コード例 #1
0
ファイル: KexManager.java プロジェクト: maoruilin/sshtunnel
  private void finishKex() throws IOException {
    if (sessionId == null) sessionId = kxs.H;

    establishKeyMaterial();

    /* Tell the other side that we start using the new material */

    PacketNewKeys ign = new PacketNewKeys();
    tm.sendKexMessage(ign.getPayload());

    BlockCipher cbc;
    MAC mac;
    ICompressor comp;

    try {
      cbc =
          BlockCipherFactory.createCipher(
              kxs.np.enc_algo_client_to_server,
              true,
              km.enc_key_client_to_server,
              km.initial_iv_client_to_server);

      mac = new MAC(kxs.np.mac_algo_client_to_server, km.integrity_key_client_to_server);

      comp = CompressionFactory.createCompressor(kxs.np.comp_algo_client_to_server);

    } catch (IllegalArgumentException e1) {
      throw new IOException("Fatal error during MAC startup!");
    }

    tm.changeSendCipher(cbc, mac);
    tm.changeSendCompression(comp);
    tm.kexFinished();
  }
コード例 #2
0
  /**
   * Closes given {@link #transportManagers} of this <tt>Conference</tt> and removes corresponding
   * channel bundle.
   */
  void closeTransportManager(TransportManager transportManager) {
    synchronized (transportManagers) {
      for (Iterator<IceUdpTransportManager> i = transportManagers.values().iterator();
          i.hasNext(); ) {
        if (i.next() == transportManager) {
          i.remove();
          // Presumably, we have a single association for
          // transportManager.
          break;
        }
      }

      // Close manager
      try {
        transportManager.close();
      } catch (Throwable t) {
        logger.warn(
            "Failed to close an IceUdpTransportManager of" + " conference " + getID() + "!", t);
        // The whole point of explicitly closing the
        // transportManagers of this Conference is to prevent memory
        // leaks. Hence, it does not make sense to possibly leave
        // TransportManagers open because a TransportManager has
        // failed to close.
        if (t instanceof InterruptedException) Thread.currentThread().interrupt();
        else if (t instanceof ThreadDeath) throw (ThreadDeath) t;
      }
    }
  }
コード例 #3
0
ファイル: KexManager.java プロジェクト: maoruilin/sshtunnel
  public synchronized void initiateKEX(CryptoWishList cwl, DHGexParameters dhgex)
      throws IOException {
    nextKEXcryptoWishList = cwl;
    nextKEXdhgexParameters = dhgex;

    if (kxs == null) {
      kxs = new KexState();

      kxs.dhgexParameters = nextKEXdhgexParameters;
      PacketKexInit kp = new PacketKexInit(nextKEXcryptoWishList, rnd);
      kxs.localKEX = kp;
      tm.sendKexMessage(kp.getPayload());
    }
  }
コード例 #4
0
ファイル: KexManager.java プロジェクト: maoruilin/sshtunnel
  public ConnectionInfo getOrWaitForConnectionInfo(int minKexCount) throws IOException {
    synchronized (accessLock) {
      while (true) {
        if ((lastConnInfo != null) && (lastConnInfo.keyExchangeCounter >= minKexCount))
          return lastConnInfo;

        if (connectionClosed)
          throw (IOException)
              new IOException("Key exchange was not finished, connection is closed.")
                  .initCause(tm.getReasonClosedCause());

        try {
          accessLock.wait();
        } catch (InterruptedException e) {
        }
      }
    }
  }
コード例 #5
0
ファイル: KexManager.java プロジェクト: maoruilin/sshtunnel
  public synchronized void handleMessage(byte[] msg, int msglen) throws IOException {
    PacketKexInit kip;

    if (msg == null) {
      synchronized (accessLock) {
        connectionClosed = true;
        accessLock.notifyAll();
        return;
      }
    }

    if ((kxs == null) && (msg[0] != Packets.SSH_MSG_KEXINIT))
      throw new IOException("Unexpected KEX message (type " + msg[0] + ")");

