| 1 |
; ssh.asm - SSH client for KolibriOS |
1 |
; ssh.asm - SSH client for KolibriOS |
| 2 |
; |
2 |
; |
| 3 |
; Copyright (C) 2015-2016 Jeffrey Amelynck |
3 |
; Copyright (C) 2015-2017 Jeffrey Amelynck |
| 4 |
; |
4 |
; |
| 5 |
; This program is free software: you can redistribute it and/or modify |
5 |
; This program is free software: you can redistribute it and/or modify |
| 6 |
; it under the terms of the GNU General Public License as published by |
6 |
; it under the terms of the GNU General Public License as published by |
| 7 |
; the Free Software Foundation, either version 3 of the License, or |
7 |
; the Free Software Foundation, either version 3 of the License, or |
| 8 |
; (at your option) any later version. |
8 |
; (at your option) any later version. |
| 9 |
; |
9 |
; |
| 10 |
; This program is distributed in the hope that it will be useful, |
10 |
; This program is distributed in the hope that it will be useful, |
| 11 |
; but WITHOUT ANY WARRANTY; without even the implied warranty of |
11 |
; but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 |
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
12 |
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 13 |
; GNU General Public License for more details. |
13 |
; GNU General Public License for more details. |
| 14 |
; |
14 |
; |
| 15 |
; You should have received a copy of the GNU General Public License |
15 |
; You should have received a copy of the GNU General Public License |
| 16 |
; along with this program. If not, see . |
16 |
; along with this program. If not, see . |
| 17 |
|
17 |
|
| 18 |
format binary as "" |
18 |
format binary as "" |
| 19 |
|
19 |
|
| 20 |
__DEBUG__ = 1 |
20 |
__DEBUG__ = 1 |
| 21 |
__DEBUG_LEVEL__ = 2 ; 1: Extreme debugging, 2: Debugging, 3: Errors only |
21 |
__DEBUG_LEVEL__ = 2 ; 1: Extreme debugging, 2: Debugging, 3: Errors only |
| 22 |
|
22 |
|
| 23 |
BUFFERSIZE = 4096 |
23 |
BUFFERSIZE = 4096 |
| 24 |
MAX_BITS = 8192 |
24 |
MAX_BITS = 8192 |
| 25 |
|
25 |
|
| 26 |
DH_PRIVATE_KEY_SIZE = 256 |
26 |
DH_PRIVATE_KEY_SIZE = 256 |
| 27 |
|
27 |
|
| 28 |
use32 |
28 |
use32 |
| 29 |
|
29 |
|
| 30 |
db 'MENUET01' ; signature |
30 |
db 'MENUET01' ; signature |
| 31 |
dd 1 ; header version |
31 |
dd 1 ; header version |
| 32 |
dd start ; entry point |
32 |
dd start ; entry point |
| 33 |
dd i_end ; initialized size |
33 |
dd i_end ; initialized size |
| 34 |
dd mem+4096 ; required memory |
34 |
dd mem+65536 ; required memory |
| 35 |
dd mem+4096 ; stack pointer |
35 |
dd mem+65536 ; stack pointer |
| 36 |
dd params ; parameters |
36 |
dd params ; parameters |
| 37 |
dd 0 ; path |
37 |
dd 0 ; path |
| 38 |
|
38 |
|
| 39 |
include '../../macros.inc' |
39 |
include '../../macros.inc' |
| 40 |
;include '../../struct.inc' |
40 |
;include '../../struct.inc' |
| 41 |
purge mov,add,sub |
41 |
purge mov,add,sub |
| 42 |
include '../../proc32.inc' |
42 |
include '../../proc32.inc' |
| 43 |
include '../../dll.inc' |
43 |
include '../../dll.inc' |
| 44 |
include '../../debug-fdo.inc' |
44 |
include '../../debug-fdo.inc' |
| 45 |
include '../../network.inc' |
45 |
include '../../network.inc' |
| 46 |
include '../../develop/libraries/libcrash/trunk/libcrash.inc' |
46 |
include '../../develop/libraries/libcrash/trunk/libcrash.inc' |
| 47 |
|
47 |
|
| 48 |
include 'mcodes.inc' |
48 |
include 'mcodes.inc' |
| 49 |
include 'ssh_transport.inc' |
49 |
include 'ssh_transport.inc' |
| - |
|
50 |
|
| 50 |
include 'dh_gex.inc' |
51 |
include 'dh_gex.inc' |
| 51 |
|
52 |
|
| 52 |
include 'mpint.inc' |
53 |
include 'mpint.inc' |
| 53 |
include 'random.inc' |
54 |
include 'random.inc' |
| - |
|
55 |
|
| 54 |
include 'aes256.inc' |
56 |
include 'aes256.inc' |
| 55 |
include 'aes256-ctr.inc' |
57 |
include 'aes256-ctr.inc' |
| 56 |
include 'aes256-cbc.inc' |
58 |
include 'aes256-cbc.inc' |
| - |
|
59 |
|
| 57 |
include 'hmac_sha256.inc' |
60 |
include 'hmac_sha256.inc' |
| - |
|
61 |
include 'hmac_sha1.inc' |
| - |
|
62 |
include 'hmac_md5.inc' |
| 58 |
|
63 |
|
| 59 |
; macros for network byte order |
64 |
; macros for network byte order |
| 60 |
macro dd_n op { |
65 |
macro dd_n op { |
| 61 |
dd 0 or (((op) and 0FF000000h) shr 24) or \ |
66 |
dd 0 or (((op) and 0FF000000h) shr 24) or \ |
| 62 |
(((op) and 000FF0000h) shr 8) or \ |
67 |
(((op) and 000FF0000h) shr 8) or \ |
| 63 |
(((op) and 00000FF00h) shl 8) or \ |
68 |
(((op) and 00000FF00h) shl 8) or \ |
| 64 |
(((op) and 0000000FFh) shl 24) |
69 |
(((op) and 0000000FFh) shl 24) |
| 65 |
} |
70 |
} |
| 66 |
|
71 |
|
| 67 |
macro dw_n op { |
72 |
macro dw_n op { |
| 68 |
dw 0 or (((op) and 0FF00h) shr 8) or \ |
73 |
dw 0 or (((op) and 0FF00h) shr 8) or \ |
| 69 |
(((op) and 000FFh) shl 8) |
74 |
(((op) and 000FFh) shl 8) |
| 70 |
} |
75 |
} |
| 71 |
|
76 |
|
| 72 |
proc dump_hex _ptr, _length |
77 |
proc dump_hex _ptr, _length |
| 73 |
if __DEBUG_LEVEL__ <= 1 |
78 |
if __DEBUG_LEVEL__ <= 1 |
| 74 |
pushad |
79 |
pushad |
| 75 |
|
80 |
|
| 76 |
mov esi, [_ptr] |
81 |
mov esi, [_ptr] |
| 77 |
mov ecx, [_length] |
82 |
mov ecx, [_length] |
| 78 |
.next_dword: |
83 |
.next_dword: |
| 79 |
lodsd |
84 |
lodsd |
| 80 |
bswap eax |
85 |
bswap eax |
| 81 |
DEBUGF 1,'%x',eax |
86 |
DEBUGF 1,'%x',eax |
| 82 |
loop .next_dword |
87 |
loop .next_dword |
| 83 |
DEBUGF 1,'\n' |
88 |
DEBUGF 1,'\n' |
| 84 |
|
89 |
|
| 85 |
popad |
90 |
popad |
| 86 |
ret |
91 |
ret |
| 87 |
end if |
92 |
end if |
| 88 |
endp |
93 |
endp |
| 89 |
|
94 |
|
| 90 |
struct ssh_connection |
95 |
struct ssh_connection |
| 91 |
|
96 |
|
| 92 |
; Connection |
97 |
; Connection |
| 93 |
|
98 |
|
| 94 |
hostname rb 1024 |
99 |
hostname rb 1024 |
| 95 |
|
100 |
|
| 96 |
socketnum dd ? |
101 |
socketnum dd ? |
| 97 |
|
102 |
|
| 98 |
sockaddr dw ? ; Address family |
103 |
sockaddr dw ? ; Address family |
| 99 |
port dw ? |
104 |
port dw ? |
| 100 |
ip dd ? |
105 |
ip dd ? |
| 101 |
rb 10 |
106 |
rb 10 |
| 102 |
|
107 |
|
| 103 |
; Encryption/Decryption |
108 |
; Encryption/Decryption |
| 104 |
|
109 |
|
| 105 |
rx_crypt_proc dd ? |
110 |
rx_crypt_proc dd ? |
| 106 |
tx_crypt_proc dd ? |
111 |
tx_crypt_proc dd ? |
