Mercurial > 510Connectbot
comparison src/ch/ethz/ssh2/ServerConnection.java @ 342:175c7d68f3c4
merge ganymed into mainline
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Thu, 31 Jul 2014 16:33:38 -0700 |
parents | c19b24adf6c9 |
children | 37f4a3b506d9 |
comparison
equal
deleted
inserted
replaced
272:ce2f4e397703 | 342:175c7d68f3c4 |
---|---|
1 /* | |
2 * Copyright (c) 2012-2013 Christian Plattner. All rights reserved. | |
3 * Please refer to the LICENSE.txt for licensing details. | |
4 */ | |
5 | |
6 package ch.ethz.ssh2; | |
7 | |
8 import java.io.CharArrayWriter; | |
9 import java.io.File; | |
10 import java.io.FileReader; | |
11 import java.io.IOException; | |
12 import java.net.Socket; | |
13 import java.util.List; | |
14 import java.util.ArrayList; | |
15 | |
16 import ch.ethz.ssh2.crypto.CryptoWishList; | |
17 import ch.ethz.ssh2.crypto.PEMDecoder; | |
18 import ch.ethz.ssh2.server.ServerConnectionState; | |
19 import java.security.KeyPair; | |
20 import java.security.PrivateKey; | |
21 import java.security.interfaces.DSAPrivateKey; | |
22 import java.security.interfaces.ECPrivateKey; | |
23 import java.security.interfaces.RSAPrivateKey; | |
24 import ch.ethz.ssh2.transport.ServerTransportManager; | |
25 | |
26 /** | |
27 * A server-side SSH-2 connection. | |
28 * | |
29 * @author Christian | |
30 * | |
31 */ | |
32 public class ServerConnection { | |
33 /** | |
34 * The softwareversion presented to the SSH-2 client. | |
35 */ | |
36 private String softwareversion = String.format("Ganymed_SSHD_%s", Version.getSpecification()); | |
37 | |
38 private final ServerConnectionState state = new ServerConnectionState(this); | |
39 | |
40 /** | |
41 * Creates a new <code>ServerConnection</code> that will communicate | |
42 * with the client over the given <code>Socket</code>. | |
43 * <p> | |
44 * Note: you need to call {@link #connect()} or {@link #connect(int)} to | |
45 * perform the initial handshake and establish the encrypted communication. | |
46 * | |
47 * @see #connect(int) | |
48 * | |
49 * @param s The socket | |
50 */ | |
51 public ServerConnection(Socket s) { | |
52 this(s, null, null, null); | |
53 } | |
54 | |
55 public ServerConnection(Socket s, String softwareversion) { | |
56 this(s, null, null, null); | |
57 this.softwareversion = softwareversion; | |
58 } | |
59 | |
60 /** | |
61 * Creates a new <code>ServerConnection</code> that will communicate | |
62 * with the client over the given <code>Socket</code>. | |
63 * <p> | |
64 * Note: you need to call {@link #connect()} or {@link #connect(int)} to | |
65 * perform the initial handshake and establish the encrypted communication. | |
66 * <p> | |
67 * Please read the javadoc for the {@link #connect(int)} method. | |
68 * | |
69 * @see #connect(int) | |
70 * | |
71 * @param s The socket | |
72 * @param dsa_key The DSA hostkey, may be <code>NULL</code> | |
73 * @param rsa_key The RSA hostkey, may be <code>NULL</code> | |
74 * @param ec_key The EC hostkey, may be <code>NULL</code> | |
75 */ | |
76 public ServerConnection(Socket s, KeyPair dsa_key, KeyPair rsa_key, KeyPair ec_key) { | |
77 state.s = s; | |
78 state.softwareversion = softwareversion; | |
79 state.next_dsa_key = dsa_key; | |
80 state.next_rsa_key = rsa_key; | |
81 state.next_ec_key = ec_key; | |
82 fixCryptoWishList(state.next_cryptoWishList, state.next_dsa_key, state.next_rsa_key, state.next_ec_key); | |
83 } | |
84 | |
85 /** | |
86 * Establish the connection and block until the first handshake has completed. | |
87 * <p> | |
88 * Note: this is a wrapper that calls <code>connect(0)</code> (i.e., connect with no timeout). | |
89 * <p> | |
90 * Please read the javadoc for the {@link #connect(int)} method. | |
91 * | |
92 * @see #connect(int) | |
93 * | |
94 * @throws IOException | |
95 */ | |
96 | |
97 public synchronized void connect() throws IOException { | |
