net-ssh 2.7.0 → 7.3.0

data/lib/net/ssh/transport/gcm_cipher.rb

@@ -0,0 +1,207 @@
+require 'net/ssh/loggable'
+
+module Net
+  module SSH
+    module Transport
+      ## Extension module for aes(128|256)gcm ciphers
+      module GCMCipher
+        # rubocop:disable Metrics/AbcSize
+        def self.extended(orig)
+          # rubocop:disable Metrics/BlockLength
+          orig.class_eval do
+            include Net::SSH::Loggable
+
+            attr_reader   :cipher
+            attr_reader   :key
+            attr_accessor :nonce
+
+            #
+            # Semantically gcm cipher supplies the OpenSSL iv interface with a nonce
+            #   as it is not randomly generated due to being supplied from a counter.
+            # The RFC's use IV and nonce interchangeably.
+            #
+            def initialize(encrypt:, key:)
+              @cipher = OpenSSL::Cipher.new(algo_name)
+              @key    = key
+              key_len = @cipher.key_len
+              if key.size != key_len
+                error_message = "#{cipher_name}: keylength does not match"
+                error { error_message }
+                raise error_message
+              end
+              encrypt ? @cipher.encrypt : @cipher.decrypt
+              @cipher.key = key
+
+              @nonce = {
+                fixed: nil,
+                invocation_counter: 0
+              }
+            end
+
+            def update_cipher_mac(payload, _sequence_number)
+              #
+              # --- RFC 5647 7.3 ---
+              # When using AES-GCM with secure shell, the packet_length field is to
+              # be treated as additional authenticated data, not as plaintext.
+              #
+              length_data      = [payload.bytesize].pack('N')
+
+              cipher.auth_data = length_data
+
+              encrypted_data   = cipher.update(payload) << cipher.final
+
+              mac              = cipher.auth_tag
+
+              incr_nonce
+              length_data + encrypted_data + mac
+            end
+
+            #
+            # --- RFC 5647 ---
+            # uint32    packet_length;  // 0 <= packet_length < 2^32
+            #
+            def read_length(data, _sequence_number)
+              data.unpack1('N')
+            end
+
+            #
+            # --- RFC 5647 ---
+            # In AES-GCM secure shell, the inputs to the authenticated encryption
+            # are:
+            #  PT (Plain Text)
+            #      byte      padding_length; // 4 <= padding_length < 256
+            #      byte[n1]  payload;        // n1 = packet_length-padding_length-1
+            #      byte[n2]  random_padding; // n2 = padding_length
+            #  AAD (Additional Authenticated Data)
+            #      uint32    packet_length;  // 0 <= packet_length < 2^32
+            #  IV (Initialization Vector)
+            #      As described in section 7.1.
+            #  BK (Block Cipher Key)
+            #      The appropriate Encryption Key formed during the Key Exchange.
+            #
+            def read_and_mac(data, mac, _sequence_number)
+              # The authentication tag will be placed in the MAC field at the end of the packet
+
+              # OpenSSL does not verify auth tag length
+              # GCM mode allows arbitrary sizes for the auth_tag up to 128 bytes and a single
+              #   byte allows authentication to pass. If single byte auth tags are possible
+              #   an attacker would require no more than 256 attempts to forge a valid tag.
+              #
+              raise 'incorrect auth_tag length' unless mac.to_s.length == mac_length
+
+              packet_length    = data.unpack1('N')
+
+              cipher.auth_tag  = mac.to_s
+              cipher.auth_data = [packet_length].pack('N')
+
+              result = cipher.update(data[4...]) << cipher.final
+              incr_nonce
+              result
+            end
+
+            def mac_length
+              16
+            end
+
+            def block_size
+              16
+            end
+
