique session identifier
+        attr_reader :session_id
+
+        # the collection of algorithms currently being used
+        attr_reader :algorithms
+
+        attr_writer :logger
+        attr_writer :default_port
+        attr_writer :version_negotiator
+        attr_writer :algorithm_negotiator
+        attr_writer :socket_factory
+        attr_writer :packet_sender
+        attr_writer :packet_receiver
+        attr_writer :ciphers
+        attr_writer :hmacs
+        attr_writer :kexs
+        attr_writer :compressors
+        attr_writer :decompressors
+
+        # The name that Net::SSH reports for itself
+        NAME = "Ruby/Net::SSH"
+
+        # The SSH protocol supported by Net::SSH.
+        PROTOCOL = "SSH-2.0"
+
+        # Returns the version string of this client.
+        def self.version
+          "#{PROTOCOL}-#{NAME}_#{Net::SSH::Version::STRING}"
+        end
+
+        VALID_OPTIONS = [ :port, :host_key, :kex, :encryption, :hmac,
+                          :compression, :languages, :compression_level, :proxy ]
+
+        # Create a new connection to the given host. This will negotiate the
+        # algorithms to use and exchange the keys. A block must be given. The
+        # uninitialized +self+ will be passed to the block, so that dependencies
+        # may be injected.
+        def initialize( host, options={} )
+          @saved_message = nil
+          @session_id = nil
+
+          yield self
+
+          invalid_options = options.keys - VALID_OPTIONS
+
+          unless invalid_options.empty?
+            raise ArgumentError,
+              "invalid option(s) to #{self.class}: #{invalid_options.inspect}"
+          end
+
+          @port = options[ :port ] || @default_port
+          @socket = ( options[:proxy] || @socket_factory ).open( host, @port )
+
+          @packet_sender.socket = @socket
+          @packet_receiver.socket = @socket
+
+          @kex_info = {
+            :client_version_string => self.class.version,
+            :server_version_string =>
+              @version_negotiator.negotiate( @socket, self.class.version ) }
+
+          @options = options
+          kexinit
+        end
+
+        # Returns the name of the client's host, as reported by the socket.
+        def client_name
+          return @hostname if defined? @hostname
+
+          sockaddr = @socket.getsockname
+          begin
+            @hostname =
+              Socket.getnameinfo( sockaddr, Socket::NI_NAMEREQD ).first
+          rescue
+            @hostname = Socket.getnameinfo( sockaddr ).first
+          end
+
+          return @hostname
+        end
+
+        def kexinit
+          @doing_kexinit = true
+          @algorithms = @algorithm_negotiator.negotiate( self, @options )
+
+          @kex_info[ :server_algorithm_packet ] = @algorithms.server_packet
+          @kex_info[ :client_algorithm_packet ] = @algorithms.client_packet
+
+          exchange_keys
+          @doing_kexinit = false
+        end
+        private :kexinit
+
+        # Closes the connection.
+        def close
+          # TODO: send a DISCONNECT message to the server to close gracefully
+          @socket.shutdown
+        end
+
+        def get_kex_byte_requirement
+          need = 0
+
+          [ @algorithms.encryption_s2c,
+            @algorithms.encryption_c2s
+          ].each do |alg|
+            key_len, block_size = @ciphers.get_lengths( alg )
+            need = key_len if need < key_len
+            need = block_size if need < block_size
+          end
+
+          [ @algorithms.mac_c2s, @algorithms.mac_s2c ].each do |alg|
+            key_len = @hmacs.get_key_length( alg )
+            need = key_len if need < key_len
+          end
+
+          return need
+        end
+        private :get_kex_byte_requirement
+        
+        # Exchanges keys with the server, using the kex algorithm negotiated
+        # during the algorithm negotiation phase. After finishing this phase,
+        # further packets sent to or from the server will be encrypted and
+        # (possibly) compressed.
+        def exchange_keys
+          @kex_info[ :need_bytes ] = get_kex_byte_requirement
+
+          kex = @kexs.fetch( @algorithms.kex )
+          result = kex.exchange_keys( self, @kex_info )
+
+          @shared_secret = result[ :shared_secret ]
+          hash = result[ :session_id ]
+          @session_id = hash unless @session_id
+          @server_key = result[ :server_key ]
+          @hashing_algorithm = result[ :hashing_algorithm ]
+
+          # prepare the ciphers, et. al.