98 connect(0); | |
99 } | |
100 | |
101 /** | |
102 * Establish the connection and block until the first handshake has completed. | |
103 * <p> | |
104 * Note 1: at least one DSA, RSA or EC hostkey must be set before calling this method. | |
105 * <p> | |
106 * Note 2: You must set the callbacks for authentication ({@link #setAuthenticationCallback(ServerAuthenticationCallback)}) | |
107 * and connection events ({@link #setServerConnectionCallback(ServerConnectionCallback)}). | |
108 * | |
109 * @see #setPEMHostKey(char[], String) | |
110 * @see #setPEMHostKey(File, String) | |
111 * @see #setRsaHostKey(RSAPrivateKey) | |
112 * @see #setDsaHostKey(DSAPrivateKey) | |
113 * | |
114 * @param timeout_milliseconds Timeout in milliseconds, <code>0</code> means no timeout. | |
115 * @throws IOException | |
116 */ | |
117 | |
118 public synchronized void connect(int timeout_milliseconds) throws IOException { | |
119 synchronized (state) { | |
120 if (state.cb_conn == null) | |
121 throw new IllegalStateException("The callback for connection events has not been set."); | |
122 | |
123 if (state.cb_auth == null) | |
124 throw new IllegalStateException("The callback for authentication events has not been set."); | |
125 | |
126 if (state.tm != null) | |
127 throw new IllegalStateException("The initial handshake has already been started."); | |
128 | |
129 if ((state.next_dsa_key == null) && (state.next_rsa_key == null) && (state.next_ec_key == null)) | |
130 throw new IllegalStateException("Neither an RSA nor a DSA nor an EC host key has been specified!"); | |
131 | |
132 state.tm = new ServerTransportManager(state.s); | |
133 } | |
134 | |
135 state.tm.connect(state); | |
136 /* Wait until first KEX has finished */ | |
137 state.tm.getConnectionInfo(1); | |
138 } | |
139 | |
140 /** | |
141 * Retrieve the underlying socket. | |
142 * | |
143 * @return the socket that has been passed to the constructor. | |
144 */ | |
145 public Socket getSocket() { | |
146 return state.s; | |
147 } | |
148 | |
149 /** | |
150 * Force an asynchronous key re-exchange (the call does not block). The | |
151 * latest values set for MAC, Cipher and DH group exchange parameters will | |
152 * be used. If a key exchange is currently in progress, then this method has | |
153 * the only effect that the so far specified parameters will be used for the | |
154 * next (client driven) key exchange. You may call this method only after | |
155 * the initial key exchange has been established. | |
156 * <p> | |
157 * Note: This implementation will never start automatically a key exchange (other than the initial one) | |
158 * unless you or the connected SSH-2 client ask for it. | |
159 * | |
160 * @throws IOException | |
161 * In case of any failure behind the scenes. | |
162 */ | |
163 | |
164 public synchronized void forceKeyExchange() throws IOException { | |
165 synchronized (state) { | |
166 if (state.tm == null) | |
167 throw new IllegalStateException( | |
168 "Cannot force another key exchange, you need to start the key exchange first."); | |
169 | |
170 state.tm.forceKeyExchange(state.next_cryptoWishList, null, state.next_dsa_key, state.next_rsa_key, state.next_ec_key); | |
171 } | |
172 } | |
173 | |
174 /** | |
175 * Returns a {@link ConnectionInfo} object containing the details of | |
176 * the connection. May be called as soon as the first key exchange has been | |
177 * started. The method blocks in case the first key exchange has not been completed. | |
178 * <p> | |
179 * Note: upon return of this method, authentication may still be pending. | |
180 * | |
181 * @return A {@link ConnectionInfo} object. | |
182 * @throws IOException | |
183 * In case of any failure behind the scenes; e.g., first key exchange was aborted. | |
184 */ | |
185 | |
186 public synchronized ConnectionInfo getConnectionInfo() throws IOException { | |