| 107 |
rx_crypt_ctx_ptr dd ? |
112 |
rx_crypt_ctx_ptr dd ? |
| 108 |
tx_crypt_ctx_ptr dd ? |
113 |
tx_crypt_ctx_ptr dd ? |
| 109 |
rx_crypt_blocksize dd ? |
114 |
rx_crypt_blocksize dd ? |
| 110 |
tx_crypt_blocksize dd ? |
115 |
tx_crypt_blocksize dd ? |
| 111 |
|
116 |
|
| 112 |
; Message authentication |
117 |
; Message authentication |
| 113 |
|
118 |
|
| 114 |
rx_mac_proc dd ? |
119 |
rx_mac_proc dd ? |
| 115 |
tx_mac_proc dd ? |
120 |
tx_mac_proc dd ? |
| 116 |
rx_mac_ctx hmac_sha256_context |
121 |
rx_mac_ctx hmac_sha256_context |
| 117 |
tx_mac_ctx hmac_sha256_context |
122 |
tx_mac_ctx hmac_sha256_context |
| 118 |
rx_mac_length dd ? |
123 |
rx_mac_length dd ? |
| 119 |
tx_mac_length dd ? |
124 |
tx_mac_length dd ? |
| 120 |
|
125 |
|
| 121 |
; Buffers |
126 |
; Buffers |
| 122 |
|
127 |
|
| 123 |
rx_seq dd ? ; Packet sequence number for MAC |
128 |
rx_seq dd ? ; Packet sequence number for MAC |
| 124 |
rx_buffer ssh_packet_header |
129 |
rx_buffer ssh_packet_header |
| 125 |
rb BUFFERSIZE-sizeof.ssh_packet_header |
130 |
rb BUFFERSIZE-sizeof.ssh_packet_header |
| 126 |
|
131 |
|
| 127 |
tx_seq dd ? ; Packet sequence number for MAC |
132 |
tx_seq dd ? ; Packet sequence number for MAC |
| 128 |
tx_buffer ssh_packet_header |
133 |
tx_buffer ssh_packet_header |
| 129 |
rb BUFFERSIZE-sizeof.ssh_packet_header |
134 |
rb BUFFERSIZE-sizeof.ssh_packet_header |
| 130 |
|
135 |
|
| 131 |
send_data dw ? |
136 |
send_data dw ? |
| 132 |
|
137 |
|
| 133 |
; Output from key exchange |
138 |
; Output from key exchange |
| 134 |
dh_K dd ? ; Shared Secret (Big endian) |
139 |
dh_K dd ? ; Shared Secret (Big endian) |
| 135 |
rb MAX_BITS/8 |
140 |
rb MAX_BITS/8 |
| 136 |
dh_K_length dd ? ; Length in little endian |
141 |
dh_K_length dd ? ; Length in little endian |
| 137 |
|
142 |
|
| 138 |
dh_H rb 32 ; Exchange Hash |
143 |
dh_H rb 32 ; Exchange Hash |
| 139 |
session_id_prefix db ? |
144 |
session_id_prefix db ? |
| 140 |
session_id rb 32 |
145 |
session_id rb 32 |
| 141 |
rx_iv rb 32 ; Rx initialisation vector |
146 |
rx_iv rb 32 ; Rx initialisation vector |
| 142 |
tx_iv rb 32 ; Tx initialisation vector |
147 |
tx_iv rb 32 ; Tx initialisation vector |
| 143 |
rx_enc_key rb 32 ; Rx encryption key |
148 |
rx_enc_key rb 32 ; Rx encryption key |
| 144 |
tx_enc_key rb 32 ; Tx encryption key |
149 |
tx_enc_key rb 32 ; Tx encryption key |
| 145 |
rx_int_key rb 32 ; Rx integrity key |
150 |
rx_int_key rb 32 ; Rx integrity key |
| 146 |
tx_int_key rb 32 ; Tx integrity key |
151 |
tx_int_key rb 32 ; Tx integrity key |
| 147 |
|
152 |
|
| 148 |
; Diffie Hellman |
153 |
; Diffie Hellman |
| 149 |
dh_p dd ? |
154 |
dh_p dd ? |
| 150 |
rb MAX_BITS/8 |
155 |
rb MAX_BITS/8 |
| 151 |
dh_g dd ? |
156 |
dh_g dd ? |
| 152 |
rb MAX_BITS/8 |
157 |
rb MAX_BITS/8 |
| 153 |
dh_x dd ? |
158 |
dh_x dd ? |
| 154 |
rb MAX_BITS/8 |
159 |
rb MAX_BITS/8 |
| 155 |
dh_e dd ? |
160 |
dh_e dd ? |
| 156 |
rb MAX_BITS/8 |
161 |
rb MAX_BITS/8 |
| 157 |
dh_f dd ? |
162 |
dh_f dd ? |
| 158 |
rb MAX_BITS/8 |
163 |
rb MAX_BITS/8 |
| 159 |
|
164 |
|
| 160 |
dh_signature dd ? |
165 |
dh_signature dd ? |
| 161 |
rb MAX_BITS/8 |
166 |
rb MAX_BITS/8 |
| 162 |
|
167 |
|
| 163 |
temp_ctx ctx_sha224256 |
168 |
temp_ctx ctx_sha224256 |
| 164 |
k_h_ctx ctx_sha224256 |
169 |
k_h_ctx ctx_sha224256 |
| - |
|
170 |
|
| - |
|
171 |
mpint_tmp dd ? |
| - |
|
172 |
rb MAX_BITS/8 |
| 165 |
|
173 |
|
| 166 |
ends |
174 |
ends |
| 167 |
|
175 |
|
| 168 |
start: |
176 |
start: |
| 169 |
mcall 68, 11 ; Init heap |
177 |
mcall 68, 11 ; Init heap |
| 170 |
|
178 |
|
| 171 |
DEBUGF 2, "SSH: Loading libraries\n" |
179 |
DEBUGF 2, "SSH: Loading libraries\n" |
| 172 |
stdcall dll.Load, @IMPORT |
180 |
stdcall dll.Load, @IMPORT |
| 173 |
test eax, eax |
181 |
test eax, eax |
| 174 |
jnz exit |
182 |
jnz exit |
| 175 |
|
183 |
|
| 176 |
DEBUGF 2, "SSH: Init PRNG\n" |
184 |
DEBUGF 2, "SSH: Init PRNG\n" |
| 177 |
call init_random |
185 |
call init_random |
| 178 |
|
186 |
|
| 179 |
DEBUGF 2, "SSH: Init Console\n" |
187 |
DEBUGF 2, "SSH: Init Console\n" |
| 180 |
invoke con_start, 1 |
188 |
invoke con_start, 1 |
| 181 |
invoke con_init, 80, 25, 80, 25, title |
189 |
invoke con_init, 80, 25, 80, 25, title |
| 182 |
|
190 |
|
| 183 |
; Check for parameters TODO |
191 |
; Check for parameters TODO |
| 184 |
; cmp byte[params], 0 |
192 |
; cmp byte[params], 0 |
| 185 |
; jne resolve |
193 |
; jne resolve |
| 186 |
|
194 |
|
| 187 |
main: |
195 |
main: |
| 188 |
invoke con_cls |
196 |
invoke con_cls |
| 189 |
; Welcome user |
197 |
; Welcome user |
| 190 |
invoke con_write_asciiz, str1 |
198 |
invoke con_write_asciiz, str1 |
| 191 |
|
199 |
|
| 192 |
prompt: |
200 |
prompt: |
| 193 |
; write prompt |
201 |
; write prompt |
| 194 |
invoke con_write_asciiz, str2 |
202 |
invoke con_write_asciiz, str2 |
| 195 |
; read string |
203 |
; read string |
| 196 |
mov esi, con.hostname |
204 |
mov esi, con.hostname |
| 197 |
invoke con_gets, esi, 256 |
205 |
invoke con_gets, esi, 256 |
| 198 |
; check for exit |
206 |
; check for exit |
| 199 |
test eax, eax |
207 |
test eax, eax |
| 200 |
jz done |
208 |
jz done |
| 201 |
cmp byte[esi], 10 |
209 |
cmp byte[esi], 10 |
| 202 |
jz done |
210 |
jz done |
| 203 |
|
211 |
|
| 204 |
resolve: |
212 |
resolve: |
| 205 |
mov [con.sockaddr], AF_INET4 |
213 |
mov [con.sockaddr], AF_INET4 |
| 206 |
mov [con.port], 22 shl 8 |
214 |
mov [con.port], 22 shl 8 |
| 207 |
|
215 |
|
| 208 |
; delete terminating '\n' |
216 |
; delete terminating '\n' |
| 209 |
mov esi, con.hostname |
217 |
mov esi, con.hostname |
| 210 |
@@: |
218 |
@@: |
| 211 |
lodsb |
219 |
lodsb |
| 212 |
cmp al, ':' |
220 |
cmp al, ':' |
| 213 |
je .do_port |
221 |
je .do_port |
| 214 |
cmp al, 0x20 |
222 |
cmp al, 0x20 |
| 215 |
ja @r |
223 |
ja @r |
| 216 |
mov byte[esi-1], 0 |
224 |
mov byte[esi-1], 0 |
| 217 |
jmp .done |
225 |
jmp .done |
| 218 |
|
226 |
|
| 219 |
.do_port: |
227 |
.do_port: |
| 220 |
xor eax, eax |
228 |
xor eax, eax |
| 221 |
xor ebx, ebx |
229 |
xor ebx, ebx |
| 222 |
mov byte[esi-1], 0 |
230 |
mov byte[esi-1], 0 |
| 223 |
.portloop: |
231 |
.portloop: |
