22 MSG_USERAUTH_REQUEST = 50,
27 MSG_USERAUTH_PK_OK = 60,
28 MSG_USERAUTH_INFO_REQUEST = 60,
29 MSG_USERAUTH_INFO_RESPONSE = 61,
31 MSG_GLOBAL_REQUEST = 80,
35 MSG_CHANNEL_OPEN = 90,
36 MSG_CHANNEL_OPEN_CONFIRMATION,
37 MSG_CHANNEL_OPEN_FAILURE,
38 MSG_CHANNEL_WINDOW_ADJUST,
40 MSG_CHANNEL_EXTENDED_DATA,
50 Overhead = 256, // enougth for MSG_CHANNEL_DATA header
52 WinPackets = 8, // (1<<15) * 8 = 256K
70 uchar b[Overhead + MaxPacket];
79 char thumb[2*SHA2_256dlen+1];
81 int fd, intr, raw, debug;
82 char *user, *service, *status, *host, *cmd;
90 recv.eof = send.eof = 1;
92 postnote(PNPROC, send.pid, "shutdown");
96 catch(void*, char *msg)
98 if(strstr(msg, "interrupt") != nil){
113 memset(err, 0, sizeof(err));
114 errstr(err, sizeof(err));
115 r = strstr(err, "interrupt") != nil;
116 errstr(err, sizeof(err));
120 #define PUT4(p, u) (p)[0] = (u)>>24, (p)[1] = (u)>>16, (p)[2] = (u)>>8, (p)[3] = (u)
121 #define GET4(p) (u32int)(p)[3] | (u32int)(p)[2]<<8 | (u32int)(p)[1]<<16 | (u32int)(p)[0]<<24
124 vpack(uchar *p, int n, char *fmt, va_list a)
126 uchar *p0 = p, *e = p+n;
137 if(++p > e) goto err;
140 *va_arg(a, void**) = p;
144 *p++ = va_arg(a, int);
147 m = va_arg(a, mpint*);
148 u = (mpsignif(m)+8)/8;
149 if(p+4 > e) goto err;
151 if(u > e-p) goto err;
152 mptober(m, p, u), p += u;
156 s = va_arg(a, void*);
159 if(p+4 > e) goto err;
162 if(u > e-p) goto err;
168 if(p+4 > e) goto err;
178 vunpack(uchar *p, int n, char *fmt, va_list a)
180 uchar *p0 = p, *e = p+n;
190 if(++p > e) goto err;
193 *va_arg(a, void**) = p;
197 *va_arg(a, int*) = *p++;
200 if(p+4 > e) goto err;
202 if(u > e-p) goto err;
203 m = va_arg(a, mpint*);
204 betomp(p, u, m), p += u;
207 if(p+4 > e) goto err;
209 if(u > e-p) goto err;
210 *va_arg(a, void**) = p;
211 *va_arg(a, int*) = u;
215 s = va_arg(a, void*);
217 if(u > e-p) goto err;
222 if(p+4 > e) goto err;
224 *va_arg(a, int*) = u;
234 pack(uchar *p, int n, char *fmt, ...)
238 n = vpack(p, n, fmt, a);
243 unpack(uchar *p, int n, char *fmt, ...)
247 n = vunpack(p, n, fmt, a);
253 setupcs(Oneway *c, uchar otk[32])
258 pack(iv, sizeof(iv), "uu", 0, c->seq);
259 chacha_setiv(&c->cs1, iv);
260 chacha_setiv(&c->cs2, iv);
261 chacha_setblock(&c->cs1, 0);
262 chacha_setblock(&c->cs2, 0);
263 chacha_encrypt(otk, 32, &c->cs2);
267 sendpkt(char *fmt, ...)
