net-ssh 7.1.0 → 7.3.0

data/lib/net/ssh/transport/algorithms.rb

@@ -44,13 +44,22 @@ module Net
                   diffie-hellman-group14-sha256
                   diffie-hellman-group14-sha1],
 
-          encryption: %w[aes256-ctr aes192-ctr aes128-ctr],
+          encryption: %w[aes256-ctr
+                         aes192-ctr
+                         aes128-ctr
+                         aes256-gcm@openssh.com
+                         aes128-gcm@openssh.com],
 
           hmac: %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com
                    hmac-sha2-512 hmac-sha2-256
                    hmac-sha1]
         }.freeze
 
+        if Net::SSH::Transport::ChaCha20Poly1305CipherLoader::LOADED
+          DEFAULT_ALGORITHMS[:encryption].unshift(
+            'chacha20-poly1305@openssh.com'
+          )
+        end
         if Net::SSH::Authentication::ED25519Loader::LOADED
           DEFAULT_ALGORITHMS[:host_key].unshift(
             'ssh-ed25519-cert-v01@openssh.com',
@@ -437,12 +446,13 @@ module Net
         def exchange_keys
           debug { "exchanging keys" }
 
+          need_bytes = kex_byte_requirement
           algorithm = Kex::MAP[kex].new(self, session,
                                         client_version_string: Net::SSH::Transport::ServerVersion::PROTO_VERSION,
                                         server_version_string: session.server_version.version,
                                         server_algorithm_packet: @server_packet,
                                         client_algorithm_packet: @client_packet,
-                                        need_bytes: kex_byte_requirement,
+                                        need_bytes: need_bytes,
                                         minimum_dh_bits: options[:minimum_dh_bits],
                                         logger: logger)
           result = algorithm.exchange_keys
@@ -464,11 +474,30 @@ module Net
 
           parameters = { shared: secret, hash: hash, digester: digester }
 
-          cipher_client = CipherFactory.get(encryption_client, parameters.merge(iv: iv_client, key: key_client, encrypt: true))
-          cipher_server = CipherFactory.get(encryption_server, parameters.merge(iv: iv_server, key: key_server, decrypt: true))
+          cipher_client = CipherFactory.get(
+            encryption_client,
+            parameters.merge(iv: iv_client, key: key_client, encrypt: true)
+          )
+          cipher_server = CipherFactory.get(
+            encryption_server,
+            parameters.merge(iv: iv_server, key: key_server, decrypt: true)
+          )
+
+          mac_client =
+            if cipher_client.implicit_mac?
+              cipher_client.implicit_mac
+            else
+              HMAC.get(hmac_client, mac_key_client, parameters)
+            end
+          mac_server =
+            if cipher_server.implicit_mac?
+              cipher_server.implicit_mac
+            else
+              HMAC.get(hmac_server, mac_key_server, parameters)
+            end
 
-          mac_client = HMAC.get(hmac_client, mac_key_client, parameters)
-          mac_server = HMAC.get(hmac_server, mac_key_server, parameters)
+          cipher_client.nonce = iv_client if mac_client.respond_to?(:aead) && mac_client.aead
+          cipher_server.nonce = iv_server if mac_server.respond_to?(:aead) && mac_client.aead
 
           session.configure_client cipher: cipher_client, hmac: mac_client,
                                    compression: normalize_compression_name(compression_client),

