1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
|
require 'net/ssh/buffer'
require 'net/ssh/known_hosts'
require 'net/ssh/loggable'
require 'net/ssh/transport/cipher_factory'
require 'net/ssh/transport/constants'
require 'net/ssh/transport/hmac'
require 'net/ssh/transport/kex'
require 'net/ssh/transport/kex/curve25519_sha256_loader'
require 'net/ssh/transport/server_version'
require 'net/ssh/authentication/ed25519_loader'
module Net
module SSH
module Transport
# Implements the higher-level logic behind an SSH key-exchange. It handles
# both the initial exchange, as well as subsequent re-exchanges (as needed).
# It also encapsulates the negotiation of the algorithms, and provides a
# single point of access to the negotiated algorithms.
#
# You will never instantiate or reference this directly. It is used
# internally by the transport layer.
class Algorithms
include Loggable
include Constants
# Define the default algorithms, in order of preference, supported by Net::SSH.
DEFAULT_ALGORITHMS = {
host_key: %w[ecdsa-sha2-nistp521-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp521
ecdsa-sha2-nistp384
ecdsa-sha2-nistp256
ssh-rsa-cert-v01@openssh.com
ssh-rsa-cert-v00@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512],
kex: %w[ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1],
encryption: %w[aes256-ctr aes192-ctr aes128-ctr],
hmac: %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com
hmac-sha2-512 hmac-sha2-256
hmac-sha1]
}.freeze
if Net::SSH::Authentication::ED25519Loader::LOADED
DEFAULT_ALGORITHMS[:host_key].unshift(
'ssh-ed25519-cert-v01@openssh.com',
'ssh-ed25519'
)
end
if Net::SSH::Transport::Kex::Curve25519Sha256Loader::LOADED
DEFAULT_ALGORITHMS[:kex].unshift(
'curve25519-sha256',
'curve25519-sha256@libssh.org'
)
end
# Define all algorithms, with the deprecated, supported by Net::SSH.
ALGORITHMS = {
host_key: DEFAULT_ALGORITHMS[:host_key] + %w[ssh-dss],
kex: DEFAULT_ALGORITHMS[:kex] +
%w[diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1],
encryption: DEFAULT_ALGORITHMS[:encryption] +
%w[aes256-cbc aes192-cbc aes128-cbc
rijndael-cbc@lysator.liu.se
blowfish-ctr blowfish-cbc
cast128-ctr cast128-cbc
3des-ctr 3des-cbc
idea-cbc
none],
hmac: DEFAULT_ALGORITHMS[:hmac] +
%w[hmac-sha2-512-96 hmac-sha2-256-96
hmac-sha1-96
hmac-ripemd160 hmac-ripemd160@openssh.com
hmac-md5 hmac-md5-96
none],
compression: %w[none zlib@openssh.com zlib],
language: %w[]
}.freeze
# The underlying transport layer session that supports this object
attr_reader :session
# The hash of options used to initialize this object
attr_reader :options
# The kex algorithm to use settled on between the client and server.
attr_reader :kex
# The type of host key that will be used for this session.
attr_reader :host_key
# The type of the cipher to use to encrypt packets sent from the client to
# the server.
attr_reader :encryption_client
# The type of the cipher to use to decrypt packets arriving from the server.
attr_reader :encryption_server
# The type of HMAC to use to sign packets sent by the client.
attr_reader :hmac_client
# The type of HMAC to use to validate packets arriving from the server.
attr_reader :hmac_server
# The type of compression to use to compress packets being sent by the client.
attr_reader :compression_client
# The type of compression to use to decompress packets arriving from the server.
attr_reader :compression_server
# The language that will be used in messages sent by the client.
attr_reader :language_client
# The language that will be used in messages sent from the server.
attr_reader :language_server
# The hash of algorithms preferred by the client, which will be told to
# the server during algorithm negotiation.
attr_reader :algorithms
# The session-id for this session, as decided during the initial key exchange.
attr_reader :session_id
# Returns true if the given packet can be processed during a key-exchange.
def self.allowed_packet?(packet)
(1..4).include?(packet.type) ||
(6..19).include?(packet.type) ||
(21..49).include?(packet.type)
end
# Instantiates a new Algorithms object, and prepares the hash of preferred
# algorithms based on the options parameter and the ALGORITHMS constant.
def initialize(session, options = {})
@session = session
@logger = session.logger
@options = options
@algorithms = {}
@pending = @initialized = false
@client_packet = @server_packet = nil
prepare_preferred_algorithms!
