SSHAlgorithms.all support, Sendability fixes

Author: Joannis

README.md

@@ -325,6 +325,8 @@ let client = try await SSHClient.connect(
 )
 ```
 
+You can also use `SSHAlgorithms.all` to enable all supported algorithms.
+
 ## TODO
 
 A couple of code is held back until further work in SwiftNIO SSH is completed. We're currently working with Apple to resolve these.

Sources/Citadel/Client.swift

@@ -1,7 +1,61 @@
 import NIO
+import CryptoKit
 import Logging
 import NIOSSH
 
+extension SSHAlgorithms.Modification<NIOSSHTransportProtection.Type> {
+    func apply(to configuration: inout [any NIOSSHTransportProtection.Type]) {
+        switch self {
+        case .add(let algorithms):
+            configuration.append(contentsOf: algorithms)
+            
+            for algorithm: any NIOSSHTransportProtection.Type in algorithms {
+                NIOSSHAlgorithms.register(transportProtectionScheme: algorithm)
+            }
+        case .replace(with: let algorithms):
+            configuration = algorithms
+            
+            for algorithm in algorithms {
+                NIOSSHAlgorithms.register(transportProtectionScheme: algorithm)
+            }
+        }
+    }
+}
+
+extension SSHAlgorithms.Modification<NIOSSHKeyExchangeAlgorithmProtocol.Type> {
+    func apply(to configuration: inout [any NIOSSHKeyExchangeAlgorithmProtocol.Type]) {
+        switch self {
+        case .add(let algorithms):
+            configuration.append(contentsOf: algorithms)
+            
+            for algorithm in algorithms {
+                NIOSSHAlgorithms.register(keyExchangeAlgorithm: algorithm)
+            }
+        case .replace(with: let algorithms):
+            configuration = algorithms
+            
+            for algorithm in algorithms {
+                NIOSSHAlgorithms.register(keyExchangeAlgorithm: algorithm)
+            }
+        }
+    }
+}
+
+extension SSHAlgorithms.Modification<(NIOSSHPublicKeyProtocol.Type, NIOSSHSignatureProtocol.Type)>{
+    func register() {
+        switch self {
+        case .add(let algorithms):
+            for (publicKey, signature) in algorithms {
+                NIOSSHAlgorithms.register(publicKey: publicKey, signature: signature)
+            }
+        case .replace(with: let algorithms):
+            for (publicKey, signature) in algorithms {
+                NIOSSHAlgorithms.register(publicKey: publicKey, signature: signature)
+            }
+        }
+    }
+}
+
 public struct SSHAlgorithms {
     /// Represents a modification to a list of items.
     ///
@@ -18,47 +72,40 @@ public struct SSHAlgorithms {
     /// The enabled KeyExchangeAlgorithms
     public var keyExchangeAlgorithms: Modification<NIOSSHKeyExchangeAlgorithmProtocol.Type>?
 
+    public var publicKeyAlgorihtms: Modification<(NIOSSHPublicKeyProtocol.Type, NIOSSHSignatureProtocol.Type)>?
+
     func apply(to clientConfiguration: inout SSHClientConfiguration) {
-        switch transportProtectionSchemes {
-        case .add(let algorithms):
-            clientConfiguration.transportProtectionSchemes.append(contentsOf: algorithms)
-        case .replace(with: let algorithms):
-            clientConfiguration.transportProtectionSchemes = algorithms
-        case .none:
-            ()
-        }
-        
-        switch keyExchangeAlgorithms {
-        case .add(let algorithms):
-            clientConfiguration.keyExchangeAlgorithms.append(contentsOf: algorithms)
-        case .replace(with: let algorithms):
-            clientConfiguration.keyExchangeAlgorithms = algorithms
-        case .none:
-            ()
-        }
+        transportProtectionSchemes?.apply(to: &clientConfiguration.transportProtectionSchemes)
+        keyExchangeAlgorithms?.apply(to: &clientConfiguration.keyExchangeAlgorithms)
+        publicKeyAlgorihtms?.register()
     }
 
     func apply(to serverConfiguration: inout SSHServerConfiguration) {
-        switch transportProtectionSchemes {
-        case .add(let algorithms):
-            serverConfiguration.transportProtectionSchemes.append(contentsOf: algorithms)
-        case .replace(with: let algorithms):
-            serverConfiguration.transportProtectionSchemes = algorithms
-        case .none:
-            ()
-        }
-        
-        switch keyExchangeAlgorithms {
-        case .add(let algorithms):
-            serverConfiguration.keyExchangeAlgorithms.append(contentsOf: algorithms)
-        case .replace(with: let algorithms):
-            serverConfiguration.keyExchangeAlgorithms = algorithms
-        case .none:
-            ()
-        }
+        transportProtectionSchemes?.apply(to: &serverConfiguration.transportProtectionSchemes)
+        keyExchangeAlgorithms?.apply(to: &serverConfiguration.keyExchangeAlgorithms)
+        publicKeyAlgorihtms?.register()
     }
 
     public init() {}
+
+    public static let all: SSHAlgorithms = {
+        var algorithms = SSHAlgorithms()
