Adds support for custom transport protection algorithms #97
Conversation
| @@ -12,6 +12,10 @@ | |||
| // | |||
| //===----------------------------------------------------------------------===// | |||
|
|
|||
| enum Constants { | |||
| public enum Constants { | |||
There was a problem hiding this comment.
Not sure this is the best place, maybe we need to type Defaults or smth?
There was a problem hiding this comment.
I agree with you, I think Defaults would be better.
There was a problem hiding this comment.
Decided to change this a bit, I will rename constant to bundledTransportProtectionSchemes, I quite like this idea from Joannis's PR, wdyt?
Sources/NIOSSH/Constants.swift
Outdated
| static let version = "SSH-2.0-SwiftNIOSSH_1.0" | ||
|
|
||
| public static let defaultTransportProtectionSchemes: [NIOSSHTransportProtection.Type] = [ |
There was a problem hiding this comment.
I made it public so it would be possible both using only custom provided algs and adding new ones in addition to defaults one, but we probably can make it a bit nicer...
There was a problem hiding this comment.
I'm not sure that there's a better alternative than this.
| @@ -79,7 +79,7 @@ extension AESGCMTransportProtection: NIOSSHTransportProtection { | |||
| // unencrypted! | |||
| } | |||
|
|
|||
| func decryptAndVerifyRemainingPacket(_ source: inout ByteBuffer) throws -> ByteBuffer { | |||
| func decryptAndVerifyRemainingPacket(_ source: inout ByteBuffer, sequence: UInt32) throws -> ByteBuffer { | |||
There was a problem hiding this comment.
CTR requires packet sequence number for MAC verification, same for encryption, and it seems that those sequences start when binary protocol starts...
There was a problem hiding this comment.
Can we make it clear that AESGCM doesn't need it, by using sequence _: UInt32 here and below?
Sources/NIOSSH/Connection State Machine/SSHConnectionStateMachine.swift
Outdated
Show resolved
Hide resolved
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
3 times, most recently
from
f9170d0
to
48ae0bb
Compare
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
2 times, most recently
from
8e8a4f3
to
8bf1a9a
Compare
artemredkin
changed the title
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
from
8bf1a9a
to
d056ef3
Compare
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
from
d056ef3
to
1e7e46d
Compare
|
Agreed, but at least it should be referenced there, thank you! |
| @@ -12,6 +12,10 @@ | |||
| // | |||
| //===----------------------------------------------------------------------===// | |||
|
|
|||
| enum Constants { | |||
| public enum Constants { | |||
There was a problem hiding this comment.
I agree with you, I think Defaults would be better.
Sources/NIOSSH/Constants.swift
Outdated
| static let version = "SSH-2.0-SwiftNIOSSH_1.0" | ||
|
|
||
| public static let defaultTransportProtectionSchemes: [NIOSSHTransportProtection.Type] = [ |
There was a problem hiding this comment.
I'm not sure that there's a better alternative than this.
Sources/NIOSSH/SSHPacketParser.swift
Outdated
| self.sequence = 0 | ||
| } else { | ||
| self.sequence += 1 | ||
| } |
There was a problem hiding this comment.
This can be more succinctly spelled self.sequence &+= 1.
There was a problem hiding this comment.
done, plus renamed to sequenceNumber as per Joannis Orlandos's PR suggestion
| } else { | ||
| self.sequence += 1 | ||
| } | ||
| } |
| @@ -79,7 +79,7 @@ extension AESGCMTransportProtection: NIOSSHTransportProtection { | |||
| // unencrypted! | |||
| } | |||
|
|
|||
| func decryptAndVerifyRemainingPacket(_ source: inout ByteBuffer) throws -> ByteBuffer { | |||
| func decryptAndVerifyRemainingPacket(_ source: inout ByteBuffer, sequence: UInt32) throws -> ByteBuffer { | |||
There was a problem hiding this comment.
Can we make it clear that AESGCM doesn't need it, by using sequence _: UInt32 here and below?
