public function authenticate(\fpoirotte\Pssht\Messages\USERAUTH\REQUEST\Base $message, \fpoirotte\Pssht\Transport $transport, array &$context)
{
if (!$message instanceof \fpoirotte\Pssht\Messages\USERAUTH\REQUEST\PublicKey) {
throw new \InvalidArgumentException();
}
if ($message->getSignature() === null) {
return self::AUTH_REJECT;
}
$logging = \Plop\Plop::getInstance();
$reverse = gethostbyaddr($transport->getAddress());
$algos = \fpoirotte\Pssht\Algorithms::factory();
$cls = $algos->getClass('PublicKey', $message->getAlgorithm());
if ($cls === null || !$this->store->exists($message->getUserName(), $message->getKey())) {
$logging->info('Rejected public key connection from remote host "%(reverse)s" ' . 'to "%(luser)s" (unsupported key)', array('luser' => escape($message->getUserName()), 'reverse' => $reverse));
return self::AUTH_REJECT;
}
$key = $cls::loadPublic(base64_encode($message->getKey()));
$encoder = new \fpoirotte\Pssht\Wire\Encoder();
$encoder->encodeString($context['DH']->getExchangeHash());
$encoder->encodeBytes(chr(\fpoirotte\Pssht\Messages\USERAUTH\REQUEST\Base::getMessageId()));
$encoder->encodeString($message->getUserName());
$encoder->encodeString($message->getServiceName());
$encoder->encodeString(static::getName());
$encoder->encodeBoolean(true);
$encoder->encodeString($message->getAlgorithm());
$encoder->encodeString($message->getKey());
if ($key->check($encoder->getBuffer()->get(0), $message->getSignature())) {
$logging->info('Accepted public key connection from remote host "%(reverse)s" ' . 'to "%(luser)s" (using "%(algorithm)s" algorithm)', array('luser' => escape($message->getUserName()), 'reverse' => $reverse, 'algorithm' => escape($message->getAlgorithm())));
return self::AUTH_ACCEPT;
}
$logging->info('Rejected public key connection from remote host "%(reverse)s" ' . 'to "%(luser)s" (invalid signature)', array('luser' => escape($message->getUserName()), 'reverse' => $reverse));
return self::AUTH_REJECT;
}
public function authenticate(\fpoirotte\Pssht\Messages\USERAUTH\REQUEST\Base $message, \fpoirotte\Pssht\Transport $transport, array &$context)
{
if (!$message instanceof \fpoirotte\Pssht\Messages\USERAUTH\REQUEST\HostBased) {
throw new \InvalidArgumentException();
}
$logging = \Plop\Plop::getInstance();
$reverse = gethostbyaddr($transport->getAddress());
$untrustedHost = rtrim($message->getHostname(), '.');
$algos = \fpoirotte\Pssht\Algorithms::factory();
$cls = $algos->getClass('PublicKey', $message->getAlgorithm());
if ($cls === null || !$this->store->exists($message->getUserName(), $message->getKey())) {
$logging->info('Rejected host based connection from %(ruser)s@%(rhost)s ' . '(%(ruser)s@%(reverse)s) to "%(luser)s" ' . '(unsupported key)', array('ruser' => escape($message->getRemoteUser()), 'luser' => escape($message->getUserName()), 'rhost' => escape($untrustedHost), 'reverse' => $reverse));
return self::AUTH_REMOVE;
}
$key = $cls::loadPublic(base64_encode($message->getKey()));
$encoder = new \fpoirotte\Pssht\Wire\Encoder();
$encoder->encodeString($context['DH']->getExchangeHash());
$encoder->encodeBytes(chr(\fpoirotte\Pssht\Messages\USERAUTH\REQUEST\Base::getMessageId()));
$encoder->encodeString($message->getUserName());
$encoder->encodeString($message->getServiceName());
$encoder->encodeString(static::getName());
$encoder->encodeString($message->getAlgorithm());
$encoder->encodeString($message->getKey());
$encoder->encodeString($message->getHostname());
$encoder->encodeString($message->getRemoteUser());
if (!$key->check($encoder->getBuffer()->get(0), $message->getSignature())) {
