AUTH-1557: Short Lived Certs
This commit is contained in:
parent
14f50d0922
commit
fa17b0200f
|
@ -9,3 +9,4 @@ guide/public
|
||||||
\#*\#
|
\#*\#
|
||||||
cscope.*
|
cscope.*
|
||||||
cloudflared
|
cloudflared
|
||||||
|
!cmd/cloudflared/
|
|
@ -376,17 +376,19 @@
|
||||||
|
|
||||||
[[projects]]
|
[[projects]]
|
||||||
branch = "master"
|
branch = "master"
|
||||||
digest = "1:9afbc3e330bd691e0eb0e704d05cc182b5c62ea71c5691c99fa5e82f06b628b6"
|
digest = "1:a84d5ec8b40a827962ea250f2cf03434138ccae9d83fcac12fb49b70c70b80cc"
|
||||||
name = "golang.org/x/crypto"
|
name = "golang.org/x/crypto"
|
||||||
packages = [
|
packages = [
|
||||||
"curve25519",
|
"curve25519",
|
||||||
"ed25519",
|
"ed25519",
|
||||||
"ed25519/internal/edwards25519",
|
"ed25519/internal/edwards25519",
|
||||||
|
"internal/chacha20",
|
||||||
"internal/subtle",
|
"internal/subtle",
|
||||||
"nacl/box",
|
"nacl/box",
|
||||||
"nacl/secretbox",
|
"nacl/secretbox",
|
||||||
"poly1305",
|
"poly1305",
|
||||||
"salsa20/salsa",
|
"salsa20/salsa",
|
||||||
|
"ssh",
|
||||||
"ssh/terminal",
|
"ssh/terminal",
|
||||||
]
|
]
|
||||||
pruneopts = "UT"
|
pruneopts = "UT"
|
||||||
|
@ -588,6 +590,7 @@
|
||||||
"github.com/sirupsen/logrus",
|
"github.com/sirupsen/logrus",
|
||||||
"github.com/stretchr/testify/assert",
|
"github.com/stretchr/testify/assert",
|
||||||
"golang.org/x/crypto/nacl/box",
|
"golang.org/x/crypto/nacl/box",
|
||||||
|
"golang.org/x/crypto/ssh",
|
||||||
"golang.org/x/crypto/ssh/terminal",
|
"golang.org/x/crypto/ssh/terminal",
|
||||||
"golang.org/x/net/context",
|
"golang.org/x/net/context",
|
||||||
"golang.org/x/net/http2",
|
"golang.org/x/net/http2",
|
||||||
|
|
|
@ -12,10 +12,17 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
|
||||||
|
"github.com/cloudflare/cloudflared/sshgen"
|
||||||
"github.com/cloudflare/cloudflared/websocket"
|
"github.com/cloudflare/cloudflared/websocket"
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type StartOptions struct {
|
||||||
|
OriginURL string
|
||||||
|
Headers http.Header
|
||||||
|
ShouldGenCert bool
|
||||||
|
}
|
||||||
|
|
||||||
// StdinoutStream is empty struct for wrapping stdin/stdout
|
// StdinoutStream is empty struct for wrapping stdin/stdout
|
||||||
// into a single ReadWriter
|
// into a single ReadWriter
|
||||||
type StdinoutStream struct {
|
type StdinoutStream struct {
|
||||||
|
@ -34,27 +41,27 @@ func (c *StdinoutStream) Write(p []byte) (int, error) {
|
||||||
|
|
||||||
// StartClient will copy the data from stdin/stdout over a WebSocket connection
|
// StartClient will copy the data from stdin/stdout over a WebSocket connection
|
||||||
// to the edge (originURL)
|
// to the edge (originURL)
|
||||||
func StartClient(logger *logrus.Logger, originURL string, stream io.ReadWriter, headers http.Header) error {
|
func StartClient(logger *logrus.Logger, stream io.ReadWriter, options *StartOptions) error {
|
||||||
return serveStream(logger, originURL, stream, headers)
|
return serveStream(logger, stream, options)
|
||||||
}
|
}
|
||||||
|
|
||||||
// StartServer will setup a listener on a specified address/port and then
|
// StartServer will setup a listener on a specified address/port and then
|
||||||
// forward connections to the origin by calling `Serve()`.
|
// forward connections to the origin by calling `Serve()`.
|
||||||
func StartServer(logger *logrus.Logger, address, originURL string, shutdownC <-chan struct{}, headers http.Header) error {
|
func StartServer(logger *logrus.Logger, address string, shutdownC <-chan struct{}, options *StartOptions) error {
|
||||||
listener, err := net.Listen("tcp", address)
|
listener, err := net.Listen("tcp", address)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.WithError(err).Error("failed to start forwarding server")
|
logger.WithError(err).Error("failed to start forwarding server")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
logger.Info("Started listening on ", address)
|
logger.Info("Started listening on ", address)
|
||||||
return Serve(logger, listener, originURL, shutdownC, headers)
|
return Serve(logger, listener, shutdownC, options)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Serve accepts incoming connections on the specified net.Listener.
|
// Serve accepts incoming connections on the specified net.Listener.
|
||||||
// Each connection is handled in a new goroutine: its data is copied over a
|
// Each connection is handled in a new goroutine: its data is copied over a
|
||||||
// WebSocket connection to the edge (originURL).
|
// WebSocket connection to the edge (originURL).
|
||||||
// `Serve` always closes `listener`.
|
// `Serve` always closes `listener`.
|
||||||
func Serve(logger *logrus.Logger, listener net.Listener, originURL string, shutdownC <-chan struct{}, headers http.Header) error {
|
func Serve(logger *logrus.Logger, listener net.Listener, shutdownC <-chan struct{}, options *StartOptions) error {
|
||||||
defer listener.Close()
|
defer listener.Close()
|
||||||
for {
|
for {
|
||||||
select {
|
select {
|
||||||
|
@ -65,22 +72,22 @@ func Serve(logger *logrus.Logger, listener net.Listener, originURL string, shutd
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
go serveConnection(logger, conn, originURL, headers)
|
go serveConnection(logger, conn, options)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// serveConnection handles connections for the Serve() call
|
// serveConnection handles connections for the Serve() call
|
||||||
func serveConnection(logger *logrus.Logger, c net.Conn, originURL string, headers http.Header) {
|
func serveConnection(logger *logrus.Logger, c net.Conn, options *StartOptions) {
|
||||||
defer c.Close()
|
defer c.Close()
|
||||||
serveStream(logger, originURL, c, headers)
|
serveStream(logger, c, options)
|
||||||
}
|
}
|
||||||
|
|
||||||
// serveStream will serve the data over the WebSocket stream
|
// serveStream will serve the data over the WebSocket stream
|
||||||
func serveStream(logger *logrus.Logger, originURL string, conn io.ReadWriter, headers http.Header) error {
|
func serveStream(logger *logrus.Logger, conn io.ReadWriter, options *StartOptions) error {
|
||||||
wsConn, err := createWebsocketStream(originURL, headers)
|
wsConn, err := createWebsocketStream(options)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.WithError(err).Errorf("failed to connect to %s\n", originURL)
|
logger.WithError(err).Errorf("failed to connect to %s\n", options.OriginURL)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
defer wsConn.Close()
|
defer wsConn.Close()
|
||||||
|
@ -93,12 +100,12 @@ func serveStream(logger *logrus.Logger, originURL string, conn io.ReadWriter, he
|
||||||
// createWebsocketStream will create a WebSocket connection to stream data over
|
// createWebsocketStream will create a WebSocket connection to stream data over
|
||||||
// It also handles redirects from Access and will present that flow if
|
// It also handles redirects from Access and will present that flow if
|
||||||
// the token is not present on the request
|
// the token is not present on the request
|
||||||
func createWebsocketStream(originURL string, headers http.Header) (*websocket.Conn, error) {
|
func createWebsocketStream(options *StartOptions) (*websocket.Conn, error) {
|
||||||
req, err := http.NewRequest(http.MethodGet, originURL, nil)
|
req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
req.Header = headers
|
req.Header = options.Headers
|
||||||
|
|
||||||
wsConn, resp, err := websocket.ClientConnect(req, nil)
|
wsConn, resp, err := websocket.ClientConnect(req, nil)
|
||||||
if err != nil && resp != nil && resp.StatusCode > 300 {
|
if err != nil && resp != nil && resp.StatusCode > 300 {
|
||||||
|
@ -109,11 +116,17 @@ func createWebsocketStream(originURL string, headers http.Header) (*websocket.Co
|
||||||
if !strings.Contains(location.String(), "cdn-cgi/access/login") {
|
if !strings.Contains(location.String(), "cdn-cgi/access/login") {
|
||||||
return nil, errors.New("not an Access redirect")
|
return nil, errors.New("not an Access redirect")
|
||||||
}
|
}
|
||||||
req, err := buildAccessRequest(originURL)
|