187 synchronized (state) { | |
188 if (state.tm == null) | |
189 throw new IllegalStateException( | |
190 "Cannot get details of connection, you need to start the key exchange first."); | |
191 } | |
192 | |
193 return state.tm.getConnectionInfo(1); | |
194 } | |
195 | |
196 /** | |
197 * Change the current DSA hostkey. Either a DSA or RSA or EC private key must be set for a successful handshake with | |
198 * the client. | |
199 * <p> | |
200 * Note: You can change an existing DSA hostkey after the initial kex exchange (the new value will | |
201 * be used during the next server initiated key exchange), but you cannot remove (i.e., set to <code>null</code>) the | |
202 * current DSA key, otherwise the next key exchange may fail in case the client supports only DSA hostkeys. | |
203 * | |
204 * @param dsa_hostkey | |
205 */ | |
206 | |
207 public synchronized void setDsaHostKey(KeyPair dsa_hostkey) { | |
208 synchronized (state) { | |
209 if ((dsa_hostkey == null) && (state.next_dsa_key != null) && (state.tm != null)) | |
210 throw new IllegalStateException("Cannot remove DSA hostkey after first key exchange."); | |
211 | |
212 state.next_dsa_key = dsa_hostkey; | |
213 fixCryptoWishList(state.next_cryptoWishList, state.next_dsa_key, state.next_rsa_key, state.next_ec_key); | |
214 } | |
215 } | |
216 | |
217 /** | |
218 * Change the current RSA hostkey. Either a DSA or RSA or EC private key must be set for a successful handshake with | |
219 * the client. | |
220 * <p> | |
221 * Note: You can change an existing RSA hostkey after the initial kex exchange (the new value will | |
222 * be used during the next server initiated key exchange), but you cannot remove (i.e., set to <code>null</code>) the | |
223 * current RSA key, otherwise the next key exchange may fail in case the client supports only RSA hostkeys. | |
224 * | |
225 * @param rsa_hostkey | |
226 */ | |
227 | |
228 public synchronized void setRsaHostKey(KeyPair rsa_hostkey) { | |
229 synchronized (state) { | |
230 if ((rsa_hostkey == null) && (state.next_rsa_key != null) && (state.tm != null)) | |
231 throw new IllegalStateException("Cannot remove RSA hostkey after first key exchange."); | |
232 | |
233 state.next_rsa_key = rsa_hostkey; | |
234 fixCryptoWishList(state.next_cryptoWishList, state.next_dsa_key, state.next_rsa_key, state.next_ec_key); | |
235 } | |
236 } | |
237 | |
238 /** | |
239 * Change the current EC hostkey. Either a DSA or RSA or EC private key must be set for a successful handshake with | |
240 * the client. | |
241 * <p> | |
242 * Note: You can change an existing EC hostkey after the initial kex exchange (the new value will | |
243 * be used during the next server initiated key exchange), but you cannot remove (i.e., set to <code>null</code>) the | |
244 * current EC key, otherwise the next key exchange may fail in case the client supports only EC hostkeys. | |
245 * | |
246 * @param rsa_hostkey | |
247 */ | |
248 | |
249 public synchronized void setEcHostKey(KeyPair ec_hostkey) { | |
250 synchronized (state) { | |
251 if ((ec_hostkey == null) && (state.next_ec_key != null) && (state.tm != null)) | |
252 throw new IllegalStateException("Cannot remove EC hostkey after first key exchange."); | |
253 | |
254 state.next_ec_key = ec_hostkey; | |
255 fixCryptoWishList(state.next_cryptoWishList, state.next_dsa_key, state.next_rsa_key, state.next_ec_key); | |
256 } | |
257 } | |
258 | |
259 /** | |
260 * Utility method that loads a PEM based hostkey (either RSA or DSA based) and | |
261 * calls either <code>setRsaHostKey()</code> or <code>setDsaHostKey()</code>. | |
262 * | |
263 * @param pemdata The PEM data | |
264 * @param password Password, may be null in case the PEM data is not password protected | |
265 * @throws IOException In case of any error. | |
266 */ | |