data/lib/net/ssh/transport/chacha20_poly1305_cipher.rb

@@ -0,0 +1,117 @@
+require 'rbnacl'
+require 'net/ssh/loggable'
+
+module Net
+  module SSH
+    module Transport
+      ## Implements the chacha20-poly1305@openssh cipher
+      class ChaCha20Poly1305Cipher
+        include Net::SSH::Loggable
+
+        # Implicit HMAC, no need to do anything
+        class ImplicitHMac
+          def etm
+            # TODO: ideally this shouln't be called
+            true
+          end
+
+          def key_length
+            64
+          end
+        end
+
+        def initialize(encrypt:, key:)
+          @chacha_hdr = OpenSSL::Cipher.new("chacha20")
+          key_len = @chacha_hdr.key_len
+          @chacha_main = OpenSSL::Cipher.new("chacha20")
+          @poly = RbNaCl::OneTimeAuths::Poly1305
+          if key.size < key_len * 2
+            error { "chacha20_poly1305: keylength doesn't match" }
+            raise "chacha20_poly1305: keylength doesn't match"
+          end
+          if encrypt
+            @chacha_hdr.encrypt
+            @chacha_main.encrypt
+          else
+            @chacha_hdr.decrypt
+            @chacha_main.decrypt
+          end
+          main_key = key[0...key_len]
+          @chacha_main.key = main_key
+          hdr_key = key[key_len...(2 * key_len)]
+          @chacha_hdr.key = hdr_key
+        end
+
+        def update_cipher_mac(payload, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_main.iv = iv_data
+          poly_key = @chacha_main.update(([0] * 32).pack('C32'))
+
+          packet_length = payload.size
+          length_data = [packet_length].pack("N")
+          @chacha_hdr.iv = iv_data
+          packet = @chacha_hdr.update(length_data)
+
+          iv_data[0] = 1.chr
+          @chacha_main.iv = iv_data
+          unencrypted_data = payload
+          packet += @chacha_main.update(unencrypted_data)
+
+          packet += @poly.auth(poly_key, packet)
+          return packet
+        end
+
+        def read_length(data, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_hdr.iv = iv_data
+          @chacha_hdr.update(data).unpack1("N")
+        end
+
+        def read_and_mac(data, mac, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_main.iv = iv_data
+          poly_key = @chacha_main.update(([0] * 32).pack('C32'))
+
+          iv_data[0] = 1.chr
+          @chacha_main.iv = iv_data
+          unencrypted_data = @chacha_main.update(data[4..])
+          begin
+            ok = @poly.verify(poly_key, mac, data[0..])
+            raise Net::SSH::Exception, "corrupted hmac detected #{name}" unless ok
+          rescue RbNaCl::BadAuthenticatorError
+            raise Net::SSH::Exception, "corrupted hmac detected #{name}"
+          end
+          return unencrypted_data
+        end
+
+        def mac_length
+          16
+        end
+
+        def block_size
+          8
+        end
+
+        def name
+          "chacha20-poly1305@openssh.com"
+        end
+
+        def implicit_mac?
+          true
+        end
+
+        def implicit_mac
+          return ImplicitHMac.new
+        end
+
+        def self.block_size
+          8
+        end
+
+        def self.key_length
+          64
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/chacha20_poly1305_cipher_loader.rb

@@ -0,0 +1,17 @@
+module Net
+  module SSH
+    module Transport
+      # Loads chacha20 poly1305 support which requires optinal dependency rbnacl
+      module ChaCha20Poly1305CipherLoader
+        begin
+          require 'net/ssh/transport/chacha20_poly1305_cipher'
+          LOADED = true
+          ERROR = nil
+        rescue LoadError => e
+          ERROR = e
+          LOADED = false
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/cipher_factory.rb

@@ -1,7 +1,11 @@
 require 'openssl'
 require 'net/ssh/transport/ctr.rb'
+require 'net/ssh/transport/aes128_gcm'
+require 'net/ssh/transport/aes256_gcm'
 require 'net/ssh/transport/key_expander'
 require 'net/ssh/transport/identity_cipher'
+require 'net/ssh/transport/chacha20_poly1305_cipher_loader'
+require 'net/ssh/transport/openssl_cipher_extensions'
 
 module Net
   module SSH
@@ -29,13 +33,25 @@ module Net
           'none' => 'none'
         }
 
+        SSH_TO_CLASS = {
+          'aes256-gcm@openssh.com' => Net::SSH::Transport::AES256_GCM,
+          'aes128-gcm@openssh.com' => Net::SSH::Transport::AES128_GCM
+        }.tap do |hash|
+          if Net::SSH::Transport::ChaCha20Poly1305CipherLoader::LOADED
+            hash['chacha20-poly1305@openssh.com'] =
+              Net::SSH::Transport::ChaCha20Poly1305Cipher
+          end
+        end
+
         # Returns true if the underlying OpenSSL library supports the given cipher,
         # and false otherwise.
         def self.supported?(name)
+          return true if SSH_TO_CLASS.key?(name)
+
           ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
           return true if ossl_name == "none"
 
