18,12 → 18,18 |
format binary as "" |
|
__DEBUG__ = 1 |
__DEBUG_LEVEL__ = 3 ; 1: Everything, including sinsitive information, 2: Debugging, 3: Errors only |
__DEBUG_LEVEL__ = 2 ; 1: Everything, including sensitive information, 2: Debugging, 3: Errors only |
|
BUFFERSIZE = 4096 |
BUFFERSIZE = 64*1024 ; Must be at least 32K according rfc4253#section-6.1 |
PACKETSIZE = 32*1024 ; Must be at least 32K according rfc4253#section-6.1 |
MAX_BITS = 8192 |
|
DH_PRIVATE_KEY_SIZE = 256 |
MAX_INPUT_LENGTH = 255 ;;; WHAT WAS THIS AGAIN ?! |
MAX_USERNAME_LENGTH = 256 |
MAX_PASSWORD_LENGTH = 256 |
MAX_HOSTNAME_LENGTH = 4096 |
MAX_PUBLIC_KEY_SIZE = 4096 |
|
use32 |
|
45,27 → 51,6 |
include '../../network.inc' |
include '../../develop/libraries/libcrash/trunk/libcrash.inc' |
|
include 'mcodes.inc' |
include 'ssh_transport.inc' |
|
include 'dh_gex.inc' |
|
include 'mpint.inc' |
include 'seed.inc' |
include 'random.inc' |
|
include 'aes256.inc' |
include 'aes256-ctr.inc' |
include 'aes256-cbc.inc' |
|
include 'blowfish.inc' |
include 'blowfish-ctr.inc' |
include 'blowfish-cbc.inc' |
|
include 'hmac_sha256.inc' |
include 'hmac_sha1.inc' |
include 'hmac_md5.inc' |
|
; macros for network byte order |
macro dd_n op { |
dd 0 or (((op) and 0FF000000h) shr 24) or \ |
79,6 → 64,15 |
(((op) and 000FFh) shl 8) |
} |
|
macro str string { |
local .start, .stop |
|
dd_n (.stop-.start) |
|
.start db string |
.stop: |
} |
|
proc dump_hex _ptr, _length |
if __DEBUG_LEVEL__ <= 1 |
pushad |
97,93 → 91,43 |
ret |
endp |
|
struct ssh_connection |
macro DEBUGM l, s, m { |
if __DEBUG__ |
DEBUGF l, s |
if l >=__DEBUG_LEVEL__ |
stdcall mpint_print, m |
end if |
end if |
} |
|
; Connection |
include 'mpint.inc' |
include 'seed.inc' |
include 'random.inc' |
|
hostname rb 1024 |
include 'aes256.inc' |
include 'aes256-ctr.inc' |
include 'aes256-cbc.inc' |
|
socketnum dd ? |
include 'blowfish.inc' |
include 'blowfish-ctr.inc' |
include 'blowfish-cbc.inc' |
|
sockaddr dw ? ; Address family |
port dw ? |
ip dd ? |
rb 10 |
include 'hmac_sha256.inc' |
include 'hmac_sha1.inc' |
include 'hmac_md5.inc' |
|
; Encryption/Decryption |
include 'sshlib.inc' |
|
rx_crypt_proc dd ? |
tx_crypt_proc dd ? |
rx_crypt_ctx_ptr dd ? |
tx_crypt_ctx_ptr dd ? |
rx_crypt_blocksize dd ? |
tx_crypt_blocksize dd ? |
include 'sshlib_mcodes.inc' |
include 'sshlib_transport.inc' |
include 'sshlib_connection.inc' |
include 'sshlib_dh_gex.inc' |
include 'sshlib_host.inc' |
include 'sshlib_channel.inc' |
include 'sshlib_userauth.inc' |
|
; Padding |
include 'encodings.inc' ; Unfortunately, we dont have UTF-8 capable console yet :( |
|
; rx_padsize dd ? ; = Max(8, rx_crypt_blocksize) |
tx_pad_size dd ? ; = Max(8, tx_crypt_blocksize) |
tx_pad_proc dd ? |
|
; Message authentication |
|
rx_mac_proc dd ? |
tx_mac_proc dd ? |
rx_mac_ctx hmac_sha256_context |
tx_mac_ctx hmac_sha256_context |
rx_mac_length dd ? |
tx_mac_length dd ? |
|
; Buffers |
|
rx_seq dd ? ; Packet sequence number for MAC |
rx_buffer ssh_packet_header |
rb BUFFERSIZE-sizeof.ssh_packet_header |
|
tx_seq dd ? ; Packet sequence number for MAC |
tx_buffer ssh_packet_header |
rb BUFFERSIZE-sizeof.ssh_packet_header |
|
send_data dw ? |
|
; Output from key exchange |
dh_K dd ? ; Shared Secret (Big endian) |
rb MAX_BITS/8 |
dh_K_length dd ? ; Length in little endian |
|
dh_H rb 32 ; Exchange Hash |
session_id_prefix db ? |
session_id rb 32 |
rx_iv rb 32 ; Rx initialisation vector |
tx_iv rb 32 ; Tx initialisation vector |
rx_enc_key rb 32 ; Rx encryption key |
tx_enc_key rb 32 ; Tx encryption key |
rx_int_key rb 32 ; Rx integrity key |