+          secret_bin = @shared_secret.to_ssh
+
+          iv_c2s = @hashing_algorithm.digest( secret_bin +
+                                              hash +
+                                              "A" +
+                                              @session_id )
+          iv_s2c = @hashing_algorithm.digest( secret_bin +
+                                              hash +
+                                              "B" +
+                                              @session_id )
+          key_c2s = @hashing_algorithm.digest( secret_bin +
+                                               hash +
+                                               "C" +
+                                               @session_id )
+          key_s2c = @hashing_algorithm.digest( secret_bin +
+                                               hash +
+                                               "D" +
+                                               @session_id )
+          mac_key_c2s = @hashing_algorithm.digest( secret_bin +
+                                                   hash +
+                                                   "E" +
+                                                   @session_id )
+          mac_key_s2c = @hashing_algorithm.digest( secret_bin +
+                                                   hash +
+                                                   "F" +
+                                                   @session_id )
+
+          cipher_c2s = @ciphers.get( 
+                            @algorithms.encryption_c2s, iv_c2s, key_c2s,
+                            secret_bin, hash, @hashing_algorithm,
+                            true )
+
+          cipher_s2c = @ciphers.get( 
+                            @algorithms.encryption_s2c, iv_s2c, key_s2c,
+                            secret_bin, hash, @hashing_algorithm,
+                            false )
+
+          mac_c2s = @hmacs.get( @algorithms.mac_c2s, mac_key_c2s );
+          mac_s2c = @hmacs.get( @algorithms.mac_s2c, mac_key_s2c );
+
+          compression_c2s = @compressors[ @algorithms.compression_c2s ].new(
+              :level => @algorithms.compression_level )
+          compression_s2c = @decompressors[ @algorithms.compression_s2c ].new
+
+          @packet_sender.set_algorithms cipher_c2s, mac_c2s, compression_c2s
+          @packet_receiver.set_algorithms cipher_s2c, mac_s2c, compression_s2c
+        end
+        private :exchange_keys
+
+        # Waits for the next message from the server, handling common requests
+        # like DISCONNECT, IGNORE, DEBUG, and KEXINIT in the background. The
+        # next message is returned as a [ type, buffer ] tuple, where the buffer
+        # is a Net::SSH::Util::ReaderBuffer.
+        def wait_for_message
+          buffer = type = nil
+
+          if @saved_message
+            type, buffer = @saved_message
+            @logger.debug "returning saved message: #{type}" if @logger.debug?
+            @saved_message = nil
+          else
+            loop do
+              if @logger.debug?
+                @logger.debug "waiting for packet from server..."
+              end
+
+              buffer = @packet_receiver.get
+              type = buffer.read_byte
+              @logger.debug "got packet of type #{type}" if @logger.debug?
+
+              case type
+                when DISCONNECT
+                  reason_code = buffer.read_long
+                  description = buffer.read_string
+                  language = buffer.read_string
+                  raise Net::SSH::Transport::Disconnect,
+                    "disconnected: #{description} (#{reason_code})"
+
+                when IGNORE
+                  # do nothing
+                  @logger.info "received IGNORE message " +
+                    "(#{buffer.read_string.inspect})" if @logger.debug?
+
+                when DEBUG
+                  # do nothing
+                  @logger.info "received DEBUG message" if @logger.debug?
+                  always_display = buffer.read_bool
+                  message = buffer.read_string
+                  language = buffer.read_string
+                  if always_display
+                    @logger.warn "#{message} (#{language})" if @logger.warn?
+                  else
+                    @logger.debug "#{message} (#{language})" if @logger.debug?
+                  end
+
+                when KEXINIT
+                  # unless we're already doing a key-exchange, do key
+                  # re-exchange
+                  if !@doing_kexinit
+                    @logger.info "re-key requested" if @logger.info?
+                    @saved_message = [ type, buffer ]
+                    kexinit
+                  else
+                    break
+                  end
+
+                else
+                  break
+              end
+            end
+          end
+
+          return type, buffer
+        end
+
+        # Sends the given payload, using the currently configured
+        # OutgoingPacketStream.
+        def send_message( message )
+          if @logger.debug?
+            @logger.debug "sending message >>#{message.to_s.inspect}<<"
+          end
+
+          @packet_sender.send message
+        end
+
+      end
+
+    end
+  end
+end