req, token, err := buildAccessRequest(options.OriginURL)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if options.ShouldGenCert {
|
||||||
|
if err := sshgen.GenerateShortLivedCertificate(req.URL, token); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
wsConn, _, err = websocket.ClientConnect(req, nil)
|
wsConn, _, err = websocket.ClientConnect(req, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -126,24 +139,24 @@ func createWebsocketStream(originURL string, headers http.Header) (*websocket.Co
|
||||||
}
|
}
|
||||||
|
|
||||||
// buildAccessRequest builds an HTTP request with the Access token set
|
// buildAccessRequest builds an HTTP request with the Access token set
|
||||||
func buildAccessRequest(originURL string) (*http.Request, error) {
|
func buildAccessRequest(originURL string) (*http.Request, string, error) {
|
||||||
req, err := http.NewRequest(http.MethodGet, originURL, nil)
|
req, err := http.NewRequest(http.MethodGet, originURL, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
token, err := token.FetchToken(req.URL)
|
token, err := token.FetchToken(req.URL)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
// We need to create a new request as FetchToken will modify req (boo mutable)
|
// We need to create a new request as FetchToken will modify req (boo mutable)
|
||||||
// as it has to follow redirect on the API and such, so here we init a new one
|
// as it has to follow redirect on the API and such, so here we init a new one
|
||||||
originRequest, err := http.NewRequest(http.MethodGet, originURL, nil)
|
originRequest, err := http.NewRequest(http.MethodGet, originURL, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, "", err
|
||||||
}
|
}
|
||||||
originRequest.Header.Set("cf-access-token", token)
|
originRequest.Header.Set("cf-access-token", token)
|
||||||
|
|
||||||
return originRequest, nil
|
return originRequest, token, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -48,7 +48,12 @@ func TestStartClient(t *testing.T) {
|
||||||
defer ts.Close()
|
defer ts.Close()
|
||||||
|
|
||||||
buf := newTestStream()
|
buf := newTestStream()
|
||||||
err := StartClient(logger, "http://"+ts.Listener.Addr().String(), buf, nil)
|
options := &StartOptions{
|
||||||
|
OriginURL: "http://" + ts.Listener.Addr().String(),
|
||||||
|
Headers: nil,
|
||||||
|
ShouldGenCert: false,
|
||||||
|
}
|
||||||
|
err := StartClient(logger, buf, options)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
buf.Write([]byte(message))
|
buf.Write([]byte(message))
|
||||||
|
|
||||||
|
@ -67,9 +72,14 @@ func TestStartServer(t *testing.T) {
|
||||||
shutdownC := make(chan struct{})
|
shutdownC := make(chan struct{})
|
||||||
ts := newTestWebSocketServer()
|
ts := newTestWebSocketServer()
|
||||||
defer ts.Close()
|
defer ts.Close()
|
||||||
|
options := &StartOptions{
|
||||||
|
OriginURL: "http://" + ts.Listener.Addr().String(),
|
||||||
|
Headers: nil,
|
||||||
|
ShouldGenCert: false,
|
||||||
|
}
|
||||||
|
|
||||||
go func() {
|
go func() {
|
||||||
err := Serve(logger, listener, "http://"+ts.Listener.Addr().String(), shutdownC, nil)
|
err := Serve(logger, listener, shutdownC, options)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Error running server: %v", err)
|
t.Fatalf("Error running server: %v", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,19 +17,32 @@ import (
|
||||||
// useful for proxying other protocols (like ssh) over websockets
|
// useful for proxying other protocols (like ssh) over websockets
|
||||||
// (which you can put Access in front of)
|
// (which you can put Access in front of)
|
||||||
func ssh(c *cli.Context) error {
|
func ssh(c *cli.Context) error {
|
||||||
hostname, err := validation.ValidateHostname(c.String("hostname"))
|
// get the hostname from the cmdline and error out if its not provided
|
||||||
if err != nil || c.String("hostname") == "" {
|
rawHostName := c.String(sshHostnameFlag)
|
||||||
|
hostname, err := validation.ValidateHostname(rawHostName)
|
||||||
|
if err != nil || rawHostName == "" {
|
||||||
return cli.ShowCommandHelp(c, "ssh")
|
return cli.ShowCommandHelp(c, "ssh")
|
||||||
}
|
}
|
||||||
headers := buildRequestHeaders(c.StringSlice("header"))
|
originURL := "https://" + hostname
|
||||||
if c.IsSet("service-token-id") {
|
|
||||||
headers.Add("CF-Access-Client-Id", c.String("service-token-id"))
|
// get the headers from the cmdline and add them
|
||||||
|
headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
|
||||||
|
if c.IsSet(sshTokenIDFlag) {
|
||||||
|
headers.Add("CF-Access-Client-Id", c.String(sshTokenIDFlag))
|
||||||
}
|
}
|
||||||
if c.IsSet("service-token-secret") {
|
if c.IsSet(sshTokenSecretFlag) {
|
||||||
headers.Add("CF-Access-Client-Secret", c.String("service-token-secret"))
|
headers.Add("CF-Access-Client-Secret", c.String(sshTokenSecretFlag))
|
||||||
}
|
}
|
||||||
|
|
||||||
if c.NArg() > 0 || c.IsSet("url") {
|
genCertBool := c.Bool(sshGenCertFlag)
|
||||||
|
|
||||||
|
options := &carrier.StartOptions{
|
||||||
|
OriginURL: originURL,
|
||||||
|
Headers: headers,
|
||||||
|
ShouldGenCert: genCertBool,
|
||||||
|
}
|
||||||
|
|
||||||
|
if c.NArg() > 0 || c.IsSet(sshURLFlag) {
|
||||||
localForwarder, err := config.ValidateUrl(c)
|
localForwarder, err := config.ValidateUrl(c)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.WithError(err).Error("Error validating origin URL")
|
logger.WithError(err).Error("Error validating origin URL")
|
||||||
|
@ -40,10 +53,10 @@ func ssh(c *cli.Context) error {
|
||||||
logger.WithError(err).Error("Error validating origin URL")
|
logger.WithError(err).Error("Error validating origin URL")
|
||||||
return errors.Wrap(err, "error validating origin URL")
|
return errors.Wrap(err, "error validating origin URL")
|
||||||
}
|
}
|
||||||
return carrier.StartServer(logger, forwarder.Host, "https://"+hostname, shutdownC, headers)
|
return carrier.StartServer(logger, forwarder.Host, shutdownC, options)
|
||||||
}
|
}
|
||||||
|
|
||||||
return carrier.StartClient(logger, "https://"+hostname, &carrier.StdinoutStream{}, headers)
|
return carrier.StartClient(logger, &carrier.StdinoutStream{}, options)
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildRequestHeaders(values []string) http.Header {
|
func buildRequestHeaders(values []string) http.Header {
|
||||||
|
|
|
@ -16,6 +16,15 @@ import (
|
||||||
cli "gopkg.in/urfave/cli.v2"
|
cli "gopkg.in/urfave/cli.v2"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
sshHostnameFlag = "hostname"
|
||||||
|
sshURLFlag = "url"
|
||||||
|
sshHeaderFlag = "header"
|
||||||
|
sshTokenIDFlag = "service-token-id"
|
||||||
|
sshTokenSecretFlag = "service-token-secret"
|
||||||
|
sshGenCertFlag = "gen-cert"
|
||||||
|
)
|
||||||
|
|
||||||
const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
|
const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -93,27 +102,31 @@ func Commands() []*cli.Command {
|
||||||
Description: `The ssh subcommand sends data over a proxy to the Cloudflare edge.`,
|
Description: `The ssh subcommand sends data over a proxy to the Cloudflare edge.`,
|
||||||
Flags: []cli.Flag{
|
Flags: []cli.Flag{
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: "hostname",
|
Name: sshHostnameFlag,
|
||||||
Usage: "specifics the hostname of your application.",
|
Usage: "specify the hostname of your application.",
|
||||||
},
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: "url",
|
Name: sshURLFlag,
|
||||||
Usage: "specifics the host:port to forward data to Cloudflare edge.",
|
Usage: "specify the host:port to forward data to Cloudflare edge.",
|
||||||
},
|
},
|
||||||
&cli.StringSliceFlag{
|
&cli.StringSliceFlag{
|
||||||
Name: "header",
|
Name: sshHeaderFlag,
|
||||||
Aliases: []string{"H"},
|
Aliases: []string{"H"},
|
||||||
Usage: "specific additional headers you wish to send.",
|
Usage: "specify additional headers you wish to send.",
|
||||||
},
|
},
|
||||||
&cli.StringSliceFlag{
|
&cli.StringSliceFlag{
|
||||||
Name: "service-token-id",
|
Name: sshTokenIDFlag,
|
||||||
Aliases: []string{"id"},
|
Aliases: []string{"id"},
|
||||||
Usage: "specific an Access service token ID you wish to use.",
|
Usage: "specify an Access service token ID you wish to use.",
