Noratrieb/cluelessh
1
0
Fork 0
mirror of https://github.com/Noratrieb/cluelessh.git synced 2026-01-14 16:35:06 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

stuff

Browse source
This commit is contained in:
nora 2024-08-25 18:42:19 +02:00
parent 8114b5a195
commit d41e474f33
9 changed files with 174 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

104
lib/cluelessh-protocol/src/lib.rs
View file

@ -26,7 +26,7 @@ pub struct ServerConnection {
enum ServerConnectionState {
Setup(HashSet<AuthOption>, Option<String>),
Auth(auth::ServerAuth),
Open(cluelessh_connection::ChannelsState),
Open(cluelessh_connection::ChannelsState, String),
}
impl ServerConnection {
@ -63,7 +63,7 @@ impl ServerConnection {
self.transport.send_plaintext_packet(to_send);
}
}
ServerConnectionState::Open(con) => {
ServerConnectionState::Open(con, _) => {
con.recv_packet(packet)?;
}
}
@ -81,7 +81,7 @@ impl ServerConnection {
pub fn next_channel_update(&mut self) -> Option<cluelessh_connection::ChannelUpdate> {
match &mut self.state {
ServerConnectionState::Setup(..) | ServerConnectionState::Auth(_) => None,
ServerConnectionState::Open(con) => con.next_channel_update(),
ServerConnectionState::Open(con, _) => con.next_channel_update(),
}
}
@ -90,7 +90,7 @@ impl ServerConnection {
ServerConnectionState::Setup(..) | ServerConnectionState::Auth(_) => {
panic!("tried to get connection before it is ready")
}
ServerConnectionState::Open(con) => {
ServerConnectionState::Open(con, _) => {
con.do_operation(op);
self.progress();
}
@ -104,12 +104,14 @@ impl ServerConnection {
for to_send in auth.packets_to_send() {
self.transport.send_plaintext_packet(to_send);
}
if auth.is_authenticated() {
self.state =
ServerConnectionState::Open(cluelessh_connection::ChannelsState::new(true));
if let Some(user) = auth.authenticated_user() {
self.state = ServerConnectionState::Open(
cluelessh_connection::ChannelsState::new(true),
user.to_owned(),
);
}
}
ServerConnectionState::Open(con) => {
ServerConnectionState::Open(con, _) => {
for to_send in con.packets_to_send() {
self.transport.send_plaintext_packet(to_send);
}
@ -119,7 +121,7 @@ impl ServerConnection {
pub fn channels(&mut self) -> Option<&mut cluelessh_connection::ChannelsState> {
match &mut self.state {
ServerConnectionState::Open(channels) => Some(channels),
ServerConnectionState::Open(channels, _) => Some(channels),
_ => None,
}
}
@ -130,6 +132,13 @@ impl ServerConnection {
_ => None,
}
}
pub fn authenticated_user(&self) -> Option<&str> {
match &self.state {
ServerConnectionState::Open(_, user) => Some(user),
_ => None,
}
}
}
pub struct ClientConnection {
@ -263,7 +272,7 @@ pub mod auth {
pub struct ServerAuth {
has_failed: bool,
packets_to_send: VecDeque<Packet>,
is_authenticated: bool,
is_authenticated: Option<String>,
options: HashSet<AuthOption>,
banner: Option<String>,
server_requests: VecDeque<ServerRequest>,
@ -272,14 +281,28 @@ pub mod auth {
pub enum ServerRequest {
VerifyPassword(VerifyPassword),
VerifyPubkey(VerifyPubkey),
/// Check whether a pubkey is usable.
CheckPubkey(CheckPubkey),
/// Verify the signature from a pubkey.
VerifySignature(VerifySignature),
}
#[derive(Debug, Clone)]
pub struct VerifyPassword {
pub user: String,
pub password: String,
}
