closed-social
/
gitea

// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package ssh
import (	"crypto"	"crypto/rand"	"fmt"	"io"	"math"	"sync"
	_ "crypto/sha1"	_ "crypto/sha256"	_ "crypto/sha512")
// These are string constants in the SSH protocol.
const (	compressionNone = "none"	serviceUserAuth = "ssh-userauth"	serviceSSH      = "ssh-connection")
// supportedCiphers lists ciphers we support but might not recommend.
var supportedCiphers = []string{	"aes128-ctr", "aes192-ctr", "aes256-ctr",	"aes128-gcm@openssh.com",	chacha20Poly1305ID,	"arcfour256", "arcfour128", "arcfour",	aes128cbcID,	tripledescbcID,}
// preferredCiphers specifies the default preference for ciphers.
var preferredCiphers = []string{	"aes128-gcm@openssh.com",	chacha20Poly1305ID,	"aes128-ctr", "aes192-ctr", "aes256-ctr",}
// supportedKexAlgos specifies the supported key-exchange algorithms in
// preference order.
var supportedKexAlgos = []string{	kexAlgoCurve25519SHA256,	// P384 and P521 are not constant-time yet, but since we don't
	// reuse ephemeral keys, using them for ECDH should be OK.
	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,	kexAlgoDH14SHA1, kexAlgoDH1SHA1,}
// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
// of authenticating servers) in preference order.
var supportedHostKeyAlgos = []string{	CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,	CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,	KeyAlgoRSA, KeyAlgoDSA,
	KeyAlgoED25519,}
// supportedMACs specifies a default set of MAC algorithms in preference order.
// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
// because they have reached the end of their useful life.
var supportedMACs = []string{	"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",}
var supportedCompressions = []string{compressionNone}
// hashFuncs keeps the mapping of supported algorithms to their respective
// hashes needed for signature verification.
var hashFuncs = map[string]crypto.Hash{	KeyAlgoRSA:          crypto.SHA1,	KeyAlgoDSA:          crypto.SHA1,	KeyAlgoECDSA256:     crypto.SHA256,	KeyAlgoECDSA384:     crypto.SHA384,	KeyAlgoECDSA521:     crypto.SHA512,	CertAlgoRSAv01:      crypto.SHA1,	CertAlgoDSAv01:      crypto.SHA1,	CertAlgoECDSA256v01: crypto.SHA256,	CertAlgoECDSA384v01: crypto.SHA384,	CertAlgoECDSA521v01: crypto.SHA512,}
// unexpectedMessageError results when the SSH message that we received didn't
// match what we wanted.
func unexpectedMessageError(expected, got uint8) error {	return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected)}
// parseError results from a malformed SSH message.
func parseError(tag uint8) error {	return fmt.Errorf("ssh: parse error in message type %d", tag)}
func findCommon(what string, client []string, server []string) (common string, err error) {	for _, c := range client {		for _, s := range server {			if c == s {				return c, nil			}		}	}	return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)}
// directionAlgorithms records algorithm choices in one direction (either read or write)
type directionAlgorithms struct {	Cipher      string	MAC         string	Compression string}
// rekeyBytes returns a rekeying intervals in bytes.
func (a *directionAlgorithms) rekeyBytes() int64 {	// According to RFC4344 block ciphers should rekey after
	// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
	// 128.
	switch a.Cipher {	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:		return 16 * (1 << 32)
	}
	// For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
	return 1 << 30}
type algorithms struct {	kex     string	hostKey string	w       directionAlgorithms	r       directionAlgorithms}
func findAgreedAlgorithms(isClient bool, clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) {	result := &algorithms{}
	result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)	if err != nil {		return	}
	result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)	if err != nil {		return	}
	stoc, ctos := &result.w, &result.r	if isClient {		ctos, stoc = stoc, ctos	}
	ctos.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)	if err != nil {		return	}
	stoc.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)	if err != nil {		return	}
	ctos.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)	if err != nil {		return	}
	stoc.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)	if err != nil {		return	}
	ctos.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)	if err != nil {		return	}
	stoc.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)	if err != nil {		return	}
	return result, nil}
// If rekeythreshold is too small, we can't make any progress sending
// stuff.
const minRekeyThreshold uint64 = 256
// Config contains configuration data common to both ServerConfig and
// ClientConfig.
type Config struct {	// Rand provides the source of entropy for cryptographic
	// primitives. If Rand is nil, the cryptographic random reader
	// in package crypto/rand will be used.