| 224 |
lodsb |
232 |
lodsb |
| 225 |
cmp al, 0x20 |
233 |
cmp al, 0x20 |
| 226 |
jbe .port_done |
234 |
jbe .port_done |
| 227 |
sub al, '0' |
235 |
sub al, '0' |
| 228 |
jb hostname_error |
236 |
jb hostname_error |
| 229 |
cmp al, 9 |
237 |
cmp al, 9 |
| 230 |
ja hostname_error |
238 |
ja hostname_error |
| 231 |
lea ebx, [ebx*4+ebx] |
239 |
lea ebx, [ebx*4+ebx] |
| 232 |
shl ebx, 1 |
240 |
shl ebx, 1 |
| 233 |
add ebx, eax |
241 |
add ebx, eax |
| 234 |
jmp .portloop |
242 |
jmp .portloop |
| 235 |
|
243 |
|
| 236 |
.port_done: |
244 |
.port_done: |
| 237 |
xchg bl, bh |
245 |
xchg bl, bh |
| 238 |
mov [con.port], bx |
246 |
mov [con.port], bx |
| 239 |
|
247 |
|
| 240 |
.done: |
248 |
.done: |
| 241 |
|
249 |
|
| 242 |
; resolve name |
250 |
; resolve name |
| 243 |
push esp ; reserve stack place |
251 |
push esp ; reserve stack place |
| 244 |
push esp |
252 |
push esp |
| 245 |
invoke getaddrinfo, con.hostname, 0, 0 |
253 |
invoke getaddrinfo, con.hostname, 0, 0 |
| 246 |
pop esi |
254 |
pop esi |
| 247 |
; test for error |
255 |
; test for error |
| 248 |
test eax, eax |
256 |
test eax, eax |
| 249 |
jnz dns_error |
257 |
jnz dns_error |
| 250 |
|
258 |
|
| 251 |
invoke con_cls |
259 |
invoke con_cls |
| 252 |
invoke con_write_asciiz, str3 |
260 |
invoke con_write_asciiz, str3 |
| 253 |
invoke con_write_asciiz, con.hostname |
261 |
invoke con_write_asciiz, con.hostname |
| 254 |
|
262 |
|
| 255 |
; write results |
263 |
; write results |
| 256 |
invoke con_write_asciiz, str8 |
264 |
invoke con_write_asciiz, str8 |
| 257 |
|
265 |
|
| 258 |
; convert IP address to decimal notation |
266 |
; convert IP address to decimal notation |
| 259 |
mov eax, [esi+addrinfo.ai_addr] |
267 |
mov eax, [esi+addrinfo.ai_addr] |
| 260 |
mov eax, [eax+sockaddr_in.sin_addr] |
268 |
mov eax, [eax+sockaddr_in.sin_addr] |
| 261 |
mov [con.ip], eax |
269 |
mov [con.ip], eax |
| 262 |
invoke inet_ntoa, eax |
270 |
invoke inet_ntoa, eax |
| 263 |
; write result |
271 |
; write result |
| 264 |
invoke con_write_asciiz, eax |
272 |
invoke con_write_asciiz, eax |
| 265 |
; free allocated memory |
273 |
; free allocated memory |
| 266 |
invoke freeaddrinfo, esi |
274 |
invoke freeaddrinfo, esi |
| 267 |
|
275 |
|
| 268 |
invoke con_write_asciiz, str9 |
276 |
invoke con_write_asciiz, str9 |
| 269 |
|
277 |
|
| 270 |
mcall 40, EVM_STACK + EVM_KEY |
278 |
mcall 40, EVM_STACK + EVM_KEY |
| 271 |
invoke con_cls |
279 |
invoke con_cls |
| 272 |
|
280 |
|
| 273 |
; Create socket |
281 |
; Create socket |
| 274 |
mcall socket, AF_INET4, SOCK_STREAM, 0 |
282 |
mcall socket, AF_INET4, SOCK_STREAM, 0 |
| 275 |
cmp eax, -1 |
283 |
cmp eax, -1 |
| 276 |
jz socket_err |
284 |
jz socket_err |
| 277 |
mov [con.socketnum], eax |
285 |
mov [con.socketnum], eax |
| 278 |
|
286 |
|
| 279 |
; Connect |
287 |
; Connect |
| 280 |
DEBUGF 2, "Connecting to server\n" |
288 |
DEBUGF 2, "Connecting to server\n" |
| 281 |
mcall connect, [con.socketnum], con.sockaddr, 18 |
289 |
mcall connect, [con.socketnum], con.sockaddr, 18 |
| 282 |
test eax, eax |
290 |
test eax, eax |
| 283 |
jnz socket_err |
291 |
jnz socket_err |
| 284 |
|
292 |
|
| 285 |
; Start calculating hash |
293 |
; Start calculating hash |
| 286 |
invoke sha256_init, con.temp_ctx |
294 |
invoke sha256_init, con.temp_ctx |
| 287 |
; HASH: string V_C, the client's version string (CR and NL excluded) |
295 |
; HASH: string V_C, the client's version string (CR and NL excluded) |
| 288 |
invoke sha256_update, con.temp_ctx, ssh_ident_ha, ssh_ident.length+4-2 |
296 |
invoke sha256_update, con.temp_ctx, ssh_ident_ha, ssh_ident.length+4-2 |
| 289 |
|
297 |
|
| 290 |
; >> Send our identification string |
298 |
; >> Send our identification string |
| 291 |
DEBUGF 2, "Sending ID string\n" |
299 |
DEBUGF 2, "Sending ID string\n" |
| 292 |
mcall send, [con.socketnum], ssh_ident, ssh_ident.length, 0 |
300 |
mcall send, [con.socketnum], ssh_ident, ssh_ident.length, 0 |
| 293 |
cmp eax, -1 |
301 |
cmp eax, -1 |
| 294 |
je socket_err |
302 |
je socket_err |
| 295 |
|
303 |
|
| 296 |
; << Check protocol version of server |
304 |
; << Check protocol version of server |
| 297 |
mcall recv, [con.socketnum], con.rx_buffer, BUFFERSIZE, 0 |
305 |
mcall recv, [con.socketnum], con.rx_buffer, BUFFERSIZE, 0 |
| 298 |
cmp eax, -1 |
306 |
cmp eax, -1 |
| 299 |
je socket_err |
307 |
je socket_err |
| 300 |
|
308 |
|
| 301 |
DEBUGF 2, "Received ID string\n" |
309 |
DEBUGF 2, "Received ID string\n" |
| 302 |
cmp dword[con.rx_buffer], "SSH-" |
310 |
cmp dword[con.rx_buffer], "SSH-" |
| 303 |
jne proto_err |
311 |
jne proto_err |
| 304 |
cmp dword[con.rx_buffer+4], "2.0-" |
312 |
cmp dword[con.rx_buffer+4], "2.0-" |
| 305 |
jne proto_err |
313 |
jne proto_err |
| 306 |
|
314 |
|
| 307 |
; HASH: string V_S, the server's version string (CR and NL excluded) |
315 |
; HASH: string V_S, the server's version string (CR and NL excluded) |
| 308 |
lea edx, [eax+2] |
316 |
lea edx, [eax+2] |
| 309 |
sub eax, 2 |
317 |
sub eax, 2 |
| 310 |
bswap eax |
318 |
bswap eax |
| 311 |
mov dword[con.rx_buffer-4], eax |
319 |
mov dword[con.rx_buffer-4], eax |
| 312 |
invoke sha256_update, con.temp_ctx, con.rx_buffer-4, edx |
320 |
invoke sha256_update, con.temp_ctx, con.rx_buffer-4, edx |
| 313 |
|
321 |
|
| 314 |
; >> Key Exchange init |
322 |
; >> Key Exchange init |
| 315 |
mov [con.rx_seq], 0 |
323 |
mov [con.rx_seq], 0 |
| 316 |
mov [con.tx_seq], 0 |
324 |
mov [con.tx_seq], 0 |
| 317 |
mov [con.rx_crypt_blocksize], 4 ; minimum blocksize |
325 |
mov [con.rx_crypt_blocksize], 4 ; minimum blocksize |
| 318 |
mov [con.tx_crypt_blocksize], 4 |
326 |
mov [con.tx_crypt_blocksize], 4 |
| 319 |
mov [con.rx_crypt_proc], 0 |
327 |
mov [con.rx_crypt_proc], 0 |
| 320 |
mov [con.tx_crypt_proc], 0 |
328 |
mov [con.tx_crypt_proc], 0 |
| 321 |
mov [con.rx_mac_proc], 0 |
329 |
mov [con.rx_mac_proc], 0 |
| 322 |
mov [con.tx_mac_proc], 0 |
330 |
mov [con.tx_mac_proc], 0 |
| 323 |
mov [con.rx_mac_length], 0 |
331 |
mov [con.rx_mac_length], 0 |
| 324 |
mov [con.tx_mac_length], 0 |
332 |
mov [con.tx_mac_length], 0 |
| 325 |
|
333 |
|
| 326 |
