blob: 04f3620b3d5ebe9252b0c8cabe2c4a54181d1548 [file] [log] [blame]
Russ Cox470549d2012-01-25 15:31:12 -05001// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
Han-Wen Nienhuysd7d50b02013-08-28 10:50:25 -04008 "crypto"
Adam Langleyfa50e742014-04-09 13:57:52 -07009 "crypto/rand"
Dave Cheney1582bf02012-10-30 18:13:59 +110010 "fmt"
Adam Langleyfa50e742014-04-09 13:57:52 -070011 "io"
Han-Wen Nienhuysc78caca2017-04-04 17:27:40 +020012 "math"
Russ Cox470549d2012-01-25 15:31:12 -050013 "sync"
Jonathan Pittman6a743c52013-09-09 13:06:04 -040014
15 _ "crypto/sha1"
16 _ "crypto/sha256"
17 _ "crypto/sha512"
Russ Cox470549d2012-01-25 15:31:12 -050018)
19
20// These are string constants in the SSH protocol.
21const (
Russ Cox470549d2012-01-25 15:31:12 -050022 compressionNone = "none"
23 serviceUserAuth = "ssh-userauth"
24 serviceSSH = "ssh-connection"
25)
26
Han-Wen Nienhuys18353192018-01-10 11:56:48 +010027// supportedCiphers lists ciphers we support but might not recommend.
Adam Langleyfa50e742014-04-09 13:57:52 -070028var supportedCiphers = []string{
29 "aes128-ctr", "aes192-ctr", "aes256-ctr",
30 "aes128-gcm@openssh.com",
Han-Wen Nienhuysee41a252018-01-10 12:42:30 +010031 chacha20Poly1305ID,
Han-Wen Nienhuys18353192018-01-10 11:56:48 +010032 "arcfour256", "arcfour128", "arcfour",
33 aes128cbcID,
34 tripledescbcID,
35}
36
37// preferredCiphers specifies the default preference for ciphers.
38var preferredCiphers = []string{
Han-Wen Nienhuys18353192018-01-10 11:56:48 +010039 "aes128-gcm@openssh.com",
Han-Wen Nienhuysd94f6bc2018-01-22 20:45:19 +010040 chacha20Poly1305ID,
41 "aes128-ctr", "aes192-ctr", "aes256-ctr",
Adam Langleyfa50e742014-04-09 13:57:52 -070042}
43
44// supportedKexAlgos specifies the supported key-exchange algorithms in
45// preference order.
Han-Wen Nienhuysd7d50b02013-08-28 10:50:25 -040046var supportedKexAlgos = []string{
hanwenaca188f2015-08-12 11:17:08 +020047 kexAlgoCurve25519SHA256,
Adam Langleyfa50e742014-04-09 13:57:52 -070048 // P384 and P521 are not constant-time yet, but since we don't
49 // reuse ephemeral keys, using them for ECDH should be OK.
Han-Wen Nienhuysd7d50b02013-08-28 10:50:25 -040050 kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
51 kexAlgoDH14SHA1, kexAlgoDH1SHA1,
52}
53
Brad Fitzpatrick3cb07272017-03-30 16:02:45 +000054// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
Adam Langleyfa50e742014-04-09 13:57:52 -070055// of authenticating servers) in preference order.
Han-Wen Nienhuys41400fe2013-10-07 18:30:34 -040056var supportedHostKeyAlgos = []string{
Adam Langleyfa50e742014-04-09 13:57:52 -070057 CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
Peter Moody10c26742016-07-08 11:32:35 -070058 CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
Adam Langleyfa50e742014-04-09 13:57:52 -070059
Han-Wen Nienhuys41400fe2013-10-07 18:30:34 -040060 KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
61 KeyAlgoRSA, KeyAlgoDSA,
Martin Garton1e61df82016-04-30 22:10:58 +010062
63 KeyAlgoED25519,
Han-Wen Nienhuys41400fe2013-10-07 18:30:34 -040064}
65
Adam Langleyfa50e742014-04-09 13:57:52 -070066// supportedMACs specifies a default set of MAC algorithms in preference order.
67// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
68// because they have reached the end of their useful life.
69var supportedMACs = []string{
MiLk84bacda2017-01-20 08:44:06 +090070 "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
Adam Langleyfa50e742014-04-09 13:57:52 -070071}
72
Russ Cox470549d2012-01-25 15:31:12 -050073var supportedCompressions = []string{compressionNone}
74
Jonathan Pittman6a743c52013-09-09 13:06:04 -040075// hashFuncs keeps the mapping of supported algorithms to their respective
76// hashes needed for signature verification.