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
2 times, most recently
from
0d7cf3a
to
7dba735
Compare
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
from
7dba735
to
89de739
Compare
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
from
89de739
to
a4d3621
Compare
| @@ -60,11 +60,11 @@ struct SSHConnectionStateMachine { | |||
| /// The state of this state machine. | |||
| private var state: State | |||
|
|
|||
| private static let defaultTransportProtectionSchemes: [NIOSSHTransportProtection.Type] = [ | |||
| public static let bundledTransportProtectionSchemes: [NIOSSHTransportProtection.Type] = [ | |||
There was a problem hiding this comment.
I decided to make this public so clients can have an ability to specify a fully custom set of algorithms (i.e. exclude bundled). But if they need to add custom, they will be able to specify bundled + custom
There was a problem hiding this comment.
Ah, NIOSSHConnectionStateMachine is not public, moved to SSHConnectionRole
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
2 times, most recently
from
6bfb945
to
a7e248c
Compare
|
|
||
| /// Encrypt an entire outbound packet | ||
| func encryptPacket(_ packet: NIOSSHEncryptablePayload, to outboundBuffer: inout ByteBuffer) throws | ||
| func encryptPacket(_ packet: NIOSSHEncryptablePayload, sequenceNumber: UInt32, to outboundBuffer: inout ByteBuffer) throws |
There was a problem hiding this comment.
One thing I haven't solved yet, is how to use NIOSSHEncryptablePayload to write tests for custom transport implementations. It uses internal type (SSHMessage), so there is no way to initialize it. I see three options:
- Make it a protocol
- Make it an enum (`SSHMessage|ByteBuffer)
- Make
encryptPacketsimilar to decrypt, where we will be passing aninoutbuffer with message already written there expecting client to encrypt it inplace
wdyt?
There was a problem hiding this comment.
(right now I'm in favour of 3 tbh)
There was a problem hiding this comment.
I think many implementation will begin with:
let packetLengthIndex = outboundBuffer.writerIndex
let packetLengthLength = MemoryLayout<UInt32>.size
let packetPaddingIndex = outboundBuffer.writerIndex + packetLengthLength
let packetPaddingLength = MemoryLayout<UInt8>.size
outboundBuffer.moveWriterIndex(forwardBy: packetLengthLength + packetPaddingLength)
maybe we should abstract in serializer?
There was a problem hiding this comment.
I suspect (3) is the right approach, yes. We can also abstract the write pattern in the serializer as well. Can I suggest that we do that as a separate PR though to avoid this one growing further?
| @@ -87,10 +87,10 @@ protocol NIOSSHTransportProtection: AnyObject { | |||
| /// length, the padding, or the MAC), and update source to indicate the consumed bytes. | |||
| /// It must also perform any integrity checking that | |||
| /// is required and throw if the integrity check fails. | |||
| func decryptAndVerifyRemainingPacket(_ source: inout ByteBuffer) throws -> ByteBuffer | |||
| func decryptAndVerifyRemainingPacket(_ source: inout ByteBuffer, sequenceNumber: UInt32) throws -> ByteBuffer | |||
There was a problem hiding this comment.
Actually, two additional questions before we make this API public:
- Why do we return a
ByteBufferhere instead of in-place mutation? - There is a bit of a lost symmetry here, in plaintext mode padding and packet length are consumed by parser, but in ciphertext mode we have to do it manually, should this be handled by parser instead? And decryptors should only decrypt data in place and leave it? (Maybe we should drop mac bytes here?)
There was a problem hiding this comment.
I think parser can handle mac bytes, we have macBytes property, we can use it to remove last bytes from the packet
There was a problem hiding this comment.
- As the doc comment says: it is expected to update the buffer to indicate what it consumed, and return the decrypted buffer. We avoid in-place mutation because we do not want to guarantee that all encryption algorithms have the exact same size input and output.
