/* -*-mode:java; c-basic-offset:2; indent-tabs-mode:nil -*- */
Copyright (c) 2002-2012 ymnk, JCraft,Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the distribution.
3. The names of the authors may not be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
package com.jcraft.jsch;
/**
 * Client side of the SSH "diffie-hellman-group-exchange-sha256" key exchange
 * (RFC 4419): asks the server for a DH group (SSH_MSG_KEX_DH_GEX_REQUEST),
 * sends the client exchange value e (SSH_MSG_KEX_DH_GEX_INIT), then derives the
 * shared secret K and the exchange hash H and checks the server's host-key
 * signature over H (SSH_MSG_KEX_DH_GEX_REPLY). Only "ssh-rsa" and "ssh-dss"
 * host keys are handled in next(); anything else leaves the result unverified.
 */
public class DHGEX256 extends KeyExchange{
// Message numbers for the group-exchange sub-protocol (RFC 4419). REQUEST (34)
// is the min/n/max form, not the older single-size SSH_MSG_KEX_DH_GEX_REQUEST_OLD.
private static final int SSH_MSG_KEX_DH_GEX_GROUP= 31;
private static final int SSH_MSG_KEX_DH_GEX_INIT= 32;
private static final int SSH_MSG_KEX_DH_GEX_REPLY= 33;
private static final int SSH_MSG_KEX_DH_GEX_REQUEST= 34;
// static int min=512;
// Preferred DH group size in bits ("n" in the REQUEST). It is also hashed into
// the exchange hash H in next(), so it must not change between REQUEST and REPLY.
// NOTE(review): 1024-bit DH groups are below current guidance (>= 2048 bits);
// groups of this size are considered within reach of well-resourced attackers
// (cf. Logjam, 2015). The field is static and non-final, so a single value is
// shared by every session in the JVM and can be altered at runtime.
static int preferred=1024;
// static int preferred=1024;
// static int max=2000;
// Host-key type tags stored in `type` once the REPLY has been parsed; read back
// by getKeyType(). (The assignment to `type` is on lines not shown here.)
static final int RSA=0;
static final int DSS=1;
// com.jcraft.jsch.DH dh;
// Outgoing packet wrapping the shared `buf`; reused for both the REQUEST (init())
// and the INIT message (next()).
private Packet packet;
public void init(Session session,
byte[] V_S, byte[] V_C, byte[] I_S, byte[] I_C) throws Exception{
// The HASH implementation is chosen by name from the session config and
// instantiated reflectively: whatever class name the "sha-256" entry holds is
// loaded, so the config source must be trusted.
Class c=Class.forName(session.getConfig("sha-256"));
sha=(HASH)(c.newInstance());
// NOTE(review): a failure to instantiate the hash is only printed to stderr
// (surrounding try/catch not shown); if `sha` is left null the exchange will
// presumably fail later with a NullPointerException instead of a clear error.
System.err.println(e);
packet=new Packet(buf);
Class c=Class.forName(session.getConfig("dh"));
dh=(com.jcraft.jsch.DH)(c.newInstance());
// System.err.println(e);
buf.putByte((byte)SSH_MSG_KEX_DH_GEX_REQUEST);
// "n" (preferred group size). min and max are written on lines not shown; all
// three are re-hashed into H in next() and must be the same static fields, since
// the server hashes exactly the values it received.
buf.putInt(preferred);
session.write(packet);
if(JSch.getLogger().isEnabled(Logger.INFO)){
JSch.getLogger().log(Logger.INFO,
"SSH_MSG_KEX_DH_GEX_REQUEST("+min+"<"+preferred+"<"+max+") sent");
JSch.getLogger().log(Logger.INFO,
"expecting SSH_MSG_KEX_DH_GEX_GROUP");
state=SSH_MSG_KEX_DH_GEX_GROUP;
public boolean next(Buffer _buf) throws Exception{
case SSH_MSG_KEX_DH_GEX_GROUP:
// byte SSH_MSG_KEX_DH_GEX_GROUP(31)
// mpint p, safe prime
// mpint g, generator for subgroup in GF (p)
// Unexpected message type while waiting for the group. NOTE(review): what happens
// after the stderr print is not shown; the exchange must abort here rather than
// go on to read p and g from an unrelated message.
if(j!=SSH_MSG_KEX_DH_GEX_GROUP){
System.err.println("type: must be SSH_MSG_KEX_DH_GEX_GROUP "+j);
// Hex dump of the server-supplied prime p to stderr (debug aid; it may be
// commented out in the full file -- the surrounding lines are not shown).
