github.com/glycerine/xcryptossh@v7.0.4+incompatible/common.go (about) 1 // Copyright 2011 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package ssh 6 7 import ( 8 "crypto" 9 "crypto/rand" 10 "fmt" 11 "io" 12 "math" 13 "sync" 14 15 _ "crypto/sha1" 16 _ "crypto/sha256" 17 _ "crypto/sha512" 18 ) 19 20 // These are string constants in the SSH protocol. 21 const ( 22 compressionNone = "none" 23 serviceUserAuth = "ssh-userauth" 24 serviceSSH = "ssh-connection" 25 ) 26 27 // supportedCiphers specifies the supported ciphers in preference order. 28 var supportedCiphers = []string{ 29 "aes128-ctr", "aes192-ctr", "aes256-ctr", 30 "aes128-gcm@openssh.com", 31 "arcfour256", "arcfour128", 32 } 33 34 // supportedKexAlgos specifies the supported key-exchange algorithms in 35 // preference order. 36 var supportedKexAlgos = []string{ 37 kexAlgoCurve25519SHA256, 38 // P384 and P521 are not constant-time yet, but since we don't 39 // reuse ephemeral keys, using them for ECDH should be OK. 40 kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521, 41 kexAlgoDH14SHA1, kexAlgoDH1SHA1, 42 } 43 44 // supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods 45 // of authenticating servers) in preference order. 46 var supportedHostKeyAlgos = []string{ 47 CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, 48 CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01, 49 50 KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521, 51 KeyAlgoRSA, KeyAlgoDSA, 52 53 KeyAlgoED25519, 54 } 55 56 // supportedMACs specifies a default set of MAC algorithms in preference order. 57 // This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed 58 // because they have reached the end of their useful life. 59 var supportedMACs = []string{ 60 "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96", 61 } 62 63 var supportedCompressions = []string{compressionNone} 64 65 // hashFuncs keeps the mapping of supported algorithms to their respective 66 // hashes needed for signature verification. 67 var hashFuncs = map[string]crypto.Hash{ 68 KeyAlgoRSA: crypto.SHA1, 69 KeyAlgoDSA: crypto.SHA1, 70 KeyAlgoECDSA256: crypto.SHA256, 71 KeyAlgoECDSA384: crypto.SHA384, 72 KeyAlgoECDSA521: crypto.SHA512, 73 CertAlgoRSAv01: crypto.SHA1, 74 CertAlgoDSAv01: crypto.SHA1, 75 CertAlgoECDSA256v01: crypto.SHA256, 76 CertAlgoECDSA384v01: crypto.SHA384, 77 CertAlgoECDSA521v01: crypto.SHA512, 78 } 79 80 // unexpectedMessageError results when the SSH message that we received didn't 81 // match what we wanted. 82 func unexpectedMessageError(expected, got uint8) error { 83 return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected) 84 } 85 86 // parseError results from a malformed SSH message. 87 func parseError(tag uint8) error { 88 return fmt.Errorf("ssh: parse error in message type %d", tag) 89 } 90 91 func findCommon(what string, client []string, server []string) (common string, err error) { 92 for _, c := range client { 93 for _, s := range server { 94 if c == s { 95 return c, nil 96 } 97 } 98 } 99 return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server) 100 } 101 102 type directionAlgorithms struct { 103 Cipher string 104 MAC string 105 Compression string 106 } 107 108 // rekeyBytes returns a rekeying intervals in bytes. 109 func (a *directionAlgorithms) rekeyBytes() int64 { 110 // According to RFC4344 block ciphers should rekey after 111 // 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is 112 // 128. 113 switch a.Cipher { 114 case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID: 115 return 16 * (1 << 32) 116 117 } 118 119 // For others, stick with RFC4253 recommendation to rekey after 1 Gb of data. 120 return 1 << 30 121 } 122 123 type algorithms struct { 124 kex string 125 hostKey string 126 w directionAlgorithms 127 r directionAlgorithms 128 } 129 130 func findAgreedAlgorithms(clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) { 131 result := &algorithms{} 132 133 result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos) 134 if err != nil { 135 return 136 } 137 138 result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos) 139 if err != nil { 140 return 141 } 142 143 result.w.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer) 144 if err != nil { 145 return 146 } 147 148 result.r.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient) 149 if err != nil { 150 return 151 } 152 153 result.w.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer) 154 if err != nil { 155 return 156 } 157 158 result.r.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient) 159 if err != nil { 160 return 161 } 162 163 result.w.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer) 164 if err != nil { 165 return 166 } 167 168 result.r.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient) 169 if err != nil { 170 return 171 } 172 173 return result, nil 174 } 175 176 // If rekeythreshold is too small, we can't make any progress sending 177 // stuff. 178 const minRekeyThreshold uint64 = 256 179 180 // Config contains configuration data common to both ServerConfig and 181 // ClientConfig. 