|
||||||
},
|
},
|
||||||
&cli.StringSliceFlag{
|
&cli.StringSliceFlag{
|
||||||
Name: "service-token-secret",
|
Name: sshTokenSecretFlag,
|
||||||
Aliases: []string{"secret"},
|
Aliases: []string{"secret"},
|
||||||
Usage: "specific an Access service token secret you wish to use.",
|
Usage: "specify an Access service token secret you wish to use.",
|
||||||
|
},
|
||||||
|
&cli.BoolFlag{
|
||||||
|
Name: sshGenCertFlag,
|
||||||
|
Usage: "specify if you wish to generate short lived certs.",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -0,0 +1,30 @@
|
||||||
|
package path
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/url"
|
||||||
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
||||||
|
"github.com/mitchellh/go-homedir"
|
||||||
|
)
|
||||||
|
|
||||||
|
// GenerateFilePathFromURL will return a filepath for given access application url
|
||||||
|
func GenerateFilePathFromURL(url *url.URL, suffix string) (string, error) {
|
||||||
|
configPath, err := homedir.Expand(config.DefaultConfigDirs[0])
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
ok, err := config.FileExists(configPath)
|
||||||
|
if !ok && err == nil {
|
||||||
|
// create config directory if doesn't already exist
|
||||||
|
err = os.Mkdir(configPath, 0700)
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
name := strings.Replace(fmt.Sprintf("%s%s-%s", url.Hostname(), url.EscapedPath(), suffix), "/", "-", -1)
|
||||||
|
return filepath.Join(configPath, name), nil
|
||||||
|
}
|
|
@ -1,20 +1,19 @@
|
||||||
package token
|
package token
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"net/url"
|
"net/url"
|
||||||
"os"
|
|
||||||
"path/filepath"
|
|
||||||
"strings"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/path"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/transfer"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/transfer"
|
||||||
"github.com/cloudflare/cloudflared/log"
|
"github.com/cloudflare/cloudflared/log"
|
||||||
"github.com/coreos/go-oidc/jose"
|
"github.com/coreos/go-oidc/jose"
|
||||||
"github.com/coreos/go-oidc/oidc"
|
"github.com/coreos/go-oidc/oidc"
|
||||||
homedir "github.com/mitchellh/go-homedir"
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
keyName = "token"
|
||||||
)
|
)
|
||||||
|
|
||||||
var logger = log.CreateLogger()
|
var logger = log.CreateLogger()
|
||||||
|
@ -25,7 +24,7 @@ func FetchToken(appURL *url.URL) (string, error) {
|
||||||
return token, nil
|
return token, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
path, err := generateFilePathForTokenURL(appURL)
|
path, err := path.GenerateFilePathFromURL(appURL, keyName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -33,8 +32,7 @@ func FetchToken(appURL *url.URL) (string, error) {
|
||||||
// this weird parameter is the resource name (token) and the key/value
|
// this weird parameter is the resource name (token) and the key/value
|
||||||
// we want to send to the transfer service. the key is token and the value
|
// we want to send to the transfer service. the key is token and the value
|
||||||
// is blank (basically just the id generated in the transfer service)
|
// is blank (basically just the id generated in the transfer service)
|
||||||
const resourceName, key, value = "token", "token", ""
|
token, err := transfer.Run(appURL, keyName, keyName, "", path, true)
|
||||||
token, err := transfer.Run(appURL, resourceName, key, value, path, true)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -44,7 +42,7 @@ func FetchToken(appURL *url.URL) (string, error) {
|
||||||
|
|
||||||
// GetTokenIfExists will return the token from local storage if it exists
|
// GetTokenIfExists will return the token from local storage if it exists
|
||||||
func GetTokenIfExists(url *url.URL) (string, error) {
|
func GetTokenIfExists(url *url.URL) (string, error) {
|
||||||
path, err := generateFilePathForTokenURL(url)
|
path, err := path.GenerateFilePathFromURL(url, keyName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -68,21 +66,3 @@ func GetTokenIfExists(url *url.URL) (string, error) {
|
||||||
}
|
}
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
// generateFilePathForTokenURL will return a filepath for given access application url
|
|
||||||
func generateFilePathForTokenURL(url *url.URL) (string, error) {
|
|
||||||
configPath, err := homedir.Expand(config.DefaultConfigDirs[0])
|
|
||||||
if err != nil {
|
|
||||||
return "", err
|
|
||||||
}
|
|
||||||
ok, err := config.FileExists(configPath)
|
|
||||||
if !ok && err == nil {
|
|
||||||
// create config directory if doesn't already exist
|
|
||||||
err = os.Mkdir(configPath, 0700)
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
return "", err
|
|
||||||
}
|
|
||||||
name := strings.Replace(fmt.Sprintf("%s%s-token", url.Hostname(), url.EscapedPath()), "/", "-", -1)
|
|
||||||
return filepath.Join(configPath, name), nil
|
|
||||||
}
|
|
||||||
|
|
|
@ -0,0 +1,163 @@
|
||||||
|
package sshgen
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/elliptic"
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/x509"
|
||||||
|
"encoding/json"
|
||||||
|
"encoding/pem"
|
||||||
|
"errors"
|
||||||
|
"io/ioutil"
|
||||||
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
||||||
|
cfpath "github.com/cloudflare/cloudflared/cmd/cloudflared/path"
|
||||||
|
"github.com/coreos/go-oidc/jose"
|
||||||
|
homedir "github.com/mitchellh/go-homedir"
|
||||||
|
gossh "golang.org/x/crypto/ssh"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
signEndpoint = "/cdn-cgi/access/cert_sign"
|
||||||
|
keyName = "cf_key"
|
||||||
|
)
|
||||||
|
|
||||||
|
// signPayload represents the request body sent to the sign handler API
|
||||||
|
type signPayload struct {
|
||||||
|
PublicKey string `json:"public_key"`
|
||||||
|
JWT string `json:"jwt"`
|
||||||
|
Issuer string `json:"issuer"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// signResponse represents the response body from the sign handler API
|
||||||
|
type signResponse struct {
|
||||||
|
KeyID string `json:"id"`
|
||||||
|
Certificate string `json:"certificate"`
|
||||||
|
ExpiresAt time.Time `json:"expires_at"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateShortLivedCertificate generates and stores a keypair for short lived certs
|
||||||
|
func GenerateShortLivedCertificate(appURL *url.URL, token string) error {
|
||||||
|
fullName, err := cfpath.GenerateFilePathFromURL(appURL, keyName)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
cert, err := handleCertificateGeneration(token, fullName)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
name := fullName + "-cert.pub"
|
||||||
|
if err := writeKey(name, []byte(cert)); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// handleCertificateGeneration takes a JWT and uses it build a signPayload
|
||||||
|
// to send to the Sign endpoint with the public key from the keypair it generated
|
||||||
|
func handleCertificateGeneration(token, fullName string) (string, error) {
|
||||||
|
if token == "" {
|
||||||
|
return "", errors.New("invalid token")
|
||||||
|
}
|
||||||
|
|
||||||
|
jwt, err := jose.ParseJWT(token)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
claims, err := jwt.Claims()
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
issuer, _, err := claims.StringClaim("iss")
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
pub, err := generateKeyPair(fullName)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
buf, err := json.Marshal(&signPayload{
|
||||||
|
PublicKey: string(pub),
|
||||||
|
JWT: token,
|
||||||
|
Issuer: issuer,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
res, err := http.Post(issuer+signEndpoint, "application/json", bytes.NewBuffer(buf))
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
defer res.Body.Close()
|
||||||
|
|
||||||
|
decoder := json.NewDecoder(res.Body)
|
||||||
|
var signRes signResponse
|
||||||
|
if err := decoder.Decode(&signRes); err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return signRes.Certificate, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// generateKeyPair creates a EC keypair (P256) and stores them in the homedir.
