ssh-rs 0.5.0

In addition to encryption library, pure RUST implementation of SSH-2.0 client protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

use super::hash_ctx::HashCtx;
use crate::algorithm::hash;
use crate::algorithm::hash::HashType;
use crate::constant;

/// <https://www.rfc-editor.org/rfc/rfc4253#section-7.2>
///
/// The key exchange produces two values: a shared secret K, and an
/// exchange hash H.  Encryption and authentication keys are derived from
/// these.  The exchange hash H from the first key exchange is
/// additionally used as the session identifier, which is a unique
/// identifier for this connection.  It is used by authentication methods
/// as a part of the data that is signed as a proof of possession of a
/// private key.  Once computed, the session identifier is not changed,
/// even if keys are later re-exchanged.

/// Each key exchange method specifies a hash function that is used in
/// the key exchange.  The same hash algorithm MUST be used in key
/// derivation.  Here, we'll call it HASH.

/// Encryption keys MUST be computed as HASH, of a known value and K, as
/// follows:

/// o  Initial IV client to server: HASH(K || H || "A" || session_id)
///    (Here K is encoded as mpint and "A" as byte and session_id as raw
///    data.  "A" means the single character A, ASCII 65).

/// o  Initial IV server to client: HASH(K || H || "B" || session_id)

/// o  Encryption key client to server: HASH(K || H || "C" || session_id)

/// o  Encryption key server to client: HASH(K || H || "D" || session_id)

/// o  Integrity key client to server: HASH(K || H || "E" || session_id)

/// o  Integrity key server to client: HASH(K || H || "F" || session_id)

/// Key data MUST be taken from the beginning of the hash output.  As
/// many bytes as needed are taken from the beginning of the hash value.
/// If the key length needed is longer than the output of the HASH, the
/// key is extended by computing HASH of the concatenation of K and H and
/// the entire key so far, and appending the resulting bytes (as many as
/// HASH generates) to the key.  This process is repeated until enough
/// key material is available; the key is taken from the beginning of
/// this value.  In other words:

///    K1 = HASH(K || H || X || session_id)   (X is e.g., "A")
///    K2 = HASH(K || H || K1)
///    K3 = HASH(K || H || K1 || K2)
///    ...
///    key = K1 || K2 || K3 || ...

/// This process will lose entropy if the amount of entropy in K is
/// larger than the internal state size of HASH.
pub struct Hash {
    /// reandom number used once
    pub iv_c_s: Vec<u8>,
    pub iv_s_c: Vec<u8>,

    /// key used for data exchange
    pub ek_c_s: Vec<u8>,
    pub ek_s_c: Vec<u8>,

    /// key used for hmac
    pub ik_c_s: Vec<u8>,
    pub ik_s_c: Vec<u8>,

    hash_type: HashType,
    hash_ctx: HashCtx,
}

impl Hash {
    pub fn new(hash_ctx: HashCtx, session_id: &[u8], hash_type: HashType) -> Self {
        let k = hash_ctx.k.as_slice();
        let h = hash::digest(&hash_ctx.as_bytes(), hash_type);
        let mut keys = vec![];
        for v in constant::ALPHABET {
            keys.push(Hash::mix(k, &h, v, session_id, hash_type));
        }
        Hash {
            iv_c_s: keys[0].clone(),
            iv_s_c: keys[1].clone(),

            ek_c_s: keys[2].clone(),
            ek_s_c: keys[3].clone(),

            ik_c_s: keys[4].clone(),
            ik_s_c: keys[5].clone(),

            hash_type,
            hash_ctx,
        }
    }

    fn mix(k: &[u8], h: &[u8], key_char: u8, session_id: &[u8], hash_type: HashType) -> Vec<u8> {
        let mut key: Vec<u8> = Vec::new();
        key.extend(k);
        key.extend(h);
        key.push(key_char);
        key.extend(session_id);
        hash::digest(key.as_slice(), hash_type)
    }

    pub fn mix_ek(&self, key_size: usize) -> (Vec<u8>, Vec<u8>) {
        let mut ck = self.ek_c_s.to_vec();
        let mut sk = self.ek_s_c.to_vec();
        while key_size > ck.len() {
            ck.extend(self.extend(ck.as_slice()));
            sk.extend(self.extend(sk.as_slice()));
        }
        (ck, sk)
    }

    pub fn mix_ik(&self, key_size: usize) -> (Vec<u8>, Vec<u8>) {
        let mut ck = self.ik_c_s.to_vec();
        let mut sk = self.ik_s_c.to_vec();
        while key_size > ck.len() {
            ck.extend(self.extend(ck.as_slice()));
            sk.extend(self.extend(sk.as_slice()));
        }
        (ck, sk)
    }

    fn extend(&self, key: &[u8]) -> Vec<u8> {
        let k = self.hash_ctx.k.clone();
        let h = hash::digest(self.hash_ctx.as_bytes().as_slice(), self.hash_type);
        let mut hash: Vec<u8> = Vec::new();
        hash.extend(k);
        hash.extend(h);
        hash.extend(key);
        hash::digest(hash.as_slice(), self.hash_type)
    }
}