-          return OpenSSL::Cipher.ciphers.include?(ossl_name)
+          return SSH_TO_CLASS.key?(name) || OpenSSL::Cipher.ciphers.include?(ossl_name)
         end
 
         # Retrieves a new instance of the named algorithm. The new instance
@@ -44,6 +60,13 @@ module Net
         # cipher will be put into encryption or decryption mode, based on the
         # value of the +encrypt+ parameter.
         def self.get(name, options = {})
+          klass = SSH_TO_CLASS[name]
+          unless klass.nil?
+            key_len = klass.key_length
+            key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
+            return klass.new(encrypt: options[:encrypt], key: key)
+          end
+
           ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
           return IdentityCipher if ossl_name == "none"
 
@@ -53,6 +76,7 @@ module Net
 
           cipher.padding = 0
 
+          cipher.extend(Net::SSH::Transport::OpenSSLCipherExtensions)
           if name =~ /-ctr(@openssh.org)?$/
             if ossl_name !~ /-ctr/
               cipher.extend(Net::SSH::Transport::CTR)
@@ -75,6 +99,9 @@ module Net
         # of the tuple.
         # if :iv_len option is supplied the third return value will be ivlen
         def self.get_lengths(name, options = {})
+          klass = SSH_TO_CLASS[name]
+          return [klass.key_length, klass.block_size] unless klass.nil?
+
           ossl_name = SSH_TO_OSSL[name]
           if ossl_name.nil? || ossl_name == "none"
             result = [0, 0]