267 public void setPEMHostKey(char[] pemdata, String password) throws IOException { | |
268 KeyPair pair = PEMDecoder.decode(pemdata, password); | |
269 PrivateKey key = pair.getPrivate(); | |
270 | |
271 if (key instanceof DSAPrivateKey) setDsaHostKey(pair); | |
272 | |
273 if (key instanceof RSAPrivateKey) setRsaHostKey(pair); | |
274 | |
275 if (key instanceof ECPrivateKey) setEcHostKey(pair); | |
276 } | |
277 | |
278 /** | |
279 * Utility method that loads a hostkey from a PEM file (either RSA or DSA based) and | |
280 * calls either <code>setRsaHostKey()</code> or <code>setDsaHostKey()</code>. | |
281 * | |
282 * @param pemFile The PEM file | |
283 * @param password Password, may be null in case the PEM file is not password protected | |
284 * @throws IOException | |
285 */ | |
286 public void setPEMHostKey(File pemFile, String password) throws IOException { | |
287 if (pemFile == null) | |
288 throw new IllegalArgumentException("pemfile argument is null"); | |
289 | |
290 char[] buff = new char[256]; | |
291 CharArrayWriter cw = new CharArrayWriter(); | |
292 FileReader fr = new FileReader(pemFile); | |
293 | |
294 while (true) { | |
295 int len = fr.read(buff); | |
296 | |
297 if (len < 0) | |
298 break; | |
299 | |
300 cw.write(buff, 0, len); | |
301 } | |
302 | |
303 fr.close(); | |
304 setPEMHostKey(cw.toCharArray(), password); | |
305 } | |
306 | |
307 private void fixCryptoWishList(CryptoWishList next_cryptoWishList, KeyPair next_dsa_key, KeyPair next_rsa_key, KeyPair next_ec_key) { | |
308 List<String> algos = new ArrayList<String>(); | |
309 | |
310 if (next_ec_key != null) algos.add("ecdsa-sha2-nistp521"); | |
311 | |
312 if (next_ec_key != null) algos.add("ecdsa-sha2-nistp384"); | |
313 | |
314 if (next_ec_key != null) algos.add("ecdsa-sha2-nistp256"); | |
315 | |
316 if (next_dsa_key != null) algos.add("ssh-dss"); | |
317 | |
318 if (next_rsa_key != null) algos.add("ssh-rsa"); | |
319 | |
320 next_cryptoWishList.serverHostKeyAlgorithms = new String[algos.size()]; | |
321 algos.toArray(next_cryptoWishList.serverHostKeyAlgorithms); | |
322 } | |
323 | |
324 /** | |
325 * Callback interface with methods that will be called upon events | |
326 * generated by the client (e.g., client opens a new Session which results in a <code>ServerSession</code>). | |
327 * <p> | |
328 * Note: This must be set before the first handshake. | |
329 * | |
330 * @param cb The callback implementation | |
331 */ | |
332 | |
333 public synchronized void setServerConnectionCallback(ServerConnectionCallback cb) { | |
334 synchronized (state) { | |
335 state.cb_conn = cb; | |
336 } | |
337 } | |
338 | |
339 /** | |
340 * Callback interface with methods that will be called upon authentication events. | |
341 * <p> | |
342 * Note: This must be set before the first handshake. | |
343 * | |
344 * @param cb The callback implementation | |
345 */ | |
346 | |
347 public synchronized void setAuthenticationCallback(ServerAuthenticationCallback cb) { | |
348 synchronized (state) { | |
349 state.cb_auth = cb; | |
350 } | |
351 } | |
352 | |
353 /** | |
354 * Close the connection to the SSH-2 server. All assigned sessions will be | |
355 * closed, too. Can be called at any time. Don't forget to call this once | |
356 * you don't need a connection anymore - otherwise the receiver thread may | |
357 * run forever. | |
358 */ | |
359 public void close() { | |
360 synchronized (state) { | |
361 if (state.cm != null) | |
362 state.cm.closeAllChannels(); | |
363 | |
364 if (state.tm != null) { | |
365 state.tm.close(new Throwable("Closed due to user request."), false); | |
366 } | |
367 } | |
368 } | |
369 | |
370 public void close(IOException t) { | |
371 synchronized (state) { | |
372 if (state.cm != null) | |
373 state.cm.closeAllChannels(); | |
374 | |
375 if (state.tm != null) { | |
376 state.tm.close(t, false); | |
377 } | |
378 } | |
379 } | |
380 } |