Add SFTP support

.git-blame-ignore-revs

@@ -0,0 +1,4 @@
+# Refactor code to use lazy logging
+ef9c3a141a76a9d86f1fbb8d1183d62b44c3c146
+0ecd981eabda518bd1dcc5a5595186d64f6f8836
+3d40f371eb823aa7463882eeedd71486d8959346

.gitignore

@@ -21,3 +21,13 @@ nbactions.xml
 # VS Code
 .factorypath
 .vscode
+
+### IntelliJ IDEA ###
+.idea/*
+!.idea/inspectionProfiles
+!.idea/runConfigurations
+*.iws
+*.iml
+*.ipr
+
+

Attacks/src/main/java/de/rub/nds/sshattacker/attacks/general/KeyFetcher.java

@@ -67,9 +67,7 @@ private static RSAPublicKey fetchRsaTransientKey(Config config, int attempt, int
         } catch (IOException e) {
             if (attempt < maxAttempts) {
                 LOGGER.debug(
-                        String.format(
-                                "Encountered IOException on socket in attempt %d, retrying...",
-                                attempt));
+                        "Encountered IOException on socket in attempt {}, retrying...", attempt);
                 return fetchRsaTransientKey(config, attempt + 1, maxAttempts);
             } else {
                 LOGGER.warn("Could not fetch server's RSA host key, encountered IOException");
@@ -87,10 +85,7 @@ private static RSAPublicKey fetchRsaTransientKey(Config config, int attempt, int
                     .getPublicKey();
         } else {
             if (attempt < maxAttempts) {
-                LOGGER.debug(
-                        String.format(
-                                "Did not receive PubkeyMessage in attempt %d, retrying...",
-                                attempt));
+                LOGGER.debug("Did not receive PubkeyMessage in attempt {}, retrying...", attempt);
                 return fetchRsaTransientKey(config, attempt + 1, maxAttempts);
             } else {
                 LOGGER.warn(

Attacks/src/main/java/de/rub/nds/sshattacker/attacks/impl/MangerAttacker.java

@@ -266,10 +266,9 @@ private RSAPublicKey getServerPublicKey() {
             return null;
         }
         LOGGER.info(
-                String.format(
-                        "Fetched server public key with exponent %s and modulus: %s",
-                        publicKey.getPublicExponent().toString(16),
-                        publicKey.getModulus().toString(16)));
+                "Fetched server public key with exponent {} and modulus: {}",
+                publicKey.getPublicExponent().toString(16),
+                publicKey.getModulus().toString(16));
         return publicKey;
     }
 
@@ -330,10 +329,9 @@ public void executeAttack() {
         }
 
         LOGGER.info(
-                String.format(
-                        "Fetched server public key with exponent %s and modulus: %s",
-                        publicKey.getPublicExponent().toString(16),
-                        publicKey.getModulus().toString(16)));
+                "Fetched server public key with exponent {} and modulus: {}",
+                publicKey.getPublicExponent().toString(16),
+                publicKey.getModulus().toString(16));
         byte[] encryptedSecret = ArrayConverter.hexStringToByteArray(config.getEncryptedSecret());
         if (encryptedSecret.length * Byte.SIZE != publicKey.getModulus().bitLength()) {
             throw new ConfigurationException(

Attacks/src/main/java/de/rub/nds/sshattacker/attacks/pkcs1/Manger.java

@@ -40,7 +40,7 @@ public Manger(byte[] msg, Pkcs1Oracle pkcsOracle) {
         tmp = (MathHelper.intCeilDiv(tmp, 8) - 1) * 8;
         bigB = BigInteger.ONE.shiftLeft(tmp);
         c0 = new BigInteger(1, encryptedMsg);
-        LOGGER.debug("b: {}", ArrayConverter.bytesToHexString(bigB.toByteArray()));
+        LOGGER.debug("b: {}", () -> ArrayConverter.bytesToHexString(bigB.toByteArray()));
     }
 
     /**
@@ -66,7 +66,8 @@ public void attack() throws OracleException {
         }
 
         LOGGER.debug(
-                "Ciphertext after step 0: {}", ArrayConverter.bytesToHexString(c0.toByteArray()));
+                "Ciphertext after step 0: {}",
+                () -> ArrayConverter.bytesToHexString(c0.toByteArray()));
 
         LOGGER.debug("Step 1");
         BigInteger f1 = new BigInteger("2");
@@ -124,9 +125,10 @@ public void attack() throws OracleException {
         }
 
         if (!interrupted) {
+            BigInteger finalMmin = mmin;
             LOGGER.debug(
                     "Manger's attack solution (before inverse computation, if any): {}",
-                    ArrayConverter.bytesToHexString(mmin.toByteArray()));
+                    () -> ArrayConverter.bytesToHexString(finalMmin.toByteArray()));
 
             if (fx.equals(BigInteger.ONE)) {
                 solution = mmin;
@@ -136,7 +138,7 @@ public void attack() throws OracleException {
             }
             LOGGER.debug(
                     "Manger's attack solution (after inverse computation, if any): {}",
-                    ArrayConverter.bytesToHexString(solution.toByteArray()));
+                    () -> ArrayConverter.bytesToHexString(solution.toByteArray()));
         }
     }
 