269 static uchar buf[sizeof(send.b)];
274 n = vpack(send.b, sizeof(send.b), fmt, a);
277 toobig: sysfatal("sendpkt: message too big");
284 fprint(2, "sendpkt: (%d) %.*H\n", send.r[0], (int)(send.w-send.r), send.r);
288 pad = ChachaBsize - ((5+n) % ChachaBsize) + 4;
290 for(pad=4; (5+n+pad) % 8; pad++)
294 n = pack(buf, sizeof(buf)-16, "ub[[", 1+n+pad, pad, send.b, n, send.w, pad);
295 if(n < 0) goto toobig;
300 chacha_encrypt(buf, 4, &send.cs1);
301 chacha_encrypt(buf+4, n-4, &send.cs2);
302 poly1305(buf, n, otk, sizeof(otk), buf+n, nil);
306 if(write(fd, buf, n) != n)
307 sysfatal("write: %r");
313 readall(int fd, uchar *data, int len)
317 for(tot = 0; tot < len; tot += n){
318 n = read(fd, data+tot, len-tot);
320 if(n < 0 && wasintr()){
334 uchar otk[32], tag[16];
335 DigestState *ds = nil;
338 if(readall(fd, recv.b, 4) != 4)
339 sysfatal("read1: %r");
342 ds = poly1305(recv.b, 4, otk, sizeof(otk), nil, nil);
343 chacha_encrypt(recv.b, 4, &recv.cs1);
344 unpack(recv.b, 4, "u", &n);
347 unpack(recv.b, 4, "u", &n);
349 if(n < 8 || n > sizeof(recv.b)){
350 badlen: sysfatal("bad length %d", n);
352 if(readall(fd, recv.b, n) != n)
353 sysfatal("read2: %r");
356 if(n < 0) goto badlen;
357 poly1305(recv.b, n, otk, sizeof(otk), tag, ds);
358 if(tsmemcmp(tag, recv.b+n, 16) != 0)
360 chacha_encrypt(recv.b, n, &recv.cs2);
363 if(n < 1) goto badlen;
370 fprint(2, "recvpkt: (%d) %.*H\n", recv.r[0], (int)(recv.w-recv.r), recv.r);
375 static char sshrsa[] = "ssh-rsa";
378 rsapub2ssh(RSApub *rsa, uchar *data, int len)
380 return pack(data, len, "smm", sshrsa, sizeof(sshrsa)-1, rsa->ek, rsa->n);
384 ssh2rsapub(uchar *data, int len)
393 if(unpack(data, len, "smm", &s, &n, pub->ek, pub->n) < 0
394 || n != sizeof(sshrsa)-1 || memcmp(s, sshrsa, n) != 0){
402 rsasig2ssh(RSApub *pub, mpint *S, uchar *data, int len)
404 int l = (mpsignif(pub->n)+7)/8;
407 mptober(S, data+4+7+4, l);
408 return pack(data, len, "ss", sshrsa, sizeof(sshrsa)-1, data+4+7+4, l);
412 ssh2rsasig(uchar *data, int len)
419 if(unpack(data, len, "sm", &s, &n, m) < 0
420 || n != sizeof(sshrsa)-1 || memcmp(s, sshrsa, n) != 0){
428 extern mpint* pkcs1padbuf(uchar *buf, int len, mpint *modulus, int blocktype);
429 extern int asn1encodedigest(DigestState* (*fun)(uchar*, ulong, uchar*, DigestState*),
430 uchar *digest, uchar *buf, int len);
433 pkcs1digest(uchar *data, int len, RSApub *pub)
435 uchar digest[SHA1dlen], buf[256];
437 sha1(data, len, digest, nil);
438 return pkcs1padbuf(buf, asn1encodedigest(sha1, digest, buf, sizeof(buf)), pub->n, 1);
442 pkcs1verify(uchar *data, int len, RSApub *pub, mpint *S)
447 V = pkcs1digest(data, len, pub);
450 rsaencrypt(pub, S, S);
451 ret = mpcmp(V, S) == 0;
458 hashstr(void *data, ulong len, DigestState *ds)
461 pack(l, 4, "u", len);
462 return sha2_256((uchar*)data, len, nil, sha2_256(l, 4, nil, ds));
466 kdf(uchar *k, int nk, uchar *h, char x, uchar *out, int len)
468 uchar digest[SHA2_256dlen], *out0;