    if (ignore_next_kex_packet) {
      ignore_next_kex_packet = false;
      return;
    }

    if (msg[0] == Packets.SSH_MSG_KEXINIT) {
      if ((kxs != null) && (kxs.state != 0))
        throw new IOException("Unexpected SSH_MSG_KEXINIT message during on-going kex exchange!");

      if (kxs == null) {
        /*
         * Ah, OK, peer wants to do KEX. Let's be nice and play
         * together.
         */
        kxs = new KexState();
        kxs.dhgexParameters = nextKEXdhgexParameters;
        kip = new PacketKexInit(nextKEXcryptoWishList, rnd);
        kxs.localKEX = kip;
        tm.sendKexMessage(kip.getPayload());
      }

      kip = new PacketKexInit(msg, 0, msglen);
      kxs.remoteKEX = kip;

      kxs.np =
          mergeKexParameters(kxs.localKEX.getKexParameters(), kxs.remoteKEX.getKexParameters());

      if (kxs.np == null) throw new IOException("Cannot negotiate, proposals do not match.");

      if (kxs.remoteKEX.isFirst_kex_packet_follows() && (kxs.np.guessOK == false)) {
        /*
         * Guess was wrong, we need to ignore the next kex packet.
         */

        ignore_next_kex_packet = true;
      }

      if (kxs.np.kex_algo.equals("diffie-hellman-group-exchange-sha1")) {
        if (kxs.dhgexParameters.getMin_group_len() == 0
            || csh.server_versioncomment.matches("OpenSSH_2\\.([0-4]\\.|5\\.[0-2]).*")) {
          PacketKexDhGexRequestOld dhgexreq = new PacketKexDhGexRequestOld(kxs.dhgexParameters);
          tm.sendKexMessage(dhgexreq.getPayload());

        } else {
          PacketKexDhGexRequest dhgexreq = new PacketKexDhGexRequest(kxs.dhgexParameters);
          tm.sendKexMessage(dhgexreq.getPayload());
        }
        kxs.state = 1;
        return;
      }

      if (kxs.np.kex_algo.equals("diffie-hellman-group1-sha1")
          || kxs.np.kex_algo.equals("diffie-hellman-group14-sha1")) {
        kxs.dhx = new DhExchange();

        if (kxs.np.kex_algo.equals("diffie-hellman-group1-sha1")) kxs.dhx.init(1, rnd);
        else kxs.dhx.init(14, rnd);

        PacketKexDHInit kp = new PacketKexDHInit(kxs.dhx.getE());
        tm.sendKexMessage(kp.getPayload());
        kxs.state = 1;
        return;
      }

      throw new IllegalStateException("Unkown KEX method!");
    }

    if (msg[0] == Packets.SSH_MSG_NEWKEYS) {
      if (km == null)
        throw new IOException("Peer sent SSH_MSG_NEWKEYS, but I have no key material ready!");

      BlockCipher cbc;
      MAC mac;
      ICompressor comp;

      try {
        cbc =
            BlockCipherFactory.createCipher(
                kxs.np.enc_algo_server_to_client,
                false,
                km.enc_key_server_to_client,
                km.initial_iv_server_to_client);

        mac = new MAC(kxs.np.mac_algo_server_to_client, km.integrity_key_server_to_client);

        comp = CompressionFactory.createCompressor(kxs.np.comp_algo_server_to_client);
      } catch (IllegalArgumentException e1) {
        throw new IOException("Fatal error during MAC startup!");
      }

      tm.changeRecvCipher(cbc, mac);
      tm.changeRecvCompression(comp);