DEBUGF 2, "Sending KEX init\n" |
334 |
DEBUGF 2, "Sending KEX init\n" |
| 327 |
mov edi, ssh_kex.cookie |
335 |
mov edi, ssh_kex.cookie |
| 328 |
call MBRandom |
336 |
call MBRandom |
| 329 |
stosd |
337 |
stosd |
| 330 |
call MBRandom |
338 |
call MBRandom |
| 331 |
stosd |
339 |
stosd |
| 332 |
call MBRandom |
340 |
call MBRandom |
| 333 |
stosd |
341 |
stosd |
| 334 |
call MBRandom |
342 |
call MBRandom |
| 335 |
stosd |
343 |
stosd |
| 336 |
stdcall ssh_send_packet, con, ssh_kex, ssh_kex.length, 0 |
344 |
stdcall ssh_send_packet, con, ssh_kex, ssh_kex.length, 0 |
| 337 |
cmp eax, -1 |
345 |
cmp eax, -1 |
| 338 |
je socket_err |
346 |
je socket_err |
| 339 |
|
347 |
|
| 340 |
; HASH: string I_C, the payload of the client's SSH_MSG_KEXINIT |
348 |
; HASH: string I_C, the payload of the client's SSH_MSG_KEXINIT |
| 341 |
mov eax, dword[con.tx_buffer+ssh_packet_header.packet_length] |
349 |
mov eax, dword[con.tx_buffer+ssh_packet_header.packet_length] |
| 342 |
bswap eax |
350 |
bswap eax |
| 343 |
movzx ebx, [con.tx_buffer+ssh_packet_header.padding_length] |
351 |
movzx ebx, [con.tx_buffer+ssh_packet_header.padding_length] |
| 344 |
sub eax, ebx |
352 |
sub eax, ebx |
| 345 |
dec eax |
353 |
dec eax |
| 346 |
lea edx, [eax+4] |
354 |
lea edx, [eax+4] |
| 347 |
bswap eax |
355 |
bswap eax |
| 348 |
mov dword[con.tx_buffer+1], eax |
356 |
mov dword[con.tx_buffer+1], eax |
| 349 |
invoke sha256_update, con.temp_ctx, con.tx_buffer+1, edx |
357 |
invoke sha256_update, con.temp_ctx, con.tx_buffer+1, edx |
| 350 |
|
358 |
|
| 351 |
; << Check key exchange init of server |
359 |
; << Check key exchange init of server |
| 352 |
stdcall ssh_recv_packet, con, 0 |
360 |
stdcall ssh_recv_packet, con, 0 |
| 353 |
cmp eax, -1 |
361 |
cmp eax, -1 |
| 354 |
je socket_err |
362 |
je socket_err |
| 355 |
|
363 |
|
| 356 |
cmp [con.rx_buffer.message_code], SSH_MSG_KEXINIT |
364 |
cmp [con.rx_buffer.message_code], SSH_MSG_KEXINIT |
| 357 |
jne proto_err |
365 |
jne proto_err |
| 358 |
DEBUGF 2, "Received KEX init\n" |
366 |
DEBUGF 2, "Received KEX init\n" |
| 359 |
|
367 |
|
| 360 |
lea esi, [con.rx_buffer+sizeof.ssh_packet_header+16] |
368 |
lea esi, [con.rx_buffer+sizeof.ssh_packet_header+16] |
| 361 |
lodsd |
369 |
lodsd |
| 362 |
bswap eax |
370 |
bswap eax |
| 363 |
DEBUGF 1, "kex_algorithms: %s\n", esi |
371 |
DEBUGF 1, "kex_algorithms: %s\n", esi |
| 364 |
add esi, eax |
372 |
add esi, eax |
| 365 |
lodsd |
373 |
lodsd |
| 366 |
bswap eax |
374 |
bswap eax |
| 367 |
DEBUGF 1, "server_host_key_algorithms: %s\n", esi |
375 |
DEBUGF 1, "server_host_key_algorithms: %s\n", esi |
| 368 |
add esi, eax |
376 |
add esi, eax |
| 369 |
lodsd |
377 |
lodsd |
| 370 |
bswap eax |
378 |
bswap eax |
| 371 |
DEBUGF 1, "encryption_algorithms_client_to_server: %s\n", esi |
379 |
DEBUGF 1, "encryption_algorithms_client_to_server: %s\n", esi |
| 372 |
add esi, eax |
380 |
add esi, eax |
| 373 |
lodsd |
381 |
lodsd |
| 374 |
bswap eax |
382 |
bswap eax |
| 375 |
DEBUGF 1, "encryption_algorithms_server_to_client: %s\n", esi |
383 |
DEBUGF 1, "encryption_algorithms_server_to_client: %s\n", esi |
| 376 |
add esi, eax |
384 |
add esi, eax |
| 377 |
lodsd |
385 |
lodsd |
| 378 |
bswap eax |
386 |
bswap eax |
| 379 |
DEBUGF 1, "mac_algorithms_client_to_server: %s\n", esi |
387 |
DEBUGF 1, "mac_algorithms_client_to_server: %s\n", esi |
| 380 |
add esi, eax |
388 |
add esi, eax |
| 381 |
lodsd |
389 |
lodsd |
| 382 |
bswap eax |
390 |
bswap eax |
| 383 |
DEBUGF 1, "mac_algorithms_server_to_client: %s\n", esi |
391 |
DEBUGF 1, "mac_algorithms_server_to_client: %s\n", esi |
| 384 |
add esi, eax |
392 |
add esi, eax |
| 385 |
lodsd |
393 |
lodsd |
| 386 |
bswap eax |
394 |
bswap eax |
| 387 |
DEBUGF 1, "compression_algorithms_client_to_server: %s\n", esi |
395 |
DEBUGF 1, "compression_algorithms_client_to_server: %s\n", esi |
| 388 |
add esi, eax |
396 |
add esi, eax |
| 389 |
lodsd |
397 |
lodsd |
| 390 |
bswap eax |
398 |
bswap eax |
| 391 |
DEBUGF 1, "compression_algorithms_server_to_client: %s\n", esi |
399 |
DEBUGF 1, "compression_algorithms_server_to_client: %s\n", esi |
| 392 |
add esi, eax |
400 |
add esi, eax |
| 393 |
lodsd |
401 |
lodsd |
| 394 |
bswap eax |
402 |
bswap eax |
| 395 |
DEBUGF 1, "languages_client_to_server: %s\n", esi |
403 |
DEBUGF 1, "languages_client_to_server: %s\n", esi |
| 396 |
add esi, eax |
404 |
add esi, eax |
| 397 |
lodsd |
405 |
lodsd |
| 398 |
bswap eax |
406 |
bswap eax |
| 399 |
DEBUGF 1, "languages_server_to_client: %s\n", esi |
407 |
DEBUGF 1, "languages_server_to_client: %s\n", esi |
| 400 |
add esi, eax |
408 |
add esi, eax |
| 401 |
lodsb |
409 |
lodsb |
| 402 |
DEBUGF 1, "KEX First Packet Follows: %u\n", al |
410 |
DEBUGF 1, "KEX First Packet Follows: %u\n", al |
| 403 |
|
411 |
|
| 404 |
; TODO: parse this structure and init procedures accordingly |
412 |
; TODO: parse this structure and init procedures accordingly |
| 405 |
|
413 |
|
| 406 |
; HASH: string I_S, the payload of the servers's SSH_MSG_KEXINIT |
414 |
; HASH: string I_S, the payload of the servers's SSH_MSG_KEXINIT |
| 407 |
mov eax, dword[con.rx_buffer+ssh_packet_header.packet_length] |
415 |
mov eax, dword[con.rx_buffer+ssh_packet_header.packet_length] |
| 408 |
movzx ebx, [con.rx_buffer+ssh_packet_header.padding_length] |
416 |
movzx ebx, [con.rx_buffer+ssh_packet_header.padding_length] |
| 409 |
sub eax, ebx |
417 |
sub eax, ebx |
| 410 |
dec eax |
418 |
dec eax |
| 411 |
lea edx, [eax+4] |
419 |
lea edx, [eax+4] |
| 412 |
bswap eax |
420 |
bswap eax |
| 413 |
mov dword[con.rx_buffer+sizeof.ssh_packet_header-5], eax |
421 |
mov dword[con.rx_buffer+sizeof.ssh_packet_header-5], eax |
| 414 |
invoke sha256_update, con.temp_ctx, con.rx_buffer+sizeof.ssh_packet_header-5, edx |
422 |
invoke sha256_update, con.temp_ctx, con.rx_buffer+sizeof.ssh_packet_header-5, edx |
| 415 |
|
423 |
|
| 416 |
; Exchange keys with the server |
424 |
; Exchange keys with the server |
| 417 |
|
425 |
|
| 418 |
stdcall dh_gex |
426 |
stdcall dh_gex |
| 419 |
test eax, eax |
427 |
test eax, eax |
| 420 |
jnz exit |
428 |
jnz exit |
| 421 |
|
429 |
