ssh/transport.go - crypto - Git at Google

 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package ssh

 import (
 	"bufio"
 	"errors"
 	"io"
 )

 const (
 	gcmCipherID    = "aes128-gcm@openssh.com"
 	aes128cbcID    = "aes128-cbc"
 	tripledescbcID = "3des-cbc"
 )

 // packetConn represents a transport that implements packet based
 // operations.
 type packetConn interface {
 	// Encrypt and send a packet of data to the remote peer.
 	writePacket(packet []byte) error

 	// Read a packet from the connection
 	readPacket() ([]byte, error)

 	// Close closes the write-side of the connection.
 	Close() error
 }

 // transport is the keyingTransport that implements the SSH packet
 // protocol.
 type transport struct {
 	reader connectionState
 	writer connectionState

 	bufReader *bufio.Reader
 	bufWriter *bufio.Writer
 	rand      io.Reader

 	io.Closer
 }

 // packetCipher represents a combination of SSH encryption/MAC
 // protocol.  A single instance should be used for one direction only.
 type packetCipher interface {
 	// writePacket encrypts the packet and writes it to w. The
 	// contents of the packet are generally scrambled.
 	writePacket(seqnum uint32, w io.Writer, rand io.Reader, packet []byte) error

 	// readPacket reads and decrypts a packet of data. The
 	// returned packet may be overwritten by future calls of
 	// readPacket.
 	readPacket(seqnum uint32, r io.Reader) ([]byte, error)
 }

 // connectionState represents one side (read or write) of the
 // connection. This is necessary because each direction has its own
 // keys, and can even have its own algorithms
 type connectionState struct {
 	packetCipher
 	seqNum           uint32
 	dir              direction
 	pendingKeyChange chan packetCipher
 }

 // prepareKeyChange sets up key material for a keychange. The key changes in
 // both directions are triggered by reading and writing a msgNewKey packet
 // respectively.
 func (t *transport) prepareKeyChange(algs *algorithms, kexResult *kexResult) error {
 	if ciph, err := newPacketCipher(t.reader.dir, algs.r, kexResult); err != nil {
 		return err
 	} else {
 		t.reader.pendingKeyChange <- ciph
 	}

 	if ciph, err := newPacketCipher(t.writer.dir, algs.w, kexResult); err != nil {
 		return err
 	} else {
 		t.writer.pendingKeyChange <- ciph
 	}

 	return nil
 }

 // Read and decrypt next packet.
 func (t *transport) readPacket() ([]byte, error) {
 	return t.reader.readPacket(t.bufReader)
 }

 func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
 	packet, err := s.packetCipher.readPacket(s.seqNum, r)
 	s.seqNum++
 	if err == nil && len(packet) == 0 {
 		err = errors.New("ssh: zero length packet")
 	}

 	if len(packet) > 0 {
 		switch packet[0] {
 		case msgNewKeys:
 			select {
 			case cipher := <-s.pendingKeyChange:
 				s.packetCipher = cipher
 			default:
 				return nil, errors.New("ssh: got bogus newkeys message.")
 			}

 		case msgDisconnect:
 			// Transform a disconnect message into an
 			// error. Since this is lowest level at which
 			// we interpret message types, doing it here
 			// ensures that we don't have to handle it
 			// elsewhere.
 			var msg disconnectMsg
 			if err := Unmarshal(packet, &msg); err != nil {
 				return nil, err
 			}
 			return nil, &msg
 		}
 	}

