@electerm/ssh2 1.5.0 → 1.11.0

package/install.js

@@ -2,19 +2,26 @@
 
 const { spawnSync } = require('child_process');
 
+const forceFailOnNonZero = (process.env.CI_CHECK_FAIL === 'ssh2');
+
 // Attempt to build the bundled optional binding
-const result = spawnSync('node-gyp', [
+const args = [
   `--target=${process.version}`,
-  'rebuild'
-], {
+  `--real_openssl_major=${/^\d+/.exec(process.versions.openssl)[0]}`,
+  'rebuild',
+];
+const result = spawnSync('node-gyp', args, {
   cwd: 'lib/protocol/crypto',
   encoding: 'utf8',
   shell: true,
   stdio: 'inherit',
   windowsHide: true,
 });
-if (result.error || result.status !== 0)
+if (result.error || result.status !== 0) {
   console.log('Failed to build optional crypto binding');
-else
+  if (forceFailOnNonZero)
+    process.exit(1);
+} else {
   console.log('Succeeded in building optional crypto binding');
+}
 process.exit(0);

package/lib/Channel.js

@@ -214,6 +214,7 @@ class Channel extends DuplexStream {
   destroy() {
     this.end();
     this.close();
+    return this;
   }
 
   // Session type-specific methods =============================================

package/lib/protocol/SFTP.js

@@ -1596,6 +1596,91 @@ class SFTP extends EventEmitter {
       this._debug(`SFTP: Outbound: ${status} expand-path@openssh.com`);
     }
   }
+  ext_copy_data(srcHandle, srcOffset, len, dstHandle, dstOffset, cb) {
+    if (this.server)
+      throw new Error('Client-only method called in server mode');
+
+    const ext = this._extensions['copy-data'];
+    if (ext !== '1')
+      throw new Error('Server does not support this extended request');
+
+    if (!Buffer.isBuffer(srcHandle))
+      throw new Error('Source handle is not a Buffer');
+
+    if (!Buffer.isBuffer(dstHandle))
+      throw new Error('Destination handle is not a Buffer');
+
+    /*
+      uint32    id
+      string    "copy-data"
+      string    read-from-handle
+      uint64    read-from-offset
+      uint64    read-data-length
+      string    write-to-handle
+      uint64    write-to-offset
+    */
+    let p = 0;
+    const buf = Buffer.allocUnsafe(
+      4 + 1
+      + 4
+      + 4 + 9
+      + 4 + srcHandle.length
+      + 8
+      + 8
+      + 4 + dstHandle.length
+      + 8
+    );
+
+    writeUInt32BE(buf, buf.length - 4, p);
+    p += 4;
+
+    buf[p] = REQUEST.EXTENDED;
+    ++p;
+
+    const reqid = this._writeReqid = (this._writeReqid + 1) & MAX_REQID;
+    writeUInt32BE(buf, reqid, p);
+    p += 4;
+
+    writeUInt32BE(buf, 9, p);
+    p += 4;
+    buf.utf8Write('copy-data', p, 9);
+    p += 9;
+
+    writeUInt32BE(buf, srcHandle.length, p);
+    p += 4;
+    buf.set(srcHandle, p);
+    p += srcHandle.length;
+
+    for (let i = 7; i >= 0; --i) {
+      buf[p + i] = srcOffset & 0xFF;
+      srcOffset /= 256;
+    }
+    p += 8;
+
+    for (let i = 7; i >= 0; --i) {
+      buf[p + i] = len & 0xFF;
+      len /= 256;
+    }
+    p += 8;
+
+    writeUInt32BE(buf, dstHandle.length, p);
+    p += 4;
+    buf.set(dstHandle, p);
+    p += dstHandle.length;
+
+    for (let i = 7; i >= 0; --i) {
+      buf[p + i] = dstOffset & 0xFF;
+      dstOffset /= 256;
+    }
+
+    this._requests[reqid] = { cb };
+
+    const isBuffered = sendOrBuffer(this, buf);
+    if (this._debug) {
+      const status = (isBuffered ? 'Buffered' : 'Sending');
+      this._debug(`SFTP: Outbound: ${status} copy-data`);
+    }
+  }
   // ===========================================================================
   // Server-specific ===========================================================
   // ===========================================================================
@@ -1922,11 +2007,12 @@ function read_(self, handle, buf, off, len, position, cb, req_) {
         return;
       }
 
+      nb = (nb || 0);
       if (req.origOff === 0 && buf.length === req.nb)
         data = buf;
       else
-        data = bufferSlice(buf, req.origOff, req.origOff + req.nb);
-      cb(undefined, req.nb + (nb || 0), data, req.position);
+        data = bufferSlice(buf, req.origOff, req.origOff + req.nb + nb);
+      cb(undefined, req.nb + nb, data, req.position);
     },
     buffer: undefined,
   });
@@ -2416,7 +2502,8 @@ function tryWritePayload(sftp, payload) {
     return;
 
   if (outgoing.window === 0) {
-    sftp._waitWindow = true; // XXX: Unnecessary?
+    sftp._waitWindow = true;
+    sftp._chunkcb = drainBuffer;
     return payload;
   }
 
@@ -2593,14 +2680,13 @@ const CLIENT_HANDLERS = {
     */
     const errorCode = bufferParser.readUInt32BE();
     const errorMsg = bufferParser.readString(true);
-    const lang = bufferParser.skipString();
     bufferParser.clear();
 
-    if (lang === undefined) {
-      if (reqID !== undefined)
-        delete sftp._requests[reqID];
-      return doFatalSFTPError(sftp, 'Malformed STATUS packet');
-    }
+    // Note: we avoid checking that the error message and language tag are in
+    // the packet because there are some broken implementations that incorrectly
+    // omit them. The language tag in general was never really used amongst ssh
+    // implementations, so in the case of a missing error message we just
+    // default to something sensible.
 