data/lib/net/ssh/transport/gcm_cipher.rb

@@ -0,0 +1,207 @@
+require 'net/ssh/loggable'
+
+module Net
+  module SSH
+    module Transport
+      ## Extension module for aes(128|256)gcm ciphers
+      module GCMCipher
+        # rubocop:disable Metrics/AbcSize
+        def self.extended(orig)
+          # rubocop:disable Metrics/BlockLength
+          orig.class_eval do
+            include Net::SSH::Loggable
+
+            attr_reader   :cipher
+            attr_reader   :key
+            attr_accessor :nonce
+
+            #
+            # Semantically gcm cipher supplies the OpenSSL iv interface with a nonce
+            #   as it is not randomly generated due to being supplied from a counter.
+            # The RFC's use IV and nonce interchangeably.
+            #
+            def initialize(encrypt:, key:)
+              @cipher = OpenSSL::Cipher.new(algo_name)
+              @key    = key
+              key_len = @cipher.key_len
+              if key.size != key_len
+                error_message = "#{cipher_name}: keylength does not match"
+                error { error_message }
+                raise error_message
+              end
+              encrypt ? @cipher.encrypt : @cipher.decrypt
+              @cipher.key = key
+
+              @nonce = {
+                fixed: nil,
+                invocation_counter: 0
+              }
+            end
+
+            def update_cipher_mac(payload, _sequence_number)
+              #
+              # --- RFC 5647 7.3 ---
+              # When using AES-GCM with secure shell, the packet_length field is to
+              # be treated as additional authenticated data, not as plaintext.
+              #
+              length_data      = [payload.bytesize].pack('N')
+
+              cipher.auth_data = length_data
+
+              encrypted_data   = cipher.update(payload) << cipher.final
+
+              mac              = cipher.auth_tag
+
+              incr_nonce
+              length_data + encrypted_data + mac
+            end
+
+            #
+            # --- RFC 5647 ---
+            # uint32    packet_length;  // 0 <= packet_length < 2^32
+            #
+            def read_length(data, _sequence_number)
+              data.unpack1('N')
+            end
+
+            #
+            # --- RFC 5647 ---
+            # In AES-GCM secure shell, the inputs to the authenticated encryption
+            # are:
+            #  PT (Plain Text)
+            #      byte      padding_length; // 4 <= padding_length < 256
+            #      byte[n1]  payload;        // n1 = packet_length-padding_length-1
+            #      byte[n2]  random_padding; // n2 = padding_length
+            #  AAD (Additional Authenticated Data)
+            #      uint32    packet_length;  // 0 <= packet_length < 2^32
+            #  IV (Initialization Vector)
+            #      As described in section 7.1.
+            #  BK (Block Cipher Key)
+            #      The appropriate Encryption Key formed during the Key Exchange.
+            #
+            def read_and_mac(data, mac, _sequence_number)
+              # The authentication tag will be placed in the MAC field at the end of the packet
+
+              # OpenSSL does not verify auth tag length
+              # GCM mode allows arbitrary sizes for the auth_tag up to 128 bytes and a single
+              #   byte allows authentication to pass. If single byte auth tags are possible
+              #   an attacker would require no more than 256 attempts to forge a valid tag.
+              #
+              raise 'incorrect auth_tag length' unless mac.to_s.length == mac_length
+
+              packet_length    = data.unpack1('N')
+
+              cipher.auth_tag  = mac.to_s
+              cipher.auth_data = [packet_length].pack('N')
+
+              result = cipher.update(data[4...]) << cipher.final
+              incr_nonce
+              result
+            end
+
+            def mac_length
+              16
+            end
+
+            def block_size
+              16
+            end
+
+            def self.block_size
+              16
+            end
+
+            #
+            # --- RFC 5647 ---
+            # N_MIN       minimum nonce (IV) length        12 octets
+            # N_MAX       maximum nonce (IV) length        12 octets
+            #
+            def iv_len
+              12
+            end
+
+            #
+            # --- RFC 5288 ---
+            # Each value of the nonce_explicit MUST be distinct for each distinct
+            # invocation of the GCM encrypt function for any fixed key. Failure to
+            # meet this uniqueness requirement can significantly degrade security.
+            # The nonce_explicit MAY be the 64-bit sequence number.
+            #
+            # --- RFC 5116 ---
+            # (2.1) Applications that can generate distinct nonces SHOULD use the nonce
+            # formation method defined in Section 3.2, and MAY use any
+            # other method that meets the uniqueness requirement.
+            #
+            # (3.2) The following method to construct nonces is RECOMMENDED.
+            #
+            #  <- variable -> <- variable ->
+            #  - - - - - - -  - - - - - - -
+            # |    fixed     |    counter   |
+            #
+            # Initial octets consist of a fixed field and final octets consist of a
+            # Counter field. Implementations SHOULD support 12-octet nonces in which
+            # the Counter field is four octets long.
+            # The Counter fields of successive nonces form a monotonically increasing
+            # sequence, when those fields are regarded as unsignd integers in network
+            # byte order.
+            # The Counter part SHOULD be equal to zero for the first nonce and increment
+            # by one for each successive nonce that is generated.
+            # The Fixed field MUST remain constant for all nonces that are generated for
+            # a given encryption device.
+            #
+            # --- RFC 5647 ---
+            # The invocation field is treated as a 64-bit integer and is increment after
+            # each invocation of AES-GCM to process a binary packet.
+            # AES-GCM produces a keystream in blocks of 16-octets that is used to
+            # encrypt the plaintext. This keystream is produced by encrypting the
+            # following 16-octet data structure:
+            #
+            # uint32 fixed;              // 4 octets
+            # uint64 invocation_counter; // 8 octets
+            # unit32 block_counter;      // 4 octets
+            #
+            # The block_counter is initially set to one (1) and increment as each block
+            # of key is produced.
+            #
+            # The reader is reminded that SSH requires that the data to be encrypted
+            # MUST be padded out to a multiple of the block size (16-octets for AES-GCM).
+            #
+            def incr_nonce
+              return if nonce[:fixed].nil?
+
+              nonce[:invocation_counter] = [nonce[:invocation_counter].to_s.unpack1('B*').to_i(2) + 1].pack('Q>*')
+
+              apply_nonce
+            end
+
+            def nonce=(iv_s)
+              return if nonce[:fixed]
+
+              nonce[:fixed]              = iv_s[0...4]
+              nonce[:invocation_counter] = iv_s[4...12]
+
+              apply_nonce
+            end
+
+            def apply_nonce
+              cipher.iv = "#{nonce[:fixed]}#{nonce[:invocation_counter]}"
+            end
+
+            #
+            # --- RFC 5647 ---
+            # If AES-GCM is selected as the encryption algorithm for a given
+            # tunnel, AES-GCM MUST also be selected as the Message Authentication
+            # Code (MAC) algorithm.  Conversely, if AES-GCM is selected as the MAC
+            # algorithm, it MUST also be selected as the encryption algorithm.
+            #
+            def implicit_mac?
+              true
+            end
+          end
+        end
+        # rubocop:enable Metrics/BlockLength
+      end
+      # rubocop:enable Metrics/AbcSize
+    end
+  end
+end