Attacks/src/main/java/de/rub/nds/sshattacker/attacks/pkcs1/MangerWorkflowGenerator.java

@@ -7,8 +7,7 @@
  */
 package de.rub.nds.sshattacker.attacks.pkcs1;
 
-import de.rub.nds.modifiablevariable.bytearray.ByteArrayModificationFactory;
-import de.rub.nds.modifiablevariable.bytearray.ModifiableByteArray;
+import de.rub.nds.modifiablevariable.util.Modifiable;
 import de.rub.nds.sshattacker.core.config.Config;
 import de.rub.nds.sshattacker.core.constants.RunningModeType;
 import de.rub.nds.sshattacker.core.protocol.transport.message.KeyExchangeInitMessage;
@@ -39,10 +38,7 @@ public static WorkflowTrace generateWorkflow(Config sshConfig, byte[] encryptedS
         trace.addSshAction(
                 new ReceiveAction(new KeyExchangeInitMessage(), new RsaKeyExchangePubkeyMessage()));
         RsaKeyExchangeSecretMessage secretMessage = new RsaKeyExchangeSecretMessage();
-        ModifiableByteArray encryptedSecretArray = new ModifiableByteArray();
-        encryptedSecretArray.setModification(
-                ByteArrayModificationFactory.explicitValue(encryptedSecret));
-        secretMessage.setEncryptedSecret(encryptedSecretArray, true);
+        secretMessage.setEncryptedSecret(Modifiable.explicit(encryptedSecret), true);
         trace.addSshAction(new SendAction(secretMessage));
         trace.addSshAction(new ReceiveAction());
         return trace;

Attacks/src/main/java/de/rub/nds/sshattacker/attacks/pkcs1/Pkcs1VectorGenerator.java

@@ -167,7 +167,7 @@ private static byte[] getSecretWrongFirstByte(
         paddedSecret[0] = (byte) 1;
         LOGGER.debug(
                 "Generated a PKCS1 padded message with a wrong first byte: {}",
-                ArrayConverter.bytesToHexString(paddedSecret));
+                () -> ArrayConverter.bytesToHexString(paddedSecret));
         return paddedSecret;
     }
 
@@ -178,7 +178,7 @@ private static byte[] getSecretWrongSecondByte(
         paddedSecret[1] = (byte) (paddedSecret[1] ^ (byte) 255);
         LOGGER.debug(
                 "Generated a PKCS1 padded message with a wrong second byte: {}",
-                ArrayConverter.bytesToHexString(paddedSecret));
+                () -> ArrayConverter.bytesToHexString(paddedSecret));
         return paddedSecret;
     }
 

Attacks/src/main/java/de/rub/nds/sshattacker/attacks/pkcs1/util/OaepConverter.java

@@ -10,6 +10,7 @@
 import static de.rub.nds.tlsattacker.util.ConsoleLogger.CONSOLE;
 
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
+import de.rub.nds.sshattacker.core.util.Converter;
 import java.math.BigInteger;
 import java.nio.ByteBuffer;
 import java.security.MessageDigest;
@@ -166,7 +167,7 @@ public static byte[] mgf1(byte[] seed, int maskLen, String digestName)
         for (int counter = 0; counter < maxIterations; counter++) {
 
             // Step a: Convert counter using I2OSP
-            byte[] counterBytes = ArrayConverter.intToBytes(counter, 4);
+            byte[] counterBytes = Converter.intToFourBytes(counter);
 
             // Step b: Concatenate hash of seed and counterBytes with intermediate result
             ByteBuffer digestInputBuffer = ByteBuffer.allocate(seed.length + 4);
@@ -220,8 +221,10 @@ public static BigInteger decodeSolution(
 
             byte[] result = doOaepDecoding(solutionBytes, hashInstance, publicKeyByteLength);
 
-            CONSOLE.debug("Secret with length field as byte array: {}", Arrays.toString(result));
-            CONSOLE.debug("Secret with length field: {}", new BigInteger(result));
+            CONSOLE.debug(
+                    "Secret with length field as byte array: {}",
+                    () -> ArrayConverter.bytesToRawHexString(result));
+            CONSOLE.debug("Secret with length field: {}", () -> new BigInteger(result));
 
             // Cut off length field to get secret as decimal number
             ByteBuffer secretBuffer = ByteBuffer.wrap(result);

README.md

@@ -160,7 +160,7 @@ SSH-Attacker uses the concept of Modifiable Variables to allow runtime modificat
 ```java
 ModifiableInteger i = new ModifiableInteger();
 i.setOriginalValue(30);
-i.setModification(new AddModification(20));
+i.addModification(new AddModification(20));
 System.out.println(i.getValue());  // 50
 ```
 
@@ -172,7 +172,7 @@ We can of course use this concept by constructing our SSH workflows. Imagine you
 ChannelOpenSessionMessage channelOpenSessionMessage = new ChannelOpenSessionMessage();
         ModifiableInteger i = new ModifiableInteger();
         channelOpenSessionMessage.setConfigSenderChannelId(1337);
-        i.setModification(new IntegerAddModification(100));
+        i.setModifications(new IntegerAddModification(100));
         channelOpenSessionMessage.setSenderChannelId(i);//1437
 ```