 	// The packet may point to an internal buffer, so copy the
 	// packet out here.
 	fresh := make([]byte, len(packet))
 	copy(fresh, packet)

 	return fresh, err
 }

 func (t *transport) writePacket(packet []byte) error {
 	return t.writer.writePacket(t.bufWriter, t.rand, packet)
 }

 func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte) error {
 	changeKeys := len(packet) > 0 && packet[0] == msgNewKeys

 	err := s.packetCipher.writePacket(s.seqNum, w, rand, packet)
 	if err != nil {
 		return err
 	}
 	if err = w.Flush(); err != nil {
 		return err
 	}
 	s.seqNum++
 	if changeKeys {
 		select {
 		case cipher := <-s.pendingKeyChange:
 			s.packetCipher = cipher
 		default:
 			panic("ssh: no key material for msgNewKeys")
 		}
 	}
 	return err
 }

 func newTransport(rwc io.ReadWriteCloser, rand io.Reader, isClient bool) *transport {
 	t := &transport{
 		bufReader: bufio.NewReader(rwc),
 		bufWriter: bufio.NewWriter(rwc),
 		rand:      rand,
 		reader: connectionState{
 			packetCipher:     &streamPacketCipher{cipher: noneCipher{}},
 			pendingKeyChange: make(chan packetCipher, 1),
 		},
 		writer: connectionState{
 			packetCipher:     &streamPacketCipher{cipher: noneCipher{}},
 			pendingKeyChange: make(chan packetCipher, 1),
 		},
 		Closer: rwc,
 	}
 	if isClient {
 		t.reader.dir = serverKeys
 		t.writer.dir = clientKeys
 	} else {
 		t.reader.dir = clientKeys
 		t.writer.dir = serverKeys
 	}

 	return t
 }

 type direction struct {
 	ivTag     []byte
 	keyTag    []byte
 	macKeyTag []byte
 }

 var (
 	serverKeys = direction{[]byte{'B'}, []byte{'D'}, []byte{'F'}}
 	clientKeys = direction{[]byte{'A'}, []byte{'C'}, []byte{'E'}}
 )

 // generateKeys generates key material for IV, MAC and encryption.
 func generateKeys(d direction, algs directionAlgorithms, kex *kexResult) (iv, key, macKey []byte) {
 	cipherMode := cipherModes[algs.Cipher]
 	macMode := macModes[algs.MAC]

 	iv = make([]byte, cipherMode.ivSize)
 	key = make([]byte, cipherMode.keySize)
 	macKey = make([]byte, macMode.keySize)

 	generateKeyMaterial(iv, d.ivTag, kex)
 	generateKeyMaterial(key, d.keyTag, kex)
 	generateKeyMaterial(macKey, d.macKeyTag, kex)
 	return
 }

 // setupKeys sets the cipher and MAC keys from kex.K, kex.H and sessionId, as
 // described in RFC 4253, section 6.4. direction should either be serverKeys
 // (to setup server->client keys) or clientKeys (for client->server keys).
 func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (packetCipher, error) {
 	iv, key, macKey := generateKeys(d, algs, kex)

 	if algs.Cipher == gcmCipherID {
 		return newGCMCipher(iv, key, macKey)
 	}

 	if algs.Cipher == aes128cbcID {
 		return newAESCBCCipher(iv, key, macKey, algs)
 	}

 	if algs.Cipher == tripledescbcID {
 		return newTripleDESCBCCipher(iv, key, macKey, algs)
 	}

 	c := &streamPacketCipher{
 		mac: macModes[algs.MAC].new(macKey),
 	}
 	c.macResult = make([]byte, c.mac.Size())

 	var err error
 	c.cipher, err = cipherModes[algs.Cipher].createStream(key, iv)
 	if err != nil {
 		return nil, err
 	}

 	return c, nil
 }

 // generateKeyMaterial fills out with key material generated from tag, K, H
 // and sessionId, as specified in RFC 4253, section 7.2.
 func generateKeyMaterial(out, tag []byte, r *kexResult) {
 	var digestsSoFar []byte

 	h := r.Hash.New()
 	for len(out) > 0 {
 		h.Reset()
 		h.Write(r.K)
 		h.Write(r.H)

 		if len(digestsSoFar) == 0 {
 			h.Write(tag)
 			h.Write(r.SessionID)
 		} else {
 			h.Write(digestsSoFar)
 		}

 		digest := h.Sum(nil)
 		n := copy(out, digest)
 		out = out[n:]
 		if len(out) > 0 {
 			digestsSoFar = append(digestsSoFar, digest...)
 		}
 	}
 }

 const packageVersion = "SSH-2.0-Go"