data/lib/net/ssh/transport/hmac/abstract.rb

@@ -8,6 +8,18 @@ module Net
         # The base class of all OpenSSL-based HMAC algorithm wrappers.
         class Abstract
           class << self
+            def aead(*v)
+              @aead = false if !defined?(@aead)
+              if v.empty?
+                @aead = superclass.aead if @aead.nil? && superclass.respond_to?(:aead)
+                return @aead
+              elsif v.length == 1
+                @aead = v.first
+              else
+                raise ArgumentError, "wrong number of arguments (#{v.length} for 1)"
+              end
+            end
+
             def etm(*v)
               @etm = false if !defined?(@etm)
               if v.empty?
@@ -57,6 +69,10 @@ module Net
             end
           end
 
+          def aead
+            self.class.aead
+          end
+
           def etm
             self.class.etm
           end

data/lib/net/ssh/transport/identity_cipher.rb

@@ -11,6 +11,10 @@ module Net
             8
           end
 
+          def key_length
+            0
+          end
+
           # Returns an arbitrary integer.
           def iv_len
             4
@@ -50,6 +54,10 @@ module Net
           def reset
             self
           end
+
+          def implicit_mac?
+            false
+          end
         end
       end
     end

data/lib/net/ssh/transport/openssl_cipher_extensions.rb

@@ -0,0 +1,8 @@
+module Net::SSH::Transport
+  # we add those mehtods to OpenSSL::Chipher instances
+  module OpenSSLCipherExtensions
+    def implicit_mac?
+      false
+    end
+  end
+end

data/lib/net/ssh/transport/packet_stream.rb

@@ -12,7 +12,7 @@ module Net
       # module. It adds SSH encryption, compression, and packet validation, as
       # per the SSH2 protocol. It also adds an abstraction for polling packets,
       # to allow for both blocking and non-blocking reads.
-      module PacketStream
+      module PacketStream # rubocop:disable Metrics/ModuleLength
         PROXY_COMMAND_HOST_IP = '<no hostip for proxy command>'.freeze
 
         include BufferedIo
@@ -123,12 +123,12 @@ module Net
         # Enqueues a packet to be sent, but does not immediately send the packet.
         # The given payload is pre-processed according to the algorithms specified
         # in the client state (compression, cipher, and hmac).
-        def enqueue_packet(payload)
+        def enqueue_packet(payload) # rubocop:disable Metrics/AbcSize
           # try to compress the packet
           payload = client.compress(payload)
 
           # the length of the packet, minus the padding
-          actual_length = (client.hmac.etm ? 0 : 4) + payload.bytesize + 1
+          actual_length = (client.hmac.etm || client.hmac.aead ? 0 : 4) + payload.bytesize + 1
 
           # compute the padding length
           padding_length = client.block_size - (actual_length % client.block_size)
@@ -144,11 +144,14 @@ module Net
 
           padding = Array.new(padding_length) { rand(256) }.pack("C*")
 
-          if client.hmac.etm
+          if client.cipher.implicit_mac?
+            unencrypted_data = [padding_length, payload, padding].pack("CA*A*")
+            message = client.cipher.update_cipher_mac(unencrypted_data, client.sequence_number)
+          elsif client.hmac.etm
             debug { "using encrypt-then-mac" }
 
             # Encrypt padding_length, payload, and padding. Take MAC
-            # from the unencrypted packet_lenght and the encrypted
+            # from the unencrypted packet_length and the encrypted
             # data.
             length_data = [packet_length].pack("N")
 