     if (sftp._debug) {
       const jsonMsg = JSON.stringify(errorMsg);
@@ -3387,7 +3473,7 @@ function ReadStream(sftp, path, options) {
   this.autoClose = options.autoClose === undefined ? true : options.autoClose;
   this.pos = 0;
   this.bytesRead = 0;
-  this.closed = false;
+  this.isClosed = false;
 
   this.handle = options.handle === undefined ? null : options.handle;
   this.sftp = sftp;
@@ -3539,7 +3625,7 @@ function closeStream(stream, cb, err) {
   function onclose(er) {
     er = er || err;
     cb(er);
-    stream.closed = true;
+    stream.isClosed = true;
     if (!er)
       stream.emit('close');
   }
@@ -3582,7 +3668,7 @@ function WriteStream(sftp, path, options) {
   this.autoClose = options.autoClose === undefined ? true : options.autoClose;
   this.pos = 0;
   this.bytesWritten = 0;
-  this.closed = false;
+  this.isClosed = false;
 
   this.handle = options.handle === undefined ? null : options.handle;
   this.sftp = sftp;
@@ -3742,7 +3828,7 @@ if (typeof WritableStream.prototype.destroy !== 'function')
 WriteStream.prototype._destroy = ReadStream.prototype._destroy;
 WriteStream.prototype.close = function(cb) {
   if (cb) {
-    if (this.closed) {
+    if (this.isClosed) {
       process.nextTick(cb);
       return;
     }

package/lib/protocol/constants.js

@@ -7,7 +7,7 @@ try {
   cpuInfo = require('cpu-features')();
 } catch {}
 
-const { bindingAvailable } = require('./crypto.js');
+const { bindingAvailable, CIPHER_INFO, MAC_INFO } = require('./crypto.js');
 
 const eddsaSupported = (() => {
   if (typeof crypto.sign === 'function'
@@ -76,7 +76,11 @@ const SUPPORTED_SERVER_HOST_KEY = DEFAULT_SERVER_HOST_KEY.concat([
 ]);
 
 
-const DEFAULT_CIPHER = [
+const canUseCipher = (() => {
+  const ciphers = crypto.getCiphers();
+  return (name) => ciphers.includes(CIPHER_INFO[name].sslName);
+})();
+let DEFAULT_CIPHER = [
   // http://tools.ietf.org/html/rfc5647
   'aes128-gcm@openssh.com',
   'aes256-gcm@openssh.com',
@@ -99,12 +103,15 @@ if (cpuInfo && cpuInfo.flags && !cpuInfo.flags.aes) {
 } else {
   DEFAULT_CIPHER.push('chacha20-poly1305@openssh.com');
 }
+DEFAULT_CIPHER = DEFAULT_CIPHER.filter(canUseCipher);
 const SUPPORTED_CIPHER = DEFAULT_CIPHER.concat([
   'aes256-cbc',
   'aes192-cbc',
   'aes128-cbc',
   'blowfish-cbc',
   '3des-cbc',
+  'aes128-gcm',
+  'aes256-gcm',
 
   // http://tools.ietf.org/html/rfc4345#section-4:
   'arcfour256',
@@ -112,9 +119,13 @@ const SUPPORTED_CIPHER = DEFAULT_CIPHER.concat([
 
   'cast128-cbc',
   'arcfour',
-]);
+].filter(canUseCipher));
 
 
+const canUseMAC = (() => {
+  const hashes = crypto.getHashes();
+  return (name) => hashes.includes(MAC_INFO[name].sslName);
+})();
 const DEFAULT_MAC = [
   'hmac-sha2-256-etm@openssh.com',
   'hmac-sha2-512-etm@openssh.com',
@@ -122,7 +133,7 @@ const DEFAULT_MAC = [
   'hmac-sha2-256',
   'hmac-sha2-512',
   'hmac-sha1',
-];
+].filter(canUseMAC);
 const SUPPORTED_MAC = DEFAULT_MAC.concat([
   'hmac-md5',
   'hmac-sha2-256-96', // first 96 bits of HMAC-SHA256
@@ -130,7 +141,7 @@ const SUPPORTED_MAC = DEFAULT_MAC.concat([
   'hmac-ripemd160',
   'hmac-sha1-96',     // first 96 bits of HMAC-SHA1
   'hmac-md5-96',      // first 96 bits of HMAC-MD5
-]);
+].filter(canUseMAC));
 
 const DEFAULT_COMPRESSION = [
   'none',

package/lib/protocol/crypto/binding.gyp

@@ -1,4 +1,7 @@
 {
+  'variables': {
+    'real_openssl_major%': '0',
+  },
   'targets': [
     {
       'target_name': 'sshcrypto',
@@ -9,6 +12,12 @@
         'src/binding.cc'
       ],
       'cflags': [ '-O3' ],
+
+      # Needed for OpenSSL 3.x/node.js v17.x+
+      'defines': [
+        'OPENSSL_API_COMPAT=0x10100000L',
+        'REAL_OPENSSL_MAJOR=<(real_openssl_major)',
+      ],
     },
   ],
 }

package/lib/protocol/crypto/src/binding.cc

@@ -1,16 +1,49 @@
-// TODO: switch from obsolete EVP_* APIs in CCP
+#if defined(__GNUC__) && __GNUC__ >= 8
+#define DISABLE_WCAST_FUNCTION_TYPE _Pragma("GCC diagnostic push") _Pragma("GCC diagnostic ignored \"-Wcast-function-type\"")
+#define DISABLE_WCAST_FUNCTION_TYPE_END _Pragma("GCC diagnostic pop")
+#else
+#define DISABLE_WCAST_FUNCTION_TYPE
+#define DISABLE_WCAST_FUNCTION_TYPE_END
+#endif
+
 #include <stdio.h>
 #include <string.h>
 #include <assert.h>
 
+DISABLE_WCAST_FUNCTION_TYPE
 #include <node.h>
 #include <node_buffer.h>
 #include <nan.h>
+DISABLE_WCAST_FUNCTION_TYPE_END
+
+#if NODE_MAJOR_VERSION >= 17
+#  include <openssl/configuration.h>
+#endif
 