// NOTE(review): no validation of the received group is visible before it is
// used: the bit length of p is not compared against the min/max that were
// requested, and nothing checks that p is prime or that 1 < g < p-1. A MITM that
// substitutes a short or non-prime group weakens the exchange; rejecting groups
// outside [min, max] is the minimum a client should do here.
for(int iii=0; iii<p.length; iii++){
System.err.println("0x"+Integer.toHexString(p[iii]&0xff)+",");
System.err.println("");
for(int iii=0; iii<g.length; iii++){
System.err.println("0x"+Integer.toHexString(g[iii]&0xff)+",");
// The client responds with:
// byte SSH_MSG_KEX_DH_GEX_INIT(32)
// mpint e <- g^x mod p
// x is a random number (1 < x < (p-1)/2)
buf.putByte((byte)SSH_MSG_KEX_DH_GEX_INIT);
session.write(packet);
if(JSch.getLogger().isEnabled(Logger.INFO)){
JSch.getLogger().log(Logger.INFO,
"SSH_MSG_KEX_DH_GEX_INIT sent");
JSch.getLogger().log(Logger.INFO,
"expecting SSH_MSG_KEX_DH_GEX_REPLY");
state=SSH_MSG_KEX_DH_GEX_REPLY;
case SSH_MSG_KEX_DH_GEX_REPLY:
// The server responds with:
// byte SSH_MSG_KEX_DH_GEX_REPLY(33)
// string server public host key and certificates (K_S)
// string signature of H
if(j!=SSH_MSG_KEX_DH_GEX_REPLY){
System.err.println("type: must be SSH_MSG_KEX_DH_GEX_REPLY "+j);
// Server host key blob, as sent on the wire; it is parsed by hand further down
// and is also hashed into H.
K_S=_buf.getString();
// K_S is server_key_blob, which includes ....
// impint pub_key of dsa
//System.err.print("K_S: "); dump(K_S, 0, K_S.length);
byte[] f=_buf.getMPInt();
byte[] sig_of_H=_buf.getString();
// Shared secret K (f^x mod p, computed by the DH implementation after f was
// handed to it on a line not shown). NOTE(review): no check that 1 < f < p-1 is
// visible before f is used; a degenerate f (0, 1 or p-1) injected by a MITM
// yields a predictable K. OpenSSH rejects such values; a client should too.
K=normalize(dh.getK());
//The hash H is computed as the HASH hash of the concatenation of the
// string V_C, the client's version string (CR and NL excluded)
// string V_S, the server's version string (CR and NL excluded)
// string I_C, the payload of the client's SSH_MSG_KEXINIT
// string I_S, the payload of the server's SSH_MSG_KEXINIT
// string K_S, the host key
// uint32 min, minimal size in bits of an acceptable group
// uint32 n, preferred size in bits of the group the server should send
// uint32 max, maximal size in bits of an acceptable group
// mpint p, safe prime
// mpint g, generator for subgroup
// mpint e, exchange value sent by the client
// mpint f, exchange value sent by the server
// mpint K, the shared secret
// This value is called the exchange hash, and it is used to authenti-
// cate the key exchange.
buf.putString(V_C); buf.putString(V_S);
buf.putString(I_C); buf.putString(I_S);
// The min/n/max triple hashed into H must be byte-identical to what init()
// sent in the REQUEST; the static fields are the only copy of those values.
buf.putInt(min); buf.putInt(preferred); buf.putInt(max);
buf.putMPInt(p); buf.putMPInt(g); buf.putMPInt(e); buf.putMPInt(f);
byte[] foo=new byte[buf.getLength()];
sha.update(foo, 0, foo.length);
// System.err.print("H -> "); dump(H, 0, H.length);
// Big-endian uint32 length of the first K_S field (the algorithm name).