pub struct VerifyPubkey {
#[derive(Debug, Clone)]
pub struct CheckPubkey {
pub user: String,
pub session_identifier: [u8; 32],
pub pubkey_alg_name: Vec<u8>,
pub pubkey: Vec<u8>,
}
#[derive(Debug, Clone)]
pub struct VerifySignature {
pub user: String,
pub session_identifier: [u8; 32],
pub pubkey_alg_name: Vec<u8>,
@ -303,7 +326,7 @@ pub mod auth {
has_failed: false,
packets_to_send: VecDeque::new(),
options,
is_authenticated: false,
is_authenticated: None,
session_ident,
banner,
server_requests: VecDeque::new(),
@ -311,7 +334,7 @@ pub mod auth {
}
pub fn recv_packet(&mut self, packet: Packet) -> Result<()> {
assert!(!self.is_authenticated, "Must not feed more packets to authentication after authentication is been completed, check with .is_authenticated()");
assert!(self.is_authenticated.is_none(), "Must not feed more packets to authentication after authentication is been completed, check with .is_authenticated()");
// This is a super simplistic implementation of RFC4252 SSH authentication.
// We ask for a public key, and always let that one pass.
@ -366,24 +389,31 @@ pub mod auth {
self.send_failure();
}
// Whether the client is just checking whether the public key is allowed.
let is_check = p.bool()?;
if is_check {
todo!();
}
let has_signature = p.bool()?;
let pubkey_alg_name = p.string()?;
let public_key_blob = p.string()?;
let signature = p.string()?;
self.server_requests
.push_back(ServerRequest::VerifyPubkey(VerifyPubkey {
user: username.to_owned(),
session_identifier: self.session_ident,
pubkey_alg_name: pubkey_alg_name.to_vec(),
pubkey: public_key_blob.to_vec(),
signature: signature.to_vec(),
}));
// Whether the client is just checking whether the public key is allowed.
if !has_signature {
self.server_requests
.push_back(ServerRequest::CheckPubkey(CheckPubkey {
user: username.to_owned(),
session_identifier: self.session_ident,
pubkey_alg_name: pubkey_alg_name.to_vec(),
pubkey: public_key_blob.to_vec(),
}));
} else {
let signature = p.string()?;
self.server_requests
.push_back(ServerRequest::VerifySignature(VerifySignature {
user: username.to_owned(),
session_identifier: self.session_ident,
pubkey_alg_name: pubkey_alg_name.to_vec(),
pubkey: public_key_blob.to_vec(),
signature: signature.to_vec(),
}));
}
}
_ if self.has_failed => {
return Err(peer_error!(
@ -402,10 +432,20 @@ pub mod auth {
Ok(())
}
pub fn verification_result(&mut self, is_ok: bool) {
pub fn pubkey_check_result(&mut self, is_ok: bool, alg: &[u8], key_blob: &[u8]) {
if is_ok {
self.queue_packet(Packet::new_msg_userauth_pk_ok(alg, key_blob));
} else {
self.send_failure();
// It's ok, don't treat this as a fatal failure.
}
}
// TODO: improve types with a newtype around an authenticated user
pub fn verification_result(&mut self, is_ok: bool, user: String) {
if is_ok {
self.queue_packet(Packet::new_msg_userauth_success());
self.is_authenticated = true;
self.is_authenticated = Some(user);
} else {
self.send_failure();
self.has_failed = true;
@ -416,8 +456,8 @@ pub mod auth {
self.packets_to_send.drain(..)
}
pub fn is_authenticated(&self) -> bool {
self.is_authenticated
pub fn authenticated_user(&self) -> Option<&str> {
self.is_authenticated.as_deref()
}
pub fn server_requests(&mut self) -> impl Iterator<Item = ServerRequest> + '_ {