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 
+#ifndef _WIN32
+#  include <dlfcn.h>
+#endif
+
+typedef int (*ctx_iv_len_func)(const EVP_CIPHER_CTX*);
+typedef int (*ctx_key_len_func)(const EVP_CIPHER_CTX*);
+typedef int (*ctx_get_block_size_func)(const EVP_CIPHER_CTX*);
+typedef int (*cipher_flags_func)(const EVP_CIPHER*);
+ctx_iv_len_func ctx_iv_len = nullptr;
+ctx_key_len_func ctx_key_len = nullptr;
+ctx_get_block_size_func ctx_get_block_size = nullptr;
+cipher_flags_func cipher_flags = nullptr;
+
+#if REAL_OPENSSL_MAJOR < 3
+#  undef EVP_DigestSignUpdate
+#  define EVP_DigestSignUpdate EVP_DigestUpdate
+#  undef EVP_PKEY_OP_SIGNCTX
+#  define EVP_PKEY_OP_SIGNCTX (1 << 6)
+#endif
+
 using namespace node;
 using namespace v8;
 using namespace std;
@@ -62,8 +95,14 @@ class ChaChaPolyCipher : public ObjectWrap {
   explicit ChaChaPolyCipher()
     : ctx_main_(nullptr),
       ctx_pktlen_(nullptr),
+#if REAL_OPENSSL_MAJOR >= 3
+      mac_(nullptr),
+      mac_ctx_(nullptr) {}
+#else
       md_ctx_(nullptr),
-      polykey_(nullptr) {}
+      polykey_(nullptr),
+      polykey_ctx_(nullptr) {}
+#endif
 
   ~ChaChaPolyCipher() {
     clear();
@@ -71,15 +110,23 @@ class ChaChaPolyCipher : public ObjectWrap {
 
   void clear() {
     if (ctx_pktlen_) {
-      EVP_CIPHER_CTX_cleanup(ctx_pktlen_);
       EVP_CIPHER_CTX_free(ctx_pktlen_);
       ctx_pktlen_ = nullptr;
     }
     if (ctx_main_) {
-      EVP_CIPHER_CTX_cleanup(ctx_main_);
       EVP_CIPHER_CTX_free(ctx_main_);
       ctx_main_ = nullptr;
     }
+#if REAL_OPENSSL_MAJOR >= 3
+    if (mac_ctx_) {
+      EVP_MAC_CTX_free(mac_ctx_);
+      mac_ctx_ = nullptr;
+    }
+    if (mac_) {
+      EVP_MAC_free(mac_);
+      mac_ = nullptr;
+    }
+#else
     if (polykey_) {
       EVP_PKEY_free(polykey_);
       polykey_ = nullptr;
@@ -90,6 +137,7 @@ class ChaChaPolyCipher : public ObjectWrap {
     }
     // `polykey_ctx_` is not explicitly freed as it is freed implicitly when
     // `md_ctx_` is freed
+#endif
   }
 
   ErrorType init(unsigned char* keys, size_t keys_len) {
@@ -108,7 +156,14 @@ class ChaChaPolyCipher : public ObjectWrap {
 
     if ((ctx_pktlen_ = EVP_CIPHER_CTX_new()) == nullptr
         || (ctx_main_ = EVP_CIPHER_CTX_new()) == nullptr
+#if REAL_OPENSSL_MAJOR >= 3
+        || (mac_ = EVP_MAC_fetch(nullptr,
+                                 "POLY1305",
+                                 "provider=default")) == nullptr
+        || (mac_ctx_ = EVP_MAC_CTX_new(mac_)) == nullptr
+#else
         || (md_ctx_ = EVP_MD_CTX_new()) == nullptr
+#endif
         || EVP_EncryptInit_ex(ctx_pktlen_,
                               cipher,
                               nullptr,
@@ -122,7 +177,7 @@ class ChaChaPolyCipher : public ObjectWrap {
       r = kErrOpenSSL;
       goto out;
     }
-    if (EVP_CIPHER_CTX_iv_length(ctx_pktlen_) != 16) {
+    if (ctx_iv_len(ctx_pktlen_) != 16) {
       r = kErrBadIVLen;
       goto out;
     }
@@ -206,6 +261,16 @@ out:
     }
 
     // Poly1305 over ciphertext
+#if REAL_OPENSSL_MAJOR >= 3
+    // TODO: check if dup()'ing a "base" context instead of calling init() with
+    //       the key each time is faster
+    if (EVP_MAC_init(mac_ctx_, polykey, sizeof(polykey), nullptr) != 1
+        || EVP_MAC_update(mac_ctx_, packet, data_len) != 1
+        || EVP_MAC_final(mac_ctx_, packet + data_len, &sig_len, sig_len) != 1) {
+      r = kErrOpenSSL;
+      goto out;
+    }
+#else
     if (polykey_) {
       if (EVP_PKEY_CTX_ctrl(polykey_ctx_,
                             -1,
@@ -245,9 +310,10 @@ out:
       r = kErrOpenSSL;
       goto out;
     }
+#endif
 
-  out:
-    return r;
+    out:
+      return r;
   }
 
   static NAN_METHOD(New) {
@@ -328,9 +394,14 @@ out:
 
   EVP_CIPHER_CTX* ctx_main_;
   EVP_CIPHER_CTX* ctx_pktlen_;
+#if REAL_OPENSSL_MAJOR >= 3
+  EVP_MAC* mac_;
+  EVP_MAC_CTX* mac_ctx_;
+#else
   EVP_MD_CTX* md_ctx_;
   EVP_PKEY* polykey_;
   EVP_PKEY_CTX* polykey_ctx_;
+#endif
 };
 
 class AESGCMCipher : public ObjectWrap {
@@ -359,7 +430,6 @@ class AESGCMCipher : public ObjectWrap {
 
   void clear() {
     if (ctx_) {
-      EVP_CIPHER_CTX_cleanup(ctx_);
       EVP_CIPHER_CTX_free(ctx_);
       ctx_ = nullptr;
     }
@@ -394,12 +464,7 @@ class AESGCMCipher : public ObjectWrap {
       goto out;
     }
 