+            def self.block_size
+              16
+            end
+
+            #
+            # --- RFC 5647 ---
+            # N_MIN       minimum nonce (IV) length        12 octets
+            # N_MAX       maximum nonce (IV) length        12 octets
+            #
+            def iv_len
+              12
+            end
+
+            #
+            # --- RFC 5288 ---
+            # Each value of the nonce_explicit MUST be distinct for each distinct
+            # invocation of the GCM encrypt function for any fixed key. Failure to
+            # meet this uniqueness requirement can significantly degrade security.
+            # The nonce_explicit MAY be the 64-bit sequence number.
+            #
+            # --- RFC 5116 ---
+            # (2.1) Applications that can generate distinct nonces SHOULD use the nonce
+            # formation method defined in Section 3.2, and MAY use any
+            # other method that meets the uniqueness requirement.
+            #
+            # (3.2) The following method to construct nonces is RECOMMENDED.
+            #
+            #  <- variable -> <- variable ->
+            #  - - - - - - -  - - - - - - -
+            # |    fixed     |    counter   |
+            #
+            # Initial octets consist of a fixed field and final octets consist of a
+            # Counter field. Implementations SHOULD support 12-octet nonces in which
+            # the Counter field is four octets long.
+            # The Counter fields of successive nonces form a monotonically increasing
+            # sequence, when those fields are regarded as unsignd integers in network
+            # byte order.
+            # The Counter part SHOULD be equal to zero for the first nonce and increment
+            # by one for each successive nonce that is generated.
+            # The Fixed field MUST remain constant for all nonces that are generated for
+            # a given encryption device.
+            #
+            # --- RFC 5647 ---
+            # The invocation field is treated as a 64-bit integer and is increment after
+            # each invocation of AES-GCM to process a binary packet.
+            # AES-GCM produces a keystream in blocks of 16-octets that is used to
+            # encrypt the plaintext. This keystream is produced by encrypting the
+            # following 16-octet data structure:
+            #
+            # uint32 fixed;              // 4 octets
+            # uint64 invocation_counter; // 8 octets
+            # unit32 block_counter;      // 4 octets
+            #
+            # The block_counter is initially set to one (1) and increment as each block
+            # of key is produced.
+            #
+            # The reader is reminded that SSH requires that the data to be encrypted
+            # MUST be padded out to a multiple of the block size (16-octets for AES-GCM).
+            #
+            def incr_nonce
+              return if nonce[:fixed].nil?
+
+              nonce[:invocation_counter] = [nonce[:invocation_counter].to_s.unpack1('B*').to_i(2) + 1].pack('Q>*')
+
+              apply_nonce
+            end
+
+            def nonce=(iv_s)
+              return if nonce[:fixed]
+
+              nonce[:fixed]              = iv_s[0...4]
+              nonce[:invocation_counter] = iv_s[4...12]
+
+              apply_nonce
+            end
+
+            def apply_nonce
+              cipher.iv = "#{nonce[:fixed]}#{nonce[:invocation_counter]}"
+            end
+
+            #
+            # --- RFC 5647 ---
+            # If AES-GCM is selected as the encryption algorithm for a given
+            # tunnel, AES-GCM MUST also be selected as the Message Authentication
+            # Code (MAC) algorithm.  Conversely, if AES-GCM is selected as the MAC
+            # algorithm, it MUST also be selected as the encryption algorithm.
+            #
+            def implicit_mac?
+              true
+            end
+          end
+        end
+        # rubocop:enable Metrics/BlockLength
+      end
+      # rubocop:enable Metrics/AbcSize
+    end
+  end
+end