tx_int_key rb 32 ; Tx integrity key |
|
; Diffie Hellman |
dh_p dd ? |
rb MAX_BITS/8 |
dh_g dd ? |
rb MAX_BITS/8 |
dh_x dd ? |
rb MAX_BITS/8 |
dh_e dd ? |
rb MAX_BITS/8 |
dh_f dd ? |
rb MAX_BITS/8 |
|
dh_signature dd ? |
rb MAX_BITS/8 |
|
temp_ctx crash_ctx |
k_h_ctx crash_ctx |
|
mpint_tmp dd ? |
rb MAX_BITS/8 |
|
ends |
|
start: |
mcall 68, 11 ; Init heap |
|
190,7 → 134,7 |
DEBUGF 2, "SSH: Loading libraries\n" |
stdcall dll.Load, @IMPORT |
test eax, eax |
jnz exit |
jnz main.fail |
|
DEBUGF 2, "SSH: Init PRNG\n" |
call create_seed |
198,717 → 142,449 |
|
DEBUGF 2, "SSH: Init Console\n" |
invoke con_start, 1 |
invoke con_init, 80, 25, 80, 25, title |
invoke con_init, 80, 25, 800, 250, title |
|
; Check for parameters TODO |
; cmp byte[params], 0 |
; jne resolve |
cmp byte[params], 0 |
jne main.connect |
|
main: |
invoke con_cls |
; Welcome user |
invoke con_write_asciiz, str1 |
|
prompt: |
; write prompt |
invoke con_write_asciiz, str1a |
.prompt: |
invoke con_write_asciiz, str1b |
; Reset window title |
invoke con_set_title, title |
; Write prompt |
invoke con_write_asciiz, str2 |
; read string |
mov esi, con.hostname |
invoke con_gets, esi, 256 |
mov esi, params |
invoke con_gets, esi, MAX_HOSTNAME_LENGTH |
; check for exit |
test eax, eax |
jz done |
jz .done |
cmp byte[esi], 10 |
jz done |
jz .done |
|
resolve: |
mov [con.sockaddr], AF_INET4 |
mov [con.port], 22 shl 8 |
.connect: |
stdcall sshlib_connect, ssh_con, params |
cmp eax, 0 |
jg .prompt |
jl .error |
|
; delete terminating '\n' |
mov esi, con.hostname |
@@: |
lodsb |
cmp al, ':' |
je .do_port |
cmp al, 0x20 |
ja @r |
mov byte[esi-1], 0 |
jmp .done |
|
.do_port: |
xor eax, eax |
xor ebx, ebx |
mov byte[esi-1], 0 |
.portloop: |
lodsb |
cmp al, 0x20 |
jbe .port_done |
sub al, '0' |
jb hostname_error |
cmp al, 9 |
ja hostname_error |
lea ebx, [ebx*4+ebx] |
shl ebx, 1 |
add ebx, eax |
jmp .portloop |
|
.port_done: |
xchg bl, bh |
mov [con.port], bx |
|
.done: |
|
; resolve name |
push esp ; reserve stack place |
push esp |
invoke getaddrinfo, con.hostname, 0, 0 |
pop esi |
; test for error |
.login: |
mcall 68, 12, (MAX_USERNAME_LENGTH + MAX_PASSWORD_LENGTH) |
test eax, eax |
jnz dns_error |
jz .done ; ERR_NOMEM |
mov esi, eax |
lea edi, [eax + MAX_USERNAME_LENGTH] |
|
invoke con_write_asciiz, str3 |
invoke con_write_asciiz, con.hostname |
|
; write results |
invoke con_write_asciiz, str8 |
|
; convert IP address to decimal notation |
mov eax, [esi+addrinfo.ai_addr] |
mov eax, [eax+sockaddr_in.sin_addr] |
mov [con.ip], eax |
invoke inet_ntoa, eax |
; write result |
invoke con_write_asciiz, eax |
; free allocated memory |
invoke freeaddrinfo, esi |
|
invoke con_write_asciiz, str9 |
|
mcall 40, EVM_STACK + EVM_KEY |
|
; Create socket |
mcall socket, AF_INET4, SOCK_STREAM, 0 |
cmp eax, -1 |
jz socket_err |
mov [con.socketnum], eax |
|
; Connect |
DEBUGF 2, "Connecting to server\n" |
mcall connect, [con.socketnum], con.sockaddr, 18 |
test eax, eax |
jnz socket_err |
|
; Start calculating hash |
invoke sha256_init, con.temp_ctx |
; HASH: string V_C, the client's version string (CR and NL excluded) |
invoke sha256_update, con.temp_ctx, ssh_ident_ha, ssh_ident.length+4-2 |
|
; >> Send our identification string |
DEBUGF 2, "Sending ID string\n" |
mcall send, [con.socketnum], ssh_ident, ssh_ident.length, 0 |
cmp eax, -1 |
je socket_err |
|
; << Check protocol version of server |
mcall recv, [con.socketnum], con.rx_buffer, BUFFERSIZE, 0 |
cmp eax, -1 |
je socket_err |
|
DEBUGF 2, "Received ID string\n" |
cmp dword[con.rx_buffer], "SSH-" |
jne proto_err |
cmp dword[con.rx_buffer+4], "2.0-" |