end
# Start the algorithm negotation
def start
raise ArgumentError, "Cannot call start if it's negotiation started or done" if @pending || @initialized
send_kexinit
end
# Request a rekey operation. This will return immediately, and does not
# actually perform the rekey operation. It does cause the session to change
# state, however--until the key exchange finishes, no new packets will be
# processed.
def rekey!
@client_packet = @server_packet = nil
@initialized = false
send_kexinit
end
# Called by the transport layer when a KEXINIT packet is received, indicating
# that the server wants to exchange keys. This can be spontaneous, or it
# can be in response to a client-initiated rekey request (see #rekey!). Either
# way, this will block until the key exchange completes.
def accept_kexinit(packet)
info { "got KEXINIT from server" }
@server_data = parse_server_algorithm_packet(packet)
@server_packet = @server_data[:raw]
if !pending?
send_kexinit
else
proceed!
end
end
# A convenience method for accessing the list of preferred types for a
# specific algorithm (see #algorithms).
def [](key)
algorithms[key]
end
# Returns +true+ if a key-exchange is pending. This will be true from the
# moment either the client or server requests the key exchange, until the
# exchange completes. While an exchange is pending, only a limited number
# of packets are allowed, so event processing essentially stops during this
# period.
def pending?
@pending
end
# Returns true if no exchange is pending, and otherwise returns true or
# false depending on whether the given packet is of a type that is allowed
# during a key exchange.
def allow?(packet)
!pending? || Algorithms.allowed_packet?(packet)
end
# Returns true if the algorithms have been negotiated at all.
def initialized?
@initialized
end
def host_key_format
case host_key
when /^([a-z0-9-]+)-cert-v\d{2}@openssh.com$/
Regexp.last_match[1]
else
host_key
end
end
private
# Sends a KEXINIT packet to the server. If a server KEXINIT has already
# been received, this will then invoke #proceed! to proceed with the key
# exchange, otherwise it returns immediately (but sets the object to the
# pending state).
def send_kexinit
info { "sending KEXINIT" }
@pending = true
packet = build_client_algorithm_packet
@client_packet = packet.to_s
session.send_message(packet)
proceed! if @server_packet
end
# After both client and server have sent their KEXINIT packets, this
# will do the algorithm negotiation and key exchange. Once both finish,
# the object leaves the pending state and the method returns.
def proceed!
info { "negotiating algorithms" }
negotiate_algorithms
exchange_keys
@pending = false
end
# Prepares the list of preferred algorithms, based on the options hash
# that was given when the object was constructed, and the ALGORITHMS
# constant. Also, when determining the host_key type to use, the known
# hosts files are examined to see if the host has ever sent a host_key
# before, and if so, that key type is used as the preferred type for
# communicating with this server.
def prepare_preferred_algorithms!
options[:compression] = %w[zlib@openssh.com zlib] if options[:compression] == true
ALGORITHMS.each do |algorithm, supported|
algorithms[algorithm] = compose_algorithm_list(
supported, options[algorithm] || DEFAULT_ALGORITHMS[algorithm],
options[:append_all_supported_algorithms]
)
end
# for convention, make sure our list has the same keys as the server
# list
algorithms[:encryption_client ] = algorithms[:encryption_server ] = algorithms[:encryption]
algorithms[:hmac_client ] = algorithms[:hmac_server ] = algorithms[:hmac]
algorithms[:compression_client] = algorithms[:compression_server] = algorithms[:compression]
algorithms[:language_client ] = algorithms[:language_server ] = algorithms[:language]
if !options.key?(:host_key)