      ConnectionInfo sci = new ConnectionInfo();

      kexCount++;

      sci.keyExchangeAlgorithm = kxs.np.kex_algo;
      sci.keyExchangeCounter = kexCount;
      sci.clientToServerCryptoAlgorithm = kxs.np.enc_algo_client_to_server;
      sci.serverToClientCryptoAlgorithm = kxs.np.enc_algo_server_to_client;
      sci.clientToServerMACAlgorithm = kxs.np.mac_algo_client_to_server;
      sci.serverToClientMACAlgorithm = kxs.np.mac_algo_server_to_client;
      sci.serverHostKeyAlgorithm = kxs.np.server_host_key_algo;
      sci.serverHostKey = kxs.hostkey;

      synchronized (accessLock) {
        lastConnInfo = sci;
        accessLock.notifyAll();
      }

      kxs = null;
      return;
    }

    if ((kxs == null) || (kxs.state == 0)) throw new IOException("Unexpected Kex submessage!");

    if (kxs.np.kex_algo.equals("diffie-hellman-group-exchange-sha1")) {
      if (kxs.state == 1) {
        PacketKexDhGexGroup dhgexgrp = new PacketKexDhGexGroup(msg, 0, msglen);
        kxs.dhgx = new DhGroupExchange(dhgexgrp.getP(), dhgexgrp.getG());
        kxs.dhgx.init(rnd);
        PacketKexDhGexInit dhgexinit = new PacketKexDhGexInit(kxs.dhgx.getE());
        tm.sendKexMessage(dhgexinit.getPayload());
        kxs.state = 2;
        return;
      }

      if (kxs.state == 2) {
        PacketKexDhGexReply dhgexrpl = new PacketKexDhGexReply(msg, 0, msglen);

        kxs.hostkey = dhgexrpl.getHostKey();

        if (verifier != null) {
          boolean vres = false;

          try {
            vres =
                verifier.verifyServerHostKey(
                    hostname, port, kxs.np.server_host_key_algo, kxs.hostkey);
          } catch (Exception e) {
            throw (IOException)
                new IOException("The server hostkey was not accepted by the verifier callback.")
                    .initCause(e);
          }

          if (vres == false)
            throw new IOException("The server hostkey was not accepted by the verifier callback");
        }

        kxs.dhgx.setF(dhgexrpl.getF());

        try {
          kxs.H =
              kxs.dhgx.calculateH(
                  csh.getClientString(),
                  csh.getServerString(),
                  kxs.localKEX.getPayload(),
                  kxs.remoteKEX.getPayload(),
                  dhgexrpl.getHostKey(),
                  kxs.dhgexParameters);
        } catch (IllegalArgumentException e) {
          throw (IOException) new IOException("KEX error.").initCause(e);
        }

        boolean res = verifySignature(dhgexrpl.getSignature(), kxs.hostkey);

        if (res == false) throw new IOException("Hostkey signature sent by remote is wrong!");

        kxs.K = kxs.dhgx.getK();

        finishKex();
        kxs.state = -1;
        return;
      }

      throw new IllegalStateException("Illegal State in KEX Exchange!");
    }

    if (kxs.np.kex_algo.equals("diffie-hellman-group1-sha1")
        || kxs.np.kex_algo.equals("diffie-hellman-group14-sha1")) {
      if (kxs.state == 1) {

        PacketKexDHReply dhr = new PacketKexDHReply(msg, 0, msglen);

        kxs.hostkey = dhr.getHostKey();

        if (verifier != null) {
          boolean vres = false;

          try {
            vres =
                verifier.verifyServerHostKey(
                    hostname, port, kxs.np.server_host_key_algo, kxs.hostkey);
          } catch (Exception e) {
            throw (IOException)
                new IOException("The server hostkey was not accepted by the verifier callback.")
                    .initCause(e);
          }

          if (vres == false)
            throw new IOException("The server hostkey was not accepted by the verifier callback");
        }

        kxs.dhx.setF(dhr.getF());

        try {
          kxs.H =
              kxs.dhx.calculateH(
                  csh.getClientString(),
                  csh.getServerString(),
                  kxs.localKEX.getPayload(),
                  kxs.remoteKEX.getPayload(),
                  dhr.getHostKey());
        } catch (IllegalArgumentException e) {
          throw (IOException) new IOException("KEX error.").initCause(e);
        }