jne proto_err |
|
; HASH: string V_S, the server's version string (CR and NL excluded) |
lea edx, [eax+2] |
sub eax, 2 |
bswap eax |
mov dword[con.rx_buffer-4], eax |
invoke sha256_update, con.temp_ctx, con.rx_buffer-4, edx |
|
; >> Key Exchange init |
mov [con.rx_seq], 0 |
mov [con.tx_seq], 0 |
mov [con.rx_crypt_blocksize], 4 ; minimum blocksize |
mov [con.tx_crypt_blocksize], 4 |
mov [con.rx_crypt_proc], 0 |
mov [con.tx_crypt_proc], 0 |
mov [con.rx_mac_proc], 0 |
mov [con.tx_mac_proc], 0 |
mov [con.rx_mac_length], 0 |
mov [con.tx_mac_length], 0 |
; mov [con.rx_padsize], 8 ; minimum padsize |
mov [con.tx_pad_size], 8 |
mov [con.tx_pad_proc], padding_zero |
|
DEBUGF 2, "Sending KEX init\n" |
mov edi, ssh_kex.cookie |
call MBRandom |
stosd |
call MBRandom |
stosd |
call MBRandom |
stosd |
call MBRandom |
stosd |
stdcall ssh_send_packet, con, ssh_kex, ssh_kex.length, 0 |
cmp eax, -1 |
je socket_err |
|
; HASH: string I_C, the payload of the client's SSH_MSG_KEXINIT |
mov eax, dword[con.tx_buffer+ssh_packet_header.packet_length] |
bswap eax |
movzx ebx, [con.tx_buffer+ssh_packet_header.padding_length] |
sub eax, ebx |
dec eax |
lea edx, [eax+4] |
bswap eax |
mov dword[con.tx_buffer+1], eax |
invoke sha256_update, con.temp_ctx, con.tx_buffer+1, edx |
|
; << Check key exchange init of server |
stdcall ssh_recv_packet, con, 0 |
cmp eax, -1 |
je socket_err |
|
cmp [con.rx_buffer.message_code], SSH_MSG_KEXINIT |
jne proto_err |
DEBUGF 2, "Received KEX init\n" |
|
lea esi, [con.rx_buffer+sizeof.ssh_packet_header+16] |
lodsd |
bswap eax |
DEBUGF 1, "kex_algorithms: %s\n", esi |
add esi, eax |
lodsd |
bswap eax |
DEBUGF 1, "server_host_key_algorithms: %s\n", esi |
add esi, eax |
lodsd |
bswap eax |
DEBUGF 1, "encryption_algorithms_client_to_server: %s\n", esi |
add esi, eax |
lodsd |
bswap eax |
DEBUGF 1, "encryption_algorithms_server_to_client: %s\n", esi |
add esi, eax |
lodsd |
bswap eax |
DEBUGF 1, "mac_algorithms_client_to_server: %s\n", esi |
add esi, eax |
lodsd |
bswap eax |
DEBUGF 1, "mac_algorithms_server_to_client: %s\n", esi |
add esi, eax |
lodsd |
bswap eax |
DEBUGF 1, "compression_algorithms_client_to_server: %s\n", esi |
add esi, eax |
lodsd |
bswap eax |
DEBUGF 1, "compression_algorithms_server_to_client: %s\n", esi |
add esi, eax |
lodsd |
bswap eax |
DEBUGF 1, "languages_client_to_server: %s\n", esi |
add esi, eax |
lodsd |
bswap eax |
DEBUGF 1, "languages_server_to_client: %s\n", esi |
add esi, eax |
lodsb |
DEBUGF 1, "KEX First Packet Follows: %u\n", al |
|
; TODO: parse this structure and init procedures accordingly |
|
; HASH: string I_S, the payload of the servers's SSH_MSG_KEXINIT |
mov eax, dword[con.rx_buffer+ssh_packet_header.packet_length] |
movzx ebx, [con.rx_buffer+ssh_packet_header.padding_length] |
sub eax, ebx |
dec eax |
lea edx, [eax+4] |
bswap eax |
mov dword[con.rx_buffer+sizeof.ssh_packet_header-5], eax |
invoke sha256_update, con.temp_ctx, con.rx_buffer+sizeof.ssh_packet_header-5, edx |
|
; Exchange keys with the server |
|
; TODO: host verification |
|
stdcall dh_gex |
test eax, eax |
jnz exit |
|
; Set keys and initialize transport subroutines |
|
DEBUGF 2, "SSH: Setting encryption keys\n" |
|
stdcall aes256_ctr_init, con.rx_iv |
mov [con.rx_crypt_ctx_ptr], eax |
|
stdcall aes256_set_encrypt_key, eax, con.rx_enc_key |
mov [con.rx_crypt_proc], aes256_ctr_crypt |
mov [con.rx_crypt_blocksize], AES256_BLOCKSIZE |
; mov [con.rx_pad_size], AES256_BLOCKSIZE |
|
stdcall aes256_ctr_init, con.tx_iv |
mov [con.tx_crypt_ctx_ptr], eax |
|
stdcall aes256_set_encrypt_key, eax, con.tx_enc_key |