472 ds = hashstr(k, nk, nil);
473 ds = sha2_256(h, sizeof(digest), nil, ds);
474 ds = sha2_256((uchar*)&x, 1, nil, ds);
475 sha2_256(sid, nsid, digest, ds);
478 if(n > sizeof(digest))
480 memmove(out, digest, n);
485 ds = hashstr(k, nk, nil);
486 ds = sha2_256(h, sizeof(digest), nil, ds);
487 sha2_256(out0, out-out0, digest, ds);
494 static char kexalgs[] = "curve25519-sha256,curve25519-sha256@libssh.org";
495 static char hostkeyalgs[] = "ssh-rsa";
496 static char cipheralgs[] = "chacha20-poly1305@openssh.com";
497 static char zipalgs[] = "none";
498 static char macalgs[] = "";
499 static char langs[] = "";
501 uchar cookie[16], x[32], yc[32], z[32], k[32+1], h[SHA2_256dlen], *ys, *ks, *sig;
502 uchar k12[2*ChachaKeylen];
503 int i, nk, nys, nks, nsig;
508 ds = hashstr(send.v, strlen(send.v), nil);
509 ds = hashstr(recv.v, strlen(recv.v), ds);
511 genrandom(cookie, sizeof(cookie));
512 sendpkt("b[ssssssssssbu", MSG_KEXINIT,
513 cookie, sizeof(cookie),
514 kexalgs, sizeof(kexalgs)-1,
515 hostkeyalgs, sizeof(hostkeyalgs)-1,
516 cipheralgs, sizeof(cipheralgs)-1,
517 cipheralgs, sizeof(cipheralgs)-1,
518 macalgs, sizeof(macalgs)-1,
519 macalgs, sizeof(macalgs)-1,
520 zipalgs, sizeof(zipalgs)-1,
521 zipalgs, sizeof(zipalgs)-1,
522 langs, sizeof(langs)-1,
523 langs, sizeof(langs)-1,
526 ds = hashstr(send.r, send.w-send.r, ds);
529 Next0: switch(recvpkt()){
537 ds = hashstr(recv.r, recv.w-recv.r, ds);
541 "kexalgs", "hostalgs",
542 "cipher1", "cipher2",
548 uchar *p = recv.r+17;
550 for(t=tab; *t != nil; t++){
551 if(unpack(p, recv.w-p, "s.", &s, &n, &p) < 0)
553 fprint(2, "%s: %.*s\n", *t, n, s);
557 curve25519_dh_new(x, yc);
560 sendpkt("bs", MSG_ECDH_INIT, yc, sizeof(yc));
561 Next1: switch(recvpkt()){
566 sysfatal("inception");
568 if(unpack(recv.r, recv.w-recv.r, "_sss", &ks, &nks, &ys, &nys, &sig, &nsig) < 0)
569 sysfatal("bad ECDH_REPLY");
574 sysfatal("bad server ECDH ephermal public key length");
576 ds = hashstr(ks, nks, ds);
577 ds = hashstr(yc, 32, ds);
578 ds = hashstr(ys, 32, ds);
580 sha2_256(ks, nks, h, nil);
581 i = snprint(thumb, sizeof(thumb), "%.*[", sizeof(h), h);
582 while(i > 0 && thumb[i-1] == '=')
586 fprint(2, "host fingerprint: %s\n", thumb);
588 if((pub = ssh2rsapub(ks, nks)) == nil)
589 sysfatal("bad server public key");
590 if((S = ssh2rsasig(sig, nsig)) == nil)
591 sysfatal("bad server signature");
593 curve25519_dh_finish(x, ys, z);
595 K = betomp(z, 32, nil);
596 nk = (mpsignif(K)+8)/8;
600 ds = hashstr(k, nk, ds);
601 sha2_256(nil, 0, h, ds);
602 if(!pkcs1verify(h, sizeof(h), pub, S))
603 sysfatal("server verification failed");
607 sendpkt("b", MSG_NEWKEYS);
608 Next2: switch(recvpkt()){
613 sysfatal("inception");
618 /* next key exchange */
619 recv.kex = recv.seq + 100000;
620 send.kex = send.seq + 100000;
623 memmove(sid, h, nsid = sizeof(h));
625 kdf(k, nk, h, 'C', k12, sizeof(k12));
626 setupChachastate(&send.cs1, k12+1*ChachaKeylen, ChachaKeylen, nil, 64/8, 20);