77var hashFuncs = map[string]crypto.Hash{
78 KeyAlgoRSA: crypto.SHA1,
79 KeyAlgoDSA: crypto.SHA1,
80 KeyAlgoECDSA256: crypto.SHA256,
81 KeyAlgoECDSA384: crypto.SHA384,
82 KeyAlgoECDSA521: crypto.SHA512,
83 CertAlgoRSAv01: crypto.SHA1,
84 CertAlgoDSAv01: crypto.SHA1,
85 CertAlgoECDSA256v01: crypto.SHA256,
86 CertAlgoECDSA384v01: crypto.SHA384,
87 CertAlgoECDSA521v01: crypto.SHA512,
88}
89
Adam Langleyfa50e742014-04-09 13:57:52 -070090// unexpectedMessageError results when the SSH message that we received didn't
Russ Cox470549d2012-01-25 15:31:12 -050091// match what we wanted.
Adam Langleyfa50e742014-04-09 13:57:52 -070092func unexpectedMessageError(expected, got uint8) error {
93 return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected)
Russ Cox470549d2012-01-25 15:31:12 -050094}
95
Adam Langleyfa50e742014-04-09 13:57:52 -070096// parseError results from a malformed SSH message.
97func parseError(tag uint8) error {
98 return fmt.Errorf("ssh: parse error in message type %d", tag)
Russ Cox470549d2012-01-25 15:31:12 -050099}
100
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400101func findCommon(what string, client []string, server []string) (common string, err error) {
102 for _, c := range client {
103 for _, s := range server {
104 if c == s {
105 return c, nil
Russ Cox470549d2012-01-25 15:31:12 -0500106 }
107 }
108 }
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400109 return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
Russ Cox470549d2012-01-25 15:31:12 -0500110}
111
Adam Langleyfa50e742014-04-09 13:57:52 -0700112type directionAlgorithms struct {
113 Cipher string
114 MAC string
115 Compression string
116}
117
Han-Wen Nienhuysa59c1272017-01-17 18:15:27 +0100118// rekeyBytes returns a rekeying intervals in bytes.
119func (a *directionAlgorithms) rekeyBytes() int64 {
120 // According to RFC4344 block ciphers should rekey after
121 // 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
122 // 128.
123 switch a.Cipher {
124 case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
125 return 16 * (1 << 32)
126
127 }
128
129 // For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
130 return 1 << 30
131}
132
Han-Wen Nienhuys41472562013-10-08 15:47:04 -0400133type algorithms struct {
Adam Langleyfa50e742014-04-09 13:57:52 -0700134 kex string
135 hostKey string
136 w directionAlgorithms
137 r directionAlgorithms
Han-Wen Nienhuys41472562013-10-08 15:47:04 -0400138}
139
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400140func findAgreedAlgorithms(clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) {
Han-Wen Nienhuys41472562013-10-08 15:47:04 -0400141 result := &algorithms{}
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400142
143 result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)
144 if err != nil {
Russ Cox470549d2012-01-25 15:31:12 -0500145 return
146 }
147
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400148 result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
149 if err != nil {
Russ Cox470549d2012-01-25 15:31:12 -0500150 return
151 }
152
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400153 result.w.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
154 if err != nil {
Russ Cox470549d2012-01-25 15:31:12 -0500155 return
156 }
157
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400158 result.r.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
159 if err != nil {
Russ Cox470549d2012-01-25 15:31:12 -0500160 return
161 }
162
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400163 result.w.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
164 if err != nil {
Russ Cox470549d2012-01-25 15:31:12 -0500165 return
166 }
167
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400168 result.r.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
169 if err != nil {
Russ Cox470549d2012-01-25 15:31:12 -0500170 return
171 }
172
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400173 result.w.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
174 if err != nil {
Russ Cox470549d2012-01-25 15:31:12 -0500175 return
176 }
177
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400178 result.r.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
179 if err != nil {
Russ Cox470549d2012-01-25 15:31:12 -0500180 return
181 }
182
Thomas Desrosiers6c2080b2015-08-21 21:25:57 -0400183 return result, nil
Russ Cox470549d2012-01-25 15:31:12 -0500184}
185
Adam Langleyfa50e742014-04-09 13:57:52 -0700186// If rekeythreshold is too small, we can't make any progress sending
187// stuff.
188const minRekeyThreshold uint64 = 256
189
190// Config contains configuration data common to both ServerConfig and
191// ClientConfig.
192type Config struct {
193 // Rand provides the source of entropy for cryptographic
194 // primitives. If Rand is nil, the cryptographic random reader
195 // in package crypto/rand will be used.