$logging->warn('Rejected host based connection from %(ruser)s@%(rhost)s ' . '(%(ruser)s@%(reverse)s) to "%(luser)s" (invalid signature)', array('ruser' => escape($message->getRemoteUser()), 'luser' => escape($message->getUserName()), 'rhost' => escape($untrustedHost), 'reverse' => $reverse));
return self::AUTH_REJECT;
}
if ($reverse !== $untrustedHost) {
$logging->warning('Ignored reverse lookup mismatch for %(address)s (' . '"%(reverse)s" vs. "%(untrusted)s")', array('address' => $transport->getAddress(), 'reverse' => $reverse, 'untrusted' => escape($untrustedHost)));
}
if ($message->getUserName() !== $message->getRemoteUser()) {
$logging->warning('Rejected host based connection from %(ruser)s@%(rhost)s ' . '(%(ruser)s@%(reverse)s): remote user does not match ' . 'local user (%(luser)s)', array('ruser' => escape($message->getRemoteUser()), 'luser' => escape($message->getUserName()), 'rhost' => escape($untrustedHost), 'reverse' => $reverse));
return self::AUTH_REMOVE;
}
$logging->info('Accepted host based connection ' . 'from "%(ruser)s@%(rhost)s" (%(ruser)s@%(reverse)s) ' . 'to "%(luser)s" (using "%(algorithm)s" algorithm)', array('ruser' => escape($message->getRemoteUser()), 'luser' => escape($message->getUserName()), 'rhost' => escape($untrustedHost), 'reverse' => $reverse, 'algorithm' => escape($message->getAlgorithm())));
return self::AUTH_ACCEPT;
}
/**
* Construct a new SSH_MSG_KEXDH_REPLY message.
*
* \param fpoirotte::Pssht::Messages::KEXDH::INIT $kexDHInit
* Client's contribution to the Diffie-Hellman Key Exchange.
*
* \param fpoirotte::Pssht::PublicKeyInterface $key
* Server's public key.
*
* \param fpoirotte::Pssht::EncryptionInterface $encryptionAlgo
* Encryption algorithm in use.
*
* \param fpoirotte::Pssht::KEXInterface $kexAlgo
* Key exchange algorithm to use.
*
* \param fpoirotte::Pssht::Messages::KEXINIT $serverKEX
* Algorithms supported by the server.
*
* \param fpoirotte::Pssht::Messages::KEXINIT $clientKEX
* Algorithms supported by the client.
*
* \param string $serverIdent
* Server's identification string
*
* \param string $clientIdent
* Client's identification string
*/
public function __construct(\fpoirotte\Pssht\Messages\KEXDH\INIT $kexDHInit, \fpoirotte\Pssht\PublicKeyInterface $key, \fpoirotte\Pssht\EncryptionInterface $encryptionAlgo, \fpoirotte\Pssht\KEXInterface $kexAlgo, \fpoirotte\Pssht\Messages\KEXINIT $serverKEX, \fpoirotte\Pssht\Messages\KEXINIT $clientKEX, $serverIdent, $clientIdent)
{
if (!is_string($serverIdent)) {
throw new \InvalidArgumentException();
}
if (!is_string($clientIdent)) {
throw new \InvalidArgumentException();
}
$keyLength = min(20, max($encryptionAlgo->getKeySize(), 16));
$randBytes = openssl_random_pseudo_bytes(2 * $keyLength);
$y = gmp_init(bin2hex($randBytes), 16);
$prime = gmp_init($kexAlgo::getPrime(), 16);
$this->f = gmp_powm($kexAlgo::getGenerator(), $y, $prime);
$this->K = gmp_powm($kexDHInit->getE(), $y, $prime);
$this->K_S = $key;
$this->kexDHInit = $kexDHInit;
$this->kexAlgo = $kexAlgo;
$this->serverKEX = $serverKEX;
$this->clientKEX = $clientKEX;
$this->serverIdent = $serverIdent;
$this->clientIdent = $clientIdent;
$msgId = chr(\fpoirotte\Pssht\Messages\KEXINIT::getMessageId());
// $sub is used to create the structure for the hashing function.
$sub = new \fpoirotte\Pssht\Wire\Encoder(new \fpoirotte\Pssht\Buffer());
$this->K_S->serialize($sub);
$K_S = $sub->getBuffer()->get(0);
$sub->encodeString($this->clientIdent);
$sub->encodeString($this->serverIdent);
// $sub2 is used to compute the value
// of various fields inside the structure.
$sub2 = new \fpoirotte\Pssht\Wire\Encoder(new \fpoirotte\Pssht\Buffer());
$sub2->encodeBytes($msgId);
// Add message identifier.