|
||||||
|
// returns the generated public key from the successful keypair generation
|
||||||
|
func generateKeyPair(fullName string) ([]byte, error) {
|
||||||
|
pubKeyName := fullName + ".pub"
|
||||||
|
|
||||||
|
exist, err := config.FileExists(pubKeyName)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if exist {
|
||||||
|
return ioutil.ReadFile(pubKeyName)
|
||||||
|
}
|
||||||
|
|
||||||
|
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
parsed, err := x509.MarshalECPrivateKey(key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := writeKey(fullName, pem.EncodeToMemory(&pem.Block{
|
||||||
|
Type: "EC PRIVATE KEY",
|
||||||
|
Bytes: parsed,
|
||||||
|
})); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
pub, err := gossh.NewPublicKey(&key.PublicKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
data := gossh.MarshalAuthorizedKey(pub)
|
||||||
|
|
||||||
|
if err := writeKey(pubKeyName, data); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return data, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// writeKey will write a key to disk in DER format (it's a standard pem key)
|
||||||
|
func writeKey(filename string, data []byte) error {
|
||||||
|
filepath, err := homedir.Expand(filename)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return ioutil.WriteFile(filepath, data, 0600)
|
||||||
|
}
|
|
@ -0,0 +1,308 @@
|
||||||
|
// Copyright 2018 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build go1.11
|
||||||
|
// +build !gccgo,!appengine
|
||||||
|
|
||||||
|
#include "textflag.h"
|
||||||
|
|
||||||
|
#define NUM_ROUNDS 10
|
||||||
|
|
||||||
|
// func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32)
|
||||||
|
TEXT ·xorKeyStreamVX(SB), NOSPLIT, $0
|
||||||
|
MOVD dst+0(FP), R1
|
||||||
|
MOVD src+24(FP), R2
|
||||||
|
MOVD src_len+32(FP), R3
|
||||||
|
MOVD key+48(FP), R4
|
||||||
|
MOVD nonce+56(FP), R6
|
||||||
|
MOVD counter+64(FP), R7
|
||||||
|
|
||||||
|
MOVD $·constants(SB), R10
|
||||||
|
MOVD $·incRotMatrix(SB), R11
|
||||||
|
|
||||||
|
MOVW (R7), R20
|
||||||
|
|
||||||
|
AND $~255, R3, R13
|
||||||
|
ADD R2, R13, R12 // R12 for block end
|
||||||
|
AND $255, R3, R13
|
||||||
|
loop:
|
||||||
|
MOVD $NUM_ROUNDS, R21
|
||||||
|
VLD1 (R11), [V30.S4, V31.S4]
|
||||||
|
|
||||||
|
// load contants
|
||||||
|
// VLD4R (R10), [V0.S4, V1.S4, V2.S4, V3.S4]
|
||||||
|
WORD $0x4D60E940
|
||||||
|
|
||||||
|
// load keys
|
||||||
|
// VLD4R 16(R4), [V4.S4, V5.S4, V6.S4, V7.S4]
|
||||||
|
WORD $0x4DFFE884
|
||||||
|
// VLD4R 16(R4), [V8.S4, V9.S4, V10.S4, V11.S4]
|
||||||
|
WORD $0x4DFFE888
|
||||||
|
SUB $32, R4
|
||||||
|
|
||||||
|
// load counter + nonce
|
||||||
|
// VLD1R (R7), [V12.S4]
|
||||||
|
WORD $0x4D40C8EC
|
||||||
|
|
||||||
|
// VLD3R (R6), [V13.S4, V14.S4, V15.S4]
|
||||||
|
WORD $0x4D40E8CD
|
||||||
|
|
||||||
|
// update counter
|
||||||
|
VADD V30.S4, V12.S4, V12.S4
|
||||||
|
|
||||||
|
chacha:
|
||||||
|
// V0..V3 += V4..V7
|
||||||
|
// V12..V15 <<<= ((V12..V15 XOR V0..V3), 16)
|
||||||
|
VADD V0.S4, V4.S4, V0.S4
|
||||||
|
VADD V1.S4, V5.S4, V1.S4
|
||||||
|
VADD V2.S4, V6.S4, V2.S4
|
||||||
|
VADD V3.S4, V7.S4, V3.S4
|
||||||
|
VEOR V12.B16, V0.B16, V12.B16
|
||||||
|
VEOR V13.B16, V1.B16, V13.B16
|
||||||
|
VEOR V14.B16, V2.B16, V14.B16
|
||||||
|
VEOR V15.B16, V3.B16, V15.B16
|
||||||
|
VREV32 V12.H8, V12.H8
|
||||||
|
VREV32 V13.H8, V13.H8
|
||||||
|
VREV32 V14.H8, V14.H8
|
||||||
|
VREV32 V15.H8, V15.H8
|
||||||
|
// V8..V11 += V12..V15
|
||||||
|
// V4..V7 <<<= ((V4..V7 XOR V8..V11), 12)
|
||||||
|
VADD V8.S4, V12.S4, V8.S4
|
||||||
|
VADD V9.S4, V13.S4, V9.S4
|
||||||
|
VADD V10.S4, V14.S4, V10.S4
|
||||||
|
VADD V11.S4, V15.S4, V11.S4
|
||||||
|
VEOR V8.B16, V4.B16, V16.B16
|
||||||
|
VEOR V9.B16, V5.B16, V17.B16
|
||||||
|
VEOR V10.B16, V6.B16, V18.B16
|
||||||
|
VEOR V11.B16, V7.B16, V19.B16
|
||||||
|
VSHL $12, V16.S4, V4.S4
|
||||||
|
VSHL $12, V17.S4, V5.S4
|
||||||
|
VSHL $12, V18.S4, V6.S4
|
||||||
|
VSHL $12, V19.S4, V7.S4
|
||||||
|
VSRI $20, V16.S4, V4.S4
|
||||||
|
VSRI $20, V17.S4, V5.S4
|
||||||
|
VSRI $20, V18.S4, V6.S4
|
||||||
|
VSRI $20, V19.S4, V7.S4
|
||||||
|
|
||||||
|
// V0..V3 += V4..V7
|
||||||
|
// V12..V15 <<<= ((V12..V15 XOR V0..V3), 8)
|
||||||
|
VADD V0.S4, V4.S4, V0.S4
|
||||||
|
VADD V1.S4, V5.S4, V1.S4
|
||||||
|
VADD V2.S4, V6.S4, V2.S4
|
||||||
|
VADD V3.S4, V7.S4, V3.S4
|
||||||
|
VEOR V12.B16, V0.B16, V12.B16
|
||||||
|
VEOR V13.B16, V1.B16, V13.B16
|
||||||
|
VEOR V14.B16, V2.B16, V14.B16
|
||||||
|
VEOR V15.B16, V3.B16, V15.B16
|
||||||
|
VTBL V31.B16, [V12.B16], V12.B16
|
||||||
|
VTBL V31.B16, [V13.B16], V13.B16
|
||||||
|
VTBL V31.B16, [V14.B16], V14.B16
|
||||||
|
VTBL V31.B16, [V15.B16], V15.B16
|
||||||
|
|
||||||
|
// V8..V11 += V12..V15
|
||||||
|
// V4..V7 <<<= ((V4..V7 XOR V8..V11), 7)
|
||||||
|
VADD V12.S4, V8.S4, V8.S4
|
||||||
|
VADD V13.S4, V9.S4, V9.S4
|
||||||
|
VADD V14.S4, V10.S4, V10.S4
|
||||||
|
VADD V15.S4, V11.S4, V11.S4
|
||||||
|
VEOR V8.B16, V4.B16, V16.B16
|
||||||
|
VEOR V9.B16, V5.B16, V17.B16
|
||||||
|
VEOR V10.B16, V6.B16, V18.B16
|
||||||
|
VEOR V11.B16, V7.B16, V19.B16
|
||||||
|
VSHL $7, V16.S4, V4.S4
|
||||||
|
VSHL $7, V17.S4, V5.S4
|
||||||
|
VSHL $7, V18.S4, V6.S4
|
||||||
|
VSHL $7, V19.S4, V7.S4
|
||||||
|
VSRI $25, V16.S4, V4.S4
|
||||||
|
VSRI $25, V17.S4, V5.S4
|
||||||
|
VSRI $25, V18.S4, V6.S4
|
||||||
|
VSRI $25, V19.S4, V7.S4
|
||||||
|
|
||||||
|
// V0..V3 += V5..V7, V4
|
||||||
|
// V15,V12-V14 <<<= ((V15,V12-V14 XOR V0..V3), 16)
|
||||||
|
VADD V0.S4, V5.S4, V0.S4
|
||||||
|
VADD V1.S4, V6.S4, V1.S4
|
||||||
|
VADD V2.S4, V7.S4, V2.S4
|
||||||
|
VADD V3.S4, V4.S4, V3.S4
|
||||||
|
VEOR V15.B16, V0.B16, V15.B16
|
||||||
|
VEOR V12.B16, V1.B16, V12.B16
|
||||||
|
VEOR V13.B16, V2.B16, V13.B16
|
||||||
|
VEOR V14.B16, V3.B16, V14.B16
|
||||||
|
VREV32 V12.H8, V12.H8
|
||||||
|
VREV32 V13.H8, V13.H8
|
||||||
|
VREV32 V14.H8, V14.H8
|
||||||
|
VREV32 V15.H8, V15.H8
|
||||||
|
|
||||||
|
// V10 += V15; V5 <<<= ((V10 XOR V5), 12)
|
||||||
|
// ...
