@electerm/ssh2 1.14.0 → 1.16.1

package/lib/protocol/crypto/build/sshcrypto.target.mk

@@ -0,0 +1,194 @@
+# This file is generated by gyp; do not edit.
+
+TOOLSET := target
+TARGET := sshcrypto
+DEFS_Debug := \
+	'-DNODE_GYP_MODULE_NAME=sshcrypto' \
+	'-DUSING_UV_SHARED=1' \
+	'-DUSING_V8_SHARED=1' \
+	'-DV8_DEPRECATION_WARNINGS=1' \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DV8_IMMINENT_DEPRECATION_WARNINGS' \
+	'-D_GLIBCXX_USE_CXX11_ABI=1' \
+	'-D_DARWIN_USE_64_BIT_INODE=1' \
+	'-D_LARGEFILE_SOURCE' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DOPENSSL_NO_PINSHARED' \
+	'-DOPENSSL_THREADS' \
+	'-DOPENSSL_API_COMPAT=0x10100000L' \
+	'-DREAL_OPENSSL_MAJOR=3' \
+	'-DBUILDING_NODE_EXTENSION' \
+	'-DDEBUG' \
+	'-D_DEBUG' \
+	'-DV8_ENABLE_CHECKS'
+
+# Flags passed to all source files.
+CFLAGS_Debug := \
+	-O0 \
+	-gdwarf-2 \
+	-mmacosx-version-min=10.15 \
+	-arch x86_64 \
+	-Wall \
+	-Wendif-labels \
+	-W \
+	-Wno-unused-parameter
+
+# Flags passed to only C files.
+CFLAGS_C_Debug := \
+	-fno-strict-aliasing
+
+# Flags passed to only C++ files.
+CFLAGS_CC_Debug := \
+	-std=gnu++17 \
+	-stdlib=libc++ \
+	-fno-rtti \
+	-fno-exceptions \
+	-fno-strict-aliasing
+
+# Flags passed to only ObjC files.
+CFLAGS_OBJC_Debug :=
+
+# Flags passed to only ObjC++ files.
+CFLAGS_OBJCC_Debug :=
+
+INCS_Debug := \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/include/node \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/src \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/deps/openssl/config \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/deps/openssl/openssl/include \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/deps/uv/include \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/deps/zlib \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/deps/v8/include \
+	-I$(srcdir)/../../../node_modules/nan
+
+DEFS_Release := \
+	'-DNODE_GYP_MODULE_NAME=sshcrypto' \
+	'-DUSING_UV_SHARED=1' \
+	'-DUSING_V8_SHARED=1' \
+	'-DV8_DEPRECATION_WARNINGS=1' \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DV8_IMMINENT_DEPRECATION_WARNINGS' \
+	'-D_GLIBCXX_USE_CXX11_ABI=1' \
+	'-D_DARWIN_USE_64_BIT_INODE=1' \
+	'-D_LARGEFILE_SOURCE' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DOPENSSL_NO_PINSHARED' \
+	'-DOPENSSL_THREADS' \
+	'-DOPENSSL_API_COMPAT=0x10100000L' \
+	'-DREAL_OPENSSL_MAJOR=3' \
+	'-DBUILDING_NODE_EXTENSION'
+
+# Flags passed to all source files.
+CFLAGS_Release := \
+	-O3 \
+	-gdwarf-2 \
+	-mmacosx-version-min=10.15 \
+	-arch x86_64 \
+	-Wall \
+	-Wendif-labels \
+	-W \
+	-Wno-unused-parameter
+
+# Flags passed to only C files.
+CFLAGS_C_Release := \
+	-fno-strict-aliasing
+
+# Flags passed to only C++ files.
+CFLAGS_CC_Release := \
+	-std=gnu++17 \
+	-stdlib=libc++ \
+	-fno-rtti \
+	-fno-exceptions \
+	-fno-strict-aliasing
+
+# Flags passed to only ObjC files.
+CFLAGS_OBJC_Release :=
+
+# Flags passed to only ObjC++ files.
+CFLAGS_OBJCC_Release :=
+
+INCS_Release := \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/include/node \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/src \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/deps/openssl/config \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/deps/openssl/openssl/include \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/deps/uv/include \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/deps/zlib \
+	-I/Users/home/Library/Caches/node-gyp/18.17.1/deps/v8/include \
+	-I$(srcdir)/../../../node_modules/nan
+
+OBJS := \
+	$(obj).target/$(TARGET)/src/binding.o
+
+# Add to the list of files we specially track dependencies for.
+all_deps += $(OBJS)
+
+# CFLAGS et al overrides must be target-local.
+# See "Target-specific Variable Values" in the GNU Make manual.
+$(OBJS): TOOLSET := $(TOOLSET)
+$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE))  $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE))
+$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE))  $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE))
+$(OBJS): GYP_OBJCFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE))  $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) $(CFLAGS_OBJC_$(BUILDTYPE))
+$(OBJS): GYP_OBJCXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE))  $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) $(CFLAGS_OBJCC_$(BUILDTYPE))
+
+# Suffix rules, putting all outputs into $(obj).
+
+$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.cc FORCE_DO_CMD
+	@$(call do_cmd,cxx,1)
+
+# Try building from generated source, too.
+
+$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.cc FORCE_DO_CMD
+	@$(call do_cmd,cxx,1)
+
+$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.cc FORCE_DO_CMD
+	@$(call do_cmd,cxx,1)
+
+# End of this set of suffix rules
+### Rules for final target.
+LDFLAGS_Debug := \
+	-undefined dynamic_lookup \
+	-Wl,-search_paths_first \
+	-mmacosx-version-min=10.15 \
+	-arch x86_64 \
+	-L$(builddir) \
+	-stdlib=libc++
+
+LIBTOOLFLAGS_Debug := \
+	-undefined dynamic_lookup \
+	-Wl,-search_paths_first
+
+LDFLAGS_Release := \
+	-undefined dynamic_lookup \
+	-Wl,-search_paths_first \
+	-mmacosx-version-min=10.15 \
+	-arch x86_64 \
+	-L$(builddir) \
+	-stdlib=libc++
+
+LIBTOOLFLAGS_Release := \
+	-undefined dynamic_lookup \
+	-Wl,-search_paths_first
+
+LIBS :=
+
+$(builddir)/sshcrypto.node: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE))
+$(builddir)/sshcrypto.node: LIBS := $(LIBS)
+$(builddir)/sshcrypto.node: GYP_LIBTOOLFLAGS := $(LIBTOOLFLAGS_$(BUILDTYPE))
+$(builddir)/sshcrypto.node: TOOLSET := $(TOOLSET)
+$(builddir)/sshcrypto.node: $(OBJS) FORCE_DO_CMD
+	$(call do_cmd,solink_module)
+
+all_deps += $(builddir)/sshcrypto.node
+# Add target alias
+.PHONY: sshcrypto
+sshcrypto: $(builddir)/sshcrypto.node
+
+# Short alias for building this executable.
+.PHONY: sshcrypto.node
+sshcrypto.node: $(builddir)/sshcrypto.node
+
+# Add executable to "all" target.
+.PHONY: all
+all: $(builddir)/sshcrypto.node
+