-    //~ if (iv_len != static_cast<size_t>(EVP_CIPHER_CTX_iv_length(ctx_))) {
-      //~ r = kErrBadIVLen;
-      //~ goto out;
-    //~ }
-
-    if (key_len != static_cast<size_t>(EVP_CIPHER_CTX_key_length(ctx_))) {
+    if (key_len != static_cast<size_t>(ctx_key_len(ctx_))) {
       if (!EVP_CIPHER_CTX_set_key_length(ctx_, key_len)) {
         r = kErrBadKeyLen;
         goto out;
@@ -596,7 +661,12 @@ class GenericCipher : public ObjectWrap {
  private:
   explicit GenericCipher()
     : ctx_(nullptr),
+#if REAL_OPENSSL_MAJOR >= 3
+      mac_(nullptr),
+      mac_ctx_base_(nullptr),
+#else
       ctx_hmac_(nullptr),
+#endif
       hmac_len_(0),
       is_etm_(0) {}
 
@@ -606,14 +676,24 @@ class GenericCipher : public ObjectWrap {
 
   void clear() {
     if (ctx_) {
-      EVP_CIPHER_CTX_cleanup(ctx_);
       EVP_CIPHER_CTX_free(ctx_);
       ctx_ = nullptr;
     }
+#if REAL_OPENSSL_MAJOR >= 3
+    if (mac_ctx_base_) {
+      EVP_MAC_CTX_free(mac_ctx_base_);
+      mac_ctx_base_ = nullptr;
+    }
+    if (mac_) {
+      EVP_MAC_free(mac_);
+      mac_ = nullptr;
+    }
+#else
     if (ctx_hmac_) {
       HMAC_CTX_free(ctx_hmac_);
       ctx_hmac_ = nullptr;
     }
+#endif
   }
 
   ErrorType init(const char* name,
@@ -627,7 +707,11 @@ class GenericCipher : public ObjectWrap {
                  int is_etm) {
     ErrorType r = kErrNone;
 
+#if REAL_OPENSSL_MAJOR >= 3
+    OSSL_PARAM params[2];
+#else
     const EVP_MD* md;
+#endif
     const EVP_CIPHER* const cipher = EVP_get_cipherbyname(name);
     if (cipher == nullptr) {
       r = kErrOpenSSL;
@@ -640,12 +724,12 @@ class GenericCipher : public ObjectWrap {
       goto out;
     }
 
-    if (iv_len != static_cast<size_t>(EVP_CIPHER_CTX_iv_length(ctx_))) {
+    if (iv_len != static_cast<size_t>(ctx_iv_len(ctx_))) {
       r = kErrBadIVLen;
       goto out;
     }
 
-    if (key_len != static_cast<size_t>(EVP_CIPHER_CTX_key_length(ctx_))) {
+    if (key_len != static_cast<size_t>(ctx_key_len(ctx_))) {
       if (!EVP_CIPHER_CTX_set_key_length(ctx_, key_len)) {
         r = kErrBadKeyLen;
         goto out;
@@ -685,6 +769,28 @@ class GenericCipher : public ObjectWrap {
       }
     }
 
+#if REAL_OPENSSL_MAJOR >= 3
+    if ((mac_ = EVP_MAC_fetch(nullptr,
+                              "HMAC",
+                              "provider=default")) == nullptr) {
+      r = kErrOpenSSL;
+      goto out;
+    }
+    if ((mac_ctx_base_ = EVP_MAC_CTX_new(mac_)) == nullptr) {
+      r = kErrOpenSSL;
+      goto out;
+    }
+    params[0] = OSSL_PARAM_construct_utf8_string("digest",
+                                                 const_cast<char*>(hmac_name),
+                                                 0);
+    params[1] = OSSL_PARAM_END;
+    if (EVP_MAC_init(mac_ctx_base_, hmac_key, hmac_key_len, params) != 1) {
+      EVP_MAC_CTX_free(mac_ctx_base_);
+      r = kErrOpenSSL;
+      goto out;
+    }
+    hmac_len_ = EVP_MAC_CTX_get_mac_size(mac_ctx_base_);
+#else
     md = EVP_get_digestbyname(hmac_name);
     if (md == nullptr) {
       r = kErrBadHMACName;
@@ -698,6 +804,7 @@ class GenericCipher : public ObjectWrap {
     }
 
     hmac_len_ = HMAC_size(ctx_hmac_);
+#endif
     is_etm_ = is_etm;
 
 out:
@@ -735,39 +842,51 @@ out:
         r = kErrPartialEncrypt;
         goto out;
       }
+    }
+
+    // Calculate HMAC
+    {
+#if REAL_OPENSSL_MAJOR >= 3
+      size_t outlen = hmac_len_;
 