|
| 422 |
; Set keys |
430 |
; Set keys |
| 423 |
|
431 |
|
| 424 |
DEBUGF 2, "SSH: Setting encryption keys\n" |
432 |
DEBUGF 2, "SSH: Setting encryption keys\n" |
| 425 |
|
433 |
|
| 426 |
stdcall aes256_cbc_init, con.rx_iv |
434 |
stdcall aes256_cbc_init, con.rx_iv |
| 427 |
mov [con.rx_crypt_ctx_ptr], eax |
435 |
mov [con.rx_crypt_ctx_ptr], eax |
| 428 |
|
436 |
|
| 429 |
stdcall aes256_set_decrypt_key, eax, con.rx_enc_key |
437 |
stdcall aes256_set_decrypt_key, eax, con.rx_enc_key |
| 430 |
mov [con.rx_crypt_proc], aes256_cbc_decrypt |
438 |
mov [con.rx_crypt_proc], aes256_cbc_decrypt |
| 431 |
mov [con.rx_crypt_blocksize], AES256_BLOCKSIZE |
439 |
mov [con.rx_crypt_blocksize], AES256_BLOCKSIZE |
| 432 |
|
440 |
|
| 433 |
stdcall aes256_cbc_init, con.tx_iv |
441 |
stdcall aes256_cbc_init, con.tx_iv |
| 434 |
mov [con.tx_crypt_ctx_ptr], eax |
442 |
mov [con.tx_crypt_ctx_ptr], eax |
| 435 |
|
443 |
|
| 436 |
stdcall aes256_set_encrypt_key, eax, con.tx_enc_key |
444 |
stdcall aes256_set_encrypt_key, eax, con.tx_enc_key |
| 437 |
mov [con.tx_crypt_proc], aes256_cbc_encrypt |
445 |
mov [con.tx_crypt_proc], aes256_cbc_encrypt |
| 438 |
mov [con.tx_crypt_blocksize], AES256_BLOCKSIZE |
446 |
mov [con.tx_crypt_blocksize], AES256_BLOCKSIZE |
| 439 |
|
447 |
|
| 440 |
stdcall hmac_sha256_setkey, con.rx_mac_ctx, con.rx_int_key, SHA256_HASH_SIZE |
448 |
stdcall hmac_sha256_setkey, con.rx_mac_ctx, con.rx_int_key, SHA256_HASH_SIZE |
| 441 |
mov [con.rx_mac_proc], hmac_sha256 |
449 |
mov [con.rx_mac_proc], hmac_sha256 |
| 442 |
mov [con.rx_mac_length], SHA256_HASH_SIZE |
450 |
mov [con.rx_mac_length], SHA256_HASH_SIZE |
| 443 |
|
451 |
|
| 444 |
stdcall hmac_sha256_setkey, con.tx_mac_ctx, con.tx_int_key, SHA256_HASH_SIZE |
452 |
stdcall hmac_sha256_setkey, con.tx_mac_ctx, con.tx_int_key, SHA256_HASH_SIZE |
| 445 |
mov [con.tx_mac_proc], hmac_sha256 |
453 |
mov [con.tx_mac_proc], hmac_sha256 |
| 446 |
mov [con.tx_mac_length], SHA256_HASH_SIZE |
454 |
mov [con.tx_mac_length], SHA256_HASH_SIZE |
| 447 |
|
455 |
|
| 448 |
; TODO: erase all keys from memory and free the memory |
456 |
; TODO: erase all keys from memory and free the memory |
| 449 |
|
457 |
|
| 450 |
; >> Request service (user-auth) |
458 |
; >> Request service (user-auth) |
| 451 |
|
459 |
|
| 452 |
DEBUGF 2, "SSH: Requesting service\n" |
460 |
DEBUGF 2, "SSH: Requesting service\n" |
| 453 |
|
461 |
|
| 454 |
stdcall ssh_send_packet, con, ssh_request_service, ssh_request_service.length, 0 |
462 |
stdcall ssh_send_packet, con, ssh_request_service, ssh_request_service.length, 0 |
| 455 |
cmp eax, -1 |
463 |
cmp eax, -1 |
| 456 |
je socket_err |
464 |
je socket_err |
| 457 |
|
465 |
|
| 458 |
; << Check for service acceptance |
466 |
; << Check for service acceptance |
| 459 |
|
467 |
|
| 460 |
stdcall ssh_recv_packet, con, 0 |
468 |
stdcall ssh_recv_packet, con, 0 |
| 461 |
cmp eax, -1 |
469 |
cmp eax, -1 |
| 462 |
je socket_err |
470 |
je socket_err |
| 463 |
|
471 |
|
| 464 |
cmp [con.rx_buffer.message_code], SSH_MSG_SERVICE_ACCEPT |
472 |
cmp [con.rx_buffer.message_code], SSH_MSG_SERVICE_ACCEPT |
| 465 |
jne proto_err |
473 |
jne proto_err |
| 466 |
|
474 |
|
| 467 |
; >> Request user authentication |
475 |
; >> Request user authentication |
| 468 |
|
476 |
|
| 469 |
; TODO: Request username from the user |
477 |
; TODO: Request username from the user |
| 470 |
; invoke con_write_asciiz, str12 |
478 |
; invoke con_write_asciiz, str12 |
| 471 |
; invoke con_gets, username, 256 |
479 |
; invoke con_gets, username, 256 |
| 472 |
; test eax, eax |
480 |
; test eax, eax |
| 473 |
; jz done |
481 |
; jz done |
| 474 |
|
482 |
|
| 475 |
; TODO: implement password authentication |
483 |
; TODO: implement password authentication |
| 476 |
|
484 |
|
| 477 |
DEBUGF 2, "SSH: User authentication\n" |
485 |
DEBUGF 2, "SSH: User authentication\n" |
| 478 |
|
486 |
|
| 479 |
stdcall ssh_send_packet, con, ssh_request_userauth, ssh_request_userauth.length, 0 |
487 |
stdcall ssh_send_packet, con, ssh_request_userauth, ssh_request_userauth.length, 0 |
| 480 |
cmp eax, -1 |
488 |
cmp eax, -1 |
| 481 |
je socket_err |
489 |
je socket_err |
| 482 |
|
490 |
|
| 483 |
; << Check for userauth acceptance |
491 |
; << Check for userauth acceptance |
| 484 |
|
492 |
|
| 485 |
stdcall ssh_recv_packet, con, 0 |
493 |
stdcall ssh_recv_packet, con, 0 |
| 486 |
cmp eax, -1 |
494 |
cmp eax, -1 |
| 487 |
je socket_err |
495 |
je socket_err |
| 488 |
|
496 |
|
| 489 |
cmp [con.rx_buffer.message_code], SSH_MSG_USERAUTH_SUCCESS |
497 |
cmp [con.rx_buffer.message_code], SSH_MSG_USERAUTH_SUCCESS |
| 490 |
jne proto_err |
498 |
jne proto_err |
| 491 |
|
499 |
|
| 492 |
; >> Open channel |
500 |
; >> Open channel |
| 493 |
|
501 |
|
| 494 |
DEBUGF 2, "SSH: Open channel\n" |
502 |
DEBUGF 2, "SSH: Open channel\n" |
| 495 |
|
503 |
|
| 496 |
stdcall ssh_send_packet, con, ssh_channel_open, ssh_channel_open.length, 0 |
504 |
stdcall ssh_send_packet, con, ssh_channel_open, ssh_channel_open.length, 0 |
| 497 |
cmp eax, -1 |
505 |
cmp eax, -1 |
| 498 |
je socket_err |
506 |
je socket_err |
| 499 |
|
507 |
|
| 500 |
; << Check for channel open confirmation |
508 |
; << Check for channel open confirmation |
| 501 |
|
509 |
|
| 502 |
stdcall ssh_recv_packet, con, 0 |
510 |
stdcall ssh_recv_packet, con, 0 |
| 503 |
cmp eax, -1 |
511 |
cmp eax, -1 |
| 504 |
je socket_err |
512 |
je socket_err |
| 505 |
|
513 |
|
| 506 |
cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_OPEN_CONFIRMATION |
514 |
cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_OPEN_CONFIRMATION |
| 507 |
jne proto_err |
515 |
jne proto_err |
| 508 |
|
516 |
|
| 509 |
; >> Channel request: pty |
517 |
; >> Channel request: pty |
| 510 |
|
518 |
|
| 511 |
DEBUGF 2, "SSH: Request pty\n" |
519 |
DEBUGF 2, "SSH: Request pty\n" |
| 512 |
|
520 |
|
| 513 |
stdcall ssh_send_packet, con, ssh_channel_request, ssh_channel_request.length, 0 |
521 |
stdcall ssh_send_packet, con, ssh_channel_request, ssh_channel_request.length, 0 |
| 514 |
cmp eax, -1 |
522 |
cmp eax, -1 |
| 515 |
je socket_err |
523 |
je socket_err |
| 516 |