# make sure the host keys are specified in preference order, where any
# existing known key for the host has preference.
existing_keys = session.host_keys
host_keys = existing_keys.flat_map { |key| key.respond_to?(:ssh_types) ? key.ssh_types : [key.ssh_type] }.uniq
algorithms[:host_key].each do |name|
host_keys << name unless host_keys.include?(name)
end
algorithms[:host_key] = host_keys
end
end
# Composes the list of algorithms by taking supported algorithms and matching with supplied options.
def compose_algorithm_list(supported, option, append_all_supported_algorithms = false)
return supported.dup unless option
list = []
option = Array(option).compact.uniq
if option.first && option.first.start_with?('+', '-')
list = supported.dup
appends = option.select { |opt| opt.start_with?('+') }.map { |opt| opt[1..-1] }
deletions = option.select { |opt| opt.start_with?('-') }.map { |opt| opt[1..-1] }
list.concat(appends)
deletions.each do |opt|
if opt.include?('*')
opt_escaped = Regexp.escape(opt)
algo_re = /\A#{opt_escaped.gsub('\*', '[A-Za-z\d\-@\.]*')}\z/
list.delete_if { |existing_opt| algo_re.match(existing_opt) }
else
list.delete(opt)
end
end
list.uniq!
else
list = option
if append_all_supported_algorithms
supported.each { |name| list << name unless list.include?(name) }
end
end
unsupported = []
list.select! do |name|
is_supported = supported.include?(name)
unsupported << name unless is_supported
is_supported
end
lwarn { %(unsupported algorithm: `#{unsupported}') } unless unsupported.empty?
list
end
# Parses a KEXINIT packet from the server.
def parse_server_algorithm_packet(packet)
data = { raw: packet.content }
packet.read(16) # skip the cookie value
data[:kex] = packet.read_string.split(/,/)
data[:host_key] = packet.read_string.split(/,/)
data[:encryption_client] = packet.read_string.split(/,/)
data[:encryption_server] = packet.read_string.split(/,/)
data[:hmac_client] = packet.read_string.split(/,/)
data[:hmac_server] = packet.read_string.split(/,/)
data[:compression_client] = packet.read_string.split(/,/)
data[:compression_server] = packet.read_string.split(/,/)
data[:language_client] = packet.read_string.split(/,/)
data[:language_server] = packet.read_string.split(/,/)
# TODO: if first_kex_packet_follows, we need to try to skip the
# actual kexinit stuff and try to guess what the server is doing...
# need to read more about this scenario.
# first_kex_packet_follows = packet.read_bool
return data
end
# Given the #algorithms map of preferred algorithm types, this constructs
# a KEXINIT packet to send to the server. It does not actually send it,
# it simply builds the packet and returns it.
def build_client_algorithm_packet
kex = algorithms[:kex].join(",")
host_key = algorithms[:host_key].join(",")
encryption = algorithms[:encryption].join(",")
hmac = algorithms[:hmac].join(",")
compression = algorithms[:compression].join(",")
language = algorithms[:language].join(",")
Net::SSH::Buffer.from(:byte, KEXINIT,
:long, [rand(0xFFFFFFFF), rand(0xFFFFFFFF), rand(0xFFFFFFFF), rand(0xFFFFFFFF)],
:mstring, [kex, host_key, encryption, encryption, hmac, hmac],
:mstring, [compression, compression, language, language],
:bool, false, :long, 0)