 // Sends and receives a version line.  The versionLine string should
 // be US ASCII, start with "SSH-2.0-", and should not include a
 // newline. exchangeVersions returns the other side's version line.
 func exchangeVersions(rw io.ReadWriter, versionLine []byte) (them []byte, err error) {
 	// Contrary to the RFC, we do not ignore lines that don't
 	// start with "SSH-2.0-" to make the library usable with
 	// nonconforming servers.
 	for _, c := range versionLine {
 		// The spec disallows non US-ASCII chars, and
 		// specifically forbids null chars.
 		if c < 32 {
 			return nil, errors.New("ssh: junk character in version line")
 		}
 	}
 	if _, err = rw.Write(append(versionLine, '\r', '\n')); err != nil {
 		return
 	}

 	them, err = readVersion(rw)
 	return them, err
 }

 // maxVersionStringBytes is the maximum number of bytes that we'll
 // accept as a version string. RFC 4253 section 4.2 limits this at 255
 // chars
 const maxVersionStringBytes = 255

 // Read version string as specified by RFC 4253, section 4.2.
 func readVersion(r io.Reader) ([]byte, error) {
 	versionString := make([]byte, 0, 64)
 	var ok bool
 	var buf [1]byte

 	for len(versionString) < maxVersionStringBytes {
 		_, err := io.ReadFull(r, buf[:])
 		if err != nil {
 			return nil, err
 		}
 		// The RFC says that the version should be terminated with \r\n
 		// but several SSH servers actually only send a \n.
 		if buf[0] == '\n' {
 			ok = true
 			break
 		}

 		// non ASCII chars are disallowed, but we are lenient,
 		// since Go doesn't use null-terminated strings.

 		// The RFC allows a comment after a space, however,
 		// all of it (version and comments) goes into the
 		// session hash.
 		versionString = append(versionString, buf[0])
 	}

 	if !ok {
 		return nil, errors.New("ssh: overflow reading version string")
 	}

 	// There might be a '\r' on the end which we should remove.
 	if len(versionString) > 0 && versionString[len(versionString)-1] == '\r' {
 		versionString = versionString[:len(versionString)-1]
 	}
 	return versionString, nil
 }
	// Copyright 2011 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package ssh

	import (
	"bufio"
	"errors"
	"io"
	)

	const (
	gcmCipherID = "aes128-gcm@openssh.com"
	aes128cbcID = "aes128-cbc"
	tripledescbcID = "3des-cbc"
	)

	// packetConn represents a transport that implements packet based
	// operations.
	type packetConn interface {
	// Encrypt and send a packet of data to the remote peer.
	writePacket(packet []byte) error

	// Read a packet from the connection
	readPacket() ([]byte, error)

	// Close closes the write-side of the connection.
	Close() error
	}

	// transport is the keyingTransport that implements the SSH packet
	// protocol.
	type transport struct {
	reader connectionState
	writer connectionState

	bufReader *bufio.Reader
	bufWriter *bufio.Writer
	rand io.Reader

	io.Closer
	}

	// packetCipher represents a combination of SSH encryption/MAC
	// protocol. A single instance should be used for one direction only.
	type packetCipher interface {
	// writePacket encrypts the packet and writes it to w. The
	// contents of the packet are generally scrambled.
	writePacket(seqnum uint32, w io.Writer, rand io.Reader, packet []byte) error

	// readPacket reads and decrypts a packet of data. The
	// returned packet may be overwritten by future calls of
	// readPacket.
	readPacket(seqnum uint32, r io.Reader) ([]byte, error)
	}

	// connectionState represents one side (read or write) of the
	// connection. This is necessary because each direction has its own
	// keys, and can even have its own algorithms
	type connectionState struct {
	packetCipher
	seqNum uint32
	dir direction
	pendingKeyChange chan packetCipher
	}

