summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorRobey Pointer <robey@lag.net>2003-12-24 20:49:38 +0000
committerRobey Pointer <robey@lag.net>2003-12-24 20:49:38 +0000
commit02319afd5ac24ebeed0d4f671179128c4fc39596 (patch)
tree117f99db047e245e72319d655e9f07a1fb49bfc9
parente7715095b649fd9582de4dff9930d9ee42013a6e (diff)
[project @ Arch-1:robey@lag.net--2003-public%secsh--dev--1.0--patch-12]
fix dss key signing (expanded on a patch from fred gansevles) add a demo dss key for server mode, and fix some bugs that had caused the dss signing stuff to never work before. the demo_server is a bit more verbose now, too. both key types (RSAKey & DSSKey) now have a function to return the fingerprint of the key, and both versions of read_private_key_file() now raise exceptions on failure, instead of just silently setting "valid" to false.
-rw-r--r--demo_dss_key12
-rwxr-xr-xdemo_server.py11
-rw-r--r--dsskey.py29
-rw-r--r--kex_gex.py2
-rw-r--r--kex_group1.py2
-rw-r--r--paramiko.py2
-rw-r--r--rsakey.py26
-rw-r--r--transport.py2
8 files changed, 52 insertions, 34 deletions
diff --git a/demo_dss_key b/demo_dss_key
new file mode 100644
index 00000000..e10807f1
--- /dev/null
+++ b/demo_dss_key
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBuwIBAAKBgQDngaYDZ30c6/7cJgEEbtl8FgKdwhba1Z7oOrOn4MI/6C42G1bY
+wMuqZf4dBCglsdq39SHrcjbE8Vq54gPSOh3g4+uV9Rcg5IOoPLbwp2jQfF6f1FIb
+sx7hrDCIqUcQccPSxetPBKmXI9RN8rZLaFuQeTnI65BKM98Ruwvq6SI2LwIVAPDP
+hSeawaJI27mKqOfe5PPBSmyHAoGBAJMXxXmPD9sGaQ419DIpmZecJKBUAy9uXD8x
+gbgeDpwfDaFJP8owByCKREocPFfi86LjCuQkyUKOfjYMN6iHIf1oEZjB8uJAatUr
+FzI0ArXtUqOhwTLwTyFuUojE5own2WYsOAGByvgfyWjsGhvckYNhI4ODpNdPlxQ8
+ZamaPGPsAoGARmR7CCPjodxASvRbIyzaVpZoJ/Z6x7dAumV+ysrV1BVYd0lYukmn
+jO1kKBWApqpH1ve9XDQYN8zgxM4b16L21kpoWQnZtXrY3GZ4/it9kUgyB7+NwacI
+BlXa8cMDL7Q/69o0d54U0X/NeX5QxuYR6OMJlrkQB7oiW/P/1mwjQgECFGI9QPSc
+h9pT9XHqn+1rZ4bK+QGA
+-----END DSA PRIVATE KEY-----
diff --git a/demo_server.py b/demo_server.py
index 0c7ec518..90ab9bac 100755
--- a/demo_server.py
+++ b/demo_server.py
@@ -12,8 +12,12 @@ if len(l.handlers) == 0:
lh.setFormatter(logging.Formatter('%(levelname)-.3s [%(asctime)s] %(name)s: %(message)s', '%Y%m%d:%H%M%S'))
l.addHandler(lh)
-host_key = paramiko.RSAKey()
-host_key.read_private_key_file('demo_host_key')
+#host_key = paramiko.RSAKey()
+#host_key.read_private_key_file('demo_host_key')
+
+host_key = paramiko.DSSKey()
+host_key.read_private_key_file('demo_dss_key')
+print 'Read key: ' + paramiko.hexify(host_key.get_fingerprint())
class ServerTransport(paramiko.Transport):
@@ -54,12 +58,15 @@ except Exception, e:
try:
sock.listen(100)
+ print 'Listening for connection ...'
client, addr = sock.accept()
except Exception, e:
print '*** Listen/accept failed: ' + str(e)
traceback.print_exc()
sys.exit(1)
+print 'Got a connection!'