-      // HMAC over unencrypted packet length and ciphertext
-      {
-        unsigned int outlen = hmac_len_;
-        if (HMAC_Init_ex(ctx_hmac_, nullptr, 0, nullptr, nullptr) != 1
-            || HMAC_Update(ctx_hmac_, seqbuf, sizeof(seqbuf)) != 1
-            || HMAC_Update(ctx_hmac_, packet, data_len) != 1
-            || HMAC_Final(ctx_hmac_, packet + data_len, &outlen) != 1) {
-          r = kErrOpenSSL;
-          goto out;
-        }
-        if (outlen != hmac_len_) {
-          r = kErrBadHMACLen;
-          goto out;
-        }
+      EVP_MAC_CTX* mac_ctx = EVP_MAC_CTX_dup(mac_ctx_base_);
+      if (mac_ctx == nullptr) {
+        r = kErrOpenSSL;
+        goto out;
       }
-    } else {
-      // HMAC over plaintext
-      {
-        unsigned int outlen = hmac_len_;
-        if (HMAC_Init_ex(ctx_hmac_, nullptr, 0, nullptr, nullptr) != 1
-            || HMAC_Update(ctx_hmac_, seqbuf, sizeof(seqbuf)) != 1
-            || HMAC_Update(ctx_hmac_, packet, data_len) != 1
-            || HMAC_Final(ctx_hmac_, packet + data_len, &outlen) != 1) {
-          r = kErrOpenSSL;
-          goto out;
-        }
-        if (outlen != hmac_len_) {
-          r = kErrBadHMACLen;
-          goto out;
-        }
+      if (EVP_MAC_update(mac_ctx, seqbuf, sizeof(seqbuf)) != 1
+          || EVP_MAC_update(mac_ctx, packet, data_len) != 1
+          || EVP_MAC_final(mac_ctx,
+                           packet + data_len,
+                           reinterpret_cast<size_t*>(&outlen),
+                           outlen) != 1) {
+        EVP_MAC_CTX_free(mac_ctx);
+        r = kErrOpenSSL;
+        goto out;
+      }
+      if (outlen != hmac_len_) {
+        EVP_MAC_CTX_free(mac_ctx);
+        r = kErrBadHMACLen;
+        goto out;
       }
+      EVP_MAC_CTX_free(mac_ctx);
+#else
+      unsigned int outlen = hmac_len_;
+      if (HMAC_Init_ex(ctx_hmac_, nullptr, 0, nullptr, nullptr) != 1
+          || HMAC_Update(ctx_hmac_, seqbuf, sizeof(seqbuf)) != 1
+          || HMAC_Update(ctx_hmac_, packet, data_len) != 1
+          || HMAC_Final(ctx_hmac_, packet + data_len, &outlen) != 1) {
+        r = kErrOpenSSL;
+        goto out;
+      }
+      if (outlen != hmac_len_) {
+        r = kErrBadHMACLen;
+        goto out;
+      }
+#endif
+    }
 
+    if (!is_etm_) {
       // Encrypt packet
       if (EVP_EncryptUpdate(ctx_,
                             packet,
@@ -901,8 +1020,14 @@ out:
   }
 
   EVP_CIPHER_CTX* ctx_;
+#if REAL_OPENSSL_MAJOR >= 3
+  EVP_MAC* mac_;
+  EVP_MAC_CTX* mac_ctx_base_;
+  size_t hmac_len_;
+#else
   HMAC_CTX* ctx_hmac_;
   unsigned int hmac_len_;
+#endif
   int is_etm_;
 };
 
@@ -930,8 +1055,14 @@ class ChaChaPolyDecipher : public ObjectWrap {
   explicit ChaChaPolyDecipher()
     : ctx_main_(nullptr),
       ctx_pktlen_(nullptr),
+#if REAL_OPENSSL_MAJOR >= 3
+      mac_(nullptr),
+      mac_ctx_(nullptr) {}
+#else
       md_ctx_(nullptr),
-      polykey_(nullptr) {}
+      polykey_(nullptr),
+      polykey_ctx_(nullptr) {}
+#endif
 
   ~ChaChaPolyDecipher() {
     clear();
@@ -939,15 +1070,23 @@ class ChaChaPolyDecipher : public ObjectWrap {
 
   void clear() {
     if (ctx_pktlen_) {
-      EVP_CIPHER_CTX_cleanup(ctx_pktlen_);
       EVP_CIPHER_CTX_free(ctx_pktlen_);
       ctx_pktlen_ = nullptr;
     }
     if (ctx_main_) {
-      EVP_CIPHER_CTX_cleanup(ctx_main_);
       EVP_CIPHER_CTX_free(ctx_main_);
       ctx_main_ = nullptr;
     }
+#if REAL_OPENSSL_MAJOR >= 3
+    if (mac_ctx_) {
+      EVP_MAC_CTX_free(mac_ctx_);
+      mac_ctx_ = nullptr;
+    }
+    if (mac_) {
+      EVP_MAC_free(mac_);
+      mac_ = nullptr;
+    }
+#else
     if (polykey_) {
       EVP_PKEY_free(polykey_);
       polykey_ = nullptr;
@@ -958,6 +1097,7 @@ class ChaChaPolyDecipher : public ObjectWrap {
     }
     // `polykey_ctx_` is not explicitly freed as it is freed implicitly when
     // `md_ctx_` is freed
+#endif
   }
 
   ErrorType init(unsigned char* keys, size_t keys_len) {
@@ -976,7 +1116,14 @@ class ChaChaPolyDecipher : public ObjectWrap {
 
     if ((ctx_pktlen_ = EVP_CIPHER_CTX_new()) == nullptr
         || (ctx_main_ = EVP_CIPHER_CTX_new()) == nullptr
+#if REAL_OPENSSL_MAJOR >= 3
+        || (mac_ = EVP_MAC_fetch(nullptr,
+                                 "POLY1305",
+                                 "provider=default")) == nullptr
+        || (mac_ctx_ = EVP_MAC_CTX_new(mac_)) == nullptr
+#else
         || (md_ctx_ = EVP_MD_CTX_new()) == nullptr
+#endif
         || EVP_DecryptInit_ex(ctx_pktlen_,
                               cipher,
                               nullptr,
@@ -990,7 +1137,7 @@ class ChaChaPolyDecipher : public ObjectWrap {
       r = kErrOpenSSL;
       goto out;
     }
-    if (EVP_CIPHER_CTX_iv_length(ctx_pktlen_) != 16) {
+    if (ctx_iv_len(ctx_pktlen_) != 16) {
       r = kErrBadIVLen;
       goto out;
     }
@@ -1083,6 +1230,17 @@ out:
     }
 
     // Poly1305 over ciphertext
+#if REAL_OPENSSL_MAJOR >= 3
+    // TODO: check if dup()'ing a "base" context instead of calling init() with
+    //       the key each time is faster
+    if (EVP_MAC_init(mac_ctx_, polykey, sizeof(polykey), nullptr) != 1
+        || EVP_MAC_update(mac_ctx_, length_bytes, sizeof(length_bytes)) != 1
+        || EVP_MAC_update(mac_ctx_, packet, packet_len) != 1
+        || EVP_MAC_final(mac_ctx_, calc_mac, &sig_len, sig_len) != 1) {
+      r = kErrOpenSSL;
+      goto out;
+    }
+#else
     if (polykey_) {
       if (EVP_PKEY_CTX_ctrl(polykey_ctx_,
                             -1,
@@ -1128,6 +1286,7 @@ out:
       r = kErrOpenSSL;
       goto out;
     }
+#endif
 
     // Compare MACs
     if (CRYPTO_memcmp(mac, calc_mac, sizeof(calc_mac))) {
@@ -1289,9 +1448,14 @@ out:
   unsigned char length_bytes[4];
   EVP_CIPHER_CTX* ctx_main_;
   EVP_CIPHER_CTX* ctx_pktlen_;
+#if REAL_OPENSSL_MAJOR >= 3
+  EVP_MAC* mac_;
+  EVP_MAC_CTX* mac_ctx_;
+#else
   EVP_MD_CTX* md_ctx_;
   EVP_PKEY* polykey_;
   EVP_PKEY_CTX* polykey_ctx_;
+#endif
 };
 
 class AESGCMDecipher : public ObjectWrap {
@@ -1320,7 +1484,6 @@ class AESGCMDecipher : public ObjectWrap {
 
   void clear() {
     if (ctx_) {
-      EVP_CIPHER_CTX_cleanup(ctx_);
       EVP_CIPHER_CTX_free(ctx_);
       ctx_ = nullptr;
     }
@@ -1355,12 +1518,7 @@ class AESGCMDecipher : public ObjectWrap {
       goto out;
     }
 
-    //~ if (iv_len != static_cast<size_t>(EVP_CIPHER_CTX_iv_length(ctx_))) {
-      //~ r = kErrBadIVLen;
-      //~ goto out;
-    //~ }
-
-    if (key_len != static_cast<size_t>(EVP_CIPHER_CTX_key_length(ctx_))) {
+    if (key_len != static_cast<size_t>(ctx_key_len(ctx_))) {
       if (!EVP_CIPHER_CTX_set_key_length(ctx_, key_len)) {
         r = kErrBadKeyLen;
         goto out;
@@ -1568,7 +1726,12 @@ class GenericDecipher : public ObjectWrap {
  private:
   explicit GenericDecipher()
     : ctx_(nullptr),
+#if REAL_OPENSSL_MAJOR >= 3
+      mac_(nullptr),
+      mac_ctx_base_(nullptr),
+#else
       ctx_hmac_(nullptr),
+#endif
       hmac_len_(0),
       is_etm_(0) {}
 
@@ -1578,14 +1741,24 @@ class GenericDecipher : public ObjectWrap {
 
   void clear() {
     if (ctx_) {
-      EVP_CIPHER_CTX_cleanup(ctx_);
       EVP_CIPHER_CTX_free(ctx_);
       ctx_ = nullptr;
     }
+#if REAL_OPENSSL_MAJOR >= 3
+    if (mac_ctx_base_) {
+      EVP_MAC_CTX_free(mac_ctx_base_);
+      mac_ctx_base_ = nullptr;
+    }
+    if (mac_) {
+      EVP_MAC_free(mac_);
+      mac_ = nullptr;
+    }
+#else
     if (ctx_hmac_) {
       HMAC_CTX_free(ctx_hmac_);
       ctx_hmac_ = nullptr;
     }
+#endif
   }
 
   ErrorType init(const char* name,
@@ -1600,7 +1773,11 @@ class GenericDecipher : public ObjectWrap {
                  size_t hmac_actual_len) {
     ErrorType r = kErrNone;
 
+#if REAL_OPENSSL_MAJOR >= 3
+    OSSL_PARAM params[2];
+#else
     const EVP_MD* md;
+#endif
     const EVP_CIPHER* const cipher = EVP_get_cipherbyname(name);
     if (cipher == nullptr) {
       r = kErrOpenSSL;
@@ -1613,12 +1790,12 @@ class GenericDecipher : public ObjectWrap {
       goto out;
     }
 
-    if (iv_len != static_cast<size_t>(EVP_CIPHER_CTX_iv_length(ctx_))) {
+    if (iv_len != static_cast<size_t>(ctx_iv_len(ctx_))) {
       r = kErrBadIVLen;
       goto out;
     }
 
-    if (key_len != static_cast<size_t>(EVP_CIPHER_CTX_key_length(ctx_))) {
+    if (key_len != static_cast<size_t>(ctx_key_len(ctx_))) {
       if (!EVP_CIPHER_CTX_set_key_length(ctx_, key_len)) {
         r = kErrBadKeyLen;
         goto out;
@@ -1658,6 +1835,28 @@ class GenericDecipher : public ObjectWrap {
       }
     }
 
+#if REAL_OPENSSL_MAJOR >= 3
+    if ((mac_ = EVP_MAC_fetch(nullptr,
+                              "HMAC",
+                              "provider=default")) == nullptr) {
+      r = kErrOpenSSL;
+      goto out;
+    }
+    if ((mac_ctx_base_ = EVP_MAC_CTX_new(mac_)) == nullptr) {
+      r = kErrOpenSSL;
+      goto out;
+    }
+    params[0] = OSSL_PARAM_construct_utf8_string("digest",
+                                                 const_cast<char*>(hmac_name),
+                                                 0);
+    params[1] = OSSL_PARAM_END;
+    if (EVP_MAC_init(mac_ctx_base_, hmac_key, hmac_key_len, params) != 1) {
+      EVP_MAC_CTX_free(mac_ctx_base_);
+      r = kErrOpenSSL;
+      goto out;
+    }
+    hmac_len_ = EVP_MAC_CTX_get_mac_size(mac_ctx_base_);
+#else
     md = EVP_get_digestbyname(hmac_name);
     if (md == nullptr) {
       r = kErrBadHMACName;
@@ -1671,9 +1870,14 @@ class GenericDecipher : public ObjectWrap {
     }
 