627 setupChachastate(&send.cs2, k12+0*ChachaKeylen, ChachaKeylen, nil, 64/8, 20);
629 kdf(k, nk, h, 'D', k12, sizeof(k12));
630 setupChachastate(&recv.cs1, k12+1*ChachaKeylen, ChachaKeylen, nil, 64/8, 20);
631 setupChachastate(&recv.cs2, k12+0*ChachaKeylen, ChachaKeylen, nil, 64/8, 20);
634 static char *authnext;
639 int ok = authnext == nil || strstr(authnext, meth) != nil;
641 fprint(2, "userauth %s %s\n", meth, ok ? "ok" : "skipped");
646 authfailure(char *meth)
651 if(unpack(recv.r, recv.w-recv.r, "_sb", &s, &n, &partial) < 0)
652 sysfatal("bad auth failure response");
654 authnext = smprint("%.*s", n, s);
656 fprint(2, "userauth %s failed: partial=%d, next=%s\n", meth, partial, authnext);
657 return partial != 0 || !authok(meth);
663 static char authmeth[] = "publickey";
665 uchar pk[4096], sig[4096];
674 if(!authok(authmeth))
677 if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
679 if((rpc = auth_allocrpc(afd)) == nil){
684 s = "proto=rsa service=ssh role=client";
685 if(auth_rpc(rpc, "start", s, strlen(s)) != ARok){
695 while(auth_rpc(rpc, "read", nil, 0) == ARok){
697 if(strtomp(s, &s, 16, pub->n) == nil)
701 if(strtomp(s, nil, 16, pub->ek) == nil)
703 npk = rsapub2ssh(pub, pk, sizeof(pk));
705 sendpkt("bsssbss", MSG_USERAUTH_REQUEST,
707 service, strlen(service),
708 authmeth, sizeof(authmeth)-1,
710 sshrsa, sizeof(sshrsa)-1,
712 Next1: switch(recvpkt()){
716 case MSG_USERAUTH_FAILURE:
717 if(authfailure(authmeth))
720 case MSG_USERAUTH_SUCCESS:
721 case MSG_USERAUTH_PK_OK:
725 /* sign sid and the userauth request */
726 n = pack(send.b, sizeof(send.b), "sbsssbss",
728 MSG_USERAUTH_REQUEST,
730 service, strlen(service),
731 authmeth, sizeof(authmeth)-1,
733 sshrsa, sizeof(sshrsa)-1,
735 S = pkcs1digest(send.b, n, pub);
736 n = snprint((char*)send.b, sizeof(send.b), "%B", S);
739 if(auth_rpc(rpc, "write", (char*)send.b, n) != ARok)
741 if(auth_rpc(rpc, "read", nil, 0) != ARok)
744 S = strtomp(rpc->arg, nil, 16, nil);
745 nsig = rsasig2ssh(pub, S, sig, sizeof(sig));
748 /* send final userauth request with the signature */
749 sendpkt("bsssbsss", MSG_USERAUTH_REQUEST,
751 service, strlen(service),
752 authmeth, sizeof(authmeth)-1,
754 sshrsa, sizeof(sshrsa)-1,
757 Next2: switch(recvpkt()){
761 case MSG_USERAUTH_FAILURE:
762 if(authfailure(authmeth))
765 case MSG_USERAUTH_SUCCESS:
783 static char authmeth[] = "password";
786 if(!authok(authmeth))
789 up = auth_getuserpasswd(auth_getkey, "proto=pass servive=ssh user=%q server=%q thumb=%q",
794 sendpkt("bsssbs", MSG_USERAUTH_REQUEST,
796 service, strlen(service),
797 authmeth, sizeof(authmeth)-1,
799 up->passwd, strlen(up->passwd));
801 memset(up->passwd, 0, strlen(up->passwd));
804 Next0: switch(recvpkt()){
808 case MSG_USERAUTH_FAILURE:
809 werrstr("wrong password");
810 authfailure(authmeth);
812 case MSG_USERAUTH_SUCCESS:
820 static char authmeth[] = "keyboard-interactive";
822 char *name, *inst, *s, *a;
827 if(!authok(authmeth))