@@ -216,7 +219,7 @@ module Net
         # new Packet object.
         # rubocop:disable Metrics/AbcSize
         def poll_next_packet
-          aad_length = server.hmac.etm ? 4 : 0
+          aad_length = server.hmac.etm || server.hmac.aead ? 4 : 0
 
           if @packet.nil?
             minimum = server.block_size < 4 ? 4 : server.block_size
@@ -225,7 +228,11 @@ module Net
             data = read_available(minimum + aad_length)
 
             # decipher it
-            if server.hmac.etm
+            if server.cipher.implicit_mac?
+              @packet_length = server.cipher.read_length(data[0...4], server.sequence_number)
+              @packet = Net::SSH::Buffer.new
+              @mac_data = data
+            elsif server.hmac.etm
               @packet_length = data.unpack("N").first
               @mac_data = data
               @packet = Net::SSH::Buffer.new(server.update_cipher(data[aad_length..-1]))
@@ -238,31 +245,45 @@ module Net
           need = @packet_length + 4 - aad_length - server.block_size
           raise Net::SSH::Exception, "padding error, need #{need} block #{server.block_size}" if need % server.block_size != 0
 
-          return nil if available < need + server.hmac.mac_length
+          if server.cipher.implicit_mac?
+            return nil if available < need + server.cipher.mac_length
+          else
+            return nil if available < need + server.hmac.mac_length # rubocop:disable Style/IfInsideElse
+          end
 
           if need > 0
             # read the remainder of the packet and decrypt it.
             data = read_available(need)
-            @mac_data += data if server.hmac.etm
-            @packet.append(server.update_cipher(data))
+            @mac_data += data if server.hmac.etm || server.cipher.implicit_mac?
+            unless server.cipher.implicit_mac?
+              @packet.append(
+                server.update_cipher(data)
+              )
+            end
           end
 
-          # get the hmac from the tail of the packet (if one exists), and
-          # then validate it.
-          real_hmac = read_available(server.hmac.mac_length) || ""
-
-          @packet.append(server.final_cipher)
-          padding_length = @packet.read_byte
+          if server.cipher.implicit_mac?
+            real_hmac = read_available(server.cipher.mac_length) || ""
+            @packet = Net::SSH::Buffer.new(server.cipher.read_and_mac(@mac_data, real_hmac, server.sequence_number))
+            padding_length = @packet.read_byte
+            payload = @packet.read(@packet_length - padding_length - 1)
+          else
+            # get the hmac from the tail of the packet (if one exists), and
+            # then validate it.
+            real_hmac = read_available(server.hmac.mac_length) || ""
 
-          payload = @packet.read(@packet_length - padding_length - 1)
+            @packet.append(server.final_cipher)
+            padding_length = @packet.read_byte
 
-          my_computed_hmac = if server.hmac.etm
-                               server.hmac.digest([server.sequence_number, @mac_data].pack("NA*"))
-                             else
-                               server.hmac.digest([server.sequence_number, @packet.content].pack("NA*"))
-                             end
-          raise Net::SSH::Exception, "corrupted hmac detected #{server.hmac.class}" if real_hmac != my_computed_hmac
+            payload = @packet.read(@packet_length - padding_length - 1)
 
+            my_computed_hmac = if server.hmac.etm
+                                 server.hmac.digest([server.sequence_number, @mac_data].pack("NA*"))
+                               else
+                                 server.hmac.digest([server.sequence_number, @packet.content].pack("NA*"))
+                               end
+            raise Net::SSH::Exception, "corrupted hmac detected #{server.hmac.class}" if real_hmac != my_computed_hmac
+          end
           # try to decompress the payload, in case compression is active
           payload = server.decompress(payload)
 

data/lib/net/ssh/transport/state.rb

@@ -125,7 +125,7 @@ module Net
           compressor.deflate(data, Zlib::SYNC_FLUSH)
         end
 
-        # Deompresses the data. If no compression is in effect, this will just return
+        # Decompresses the data. If no compression is in effect, this will just return
         # the data unmodified, otherwise it uses #decompressor to decompress the data.
         def decompress(data)
           data = data.to_s