net-ssh 6.1.0 → 7.3.0

data/lib/net/ssh/transport/aes256_gcm.rb

@@ -0,0 +1,40 @@
+require 'net/ssh/transport/hmac/abstract'
+require 'net/ssh/transport/gcm_cipher'
+
+module Net::SSH::Transport
+  ## Implements the aes256-gcm@openssh cipher
+  class AES256_GCM
+    extend ::Net::SSH::Transport::GCMCipher
+
+    ## Implicit HMAC, do need to do anything
+    class ImplicitHMac < ::Net::SSH::Transport::HMAC::Abstract
+      def aead
+        true
+      end
+
+      def key_length
+        32
+      end
+    end
+
+    def implicit_mac
+      ImplicitHMac.new
+    end
+
+    def algo_name
+      'aes-256-gcm'
+    end
+
+    def name
+      'aes256-gcm@openssh.com'
+    end
+
+    #
+    # --- RFC 5647 ---
+    # K_LEN       AES key length                   32 octets
+    #
+    def self.key_length
+      32
+    end
+  end
+end

data/lib/net/ssh/transport/algorithms.rb

@@ -33,21 +33,33 @@ module Net
                        ecdsa-sha2-nistp256
                        ssh-rsa-cert-v01@openssh.com
                        ssh-rsa-cert-v00@openssh.com
-                       ssh-rsa],
+                       ssh-rsa
+                       rsa-sha2-256
+                       rsa-sha2-512],
 
           kex: %w[ecdh-sha2-nistp521
                   ecdh-sha2-nistp384
                   ecdh-sha2-nistp256
                   diffie-hellman-group-exchange-sha256
+                  diffie-hellman-group14-sha256
                   diffie-hellman-group14-sha1],
 
-          encryption: %w[aes256-ctr aes192-ctr aes128-ctr],
+          encryption: %w[aes256-ctr
+                         aes192-ctr
+                         aes128-ctr
+                         aes256-gcm@openssh.com
+                         aes128-gcm@openssh.com],
 
           hmac: %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com
                    hmac-sha2-512 hmac-sha2-256
                    hmac-sha1]
         }.freeze
 
+        if Net::SSH::Transport::ChaCha20Poly1305CipherLoader::LOADED
+          DEFAULT_ALGORITHMS[:encryption].unshift(
+            'chacha20-poly1305@openssh.com'
+          )
+        end
         if Net::SSH::Authentication::ED25519Loader::LOADED
           DEFAULT_ALGORITHMS[:host_key].unshift(
             'ssh-ed25519-cert-v01@openssh.com',
@@ -143,7 +155,7 @@ module Net
 
         # Instantiates a new Algorithms object, and prepares the hash of preferred
         # algorithms based on the options parameter and the ALGORITHMS constant.
-        def initialize(session, options={})
+        def initialize(session, options = {})
           @session = session
           @logger = session.logger
           @options = options
@@ -275,7 +287,7 @@ module Net
             # existing known key for the host has preference.
 
             existing_keys = session.host_keys
-            host_keys = existing_keys.map { |key| key.ssh_type }.uniq
+            host_keys = existing_keys.flat_map { |key| key.respond_to?(:ssh_types) ? key.ssh_types : [key.ssh_type] }.uniq
             algorithms[:host_key].each do |name|
               host_keys << name unless host_keys.include?(name)
             end
@@ -366,10 +378,10 @@ module Net
           language    = algorithms[:language].join(",")
 
           Net::SSH::Buffer.from(:byte, KEXINIT,
-            :long, [rand(0xFFFFFFFF), rand(0xFFFFFFFF), rand(0xFFFFFFFF), rand(0xFFFFFFFF)],
-            :mstring, [kex, host_key, encryption, encryption, hmac, hmac],
-            :mstring, [compression, compression, language, language],
-            :bool, false, :long, 0)
+                                :long, [rand(0xFFFFFFFF), rand(0xFFFFFFFF), rand(0xFFFFFFFF), rand(0xFFFFFFFF)],
+                                :mstring, [kex, host_key, encryption, encryption, hmac, hmac],
+                                :mstring, [compression, compression, language, language],
+                                :bool, false, :long, 0)
         end
 
         # Given the parsed server KEX packet, and the client's preferred algorithm
@@ -434,14 +446,15 @@ module Net
         def exchange_keys
           debug { "exchanging keys" }
 