     hmac_len_ = HMAC_size(ctx_hmac_);
+#endif
     hmac_actual_len_ = hmac_actual_len;
     is_etm_ = is_etm;
+#if REAL_OPENSSL_MAJOR >= 3
     switch (EVP_CIPHER_CTX_mode(ctx_)) {
+#else
+    switch (cipher_flags(EVP_CIPHER_CTX_cipher(ctx_)) & EVP_CIPH_MODE) {
+#endif
       case EVP_CIPH_STREAM_CIPHER:
       case EVP_CIPH_CTR_MODE:
         is_stream_ = 1;
@@ -1681,7 +1885,7 @@ class GenericDecipher : public ObjectWrap {
       default:
         is_stream_ = 0;
     }
-    block_size_ = EVP_CIPHER_CTX_block_size(ctx_);
+    block_size_ = ctx_get_block_size(ctx_);
 
 out:
     return r;
@@ -1729,47 +1933,7 @@ out:
     ((uint8_t*)(seqbuf))[2] = (seqno >> 8) & 0xff;
     ((uint8_t*)(seqbuf))[3] = seqno & 0xff;
 
-    if (is_etm_) {
-      // `first_block` for ETM should just be the unencrypted packet length
-      if (first_block_len != 4) {
-        r = kErrBadBlockLen;
-        goto out;
-      }
-
-      // HMAC over unencrypted packet length and ciphertext
-      {
-        unsigned int outlen = hmac_len_;
-        if (HMAC_Init_ex(ctx_hmac_, nullptr, 0, nullptr, nullptr) != 1
-            || HMAC_Update(ctx_hmac_, seqbuf, sizeof(seqbuf)) != 1
-            || HMAC_Update(ctx_hmac_, first_block, 4) != 1
-            || HMAC_Update(ctx_hmac_, packet, packet_len) != 1
-            || HMAC_Final(ctx_hmac_, calc_mac, &outlen) != 1) {
-          r = kErrOpenSSL;
-          goto out;
-        }
-
-        if (outlen != hmac_len_ || mac_len != hmac_len_) {
-          r = kErrBadHMACLen;
-          goto out;
-        }
-
-        // Compare MACs
-        if (CRYPTO_memcmp(mac, calc_mac, hmac_len_)) {
-          r = kErrInvalidMAC;
-          goto out;
-        }
-      }
-
-      // Decrypt packet
-      if (EVP_DecryptUpdate(ctx_, packet, &outlen, packet, packet_len) != 1) {
-        r = kErrOpenSSL;
-        goto out;
-      }
-      if (static_cast<size_t>(outlen) != packet_len) {
-        r = kErrPartialDecrypt;
-        goto out;
-      }
-    } else {
+    if (!is_etm_) {
       // `first_block` for non-ETM should be a completely decrypted first block
       if (!is_stream_ && first_block_len != block_size_) {
         r = kErrBadBlockLen;
@@ -1790,29 +1954,73 @@ out:
         r = kErrPartialDecrypt;
         goto out;
       }
+    }
+
+    // Calculate and compare HMAC
+    {
+#if REAL_OPENSSL_MAJOR >= 3
+      size_t outlen = hmac_len_;
+
+      EVP_MAC_CTX* mac_ctx = EVP_MAC_CTX_dup(mac_ctx_base_);
+      if (mac_ctx == nullptr) {
+        r = kErrOpenSSL;
+        goto out;
+      }
+      if (EVP_MAC_update(mac_ctx, seqbuf, sizeof(seqbuf)) != 1
+          || EVP_MAC_update(mac_ctx, first_block, 4) != 1
+          || EVP_MAC_update(mac_ctx, packet, packet_len) != 1
+          || EVP_MAC_final(mac_ctx,
+                           calc_mac,
+                           &outlen,
+                           outlen) != 1) {
+        EVP_MAC_CTX_free(mac_ctx);
+        r = kErrOpenSSL;
+        goto out;
+      }
+      if (outlen != hmac_len_ || mac_len != hmac_actual_len_) {
+        EVP_MAC_CTX_free(mac_ctx);
+        r = kErrBadHMACLen;
+        goto out;
+      }
+      EVP_MAC_CTX_free(mac_ctx);
+#else
+      unsigned int outlen = hmac_len_;
+      if (HMAC_Init_ex(ctx_hmac_, nullptr, 0, nullptr, nullptr) != 1
+          || HMAC_Update(ctx_hmac_, seqbuf, sizeof(seqbuf)) != 1
+          || HMAC_Update(ctx_hmac_, first_block, 4) != 1
+          || HMAC_Update(ctx_hmac_, packet, packet_len) != 1
+          || HMAC_Final(ctx_hmac_, calc_mac, &outlen) != 1) {
+        r = kErrOpenSSL;
+        goto out;
+      }
+      if (outlen != hmac_len_ || mac_len != hmac_actual_len_) {
+        r = kErrBadHMACLen;
+        goto out;
+      }
+#endif
+
+      // Compare MACs
+      if (CRYPTO_memcmp(mac, calc_mac, hmac_actual_len_)) {
+        r = kErrInvalidMAC;
+        goto out;
+      }
+    }
 