mov [con.tx_crypt_proc], aes256_ctr_crypt |
mov [con.tx_crypt_blocksize], AES256_BLOCKSIZE |
|
mov [con.tx_pad_size], AES256_BLOCKSIZE |
mov [con.tx_pad_proc], MBRandom |
|
stdcall hmac_sha256_setkey, con.rx_mac_ctx, con.rx_int_key, SHA256_HASH_SIZE |
mov [con.rx_mac_proc], hmac_sha256 |
mov [con.rx_mac_length], SHA256_HASH_SIZE |
|
stdcall hmac_sha256_setkey, con.tx_mac_ctx, con.tx_int_key, SHA256_HASH_SIZE |
mov [con.tx_mac_proc], hmac_sha256 |
mov [con.tx_mac_length], SHA256_HASH_SIZE |
|
; Re-seed RNG for padding bytes |
call create_seed |
call init_random |
|
; TODO: erase all keys from memory and free the memory |
|
; >> Request service (user-auth) |
|
DEBUGF 2, "SSH: Requesting service\n" |
|
stdcall ssh_send_packet, con, ssh_request_service, ssh_request_service.length, 0 |
cmp eax, -1 |
je socket_err |
|
; << Check for service acceptance |
|
stdcall ssh_msg_handler, con, 0 |
cmp eax, -1 |
je socket_err |
|
cmp [con.rx_buffer.message_code], SSH_MSG_SERVICE_ACCEPT |
jne proto_err |
|
; >> Request user authentication |
|
DEBUGF 2, "SSH: User authentication\n" |
|
mcall 68, 12, 1024 ; FIXME |
test eax, eax |
jz done ; FIXME |
mov edi, eax |
mov ebx, eax |
mov byte[edi], SSH_MSG_USERAUTH_REQUEST |
inc edi |
|
; Get username |
add edi, 4 |
invoke con_write_asciiz, str12 |
invoke con_gets, edi, 256 ; FIXME |
invoke con_gets, esi, MAX_USERNAME_LENGTH |
test eax, eax |
jz done ; FIXME |
;; jz .con_closed_must_clear |
|
mov edx, eax |
mov ecx, 256 |
xor al, al |
repne scasb |
|
dec edi ; \0 |
dec edi ; \n |
push edi |
sub edi, edx |
bswap edi |
mov [edx-4], edi |
pop edi |
|
mov dword[edi], 0x0e000000 ; 14 Bswapped |
mov dword[edi+4], "ssh-" |
mov dword[edi+8], "conn" |
mov dword[edi+12], "ecti" |
mov word[edi+16], "on" |
add edi, 18 |
|
mov dword[edi], 0x08000000 ; 8 Bswapped |
mov dword[edi+4], "pass" |
mov dword[edi+8], "word" |
|
mov byte[edi+12], 0 ; bool |
add edi, 13 |
|
; Get password |
add edi, 4 |
invoke con_write_asciiz, str13 |
push eax |
invoke con_gets, edi, 256 ; FIXME |
invoke con_write_asciiz, str13a |
invoke con_gets, edi, MAX_PASSWORD_LENGTH |
test eax, eax |
jz done ; FIXME |
;; jz .con_closed_must_clear |
invoke con_write_asciiz, str13b |
|
mov edx, eax |
mov ecx, 256 |
xor al, al |
repne scasb |
|
dec edi ; \0 |
dec edi ; \n |
push edi |
sub edi, edx |
bswap edi |
mov [edx-4], edi |
pop edi |
sub edi, ebx |
|
push ebx |
stdcall ssh_send_packet, con, ebx, edi, 0 |
|
; Clear used buffer and free |
pop edx |
mov edi, edx |
; Authenticate |
stdcall sshlib_userauth_password, ssh_con, esi, edi |
; Clear and free username and password |
.clear: |
push eax |
mov ecx, 1024/4 ; FIXME |
mov edx, edi |
xor eax, eax |
mov ecx, (MAX_USERNAME_LENGTH + MAX_PASSWORD_LENGTH)/4 |
rep stosd |
mcall 68, 13, edx |
pop eax |
|
cmp eax, -1 |
je socket_err |
cmp eax, 0 |
jg .login ; Authentication failed |
jl .error ; An error occured |
|
invoke con_write_asciiz, str14 |
; Open a channel |
stdcall sshlib_chan_open, ssh_con |
cmp eax, 0 |
jg .prompt ; Authentication failed |
jl .error ; An error occured |
|
; << Check for userauth acceptance |
|
stdcall ssh_msg_handler, con, 0 |
cmp eax, -1 |
je socket_err |
|
cmp [con.rx_buffer.message_code], SSH_MSG_USERAUTH_SUCCESS |
jne proto_err |
|
; >> Open channel |
|
DEBUGF 2, "SSH: Open channel\n" |
|
stdcall ssh_send_packet, con, ssh_channel_open, ssh_channel_open.length, 0 |
cmp eax, -1 |
je socket_err |
|
; << Check for channel open confirmation |
|
stdcall ssh_msg_handler, con, 0 |
cmp eax, -1 |
je socket_err |
|
cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_OPEN_CONFIRMATION |
