[apacheGH-445] Added StrictKexTest

Lyor Goldstein · Lyor Goldstein · commit 91ba60eb059a · 2023-12-22T12:21:21.000+02:00
diff --git a/sshd-common/src/test/java/org/apache/sshd/util/test/JUnitTestSupport.java b/sshd-common/src/test/java/org/apache/sshd/util/test/JUnitTestSupport.java
@@ -703,7 +703,7 @@ public static void outputDebugMessage(String format, Object o) {
 
     public static void outputDebugMessage(String format, Object... args) {
         if (OUTPUT_DEBUG_MESSAGES) {
-            outputDebugMessage(String.format(format, args));
+            outputDebugMessage(GenericUtils.isEmpty(args) ? format : String.format(format, args));
         }
     }
 
@@ -713,6 +713,24 @@ public static void outputDebugMessage(Object message) {
         }
     }
 
+    public static void failWithWrittenErrorMessage(String format, Object... args) {
+        failWithWrittenErrorMessage(GenericUtils.isEmpty(args) ? format : String.format(format, args));
+    }
+
+    public static void failWithWrittenErrorMessage(Object message) {
+        writeErrorMessage(message);
+        fail(Objects.toString(message));
+    }
+
+    public static void writeErrorMessage(String format, Object... args) {
+        writeErrorMessage(GenericUtils.isEmpty(args) ? format : String.format(format, args));
+    }
+
+    public static void writeErrorMessage(Object message) {
+        System.err.append("===[ERROR]=== ").println(message);
+        System.err.flush();
+    }
+
     /* ---------------------------------------------------------------------------- */
 
