view src/ch/ethz/ssh2/transport/ServerKexManager.java @ 304:abad243cb341 ganymed

add ecdsa key support everywhere
author Carl Byington <carl@five-ten-sg.com>
date Tue, 29 Jul 2014 20:28:01 -0700
parents beaccc9df37b
children d2b303406d63
line wrap: on
line source

/*
 * Copyright (c) 2006-2013 Christian Plattner. All rights reserved.
 * Please refer to the LICENSE.txt for licensing details.
 */
package ch.ethz.ssh2.transport;

import java.io.IOException;
import java.security.DigestException;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import ch.ethz.ssh2.ConnectionInfo;
import ch.ethz.ssh2.PacketTypeException;
import ch.ethz.ssh2.auth.ServerAuthenticationManager;
import ch.ethz.ssh2.crypto.cipher.BlockCipher;
import ch.ethz.ssh2.crypto.cipher.BlockCipherFactory;
import ch.ethz.ssh2.crypto.dh.DhExchange;
import ch.ethz.ssh2.crypto.digest.MAC;
import ch.ethz.ssh2.packets.PacketKexDHInit;
import ch.ethz.ssh2.packets.PacketKexDHReply;
import ch.ethz.ssh2.packets.PacketKexInit;
import ch.ethz.ssh2.packets.Packets;
import ch.ethz.ssh2.server.ServerConnectionState;
import ch.ethz.ssh2.signature.DSASHA1Verify;
import ch.ethz.ssh2.signature.ECDSASHA2Verify;
import ch.ethz.ssh2.signature.RSASHA1Verify;

/**
 * @version $Id: ServerKexManager.java 160 2014-05-01 14:30:26Z dkocher@sudo.ch $
 */
public class ServerKexManager extends KexManager {

    private final ServerConnectionState state;

    private boolean authenticationStarted = false;

    public ServerKexManager(ServerConnectionState state) {
        super(state.tm, state.csh, state.next_cryptoWishList, state.generator);
        this.state = state;
    }

    @Override
    public void handleFailure(final IOException failure) {
        synchronized(accessLock) {
            connectionClosed = true;
            accessLock.notifyAll();
        }
    }

    @Override
    public void handleMessage(byte[] msg) throws IOException {
        PacketKexInit kip;

        if((kxs == null) && (msg[0] != Packets.SSH_MSG_KEXINIT)) {
            throw new PacketTypeException(msg[0]);
        }

        if(ignore_next_kex_packet) {
            ignore_next_kex_packet = false;
            return;
        }

        if(msg[0] == Packets.SSH_MSG_KEXINIT) {
            if((kxs != null) && (kxs.state != 0)) {
                throw new PacketTypeException(msg[0]);
            }

            if(kxs == null) {
                /*
                 * Ah, OK, peer wants to do KEX. Let's be nice and play
				 * together.
				 */
                kxs = new KexState();
                kxs.local_dsa_key = nextKEXdsakey;
                kxs.local_rsa_key = nextKEXrsakey;
                kxs.local_ec_key  = nextKEXeckey;
                kxs.dhgexParameters = nextKEXdhgexParameters;
                kip = new PacketKexInit(nextKEXcryptoWishList, rnd);
                kxs.localKEX = kip;
                tm.sendKexMessage(kip.getPayload());
            }

            kip = new PacketKexInit(msg);
            kxs.remoteKEX = kip;

            kxs.np = mergeKexParameters(kxs.remoteKEX.getKexParameters(), kxs.localKEX.getKexParameters());

            if(kxs.remoteKEX.isFirst_kex_packet_follows() && (kxs.np.guessOK == false)) {
                // Guess was wrong, we need to ignore the next kex packet.
                ignore_next_kex_packet = true;
            }

            if(kxs.np.kex_algo.equals("diffie-hellman-group1-sha1")
                    || kxs.np.kex_algo.equals("diffie-hellman-group14-sha1")) {
                kxs.dhx = new DhExchange();

                if(kxs.np.kex_algo.equals("diffie-hellman-group1-sha1")) {
                    kxs.dhx.serverInit(1, rnd);
                }
                else {
                    kxs.dhx.serverInit(14, rnd);
                }

                kxs.state = 1;
                return;
            }

            throw new IllegalStateException("Unkown KEX method!");
        }

        if(msg[0] == Packets.SSH_MSG_NEWKEYS) {
            if(km == null) {
                throw new IOException("Peer sent SSH_MSG_NEWKEYS, but I have no key material ready!");
            }