|
||||||
|
VADD V15.S4, V10.S4, V10.S4
|
||||||
|
VADD V12.S4, V11.S4, V11.S4
|
||||||
|
VADD V13.S4, V8.S4, V8.S4
|
||||||
|
VADD V14.S4, V9.S4, V9.S4
|
||||||
|
VEOR V10.B16, V5.B16, V16.B16
|
||||||
|
VEOR V11.B16, V6.B16, V17.B16
|
||||||
|
VEOR V8.B16, V7.B16, V18.B16
|
||||||
|
VEOR V9.B16, V4.B16, V19.B16
|
||||||
|
VSHL $12, V16.S4, V5.S4
|
||||||
|
VSHL $12, V17.S4, V6.S4
|
||||||
|
VSHL $12, V18.S4, V7.S4
|
||||||
|
VSHL $12, V19.S4, V4.S4
|
||||||
|
VSRI $20, V16.S4, V5.S4
|
||||||
|
VSRI $20, V17.S4, V6.S4
|
||||||
|
VSRI $20, V18.S4, V7.S4
|
||||||
|
VSRI $20, V19.S4, V4.S4
|
||||||
|
|
||||||
|
// V0 += V5; V15 <<<= ((V0 XOR V15), 8)
|
||||||
|
// ...
|
||||||
|
VADD V5.S4, V0.S4, V0.S4
|
||||||
|
VADD V6.S4, V1.S4, V1.S4
|
||||||
|
VADD V7.S4, V2.S4, V2.S4
|
||||||
|
VADD V4.S4, V3.S4, V3.S4
|
||||||
|
VEOR V0.B16, V15.B16, V15.B16
|
||||||
|
VEOR V1.B16, V12.B16, V12.B16
|
||||||
|
VEOR V2.B16, V13.B16, V13.B16
|
||||||
|
VEOR V3.B16, V14.B16, V14.B16
|
||||||
|
VTBL V31.B16, [V12.B16], V12.B16
|
||||||
|
VTBL V31.B16, [V13.B16], V13.B16
|
||||||
|
VTBL V31.B16, [V14.B16], V14.B16
|
||||||
|
VTBL V31.B16, [V15.B16], V15.B16
|
||||||
|
|
||||||
|
// V10 += V15; V5 <<<= ((V10 XOR V5), 7)
|
||||||
|
// ...
|
||||||
|
VADD V15.S4, V10.S4, V10.S4
|
||||||
|
VADD V12.S4, V11.S4, V11.S4
|
||||||
|
VADD V13.S4, V8.S4, V8.S4
|
||||||
|
VADD V14.S4, V9.S4, V9.S4
|
||||||
|
VEOR V10.B16, V5.B16, V16.B16
|
||||||
|
VEOR V11.B16, V6.B16, V17.B16
|
||||||
|
VEOR V8.B16, V7.B16, V18.B16
|
||||||
|
VEOR V9.B16, V4.B16, V19.B16
|
||||||
|
VSHL $7, V16.S4, V5.S4
|
||||||
|
VSHL $7, V17.S4, V6.S4
|
||||||
|
VSHL $7, V18.S4, V7.S4
|
||||||
|
VSHL $7, V19.S4, V4.S4
|
||||||
|
VSRI $25, V16.S4, V5.S4
|
||||||
|
VSRI $25, V17.S4, V6.S4
|
||||||
|
VSRI $25, V18.S4, V7.S4
|
||||||
|
VSRI $25, V19.S4, V4.S4
|
||||||
|
|
||||||
|
SUB $1, R21
|
||||||
|
CBNZ R21, chacha
|
||||||
|
|
||||||
|
// VLD4R (R10), [V16.S4, V17.S4, V18.S4, V19.S4]
|
||||||
|
WORD $0x4D60E950
|
||||||
|
|
||||||
|
// VLD4R 16(R4), [V20.S4, V21.S4, V22.S4, V23.S4]
|
||||||
|
WORD $0x4DFFE894
|
||||||
|
VADD V30.S4, V12.S4, V12.S4
|
||||||
|
VADD V16.S4, V0.S4, V0.S4
|
||||||
|
VADD V17.S4, V1.S4, V1.S4
|
||||||
|
VADD V18.S4, V2.S4, V2.S4
|
||||||
|
VADD V19.S4, V3.S4, V3.S4
|
||||||
|
// VLD4R 16(R4), [V24.S4, V25.S4, V26.S4, V27.S4]
|
||||||
|
WORD $0x4DFFE898
|
||||||
|
// restore R4
|
||||||
|
SUB $32, R4
|
||||||
|
|
||||||
|
// load counter + nonce
|
||||||
|
// VLD1R (R7), [V28.S4]
|
||||||
|
WORD $0x4D40C8FC
|
||||||
|
// VLD3R (R6), [V29.S4, V30.S4, V31.S4]
|
||||||
|
WORD $0x4D40E8DD
|
||||||
|
|
||||||
|
VADD V20.S4, V4.S4, V4.S4
|
||||||
|
VADD V21.S4, V5.S4, V5.S4
|
||||||
|
VADD V22.S4, V6.S4, V6.S4
|
||||||
|
VADD V23.S4, V7.S4, V7.S4
|
||||||
|
VADD V24.S4, V8.S4, V8.S4
|
||||||
|
VADD V25.S4, V9.S4, V9.S4
|
||||||
|
VADD V26.S4, V10.S4, V10.S4
|
||||||
|
VADD V27.S4, V11.S4, V11.S4
|
||||||
|
VADD V28.S4, V12.S4, V12.S4
|
||||||
|
VADD V29.S4, V13.S4, V13.S4
|
||||||
|
VADD V30.S4, V14.S4, V14.S4
|
||||||
|
VADD V31.S4, V15.S4, V15.S4
|
||||||
|
|
||||||
|
VZIP1 V1.S4, V0.S4, V16.S4
|
||||||
|
VZIP2 V1.S4, V0.S4, V17.S4
|
||||||
|
VZIP1 V3.S4, V2.S4, V18.S4
|
||||||
|
VZIP2 V3.S4, V2.S4, V19.S4
|
||||||
|
VZIP1 V5.S4, V4.S4, V20.S4
|
||||||
|
VZIP2 V5.S4, V4.S4, V21.S4
|
||||||
|
VZIP1 V7.S4, V6.S4, V22.S4
|
||||||
|
VZIP2 V7.S4, V6.S4, V23.S4
|
||||||
|
VZIP1 V9.S4, V8.S4, V24.S4
|
||||||
|
VZIP2 V9.S4, V8.S4, V25.S4
|
||||||
|
VZIP1 V11.S4, V10.S4, V26.S4
|
||||||
|
VZIP2 V11.S4, V10.S4, V27.S4
|
||||||
|
VZIP1 V13.S4, V12.S4, V28.S4
|
||||||
|
VZIP2 V13.S4, V12.S4, V29.S4
|
||||||
|
VZIP1 V15.S4, V14.S4, V30.S4
|
||||||
|
VZIP2 V15.S4, V14.S4, V31.S4
|
||||||
|
VZIP1 V18.D2, V16.D2, V0.D2
|
||||||
|
VZIP2 V18.D2, V16.D2, V4.D2
|
||||||
|
VZIP1 V19.D2, V17.D2, V8.D2
|
||||||
|
VZIP2 V19.D2, V17.D2, V12.D2
|
||||||
|
VLD1.P 64(R2), [V16.B16, V17.B16, V18.B16, V19.B16]
|
||||||
|
|
||||||
|
VZIP1 V22.D2, V20.D2, V1.D2
|
||||||
|
VZIP2 V22.D2, V20.D2, V5.D2
|
||||||
|
VZIP1 V23.D2, V21.D2, V9.D2
|
||||||
|
VZIP2 V23.D2, V21.D2, V13.D2
|
||||||
|
VLD1.P 64(R2), [V20.B16, V21.B16, V22.B16, V23.B16]
|
||||||
|
VZIP1 V26.D2, V24.D2, V2.D2
|
||||||
|
VZIP2 V26.D2, V24.D2, V6.D2
|
||||||
|
VZIP1 V27.D2, V25.D2, V10.D2