package/lib/protocol/kex.js

@@ -232,13 +232,37 @@ function handleKexInit(self, payload) {
     clientList = localKex;
     remoteExtInfoEnabled = (serverList.indexOf('ext-info-s') !== -1);
   }
+  if (self._strictMode === undefined) {
+    if (self._server) {
+      self._strictMode =
+        (clientList.indexOf('kex-strict-c-v00@openssh.com') !== -1);
+    } else {
+      self._strictMode =
+        (serverList.indexOf('kex-strict-s-v00@openssh.com') !== -1);
+    }
+    // Note: We check for seqno of 1 instead of 0 since we increment before
+    //       calling the packet handler
+    if (self._strictMode) {
+      debug && debug('Handshake: strict KEX mode enabled');
+      if (self._decipher.inSeqno !== 1) {
+        if (debug)
+          debug('Handshake: KEXINIT not first packet in strict KEX mode');
+        return doFatalError(
+          self,
+          'Handshake failed: KEXINIT not first packet in strict KEX mode',
+          'handshake',
+          DISCONNECT_REASON.KEY_EXCHANGE_FAILED
+        );
+      }
+    }
+  }
   // Check for agreeable key exchange algorithm
   for (i = 0;
        i < clientList.length && serverList.indexOf(clientList[i]) === -1;
        ++i);
   if (i === clientList.length) {
     // No suitable match found!
-    debug && debug('Handshake: No matching key exchange algorithm');
+    debug && debug('Handshake: no matching key exchange algorithm');
     return doFatalError(
       self,
       'Handshake failed: no matching key exchange algorithm',
@@ -1236,6 +1260,8 @@ const createKeyExchange = (() => {
             'Inbound: NEWKEYS'
           );
           this._receivedNEWKEYS = true;
+          if (this._protocol._strictMode)
+            this._protocol._decipher.inSeqno = 0;
           ++this._step;
 
           return this.finish(!this._protocol._server && !this._hostVerified);
@@ -1756,11 +1782,20 @@ function onKEXPayload(state, payload) {
   payload = this._packetRW.read.read(payload);
 