	// prepareKeyChange sets up key material for a keychange. The key changes in
	// both directions are triggered by reading and writing a msgNewKey packet
	// respectively.
	func (t transport) prepareKeyChange(algs algorithms, kexResult *kexResult) error {
	if ciph, err := newPacketCipher(t.reader.dir, algs.r, kexResult); err != nil {
	return err
	} else {
	t.reader.pendingKeyChange <- ciph
	}

	if ciph, err := newPacketCipher(t.writer.dir, algs.w, kexResult); err != nil {
	return err
	} else {
	t.writer.pendingKeyChange <- ciph
	}

	return nil
	}

	// Read and decrypt next packet.
	func (t *transport) readPacket() ([]byte, error) {
	return t.reader.readPacket(t.bufReader)
	}

	func (s connectionState) readPacket(r bufio.Reader) ([]byte, error) {
	packet, err := s.packetCipher.readPacket(s.seqNum, r)
	s.seqNum++
	if err == nil && len(packet) == 0 {
	err = errors.New("ssh: zero length packet")
	}

	if len(packet) > 0 {
	switch packet[0] {
	case msgNewKeys:
	select {
	case cipher := <-s.pendingKeyChange:
	s.packetCipher = cipher
	default:
	return nil, errors.New("ssh: got bogus newkeys message.")
	}

	case msgDisconnect:
	// Transform a disconnect message into an
	// error. Since this is lowest level at which
	// we interpret message types, doing it here
	// ensures that we don't have to handle it
	// elsewhere.
	var msg disconnectMsg
	if err := Unmarshal(packet, &msg); err != nil {
	return nil, err
	}
	return nil, &msg
	}
	}

	// The packet may point to an internal buffer, so copy the
	// packet out here.
	fresh := make([]byte, len(packet))
	copy(fresh, packet)

	return fresh, err
	}

	func (t *transport) writePacket(packet []byte) error {
	return t.writer.writePacket(t.bufWriter, t.rand, packet)
	}

	func (s connectionState) writePacket(w bufio.Writer, rand io.Reader, packet []byte) error {
	changeKeys := len(packet) > 0 && packet[0] == msgNewKeys

	err := s.packetCipher.writePacket(s.seqNum, w, rand, packet)
	if err != nil {
	return err
	}
	if err = w.Flush(); err != nil {
	return err
	}
	s.seqNum++
	if changeKeys {
	select {
	case cipher := <-s.pendingKeyChange:
	s.packetCipher = cipher
	default:
	panic("ssh: no key material for msgNewKeys")
	}
	}
	return err
	}

	func newTransport(rwc io.ReadWriteCloser, rand io.Reader, isClient bool) *transport {
	t := &transport{
	bufReader: bufio.NewReader(rwc),
	bufWriter: bufio.NewWriter(rwc),
	rand: rand,
	reader: connectionState{
	packetCipher: &streamPacketCipher{cipher: noneCipher{}},
	pendingKeyChange: make(chan packetCipher, 1),
	},
	writer: connectionState{
	packetCipher: &streamPacketCipher{cipher: noneCipher{}},
	pendingKeyChange: make(chan packetCipher, 1),
	},
	Closer: rwc,
	}
	if isClient {
	t.reader.dir = serverKeys
	t.writer.dir = clientKeys
	} else {
	t.reader.dir = clientKeys
	t.writer.dir = serverKeys
	}

	return t
	}

	type direction struct {
	ivTag []byte
	keyTag []byte
	macKeyTag []byte
	}

	var (
	serverKeys = direction{[]byte{'B'}, []byte{'D'}, []byte{'F'}}
	clientKeys = direction{[]byte{'A'}, []byte{'C'}, []byte{'E'}}
	)

	// generateKeys generates key material for IV, MAC and encryption.
	func generateKeys(d direction, algs directionAlgorithms, kex *kexResult) (iv, key, macKey []byte) {
	cipherMode := cipherModes[algs.Cipher]
	macMode := macModes[algs.MAC]

	iv = make([]byte, cipherMode.ivSize)
	key = make([]byte, cipherMode.keySize)
	macKey = make([]byte, macMode.keySize)

	generateKeyMaterial(iv, d.ivTag, kex)
	generateKeyMaterial(key, d.keyTag, kex)
	generateKeyMaterial(macKey, d.macKeyTag, kex)
	return
	}