|
524 |
|
| 517 |
; << Check for channel request confirmation |
525 |
; << Check for channel request confirmation |
| 518 |
|
526 |
|
| 519 |
stdcall ssh_recv_packet, con, 0 |
527 |
stdcall ssh_recv_packet, con, 0 |
| 520 |
cmp eax, -1 |
528 |
cmp eax, -1 |
| 521 |
je socket_err |
529 |
je socket_err |
| 522 |
|
530 |
|
| 523 |
cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_SUCCESS |
531 |
cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_SUCCESS |
| 524 |
jne proto_err |
532 |
jne proto_err |
| 525 |
|
533 |
|
| 526 |
; >> Channel request: shell |
534 |
; >> Channel request: shell |
| 527 |
|
535 |
|
| 528 |
DEBUGF 2, "SSH: Request shell\n" |
536 |
DEBUGF 2, "SSH: Request shell\n" |
| 529 |
|
537 |
|
| 530 |
stdcall ssh_send_packet, con, ssh_shell_request, ssh_shell_request.length, 0 |
538 |
stdcall ssh_send_packet, con, ssh_shell_request, ssh_shell_request.length, 0 |
| 531 |
cmp eax, -1 |
539 |
cmp eax, -1 |
| 532 |
je socket_err |
540 |
je socket_err |
| 533 |
|
541 |
|
| 534 |
; << Check for channel request confirmation (FIXME: this may not be first packet!) |
542 |
; << Check for channel request confirmation (FIXME: this may not be first packet!) |
| 535 |
|
543 |
|
| 536 |
; stdcall ssh_recv_packet, con, 0 |
544 |
; stdcall ssh_recv_packet, con, 0 |
| 537 |
; cmp eax, -1 |
545 |
; cmp eax, -1 |
| 538 |
; je socket_err |
546 |
; je socket_err |
| 539 |
|
547 |
|
| 540 |
; cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_SUCCESS |
548 |
; cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_SUCCESS |
| 541 |
; jne proto_err |
549 |
; jne proto_err |
| 542 |
|
550 |
|
| 543 |
; Launch network thread |
551 |
; Launch network thread |
| 544 |
mcall 18, 7 |
552 |
mcall 18, 7 |
| 545 |
push eax |
553 |
push eax |
| 546 |
mcall 51, 1, thread, mem - 2048 |
554 |
mcall 51, 1, thread, mem - 2048 |
| 547 |
pop ecx |
555 |
pop ecx |
| 548 |
mcall 18, 3 |
556 |
mcall 18, 3 |
| 549 |
|
557 |
|
| 550 |
mainloop: |
558 |
mainloop: |
| 551 |
call [con_get_flags] |
559 |
call [con_get_flags] |
| 552 |
test eax, 0x200 ; con window closed? |
560 |
test eax, 0x200 ; con window closed? |
| 553 |
jnz exit |
561 |
jnz exit |
| 554 |
|
562 |
|
| 555 |
stdcall ssh_recv_packet, con, 0 |
563 |
stdcall ssh_recv_packet, con, 0 |
| 556 |
cmp eax, 0 |
564 |
cmp eax, 0 |
| 557 |
jbe closed |
565 |
jbe closed |
| 558 |
|
566 |
|
| 559 |
cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_DATA |
567 |
cmp [con.rx_buffer.message_code], SSH_MSG_CHANNEL_DATA |
| 560 |
jne .dump |
568 |
jne .dump |
| 561 |
|
569 |
|
| 562 |
mov eax, dword[con.rx_buffer.message_code+5] |
570 |
mov eax, dword[con.rx_buffer.message_code+5] |
| 563 |
bswap eax |
571 |
bswap eax |
| 564 |
DEBUGF 1, 'SSH: got %u bytes of data !\n', eax |
572 |
DEBUGF 1, 'SSH: got %u bytes of data !\n', eax |
| 565 |
|
573 |
|
| 566 |
lea esi, [con.rx_buffer.message_code+5+4] |
574 |
lea esi, [con.rx_buffer.message_code+5+4] |
| 567 |
mov ecx, eax |
575 |
mov ecx, eax |
| 568 |
lea edi, [esi + eax] |
576 |
lea edi, [esi + eax] |
| 569 |
mov byte [edi], 0 |
577 |
mov byte [edi], 0 |
| 570 |
invoke con_write_asciiz, esi |
578 |
invoke con_write_asciiz, esi |
| 571 |
jmp mainloop |
579 |
jmp mainloop |
| 572 |
|
580 |
|
| 573 |
.dump: |
581 |
.dump: |
| 574 |
lea esi, [con.rx_buffer] |
582 |
lea esi, [con.rx_buffer] |
| 575 |
mov ecx, eax |
583 |
mov ecx, eax |
| 576 |
pusha |
584 |
pusha |
| 577 |
@@: |
585 |
@@: |
| 578 |
lodsb |
586 |
lodsb |
| 579 |
DEBUGF 1, "%x ", eax:2 |
587 |
DEBUGF 1, "%x ", eax:2 |
| 580 |
dec ecx |
588 |
dec ecx |
| 581 |
jnz @r |
589 |
jnz @r |
| 582 |
popa |
590 |
popa |
| 583 |
DEBUGF 1, "\n" |
591 |
DEBUGF 1, "\n" |
| 584 |
jmp mainloop |
592 |
jmp mainloop |
| 585 |
|
593 |
|
| 586 |
|
594 |
|
| 587 |
proto_err: |
595 |
proto_err: |
| 588 |
DEBUGF 3, "SSH: protocol error\n" |
596 |
DEBUGF 3, "SSH: protocol error\n" |
| 589 |
invoke con_write_asciiz, str7 |
597 |
invoke con_write_asciiz, str7 |
| 590 |
jmp prompt |
598 |
jmp prompt |
| 591 |
|
599 |
|
| 592 |
socket_err: |
600 |
socket_err: |
| 593 |
DEBUGF 3, "SSH: socket error %d\n", ebx |
601 |
DEBUGF 3, "SSH: socket error %d\n", ebx |
| 594 |
invoke con_write_asciiz, str6 |
602 |
invoke con_write_asciiz, str6 |
| 595 |
jmp prompt |
603 |
jmp prompt |
| 596 |
|
604 |
|
| 597 |
dns_error: |
605 |
dns_error: |
| 598 |
DEBUGF 3, "SSH: DNS error %d\n", eax |
606 |
DEBUGF 3, "SSH: DNS error %d\n", eax |
| 599 |
invoke con_write_asciiz, str5 |
607 |
invoke con_write_asciiz, str5 |
| 600 |
jmp prompt |
608 |
jmp prompt |
| 601 |
|
609 |
|
| 602 |
hostname_error: |
610 |
hostname_error: |
| 603 |
invoke con_write_asciiz, str10 |
611 |
invoke con_write_asciiz, str10 |
| 604 |
jmp prompt |
612 |
jmp prompt |
| 605 |
|
613 |
|
| 606 |
closed: |
614 |
closed: |
| 607 |
invoke con_write_asciiz, str11 |
615 |
invoke con_write_asciiz, str11 |
| 608 |
jmp prompt |
616 |
jmp prompt |
| 609 |
|
617 |
|
| 610 |
done: |
618 |
done: |
| 611 |
invoke con_exit, 1 |
619 |
invoke con_exit, 1 |
| 612 |
exit: |
620 |
exit: |
| 613 |
DEBUGF 3, "SSH: Exiting\n" |
621 |
DEBUGF 3, "SSH: Exiting\n" |
| 614 |
mcall close, [con.socketnum] |
622 |
mcall close, [con.socketnum] |
| 615 |
mcall -1 |
623 |
mcall -1 |
| 616 |
|
624 |
|
| 617 |
|
625 |
|
| 618 |
thread: |
626 |
thread: |
| 619 |
mcall 40, 0 |
627 |
mcall 40, 0 |
| 620 |
.loop: |
628 |
.loop: |
| 621 |
invoke con_getch2 |
629 |
invoke con_getch2 |
| 622 |
mov [ssh_channel_data+9], al |
630 |
mov [ssh_channel_data+9], al |
| 623 |
stdcall ssh_send_packet, con, ssh_channel_data, ssh_channel_data.length, 0 |
631 |
stdcall ssh_send_packet, con, ssh_channel_data, ssh_channel_data.length, 0 |
| 624 |
|
632 |
|
| 625 |
invoke con_get_flags |
633 |
invoke con_get_flags |
| 626 |
test eax, 0x200 ; con window closed? |
634 |
test eax, 0x200 ; con window closed? |
| 627 |
jz .loop |
635 |
jz .loop |
| 628 |
mcall -1 |
636 |
mcall -1 |
| 629 |
|
637 |
|
| 630 |
; data |
638 |
; data |
| 631 |
title db 'Secure Shell',0 |
639 |
title db 'Secure Shell',0 |
| 632 |
str1 db 'SSH client for KolibriOS',10,10,\ |
640 |
str1 db 'SSH client for KolibriOS',10,10,\ |