-      // HMAC over plaintext
-      {
-        unsigned int outlen = hmac_len_;
-        if (HMAC_Init_ex(ctx_hmac_, nullptr, 0, nullptr, nullptr) != 1
-            || HMAC_Update(ctx_hmac_, seqbuf, sizeof(seqbuf)) != 1
-            || HMAC_Update(ctx_hmac_, first_block, 4) != 1
-            || HMAC_Update(ctx_hmac_, packet, packet_len) != 1
-            || HMAC_Final(ctx_hmac_, calc_mac, &outlen) != 1) {
-          r = kErrOpenSSL;
-          goto out;
-        }
-
-        if (outlen != hmac_len_ || mac_len != hmac_actual_len_) {
-          r = kErrBadHMACLen;
-          goto out;
-        }
-
-        // Compare MACs
-        if (CRYPTO_memcmp(mac, calc_mac, hmac_actual_len_)) {
-          r = kErrInvalidMAC;
-          goto out;
-        }
+    if (is_etm_) {
+      // `first_block` for ETM should just be the unencrypted packet length
+      if (first_block_len != 4) {
+        r = kErrBadBlockLen;
+        goto out;
+      }
+
+      // Decrypt packet
+      if (EVP_DecryptUpdate(ctx_, packet, &outlen, packet, packet_len) != 1) {
+        r = kErrOpenSSL;
+        goto out;
+      }
+      if (static_cast<size_t>(outlen) != packet_len) {
+        r = kErrPartialDecrypt;
+        goto out;
       }
     }
 
@@ -1981,8 +2189,14 @@ out:
   }
 
   EVP_CIPHER_CTX* ctx_;
+#if REAL_OPENSSL_MAJOR >= 3
+  EVP_MAC* mac_;
+  EVP_MAC_CTX* mac_ctx_base_;
+  size_t hmac_len_;
+#else
   HMAC_CTX* ctx_hmac_;
   unsigned int hmac_len_;
+#endif
   unsigned int hmac_actual_len_;
   uint8_t is_etm_;
   uint8_t is_stream_;
@@ -1991,6 +2205,63 @@ out:
 
 
 NAN_MODULE_INIT(init) {
+  // These are needed because node-gyp (as of this writing) does not use the
+  // proper (OpenSSL) system headers when node was built against a shared
+  // version of OpenSSL. Usually this isn't an issue because OSes that build
+  // node in this way typically use the same version of OpenSSL as was bundled
+  // with node for a particular node version for the best compatibility. However
+  // with the inclusion of OpenSSL 3.x in node v17.x, some OSes are still
+  // linking with a shared OpenSSL 1.x, which can cause both compilation and
+  // runtime errors because of changes in OpenSSL's code.
+  //
+  // For that reason, we need to make sure we need to resolve some specific
+  // symbols at runtime to workaround these buggy situations.
+#ifdef _WIN32
+#  define load_sym(name) GetProcAddress(GetModuleHandle(NULL), name)
+#else
+#  define load_sym(name) dlsym(RTLD_DEFAULT, name)
+#endif
+  if (!ctx_iv_len) {
+    ctx_iv_len = reinterpret_cast<ctx_iv_len_func>(
+      load_sym("EVP_CIPHER_CTX_get_iv_length")
+    );
+    if (!ctx_iv_len) {
+      ctx_iv_len = reinterpret_cast<ctx_iv_len_func>(
+        load_sym("EVP_CIPHER_CTX_iv_length")
+      );
+    }
+  }
+  if (!ctx_key_len) {
+    ctx_key_len = reinterpret_cast<ctx_key_len_func>(
+      load_sym("EVP_CIPHER_CTX_get_key_length")
+    );
+    if (!ctx_key_len) {
+      ctx_key_len = reinterpret_cast<ctx_key_len_func>(
+        load_sym("EVP_CIPHER_CTX_key_length")
+      );
+    }
+  }
+  if (!cipher_flags) {
+    cipher_flags = reinterpret_cast<cipher_flags_func>(
+      load_sym("EVP_CIPHER_get_flags")
+    );
+    if (!cipher_flags) {
+      cipher_flags = reinterpret_cast<cipher_flags_func>(
+        load_sym("EVP_CIPHER_flags")
+      );
+    }
+  }
+  if (!ctx_get_block_size) {
+    ctx_get_block_size = reinterpret_cast<ctx_get_block_size_func>(
+      load_sym("EVP_CIPHER_CTX_get_block_size")
+    );
+    if (!ctx_get_block_size) {
+      ctx_get_block_size = reinterpret_cast<ctx_get_block_size_func>(
+        load_sym("EVP_CIPHER_CTX_block_size")
+      );
+    }
+  }
+
   ChaChaPolyCipher::Init(target);
   AESGCMCipher::Init(target);
   GenericCipher::Init(target);
@@ -2000,4 +2271,6 @@ NAN_MODULE_INIT(init) {
   GenericDecipher::Init(target);
 }
 
-NODE_MODULE(sshcrypto, init)
+DISABLE_WCAST_FUNCTION_TYPE
+NAN_MODULE_WORKER_ENABLED(sshcrypto, init)
+DISABLE_WCAST_FUNCTION_TYPE_END

package/lib/protocol/keyParser.js

@@ -595,6 +595,8 @@ OpenSSH_Private.prototype = BaseKey;
     } else {
       ret = [];
     }
+    if (ret instanceof Error)
+      return ret;
     // This will need to change if/when OpenSSH ever starts storing multiple
     // keys in their key files
     return ret[0];

package/lib/protocol/utils.js

@@ -171,7 +171,7 @@ module.exports = {
   doFatalError: (protocol, msg, level, reason) => {
     let err;
     if (DISCONNECT_REASON === undefined)
-      ({ DISCONNECT_REASON } = require('./utils.js'));
+      ({ DISCONNECT_REASON } = require('./constants.js'));
     if (msg instanceof Error) {
       // doFatalError(protocol, err[, reason])
       err = msg;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@electerm/ssh2",
-  "version": "1.5.0",
+  "version": "1.11.0",
   "author": "Brian White <mscdex@mscdex.net>",
   "description": "SSH2 client and server modules written in pure JavaScript for node.js",
   "main": "./lib/index.js",
@@ -12,13 +12,9 @@
     "bcrypt-pbkdf": "^1.0.2"
   },
   "devDependencies": {
-    "@mscdex/eslint-config": "^1.0.0",
+    "@mscdex/eslint-config": "^1.1.0",
     "eslint": "^7.0.0"
   },
-  "peerDependencies": {
-    "cpu-features": "0.0.2",
-    "nan": "^2.15.0"
-  },
   "scripts": {
     "install": "node install.js",
     "rebuild": "node install.js",