830 sendpkt("bsssss", MSG_USERAUTH_REQUEST,
832 service, strlen(service),
833 authmeth, sizeof(authmeth)-1,
837 Next0: switch(recvpkt()){
841 case MSG_USERAUTH_FAILURE:
842 authfailure(authmeth);
844 case MSG_USERAUTH_SUCCESS:
846 case MSG_USERAUTH_INFO_REQUEST:
850 if((fd = open("/dev/cons", OWRITE)) < 0)
853 if(unpack(recv.r, recv.w-recv.r, "_ss.", &name, &n, &inst, &m, &recv.r) < 0)
854 sysfatal("bad info request: name, inst");
856 while(n > 0 && strchr("\r\n\t ", name[n-1]) != nil)
858 while(m > 0 && strchr("\r\n\t ", inst[m-1]) != nil)
862 fprint(fd, "%.*s\n", n, name);
864 fprint(fd, "%.*s\n", m, inst);
867 if(unpack(recv.r, recv.w-recv.r, "su.", &s, &n, &nquest, &recv.r) < 0)
868 sysfatal("bad info request: lang, #quest");
871 for(i = 0; i < nquest; i++){
872 if(unpack(recv.r, recv.w-recv.r, "sb.", &s, &n, &echo, &recv.r) < 0)
873 sysfatal("bad info request: question [%d]", i);
875 while(n > 0 && strchr("\r\n\t :", s[n-1]) != nil)
879 if((a = readcons(s, nil, !echo)) == nil)
880 sysfatal("readcons: %r");
884 if((s = realloc(ans, n + m)) == nil)
885 sysfatal("realloc: %r");
888 answ += pack(answ, m, "s", a, m-4);
891 sendpkt("bu[", MSG_USERAUTH_INFO_RESPONSE, i, ans, answ - ans);
895 Next1: switch(recvpkt()){
899 case MSG_USERAUTH_INFO_REQUEST:
901 case MSG_USERAUTH_FAILURE:
902 authfailure(authmeth);
904 case MSG_USERAUTH_SUCCESS:
918 case MSG_GLOBAL_REQUEST:
921 if(unpack(recv.r, recv.w-recv.r, "_us", &c, &s, &n) < 0)
923 sysfatal("disconnect: (%d) %.*s", c, n, s);
926 if(unpack(recv.r, recv.w-recv.r, "__sb", &s, &n, &c) < 0)
928 if(c != 0 || debug) fprint(2, "%s: %.*s\n", argv0, n, s);
930 case MSG_USERAUTH_BANNER:
931 if(unpack(recv.r, recv.w-recv.r, "_s", &s, &n) < 0)
933 if(raw) write(2, s, n);
935 case MSG_CHANNEL_DATA:
936 if(unpack(recv.r, recv.w-recv.r, "_us", &c, &s, &n) < 0)
940 if(write(1, s, n) != n)
941 sysfatal("write out: %r");
944 if(recv.win < recv.pkt){
945 n = WinPackets*recv.pkt;
947 sendpkt("buu", MSG_CHANNEL_WINDOW_ADJUST, send.chan, n);
950 case MSG_CHANNEL_EXTENDED_DATA:
951 if(unpack(recv.r, recv.w-recv.r, "_uus", &c, &b, &s, &n) < 0)
955 if(b == 1) write(2, s, n);
957 case MSG_CHANNEL_WINDOW_ADJUST:
958 if(unpack(recv.r, recv.w-recv.r, "_uu", &c, &n) < 0)
963 if(send.win >= send.pkt)
966 case MSG_CHANNEL_REQUEST:
967 if(unpack(recv.r, recv.w-recv.r, "_usb.", &c, &s, &n, &b, &p) < 0)
971 if(n == 11 && memcmp(s, "exit-signal", n) == 0){
972 if(unpack(p, recv.w-p, "s", &s, &n) < 0)
974 if(n != 0 && status == nil)
975 status = smprint("%.*s", n, s);
976 } else if(n == 11 && memcmp(s, "exit-status", n) == 0){
977 if(unpack(p, recv.w-p, "u", &n) < 0)
979 if(n != 0 && status == nil)
980 status = smprint("%d", n);
982 fprint(2, "%s: channel request: %.*s\n", argv0, n, s);
985 case MSG_CHANNEL_EOF:
987 if(!raw) write(1, "", 0);
989 case MSG_CHANNEL_CLOSE:
996 sysfatal("got: %.*H", (int)(recv.w - recv.r), recv.r);
1004 for(p = send.b; p < &send.b[sizeof(send.b)-1]; p++){