196 Rand io.Reader
197
198 // The maximum number of bytes sent or received after which a
199 // new key is negotiated. It must be at least 256. If
Han-Wen Nienhuysc78caca2017-04-04 17:27:40 +0200200 // unspecified, a size suitable for the chosen cipher is used.
Adam Langleyfa50e742014-04-09 13:57:52 -0700201 RekeyThreshold uint64
202
Han-Wen Nienhuysd7d50b02013-08-28 10:50:25 -0400203 // The allowed key exchanges algorithms. If unspecified then a
204 // default set of algorithms is used.
205 KeyExchanges []string
206
Adam Langleyfa50e742014-04-09 13:57:52 -0700207 // The allowed cipher algorithms. If unspecified then a sensible
208 // default is used.
Russ Cox470549d2012-01-25 15:31:12 -0500209 Ciphers []string
Dave Cheney6de97b52012-02-27 19:40:52 -0500210
Adam Langleyfa50e742014-04-09 13:57:52 -0700211 // The allowed MAC algorithms. If unspecified then a sensible default
212 // is used.
Dave Cheney6de97b52012-02-27 19:40:52 -0500213 MACs []string
Russ Cox470549d2012-01-25 15:31:12 -0500214}
215
Adam Langleyfa50e742014-04-09 13:57:52 -0700216// SetDefaults sets sensible values for unset fields in config. This is
217// exported for testing: Configs passed to SSH functions are copied and have
218// default values set automatically.
219func (c *Config) SetDefaults() {
220 if c.Rand == nil {
221 c.Rand = rand.Reader
222 }
Russ Cox470549d2012-01-25 15:31:12 -0500223 if c.Ciphers == nil {
Han-Wen Nienhuys18353192018-01-10 11:56:48 +0100224 c.Ciphers = preferredCiphers
Russ Cox470549d2012-01-25 15:31:12 -0500225 }
Nathan(yinian) Hu5c68cfd2015-04-08 12:39:14 +1000226 var ciphers []string
227 for _, c := range c.Ciphers {
228 if cipherModes[c] != nil {
229 // reject the cipher if we have no cipherModes definition
230 ciphers = append(ciphers, c)
231 }
232 }
233 c.Ciphers = ciphers
Russ Cox470549d2012-01-25 15:31:12 -0500234
Han-Wen Nienhuysd7d50b02013-08-28 10:50:25 -0400235 if c.KeyExchanges == nil {
Adam Langleyfa50e742014-04-09 13:57:52 -0700236 c.KeyExchanges = supportedKexAlgos
Han-Wen Nienhuysd7d50b02013-08-28 10:50:25 -0400237 }
Han-Wen Nienhuysd7d50b02013-08-28 10:50:25 -0400238
Dave Cheney6de97b52012-02-27 19:40:52 -0500239 if c.MACs == nil {
Adam Langleyfa50e742014-04-09 13:57:52 -0700240 c.MACs = supportedMACs
Dave Cheney6de97b52012-02-27 19:40:52 -0500241 }
Dave Cheney6de97b52012-02-27 19:40:52 -0500242
Adam Langleyfa50e742014-04-09 13:57:52 -0700243 if c.RekeyThreshold == 0 {
Han-Wen Nienhuysc78caca2017-04-04 17:27:40 +0200244 // cipher specific default
245 } else if c.RekeyThreshold < minRekeyThreshold {
Adam Langleyfa50e742014-04-09 13:57:52 -0700246 c.RekeyThreshold = minRekeyThreshold
Han-Wen Nienhuysc78caca2017-04-04 17:27:40 +0200247 } else if c.RekeyThreshold >= math.MaxInt64 {
248 // Avoid weirdness if somebody uses -1 as a threshold.
249 c.RekeyThreshold = math.MaxInt64
Adam Langleyfa50e742014-04-09 13:57:52 -0700250 }
Jonathan Pittman6a743c52013-09-09 13:06:04 -0400251}
252
Russ Cox470549d2012-01-25 15:31:12 -0500253// buildDataSignedForAuth returns the data that is signed in order to prove
Jonathan Pittman44256fa2013-10-10 11:35:15 -0400254// possession of a private key. See RFC 4252, section 7.