|
||||||
|
VZIP2 V27.D2, V25.D2, V14.D2
|
||||||
|
VLD1.P 64(R2), [V24.B16, V25.B16, V26.B16, V27.B16]
|
||||||
|
VZIP1 V30.D2, V28.D2, V3.D2
|
||||||
|
VZIP2 V30.D2, V28.D2, V7.D2
|
||||||
|
VZIP1 V31.D2, V29.D2, V11.D2
|
||||||
|
VZIP2 V31.D2, V29.D2, V15.D2
|
||||||
|
VLD1.P 64(R2), [V28.B16, V29.B16, V30.B16, V31.B16]
|
||||||
|
VEOR V0.B16, V16.B16, V16.B16
|
||||||
|
VEOR V1.B16, V17.B16, V17.B16
|
||||||
|
VEOR V2.B16, V18.B16, V18.B16
|
||||||
|
VEOR V3.B16, V19.B16, V19.B16
|
||||||
|
VST1.P [V16.B16, V17.B16, V18.B16, V19.B16], 64(R1)
|
||||||
|
VEOR V4.B16, V20.B16, V20.B16
|
||||||
|
VEOR V5.B16, V21.B16, V21.B16
|
||||||
|
VEOR V6.B16, V22.B16, V22.B16
|
||||||
|
VEOR V7.B16, V23.B16, V23.B16
|
||||||
|
VST1.P [V20.B16, V21.B16, V22.B16, V23.B16], 64(R1)
|
||||||
|
VEOR V8.B16, V24.B16, V24.B16
|
||||||
|
VEOR V9.B16, V25.B16, V25.B16
|
||||||
|
VEOR V10.B16, V26.B16, V26.B16
|
||||||
|
VEOR V11.B16, V27.B16, V27.B16
|
||||||
|
VST1.P [V24.B16, V25.B16, V26.B16, V27.B16], 64(R1)
|
||||||
|
VEOR V12.B16, V28.B16, V28.B16
|
||||||
|
VEOR V13.B16, V29.B16, V29.B16
|
||||||
|
VEOR V14.B16, V30.B16, V30.B16
|
||||||
|
VEOR V15.B16, V31.B16, V31.B16
|
||||||
|
VST1.P [V28.B16, V29.B16, V30.B16, V31.B16], 64(R1)
|
||||||
|
|
||||||
|
ADD $4, R20
|
||||||
|
MOVW R20, (R7) // update counter
|
||||||
|
|
||||||
|
CMP R2, R12
|
||||||
|
BGT loop
|
||||||
|
|
||||||
|
RET
|
||||||
|
|
||||||
|
|
||||||
|
DATA ·constants+0x00(SB)/4, $0x61707865
|
||||||
|
DATA ·constants+0x04(SB)/4, $0x3320646e
|
||||||
|
DATA ·constants+0x08(SB)/4, $0x79622d32
|
||||||
|
DATA ·constants+0x0c(SB)/4, $0x6b206574
|
||||||
|
GLOBL ·constants(SB), NOPTR|RODATA, $32
|
||||||
|
|
||||||
|
DATA ·incRotMatrix+0x00(SB)/4, $0x00000000
|
||||||
|
DATA ·incRotMatrix+0x04(SB)/4, $0x00000001
|
||||||
|
DATA ·incRotMatrix+0x08(SB)/4, $0x00000002
|
||||||
|
DATA ·incRotMatrix+0x0c(SB)/4, $0x00000003
|
||||||
|
DATA ·incRotMatrix+0x10(SB)/4, $0x02010003
|
||||||
|
DATA ·incRotMatrix+0x14(SB)/4, $0x06050407
|
||||||
|
DATA ·incRotMatrix+0x18(SB)/4, $0x0A09080B
|
||||||
|
DATA ·incRotMatrix+0x1c(SB)/4, $0x0E0D0C0F
|
||||||
|
GLOBL ·incRotMatrix(SB), NOPTR|RODATA, $32
|
|
@ -0,0 +1,31 @@
|
||||||
|
// Copyright 2018 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build go1.11
|
||||||
|
// +build !gccgo
|
||||||
|
|
||||||
|
package chacha20
|
||||||
|
|
||||||
|
const (
|
||||||
|
haveAsm = true
|
||||||
|
bufSize = 256
|
||||||
|
)
|
||||||
|
|
||||||
|
//go:noescape
|
||||||
|
func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32)
|
||||||
|
|
||||||
|
func (c *Cipher) xorKeyStreamAsm(dst, src []byte) {
|
||||||
|
|
||||||
|
if len(src) >= bufSize {
|
||||||
|
xorKeyStreamVX(dst, src, &c.key, &c.nonce, &c.counter)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(src)%bufSize != 0 {
|
||||||
|
i := len(src) - len(src)%bufSize
|
||||||
|
c.buf = [bufSize]byte{}
|
||||||
|
copy(c.buf[:], src[i:])
|
||||||
|
xorKeyStreamVX(c.buf[:], c.buf[:], &c.key, &c.nonce, &c.counter)
|
||||||
|
c.len = bufSize - copy(dst[i:], c.buf[:len(src)%bufSize])
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,264 @@
|
||||||
|
// Copyright 2016 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package ChaCha20 implements the core ChaCha20 function as specified
|
||||||
|
// in https://tools.ietf.org/html/rfc7539#section-2.3.
|
||||||
|
package chacha20
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/cipher"
|
||||||
|
"encoding/binary"
|
||||||
|
|
||||||
|
"golang.org/x/crypto/internal/subtle"
|
||||||
|
)
|
||||||
|
|
||||||
|
// assert that *Cipher implements cipher.Stream
|
||||||
|
var _ cipher.Stream = (*Cipher)(nil)
|
||||||
|
|
||||||
|
// Cipher is a stateful instance of ChaCha20 using a particular key
|
||||||
|
// and nonce. A *Cipher implements the cipher.Stream interface.
|
||||||
|
type Cipher struct {
|
||||||
|
key [8]uint32
|
||||||
|
counter uint32 // incremented after each block
|
||||||
|
nonce [3]uint32
|
||||||
|
buf [bufSize]byte // buffer for unused keystream bytes
|
||||||
|
len int // number of unused keystream bytes at end of buf
|
||||||
|
}
|
||||||
|
|
||||||
|
// New creates a new ChaCha20 stream cipher with the given key and nonce.
|
||||||
|
// The initial counter value is set to 0.