+
try:
event = threading.Event()
t = ServerTransport(client)
diff --git a/dsskey.py b/dsskey.py
index f87b7a96..a5e5c9a1 100644
--- a/dsskey.py
+++ b/dsskey.py
@@ -1,11 +1,12 @@
#!/usr/bin/python
import base64
+from paramiko import SSHException
from message import Message
from transport import MSG_USERAUTH_REQUEST
from util import inflate_long, deflate_long
from Crypto.PublicKey import DSA
-from Crypto.Hash import SHA
+from Crypto.Hash import SHA, MD5
from ber import BER
from util import format_binary
@@ -38,6 +39,9 @@ class DSSKey(object):
def get_name(self):
return 'ssh-dss'
+ def get_fingerprint(self):
+ return MD5.new(str(self)).digest()
+
def verify_ssh_sig(self, data, msg):
if not self.valid:
return 0
@@ -58,7 +62,7 @@ class DSSKey(object):
dss = DSA.construct((long(self.y), long(self.g), long(self.p), long(self.q)))
return dss.verify(sigM, (sigR, sigS))
- def sign_ssh_data(self, data):
+ def sign_ssh_data(self, randpool, data):
hash = SHA.new(data).digest()
dss = DSA.construct((long(self.y), long(self.g), long(self.p), long(self.q), long(self.x)))
# generate a suitable k
@@ -74,24 +78,19 @@ class DSSKey(object):
return str(m)
def read_private_key_file(self, filename):
+ "throws a file exception, or SSHException (on invalid key, or base64 decoding exception"
# private key file contains:
# DSAPrivateKey = { version = 0, p, q, g, y, x }
self.valid = 0
- try:
- f = open(filename, 'r')
- lines = f.readlines()
- f.close()
- except:
- return
+ f = open(filename, 'r')
+ lines = f.readlines()
+ f.close()
if lines[0].strip() != '-----BEGIN DSA PRIVATE KEY-----':
- return
- try:
- data = base64.decodestring(''.join(lines[1:-1]))
- except:
- return
+ raise SSHException('not a valid DSA private key file')
+ data = base64.decodestring(''.join(lines[1:-1]))
keylist = BER(data).decode()
if (type(keylist) != type([])) or (len(keylist) < 6) or (keylist[0] != 0):
- return
+ raise SSHException('not a valid DSA private key file (bad ber encoding)')
self.p = keylist[1]
self.q = keylist[2]
self.g = keylist[3]
@@ -110,4 +109,4 @@ class DSSKey(object):
m.add_boolean(1)
m.add_string('ssh-dss')
m.add_string(str(self))
- return self.sign_ssh_data(str(m))
+ return self.sign_ssh_data(randpool, str(m))
diff --git a/kex_gex.py b/kex_gex.py
index 5fd67968..19bc699a 100644
--- a/kex_gex.py
+++ b/kex_gex.py
@@ -138,7 +138,7 @@ class KexGex(object):
H = SHA.new(str(hm)).digest()
self.transport.set_K_H(K, H)
# sign it
- sig = self.transport.get_server_key().sign_ssh_data(H)
+ sig = self.transport.get_server_key().sign_ssh_data(self.transport.randpool, H)
# send reply
m = Message()
m.add_byte(chr(MSG_KEXDH_GEX_REPLY))
diff --git a/kex_group1.py b/kex_group1.py
index b507d88f..00988b2a 100644
--- a/kex_group1.py
+++ b/kex_group1.py
@@ -92,7 +92,7 @@ class KexGroup1(object):
H = SHA.new(str(hm)).digest()
self.transport.set_K_H(K, H)
# sign it
- sig = self.transport.get_server_key().sign_ssh_data(H)
+ sig = self.transport.get_server_key().sign_ssh_data(self.transport.randpool, H)
# send reply
m = Message()
m.add_byte(chr(MSG_KEXDH_REPLY))
diff --git a/paramiko.py b/paramiko.py
index 2b18981e..cc5fbfaa 100644
--- a/paramiko.py
+++ b/paramiko.py
@@ -14,6 +14,8 @@ from channel import Channel
from rsakey import RSAKey
from dsskey import DSSKey
+from util import hexify
+
__author__ = "Robey Pointer <robey@lag.net>"
__date__ = "10 Nov 2003"
diff --git a/rsakey.py b/rsakey.py
index 49c1c285..74502aa2 100644
--- a/rsakey.py
+++ b/rsakey.py
@@ -31,6 +31,9 @@ class RSAKey(object):
def get_name(self):
return 'ssh-rsa'
+ def get_fingerprint(self):
+ return MD5.new(str(self)).digest()
+
def pkcs1imify(self, data):
"""
turn a 20-byte SHA1 hash into a blob of data as large as the key's N,
@@ -51,7 +54,7 @@ class RSAKey(object):
rsa = RSA.construct((long(self.n), long(self.e)))
return rsa.verify(hash, (sig,))
- def sign_ssh_data(self, data):
+ def sign_ssh_data(self, randpool, data):
hash = SHA.new(data).digest()
rsa = RSA.construct((long(self.n), long(self.e), long(self.d)))
sig = deflate_long(rsa.sign(self.pkcs1imify(hash), '')[0], 0)
@@ -61,24 +64,19 @@ class RSAKey(object):
return str(m)
def read_private_key_file(self, filename):
+ "throws a file exception, or SSHException (on invalid key), or base64 decoding exception"
# private key file contains:
# RSAPrivateKey = { version = 0, n, e, d, p, q, d mod p-1, d mod q-1, q**-1 mod p }
self.valid = 0
- try:
- f = open(filename, 'r')
- lines = f.readlines()
- f.close()
- except:
- return
+ f = open(filename, 'r')
+ lines = f.readlines()
+ f.close()
if lines[0].strip() != '-----BEGIN RSA PRIVATE KEY-----':
- return
- try:
- data = base64.decodestring(''.join(lines[1:-1]))
- except:
- return
+ raise SSHException('not a valid DSA private key file')
+ data = base64.decodestring(''.join(lines[1:-1]))
keylist = BER(data).decode()
if (type(keylist) != type([])) or (len(keylist) < 4) or (keylist[0] != 0):
- return
+ raise SSHException('not a valid DSA private key file (bad ber encoding)')
self.n = keylist[1]
self.e = keylist[2]
self.d = keylist[3]
@@ -98,5 +96,5 @@ class RSAKey(object):
m.add_boolean(1)
m.add_string('ssh-rsa')
m.add_string(str(self))
- return self.sign_ssh_data(str(m))
+ return self.sign_ssh_data(randpool, str(m))
diff --git a/transport.py b/transport.py
index 9e439344..a646b58f 100644
--- a/transport.py
+++ b/transport.py
@@ -532,7 +532,7 @@ class BaseTransport(threading.Thread):
m.add_byte(chr(MSG_KEXINIT))
m.add_bytes(randpool.get_bytes(16))
m.add(','.join(self.preferred_kex))
- m.add(','.join(self.available_server_keys))
+ m.add(','.join(available_server_keys))
m.add(','.join(self.preferred_ciphers))
m.add(','.join(self.preferred_ciphers))
m.add(','.join(self.preferred_macs))