     public static void replaceJULLoggers() {
diff --git a/sshd-core/src/test/java/org/apache/sshd/common/kex/extension/StrictKexTest.java b/sshd-core/src/test/java/org/apache/sshd/common/kex/extension/StrictKexTest.java
@@ -0,0 +1,262 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.sshd.common.kex.extension;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.util.Map;
+
+import org.apache.sshd.client.SshClient;
+import org.apache.sshd.client.session.ClientSession;
+import org.apache.sshd.common.future.KeyExchangeFuture;
+import org.apache.sshd.common.kex.KexProposalOption;
+import org.apache.sshd.common.session.Session;
+import org.apache.sshd.common.session.SessionListener;
+import org.apache.sshd.common.session.helpers.SessionCountersDetails;
+import org.apache.sshd.common.session.helpers.SessionKexDetails;
+import org.apache.sshd.common.util.net.SshdSocketAddress;
+import org.apache.sshd.core.CoreModuleProperties;
+import org.apache.sshd.server.SshServer;
+import org.apache.sshd.util.test.BaseTestSupport;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.FixMethodOrder;
+import org.junit.Test;
+import org.junit.runners.MethodSorters;
+
+/**
+ * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
+ * @see <A HREF="https://github.com/apache/mina-sshd/issues/445">Terrapin Mitigation: &quot;strict-kex&quot;</A>
+ */
+@FixMethodOrder(MethodSorters.NAME_ASCENDING)
+public class StrictKexTest extends BaseTestSupport {
+    private SshServer sshd;
+    private SshClient client;
+
+    public StrictKexTest() {
+        super();
+    }
+
+    @Override
+    protected SshServer setupTestServer() {
+        SshServer server = super.setupTestServer();
+        CoreModuleProperties.USE_STRICT_KEX.set(server, true);
+        return server;
+    }
+
+    @Override
+    protected SshClient setupTestClient() {
+        SshClient sshc = super.setupTestClient();
+        CoreModuleProperties.USE_STRICT_KEX.set(sshc, true);
+        return sshc;
+    }
+
+    @Before
+    public void setUp() throws Exception {
+        sshd = setupTestServer();
+        client = setupTestClient();
+    }
+
+    @After
+    public void tearDown() throws Exception {
+        if (sshd != null) {
+            sshd.stop(true);
+        }
+        if (client != null) {
+            client.stop();
+        }
+    }
+
+    @Test
+    public void testConnectionClosedIfFirstPacketNotKexInit() throws Exception {
+        // TODO
+    }
+
+    @Test
+    public void testStrictKexIgnoredIfNotFirstKexInit() throws Exception {
+        // TODO
+    }
+
+    @Test
+    public void testRekeyResetsPacketSequenceNumbers() throws Exception {
+        sshd.addSessionListener(new SessionListener() {
+            private SessionKexDetails beforeDetails;
+            private SessionCountersDetails beforeCounters;
+
+            @Override
+            public void sessionNegotiationEnd(
+                    Session session, Map<KexProposalOption, String> clientProposal,
+                    Map<KexProposalOption, String> serverProposal, Map<KexProposalOption, String> negotiatedOptions,
+                    Throwable reason) {
+                SessionKexDetails details = session.getSessionKexDetails();
+                assertTrue("StrictKexSignalled[server]", details.isStrictKexSignalled());
+
+                SessionCountersDetails counters = session.getSessionCountersDetails();
+                if (beforeDetails == null) {
+                    beforeDetails = details;
+                }
+                if (beforeCounters == null) {
+                    beforeCounters = counters;
+                }
+
+                // Use reference equality to detect if this is the 1st re-key
+                if ((beforeDetails != details) || (beforeCounters != counters)) {
+                    // TODO assertSessionSequenceNumbersReset(session, beforeDetails, beforeCounters);
+                }
+            }
+        });
+
+        try (ClientSession session = obtainInitialTestClientSession()) {
+            SessionKexDetails beforeDetails = session.getSessionKexDetails();
+            assertTrue("StrictKexSignalled[client]", beforeDetails.isStrictKexSignalled());
+
+            /*
+             * Generate some traffic in order to pump-up the sequence numbers enough
+             * so that the re-keying exchange will not reach this number after packets
+             * sequence numbers reset. Usually ~10 extra messages should be enough
+             */
+
+            SessionCountersDetails beforeCounters = session.getSessionCountersDetails();
+            KeyExchangeFuture rekeyFuture = session.reExchangeKeys();
+            boolean exchanged = rekeyFuture.await(AUTH_TIMEOUT);
+            assertTrue("Rekey exchange completed", exchanged);
+            // TODO assertSessionSequenceNumbersReset(session, beforeDetails, beforeCounters);
+        } finally {
+            client.stop();
+        }
+    }
+
+    // NOTE: we use failWithWrittenErrorMessage in order to compensate for session timeout in case of debug breakpoint
+    static void assertSessionSequenceNumbersReset(
+            Session session, SessionKexDetails beforeDetails, SessionCountersDetails beforeCounters) {
+        long incomingPacketSequenceNumberBefore = beforeCounters.getInputPacketSequenceNumber();