182 type Config struct { 183 // Rand provides the source of entropy for cryptographic 184 // primitives. If Rand is nil, the cryptographic random reader 185 // in package crypto/rand will be used. 186 Rand io.Reader 187 188 // The maximum number of bytes sent or received after which a 189 // new key is negotiated. It must be at least 256. If 190 // unspecified, a size suitable for the chosen cipher is used. 191 RekeyThreshold uint64 192 193 // The allowed key exchanges algorithms. If unspecified then a 194 // default set of algorithms is used. 195 KeyExchanges []string 196 197 // The allowed cipher algorithms. If unspecified then a sensible 198 // default is used. 199 Ciphers []string 200 201 // The allowed MAC algorithms. If unspecified then a sensible default 202 // is used. 203 MACs []string 204 205 // Halt is for shutdown 206 Halt *Halter 207 } 208 209 // SetDefaults sets sensible values for unset fields in config. This is 210 // exported for testing: Configs passed to SSH functions are copied and have 211 // default values set automatically. 212 func (c *Config) SetDefaults() { 213 if c.Rand == nil { 214 c.Rand = rand.Reader 215 } 216 if c.Ciphers == nil { 217 c.Ciphers = supportedCiphers 218 } 219 var ciphers []string 220 for _, c := range c.Ciphers { 221 if cipherModes[c] != nil { 222 // reject the cipher if we have no cipherModes definition 223 ciphers = append(ciphers, c) 224 } 225 } 226 c.Ciphers = ciphers 227 228 if c.KeyExchanges == nil { 229 c.KeyExchanges = supportedKexAlgos 230 } 231 232 if c.MACs == nil { 233 c.MACs = supportedMACs 234 } 235 236 if c.RekeyThreshold == 0 { 237 // cipher specific default 238 } else if c.RekeyThreshold < minRekeyThreshold { 239 c.RekeyThreshold = minRekeyThreshold 240 } else if c.RekeyThreshold >= math.MaxInt64 { 241 // Avoid weirdness if somebody uses -1 as a threshold. 242 c.RekeyThreshold = math.MaxInt64 243 } 244 245 if c.Halt == nil { 246 c.Halt = NewHalter() 247 } 248 } 249 250 // buildDataSignedForAuth returns the data that is signed in order to prove 251 // possession of a private key. See RFC 4252, section 7. 252 func buildDataSignedForAuth(sessionId []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte { 253 data := struct { 254 Session []byte 255 Type byte 256 User string 257 Service string 258 Method string 259 Sign bool 260 Algo []byte 261 PubKey []byte 262 }{ 263 sessionId, 264 msgUserAuthRequest, 265 req.User, 266 req.Service, 267 req.Method, 268 true, 269 algo, 270 pubKey, 271 } 272 return Marshal(data) 273 } 274 275 func appendU16(buf []byte, n uint16) []byte { 276 return append(buf, byte(n>>8), byte(n)) 277 } 278 279 func appendU32(buf []byte, n uint32) []byte { 280 return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n)) 281 } 282 283 func appendU64(buf []byte, n uint64) []byte { 284 return append(buf, 285 byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32), 286 byte(n>>24), byte(n>>16), byte(n>>8), byte(n)) 287 } 288 289 func appendInt(buf []byte, n int) []byte { 290 return appendU32(buf, uint32(n)) 291 } 292 293 func appendString(buf []byte, s string) []byte { 294 buf = appendU32(buf, uint32(len(s))) 295 buf = append(buf, s...) 296 return buf 297 } 298 299 func appendBool(buf []byte, b bool) []byte { 300 if b { 301 return append(buf, 1) 302 } 303 return append(buf, 0) 304 } 305 306 // newCond is a helper to hide the fact that there is no usable zero 307 // value for sync.Cond. 308 func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) } 309 310 // window represents the buffer available to clients 311 // wishing to write to a channel. 312 type window struct { 313 *sync.Cond 314 win uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1 315 writeWaiters int 316 closed bool 317 idle *IdleTimer 318 } 319 320 // add adds win to the amount of window available 321 // for consumers. 322 func (w *window) add(win uint32) bool { 323 // a zero sized window adjust is a noop. 324 if win == 0 { 325 return true 326 } 327 w.L.Lock() 328 if w.win+win < win { 329 w.L.Unlock() 330 return false 331 } 332 w.win += win 333 // It is unusual that multiple goroutines would be attempting to reserve 334 // window space, but not guaranteed. Use broadcast to notify all waiters 335 // that additional window is available. 336 w.Broadcast() 337 w.L.Unlock() 338 return true 339 } 340 341 // close sets the window to closed, so all reservations fail 342 // immediately. 343 func (w *window) close() { 344 w.L.Lock() 345 w.closed = true 346 w.Broadcast() 347 w.L.Unlock() 348 } 349 350 func (w *window) timeout() { 351 w.Broadcast() 352 } 353 354 // check for timeout or shutdown 355 func (w *window) reserveShouldReturn() (bye bool, err error) { 356 timedOut := "" 357 select { 358 case timedOut = <-w.idle.TimedOut: 359 if timedOut != "" { 360 return true, newErrTimeout(timedOut, w.idle) 361 } 362 case <-w.idle.Halt.ReqStopChan(): 363 // original tests expect io.EOF and not ErrShutDown, 364 // so we continue with an EOF here, even though 365 // we are shutting down. 366 return true, io.EOF 367 } 368 return false, nil 369 } 370 371 // reserve reserves win from the available window capacity. 372 // If no capacity remains, reserve will block. reserve may 373 // return less than requested. 374 func (w *window) reserve(win uint32) (num uint32, err error) { 375 w.L.Lock() 376 defer w.L.Unlock() 377 378 if bye, err := w.reserveShouldReturn(); bye { 379 return 0, err 380 } 381 w.writeWaiters++ 382 w.Broadcast() 383 for w.win == 0 && !w.closed { 384 w.Wait() 385 if bye, err := w.reserveShouldReturn(); bye { 386 return 0, err 387 } 388 } 389 w.writeWaiters-- 390 if w.win < win { 391 win = w.win 392 } 393 w.win -= win 394 if w.closed { 395 err = io.EOF 396 } 397 return win, err 398 } 399 400 // waitWriterBlocked waits until some goroutine is blocked for further 401 // writes. It is used in tests only. 402 func (w *window) waitWriterBlocked() { 403 w.Cond.L.Lock() 404 for w.writeWaiters == 0 { 405 w.Cond.Wait() 406 } 407 w.Cond.L.Unlock() 408 }