            BlockCipher cbc;
            MAC mac;

            try {
                cbc = BlockCipherFactory.createCipher(kxs.np.enc_algo_client_to_server, false,
                        km.enc_key_client_to_server, km.initial_iv_client_to_server);

                try {
                    mac = new MAC(kxs.np.mac_algo_client_to_server, km.integrity_key_client_to_server);
                }
                catch(DigestException e) {
                    throw new IOException(e);
                }

            }
            catch(IllegalArgumentException e) {
                throw new IOException(e);
            }

            tm.changeRecvCipher(cbc, mac);

            ConnectionInfo sci = new ConnectionInfo();

            kexCount++;

            sci.keyExchangeAlgorithm = kxs.np.kex_algo;
            sci.keyExchangeCounter = kexCount;
            sci.clientToServerCryptoAlgorithm = kxs.np.enc_algo_client_to_server;
            sci.serverToClientCryptoAlgorithm = kxs.np.enc_algo_server_to_client;
            sci.clientToServerMACAlgorithm = kxs.np.mac_algo_client_to_server;
            sci.serverToClientMACAlgorithm = kxs.np.mac_algo_server_to_client;
            sci.serverHostKeyAlgorithm = kxs.np.server_host_key_algo;
            sci.serverHostKey = kxs.remote_hostkey;

            synchronized(accessLock) {
                lastConnInfo = sci;
                accessLock.notifyAll();
            }

            kxs = null;
            return;
        }

        if((kxs == null) || (kxs.state == 0)) {
            throw new IOException("Unexpected Kex submessage!");
        }

        if(kxs.np.kex_algo.equals("diffie-hellman-group1-sha1")
                || kxs.np.kex_algo.equals("diffie-hellman-group14-sha1")) {
            if(kxs.state == 1) {
                PacketKexDHInit dhi = new PacketKexDHInit(msg);

                kxs.dhx.setE(dhi.getE());

                byte[] hostKey = null;

                if (kxs.np.server_host_key_algo.startsWith("ecdsa-sha2-")) {
                    hostKey = ECDSASHA2Verify.encodeSSHECDSAPublicKey((ECPublicKey)kxs.local_ec_key.getPublic());
                }

                if(kxs.np.server_host_key_algo.equals("ssh-rsa")) {
                    hostKey = RSASHA1Verify.encodeSSHRSAPublicKey((RSAPublicKey)kxs.local_rsa_key.getPublic());
                }

                if(kxs.np.server_host_key_algo.equals("ssh-dss")) {
                    hostKey = DSASHA1Verify.encodeSSHDSAPublicKey((DSAPublicKey)kxs.local_dsa_key.getPublic());
                }

                try {
                    kxs.H = kxs.dhx.calculateH(csh.getClientString(), csh.getServerString(),
                            kxs.remoteKEX.getPayload(), kxs.localKEX.getPayload(), hostKey);
                }
                catch(IllegalArgumentException e) {
                    throw new IOException("KEX error.", e);
                }

                kxs.K = kxs.dhx.getK();

                byte[] signature = null;

                if (kxs.np.server_host_key_algo.startsWith("ecdsa-sha2-")) {
                    ECPrivateKey pk = (ECPrivateKey)kxs.local_ec_key.getPrivate();
                    byte[] es = ECDSASHA2Verify.generateSignature(kxs.H, pk);
                    signature = ECDSASHA2Verify.encodeSSHECDSASignature(es, pk.getParams());
                }

                if (kxs.np.server_host_key_algo.equals("ssh-rsa")) {
                    byte[] rs = RSASHA1Verify.generateSignature(kxs.H, (RSAPrivateKey)kxs.local_rsa_key.getPrivate());
                    signature = RSASHA1Verify.encodeSSHRSASignature(rs);
                }

                if (kxs.np.server_host_key_algo.equals("ssh-dss")) {
                    byte[] ds = DSASHA1Verify.generateSignature(kxs.H, (DSAPrivateKey)kxs.local_dsa_key.getPrivate(), rnd);
                    signature = DSASHA1Verify.encodeSSHDSASignature(ds);
                }

                PacketKexDHReply dhr = new PacketKexDHReply(hostKey, kxs.dhx.getF(), signature);
                tm.sendKexMessage(dhr.getPayload());

                finishKex(false);
                kxs.state = -1;

                if(authenticationStarted == false) {
                    authenticationStarted = true;
                    state.am = new ServerAuthenticationManager(state);
                }

                return;
            }
        }
        throw new IllegalStateException(String.format("Unknown KEX method %s", kxs.np.kex_algo));
    }
}