From 02319afd5ac24ebeed0d4f671179128c4fc39596 Mon Sep 17 00:00:00 2001 From: Robey Pointer Date: Wed, 24 Dec 2003 20:49:38 +0000 Subject: [PATCH] [project @ Arch-1:robey@lag.net--2003-public%secsh--dev--1.0--patch-12] fix dss key signing (expanded on a patch from fred gansevles) add a demo dss key for server mode, and fix some bugs that had caused the dss signing stuff to never work before. the demo_server is a bit more verbose now, too. both key types (RSAKey & DSSKey) now have a function to return the fingerprint of the key, and both versions of read_private_key_file() now raise exceptions on failure, instead of just silently setting "valid" to false. --- demo_dss_key | 12 ++++++++++++ demo_server.py | 11 +++++++++-- dsskey.py | 29 ++++++++++++++--------------- kex_gex.py | 2 +- kex_group1.py | 2 +- paramiko.py | 2 ++ rsakey.py | 26 ++++++++++++-------------- transport.py | 2 +- 8 files changed, 52 insertions(+), 34 deletions(-) create mode 100644 demo_dss_key diff --git a/demo_dss_key b/demo_dss_key new file mode 100644 index 0000000..e10807f --- /dev/null +++ b/demo_dss_key @@ -0,0 +1,12 @@ +-----BEGIN DSA PRIVATE KEY----- +MIIBuwIBAAKBgQDngaYDZ30c6/7cJgEEbtl8FgKdwhba1Z7oOrOn4MI/6C42G1bY +wMuqZf4dBCglsdq39SHrcjbE8Vq54gPSOh3g4+uV9Rcg5IOoPLbwp2jQfF6f1FIb +sx7hrDCIqUcQccPSxetPBKmXI9RN8rZLaFuQeTnI65BKM98Ruwvq6SI2LwIVAPDP +hSeawaJI27mKqOfe5PPBSmyHAoGBAJMXxXmPD9sGaQ419DIpmZecJKBUAy9uXD8x +gbgeDpwfDaFJP8owByCKREocPFfi86LjCuQkyUKOfjYMN6iHIf1oEZjB8uJAatUr +FzI0ArXtUqOhwTLwTyFuUojE5own2WYsOAGByvgfyWjsGhvckYNhI4ODpNdPlxQ8 +ZamaPGPsAoGARmR7CCPjodxASvRbIyzaVpZoJ/Z6x7dAumV+ysrV1BVYd0lYukmn +jO1kKBWApqpH1ve9XDQYN8zgxM4b16L21kpoWQnZtXrY3GZ4/it9kUgyB7+NwacI +BlXa8cMDL7Q/69o0d54U0X/NeX5QxuYR6OMJlrkQB7oiW/P/1mwjQgECFGI9QPSc +h9pT9XHqn+1rZ4bK+QGA +-----END DSA PRIVATE KEY----- diff --git a/demo_server.py b/demo_server.py index 0c7ec51..90ab9ba 100755 --- a/demo_server.py +++ b/demo_server.py @@ -12,8 +12,12 @@ if len(l.handlers) == 0: lh.setFormatter(logging.Formatter('%(levelname)-.3s [%(asctime)s] %(name)s: %(message)s', '%Y%m%d:%H%M%S')) l.addHandler(lh) -host_key = paramiko.RSAKey() -host_key.read_private_key_file('demo_host_key') +#host_key = paramiko.RSAKey() +#host_key.read_private_key_file('demo_host_key') + +host_key = paramiko.DSSKey() +host_key.read_private_key_file('demo_dss_key') +print 'Read key: ' + paramiko.hexify(host_key.get_fingerprint()) class ServerTransport(paramiko.Transport): @@ -54,12 +58,15 @@ except Exception, e: try: sock.listen(100) + print 'Listening for connection ...' client, addr = sock.accept() except Exception, e: print '*** Listen/accept failed: ' + str(e) traceback.print_exc() sys.exit(1) +print 'Got a connection!' + try: event = threading.Event() t = ServerTransport(client) diff --git a/dsskey.py b/dsskey.py index f87b7a9..a5e5c9a 100644 --- a/dsskey.py +++ b/dsskey.py @@ -1,11 +1,12 @@ #!/usr/bin/python import base64 +from paramiko import SSHException from message import Message from transport import MSG_USERAUTH_REQUEST from util import inflate_long, deflate_long from Crypto.PublicKey import DSA -from Crypto.Hash import SHA +from Crypto.Hash import SHA, MD5 from ber import BER from util import format_binary @@ -38,6 +39,9 @@ class DSSKey(object): def get_name(self): return 'ssh-dss' + def get_fingerprint(self): + return MD5.new(str(self)).digest() + def verify_ssh_sig(self, data, msg): if not self.valid: return 0 @@ -58,7 +62,7 @@ class DSSKey(object): dss = DSA.construct((long(self.y), long(self.g), long(self.p), long(self.q))) return dss.verify(sigM, (sigR, sigS)) - def sign_ssh_data(self, data): + def sign_ssh_data(self, randpool, data): hash = SHA.new(data).digest() dss = DSA.construct((long(self.y), long(self.g), long(self.p), long(self.q), long(self.x))) # generate a suitable k @@ -74,24 +78,19 @@ class DSSKey(object): return str(m) def read_private_key_file(self, filename): + "throws a file exception, or SSHException (on invalid key, or base64 decoding exception" # private key file contains: # DSAPrivateKey = { version = 0, p, q, g, y, x } self.valid = 0 - try: - f = open(filename, 'r') - lines = f.readlines() - f.close() - except: - return + f = open(filename, 