github.com/glycerine/xcryptossh@v7.0.4+incompatible/common.go (about)

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package ssh
     6  
     7  import (
     8  	"crypto"
     9  	"crypto/rand"
    10  	"fmt"
    11  	"io"
    12  	"math"
    13  	"sync"
    14  
    15  	_ "crypto/sha1"
    16  	_ "crypto/sha256"
    17  	_ "crypto/sha512"
    18  )
    19  
    20  // These are string constants in the SSH protocol.
    21  const (
    22  	compressionNone = "none"
    23  	serviceUserAuth = "ssh-userauth"
    24  	serviceSSH      = "ssh-connection"
    25  )
    26  
    27  // supportedCiphers specifies the supported ciphers in preference order.
    28  var supportedCiphers = []string{
    29  	"aes128-ctr", "aes192-ctr", "aes256-ctr",
    30  	"aes128-gcm@openssh.com",
    31  	"arcfour256", "arcfour128",
    32  }
    33  
    34  // supportedKexAlgos specifies the supported key-exchange algorithms in
    35  // preference order.
    36  var supportedKexAlgos = []string{
    37  	kexAlgoCurve25519SHA256,
    38  	// P384 and P521 are not constant-time yet, but since we don't
    39  	// reuse ephemeral keys, using them for ECDH should be OK.
    40  	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
    41  	kexAlgoDH14SHA1, kexAlgoDH1SHA1,
    42  }
    43  
    44  // supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
    45  // of authenticating servers) in preference order.
    46  var supportedHostKeyAlgos = []string{
    47  	CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
    48  	CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
    49  
    50  	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
    51  	KeyAlgoRSA, KeyAlgoDSA,
    52  
    53  	KeyAlgoED25519,
    54  }
    55  
    56  // supportedMACs specifies a default set of MAC algorithms in preference order.
    57  // This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
    58  // because they have reached the end of their useful life.
    59  var supportedMACs = []string{
    60  	"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
    61  }
    62  
    63  var supportedCompressions = []string{compressionNone}
    64  
    65  // hashFuncs keeps the mapping of supported algorithms to their respective
    66  // hashes needed for signature verification.
    67  var hashFuncs = map[string]crypto.Hash{
    68  	KeyAlgoRSA:          crypto.SHA1,
    69  	KeyAlgoDSA:          crypto.SHA1,
    70  	KeyAlgoECDSA256:     crypto.SHA256,
    71  	KeyAlgoECDSA384:     crypto.SHA384,
    72  	KeyAlgoECDSA521:     crypto.SHA512,
    73  	CertAlgoRSAv01:      crypto.SHA1,
    74  	CertAlgoDSAv01:      crypto.SHA1,
    75  	CertAlgoECDSA256v01: crypto.SHA256,
    76  	CertAlgoECDSA384v01: crypto.SHA384,
    77  	CertAlgoECDSA521v01: crypto.SHA512,
    78  }
    79  
    80  // unexpectedMessageError results when the SSH message that we received didn't
    81  // match what we wanted.
    82  func unexpectedMessageError(expected, got uint8) error {
    83  	return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected)
    84  }
    85  
    86  // parseError results from a malformed SSH message.
    87  func parseError(tag uint8) error {
    88  	return fmt.Errorf("ssh: parse error in message type %d", tag)
    89  }
    90  
    91  func findCommon(what string, client []string, server []string) (common string, err error) {
    92  	for _, c := range client {
    93  		for _, s := range server {
    94  			if c == s {
    95  				return c, nil
    96  			}
    97  		}
    98  	}
    99  	return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
   100  }
   101  
   102  type directionAlgorithms struct {
   103  	Cipher      string
   104  	MAC         string
   105  	Compression string
   106  }
   107  
   108  // rekeyBytes returns a rekeying intervals in bytes.
   109  func (a *directionAlgorithms) rekeyBytes() int64 {
   110  	// According to RFC4344 block ciphers should rekey after
   111  	// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
   112  	// 128.