1006 if(read(fd, p, 1) != 1 || *p == '\n')
1009 while(p >= send.b && (*p == '\n' || *p == '\r'))
1011 return (char*)send.b;
1035 if(open("/dev/cons", OREAD) != 0)
1036 sysfatal("open: %r");
1038 if(open("/dev/cons", OWRITE) != 1)
1039 sysfatal("open: %r");
1041 if((ctl = open("/dev/consctl", OWRITE)) >= 0)
1042 write(ctl, "rawon", 5);
1043 if(s = getenv("TERM")){
1045 if(s = getenv("XPIXELS")){
1046 tty.xpixels = atoi(s);
1049 if(s = getenv("YPIXELS")){
1050 tty.ypixels = atoi(s);
1053 if(s = getenv("LINES")){
1054 tty.lines = atoi(s);
1057 if(s = getenv("COLS")){
1067 fprint(2, "usage: %s [-dR] [-u user] [user@]host [cmd]\n", argv0);
1072 main(int argc, char *argv[])
1079 fmtinstall('B', mpfmt);
1080 fmtinstall('H', encodefmt);
1081 fmtinstall('[', encodefmt);
1084 raw = s != nil && strcmp(s, "dumb") != 0;
1095 user = EARGF(usage());
1104 s = strchr(host, '@');
1111 for(cmd = nil; *argv != nil; argv++){
1113 cmd = strdup(*argv);
1115 s = smprint("%s %q", cmd, *argv);
1123 if((fd = dial(netmkaddr(host, nil, "ssh"), nil, nil, nil)) < 0)
1124 sysfatal("dial: %r");
1126 send.v = "SSH-2.0-(9)";
1127 fprint(fd, "%s\r\n", send.v);
1128 recv.v = readline();
1130 fprint(2, "server verison: %s\n", recv.v);
1131 if(strncmp("SSH-2.0-", recv.v, 8) != 0)
1132 sysfatal("bad server version: %s", recv.v);
1133 recv.v = strdup(recv.v);
1135 send.l = recv.l = &sl;
1141 service = "ssh-connection";
1143 sendpkt("bs", MSG_SERVICE_REQUEST, "ssh-userauth", 12);
1144 Next0: switch(recvpkt()){
1148 case MSG_SERVICE_ACCEPT:
1152 if(pubkeyauth() < 0 && passauth() < 0 && kbintauth() < 0)
1153 sysfatal("auth: %r");
1155 recv.pkt = MaxPacket;
1156 recv.win = WinPackets*recv.pkt;
1159 /* open hailing frequencies */
1160 sendpkt("bsuuu", MSG_CHANNEL_OPEN,
1166 Next1: switch(recvpkt()){
1170 case MSG_CHANNEL_OPEN_FAILURE:
1171 if(unpack(recv.r, recv.w-recv.r, "_uus", &c, &b, &s, &n) < 0)
1172 n = strlen(s = "???");
1173 sysfatal("channel open failure: (%d) %.*s", b, n, s);
1174 case MSG_CHANNEL_OPEN_CONFIRMATION:
1178 if(unpack(recv.r, recv.w-recv.r, "_uuuu", &recv.chan, &send.chan, &send.win, &send.pkt) < 0)
1179 sysfatal("bad channel open confirmation");
1180 if(send.pkt <= 0 || send.pkt > MaxPacket)
1181 send.pkt = MaxPacket;
1186 recv.pid = getpid();
1187 n = rfork(RFPROC|RFMEM);
1189 sysfatal("fork: %r");
1191 /* parent reads and dispatches packets */
1194 while((send.eof|recv.eof) == 0){
1198 if((int)(send.kex - send.seq) <= 0 || (int)(recv.kex - recv.seq) <= 0)
1205 /* child reads input and sends packets */
1209 sendpkt("busbsuuuus", MSG_CHANNEL_REQUEST,
1213 tty.term, strlen(tty.term),
1221 sendpkt("busb", MSG_CHANNEL_REQUEST,
1226 sendpkt("busbs", MSG_CHANNEL_REQUEST,
1233 static uchar buf[MaxPacket];
1235 n = read(0, buf, send.pkt);
1239 if(n < 0 && wasintr()){
1241 sendpkt("busbs", MSG_CHANNEL_REQUEST,
1254 sendpkt("bus", MSG_CHANNEL_DATA,
1259 sendpkt("bu", raw ? MSG_CHANNEL_CLOSE : MSG_CHANNEL_EOF, send.chan);