|
||||||
|
func New(key [8]uint32, nonce [3]uint32) *Cipher {
|
||||||
|
return &Cipher{key: key, nonce: nonce}
|
||||||
|
}
|
||||||
|
|
||||||
|
// ChaCha20 constants spelling "expand 32-byte k"
|
||||||
|
const (
|
||||||
|
j0 uint32 = 0x61707865
|
||||||
|
j1 uint32 = 0x3320646e
|
||||||
|
j2 uint32 = 0x79622d32
|
||||||
|
j3 uint32 = 0x6b206574
|
||||||
|
)
|
||||||
|
|
||||||
|
func quarterRound(a, b, c, d uint32) (uint32, uint32, uint32, uint32) {
|
||||||
|
a += b
|
||||||
|
d ^= a
|
||||||
|
d = (d << 16) | (d >> 16)
|
||||||
|
c += d
|
||||||
|
b ^= c
|
||||||
|
b = (b << 12) | (b >> 20)
|
||||||
|
a += b
|
||||||
|
d ^= a
|
||||||
|
d = (d << 8) | (d >> 24)
|
||||||
|
c += d
|
||||||
|
b ^= c
|
||||||
|
b = (b << 7) | (b >> 25)
|
||||||
|
return a, b, c, d
|
||||||
|
}
|
||||||
|
|
||||||
|
// XORKeyStream XORs each byte in the given slice with a byte from the
|
||||||
|
// cipher's key stream. Dst and src must overlap entirely or not at all.
|
||||||
|
//
|
||||||
|
// If len(dst) < len(src), XORKeyStream will panic. It is acceptable
|
||||||
|
// to pass a dst bigger than src, and in that case, XORKeyStream will
|
||||||
|
// only update dst[:len(src)] and will not touch the rest of dst.
|
||||||
|
//
|
||||||
|
// Multiple calls to XORKeyStream behave as if the concatenation of
|
||||||
|
// the src buffers was passed in a single run. That is, Cipher
|
||||||
|
// maintains state and does not reset at each XORKeyStream call.
|
||||||
|
func (s *Cipher) XORKeyStream(dst, src []byte) {
|
||||||
|
if len(dst) < len(src) {
|
||||||
|
panic("chacha20: output smaller than input")
|
||||||
|
}
|
||||||
|
if subtle.InexactOverlap(dst[:len(src)], src) {
|
||||||
|
panic("chacha20: invalid buffer overlap")
|
||||||
|
}
|
||||||
|
|
||||||
|
// xor src with buffered keystream first
|
||||||
|
if s.len != 0 {
|
||||||
|
buf := s.buf[len(s.buf)-s.len:]
|
||||||
|
if len(src) < len(buf) {
|
||||||
|
buf = buf[:len(src)]
|
||||||
|
}
|
||||||
|
td, ts := dst[:len(buf)], src[:len(buf)] // BCE hint
|
||||||
|
for i, b := range buf {
|
||||||
|
td[i] = ts[i] ^ b
|
||||||
|
}
|
||||||
|
s.len -= len(buf)
|
||||||
|
if s.len != 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
s.buf = [len(s.buf)]byte{} // zero the empty buffer
|
||||||
|
src = src[len(buf):]
|
||||||
|
dst = dst[len(buf):]
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(src) == 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if haveAsm {
|
||||||
|
if uint64(len(src))+uint64(s.counter)*64 > (1<<38)-64 {
|
||||||
|
panic("chacha20: counter overflow")
|
||||||
|
}
|
||||||
|
s.xorKeyStreamAsm(dst, src)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// set up a 64-byte buffer to pad out the final block if needed
|
||||||
|
// (hoisted out of the main loop to avoid spills)
|
||||||
|
rem := len(src) % 64 // length of final block
|
||||||
|
fin := len(src) - rem // index of final block
|
||||||
|
if rem > 0 {
|
||||||
|
copy(s.buf[len(s.buf)-64:], src[fin:])
|
||||||
|
}
|
||||||
|
|
||||||
|
// pre-calculate most of the first round
|
||||||
|
s1, s5, s9, s13 := quarterRound(j1, s.key[1], s.key[5], s.nonce[0])
|
||||||
|
s2, s6, s10, s14 := quarterRound(j2, s.key[2], s.key[6], s.nonce[1])
|
||||||
|
s3, s7, s11, s15 := quarterRound(j3, s.key[3], s.key[7], s.nonce[2])
|
||||||
|
|
||||||
|
n := len(src)
|
||||||
|
src, dst = src[:n:n], dst[:n:n] // BCE hint
|
||||||
|
for i := 0; i < n; i += 64 {
|
||||||
|
// calculate the remainder of the first round
|
||||||
|
s0, s4, s8, s12 := quarterRound(j0, s.key[0], s.key[4], s.counter)
|
||||||
|
|
||||||
|
// execute the second round
|
||||||
|
x0, x5, x10, x15 := quarterRound(s0, s5, s10, s15)
|
||||||
|
x1, x6, x11, x12 := quarterRound(s1, s6, s11, s12)
|
||||||
|
x2, x7, x8, x13 := quarterRound(s2, s7, s8, s13)
|
||||||
|
x3, x4, x9, x14 := quarterRound(s3, s4, s9, s14)
|
||||||
|
|
||||||
|
// execute the remaining 18 rounds
|
||||||
|
for i := 0; i < 9; i++ {
|
||||||
|
x0, x4, x8, x12 = quarterRound(x0, x4, x8, x12)
|
||||||
|
x1, x5, x9, x13 = quarterRound(x1, x5, x9, x13)
|
||||||
|
x2, x6, x10, x14 = quarterRound(x2, x6, x10, x14)
|
||||||
|
x3, x7, x11, x15 = quarterRound(x3, x7, x11, x15)
|
||||||
|
|
||||||
|
x0, x5, x10, x15 = quarterRound(x0, x5, x10, x15)
|
||||||
|
x1, x6, x11, x12 = quarterRound(x1, x6, x11, x12)
|
||||||
|
x2, x7, x8, x13 = quarterRound(x2, x7, x8, x13)
|
||||||
|
x3, x4, x9, x14 = quarterRound(x3, x4, x9, x14)
|
||||||
|
}
|
||||||
|
|
||||||
|
x0 += j0
|
||||||
|
x1 += j1
|
||||||
|
x2 += j2
|
||||||
|
x3 += j3
|
||||||
|
|
||||||
|
x4 += s.key[0]
|
||||||
|
x5 += s.key[1]
|
||||||
|
x6 += s.key[2]
|
||||||
|
x7 += s.key[3]
|
||||||
|
x8 += s.key[4]
|
||||||
|
x9 += s.key[5]
|
||||||
|
x10 += s.key[6]
|
||||||
|
x11 += s.key[7]
|
||||||
|
|
||||||
|
x12 += s.counter
|
||||||
|
x13 += s.nonce[0]
|
||||||
|
x14 += s.nonce[1]
|
||||||
|
x15 += s.nonce[2]
|
||||||
|
|
||||||
|
// increment the counter
|
||||||
|
s.counter += 1
|
||||||
|
if s.counter == 0 {
|
||||||
|
panic("chacha20: counter overflow")
|
||||||
|
}
|
||||||
|
|
||||||
|
// pad to 64 bytes if needed
|
||||||
|
in, out := src[i:], dst[i:]
|
||||||
|
if i == fin {
|
||||||
|
// src[fin:] has already been copied into s.buf before
|
||||||
|
// the main loop
|
||||||
|
in, out = s.buf[len(s.buf)-64:], s.buf[len(s.buf)-64:]
|
||||||
|
}
|
||||||
|
in, out = in[:64], out[:64] // BCE hint
|
||||||
|
|
||||||
|
// XOR the key stream with the source and write out the result
|
||||||
|
xor(out[0:], in[0:], x0)
|
||||||
|
xor(out[4:], in[4:], x1)
|
||||||
|
xor(out[8:], in[8:], x2)
|
||||||
|
xor(out[12:], in[12:], x3)
|
||||||
|
xor(out[16:], in[16:], x4)
|
||||||
|
xor(out[20:], in[20:], x5)
|
||||||
|
xor(out[24:], in[24:], x6)
|
||||||
|
xor(out[28:], in[28:], x7)
|
||||||
|
xor(out[32:], in[32:], x8)
|
||||||
|
xor(out[36:], in[36:], x9)
|
||||||
|
xor(out[40:], in[40:], x10)
|
||||||
|
xor(out[44:], in[44:], x11)
|
||||||
|
xor(out[48:], in[48:], x12)
|
||||||
|
xor(out[52:], in[52:], x13)
|
||||||
|
xor(out[56:], in[56:], x14)
|
||||||
|
xor(out[60:], in[60:], x15)
|
||||||
|
}
|
||||||
|
// copy any trailing bytes out of the buffer and into dst
|
||||||
|
if rem != 0 {
|
||||||
|
s.len = 64 - rem
|
||||||
|
copy(dst[fin:], s.buf[len(s.buf)-64:])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Advance discards bytes in the key stream until the next 64 byte block
|
||||||
|
// boundary is reached and updates the counter accordingly. If the key
|
||||||
|
// stream is already at a block boundary no bytes will be discarded and
|
||||||
|
// the counter will be unchanged.