   const type = payload[0];
+
+  if (!this._strictMode) {
+    switch (type) {
+      case MESSAGE.IGNORE:
+      case MESSAGE.UNIMPLEMENTED:
+      case MESSAGE.DEBUG:
+        if (!MESSAGE_HANDLERS)
+          MESSAGE_HANDLERS = require('./handlers.js');
+        return MESSAGE_HANDLERS[type](this, payload);
+    }
+  }
+
   switch (type) {
     case MESSAGE.DISCONNECT:
-    case MESSAGE.IGNORE:
-    case MESSAGE.UNIMPLEMENTED:
-    case MESSAGE.DEBUG:
       if (!MESSAGE_HANDLERS)
         MESSAGE_HANDLERS = require('./handlers.js');
       return MESSAGE_HANDLERS[type](this, payload);
@@ -1776,6 +1811,8 @@ function onKEXPayload(state, payload) {
       state.firstPacket = false;
       return handleKexInit(this, payload);
     default:
+      // Ensure packet is either an algorithm negotiation or KEX
+      // algorithm-specific packet
       if (type < 20 || type > 49) {
         return doFatalError(
           this,
@@ -1824,6 +1861,8 @@ function trySendNEWKEYS(kex) {
       kex._protocol._packetRW.write.finalize(packet, true)
     );
     kex._sentNEWKEYS = true;
+    if (kex._protocol._strictMode)
+      kex._protocol._cipher.outSeqno = 0;
   }
 }
 
@@ -1832,7 +1871,7 @@ module.exports = {
   kexinit,
   onKEXPayload,
   DEFAULT_KEXINIT_CLIENT: new KexInit({
-    kex: DEFAULT_KEX.concat(['ext-info-c']),
+    kex: DEFAULT_KEX.concat(['ext-info-c', 'kex-strict-c-v00@openssh.com']),
     serverHostKey: DEFAULT_SERVER_HOST_KEY,
     cs: {
       cipher: DEFAULT_CIPHER,
@@ -1848,7 +1887,7 @@ module.exports = {
     },
   }),
   DEFAULT_KEXINIT_SERVER: new KexInit({
-    kex: DEFAULT_KEX,
+    kex: DEFAULT_KEX.concat(['kex-strict-s-v00@openssh.com']),
     serverHostKey: DEFAULT_SERVER_HOST_KEY,
     cs: {
       cipher: DEFAULT_CIPHER,

package/lib/protocol/keyParser.js

@@ -446,7 +446,7 @@ const BaseKey = {
       this.type === parsed.type
       && this[SYM_PRIV_PEM] === parsed[SYM_PRIV_PEM]
       && this[SYM_PUB_PEM] === parsed[SYM_PUB_PEM]
-      && this[SYM_PUB_SSH] === parsed[SYM_PUB_SSH]
+      && this[SYM_PUB_SSH].equals(parsed[SYM_PUB_SSH])
     );
   },
 };

package/lib/protocol/zlib.js

@@ -69,8 +69,9 @@ class Zlib {
 
   writeSync(chunk, retChunks) {
     const handle = this._handle;
-    if (!handle)
-      throw new Error('Invalid Zlib instance');
+    if (!handle) {
+      return;
+    }
 
     let availInBefore = chunk.length;
     let availOutBefore = this._chunkSize - this._outOffset;
@@ -188,6 +189,9 @@ class ZlibPacketWriter {
   finalize(payload, force) {
     if (this._protocol._kexinit === undefined || force) {
       const output = this._zlib.writeSync(payload, true);
+      if (!output) {
+        return;
+      }
       const packet = this._protocol._cipher.allocPacket(output.totalLen);
       if (output.push === undefined) {
         packet.set(output, 5);

package/lib/server.js

@@ -294,7 +294,11 @@ class Server extends EventEmitter {
     }
 
     const algorithms = {
-      kex: generateAlgorithmList(cfgAlgos.kex, DEFAULT_KEX, SUPPORTED_KEX),
+      kex: generateAlgorithmList(
+        cfgAlgos.kex,
+        DEFAULT_KEX,
+        SUPPORTED_KEX
+      ).concat(['kex-strict-s-v00@openssh.com']),
       serverHostKey: hostKeyAlgoOrder,
       cs: {
         cipher: generateAlgorithmList(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@electerm/ssh2",
-  "version": "1.14.0",
+  "version": "1.16.1",
   "author": "Brian White <mscdex@mscdex.net>",
   "description": "SSH2 client and server modules written in pure JavaScript for node.js",
   "main": "./lib/index.js",
@@ -13,8 +13,11 @@
   },
   "devDependencies": {
     "@mscdex/eslint-config": "^1.1.0",
-    "eslint": "^7.32.0",
-    "nan": "^2.17.0"
+    "eslint": "^7.32.0"
+  },
+  "optionalDependencies": {
+    "cpu-features": "~0.0.10",
+    "nan": "^2.20.0"
   },
   "scripts": {
     "install": "node install.js",