'r') + lines = f.readlines() + f.close() if lines[0].strip() != '-----BEGIN DSA PRIVATE KEY-----': - return - try: - data = base64.decodestring(''.join(lines[1:-1])) - except: - return + raise SSHException('not a valid DSA private key file') + data = base64.decodestring(''.join(lines[1:-1])) keylist = BER(data).decode() if (type(keylist) != type([])) or (len(keylist) < 6) or (keylist[0] != 0): - return + raise SSHException('not a valid DSA private key file (bad ber encoding)') self.p = keylist[1] self.q = keylist[2] self.g = keylist[3] @@ -110,4 +109,4 @@ class DSSKey(object): m.add_boolean(1) m.add_string('ssh-dss') m.add_string(str(self)) - return self.sign_ssh_data(str(m)) + return self.sign_ssh_data(randpool, str(m)) diff --git a/kex_gex.py b/kex_gex.py index 5fd6796..19bc699 100644 --- a/kex_gex.py +++ b/kex_gex.py @@ -138,7 +138,7 @@ class KexGex(object): H = SHA.new(str(hm)).digest() self.transport.set_K_H(K, H) # sign it - sig = self.transport.get_server_key().sign_ssh_data(H) + sig = self.transport.get_server_key().sign_ssh_data(self.transport.randpool, H) # send reply m = Message() m.add_byte(chr(MSG_KEXDH_GEX_REPLY)) diff --git a/kex_group1.py b/kex_group1.py index b507d88..00988b2 100644 --- a/kex_group1.py +++ b/kex_group1.py @@ -92,7 +92,7 @@ class KexGroup1(object): H = SHA.new(str(hm)).digest() self.transport.set_K_H(K, H) # sign it - sig = self.transport.get_server_key().sign_ssh_data(H) + sig = self.transport.get_server_key().sign_ssh_data(self.transport.randpool, H) # send reply m = Message() m.add_byte(chr(MSG_KEXDH_REPLY)) diff --git a/paramiko.py b/paramiko.py index 2b18981..cc5fbfa 100644 --- a/paramiko.py +++ b/paramiko.py @@ -14,6 +14,8 @@ from channel import Channel from rsakey import RSAKey from dsskey import DSSKey +from util import hexify + __author__ = "Robey Pointer " __date__ = "10 Nov 2003" diff --git a/rsakey.py b/rsakey.py index 49c1c28..74502aa 100644 --- a/rsakey.py +++ b/rsakey.py @@ -31,6 +31,9 @@ class RSAKey(object): def get_name(self): return 'ssh-rsa' + def get_fingerprint(self): + return MD5.new(str(self)).digest() + def pkcs1imify(self, data): """ turn a 20-byte SHA1 hash into a blob of data as large as the key's N, @@ -51,7 +54,7 @@ class RSAKey(object): rsa = RSA.construct((long(self.n), long(self.e))) return rsa.verify(hash, (sig,)) - def sign_ssh_data(self, data): + def sign_ssh_data(self, randpool, data): hash = SHA.new(data).digest() rsa = RSA.construct((long(self.n), long(self.e), long(self.d))) sig = deflate_long(rsa.sign(self.pkcs1imify(hash), '')[0], 0) @@ -61,24 +64,19 @@ class RSAKey(object): return str(m) def read_private_key_file(self, filename): + "throws a file exception, or SSHException (on invalid key), or base64 decoding exception" # private key file contains: # RSAPrivateKey = { version = 0, n, e, d, p, q, d mod p-1, d mod q-1, q**-1 mod p } self.valid = 0 - try: - f = open(filename, 'r') - lines = f.readlines() - f.close() - except: - return + f = open(filename, 'r') + lines = f.readlines() + f.close() if lines[0].strip() != '-----BEGIN RSA PRIVATE KEY-----': - return - try: - data = base64.decodestring(''.join(lines[1:-1])) - except: - return + raise SSHException('not a valid DSA private key file') + data = base64.decodestring(''.join(lines[1:-1])) keylist = BER(data).decode() if (type(keylist) != type([])) or (len(keylist) < 4) or (keylist[0] != 0): - return + raise SSHException('not a valid DSA private key file (bad ber encoding)') self.n = keylist[1] self.e = keylist[2] self.d = keylist[3] @@ -98,5 +96,5 @@ class RSAKey(object): m.add_boolean(1) m.add_string('ssh-rsa') m.add_string(str(self)) - return self.sign_ssh_data(str(m)) + return self.sign_ssh_data(randpool, str(m)) diff --git a/transport.py b/transport.py index 9e43934..a646b58 100644 --- a/transport.py +++ b/transport.py @@ -532,7 +532,7 @@ class BaseTransport(threading.Thread): m.add_byte(chr(MSG_KEXINIT)) m.add_bytes(randpool.get_bytes(16)) m.add(','.join(self.preferred_kex)) - m.add(','.join(self.available_server_keys)) + m.add(','.join(available_server_keys)) m.add(','.join(self.preferred_ciphers)) m.add(','.join(self.preferred_ciphers)) m.add(','.join(self.preferred_macs))