   113  	switch a.Cipher {
   114  	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
   115  		return 16 * (1 << 32)
   116  
   117  	}
   118  
   119  	// For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
   120  	return 1 << 30
   121  }
   122  
   123  type algorithms struct {
   124  	kex     string
   125  	hostKey string
   126  	w       directionAlgorithms
   127  	r       directionAlgorithms
   128  }
   129  
   130  func findAgreedAlgorithms(clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) {
   131  	result := &algorithms{}
   132  
   133  	result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)
   134  	if err != nil {
   135  		return
   136  	}
   137  
   138  	result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
   139  	if err != nil {
   140  		return
   141  	}
   142  
   143  	result.w.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
   144  	if err != nil {
   145  		return
   146  	}
   147  
   148  	result.r.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
   149  	if err != nil {
   150  		return
   151  	}
   152  
   153  	result.w.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
   154  	if err != nil {
   155  		return
   156  	}
   157  
   158  	result.r.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
   159  	if err != nil {
   160  		return
   161  	}
   162  
   163  	result.w.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
   164  	if err != nil {
   165  		return
   166  	}
   167  
   168  	result.r.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
   169  	if err != nil {
   170  		return
   171  	}
   172  
   173  	return result, nil
   174  }
   175  
   176  // If rekeythreshold is too small, we can't make any progress sending
   177  // stuff.
   178  const minRekeyThreshold uint64 = 256
   179  
   180  // Config contains configuration data common to both ServerConfig and
   181  // ClientConfig.
   182  type Config struct {
   183  	// Rand provides the source of entropy for cryptographic
   184  	// primitives. If Rand is nil, the cryptographic random reader
   185  	// in package crypto/rand will be used.
   186  	Rand io.Reader
   187  
   188  	// The maximum number of bytes sent or received after which a
   189  	// new key is negotiated. It must be at least 256. If
   190  	// unspecified, a size suitable for the chosen cipher is used.
   191  	RekeyThreshold uint64
   192  
   193  	// The allowed key exchanges algorithms. If unspecified then a
   194  	// default set of algorithms is used.
   195  	KeyExchanges []string
   196  
   197  	// The allowed cipher algorithms. If unspecified then a sensible
   198  	// default is used.
   199  	Ciphers []string
   200  
   201  	// The allowed MAC algorithms. If unspecified then a sensible default
   202  	// is used.
   203  	MACs []string
   204  
   205  	// Halt is for shutdown
   206  	Halt *Halter
   207  }
   208  
   209  // SetDefaults sets sensible values for unset fields in config. This is
   210  // exported for testing: Configs passed to SSH functions are copied and have
   211  // default values set automatically.
   212  func (c *Config) SetDefaults() {
   213  	if c.Rand == nil {
   214  		c.Rand = rand.Reader
   215  	}
   216  	if c.Ciphers == nil {
   217  		c.Ciphers = supportedCiphers
   218  	}
   219  	var ciphers []string
   220  	for _, c := range c.Ciphers {
   221  		if cipherModes[c] != nil {
   222  			// reject the cipher if we have no cipherModes definition
   223  			ciphers = append(ciphers, c)
   224  		}
   225  	}
   226  	c.Ciphers = ciphers
   227  
   228  	if c.KeyExchanges == nil {
   229  		c.KeyExchanges = supportedKexAlgos
   230  	}
   231  
   232  	if c.MACs == nil {
   233  		c.MACs = supportedMACs
   234  	}
   235  
   236  	if c.RekeyThreshold == 0 {
   237  		// cipher specific default
   238  	} else if c.RekeyThreshold < minRekeyThreshold {
   239  		c.RekeyThreshold = minRekeyThreshold
   240  	} else if c.RekeyThreshold >= math.MaxInt64 {
   241  		// Avoid weirdness if somebody uses -1 as a threshold.
   242  		c.RekeyThreshold = math.MaxInt64
   243  	}
   244  
   245  	if c.Halt == nil {
   246  		c.Halt = NewHalter()
   247  	}
   248  }
   249  
   250  // buildDataSignedForAuth returns the data that is signed in order to prove
   251  // possession of a private key. See RFC 4252, section 7.