+          need_bytes = kex_byte_requirement
           algorithm = Kex::MAP[kex].new(self, session,
-            client_version_string: Net::SSH::Transport::ServerVersion::PROTO_VERSION,
-            server_version_string: session.server_version.version,
-            server_algorithm_packet: @server_packet,
-            client_algorithm_packet: @client_packet,
-            need_bytes: kex_byte_requirement,
-            minimum_dh_bits: options[:minimum_dh_bits],
-            logger: logger)
+                                        client_version_string: Net::SSH::Transport::ServerVersion::PROTO_VERSION,
+                                        server_version_string: session.server_version.version,
+                                        server_algorithm_packet: @server_packet,
+                                        client_algorithm_packet: @client_packet,
+                                        need_bytes: need_bytes,
+                                        minimum_dh_bits: options[:minimum_dh_bits],
+                                        logger: logger)
           result = algorithm.exchange_keys
 
           secret   = result[:shared_secret].to_ssh
@@ -461,11 +474,30 @@ module Net
 
           parameters = { shared: secret, hash: hash, digester: digester }
 
-          cipher_client = CipherFactory.get(encryption_client, parameters.merge(iv: iv_client, key: key_client, encrypt: true))
-          cipher_server = CipherFactory.get(encryption_server, parameters.merge(iv: iv_server, key: key_server, decrypt: true))
+          cipher_client = CipherFactory.get(
+            encryption_client,
+            parameters.merge(iv: iv_client, key: key_client, encrypt: true)
+          )
+          cipher_server = CipherFactory.get(
+            encryption_server,
+            parameters.merge(iv: iv_server, key: key_server, decrypt: true)
+          )
+
+          mac_client =
+            if cipher_client.implicit_mac?
+              cipher_client.implicit_mac
+            else
+              HMAC.get(hmac_client, mac_key_client, parameters)
+            end
+          mac_server =
+            if cipher_server.implicit_mac?
+              cipher_server.implicit_mac
+            else
+              HMAC.get(hmac_server, mac_key_server, parameters)
+            end
 
-          mac_client = HMAC.get(hmac_client, mac_key_client, parameters)
-          mac_server = HMAC.get(hmac_server, mac_key_server, parameters)
+          cipher_client.nonce = iv_client if mac_client.respond_to?(:aead) && mac_client.aead
+          cipher_server.nonce = iv_server if mac_server.respond_to?(:aead) && mac_client.aead
 
           session.configure_client cipher: cipher_client, hmac: mac_client,
                                    compression: normalize_compression_name(compression_client),

data/lib/net/ssh/transport/chacha20_poly1305_cipher.rb

@@ -0,0 +1,117 @@
+require 'rbnacl'
+require 'net/ssh/loggable'
+
+module Net
+  module SSH
+    module Transport
+      ## Implements the chacha20-poly1305@openssh cipher
+      class ChaCha20Poly1305Cipher
+        include Net::SSH::Loggable
+
+        # Implicit HMAC, no need to do anything
+        class ImplicitHMac
+          def etm
+            # TODO: ideally this shouln't be called
+            true
+          end
+
+          def key_length
+            64
+          end
+        end
+
+        def initialize(encrypt:, key:)
+          @chacha_hdr = OpenSSL::Cipher.new("chacha20")
+          key_len = @chacha_hdr.key_len
+          @chacha_main = OpenSSL::Cipher.new("chacha20")
+          @poly = RbNaCl::OneTimeAuths::Poly1305
+          if key.size < key_len * 2
+            error { "chacha20_poly1305: keylength doesn't match" }
+            raise "chacha20_poly1305: keylength doesn't match"
+          end
+          if encrypt
+            @chacha_hdr.encrypt
+            @chacha_main.encrypt
+          else
+            @chacha_hdr.decrypt
+            @chacha_main.decrypt
+          end
+          main_key = key[0...key_len]
+          @chacha_main.key = main_key
+          hdr_key = key[key_len...(2 * key_len)]
+          @chacha_hdr.key = hdr_key
+        end
+
+        def update_cipher_mac(payload, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_main.iv = iv_data
+          poly_key = @chacha_main.update(([0] * 32).pack('C32'))
+
+          packet_length = payload.size
+          length_data = [packet_length].pack("N")
+          @chacha_hdr.iv = iv_data
+          packet = @chacha_hdr.update(length_data)
+
+          iv_data[0] = 1.chr
+          @chacha_main.iv = iv_data
+          unencrypted_data = payload
+          packet += @chacha_main.update(unencrypted_data)
+
+          packet += @poly.auth(poly_key, packet)
+          return packet
+        end
+
+        def read_length(data, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_hdr.iv = iv_data
+          @chacha_hdr.update(data).unpack1("N")
+        end
+
+        def read_and_mac(data, mac, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_main.iv = iv_data
+          poly_key = @chacha_main.update(([0] * 32).pack('C32'))
+
+          iv_data[0] = 1.chr
+          @chacha_main.iv = iv_data
+          unencrypted_data = @chacha_main.update(data[4..])
+          begin
+            ok = @poly.verify(poly_key, mac, data[0..])
+            raise Net::SSH::Exception, "corrupted hmac detected #{name}" unless ok
+          rescue RbNaCl::BadAuthenticatorError
+            raise Net::SSH::Exception, "corrupted hmac detected #{name}"
+          end
+          return unencrypted_data
+        end
+
+        def mac_length
+          16
+        end
+
+        def block_size
+          8
+        end
+
+        def name
+          "chacha20-poly1305@openssh.com"
+        end
+
+        def implicit_mac?
+          true
+        end
+
+        def implicit_mac
+          return ImplicitHMac.new
+        end
+
+        def self.block_size
+          8
+        end
+
+        def self.key_length
+          64
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/chacha20_poly1305_cipher_loader.rb