+
+        algorithms.transportProtectionSchemes = .add([
+            AES128CTR.self
+        ])
+
+        algorithms.keyExchangeAlgorithms = .add([
+            DiffieHellmanGroup14Sha1.self,
+            DiffieHellmanGroup14Sha256.self
+        ])
+
+        algorithms.publicKeyAlgorihtms = .add([
+            (Insecure.RSA.PublicKey.self, Insecure.RSA.Signature.self),
+        ])
+
+        return algorithms
+    }()
 }
 
 /// Represents an SSH connection.

Sources/Citadel/SFTP/Client/SFTPClient.swift

@@ -7,12 +7,12 @@ import Logging
 /// The SFTP client does not concern itself with the created SSH subsystem channel.
 ///
 /// Per specification, SFTP could be used over other transport layers, too.
-public final class SFTPClient {
+public final class SFTPClient: Sendable {
     /// The SSH child channel created for this connection.
     fileprivate let channel: Channel
 
     /// A monotonically increasing counter for gneerating request IDs.
-    private var _nextRequestId = NIOLockedValueBox<UInt32>(0)
+    private let _nextRequestId = NIOLockedValueBox<UInt32>(0)
 
     private func incrementAndGetNextRequestId() -> UInt32 {
         _nextRequestId.withLockedValue { value in
@@ -34,7 +34,7 @@ public final class SFTPClient {
     }
 
     fileprivate static func setupChannelHanders(channel: Channel, logger: Logger) -> EventLoopFuture<SFTPClient> {
-        let responses = SFTPResponses(initialized: channel.eventLoop.makePromise())
+        let responses = SFTPResponses(sftpVersion: channel.eventLoop.makePromise())
 
         let deserializeHandler = ByteToMessageHandler(SFTPMessageParser())
         let serializeHandler = MessageToByteHandler(SFTPMessageSerializer())
@@ -315,7 +315,9 @@ extension SSHClient {
 
             self.session.sshHandler.createChannel(createChannel) { channel, _ in
                 SFTPClient.setupChannelHanders(channel: channel, logger: logger)
-                    .map(createClient.succeed)
+                    .map { client in
+                        createClient.succeed(client)
+                    }
             }
 
             timeoutCheck.futureResult.whenFailure { _ in
@@ -354,7 +356,7 @@ extension SSHClient {
                 //logger.trace("SFTP OUT: \(initializeMessage.debugRawBytesRepresentation)")
 
                 return client.channel.writeAndFlush(initializeMessage).flatMap {
-                    return client.responses.initialized.futureResult
+                    return client.responses.sftpVersion.futureResult
                 }.flatMapThrowing { serverVersion in
                     guard serverVersion.version >= .v3 else {
                         logger.warning("SFTP ERROR: Server version is unrecognized: \(serverVersion.version.rawValue)")
@@ -370,29 +372,33 @@ extension SSHClient {
 }
 
 /// A tracker for in-flight SFTP requests. Request IDs are allocated by `SFTPClient`.
-final class SFTPResponses {
-    var isInitialized: Bool = false
-    let initialized: EventLoopPromise<SFTPMessage.Version>
+final class SFTPResponses: @unchecked Sendable {
+    let _initialized: NIOLockedValueBox<Bool> = NIOLockedValueBox<Bool>(false)
+    var isInitialized: Bool {
+        get { _initialized.withLockedValue { $0 } }
+        set { _initialized.withLockedValue { $0 = newValue } }
+    }
+    let sftpVersion: EventLoopPromise<SFTPMessage.Version>
     var responses = [UInt32: EventLoopPromise<SFTPResponse>]()
 
-    init(initialized: EventLoopPromise<SFTPMessage.Version>) {
-        self.initialized = initialized
+    init(sftpVersion: EventLoopPromise<SFTPMessage.Version>) {
+        self.sftpVersion = sftpVersion
 
-        initialized.futureResult.whenSuccess { [unowned self] _ in
-            self.isInitialized = true
+        sftpVersion.futureResult.whenSuccess { [weak self] _ in
+            self?.isInitialized = true
         }
     }
 
-    deinit {
-        self.close()
-    }
-    
     func close() {
         self.isInitialized = false
-        self.initialized.fail(SFTPError.connectionClosed)
+        self.sftpVersion.fail(SFTPError.connectionClosed)
 
         for promise in self.responses.values {
             promise.fail(SFTPError.connectionClosed)
         }
     }
+
+    deinit {
+        close()
+    }
 }

Sources/Citadel/SFTP/Client/SFTPClientInboundHandler.swift

@@ -22,7 +22,7 @@ final class SFTPClientInboundHandler: ChannelInboundHandler {
                 logger.warning("SFTP ERROR: Server version is unrecognized or incompatible: \(version.version.rawValue)")
                 context.fireErrorCaught(SFTPError.unsupportedVersion(version.version))
             } else {
-                responses.initialized.succeed(version)
+                responses.sftpVersion.succeed(version)
             }
         } else if let response = SFTPResponse(message: message) {
             if let promise = responses.responses.removeValue(forKey: response.requestId) {