Kevin Burkee8f22982017-11-27 20:39:32 -0800255func buildDataSignedForAuth(sessionID []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte {
Adam Langleyfa50e742014-04-09 13:57:52 -0700256 data := struct {
257 Session []byte
258 Type byte
259 User string
260 Service string
261 Method string
262 Sign bool
263 Algo []byte
264 PubKey []byte
265 }{
Kevin Burkee8f22982017-11-27 20:39:32 -0800266 sessionID,
Adam Langleyfa50e742014-04-09 13:57:52 -0700267 msgUserAuthRequest,
268 req.User,
269 req.Service,
270 req.Method,
271 true,
272 algo,
273 pubKey,
Russ Cox470549d2012-01-25 15:31:12 -0500274 }
Adam Langleyfa50e742014-04-09 13:57:52 -0700275 return Marshal(data)
Russ Cox470549d2012-01-25 15:31:12 -0500276}
Dave Cheney79d53bd2012-03-04 14:34:24 -0800277
278func appendU16(buf []byte, n uint16) []byte {
279 return append(buf, byte(n>>8), byte(n))
280}
281
282func appendU32(buf []byte, n uint32) []byte {
283 return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
284}
285
Adam Langleyfa50e742014-04-09 13:57:52 -0700286func appendU64(buf []byte, n uint64) []byte {
287 return append(buf,
288 byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32),
289 byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
290}
291
Dave Cheney79d53bd2012-03-04 14:34:24 -0800292func appendInt(buf []byte, n int) []byte {
293 return appendU32(buf, uint32(n))
294}
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000295
Han-Wen Nienhuysc7df5652013-06-06 10:44:12 -0400296func appendString(buf []byte, s string) []byte {
297 buf = appendU32(buf, uint32(len(s)))
298 buf = append(buf, s...)
299 return buf
300}
301
302func appendBool(buf []byte, b bool) []byte {
303 if b {
Adam Langleyfa50e742014-04-09 13:57:52 -0700304 return append(buf, 1)
Han-Wen Nienhuysc7df5652013-06-06 10:44:12 -0400305 }
Adam Langleyfa50e742014-04-09 13:57:52 -0700306 return append(buf, 0)
Han-Wen Nienhuysc7df5652013-06-06 10:44:12 -0400307}
308
Adam Langley4002be22012-12-10 18:12:36 -0500309// newCond is a helper to hide the fact that there is no usable zero
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000310// value for sync.Cond.
311func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) }
312
Adam Langley4002be22012-12-10 18:12:36 -0500313// window represents the buffer available to clients
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000314// wishing to write to a channel.
315type window struct {
316 *sync.Cond
Adam Langleyfa50e742014-04-09 13:57:52 -0700317 win uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1
318 writeWaiters int
319 closed bool
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000320}
321
322// add adds win to the amount of window available
323// for consumers.
324func (w *window) add(win uint32) bool {
Dave Cheney55aa0812012-05-22 12:04:51 +1000325 // a zero sized window adjust is a noop.
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000326 if win == 0 {
Dave Cheney55aa0812012-05-22 12:04:51 +1000327 return true
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000328 }
329 w.L.Lock()
330 if w.win+win < win {
331 w.L.Unlock()
332 return false
333 }
334 w.win += win
335 // It is unusual that multiple goroutines would be attempting to reserve
Adam Langley4002be22012-12-10 18:12:36 -0500336 // window space, but not guaranteed. Use broadcast to notify all waiters
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000337 // that additional window is available.
338 w.Broadcast()
339 w.L.Unlock()
340 return true
341}
342
Adam Langleyfa50e742014-04-09 13:57:52 -0700343// close sets the window to closed, so all reservations fail
344// immediately.
345func (w *window) close() {
346 w.L.Lock()
347 w.closed = true
348 w.Broadcast()
349 w.L.Unlock()
350}
351
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000352// reserve reserves win from the available window capacity.
353// If no capacity remains, reserve will block. reserve may
354// return less than requested.
Adam Langleyfa50e742014-04-09 13:57:52 -0700355func (w *window) reserve(win uint32) (uint32, error) {
356 var err error
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000357 w.L.Lock()
Adam Langleyfa50e742014-04-09 13:57:52 -0700358 w.writeWaiters++
359 w.Broadcast()
360 for w.win == 0 && !w.closed {
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000361 w.Wait()
362 }
Adam Langleyfa50e742014-04-09 13:57:52 -0700363 w.writeWaiters--
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000364 if w.win < win {
365 win = w.win
366 }
367 w.win -= win
Adam Langleyfa50e742014-04-09 13:57:52 -0700368 if w.closed {
369 err = io.EOF
370 }
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000371 w.L.Unlock()
Adam Langleyfa50e742014-04-09 13:57:52 -0700372 return win, err
373}
374
375// waitWriterBlocked waits until some goroutine is blocked for further
376// writes. It is used in tests only.
377func (w *window) waitWriterBlocked() {
378 w.Cond.L.Lock()
379 for w.writeWaiters == 0 {
380 w.Cond.Wait()
381 }
382 w.Cond.L.Unlock()
Dave Cheney8a2e7c92012-05-11 05:56:44 +1000383}