jne proto_err |
|
; >> Channel request: pty |
|
DEBUGF 2, "SSH: Request pty\n" |
|
stdcall ssh_send_packet, con, ssh_channel_request, ssh_channel_request.length, 0 |
cmp eax, -1 |
je socket_err |
|
; << Check for channel request confirmation |
|
stdcall ssh_msg_handler, con, 0 |
cmp eax, -1 |
je socket_err |
|
cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_SUCCESS |
jne proto_err |
|
; >> Channel request: shell |
|
DEBUGF 2, "SSH: Request shell\n" |
|
stdcall ssh_send_packet, con, ssh_shell_request, ssh_shell_request.length, 0 |
cmp eax, -1 |
je socket_err |
|
; << Check for channel request confirmation (FIXME: this may not be first packet!) |
|
; TODO |
; |
; stdcall ssh_msg_handler, con, 0 |
; cmp eax, -1 |
; je socket_err |
|
; cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_SUCCESS |
; jne proto_err |
|
; Launch network thread |
; Start console input handler thread without deactivating the current window |
; Get active window ID |
mcall 18, 7 |
push eax |
mcall 51, 1, thread, mem - 2048 |
; Create thread |
mcall 51, 1, con_in_thread, mem - 2048 |
; Activate window with given ID |
pop ecx |
mcall 18, 3 |
|
mainloop: |
call [con_get_flags] |
test eax, 0x200 ; con window closed? |
jnz exit |
.loop: |
invoke con_get_flags |
test eax, 0x200 ; console window closed? |
jnz .con_closed |
|
stdcall ssh_msg_handler, con, 0 |
stdcall sshlib_msg_handler, ssh_con, 0 |
cmp eax, 0 |
jbe closed |
jle .check_err |
|
cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_DATA |
cmp [ssh_con.rx_buffer.message_code], SSH_MSG_CHANNEL_DATA |
jne .dump |
|
mov eax, dword[con.rx_buffer.message_code+5] |
mov eax, dword[ssh_con.rx_buffer.message_code+5] |
bswap eax |
DEBUGF 1, 'SSH: got %u bytes of data !\n', eax |
|
lea esi, [con.rx_buffer.message_code+5+4] |
mov ecx, eax |
lea edi, [esi + eax] |
mov byte [edi], 0 |
lea esi, [ssh_con.rx_buffer.message_code+5+4] |
lea edx, [esi+eax] |
lea edi, [ssh_con.rx_buffer] |
@@: |
call get_byte_utf8 |
stosb |
cmp esi, edx |
jb @r |
xor al, al |
stosb |
|
lea esi, [ssh_con.rx_buffer] |
DEBUGF 3, 'SSH msg: %s\n', esi |
|
invoke con_write_asciiz, esi |
jmp mainloop |
jmp .loop |
|
.dump: |
lea esi, [con.rx_buffer] |
DEBUGF 3, "SSH: Unsupported message: " |
lea esi, [ssh_con.rx_buffer.message_code] |
mov ecx, eax |
pusha |
@@: |
lodsb |
DEBUGF 1, "%x ", eax:2 |
DEBUGF 3, "%x ", eax:2 |
dec ecx |
jnz @r |
popa |
DEBUGF 1, "\n" |
jmp mainloop |
DEBUGF 3, "\n" |
jmp .loop |
|
.check_err: |
jz .err_conn_closed |
cmp ebx, EWOULDBLOCK |
je .loop |
jmp .err_sock |
|
proto_err: |
mov eax, con.rx_buffer |
int3 |
.con_closed: |
; Send close message on the active channel |
stdcall sshlib_send_packet, ssh_con, ssh_msg_channel_close, ssh_msg_channel_close.length, 0 |
jmp .done |
|
DEBUGF 3, "SSH: protocol error\n" |
.error: |
|
; TODO: proper cleanup after error |
|
cmp eax, SSHLIB_ERR_NOMEM |
je .done |
cmp eax, SSHLIB_ERR_SOCKET |
je .err_sock |
cmp eax, SSHLIB_ERR_PROTOCOL |
je .err_proto |
cmp eax, SSHLIB_ERR_HOSTNAME |
je .err_hostname |
cmp eax, SSHLIB_ERR_HKEY_VERIFY_FAIL |
je .err_hostkey_fail |
cmp eax, SSHLIB_ERR_HKEY_SIGNATURE |
je .err_hostkey_signature |
cmp eax, SSHLIB_ERR_HKEY_PUBLIC_KEY |
je .err_hostkey |
|
jmp .done |
|
|
.err_proto: |
; lea eax, [ssh_con.rx_buffer] |
; int3 |
invoke con_write_asciiz, str7 |
jmp prompt |
jmp .prompt |
|
socket_err: |
DEBUGF 3, "SSH: socket error %d\n", ebx |
.err_sock: |
invoke con_write_asciiz, str6 |
jmp prompt |
|
dns_error: |
DEBUGF 3, "SSH: DNS error %d\n", eax |
invoke con_write_asciiz, str5 |
jmp prompt |
mov eax, str14 |
cmp ebx, ETIMEDOUT |
je .err_sock_detail |