        boolean res = verifySignature(dhr.getSignature(), kxs.hostkey);

        if (res == false) throw new IOException("Hostkey signature sent by remote is wrong!");

        kxs.K = kxs.dhx.getK();

        finishKex();
        kxs.state = -1;
        return;
      }
    }

    throw new IllegalStateException("Unkown KEX method! (" + kxs.np.kex_algo + ")");
  }
コード例 #6
0
  public static Socket open(
      final String hostname, final int port, final ProxyData proxyData, final int connectTimeout)
      throws IOException {
    final Socket sock = new Socket();
    if (proxyData == null) {
      InetAddress addr = TransportManager.createInetAddress(hostname);
      sock.connect(new InetSocketAddress(addr, port), connectTimeout);
      sock.setSoTimeout(0);
      return sock;
    }

    if (proxyData instanceof SelfConnectionProxyData) {
      // already connected
      return ((SelfConnectionProxyData) proxyData).connect();
    }

    if (proxyData instanceof HTTPProxyData) {
      HTTPProxyData pd = (HTTPProxyData) proxyData;

      /* At the moment, we only support HTTP proxies */

      InetAddress addr = TransportManager.createInetAddress(pd.proxyHost);
      sock.connect(new InetSocketAddress(addr, pd.proxyPort), connectTimeout);
      sock.setSoTimeout(0);

      /* OK, now tell the proxy where we actually want to connect to */

      StringBuffer sb = new StringBuffer();

      sb.append("CONNECT ");
      sb.append(hostname);
      sb.append(':');
      sb.append(port);
      sb.append(" HTTP/1.0\r\n");

      if ((pd.proxyUser != null) && (pd.proxyPass != null)) {
        String credentials = pd.proxyUser + ":" + pd.proxyPass;
        char[] encoded = Base64.encode(credentials.getBytes("ISO-8859-1"));
        sb.append("Proxy-Authorization: Basic ");
        sb.append(encoded);
        sb.append("\r\n");
      }

      if (pd.requestHeaderLines != null) {
        for (int i = 0; i < pd.requestHeaderLines.length; i++) {
          if (pd.requestHeaderLines[i] != null) {
            sb.append(pd.requestHeaderLines[i]);
            sb.append("\r\n");
          }
        }
      }

      sb.append("\r\n");

      OutputStream out = sock.getOutputStream();

      out.write(sb.toString().getBytes("ISO-8859-1"));
      out.flush();

      /* Now parse the HTTP response */

      byte[] buffer = new byte[1024];
      InputStream in = sock.getInputStream();

      int len = ClientServerHello.readLineRN(in, buffer);

      String httpReponse = new String(buffer, 0, len, "ISO-8859-1");

      if (httpReponse.startsWith("HTTP/") == false)
        throw new IOException("The proxy did not send back a valid HTTP response.");

      /* "HTTP/1.X XYZ X" => 14 characters minimum */

      if ((httpReponse.length() < 14)
          || (httpReponse.charAt(8) != ' ')
          || (httpReponse.charAt(12) != ' '))
        throw new IOException("The proxy did not send back a valid HTTP response.");

      int errorCode = 0;

      try {
        errorCode = Integer.parseInt(httpReponse.substring(9, 12));
      } catch (NumberFormatException ignore) {
        throw new IOException("The proxy did not send back a valid HTTP response.");
      }

      if ((errorCode < 0) || (errorCode > 999))
        throw new IOException("The proxy did not send back a valid HTTP response.");

      if (errorCode != 200) {
        throw new HTTPProxyException(httpReponse.substring(13), errorCode);
      }

      /* OK, read until empty line */

      while (true) {
        len = ClientServerHello.readLineRN(in, buffer);
        if (len == 0) break;
      }
      return sock;
    }

    throw new IOException("Unsupported ProxyData");
  }