$this->clientKEX->serialize($sub2);
$sub->encodeString($sub2->getBuffer()->get(0));
$sub2->encodeBytes($msgId);
// Add message identifier.
$this->serverKEX->serialize($sub2);
$sub->encodeString($sub2->getBuffer()->get(0));
$sub->encodeString($K_S);
$sub->encodeMpint($this->kexDHInit->getE());
$sub->encodeMpint($this->f);
$sub->encodeMpint($this->K);
$logging = \Plop\Plop::getInstance();
$origData = $sub->getBuffer()->get(0);
$data = wordwrap(bin2hex($origData), 4, ' ', true);
$data = wordwrap($data, 32 + 7, PHP_EOL, true);
$logging->debug("Signature payload:\r\n%s", array($data));
$this->H = $this->kexAlgo->hash($origData);
}
/**
* Write an SSH message into the output buffer.
*
* \param fpoirotte::Pssht::MessageInterface $message
* Message to write into the output buffer.
*
* \retval Transport
* Returns this transport layer.
*/
public function writeMessage(\fpoirotte\Pssht\MessageInterface $message)
{
$logging = \Plop\Plop::getInstance();
// Serialize the message.
$encoder = new \fpoirotte\Pssht\Wire\Encoder();
$encoder->encodeBytes(chr($message::getMessageId()));
$message->serialize($encoder);
$payload = $encoder->getBuffer()->get(0);
$logging->debug('Sending payload: %s', array(\escape($payload)));
// Compress the payload if necessary.
$payload = $this->compressor->update($payload);
$size = strlen($payload);
$blockSize = max(8, $this->encryptor->getBlockSize());
// Compute padding requirements.
// See http://api.libssh.org/rfc/PROTOCOL
// for more information on EtM (Encrypt-then-MAC)
// and RFCs 5116 & 5647 for AEAD & AES-GCM.
if ($this->outMAC instanceof \fpoirotte\Pssht\MAC\OpensshCom\EtM\EtMInterface) {
$padSize = $blockSize - (1 + $size) % $blockSize;
} elseif ($this->encryptor instanceof \fpoirotte\Pssht\AEADInterface) {
$padSize = $blockSize - (1 + $size) % $blockSize;
} else {
$padSize = $blockSize - (1 + 4 + $size) % $blockSize;
}
if ($padSize < 4) {
$padSize = ($padSize + $blockSize) % 256;
}
$padding = openssl_random_pseudo_bytes($padSize);
// Create the packet. Every content passed to $encoder
// will be encrypted, except possibly for the packet
// length (see below).
$encoder->encodeUint32(1 + $size + $padSize);
if ($this->outMAC instanceof \fpoirotte\Pssht\MAC\OpensshCom\EtM\EtMInterface) {
// Send the packet length in plaintext.
$encSize = $encoder->getBuffer()->get(0);
$this->encoder->encodeBytes($encSize);
}
$encoder->encodeBytes(chr($padSize));
$encoder->encodeBytes($payload);
$encoder->encodeBytes($padding);
$packet = $encoder->getBuffer()->get(0);
$encrypted = $this->encryptor->encrypt($this->outSeqNo, $packet);
// Compute the MAC.
if ($this->outMAC instanceof \fpoirotte\Pssht\MAC\OpensshCom\EtM\EtMInterface) {
$mac = $this->outMAC->compute($this->outSeqNo, $encSize . $encrypted);
} else {
$mac = $this->outMAC->compute($this->outSeqNo, $packet);
}
// Send the packet on the wire.
$this->encoder->encodeBytes($encrypted);
$this->encoder->encodeBytes($mac);
$this->outSeqNo = ++$this->outSeqNo & 0xffffffff;
$logging->debug('Sending %(type)s packet ' . '(size: %(size)d, payload: %(payload)d, ' . 'block: %(block)d, padding: %(padding)d)', array('type' => get_class($message), 'size' => strlen($encrypted), 'payload' => $size, 'block' => $blockSize, 'padding' => $padSize));
return $this;
}
/**
* Construct a new SSH_MSG_KEXDH_REPLY message.
*
* \param fpoirotte::Pssht::ECC::Curve $curve
* Elliptic curve in use.
*
* \param fpoirotte::Pssht::Messages::KEX::ECDH::INIT::RFC5656 $kexDHInit
* Client's contribution to the Diffie-Hellman Key Exchange.