mov eax, str15 |
cmp ebx, ECONNREFUSED |
je .err_sock_detail |
mov eax, str16 |
cmp ebx, ECONNRESET |
je .err_sock_detail |
mov eax, str17 |
.err_sock_detail: |
invoke con_write_asciiz, eax |
jmp .prompt |
|
hostname_error: |
.err_hostname: |
invoke con_write_asciiz, str10 |
jmp prompt |
jmp .prompt |
|
closed: |
.err_conn_closed: |
invoke con_write_asciiz, str11 |
jmp prompt |
jmp .prompt |
|
done: |
.err_hostkey: |
invoke con_write_asciiz, str19 |
jmp .prompt |
|
.err_hostkey_signature: |
invoke con_write_asciiz, str20 |
jmp .prompt |
|
.err_hostkey_fail: |
invoke con_write_asciiz, str21 |
jmp .prompt |
|
.done: |
invoke con_exit, 1 |
exit: |
.exit: |
DEBUGF 3, "SSH: Exiting\n" |
mcall close, [con.socketnum] |
mcall close, [ssh_con.socketnum] |
.fail: |
mcall -1 |
|
|
thread: |
mcall 40, 0 |
.loop: |
invoke con_getch2 |
mov [ssh_channel_data+9], al |
stdcall ssh_send_packet, con, ssh_channel_data, ssh_channel_data.length, MSG_DONTWAIT |
proc sshlib_callback_connecting, con_ptr, connstring_sz |
|
invoke con_get_flags |
test eax, 0x200 ; con window closed? |
jz .loop |
mcall -1 |
invoke con_write_asciiz, str3 |
mov eax, [con_ptr] |
lea eax, [eax+sshlib_connection.hostname_sz] |
invoke con_write_asciiz, eax |
invoke con_write_asciiz, str8 |
invoke con_write_asciiz, [connstring_sz] |
invoke con_write_asciiz, str9 |
|
ret |
endp |
|
; Handle common messages and return from specific ones |
proc ssh_msg_handler, con, flags |
|
.recv: |
stdcall ssh_recv_packet, [con], [flags] |
cmp eax, -1 |
je .ret |
proc sshlib_callback_hostkey_problem, con_ptr, problem_type, hostkey_sz |
|
cmp [con.rx_buffer.message_code], SSH_MSG_DISCONNECT |
je .disc |
cmp [con.rx_buffer.message_code], SSH_MSG_IGNORE |
je .ign |
cmp [con.rx_buffer.message_code], SSH_MSG_DEBUG |
je .dbg |
cmp [con.rx_buffer.message_code], SSH_MSG_GLOBAL_REQUEST |
je .glob |
cmp [problem_type], SSHLIB_HOSTKEY_PROBLEM_UNKNOWN |
je .unknown |
cmp [problem_type], SSHLIB_HOSTKEY_PROBLEM_MISMATCH |
je .mismatch |
|
.ret: |
ret |
|
.disc: |
mov eax, -1 |
ret |
|
.ign: |
jmp .recv |
.unknown: |
invoke con_write_asciiz, str22 |
jmp .ask |
|
.dbg: |
.glob: |
; TODO |
.mismatch: |
invoke con_write_asciiz, str23 |
; jmp .ask |
.ask: |
;;; TODO: print hostkey |
invoke con_write_asciiz, str24 |
.getansw: |
invoke con_getch2 |
or al, 0x20 ; convert to lowercase |
cmp al, 'a' |
je .accept |
cmp al, 'c' |
je .once |
cmp al, 'x' |
je .refuse |
jmp .getansw |
|
jmp .recv |
.accept: |
mov eax, SSHLIB_HOSTKEY_ACCEPT |
ret |
.once: |
mov eax, SSHLIB_HOSTKEY_ONCE |
ret |
.refuse: |
mov eax, SSHLIB_HOSTKEY_REFUSE |
ret |
|
endp |
|
|
|
align 16 |
con_in_thread: |
|
.loop: |
; TODO: check if channel is still open somehow |
|
invoke con_get_input, ssh_msg_channel_data.data, MAX_INPUT_LENGTH |
test eax, eax |
jz .no_input |
|
lea ecx, [eax + ssh_msg_channel_data.data - ssh_msg_channel_data] |
bswap eax |
mov [ssh_msg_channel_data.len], eax |
stdcall sshlib_send_packet, ssh_con, ssh_msg_channel_data, ecx, 0 |
cmp eax, 0 |
jle .exit |
|
.no_input: |
invoke con_get_flags |
test eax, 0x200 ; con window closed? |
jz .loop |
|
.exit: |
mcall -1 |
|
|
; data |
title db 'Secure Shell',0 |
str1 db 'SSH client for KolibriOS',10,10,\ |
'Please enter URL of SSH server (hostname:port)',10,10,0 |
str1a db 'SSHv2 client for KolibriOS',10,0 |
str1b db 10,'Please enter URL of SSH server (hostname:port)',10,0 |
str2 db '> ',0 |
str3 db 'Connecting to ',0 |
str4 db 10,0 |
str5 db 'Name resolution failed.',10,10,0 |
str6 db 'A socket error occured.',10,10,0 |
str7 db 'A protocol error occured.',10,10,0 |