// NOTE(review): neither this nor the following length/arraycopy reads bound
// `i` and `j` against K_S.length. A malformed or truncated host-key blob from
// the server ends in ArrayIndexOutOfBoundsException / NegativeArraySizeException
// escaping next() (declared `throws Exception`) -- fail-closed, but not a
// deliberate, descriptive rejection.
j=((K_S[i++]<<24)&0xff000000)|((K_S[i++]<<16)&0x00ff0000)|
((K_S[i++]<<8)&0x0000ff00)|((K_S[i++])&0x000000ff);
String alg=Util.byte2str(K_S, i, j);
boolean result=false;
// Dispatch on the key type the *server* embedded in K_S. NOTE(review): no check
// is visible here that `alg` equals the host-key algorithm negotiated in
// KEXINIT; if that comparison is not done by the caller, a server could present
// a key of a type the client did not agree to.
if(alg.equals("ssh-rsa")){
j=((K_S[i++]<<24)&0xff000000)|((K_S[i++]<<16)&0x00ff0000)|
((K_S[i++]<<8)&0x0000ff00)|((K_S[i++])&0x000000ff);
tmp=new byte[j]; System.arraycopy(K_S, i, tmp, 0, j); i+=j;
j=((K_S[i++]<<24)&0xff000000)|((K_S[i++]<<16)&0x00ff0000)|
((K_S[i++]<<8)&0x0000ff00)|((K_S[i++])&0x000000ff);
tmp=new byte[j]; System.arraycopy(K_S, i, tmp, 0, j); i+=j;
// SignatureRSA sig=new SignatureRSA();
SignatureRSA sig=null;
Class c=Class.forName(session.getConfig("signature.rsa"));
sig=(SignatureRSA)(c.newInstance());
System.err.println(e);
sig.setPubKey(ee, n);
// Verify the server's signature over the exchange hash H with the host key
// taken from K_S (sig.update(H) is presumably on a line not shown). This is the
// step that authenticates the server; whether the host key itself is trusted
// (known_hosts check) is decided outside this class.
result=sig.verify(sig_of_H);
if(JSch.getLogger().isEnabled(Logger.INFO)){
JSch.getLogger().log(Logger.INFO,
"ssh_rsa_verify: signature "+result);
// "ssh-dss": DSA host keys (SHA-1 based, 1024-bit keys per RFC 4253). These are
// widely deprecated (OpenSSH disabled them by default in 7.0); deployments should
// prefer to remove ssh-dss from the accepted host-key algorithms in config.
else if(alg.equals("ssh-dss")){
j=((K_S[i++]<<24)&0xff000000)|((K_S[i++]<<16)&0x00ff0000)|
((K_S[i++]<<8)&0x0000ff00)|((K_S[i++])&0x000000ff);
tmp=new byte[j]; System.arraycopy(K_S, i, tmp, 0, j); i+=j;
j=((K_S[i++]<<24)&0xff000000)|((K_S[i++]<<16)&0x00ff0000)|
((K_S[i++]<<8)&0x0000ff00)|((K_S[i++])&0x000000ff);
tmp=new byte[j]; System.arraycopy(K_S, i, tmp, 0, j); i+=j;
j=((K_S[i++]<<24)&0xff000000)|((K_S[i++]<<16)&0x00ff0000)|
((K_S[i++]<<8)&0x0000ff00)|((K_S[i++])&0x000000ff);
tmp=new byte[j]; System.arraycopy(K_S, i, tmp, 0, j); i+=j;
j=((K_S[i++]<<24)&0xff000000)|((K_S[i++]<<16)&0x00ff0000)|
((K_S[i++]<<8)&0x0000ff00)|((K_S[i++])&0x000000ff);
tmp=new byte[j]; System.arraycopy(K_S, i, tmp, 0, j); i+=j;
// SignatureDSA sig=new SignatureDSA();
SignatureDSA sig=null;
Class c=Class.forName(session.getConfig("signature.dss"));
sig=(SignatureDSA)(c.newInstance());
System.err.println(e);
// DSA public key components. NOTE(review): `f` here is the DSA public value y,
// reusing the local that earlier held the server's DH exchange value, and the
// p/g used here are the DSA domain parameters, not the DH group (the
// reassignments/declarations are on lines not shown). This is only safe because
// K and H were already computed above; do not use f/p/g as DH values after this.
sig.setPubKey(f, p, q, g);
result=sig.verify(sig_of_H);
if(JSch.getLogger().isEnabled(Logger.INFO)){
JSch.getLogger().log(Logger.INFO,
"ssh_dss_verify: signature "+result);
// Neither ssh-rsa nor ssh-dss: `result` keeps its initial value of false, so the
// exchange fails closed (assuming `result` is what the caller later reads).
System.err.println("unknown alg");
public String getKeyType(){
// DSS host keys are reported as "DSA"; the RSA case is on a line not shown.
if(type==DSS) return "DSA";
/**
 * Returns the exchange state: the SSH_MSG_KEX_DH_GEX_* message number that
 * next() expects to receive next (GROUP after the REQUEST, REPLY after INIT).
 */
public int getState(){
  return this.state;
}