	Rand io.Reader
	// The maximum number of bytes sent or received after which a
	// new key is negotiated. It must be at least 256. If
	// unspecified, a size suitable for the chosen cipher is used.
	RekeyThreshold uint64
	// The allowed key exchanges algorithms. If unspecified then a
	// default set of algorithms is used.
	KeyExchanges []string
	// The allowed cipher algorithms. If unspecified then a sensible
	// default is used.
	Ciphers []string
	// The allowed MAC algorithms. If unspecified then a sensible default
	// is used.
	MACs []string}
// SetDefaults sets sensible values for unset fields in config. This is
// exported for testing: Configs passed to SSH functions are copied and have
// default values set automatically.
func (c *Config) SetDefaults() {	if c.Rand == nil {		c.Rand = rand.Reader	}	if c.Ciphers == nil {		c.Ciphers = preferredCiphers	}	var ciphers []string	for _, c := range c.Ciphers {		if cipherModes[c] != nil {			// reject the cipher if we have no cipherModes definition
			ciphers = append(ciphers, c)		}	}	c.Ciphers = ciphers
	if c.KeyExchanges == nil {		c.KeyExchanges = supportedKexAlgos	}
	if c.MACs == nil {		c.MACs = supportedMACs	}
	if c.RekeyThreshold == 0 {		// cipher specific default
	} else if c.RekeyThreshold < minRekeyThreshold {		c.RekeyThreshold = minRekeyThreshold	} else if c.RekeyThreshold >= math.MaxInt64 {		// Avoid weirdness if somebody uses -1 as a threshold.
		c.RekeyThreshold = math.MaxInt64	}}
// buildDataSignedForAuth returns the data that is signed in order to prove
// possession of a private key. See RFC 4252, section 7.
func buildDataSignedForAuth(sessionID []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte {	data := struct {		Session []byte		Type    byte		User    string		Service string		Method  string		Sign    bool		Algo    []byte		PubKey  []byte	}{		sessionID,		msgUserAuthRequest,		req.User,		req.Service,		req.Method,		true,		algo,		pubKey,	}	return Marshal(data)}
func appendU16(buf []byte, n uint16) []byte {	return append(buf, byte(n>>8), byte(n))}
func appendU32(buf []byte, n uint32) []byte {	return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))}
func appendU64(buf []byte, n uint64) []byte {	return append(buf,		byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32),		byte(n>>24), byte(n>>16), byte(n>>8), byte(n))}
func appendInt(buf []byte, n int) []byte {	return appendU32(buf, uint32(n))}
func appendString(buf []byte, s string) []byte {	buf = appendU32(buf, uint32(len(s)))	buf = append(buf, s...)	return buf}
func appendBool(buf []byte, b bool) []byte {	if b {		return append(buf, 1)	}	return append(buf, 0)}
// newCond is a helper to hide the fact that there is no usable zero
// value for sync.Cond.
func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) }
// window represents the buffer available to clients
// wishing to write to a channel.
type window struct {	*sync.Cond	win          uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1
	writeWaiters int	closed       bool}
// add adds win to the amount of window available
// for consumers.
func (w *window) add(win uint32) bool {	// a zero sized window adjust is a noop.
	if win == 0 {		return true	}	w.L.Lock()	if w.win+win < win {		w.L.Unlock()		return false	}	w.win += win	// It is unusual that multiple goroutines would be attempting to reserve
	// window space, but not guaranteed. Use broadcast to notify all waiters
	// that additional window is available.
	w.Broadcast()	w.L.Unlock()	return true}
// close sets the window to closed, so all reservations fail
// immediately.
func (w *window) close() {	w.L.Lock()	w.closed = true	w.Broadcast()	w.L.Unlock()}
// reserve reserves win from the available window capacity.
// If no capacity remains, reserve will block. reserve may
// return less than requested.
func (w *window) reserve(win uint32) (uint32, error) {	var err error	w.L.Lock()	w.writeWaiters++	w.Broadcast()	for w.win == 0 && !w.closed {		w.Wait()	}	w.writeWaiters--	if w.win < win {		win = w.win	}	w.win -= win	if w.closed {		err = io.EOF	}	w.L.Unlock()	return win, err}
// waitWriterBlocked waits until some goroutine is blocked for further
// writes. It is used in tests only.
func (w *window) waitWriterBlocked() {	w.Cond.L.Lock()	for w.writeWaiters == 0 {		w.Cond.Wait()	}	w.Cond.L.Unlock()}