   252  func buildDataSignedForAuth(sessionId []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte {
   253  	data := struct {
   254  		Session []byte
   255  		Type    byte
   256  		User    string
   257  		Service string
   258  		Method  string
   259  		Sign    bool
   260  		Algo    []byte
   261  		PubKey  []byte
   262  	}{
   263  		sessionId,
   264  		msgUserAuthRequest,
   265  		req.User,
   266  		req.Service,
   267  		req.Method,
   268  		true,
   269  		algo,
   270  		pubKey,
   271  	}
   272  	return Marshal(data)
   273  }
   274  
   275  func appendU16(buf []byte, n uint16) []byte {
   276  	return append(buf, byte(n>>8), byte(n))
   277  }
   278  
   279  func appendU32(buf []byte, n uint32) []byte {
   280  	return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
   281  }
   282  
   283  func appendU64(buf []byte, n uint64) []byte {
   284  	return append(buf,
   285  		byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32),
   286  		byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
   287  }
   288  
   289  func appendInt(buf []byte, n int) []byte {
   290  	return appendU32(buf, uint32(n))
   291  }
   292  
   293  func appendString(buf []byte, s string) []byte {
   294  	buf = appendU32(buf, uint32(len(s)))
   295  	buf = append(buf, s...)
   296  	return buf
   297  }
   298  
   299  func appendBool(buf []byte, b bool) []byte {
   300  	if b {
   301  		return append(buf, 1)
   302  	}
   303  	return append(buf, 0)
   304  }
   305  
   306  // newCond is a helper to hide the fact that there is no usable zero
   307  // value for sync.Cond.
   308  func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) }
   309  
   310  // window represents the buffer available to clients
   311  // wishing to write to a channel.
   312  type window struct {
   313  	*sync.Cond
   314  	win          uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1
   315  	writeWaiters int
   316  	closed       bool
   317  	idle         *IdleTimer
   318  }
   319  
   320  // add adds win to the amount of window available
   321  // for consumers.
   322  func (w *window) add(win uint32) bool {
   323  	// a zero sized window adjust is a noop.
   324  	if win == 0 {
   325  		return true
   326  	}
   327  	w.L.Lock()
   328  	if w.win+win < win {
   329  		w.L.Unlock()
   330  		return false
   331  	}
   332  	w.win += win
   333  	// It is unusual that multiple goroutines would be attempting to reserve
   334  	// window space, but not guaranteed. Use broadcast to notify all waiters
   335  	// that additional window is available.
   336  	w.Broadcast()
   337  	w.L.Unlock()
   338  	return true
   339  }
   340  
   341  // close sets the window to closed, so all reservations fail
   342  // immediately.
   343  func (w *window) close() {
   344  	w.L.Lock()
   345  	w.closed = true
   346  	w.Broadcast()
   347  	w.L.Unlock()
   348  }
   349  
   350  func (w *window) timeout() {
   351  	w.Broadcast()
   352  }
   353  
   354  // check for timeout or shutdown
   355  func (w *window) reserveShouldReturn() (bye bool, err error) {
   356  	timedOut := ""
   357  	select {
   358  	case timedOut = <-w.idle.TimedOut:
   359  		if timedOut != "" {
   360  			return true, newErrTimeout(timedOut, w.idle)
   361  		}
   362  	case <-w.idle.Halt.ReqStopChan():
   363  		// original tests expect io.EOF and not ErrShutDown,
   364  		// so we continue with an EOF here, even though
   365  		// we are shutting down.
   366  		return true, io.EOF
   367  	}
   368  	return false, nil
   369  }
   370  
   371  // reserve reserves win from the available window capacity.
   372  // If no capacity remains, reserve will block. reserve may
   373  // return less than requested.
   374  func (w *window) reserve(win uint32) (num uint32, err error) {
   375  	w.L.Lock()
   376  	defer w.L.Unlock()
   377  
   378  	if bye, err := w.reserveShouldReturn(); bye {
   379  		return 0, err
   380  	}
   381  	w.writeWaiters++
   382  	w.Broadcast()
   383  	for w.win == 0 && !w.closed {
   384  		w.Wait()
   385  		if bye, err := w.reserveShouldReturn(); bye {
   386  			return 0, err
   387  		}
   388  	}
   389  	w.writeWaiters--
   390  	if w.win < win {
   391  		win = w.win
   392  	}
   393  	w.win -= win
   394  	if w.closed {
   395  		err = io.EOF
   396  	}
   397  	return win, err
   398  }
   399  
   400  // waitWriterBlocked waits until some goroutine is blocked for further
   401  // writes. It is used in tests only.
   402  func (w *window) waitWriterBlocked() {
   403  	w.Cond.L.Lock()
   404  	for w.writeWaiters == 0 {
   405  		w.Cond.Wait()
   406  	}
   407  	w.Cond.L.Unlock()
   408  }