| 633 |
'Please enter URL of SSH server (host:port)',10,10,0 |
641 |
'Please enter URL of SSH server (host:port)',10,10,0 |
| 634 |
str2 db '> ',0 |
642 |
str2 db '> ',0 |
| 635 |
str3 db 'Connecting to ',0 |
643 |
str3 db 'Connecting to ',0 |
| 636 |
str4 db 10,0 |
644 |
str4 db 10,0 |
| 637 |
str5 db 'Name resolution failed.',10,10,0 |
645 |
str5 db 'Name resolution failed.',10,10,0 |
| 638 |
str6 db 'A socket error occured.',10,10,0 |
646 |
str6 db 'A socket error occured.',10,10,0 |
| 639 |
str7 db 'A protocol error occured.',10,10,0 |
647 |
str7 db 'A protocol error occured.',10,10,0 |
| 640 |
str8 db ' (',0 |
648 |
str8 db ' (',0 |
| 641 |
str9 db ')',10,0 |
649 |
str9 db ')',10,0 |
| 642 |
str10 db 'Invalid hostname.',10,10,0 |
650 |
str10 db 'Invalid hostname.',10,10,0 |
| 643 |
str11 db 10,'Remote host closed the connection.',10,10,0 |
651 |
str11 db 10,'Remote host closed the connection.',10,10,0 |
| 644 |
str12 db 'Enter username: ',0 |
652 |
str12 db 'Enter username: ',0 |
| 645 |
|
653 |
|
| 646 |
ssh_ident_ha: |
654 |
ssh_ident_ha: |
| 647 |
dd_n (ssh_ident.length-2) |
655 |
dd_n (ssh_ident.length-2) |
| 648 |
ssh_ident: |
656 |
ssh_ident: |
| 649 |
db "SSH-2.0-KolibriOS_SSH_0.02",13,10 |
657 |
db "SSH-2.0-KolibriOS_SSH_0.02",13,10 |
| 650 |
.length = $ - ssh_ident |
658 |
.length = $ - ssh_ident |
| 651 |
|
659 |
|
| 652 |
ssh_kex: |
660 |
ssh_kex: |
| 653 |
db SSH_MSG_KEXINIT |
661 |
db SSH_MSG_KEXINIT |
| 654 |
.cookie: |
662 |
.cookie: |
| 655 |
rd 4 |
663 |
rd 4 |
| 656 |
.kex_algorithms: |
664 |
.kex_algorithms: |
| 657 |
dd_n .server_host_key_algorithms - .kex_algorithms - 4 |
665 |
dd_n .server_host_key_algorithms - .kex_algorithms - 4 |
| 658 |
db "diffie-hellman-group-exchange-sha256" ; diffie-hellman-group-exchange-sha1 |
666 |
db "diffie-hellman-group-exchange-sha256" ; diffie-hellman-group-exchange-sha1 |
| 659 |
.server_host_key_algorithms: |
667 |
.server_host_key_algorithms: |
| 660 |
dd_n .encryption_algorithms_client_to_server - .server_host_key_algorithms - 4 |
668 |
dd_n .encryption_algorithms_client_to_server - .server_host_key_algorithms - 4 |
| 661 |
db "ssh-rsa" ;,ssh-dss |
669 |
db "ssh-rsa" ;,ssh-dss |
| 662 |
.encryption_algorithms_client_to_server: |
670 |
.encryption_algorithms_client_to_server: |
| 663 |
dd_n .encryption_algorithms_server_to_client - .encryption_algorithms_client_to_server - 4 |
671 |
dd_n .encryption_algorithms_server_to_client - .encryption_algorithms_client_to_server - 4 |
| 664 |
db "aes256-cbc" ;,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128" |
672 |
db "aes256-cbc" ;,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128" |
| 665 |
.encryption_algorithms_server_to_client: |
673 |
.encryption_algorithms_server_to_client: |
| 666 |
dd_n .mac_algorithms_client_to_server - .encryption_algorithms_server_to_client - 4 |
674 |
dd_n .mac_algorithms_client_to_server - .encryption_algorithms_server_to_client - 4 |
| 667 |
db "aes256-cbc" ;,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128" |
675 |
db "aes256-cbc" ;,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128" |
| 668 |
.mac_algorithms_client_to_server: |
676 |
.mac_algorithms_client_to_server: |
| 669 |
dd_n .mac_algorithms_server_to_client - .mac_algorithms_client_to_server - 4 |
677 |
dd_n .mac_algorithms_server_to_client - .mac_algorithms_client_to_server - 4 |
| 670 |
db "hmac-sha2-256" ;,hmac-sha1,hmac-sha1-96,hmac-md5" |
678 |
db "hmac-sha2-256" ;,hmac-sha1,hmac-sha1-96,hmac-md5" |
| 671 |
.mac_algorithms_server_to_client: |
679 |
.mac_algorithms_server_to_client: |
| 672 |
dd_n .compression_algorithms_client_to_server - .mac_algorithms_server_to_client - 4 |
680 |
dd_n .compression_algorithms_client_to_server - .mac_algorithms_server_to_client - 4 |
| 673 |
db "hmac-sha2-256" ;,hmac-sha1,hmac-sha1-96,hmac-md5" |
681 |
db "hmac-sha2-256" ;,hmac-sha1,hmac-sha1-96,hmac-md5" |
| 674 |
.compression_algorithms_client_to_server: |
682 |
.compression_algorithms_client_to_server: |
| 675 |
dd_n .compression_algorithms_server_to_client - .compression_algorithms_client_to_server - 4 |
683 |
dd_n .compression_algorithms_server_to_client - .compression_algorithms_client_to_server - 4 |
| 676 |
db "none" ;,zlib" |
684 |
db "none" ;,zlib" |
| 677 |
.compression_algorithms_server_to_client: |
685 |
.compression_algorithms_server_to_client: |
| 678 |
dd_n .languages_client_to_server - .compression_algorithms_server_to_client - 4 |
686 |
dd_n .languages_client_to_server - .compression_algorithms_server_to_client - 4 |
| 679 |
db "none" ;,zlib" |
687 |
db "none" ;,zlib" |
| 680 |
.languages_client_to_server: |
688 |
.languages_client_to_server: |
| 681 |
dd_n .languages_server_to_client - .languages_client_to_server - 4 |
689 |
dd_n .languages_server_to_client - .languages_client_to_server - 4 |
| 682 |
db "" |
690 |
db "" |
| 683 |
.languages_server_to_client: |
691 |
.languages_server_to_client: |
| 684 |
dd_n .first_kex_packet_follows - .languages_server_to_client - 4 |
692 |
dd_n .first_kex_packet_follows - .languages_server_to_client - 4 |
| 685 |
db "" |
693 |
db "" |
| 686 |
.first_kex_packet_follows: |
694 |
.first_kex_packet_follows: |
| 687 |
db 0 |
695 |
db 0 |
| 688 |
.reserved: |
696 |
.reserved: |
| 689 |
dd_n 0 |
697 |
dd_n 0 |
| 690 |
.length = $ - ssh_kex |
698 |
.length = $ - ssh_kex |
| 691 |
|
699 |
|
| 692 |
|
700 |
|
| 693 |
ssh_gex_req: |
701 |
ssh_gex_req: |
| 694 |
db SSH_MSG_KEX_DH_GEX_REQUEST |
702 |
db SSH_MSG_KEX_DH_GEX_REQUEST |
| 695 |
dd_n 128 ; DH GEX min |
703 |
dd_n 8192/4 ; DH GEX min |
| 696 |
dd_n 256 ; DH GEX number of bits |
704 |
dd_n 8192/2 ; DH GEX number of bits |
| 697 |
dd_n 512 ; DH GEX Max |
705 |
dd_n 8192 ; DH GEX Max |
| 698 |
.length = $ - ssh_gex_req |
706 |
.length = $ - ssh_gex_req |
| 699 |
|
707 |
|
| 700 |
|
708 |
|
| 701 |
ssh_new_keys: |
709 |
ssh_new_keys: |
| 702 |
db SSH_MSG_NEWKEYS |
710 |
db SSH_MSG_NEWKEYS |
| 703 |
.length = $ - ssh_new_keys |
711 |
.length = $ - ssh_new_keys |
| 704 |
|
712 |
|
| 705 |
|
713 |
|
| 706 |
ssh_request_service: |
714 |
ssh_request_service: |