74
lib/cluelessh-tokio/src/server.rs
View file

@ -12,7 +12,7 @@ use tokio::{
};
use cluelessh_protocol::{
auth::{AuthOption, VerifyPassword, VerifyPubkey},
auth::{AuthOption, CheckPubkey, VerifyPassword, VerifySignature},
ChannelUpdateKind, SshStatus,
};
use eyre::{eyre, ContextCompat, OptionExt, Result, WrapErr};
@ -49,16 +49,18 @@ pub struct ServerConnection<S> {
}
enum Operation {
VerifyPassword(Result<()>),
VerifyPubkey(Result<()>),
VerifyPassword(String, Result<bool>),
CheckPubkey(Result<bool>, Vec<u8>, Vec<u8>),
VerifySignature(String, Result<bool>),
}
pub type AuthFn<A, R> = Arc<dyn Fn(A) -> BoxFuture<'static, R> + Send + Sync>;
#[derive(Clone)]
pub struct ServerAuthVerify {
pub verify_password:
Option<Arc<dyn Fn(VerifyPassword) -> BoxFuture<'static, Result<()>> + Send + Sync>>,
pub verify_pubkey:
Option<Arc<dyn Fn(VerifyPubkey) -> BoxFuture<'static, Result<()>> + Send + Sync>>,
pub verify_password: Option<AuthFn<VerifyPassword, Result<bool>>>,
pub verify_signature: Option<AuthFn<VerifySignature, Result<bool>>>,
pub check_pubkey: Option<AuthFn<CheckPubkey, Result<bool>>>,
pub auth_banner: Option<String>,
}
fn _assert_send_sync() {
@ -104,13 +106,18 @@ impl<S: AsyncRead + AsyncWrite> ServerConnection<S> {
if auth_verify.verify_password.is_some() {
options.insert(AuthOption::Password);
}
if auth_verify.verify_pubkey.is_some() {
if auth_verify.verify_signature.is_some() {
options.insert(AuthOption::PublicKey);
}
if options.is_empty() {
panic!("no auth options provided");
}
assert_eq!(
auth_verify.check_pubkey.is_some(),
auth_verify.verify_signature.is_some(),
"Public key auth only partially supported"
);
Self {
stream: Box::pin(stream),
@ -151,20 +158,42 @@ impl<S: AsyncRead + AsyncWrite> ServerConnection<S> {
.clone()
.ok_or_eyre("password auth not supported")?;
tokio::spawn(async move {
let result = verify(password_verify).await;
let _ = send.send(Operation::VerifyPassword(result)).await;
let result = verify(password_verify.clone()).await;
let _ = send
.send(Operation::VerifyPassword(password_verify.user, result))
.await;
});
}
cluelessh_protocol::auth::ServerRequest::VerifyPubkey(pubkey_verify) => {
cluelessh_protocol::auth::ServerRequest::CheckPubkey(check_pubkey) => {
let send = self.operations_send.clone();
let verify = self
let check = self
.auth_verify
.verify_pubkey
.check_pubkey
.clone()
.ok_or_eyre("pubkey auth not supported")?;
tokio::spawn(async move {
let result = verify(pubkey_verify).await;
let _ = send.send(Operation::VerifyPubkey(result)).await;
let result = check(check_pubkey.clone()).await;
let _ = send
.send(Operation::CheckPubkey(
result,
check_pubkey.pubkey_alg_name,
check_pubkey.pubkey,
))
.await;
});
}
cluelessh_protocol::auth::ServerRequest::VerifySignature(pubkey_verify) => {
let send = self.operations_send.clone();
let verify = self
.auth_verify
.verify_signature
.clone()
.ok_or_eyre("pubkey auth not supported")?;
tokio::spawn(async move {
let result = verify(pubkey_verify.clone()).await;
let _ = send
.send(Operation::VerifySignature(pubkey_verify.user, result))
.await;
});
}
}
@ -279,11 +308,14 @@ impl<S: AsyncRead + AsyncWrite> ServerConnection<S> {
}
op = self.operations_recv.recv() => {
match op {
Some(Operation::VerifyPubkey(result)) => if let Some(auth) = self.proto.auth() {
auth.verification_result(result.is_ok());
Some(Operation::VerifySignature(user, result)) => if let Some(auth) = self.proto.auth() {
auth.verification_result(result?, user);
},
Some(Operation::VerifyPassword(result)) => if let Some(auth) = self.proto.auth() {
auth.verification_result(result.is_ok());
Some(Operation::CheckPubkey(result, alg, key_blob)) => if let Some(auth) = self.proto.auth() {
auth.pubkey_check_result(result?, &alg, &key_blob);
},
Some(Operation::VerifyPassword(user, result)) => if let Some(auth) = self.proto.auth() {
auth.verification_result(result?, user);
},
None => {}
}
@ -336,4 +368,8 @@ impl<S: AsyncRead + AsyncWrite> ServerConnection<S> {
pub fn next_new_channel(&mut self) -> Option<Channel> {
self.new_channels.pop_front()
}
pub fn inner(&self) -> &cluelessh_protocol::ServerConnection {
&self.proto
}
}

2
lib/cluelessh-transport/src/numbers.rs
View file

@ -32,6 +32,7 @@ pub const SSH_MSG_USERAUTH_SUCCESS: u8 = 52;
pub const SSH_MSG_USERAUTH_BANNER: u8 = 53;
// 60 to 79 User authentication method specific (numbers can be reused for different authentication methods)
pub const SSH_MSG_USERAUTH_PK_OK: u8 = 60;
// -----
// Connection protocol:
@ -70,6 +71,7 @@ pub fn packet_type_to_string(packet_type: u8) -> &'static str {
51 => "SSH_MSG_USERAUTH_FAILURE",
52 => "SSH_MSG_USERAUTH_SUCCESS",
53 => "SSH_MSG_USERAUTH_BANNER",
60 => "SSH_MSG_USERAUTH_PK_OK",
80 => "SSH_MSG_GLOBAL_REQUEST",
81 => "SSH_MSG_REQUEST_SUCCESS",
82 => "SSH_MSG_REQUEST_FAILURE",

4
lib/cluelessh-transport/src/packet/ctors.rs
View file

@ -92,6 +92,10 @@ ctors! {
fn new_msg_userauth_banner(SSH_MSG_USERAUTH_BANNER; msg: string, language_tag: string);
// 60 to 79 User authentication method specific (numbers can be reused for different authentication methods)
fn new_msg_userauth_pk_ok(SSH_MSG_USERAUTH_PK_OK;
key_alg: string,
key_blob: string,
);
// -----
// Connection protocol: