bool SshKeyExchange::sendDhInitPacket(const SshIncomingPacket &serverKexInit)
{
#ifdef CREATOR_SSH_DEBUG
qDebug("server requests key exchange");
#endif
serverKexInit.printRawBytes();
SshKeyExchangeInit kexInitParams
= serverKexInit.extractKeyExchangeInitData();
printNameList("Key Algorithms", kexInitParams.keyAlgorithms);
printNameList("Server Host Key Algorithms", kexInitParams.serverHostKeyAlgorithms);
printNameList("Encryption algorithms client to server", kexInitParams.encryptionAlgorithmsClientToServer);
printNameList("Encryption algorithms server to client", kexInitParams.encryptionAlgorithmsServerToClient);
printNameList("MAC algorithms client to server", kexInitParams.macAlgorithmsClientToServer);
printNameList("MAC algorithms server to client", kexInitParams.macAlgorithmsServerToClient);
printNameList("Compression algorithms client to server", kexInitParams.compressionAlgorithmsClientToServer);
printNameList("Compression algorithms client to server", kexInitParams.compressionAlgorithmsClientToServer);
printNameList("Languages client to server", kexInitParams.languagesClientToServer);
printNameList("Languages server to client", kexInitParams.languagesServerToClient);
#ifdef CREATOR_SSH_DEBUG
qDebug("First packet follows: %d", kexInitParams.firstKexPacketFollows);
#endif
const QByteArray &keyAlgo
= SshCapabilities::findBestMatch(SshCapabilities::KeyExchangeMethods,
kexInitParams.keyAlgorithms.names);
m_serverHostKeyAlgo
= SshCapabilities::findBestMatch(SshCapabilities::PublicKeyAlgorithms,
kexInitParams.serverHostKeyAlgorithms.names);
m_encryptionAlgo
= SshCapabilities::findBestMatch(SshCapabilities::EncryptionAlgorithms,
kexInitParams.encryptionAlgorithmsClientToServer.names);
m_decryptionAlgo
= SshCapabilities::findBestMatch(SshCapabilities::EncryptionAlgorithms,
kexInitParams.encryptionAlgorithmsServerToClient.names);
m_c2sHMacAlgo
= SshCapabilities::findBestMatch(SshCapabilities::MacAlgorithms,
kexInitParams.macAlgorithmsClientToServer.names);
m_s2cHMacAlgo
= SshCapabilities::findBestMatch(SshCapabilities::MacAlgorithms,
kexInitParams.macAlgorithmsServerToClient.names);
SshCapabilities::findBestMatch(SshCapabilities::CompressionAlgorithms,
kexInitParams.compressionAlgorithmsClientToServer.names);
SshCapabilities::findBestMatch(SshCapabilities::CompressionAlgorithms,
kexInitParams.compressionAlgorithmsServerToClient.names);
AutoSeeded_RNG rng;
m_dhKey.reset(new DH_PrivateKey(rng,
DL_Group(botanKeyExchangeAlgoName(keyAlgo))));
const AbstractSshPacket::Payload &payload = serverKexInit.payLoad();
m_serverKexInitPayload = QByteArray(payload.data, payload.size);
m_sendFacility.sendKeyDhInitPacket(m_dhKey->get_y());
return kexInitParams.firstKexPacketFollows;
}
void AbstractSshChannel::handleChannelRequest(const SshIncomingPacket &packet)
{
checkChannelActive();
const QByteArray &requestType = packet.extractChannelRequestType();
if (requestType == SshIncomingPacket::ExitStatusType)
handleExitStatus(packet.extractChannelExitStatus());
else if (requestType == SshIncomingPacket::ExitSignalType)
handleExitSignal(packet.extractChannelExitSignal());
else if (requestType != "*****@*****.**") // Suppress warning for this one, as it's sent all the time.
qWarning("Ignoring unknown request type '%s'", requestType.data());
}
bool SshKeyExchange::sendDhInitPacket(const SshIncomingPacket &serverKexInit)
{
#ifdef CREATOR_SSH_DEBUG
qDebug("server requests key exchange");
#endif
serverKexInit.printRawBytes();
SshKeyExchangeInit kexInitParams
= serverKexInit.extractKeyExchangeInitData();
printNameList("Key Algorithms", kexInitParams.keyAlgorithms);
printNameList("Server Host Key Algorithms", kexInitParams.serverHostKeyAlgorithms);
printNameList("Encryption algorithms client to server", kexInitParams.encryptionAlgorithmsClientToServer);
printNameList("Encryption algorithms server to client", kexInitParams.encryptionAlgorithmsServerToClient);
printNameList("MAC algorithms client to server", kexInitParams.macAlgorithmsClientToServer);
printNameList("MAC algorithms server to client", kexInitParams.macAlgorithmsServerToClient);
printNameList("Compression algorithms client to server", kexInitParams.compressionAlgorithmsClientToServer);
printNameList("Compression algorithms client to server", kexInitParams.compressionAlgorithmsClientToServer);
printNameList("Languages client to server", kexInitParams.languagesClientToServer);
printNameList("Languages server to client", kexInitParams.languagesServerToClient);
#ifdef CREATOR_SSH_DEBUG
qDebug("First packet follows: %d", kexInitParams.firstKexPacketFollows);
#endif
m_kexAlgoName = SshCapabilities::findBestMatch(SshCapabilities::KeyExchangeMethods,
kexInitParams.keyAlgorithms.names);
m_serverHostKeyAlgo = SshCapabilities::findBestMatch(SshCapabilities::PublicKeyAlgorithms,
kexInitParams.serverHostKeyAlgorithms.names);
determineHashingAlgorithm(kexInitParams, true);
determineHashingAlgorithm(kexInitParams, false);
m_encryptionAlgo
= SshCapabilities::findBestMatch(SshCapabilities::EncryptionAlgorithms,
kexInitParams.encryptionAlgorithmsClientToServer.names);
m_decryptionAlgo
= SshCapabilities::findBestMatch(SshCapabilities::EncryptionAlgorithms,
kexInitParams.encryptionAlgorithmsServerToClient.names);
SshCapabilities::findBestMatch(SshCapabilities::CompressionAlgorithms,
kexInitParams.compressionAlgorithmsClientToServer.names);
SshCapabilities::findBestMatch(SshCapabilities::CompressionAlgorithms,
kexInitParams.compressionAlgorithmsServerToClient.names);
AutoSeeded_RNG rng;
if (m_kexAlgoName.startsWith(SshCapabilities::EcdhKexNamePrefix)) {
m_ecdhKey.reset(new ECDH_PrivateKey(rng, EC_Group(botanKeyExchangeAlgoName(m_kexAlgoName))));
m_sendFacility.sendKeyEcdhInitPacket(convertByteArray(m_ecdhKey->public_value()));
} else {
m_dhKey.reset(new DH_PrivateKey(rng, DL_Group(botanKeyExchangeAlgoName(m_kexAlgoName))));
m_sendFacility.sendKeyDhInitPacket(m_dhKey->get_y());
}
m_serverKexInitPayload = serverKexInit.payLoad();
return kexInitParams.firstKexPacketFollows;
}
void SshChannelManager::handleChannelOpenConfirmation(const SshIncomingPacket &packet)
{
const SshChannelOpenConfirmation &confirmation
= packet.extractChannelOpenConfirmation();
lookupChannel(confirmation.localChannel)->handleOpenSuccess(confirmation.remoteChannel,
confirmation.remoteWindowSize, confirmation.remoteMaxPacketSize);
}
void SshChannelManager::handleChannelEof(const SshIncomingPacket &packet)
{
AbstractSshChannel * const channel
= lookupChannel(packet.extractRecipientChannel(), true);
if (channel)
channel->handleChannelEof();
}
void SshKeyExchange::sendNewKeysPacket(const SshIncomingPacket &dhReply,
const QByteArray &clientId)
{
const SshKeyExchangeReply &reply
= dhReply.extractKeyExchangeReply(m_serverHostKeyAlgo);
if (reply.f <= 0 || reply.f >= m_dhKey->group_p()) {
throw SSH_SERVER_EXCEPTION(SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
"Server sent invalid f.");
}
QByteArray concatenatedData = AbstractSshPacket::encodeString(clientId);
concatenatedData += AbstractSshPacket::encodeString(m_serverId);
concatenatedData += AbstractSshPacket::encodeString(m_clientKexInitPayload);
concatenatedData += AbstractSshPacket::encodeString(m_serverKexInitPayload);
concatenatedData += reply.k_s;
concatenatedData += AbstractSshPacket::encodeMpInt(m_dhKey->get_y());
concatenatedData += AbstractSshPacket::encodeMpInt(reply.f);
SymmetricKey k = m_dhKey->derive_key(reply.f);
m_k = AbstractSshPacket::encodeMpInt(BigInt(k.begin(), k.length()));
concatenatedData += m_k;
m_hash.reset(get_hash(botanSha1Name()));
const SecureVector<byte> &hashResult
= m_hash->process(convertByteArray(concatenatedData),
concatenatedData.size());
m_h = convertByteArray(hashResult);
QScopedPointer<Public_Key> sigKey;
QScopedPointer<PK_Verifier> verifier;
if (m_serverHostKeyAlgo == SshCapabilities::PubKeyDss) {
const DL_Group group(reply.parameters.at(0), reply.parameters.at(1),
reply.parameters.at(2));
DSA_PublicKey * const dsaKey
= new DSA_PublicKey(group, reply.parameters.at(3));
sigKey.reset(dsaKey);
verifier.reset(get_pk_verifier(*dsaKey,
botanEmsaAlgoName(SshCapabilities::PubKeyDss)));
} else if (m_serverHostKeyAlgo == SshCapabilities::PubKeyRsa) {
RSA_PublicKey * const rsaKey
= new RSA_PublicKey(reply.parameters.at(1), reply.parameters.at(0));
sigKey.reset(rsaKey);
verifier.reset(get_pk_verifier(*rsaKey,
botanEmsaAlgoName(SshCapabilities::PubKeyRsa)));
} else {
Q_ASSERT(!"Impossible: Neither DSS nor RSA!");
}
const byte * const botanH = convertByteArray(m_h);
const Botan::byte * const botanSig
= convertByteArray(reply.signatureBlob);
if (!verifier->verify_message(botanH, m_h.size(), botanSig,
reply.signatureBlob.size())) {
throw SSH_SERVER_EXCEPTION(SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
"Invalid signature in SSH_MSG_KEXDH_REPLY packet.");
}
m_sendFacility.sendNewKeysPacket();
}
void SshChannelManager::handleChannelClose(const SshIncomingPacket &packet)
{
const quint32 channelId = packet.extractRecipientChannel();
ChannelIterator it = lookupChannelAsIterator(channelId, true);
if (it != m_channels.end()) {
it.value()->handleChannelClose();
removeChannel(it);
}
}
void SshChannelManager::handleChannelOpenFailure(const SshIncomingPacket &packet)
{
const SshChannelOpenFailure &failure = packet.extractChannelOpenFailure();
ChannelIterator it = lookupChannelAsIterator(failure.localChannel);
try {
it.value()->handleOpenFailure(failure.reasonString);
} catch (SshServerException &e) {
removeChannel(it);
throw e;
}
removeChannel(it);
}
bool SshKeyExchange::sendDhInitPacket(const SshIncomingPacket &serverKexInit)
{
#ifdef CREATOR_SSH_DEBUG
qDebug("server requests key exchange");
#endif
serverKexInit.printRawBytes();
SshKeyExchangeInit kexInitParams
= serverKexInit.extractKeyExchangeInitData();
printNameList("Key Algorithms", kexInitParams.keyAlgorithms);
printNameList("Server Host Key Algorithms", kexInitParams.serverHostKeyAlgorithms);
printNameList("Encryption algorithms client to server", kexInitParams.encryptionAlgorithmsClientToServer);
printNameList("Encryption algorithms server to client", kexInitParams.encryptionAlgorithmsServerToClient);
printNameList("MAC algorithms client to server", kexInitParams.macAlgorithmsClientToServer);
printNameList("MAC algorithms server to client", kexInitParams.macAlgorithmsServerToClient);
printNameList("Compression algorithms client to server", kexInitParams.compressionAlgorithmsClientToServer);
printNameList("Compression algorithms client to server", kexInitParams.compressionAlgorithmsClientToServer);
printNameList("Languages client to server", kexInitParams.languagesClientToServer);
printNameList("Languages server to client", kexInitParams.languagesServerToClient);
#ifdef CREATOR_SSH_DEBUG
qDebug("First packet follows: %d", kexInitParams.firstKexPacketFollows);
#endif
m_kexAlgoName = SshCapabilities::findBestMatch(SshCapabilities::KeyExchangeMethods,
kexInitParams.keyAlgorithms.names);
const QList<QByteArray> &commonHostKeyAlgos
= SshCapabilities::commonCapabilities(SshCapabilities::PublicKeyAlgorithms,
kexInitParams.serverHostKeyAlgorithms.names);
const bool ecdh = m_kexAlgoName.startsWith(SshCapabilities::EcdhKexNamePrefix);
foreach (const QByteArray &possibleHostKeyAlgo, commonHostKeyAlgos) {
if (ecdh && possibleHostKeyAlgo == SshCapabilities::PubKeyEcdsa) {
m_serverHostKeyAlgo = possibleHostKeyAlgo;
break;
}
if (!ecdh && (possibleHostKeyAlgo == SshCapabilities::PubKeyDss
|| possibleHostKeyAlgo == SshCapabilities::PubKeyRsa)) {
m_serverHostKeyAlgo = possibleHostKeyAlgo;
break;
}
}
if (m_serverHostKeyAlgo.isEmpty()) {
throw SshServerException(SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
"Invalid combination of key exchange and host key algorithms.",
QCoreApplication::translate("SshConnection",
"No matching host key algorithm available for key exchange algorithm \"%1\".")
.arg(QString::fromLatin1(m_kexAlgoName)));
}
determineHashingAlgorithm(kexInitParams, true);
determineHashingAlgorithm(kexInitParams, false);
m_encryptionAlgo
= SshCapabilities::findBestMatch(SshCapabilities::EncryptionAlgorithms,
kexInitParams.encryptionAlgorithmsClientToServer.names);
m_decryptionAlgo
= SshCapabilities::findBestMatch(SshCapabilities::EncryptionAlgorithms,
kexInitParams.encryptionAlgorithmsServerToClient.names);
SshCapabilities::findBestMatch(SshCapabilities::CompressionAlgorithms,
kexInitParams.compressionAlgorithmsClientToServer.names);
SshCapabilities::findBestMatch(SshCapabilities::CompressionAlgorithms,
kexInitParams.compressionAlgorithmsServerToClient.names);
AutoSeeded_RNG rng;
if (ecdh) {
m_ecdhKey.reset(new ECDH_PrivateKey(rng, EC_Group(botanKeyExchangeAlgoName(m_kexAlgoName))));
m_sendFacility.sendKeyEcdhInitPacket(convertByteArray(m_ecdhKey->public_value()));
} else {
m_dhKey.reset(new DH_PrivateKey(rng, DL_Group(botanKeyExchangeAlgoName(m_kexAlgoName))));
m_sendFacility.sendKeyDhInitPacket(m_dhKey->get_y());
}
m_serverKexInitPayload = serverKexInit.payLoad();
return kexInitParams.firstKexPacketFollows;
}
void SshKeyExchange::sendNewKeysPacket(const SshIncomingPacket &dhReply,
const QByteArray &clientId)
{
const SshKeyExchangeReply &reply
= dhReply.extractKeyExchangeReply(m_serverHostKeyAlgo);
if (m_dhKey && (reply.f <= 0 || reply.f >= m_dhKey->group_p())) {
throw SSH_SERVER_EXCEPTION(SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
"Server sent invalid f.");
}
QByteArray concatenatedData = AbstractSshPacket::encodeString(clientId);
concatenatedData += AbstractSshPacket::encodeString(m_serverId);
concatenatedData += AbstractSshPacket::encodeString(m_clientKexInitPayload);
concatenatedData += AbstractSshPacket::encodeString(m_serverKexInitPayload);
concatenatedData += reply.k_s;
SecureVector<byte> encodedK;
if (m_dhKey) {
concatenatedData += AbstractSshPacket::encodeMpInt(m_dhKey->get_y());
concatenatedData += AbstractSshPacket::encodeMpInt(reply.f);
DH_KA_Operation dhOp(*m_dhKey);
SecureVector<byte> encodedF = BigInt::encode(reply.f);
encodedK = dhOp.agree(encodedF, encodedF.size());
} else {
Q_ASSERT(m_ecdhKey);
concatenatedData // Q_C.
+= AbstractSshPacket::encodeString(convertByteArray(m_ecdhKey->public_value()));
concatenatedData += AbstractSshPacket::encodeString(reply.q_s);
ECDH_KA_Operation ecdhOp(*m_ecdhKey);
encodedK = ecdhOp.agree(convertByteArray(reply.q_s), reply.q_s.count());
}
const BigInt k = BigInt::decode(encodedK);
m_k = AbstractSshPacket::encodeMpInt(k); // Roundtrip, as Botan encodes BigInts somewhat differently.
concatenatedData += m_k;
m_hash.reset(get_hash(botanHMacAlgoName(hashAlgoForKexAlgo())));
const SecureVector<byte> &hashResult = m_hash->process(convertByteArray(concatenatedData),
concatenatedData.size());
m_h = convertByteArray(hashResult);
#ifdef CREATOR_SSH_DEBUG
printData("Client Id", AbstractSshPacket::encodeString(clientId));
printData("Server Id", AbstractSshPacket::encodeString(m_serverId));
printData("Client Payload", AbstractSshPacket::encodeString(m_clientKexInitPayload));
printData("Server payload", AbstractSshPacket::encodeString(m_serverKexInitPayload));
printData("K_S", reply.k_s);
printData("y", AbstractSshPacket::encodeMpInt(m_dhKey->get_y()));
printData("f", AbstractSshPacket::encodeMpInt(reply.f));
printData("K", m_k);
printData("Concatenated data", concatenatedData);
printData("H", m_h);
#endif // CREATOR_SSH_DEBUG
QScopedPointer<Public_Key> sigKey;
if (m_serverHostKeyAlgo == SshCapabilities::PubKeyDss) {
const DL_Group group(reply.parameters.at(0), reply.parameters.at(1),
reply.parameters.at(2));
DSA_PublicKey * const dsaKey
= new DSA_PublicKey(group, reply.parameters.at(3));
sigKey.reset(dsaKey);
} else if (m_serverHostKeyAlgo == SshCapabilities::PubKeyRsa) {
RSA_PublicKey * const rsaKey
= new RSA_PublicKey(reply.parameters.at(1), reply.parameters.at(0));
sigKey.reset(rsaKey);
} else if (m_serverHostKeyAlgo == SshCapabilities::PubKeyEcdsa) {
const PointGFp point = OS2ECP(convertByteArray(reply.q), reply.q.count(),
m_ecdhKey->domain().get_curve());
ECDSA_PublicKey * const ecdsaKey = new ECDSA_PublicKey(m_ecdhKey->domain(), point);
sigKey.reset(ecdsaKey);
} else {
Q_ASSERT(!"Impossible: Neither DSS nor RSA nor ECDSA!");
}
const byte * const botanH = convertByteArray(m_h);
const Botan::byte * const botanSig = convertByteArray(reply.signatureBlob);
PK_Verifier verifier(*sigKey, botanEmsaAlgoName(m_serverHostKeyAlgo));
if (!verifier.verify_message(botanH, m_h.size(), botanSig, reply.signatureBlob.size())) {
throw SSH_SERVER_EXCEPTION(SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
"Invalid signature in key exchange reply packet.");
}
checkHostKey(reply.k_s);
m_sendFacility.sendNewKeysPacket();
m_dhKey.reset(nullptr);
m_ecdhKey.reset(nullptr);
}
void SshKeyExchange::sendNewKeysPacket(const SshIncomingPacket &dhReply,
const QByteArray &clientId)
{
const SshKeyExchangeReply &reply
= dhReply.extractKeyExchangeReply(m_serverHostKeyAlgo);
if (reply.f <= 0 || reply.f >= m_dhKey->group_p()) {
throw SSH_SERVER_EXCEPTION(SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
"Server sent invalid f.");
}
QByteArray concatenatedData = AbstractSshPacket::encodeString(clientId);
concatenatedData += AbstractSshPacket::encodeString(m_serverId);
concatenatedData += AbstractSshPacket::encodeString(m_clientKexInitPayload);
concatenatedData += AbstractSshPacket::encodeString(m_serverKexInitPayload);
concatenatedData += reply.k_s;
concatenatedData += AbstractSshPacket::encodeMpInt(m_dhKey->get_y());
concatenatedData += AbstractSshPacket::encodeMpInt(reply.f);
const BigInt k = power_mod(reply.f, m_dhKey->get_x(), m_dhKey->get_domain().get_p());
m_k = AbstractSshPacket::encodeMpInt(k);
concatenatedData += m_k;
m_hash.reset(get_hash(botanSha1Name()));
const SecureVector<byte> &hashResult
= m_hash->process(convertByteArray(concatenatedData),
concatenatedData.size());
m_h = convertByteArray(hashResult);
#ifdef CREATOR_SSH_DEBUG
printData("Client Id", AbstractSshPacket::encodeString(clientId));
printData("Server Id", AbstractSshPacket::encodeString(m_serverId));
printData("Client Payload", AbstractSshPacket::encodeString(m_clientKexInitPayload));
printData("Server payload", AbstractSshPacket::encodeString(m_serverKexInitPayload));
printData("K_S", reply.k_s);
printData("y", AbstractSshPacket::encodeMpInt(m_dhKey->get_y()));
printData("f", AbstractSshPacket::encodeMpInt(reply.f));
printData("K", m_k);
printData("Concatenated data", concatenatedData);
printData("H", m_h);
#endif // CREATOR_SSH_DEBUG
QSharedPointer<Public_Key> publicKey;
QByteArray algorithm;
if (m_serverHostKeyAlgo == SshCapabilities::PubKeyDss) {
const DL_Group group(reply.parameters.at(0), reply.parameters.at(1),
reply.parameters.at(2));
publicKey = createDsaPublicKey(group, reply.parameters.at(3));
algorithm = SshCapabilities::PubKeyDss;
} else if (m_serverHostKeyAlgo == SshCapabilities::PubKeyRsa) {
publicKey = createRsaPublicKey(reply.parameters.at(1), reply.parameters.at(0));
algorithm = SshCapabilities::PubKeyRsa;
} else {
Q_ASSERT(!"Impossible: Neither DSS nor RSA!");
}
const byte * const botanH = convertByteArray(m_h);
const Botan::byte * const botanSig
= convertByteArray(reply.signatureBlob);
if (!PK_Verifier(*publicKey, botanEmsaAlgoName(algorithm)).verify_message(botanH, m_h.size(),
botanSig, reply.signatureBlob.size())) {
throw SSH_SERVER_EXCEPTION(SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
"Invalid signature in SSH_MSG_KEXDH_REPLY packet.");
}
m_sendFacility.sendNewKeysPacket();
}
void SshChannelManager::handleChannelWindowAdjust(const SshIncomingPacket &packet)
{
const SshChannelWindowAdjust adjust = packet.extractWindowAdjust();
lookupChannel(adjust.localChannel)->handleWindowAdjust(adjust.bytesToAdd);
}
void SshChannelManager::handleChannelFailure(const SshIncomingPacket &packet)
{
lookupChannel(packet.extractRecipientChannel())->handleChannelFailure();
}
void SshChannelManager::handleChannelExtendedData(const SshIncomingPacket &packet)
{
const SshChannelExtendedData &data = packet.extractChannelExtendedData();
lookupChannel(data.localChannel)->handleChannelExtendedData(data.type, data.data);
}