| 707 |
db SSH_MSG_SERVICE_REQUEST |
715 |
db SSH_MSG_SERVICE_REQUEST |
| 708 |
dd_n 12 ; String length |
716 |
dd_n 12 ; String length |
| 709 |
db "ssh-userauth" ; Service name |
717 |
db "ssh-userauth" ; Service name |
| 710 |
.length = $ - ssh_request_service |
718 |
.length = $ - ssh_request_service |
| 711 |
|
719 |
|
| 712 |
|
720 |
|
| 713 |
ssh_request_userauth: |
721 |
ssh_request_userauth: |
| 714 |
db SSH_MSG_USERAUTH_REQUEST |
722 |
db SSH_MSG_USERAUTH_REQUEST |
| 715 |
dd_n 12 |
723 |
dd_n 12 |
| 716 |
dd_n 8 |
724 |
dd_n 8 |
| 717 |
db "username" ; user name in ISO-10646 UTF-8 encoding [RFC3629] |
725 |
db "username" ; user name in ISO-10646 UTF-8 encoding [RFC3629] |
| 718 |
dd_n 14 |
726 |
dd_n 14 |
| 719 |
db "ssh-connection" ; service name in US-ASCII |
727 |
db "ssh-connection" ; service name in US-ASCII |
| 720 |
dd_n 4 |
728 |
dd_n 4 |
| 721 |
db "none" ; method name in US-ASCII |
729 |
db "none" ; method name in US-ASCII |
| 722 |
; Other options: publickey, password, hostbased |
730 |
; Other options: publickey, password, hostbased |
| 723 |
.length = $ - ssh_request_userauth |
731 |
.length = $ - ssh_request_userauth |
| 724 |
|
732 |
|
| 725 |
|
733 |
|
| 726 |
ssh_channel_open: |
734 |
ssh_channel_open: |
| 727 |
db SSH_MSG_CHANNEL_OPEN |
735 |
db SSH_MSG_CHANNEL_OPEN |
| 728 |
dd_n 7 |
736 |
dd_n 7 |
| 729 |
db "session" |
737 |
db "session" |
| 730 |
dd_n 0 ; Sender channel |
738 |
dd_n 0 ; Sender channel |
| 731 |
dd_n 1024 ; Initial window size |
739 |
dd_n 1024 ; Initial window size |
| 732 |
dd_n 1024 ; maximum packet size |
740 |
dd_n 1024 ; maximum packet size |
| 733 |
.length = $ - ssh_channel_open |
741 |
.length = $ - ssh_channel_open |
| 734 |
|
742 |
|
| 735 |
ssh_channel_request: |
743 |
ssh_channel_request: |
| 736 |
db SSH_MSG_CHANNEL_REQUEST |
744 |
db SSH_MSG_CHANNEL_REQUEST |
| 737 |
dd_n 0 ; Recipient channel |
745 |
dd_n 0 ; Recipient channel |
| 738 |
dd_n 7 |
746 |
dd_n 7 |
| 739 |
db "pty-req" |
747 |
db "pty-req" |
| 740 |
db 1 ; Bool: want reply |
748 |
db 1 ; Bool: want reply |
| 741 |
dd_n 5 |
749 |
dd_n 5 |
| 742 |
db "xterm" |
750 |
db "xterm" |
| 743 |
dd_n 80 ; terminal width (rows) |
751 |
dd_n 80 ; terminal width (rows) |
| 744 |
dd_n 25 ; terminal height (rows) |
752 |
dd_n 25 ; terminal height (rows) |
| 745 |
dd_n 0 ; terminal width (pixels) |
753 |
dd_n 0 ; terminal width (pixels) |
| 746 |
dd_n 0 ; terminal height (pixels) |
754 |
dd_n 0 ; terminal height (pixels) |
| 747 |
|
755 |
|
| 748 |
dd_n 0 ; list of supported opcodes |
756 |
dd_n 0 ; list of supported opcodes |
| 749 |
.length = $ - ssh_channel_request |
757 |
.length = $ - ssh_channel_request |
| 750 |
|
758 |
|
| 751 |
ssh_shell_request: |
759 |
ssh_shell_request: |
| 752 |
db SSH_MSG_CHANNEL_REQUEST |
760 |
db SSH_MSG_CHANNEL_REQUEST |
| 753 |
dd_n 0 ; Recipient channel |
761 |
dd_n 0 ; Recipient channel |
| 754 |
dd_n 5 |
762 |
dd_n 5 |
| 755 |
db "shell" |
763 |
db "shell" |
| 756 |
db 1 ; Bool: want reply |
764 |
db 1 ; Bool: want reply |
| 757 |
.length = $ - ssh_shell_request |
765 |
.length = $ - ssh_shell_request |
| 758 |
|
766 |
|
| 759 |
ssh_channel_data: |
767 |
ssh_channel_data: |
| 760 |
db SSH_MSG_CHANNEL_DATA |
768 |
db SSH_MSG_CHANNEL_DATA |
| 761 |
dd_n 0 ; Sender channel |
769 |
dd_n 0 ; Sender channel |
| 762 |
dd_n 1 |
770 |
dd_n 1 |
| 763 |
db ? |
771 |
db ? |
| 764 |
.length = $ - ssh_channel_data |
772 |
.length = $ - ssh_channel_data |
| 765 |
|
773 |
|
| 766 |
|
774 |
|
| 767 |
include_debug_strings |
775 |
include_debug_strings |
| 768 |
|
776 |
|
| 769 |
align 4 |
777 |
align 4 |
| 770 |
@IMPORT: |
778 |
@IMPORT: |
| 771 |
|
779 |
|
| 772 |
library network, 'network.obj', \ |
780 |
library network, 'network.obj', \ |
| 773 |
console, 'console.obj', \ |
781 |
console, 'console.obj', \ |
| 774 |
libcrash, 'libcrash.obj' |
782 |
libcrash, 'libcrash.obj' |
| 775 |
|
783 |
|
| 776 |
import network, \ |
784 |
import network, \ |
| 777 |
getaddrinfo, 'getaddrinfo', \ |
785 |
getaddrinfo, 'getaddrinfo', \ |
| 778 |
freeaddrinfo, 'freeaddrinfo', \ |
786 |
freeaddrinfo, 'freeaddrinfo', \ |
| 779 |
inet_ntoa, 'inet_ntoa' |
787 |
inet_ntoa, 'inet_ntoa' |
| 780 |
|
788 |
|
| 781 |
import console, \ |
789 |
import console, \ |
| 782 |
con_start, 'START', \ |
790 |
con_start, 'START', \ |
| 783 |
con_init, 'con_init', \ |
791 |
con_init, 'con_init', \ |
| 784 |
con_write_asciiz, 'con_write_asciiz', \ |
792 |
con_write_asciiz, 'con_write_asciiz', \ |
| 785 |
con_exit, 'con_exit', \ |
793 |
con_exit, 'con_exit', \ |
| 786 |
con_gets, 'con_gets', \ |
794 |
con_gets, 'con_gets', \ |
| 787 |
con_cls, 'con_cls', \ |
795 |
con_cls, 'con_cls', \ |
| 788 |
con_getch2, 'con_getch2', \ |
796 |
con_getch2, 'con_getch2', \ |
| 789 |
con_set_cursor_pos, 'con_set_cursor_pos', \ |
797 |
con_set_cursor_pos, 'con_set_cursor_pos', \ |
| 790 |
con_write_string, 'con_write_string', \ |
798 |
con_write_string, 'con_write_string', \ |
| 791 |
con_get_flags, 'con_get_flags' |
799 |
con_get_flags, 'con_get_flags' |
| 792 |
|
800 |
|
| 793 |
import libcrash, \ |
801 |
import libcrash, \ |
| 794 |
sha256_init, 'sha256_init', \ |
802 |
sha256_init, 'sha256_init', \ |
| 795 |
sha256_update, 'sha256_update', \ |
803 |
sha256_update, 'sha256_update', \ |
| 796 |
sha256_final, 'sha256_final' |
804 |
sha256_final, 'sha256_final',\ |
| - |
|
805 |
sha1_init, 'sha1_init', \ |
| - |
|
806 |
sha1_update, 'sha1_update', \ |
| - |
|
807 |
sha1_final, 'sha1_final', \ |
| - |
|
808 |
md5_init, 'md5_init', \ |
| - |
|
809 |
md5_update, 'md5_update', \ |
| - |
|
810 |
md5_final, 'md5_final' |
| 797 |
|
811 |
|
| 798 |
IncludeIGlobals |
812 |
IncludeIGlobals |
| 799 |
|
813 |
|
| 800 |
i_end: |
814 |
i_end: |
| 801 |
|
815 |
|
| 802 |
IncludeUGlobals |
816 |
IncludeUGlobals |
| 803 |
|
817 |
|
| 804 |
params rb 1024 |
818 |
params rb 1024 |
| 805 |
|
819 |
|
| 806 |
con ssh_connection |
820 |
con ssh_connection |
| 807 |
|
- |
|
| 808 |
; Temporary values ; To be removed FIXME |
- |
|
| 809 |
mpint_tmp rb MPINT_MAX_LEN+4 |
- |
|
| 810 |
|
- |
|
| 811 |
|
821 |
|
| 812 |
mem: |
822 |
mem: |