@@ -0,0 +1,17 @@
+module Net
+  module SSH
+    module Transport
+      # Loads chacha20 poly1305 support which requires optinal dependency rbnacl
+      module ChaCha20Poly1305CipherLoader
+        begin
+          require 'net/ssh/transport/chacha20_poly1305_cipher'
+          LOADED = true
+          ERROR = nil
+        rescue LoadError => e
+          ERROR = e
+          LOADED = false
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/cipher_factory.rb

@@ -1,57 +1,82 @@
 require 'openssl'
 require 'net/ssh/transport/ctr.rb'
+require 'net/ssh/transport/aes128_gcm'
+require 'net/ssh/transport/aes256_gcm'
 require 'net/ssh/transport/key_expander'
 require 'net/ssh/transport/identity_cipher'
+require 'net/ssh/transport/chacha20_poly1305_cipher_loader'
+require 'net/ssh/transport/openssl_cipher_extensions'
 
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Transport
-
       # Implements a factory of OpenSSL cipher algorithms.
       class CipherFactory
         # Maps the SSH name of a cipher to it's corresponding OpenSSL name
         SSH_TO_OSSL = {
-          "3des-cbc"                    => "des-ede3-cbc",
-          "blowfish-cbc"                => "bf-cbc",
-          "aes256-cbc"                  => "aes-256-cbc",
-          "aes192-cbc"                  => "aes-192-cbc",
-          "aes128-cbc"                  => "aes-128-cbc",
-          "idea-cbc"                    => "idea-cbc",
-          "cast128-cbc"                 => "cast-cbc",
+          "3des-cbc" => "des-ede3-cbc",
+          "blowfish-cbc" => "bf-cbc",
+          "aes256-cbc" => "aes-256-cbc",
+          "aes192-cbc" => "aes-192-cbc",
+          "aes128-cbc" => "aes-128-cbc",
+          "idea-cbc" => "idea-cbc",
+          "cast128-cbc" => "cast-cbc",
           "rijndael-cbc@lysator.liu.se" => "aes-256-cbc",
-          "3des-ctr"                    => "des-ede3",
-          "blowfish-ctr"                => "bf-ecb",
+          "3des-ctr" => "des-ede3",
+          "blowfish-ctr" => "bf-ecb",
 
-          'aes256-ctr'                  => 'aes-256-ctr',
-          'aes192-ctr'                  => 'aes-192-ctr',
-          'aes128-ctr'                  => 'aes-128-ctr',
-          'cast128-ctr'                 => 'cast5-ecb',
+          "aes256-ctr" => ::OpenSSL::Cipher.ciphers.include?("aes-256-ctr") ? "aes-256-ctr" : "aes-256-ecb",
+          "aes192-ctr" => ::OpenSSL::Cipher.ciphers.include?("aes-192-ctr") ? "aes-192-ctr" : "aes-192-ecb",
+          "aes128-ctr" => ::OpenSSL::Cipher.ciphers.include?("aes-128-ctr") ? "aes-128-ctr" : "aes-128-ecb",
+          'cast128-ctr' => 'cast5-ecb',
 
-          'none'                        => 'none'
+          'none' => 'none'
         }
 