data/lib/net/ssh/transport/hmac/abstract.rb

@@ -1,79 +1,113 @@
 require 'openssl'
 require 'openssl/digest'
 
-module Net; module SSH; module Transport; module HMAC
+module Net
+  module SSH
+    module Transport
+      module HMAC
+        # The base class of all OpenSSL-based HMAC algorithm wrappers.
+        class Abstract
+          class << self
+            def aead(*v)
+              @aead = false if !defined?(@aead)
+              if v.empty?
+                @aead = superclass.aead if @aead.nil? && superclass.respond_to?(:aead)
+                return @aead
+              elsif v.length == 1
+                @aead = v.first
+              else
+                raise ArgumentError, "wrong number of arguments (#{v.length} for 1)"
+              end
+            end
 
-  # The base class of all OpenSSL-based HMAC algorithm wrappers.
-  class Abstract
+            def etm(*v)
+              @etm = false if !defined?(@etm)
+              if v.empty?
+                @etm = superclass.etm if @etm.nil? && superclass.respond_to?(:etm)
+                return @etm
+              elsif v.length == 1
+                @etm = v.first
+              else
+                raise ArgumentError, "wrong number of arguments (#{v.length} for 1)"
+              end
+            end
 
-    class <<self
-      def key_length(*v)
-        @key_length = nil if !defined?(@key_length)
-        if v.empty?
-          @key_length = superclass.key_length if @key_length.nil? && superclass.respond_to?(:key_length)
-          return @key_length
-        elsif v.length == 1
-          @key_length = v.first
-        else
-          raise ArgumentError, "wrong number of arguments (#{v.length} for 1)"
-        end
-      end
+            def key_length(*v)
+              @key_length = nil if !defined?(@key_length)
+              if v.empty?
+                @key_length = superclass.key_length if @key_length.nil? && superclass.respond_to?(:key_length)
+                return @key_length
+              elsif v.length == 1
+                @key_length = v.first
+              else
+                raise ArgumentError, "wrong number of arguments (#{v.length} for 1)"
+              end
+            end
 
-      def mac_length(*v)
-        @mac_length = nil if !defined?(@mac_length)
-        if v.empty?
-          @mac_length = superclass.mac_length if @mac_length.nil? && superclass.respond_to?(:mac_length)
-          return @mac_length
-        elsif v.length == 1
-          @mac_length = v.first
-        else
-          raise ArgumentError, "wrong number of arguments (#{v.length} for 1)"
-        end
-      end
+            def mac_length(*v)
+              @mac_length = nil if !defined?(@mac_length)
+              if v.empty?
+                @mac_length = superclass.mac_length if @mac_length.nil? && superclass.respond_to?(:mac_length)
+                return @mac_length
+              elsif v.length == 1
+                @mac_length = v.first
+              else
+                raise ArgumentError, "wrong number of arguments (#{v.length} for 1)"
+              end
+            end
 
-      def digest_class(*v)
-        @digest_class = nil if !defined?(@digest_class)
-        if v.empty?
-          @digest_class = superclass.digest_class if @digest_class.nil? && superclass.respond_to?(:digest_class)
-          return @digest_class
-        elsif v.length == 1
-          @digest_class = v.first
-        else
-          raise ArgumentError, "wrong number of arguments (#{v.length} for 1)"
-        end
-      end
-    end
+            def digest_class(*v)
+              @digest_class = nil if !defined?(@digest_class)
+              if v.empty?
+                @digest_class = superclass.digest_class if @digest_class.nil? && superclass.respond_to?(:digest_class)
+                return @digest_class
+              elsif v.length == 1
+                @digest_class = v.first
+              else
+                raise ArgumentError, "wrong number of arguments (#{v.length} for 1)"
+              end
+            end
+          end
 
-    def key_length
-      self.class.key_length
-    end
+          def aead
+            self.class.aead
+          end
 
-    def mac_length
-      self.class.mac_length
-    end
+          def etm
+            self.class.etm
+          end
 
-    def digest_class
-      self.class.digest_class
-    end
+          def key_length
+            self.class.key_length
+          end
 
-    # The key in use for this instance.
-    attr_reader :key
+          def mac_length
+            self.class.mac_length
+          end
 
-    def initialize(key=nil)
-      self.key = key
-    end
+          def digest_class
+            self.class.digest_class
+          end
 
-    # Sets the key to the given value, truncating it so that it is the correct
-    # length.
-    def key=(value)
-      @key = value ? value.to_s[0,key_length] : nil
-    end
+          # The key in use for this instance.
+          attr_reader :key
 
-    # Compute the HMAC digest for the given data string.
-    def digest(data)
-      OpenSSL::HMAC.digest(digest_class.new, key, data)[0,mac_length]
-    end
+          def initialize(key = nil)
+            self.key = key
+          end
 
-  end
+          # Sets the key to the given value, truncating it so that it is the correct
+          # length.
+          def key=(value)
+            @key = value ? value.to_s[0, key_length] : nil
+          end
 
-end; end; end; end
+          # Compute the HMAC digest for the given data string.
+          def digest(data)
+            OpenSSL::HMAC.digest(digest_class.new, key, data)[0, mac_length]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/hmac/md5.rb

@@ -1,12 +1,10 @@
 require 'net/ssh/transport/hmac/abstract'
 
 module Net::SSH::Transport::HMAC
-
   # The MD5 HMAC algorithm.
   class MD5 < Abstract
     mac_length   16
     key_length   16
     digest_class OpenSSL::Digest::MD5
   end
-
 end

data/lib/net/ssh/transport/hmac/md5_96.rb

@@ -1,11 +1,9 @@
 require 'net/ssh/transport/hmac/md5'
 
 module Net::SSH::Transport::HMAC
-
   # The MD5-96 HMAC algorithm. This returns only the first 12 bytes of
   # the digest.
   class MD5_96 < MD5
     mac_length 12
   end
-
 end

data/lib/net/ssh/transport/hmac/none.rb

@@ -1,7 +1,6 @@
 require 'net/ssh/transport/hmac/abstract'
 