str6 db 10, 27, '[2J',27,'[mA network error has occured.',10,0 |
str7 db 10, 27, '[2J',27,'[mAn SSH protocol error has occured.',10,0 |
str8 db ' (',0 |
str9 db ')',10,0 |
str10 db 'Invalid hostname.',10,10,0 |
str11 db 10,'Remote host closed the connection.',10,10,0 |
str10 db 'Host does not exist.',10,10,0 |
str11 db 10, 27, '[2J',27,'[mThe remote host closed the connection.',10,0 |
str12 db 'Login as: ',0 |
str13 db 'Password: ', 27, '[?25l', 27, '[30;40m', 0 |
str14 db 10, 27, '[?25h', 27, '[0m', 0 |
str13a db 'Password: ', 27, '[?25l', 27, '[30;40m', 0 |
str13b db 10, 27, '[?25h', 27, '[0m', 27, '[2J', 0 |
str14 db 'The connection timed out',10,0 |
str15 db 'The connection was refused',10,0 |
str16 db 'The connection was reset',10,0 |
str17 db 'No details available',10,0 |
;str18 db 'User authentication failed',10,0;;;; |
str19 db "The remote host's public key is invalid.", 10, 0 |
str20 db "The remote host's signature is invalid.", 10, 0 |
str21 db "The remote host failed to verify it's own public key.", 10, 0 |
str22 db "The host key for the server was not found in the cache.", 10 |
db "There is no guarantee to the servers identity !",10, 0 |
|
str23 db "The host key provided by the host does not match the cached one.", 10 |
db "This may indicate that the remote server has been compromised!", 10, 0 |
|
str24 db 10, "If you trust this host, press A to accept and store the (new) key.", 10 |
db "Press C to connect to the host but don't store the (new) key.", 10 |
db "Press X to abort.", 10, 0 |
|
|
ssh_ident_ha: |
dd_n (ssh_ident.length-2) |
ssh_ident: |
db "SSH-2.0-KolibriOS_SSH_0.04",13,10 |
.length = $ - ssh_ident |
dd_n (ssh_msg_ident.length-2) |
ssh_msg_ident: |
db "SSH-2.0-KolibriOS_SSH_0.05",13,10 |
.length = $ - ssh_msg_ident |
|
ssh_kex: |
|
ssh_msg_kex: |
db SSH_MSG_KEXINIT |
.cookie: |
rd 4 |
.kex_algorithms: |
dd_n .server_host_key_algorithms - .kex_algorithms - 4 |
db "diffie-hellman-group-exchange-sha256" ; diffie-hellman-group-exchange-sha1 |
str "diffie-hellman-group-exchange-sha256" ; diffie-hellman-group-exchange-sha1 |
.server_host_key_algorithms: |
dd_n .encryption_algorithms_client_to_server - .server_host_key_algorithms - 4 |
db "ssh-rsa" ;,ssh-dss |
str "ssh-rsa" ;,ssh-dss |
.encryption_algorithms_client_to_server: |
dd_n .encryption_algorithms_server_to_client - .encryption_algorithms_client_to_server - 4 |
db "aes256-ctr" ;,aes256-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128" |
str "aes256-ctr" ;,aes256-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128" |
.encryption_algorithms_server_to_client: |
dd_n .mac_algorithms_client_to_server - .encryption_algorithms_server_to_client - 4 |
db "aes256-ctr" ;,aes256-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128" |
str "aes256-ctr" ;,aes256-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128" |
.mac_algorithms_client_to_server: |
dd_n .mac_algorithms_server_to_client - .mac_algorithms_client_to_server - 4 |
db "hmac-sha2-256" ;,hmac-sha1,hmac-sha1-96,hmac-md5" |
str "hmac-sha2-256" ;,hmac-sha1,hmac-sha1-96,hmac-md5" |
.mac_algorithms_server_to_client: |
dd_n .compression_algorithms_client_to_server - .mac_algorithms_server_to_client - 4 |
db "hmac-sha2-256" ;,hmac-sha1,hmac-sha1-96,hmac-md5" |
str "hmac-sha2-256" ;,hmac-sha1,hmac-sha1-96,hmac-md5" |
.compression_algorithms_client_to_server: |
dd_n .compression_algorithms_server_to_client - .compression_algorithms_client_to_server - 4 |
db "none" ;,zlib" |
str "none" ;,zlib" |
.compression_algorithms_server_to_client: |
dd_n .languages_client_to_server - .compression_algorithms_server_to_client - 4 |