*
* \param fpoirotte::Pssht::PublicKeyInterface $key
* Server's public key.
*
* \param fpoirotte::Pssht::EncryptionInterface $encryptionAlgo
* Encryption algorithm in use.
*
* \param fpoirotte::Pssht::KEXInterface $kexAlgo
* Key exchange algorithm to use.
*
* \param fpoirotte::Pssht::Messages::KEXINIT $serverKEX
* Algorithms supported by the server.
*
* \param fpoirotte::Pssht::Messages::KEXINIT $clientKEX
* Algorithms supported by the client.
*
* \param string $serverIdent
* Server's identification string
*
* \param string $clientIdent
* Client's identification string
*/
public function __construct(\fpoirotte\Pssht\ECC\Curve $curve, \fpoirotte\Pssht\Messages\KEX\ECDH\INIT\RFC5656 $kexDHInit, \fpoirotte\Pssht\PublicKeyInterface $key, \fpoirotte\Pssht\EncryptionInterface $encryptionAlgo, \fpoirotte\Pssht\KEXInterface $kexAlgo, \fpoirotte\Pssht\Messages\KEXINIT $serverKEX, \fpoirotte\Pssht\Messages\KEXINIT $clientKEX, $serverIdent, $clientIdent)
{
if (!is_string($serverIdent)) {
throw new \InvalidArgumentException();
}
if (!is_string($clientIdent)) {
throw new \InvalidArgumentException();
}
$len = strlen(gmp_strval($curve->getOrder(), 2));
$len = ceil($len / 8);
$randBytes = openssl_random_pseudo_bytes($len);
$d_S = gmp_mod(gmp_init(bin2hex($randBytes), 16), $curve->getModulus());
$this->Q_S = $curve->getGenerator()->multiply($curve, $d_S);
$Q_C = $kexDHInit->getQ();
/// @FIXME this is not optimal...
$algorithms = \fpoirotte\Pssht\Algorithms::factory();
$cls = $algorithms->getClass('PublicKey', 'ecdsa-sha2-' . $curve->getName());
$clientPK = new $cls($Q_C);
if (!$clientPK->isValid()) {
throw new \InvalidArgumentException();
}
// EC Co-factor DH (sec1-v2, section 3.3.2).
$P = $Q_C->multiply($curve, gmp_mul($curve->getCofactor(), $d_S));
if ($P->isIdentity($curve)) {
throw new \InvalidArgumentException();
}
$this->K = $P->x;
$this->curve = $curve;
$this->K_S = $key;
$this->kexDHInit = $kexDHInit;
$this->kexAlgo = $kexAlgo;
$this->serverKEX = $serverKEX;
$this->clientKEX = $clientKEX;
$this->serverIdent = $serverIdent;
$this->clientIdent = $clientIdent;
$msgId = chr(\fpoirotte\Pssht\Messages\KEXINIT::getMessageId());
// $sub is used to create the structure for the hashing function.
$sub = new \fpoirotte\Pssht\Wire\Encoder(new \fpoirotte\Pssht\Buffer());
$this->K_S->serialize($sub);
$K_S = $sub->getBuffer()->get(0);
$sub->encodeString($this->clientIdent);
$sub->encodeString($this->serverIdent);
// $sub2 is used to compute the value
// of various fields inside the structure.
$sub2 = new \fpoirotte\Pssht\Wire\Encoder(new \fpoirotte\Pssht\Buffer());
$sub2->encodeBytes($msgId);
// Add message identifier.
$this->clientKEX->serialize($sub2);
$sub->encodeString($sub2->getBuffer()->get(0));
$sub2->encodeBytes($msgId);
// Add message identifier.
$this->serverKEX->serialize($sub2);
$sub->encodeString($sub2->getBuffer()->get(0));
$sub->encodeString($K_S);
$sub->encodeString($Q_C->serialize($curve));
$sub->encodeString($this->Q_S->serialize($curve));
$sub->encodeMpint($this->K);
$logging = \Plop\Plop::getInstance();
$origData = $sub->getBuffer()->get(0);
$data = wordwrap(bin2hex($origData), 4, ' ', true);
$data = wordwrap($data, 32 + 7, PHP_EOL, true);
$logging->debug("Signature payload:\r\n%s", array($data));
$this->H = $this->kexAlgo->hash($origData);
}