 module Net::SSH::Transport::HMAC
-
   # The "none" algorithm. This has a key and mac length of 0.
   class None < Abstract
     key_length 0
@@ -11,5 +10,4 @@ module Net::SSH::Transport::HMAC
       ""
     end
   end
-
 end

data/lib/net/ssh/transport/hmac/ripemd160.rb

@@ -1,7 +1,6 @@
 require 'net/ssh/transport/hmac/abstract'
 
 module Net::SSH::Transport::HMAC
-
   # The RIPEMD-160 HMAC algorithm. This has a mac and key length of 20, and
   # uses the RIPEMD-160 digest algorithm.
   class RIPEMD160 < Abstract
@@ -9,5 +8,4 @@ module Net::SSH::Transport::HMAC
     key_length   20
     digest_class OpenSSL::Digest::RIPEMD160
   end
-
 end

data/lib/net/ssh/transport/hmac/sha1.rb

@@ -1,7 +1,6 @@
 require 'net/ssh/transport/hmac/abstract'
 
 module Net::SSH::Transport::HMAC
-
   # The SHA1 HMAC algorithm. This has a mac and key length of 20, and
   # uses the SHA1 digest algorithm.
   class SHA1 < Abstract
@@ -9,5 +8,4 @@ module Net::SSH::Transport::HMAC
     key_length   20
     digest_class OpenSSL::Digest::SHA1
   end
-
 end

data/lib/net/ssh/transport/hmac/sha1_96.rb

@@ -1,11 +1,9 @@
 require 'net/ssh/transport/hmac/sha1'
 
 module Net::SSH::Transport::HMAC
-
   # The SHA1-96 HMAC algorithm. This returns only the first 12 bytes of
   # the digest.
   class SHA1_96 < SHA1
     mac_length 12
   end
-
 end

data/lib/net/ssh/transport/hmac/sha2_256.rb

@@ -1,15 +1,11 @@
 require 'net/ssh/transport/hmac/abstract'
 
-if defined?(OpenSSL::Digest::SHA256) # need openssl support
-  module Net::SSH::Transport::HMAC
-
-    # The SHA-256 HMAC algorithm. This has a mac and key length of 32, and
-    # uses the SHA-256 digest algorithm.
-    class SHA2_256 < Abstract
-      mac_length   32
-      key_length   32
-      digest_class OpenSSL::Digest::SHA256
-    end
-
+module Net::SSH::Transport::HMAC
+  # The SHA-256 HMAC algorithm. This has a mac and key length of 32, and
+  # uses the SHA-256 digest algorithm.
+  class SHA2_256 < Abstract
+    mac_length   32
+    key_length   32
+    digest_class OpenSSL::Digest::SHA256
   end
 end

data/lib/net/ssh/transport/hmac/sha2_256_96.rb

@@ -1,13 +1,9 @@
 require 'net/ssh/transport/hmac/abstract'
 
 module Net::SSH::Transport::HMAC
-
-  if defined?(SHA2_256) # need openssl support
-    # The SHA256-96 HMAC algorithm. This returns only the first 12 bytes of
-    # the digest.
-    class SHA2_256_96 < SHA2_256
-      mac_length   12
-    end
+  # The SHA256-96 HMAC algorithm. This returns only the first 12 bytes of
+  # the digest.
+  class SHA2_256_96 < SHA2_256
+    mac_length 12
   end
-
 end

data/lib/net/ssh/transport/hmac/sha2_256_etm.rb

@@ -0,0 +1,12 @@
+require 'net/ssh/transport/hmac/abstract'
+
+module Net::SSH::Transport::HMAC
+  # The SHA-256 Encrypt-Then-Mac HMAC algorithm. This has a mac and
+  # key length of 32, and uses the SHA-256 digest algorithm.
+  class SHA2_256_Etm < Abstract
+    etm          true
+    mac_length   32
+    key_length   32
+    digest_class OpenSSL::Digest::SHA256
+  end
+end

data/lib/net/ssh/transport/hmac/sha2_512.rb

@@ -1,14 +1,11 @@
 require 'net/ssh/transport/hmac/abstract'
 
 module Net::SSH::Transport::HMAC
-
-  if defined?(OpenSSL::Digest::SHA512) # need openssl support
-    # The SHA-512 HMAC algorithm. This has a mac and key length of 64, and
-    # uses the SHA-512 digest algorithm.
-    class SHA2_512 < Abstract
-      mac_length   64
-      key_length   64
-      digest_class OpenSSL::Digest::SHA512
-    end
+  # The SHA-512 HMAC algorithm. This has a mac and key length of 64, and
+  # uses the SHA-512 digest algorithm.
+  class SHA2_512 < Abstract
+    mac_length   64
+    key_length   64
+    digest_class OpenSSL::Digest::SHA512
   end
 end