db "none" ;,zlib" |
str "none" ;,zlib" |
.languages_client_to_server: |
dd_n .languages_server_to_client - .languages_client_to_server - 4 |
db "" |
str "" |
.languages_server_to_client: |
dd_n .first_kex_packet_follows - .languages_server_to_client - 4 |
db "" |
str "" |
.first_kex_packet_follows: |
db 0 |
.reserved: |
dd_n 0 |
.length = $ - ssh_kex |
.length = $ - ssh_msg_kex |
|
|
ssh_gex_req: |
ssh_msg_gex_req: |
db SSH_MSG_KEX_DH_GEX_REQUEST |
dd_n 4096/4 ; DH GEX min |
dd_n 4096/2 ; DH GEX number of bits |
dd_n 4096 ; DH GEX Max |
.length = $ - ssh_gex_req |
.length = $ - ssh_msg_gex_req |
|
|
ssh_new_keys: |
ssh_msg_new_keys: |
db SSH_MSG_NEWKEYS |
.length = $ - ssh_new_keys |
.length = $ - ssh_msg_new_keys |
|
|
ssh_request_service: |
ssh_msg_request_service: |
db SSH_MSG_SERVICE_REQUEST |
dd_n 12 ; String length |
db "ssh-userauth" ; Service name |
.length = $ - ssh_request_service |
str "ssh-userauth" ; Service name |
.length = $ - ssh_msg_request_service |
|
|
ssh_request_userauth: |
db SSH_MSG_USERAUTH_REQUEST |
dd_n 9 |
db "user123" ; user name in ISO-10646 UTF-8 encoding [RFC3629] |
dd_n 14 |
db "ssh-connection" ; service name in US-ASCII |
dd_n 8 |
db "password" ; method name in US-ASCII: none, publickey, password, hostbased |
db 0 ; bool: false |
dd_n 14 |
db "pass123" |
.length = $ - ssh_request_userauth |
ssh_msg_channel_open: |
db SSH_MSG_CHANNEL_OPEN |
str "session" |
dd_n 0 ; Sender channel |
dd_n BUFFERSIZE ; Initial window size |
dd_n PACKETSIZE ; maximum packet size |
.length = $ - ssh_msg_channel_open |
|
|
ssh_channel_open: |
db SSH_MSG_CHANNEL_OPEN |
dd_n 7 |
db "session" |
ssh_msg_channel_close: |
db SSH_MSG_CHANNEL_CLOSE |
dd_n 0 ; Sender channel |
dd_n 1024 ; Initial window size |
dd_n 1024 ; maximum packet size |
.length = $ - ssh_channel_open |
.length = $ - ssh_msg_channel_close |
|
ssh_channel_request: |
|
ssh_msg_channel_request: |
db SSH_MSG_CHANNEL_REQUEST |
dd_n 0 ; Recipient channel |
dd_n 7 |
db "pty-req" |
str "pty-req" |
db 1 ; Bool: want reply |
dd_n 5 |
db "xterm" |
str "xterm" |
dd_n 80 ; terminal width (rows) |
dd_n 25 ; terminal height (rows) |
dd_n 0 ; terminal width (pixels) |
dd_n 0 ; terminal height (pixels) |
dd_n 80*8 ; terminal width (pixels) |
dd_n 25*16 ; terminal height (pixels) |
|
dd_n 0 ; list of supported opcodes |
.length = $ - ssh_channel_request |
.length = $ - ssh_msg_channel_request |
|
ssh_shell_request: |
|
ssh_msg_shell_request: |
db SSH_MSG_CHANNEL_REQUEST |
dd_n 0 ; Recipient channel |
dd_n 5 |
db "shell" |
str "shell" |
db 1 ; Bool: want reply |
.length = $ - ssh_shell_request |
.length = $ - ssh_msg_shell_request |
|
ssh_channel_data: |
|
ssh_msg_channel_data: |
db SSH_MSG_CHANNEL_DATA |
dd_n 0 ; Sender channel |
dd_n 1 |
db ? |
.length = $ - ssh_channel_data |
.len dd ? |
.data rb MAX_INPUT_LENGTH + 1 |
|
|
ssh_msg_channel_window_adjust: |
db SSH_MSG_CHANNEL_WINDOW_ADJUST |
dd_n 0 ; Sender channel |
.wnd dd ? |
.length = $ - ssh_msg_channel_window_adjust |
|
|
include_debug_strings |
|
align 4 |
931,10 → 607,9 |
con_gets, 'con_gets', \ |
con_cls, 'con_cls', \ |
con_getch2, 'con_getch2', \ |
con_set_cursor_pos, 'con_set_cursor_pos', \ |
con_write_string, 'con_write_string', \ |
con_get_flags, 'con_get_flags', \ |
con_set_flags, 'con_set_flags' |
con_set_title, 'con_set_title', \ |
con_get_input, 'con_get_input' |
|
import libcrash, \ |
sha256_init, 'sha256_init', \ |
953,8 → 628,9 |
|
IncludeUGlobals |
|
params rb 1024 |
params rb MAX_HOSTNAME_LENGTH |
|
con ssh_connection |
ssh_con sshlib_connection |
ssh_chan sshlib_channel |
|
mem: |