+        SSH_TO_CLASS = {
+          'aes256-gcm@openssh.com' => Net::SSH::Transport::AES256_GCM,
+          'aes128-gcm@openssh.com' => Net::SSH::Transport::AES128_GCM
+        }.tap do |hash|
+          if Net::SSH::Transport::ChaCha20Poly1305CipherLoader::LOADED
+            hash['chacha20-poly1305@openssh.com'] =
+              Net::SSH::Transport::ChaCha20Poly1305Cipher
+          end
+        end
+
         # Returns true if the underlying OpenSSL library supports the given cipher,
         # and false otherwise.
         def self.supported?(name)
+          return true if SSH_TO_CLASS.key?(name)
+
           ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
           return true if ossl_name == "none"
-          return OpenSSL::Cipher.ciphers.include?(ossl_name)
+
+          return SSH_TO_CLASS.key?(name) || OpenSSL::Cipher.ciphers.include?(ossl_name)
         end
-    
+
         # Retrieves a new instance of the named algorithm. The new instance
         # will be initialized using an iv and key generated from the given
         # iv, key, shared, hash and digester values. Additionally, the
         # cipher will be put into encryption or decryption mode, based on the
         # value of the +encrypt+ parameter.
-        def self.get(name, options={})
+        def self.get(name, options = {})
+          klass = SSH_TO_CLASS[name]
+          unless klass.nil?
+            key_len = klass.key_length
+            key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
+            return klass.new(encrypt: options[:encrypt], key: key)
+          end
+
           ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
           return IdentityCipher if ossl_name == "none"
+
           cipher = OpenSSL::Cipher.new(ossl_name)
-    
+
           cipher.send(options[:encrypt] ? :encrypt : :decrypt)
-    
+
           cipher.padding = 0
-    
+
+          cipher.extend(Net::SSH::Transport::OpenSSLCipherExtensions)
           if name =~ /-ctr(@openssh.org)?$/
             if ossl_name !~ /-ctr/
               cipher.extend(Net::SSH::Transport::CTR)
@@ -60,20 +85,23 @@ module Net
             end
           end
           cipher.iv = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options)
-    
+
           key_len = cipher.key_len
           cipher.key_len = key_len
           cipher.key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
-    
+
           return cipher
         end
-    
+
         # Returns a two-element array containing the [ key-length,
         # block-size ] for the named cipher algorithm. If the cipher
         # algorithm is unknown, or is "none", 0 is returned for both elements
         # of the tuple.
         # if :iv_len option is supplied the third return value will be ivlen
         def self.get_lengths(name, options = {})
+          klass = SSH_TO_CLASS[name]
+          return [klass.key_length, klass.block_size] unless klass.nil?
+
           ossl_name = SSH_TO_OSSL[name]
           if ossl_name.nil? || ossl_name == "none"
             result = [0, 0]
@@ -82,7 +110,7 @@ module Net
             cipher = OpenSSL::Cipher.new(ossl_name)
             key_len = cipher.key_len
             cipher.key_len = key_len
-    
+
             block_size =
               case ossl_name
               when /\-ctr/
@@ -90,14 +118,13 @@ module Net
               else
                 cipher.block_size
               end
-    
+
             result = [key_len, block_size]
             result << cipher.iv_len if options[:iv_len]
           end
           result
         end
       end
-
     end
   end
 end

data/lib/net/ssh/transport/constants.rb

@@ -1,5 +1,5 @@
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Transport
       module Constants
         #--
@@ -12,7 +12,7 @@ module Net
         DEBUG                     = 4
         SERVICE_REQUEST           = 5
         SERVICE_ACCEPT            = 6
-    
+
         #--
         # Algorithm negotiation messages
         #++

data/lib/net/ssh/transport/ctr.rb

@@ -2,7 +2,7 @@ require 'openssl'
 require 'delegate'
 
 module Net::SSH::Transport
-  #:nodoc:
+  # :nodoc:
   class OpenSSLAESCTR < SimpleDelegator
     def initialize(original)
       super
@@ -26,13 +26,13 @@ module Net::SSH::Transport
     end
   end
 
-  #:nodoc:
+  # :nodoc:
   # Pure-Ruby implementation of Stateful Decryption Counter(SDCTR) Mode
   # for Block Ciphers. See RFC4344 for detail.
   module CTR
     def self.extended(orig)
       orig.instance_eval {
-        @remaining = ""
+        @remaining = String.new
         @counter = nil
         @counter_len = orig.block_size
         orig.encrypt
@@ -67,13 +67,13 @@ module Net::SSH::Transport
         end
 
         def reset
-          @remaining = ""
+          @remaining = String.new
         end
 
         def update(data)
           @remaining += data
 
-          encrypted = ""
+          encrypted = String.new
 
           offset = 0
           while (@remaining.bytesize - offset) >= block_size
@@ -89,13 +89,13 @@ module Net::SSH::Transport
 
         def final
           s = @remaining.empty? ? '' : xor!(@remaining, _update(@counter))
-          @remaining = ""
+          @remaining = String.new
           s
         end
 
         def xor!(s1, s2)
           s = []
-          s1.unpack('Q*').zip(s2.unpack('Q*')) {|a,b| s.push(a ^ b) }
+          s1.unpack('Q*').zip(s2.unpack('Q*')) {|a, b| s.push(a ^ b) }
           s.pack('Q*')
         end
         singleton_class.send(:private, :xor!)