data/lib/net/ssh/transport/hmac/sha2_512_96.rb

@@ -1,13 +1,9 @@
 require 'net/ssh/transport/hmac/abstract'
 
 module Net::SSH::Transport::HMAC
-
-  if defined?(SHA2_512) # need openssl support
-    # The SHA2-512-96 HMAC algorithm. This returns only the first 12 bytes of
-    # the digest.
-    class SHA2_512_96 < SHA2_512
-      mac_length   12
-    end
+  # The SHA2-512-96 HMAC algorithm. This returns only the first 12 bytes of
+  # the digest.
+  class SHA2_512_96 < SHA2_512
+    mac_length 12
   end
-
 end

data/lib/net/ssh/transport/hmac/sha2_512_etm.rb

@@ -0,0 +1,12 @@
+require 'net/ssh/transport/hmac/abstract'
+
+module Net::SSH::Transport::HMAC
+  # The SHA-512 Encrypt-Then-Mac HMAC algorithm. This has a mac and
+  # key length of 64, and uses the SHA-512 digest algorithm.
+  class SHA2_512_Etm < Abstract
+    etm          true
+    mac_length   64
+    key_length   64
+    digest_class OpenSSL::Digest::SHA512
+  end
+end

data/lib/net/ssh/transport/hmac.rb

@@ -7,6 +7,8 @@ require 'net/ssh/transport/hmac/sha2_256'
 require 'net/ssh/transport/hmac/sha2_256_96'
 require 'net/ssh/transport/hmac/sha2_512'
 require 'net/ssh/transport/hmac/sha2_512_96'
+require 'net/ssh/transport/hmac/sha2_256_etm'
+require 'net/ssh/transport/hmac/sha2_512_etm'
 require 'net/ssh/transport/hmac/ripemd160'
 require 'net/ssh/transport/hmac/none'
 
@@ -15,24 +17,24 @@ require 'net/ssh/transport/hmac/none'
 module Net::SSH::Transport::HMAC
   # The mapping of SSH hmac algorithms to their implementations
   MAP = {
-    'hmac-md5'       => MD5,
-    'hmac-md5-96'    => MD5_96,
-    'hmac-sha1'      => SHA1,
-    'hmac-sha1-96'   => SHA1_96,
+    'hmac-md5' => MD5,
+    'hmac-md5-96' => MD5_96,
+    'hmac-sha1' => SHA1,
+    'hmac-sha1-96' => SHA1_96,
+    'hmac-sha2-256' => SHA2_256,
+    'hmac-sha2-256-96' => SHA2_256_96,
+    'hmac-sha2-512' => SHA2_512,
+    'hmac-sha2-512-96' => SHA2_512_96,
+    'hmac-sha2-256-etm@openssh.com' => SHA2_256_Etm,
+    'hmac-sha2-512-etm@openssh.com' => SHA2_512_Etm,
     'hmac-ripemd160' => RIPEMD160,
     'hmac-ripemd160@openssh.com' => RIPEMD160,
-    'none'           => None
+    'none' => None
   }
 
-  # add mapping to sha2 hmac algorithms if they're available
-  MAP['hmac-sha2-256']    = SHA2_256    if defined?(::Net::SSH::Transport::HMAC::SHA2_256)
-  MAP['hmac-sha2-256-96'] = SHA2_256_96 if defined?(::Net::SSH::Transport::HMAC::SHA2_256_96)
-  MAP['hmac-sha2-512']    = SHA2_512    if defined?(::Net::SSH::Transport::HMAC::SHA2_512)
-  MAP['hmac-sha2-512-96'] = SHA2_512_96 if defined?(::Net::SSH::Transport::HMAC::SHA2_512_96)
-
   # Retrieves a new hmac instance of the given SSH type (+name+). If +key+ is
   # given, the new instance will be initialized with that key.
-  def self.get(name, key="", parameters = {})
+  def self.get(name, key = "", parameters = {})
     impl = MAP[name] or raise ArgumentError, "hmac not found: #{name.inspect}"
     impl.new(Net::SSH::Transport::KeyExpander.expand_key(impl.key_length, key, parameters))
   end