end
# Given the parsed server KEX packet, and the client's preferred algorithm
# lists in #algorithms, determine which preferred algorithms each has
# in common and set those as the selected algorithms. If, for any algorithm,
# no type can be settled on, an exception is raised.
def negotiate_algorithms
@kex = negotiate(:kex)
@host_key = negotiate(:host_key)
@encryption_client = negotiate(:encryption_client)
@encryption_server = negotiate(:encryption_server)
@hmac_client = negotiate(:hmac_client)
@hmac_server = negotiate(:hmac_server)
@compression_client = negotiate(:compression_client)
@compression_server = negotiate(:compression_server)
@language_client = negotiate(:language_client) rescue ""
@language_server = negotiate(:language_server) rescue ""
debug do
"negotiated:\n" +
%i[kex host_key encryption_server encryption_client hmac_client hmac_server
compression_client compression_server language_client language_server].map do |key|
"* #{key}: #{instance_variable_get("@#{key}")}"
end.join("\n")
end
end
# Negotiates a single algorithm based on the preferences reported by the
# server and those set by the client. This is called by
# #negotiate_algorithms.
def negotiate(algorithm)
match = self[algorithm].find { |item| @server_data[algorithm].include?(item) }
if match.nil?
raise Net::SSH::Exception, "could not settle on #{algorithm} algorithm\n"\
"Server #{algorithm} preferences: #{@server_data[algorithm].join(',')}\n"\
"Client #{algorithm} preferences: #{self[algorithm].join(',')}"
end
return match
end
# Considers the sizes of the keys and block-sizes for the selected ciphers,
# and the lengths of the hmacs, and returns the largest as the byte requirement
# for the key-exchange algorithm.
def kex_byte_requirement
sizes = [8] # require at least 8 bytes
sizes.concat(CipherFactory.get_lengths(encryption_client))
sizes.concat(CipherFactory.get_lengths(encryption_server))
sizes << HMAC.key_length(hmac_client)
sizes << HMAC.key_length(hmac_server)
sizes.max
end
# Instantiates one of the Transport::Kex classes (based on the negotiated
# kex algorithm), and uses it to exchange keys. Then, the ciphers and
# HMACs are initialized and fed to the transport layer, to be used in
# further communication with the server.
def exchange_keys
debug { "exchanging keys" }
algorithm = Kex::MAP[kex].new(self, session,
client_version_string: Net::SSH::Transport::ServerVersion::PROTO_VERSION,
server_version_string: session.server_version.version,
server_algorithm_packet: @server_packet,
client_algorithm_packet: @client_packet,
need_bytes: kex_byte_requirement,
minimum_dh_bits: options[:minimum_dh_bits],
logger: logger)
result = algorithm.exchange_keys
secret = result[:shared_secret].to_ssh
hash = result[:session_id]
digester = result[:hashing_algorithm]
@session_id ||= hash
key = Proc.new { |salt| digester.digest(secret + hash + salt + @session_id) }
iv_client = key["A"]
iv_server = key["B"]
key_client = key["C"]
key_server = key["D"]
mac_key_client = key["E"]
mac_key_server = key["F"]
parameters = { shared: secret, hash: hash, digester: digester }
cipher_client = CipherFactory.get(encryption_client, parameters.merge(iv: iv_client, key: key_client, encrypt: true))
cipher_server = CipherFactory.get(encryption_server, parameters.merge(iv: iv_server, key: key_server, decrypt: true))
mac_client = HMAC.get(hmac_client, mac_key_client, parameters)
mac_server = HMAC.get(hmac_server, mac_key_server, parameters)
session.configure_client cipher: cipher_client, hmac: mac_client,
compression: normalize_compression_name(compression_client),
compression_level: options[:compression_level],
rekey_limit: options[:rekey_limit],
max_packets: options[:rekey_packet_limit],
max_blocks: options[:rekey_blocks_limit]
session.configure_server cipher: cipher_server, hmac: mac_server,
compression: normalize_compression_name(compression_server),
rekey_limit: options[:rekey_limit],
max_packets: options[:rekey_packet_limit],
max_blocks: options[:rekey_blocks_limit]
@initialized = true
end
# Given the SSH name for some compression algorithm, return a normalized
# name as a symbol.
def normalize_compression_name(name)
case name
when "none" then false
when "zlib" then :standard
when "zlib@openssh.com" then :delayed
else raise ArgumentError, "unknown compression type `#{name}'"
end
end
end
end
end
end
|