- The absence of symmetry is because in the input case we need to be able to decrypt just the length so we know how much further data to read, and we wanted to minimise the number of times we need to do that operation. I don't think the parser can do it for us because the actual length is affected by the protection scheme.
We could pass the MAC separately, but I'm not sure we gain much do we?
There was a problem hiding this comment.
let me think about this further, I'll revisit this together with refactoring encryptPacket
There was a problem hiding this comment.
Just for my clarification, did this work get done?
There was a problem hiding this comment.
I opened a draft here:
artemredkin#1
but so far I only refactored encryptPacket, we probably should have two separate PRs for encryptPacket and decryptAndVerifyRemainingPacket
There was a problem hiding this comment.
Ok great, so you'd like to have this PR merged without further changes to this and we'll revisit in a follow-on PR?
There was a problem hiding this comment.
yes! otherwise it's already quite large
Sources/NIOSSH/Role.swift
Outdated
| @@ -14,6 +14,10 @@ | |||
|
|
|||
| /// The role of a given party in an SSH connection. | |||
| public enum SSHConnectionRole { | |||
| public static let bundledTransportProtectionSchemes: [NIOSSHTransportProtection.Type] = [ | |||
There was a problem hiding this comment.
I don't think this makes sense on SSHConnectionRole. This should go on config objects. We can avoid some duplication by using an internal central location.
There was a problem hiding this comment.
moved to Constants
| @@ -87,10 +87,10 @@ protocol NIOSSHTransportProtection: AnyObject { | |||
| /// length, the padding, or the MAC), and update source to indicate the consumed bytes. | |||
| /// It must also perform any integrity checking that | |||
| /// is required and throw if the integrity check fails. | |||
| func decryptAndVerifyRemainingPacket(_ source: inout ByteBuffer) throws -> ByteBuffer | |||
| func decryptAndVerifyRemainingPacket(_ source: inout ByteBuffer, sequenceNumber: UInt32) throws -> ByteBuffer | |||
There was a problem hiding this comment.
- As the doc comment says: it is expected to update the buffer to indicate what it consumed, and return the decrypted buffer. We avoid in-place mutation because we do not want to guarantee that all encryption algorithms have the exact same size input and output.
- The absence of symmetry is because in the input case we need to be able to decrypt just the length so we know how much further data to read, and we wanted to minimise the number of times we need to do that operation. I don't think the parser can do it for us because the actual length is affected by the protection scheme.
We could pass the MAC separately, but I'm not sure we gain much do we?
|
|
||
| /// Encrypt an entire outbound packet | ||
| func encryptPacket(_ packet: NIOSSHEncryptablePayload, to outboundBuffer: inout ByteBuffer) throws | ||
| func encryptPacket(_ packet: NIOSSHEncryptablePayload, sequenceNumber: UInt32, to outboundBuffer: inout ByteBuffer) throws |
There was a problem hiding this comment.
I suspect (3) is the right approach, yes. We can also abstract the write pattern in the serializer as well. Can I suggest that we do that as a separate PR though to avoid this one growing further?
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
2 times, most recently
from
9a27935
to
e312215
Compare
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
from
e312215
to
2ced9ad
Compare
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
from
2ced9ad
to
0ac56ea
Compare
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
from
0ac56ea
to
0987147
Compare
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
2 times, most recently
from
43d91e4
to
c776967
Compare
Motivation: In some cases AES GCM might not be supported by a server/client, and clients might require custom algorithms to be implemented in their projects. Modifications: - Makes NIOSSHTransportProtection, NIOSSHSessionKeys and ExpectedKeySizes public - Makes transport algorithms list configurable - Adds sequence number of incoming and outgoing messages to parser and serializer - Tests
artemredkin
force-pushed
the
custom_transport_protection_algs_support
branch
from
c776967
to
01e5a89
Compare
Lukasa
added
the
🔼 needs-minor-version-bump
Motivation:
In some cases AES GCM might not be supported by a server/client, and
clients might require custom algorithms to be implemented in their
projects.
Modifications:
serializer