	// setupKeys sets the cipher and MAC keys from kex.K, kex.H and sessionId, as
	// described in RFC 4253, section 6.4. direction should either be serverKeys
	// (to setup server->client keys) or clientKeys (for client->server keys).
	func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (packetCipher, error) {
	iv, key, macKey := generateKeys(d, algs, kex)

	if algs.Cipher == gcmCipherID {
	return newGCMCipher(iv, key, macKey)
	}

	if algs.Cipher == aes128cbcID {
	return newAESCBCCipher(iv, key, macKey, algs)
	}

	if algs.Cipher == tripledescbcID {
	return newTripleDESCBCCipher(iv, key, macKey, algs)
	}

	c := &streamPacketCipher{
	mac: macModes[algs.MAC].new(macKey),
	}
	c.macResult = make([]byte, c.mac.Size())

	var err error
	c.cipher, err = cipherModes[algs.Cipher].createStream(key, iv)
	if err != nil {
	return nil, err
	}

	return c, nil
	}

	// generateKeyMaterial fills out with key material generated from tag, K, H
	// and sessionId, as specified in RFC 4253, section 7.2.
	func generateKeyMaterial(out, tag []byte, r *kexResult) {
	var digestsSoFar []byte

	h := r.Hash.New()
	for len(out) > 0 {
	h.Reset()
	h.Write(r.K)
	h.Write(r.H)

	if len(digestsSoFar) == 0 {
	h.Write(tag)
	h.Write(r.SessionID)
	} else {
	h.Write(digestsSoFar)
	}

	digest := h.Sum(nil)
	n := copy(out, digest)
	out = out[n:]
	if len(out) > 0 {
	digestsSoFar = append(digestsSoFar, digest...)
	}
	}
	}

	const packageVersion = "SSH-2.0-Go"

	// Sends and receives a version line. The versionLine string should
	// be US ASCII, start with "SSH-2.0-", and should not include a
	// newline. exchangeVersions returns the other side's version line.
	func exchangeVersions(rw io.ReadWriter, versionLine []byte) (them []byte, err error) {
	// Contrary to the RFC, we do not ignore lines that don't
	// start with "SSH-2.0-" to make the library usable with
	// nonconforming servers.
	for _, c := range versionLine {
	// The spec disallows non US-ASCII chars, and
	// specifically forbids null chars.
	if c < 32 {
	return nil, errors.New("ssh: junk character in version line")
	}
	}
	if _, err = rw.Write(append(versionLine, '\r', '\n')); err != nil {
	return
	}

	them, err = readVersion(rw)
	return them, err
	}

	// maxVersionStringBytes is the maximum number of bytes that we'll
	// accept as a version string. RFC 4253 section 4.2 limits this at 255
	// chars
	const maxVersionStringBytes = 255

	// Read version string as specified by RFC 4253, section 4.2.
	func readVersion(r io.Reader) ([]byte, error) {
	versionString := make([]byte, 0, 64)
	var ok bool
	var buf [1]byte

	for len(versionString) < maxVersionStringBytes {
	_, err := io.ReadFull(r, buf[:])
	if err != nil {
	return nil, err
	}
	// The RFC says that the version should be terminated with \r\n
	// but several SSH servers actually only send a \n.
	if buf[0] == '\n' {
	ok = true
	break
	}

	// non ASCII chars are disallowed, but we are lenient,
	// since Go doesn't use null-terminated strings.

	// The RFC allows a comment after a space, however,
	// all of it (version and comments) goes into the
	// session hash.
	versionString = append(versionString, buf[0])
	}

	if !ok {
	return nil, errors.New("ssh: overflow reading version string")
	}

	// There might be a '\r' on the end which we should remove.
	if len(versionString) > 0 && versionString[len(versionString)-1] == '\r' {
	versionString = versionString[:len(versionString)-1]
	}
	return versionString, nil
	}