+        long outputPacketSequenceNumberBefore = beforeCounters.getOutputPacketSequenceNumber();
+
+        SessionCountersDetails afterCounters = session.getSessionCountersDetails();
+        long incomingPacketSequenceNumberAfter = afterCounters.getInputPacketSequenceNumber();
+        long outputPacketSequenceNumberAfter = afterCounters.getOutputPacketSequenceNumber();
+
+        String sessionType = session.isServerSession() ? "server" : "client";
+        if (incomingPacketSequenceNumberAfter > incomingPacketSequenceNumberBefore) {
+            failWithWrittenErrorMessage(sessionType + ": Incoming packet sequence number not reset: before=" + incomingPacketSequenceNumberBefore + ", after=" + incomingPacketSequenceNumberAfter);
+        }
+
+        if (outputPacketSequenceNumberAfter > outputPacketSequenceNumberBefore) {
+            failWithWrittenErrorMessage(sessionType + ": Outgoing packet sequence number not reset: before=" + incomingPacketSequenceNumberBefore + ", after=" + incomingPacketSequenceNumberAfter);
+        }
+
+        SessionKexDetails afterDetails = session.getSessionKexDetails();
+        int beforeSentNewKeys = beforeDetails.getNewKeysSentCount();
+        int afterSentNewKeys = afterDetails.getNewKeysSentCount();
+        if (beforeSentNewKeys >= afterSentNewKeys) {
+            failWithWrittenErrorMessage(sessionType + ": sent NEWKEY count not updated: before=" + beforeSentNewKeys + ", after=" + afterSentNewKeys);
+        }
+
+        int beforeRcvdNewKeys = beforeDetails.getNewKeysReceivedCount();
+        int afterRcvdNewKeys = afterDetails.getNewKeysReceivedCount();
+        if (beforeRcvdNewKeys >= afterRcvdNewKeys) {
+            failWithWrittenErrorMessage(sessionType + ": received NEWKEY count not updated: before=" + beforeRcvdNewKeys + ", after=" + afterRcvdNewKeys);
+        }
+    }
+
+    @Test
+    public void testStrictKexNotActivatedIfClientDoesNotSupportIt() throws Exception {
+        testStrictKexNotActivatedIfNotSupportByPeer(false);
+    }
+
+    @Test
+    public void testStrictKexNotActivatedIfServerDoesNotSupportIt() throws Exception {
+        testStrictKexNotActivatedIfNotSupportByPeer(true);
+    }
+
+    private void testStrictKexNotActivatedIfNotSupportByPeer(boolean clientSupported) throws Exception {
+        if (clientSupported) {
+            CoreModuleProperties.USE_STRICT_KEX.set(sshd, false);
+        } else {
+            CoreModuleProperties.USE_STRICT_KEX.set(client, false);
+        }
+
+        sshd.addSessionListener(new SessionListener() {
+            @Override
+            public void sessionNegotiationEnd(
+                    Session session, Map<KexProposalOption, String> clientProposal,
+                    Map<KexProposalOption, String> serverProposal, Map<KexProposalOption, String> negotiatedOptions,
+                    Throwable reason) {
+                SessionKexDetails details = session.getSessionKexDetails();
+                assertEquals("StrictKexEnabled[server]", !clientSupported, details.isStrictKexEnabled());
+                assertFalse("StrictKexSignalled[server]", details.isStrictKexSignalled());
+            }
+        });
+
+        try (ClientSession session = obtainInitialTestClientSession()) {
+            SessionKexDetails details = session.getSessionKexDetails();
+            assertEquals("StrictKexEnabled[client]", clientSupported, details.isStrictKexEnabled());
+            assertFalse("StrictKexSignalled[client]", details.isStrictKexSignalled());
+        } finally {
+            client.stop();
+        }
+    }
+
+    private ClientSession obtainInitialTestClientSession() throws IOException {
+        sshd.start();
+        int port = sshd.getPort();
+
+        client.start();
+        return createTestClientSession(port);
+    }
+
+    private ClientSession createTestClientSession(int port) throws IOException {
+        ClientSession session = createTestClientSession(TEST_LOCALHOST, port);
+        try {
+            InetSocketAddress addr = SshdSocketAddress.toInetSocketAddress(session.getConnectAddress());
+            assertEquals("Mismatched connect host", TEST_LOCALHOST, addr.getHostString());
+
+            ClientSession returnValue = session;
+            session = null; // avoid 'finally' close
+            return returnValue;
+        } finally {
+            if (session != null) {
+                session.close();
+            }
+        }
+    }
+
+    private ClientSession createTestClientSession(String host, int port) throws IOException {
+        ClientSession session = client.connect(getCurrentTestName(), host, port)
+                .verify(CONNECT_TIMEOUT).getSession();
+        try {
+            session.addPasswordIdentity(getCurrentTestName());
+            session.auth().verify(AUTH_TIMEOUT);
+
+            InetSocketAddress addr = SshdSocketAddress.toInetSocketAddress(session.getConnectAddress());
+            assertNotNull("No reported connect address", addr);
+            assertEquals("Mismatched connect port", port, addr.getPort());
+
+            ClientSession returnValue = session;
+            session = null; // avoid 'finally' close
+            return returnValue;
+        } finally {
+            if (session != null) {
+                session.close();
+            }
+        }
+    }
+
+}