|
||||||
|
func (s *Cipher) Advance() {
|
||||||
|
s.len -= s.len % 64
|
||||||
|
if s.len == 0 {
|
||||||
|
s.buf = [len(s.buf)]byte{}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// XORKeyStream crypts bytes from in to out using the given key and counters.
|
||||||
|
// In and out must overlap entirely or not at all. Counter contains the raw
|
||||||
|
// ChaCha20 counter bytes (i.e. block counter followed by nonce).
|
||||||
|
func XORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) {
|
||||||
|
s := Cipher{
|
||||||
|
key: [8]uint32{
|
||||||
|
binary.LittleEndian.Uint32(key[0:4]),
|
||||||
|
binary.LittleEndian.Uint32(key[4:8]),
|
||||||
|
binary.LittleEndian.Uint32(key[8:12]),
|
||||||
|
binary.LittleEndian.Uint32(key[12:16]),
|
||||||
|
binary.LittleEndian.Uint32(key[16:20]),
|
||||||
|
binary.LittleEndian.Uint32(key[20:24]),
|
||||||
|
binary.LittleEndian.Uint32(key[24:28]),
|
||||||
|
binary.LittleEndian.Uint32(key[28:32]),
|
||||||
|
},
|
||||||
|
nonce: [3]uint32{
|
||||||
|
binary.LittleEndian.Uint32(counter[4:8]),
|
||||||
|
binary.LittleEndian.Uint32(counter[8:12]),
|
||||||
|
binary.LittleEndian.Uint32(counter[12:16]),
|
||||||
|
},
|
||||||
|
counter: binary.LittleEndian.Uint32(counter[0:4]),
|
||||||
|
}
|
||||||
|
s.XORKeyStream(out, in)
|
||||||
|
}
|
||||||
|
|
||||||
|
// HChaCha20 uses the ChaCha20 core to generate a derived key from a key and a
|
||||||
|
// nonce. It should only be used as part of the XChaCha20 construction.
|
||||||
|
func HChaCha20(key *[8]uint32, nonce *[4]uint32) [8]uint32 {
|
||||||
|
x0, x1, x2, x3 := j0, j1, j2, j3
|
||||||
|
x4, x5, x6, x7 := key[0], key[1], key[2], key[3]
|
||||||
|
x8, x9, x10, x11 := key[4], key[5], key[6], key[7]
|
||||||
|
x12, x13, x14, x15 := nonce[0], nonce[1], nonce[2], nonce[3]
|
||||||
|
|
||||||
|
for i := 0; i < 10; i++ {
|
||||||
|
x0, x4, x8, x12 = quarterRound(x0, x4, x8, x12)
|
||||||
|
x1, x5, x9, x13 = quarterRound(x1, x5, x9, x13)
|
||||||
|
x2, x6, x10, x14 = quarterRound(x2, x6, x10, x14)
|
||||||
|
x3, x7, x11, x15 = quarterRound(x3, x7, x11, x15)
|
||||||
|
|
||||||
|
x0, x5, x10, x15 = quarterRound(x0, x5, x10, x15)
|
||||||
|
x1, x6, x11, x12 = quarterRound(x1, x6, x11, x12)
|
||||||
|
x2, x7, x8, x13 = quarterRound(x2, x7, x8, x13)
|
||||||
|
x3, x4, x9, x14 = quarterRound(x3, x4, x9, x14)
|
||||||
|
}
|
||||||
|
|
||||||
|
var out [8]uint32
|
||||||
|
out[0], out[1], out[2], out[3] = x0, x1, x2, x3
|
||||||
|
out[4], out[5], out[6], out[7] = x12, x13, x14, x15
|
||||||
|
return out
|
||||||
|
}
|
|
@ -0,0 +1,16 @@
|
||||||
|
// Copyright 2018 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build !arm64,!s390x arm64,!go1.11 gccgo appengine
|
||||||
|
|
||||||
|
package chacha20
|
||||||
|
|
||||||
|
const (
|
||||||
|
bufSize = 64
|
||||||
|
haveAsm = false
|
||||||
|
)
|
||||||
|
|
||||||
|
func (*Cipher) xorKeyStreamAsm(dst, src []byte) {
|
||||||
|
panic("not implemented")
|
||||||
|
}
|
|
@ -0,0 +1,29 @@
|
||||||
|
// Copyright 2018 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build s390x,!gccgo,!appengine
|
||||||
|
|
||||||
|
package chacha20
|
||||||
|
|
||||||
|
import (
|
||||||
|
"golang.org/x/sys/cpu"
|
||||||
|
)
|
||||||
|
|
||||||
|
var haveAsm = cpu.S390X.HasVX
|
||||||
|
|
||||||
|
const bufSize = 256
|
||||||
|
|
||||||
|
// xorKeyStreamVX is an assembly implementation of XORKeyStream. It must only
|
||||||
|
// be called when the vector facility is available.
|
||||||
|
// Implementation in asm_s390x.s.
|
||||||
|
//go:noescape
|
||||||
|
func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32, buf *[256]byte, len *int)
|
||||||
|
|
||||||
|
func (c *Cipher) xorKeyStreamAsm(dst, src []byte) {
|
||||||
|
xorKeyStreamVX(dst, src, &c.key, &c.nonce, &c.counter, &c.buf, &c.len)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EXRL targets, DO NOT CALL!
|
||||||
|
func mvcSrcToBuf()
|
||||||
|
func mvcBufToDst()
|
|
@ -0,0 +1,260 @@
|
||||||
|
// Copyright 2018 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build s390x,!gccgo,!appengine
|
||||||
|
|
||||||
|
#include "go_asm.h"
|
||||||
|
#include "textflag.h"
|
||||||
|
|
||||||
|
// This is an implementation of the ChaCha20 encryption algorithm as
|
||||||
|
// specified in RFC 7539. It uses vector instructions to compute
|
||||||
|
// 4 keystream blocks in parallel (256 bytes) which are then XORed
|
||||||
|
// with the bytes in the input slice.
|
||||||
|
|
||||||
|
GLOBL ·constants<>(SB), RODATA|NOPTR, $32
|
||||||
|
// BSWAP: swap bytes in each 4-byte element
|
||||||
|
DATA ·constants<>+0x00(SB)/4, $0x03020100
|
||||||
|
DATA ·constants<>+0x04(SB)/4, $0x07060504
|
||||||
|
DATA ·constants<>+0x08(SB)/4, $0x0b0a0908
|
||||||
|
DATA ·constants<>+0x0c(SB)/4, $0x0f0e0d0c
|
||||||
|
// J0: [j0, j1, j2, j3]
|
||||||
|
DATA ·constants<>+0x10(SB)/4, $0x61707865
|
||||||
|
DATA ·constants<>+0x14(SB)/4, $0x3320646e
|
||||||
|
DATA ·constants<>+0x18(SB)/4, $0x79622d32
|
||||||
|
DATA ·constants<>+0x1c(SB)/4, $0x6b206574
|
||||||
|
|
||||||
|
// EXRL targets:
|
||||||
|
TEXT ·mvcSrcToBuf(SB), NOFRAME|NOSPLIT, $0
|
||||||
|
MVC $1, (R1), (R8)
|
||||||
|
RET
|
||||||
|
|
||||||
|
TEXT ·mvcBufToDst(SB), NOFRAME|NOSPLIT, $0
|
||||||
|
MVC $1, (R8), (R9)
|
||||||
|
RET
|
||||||
|
|
||||||
|
#define BSWAP V5
|
||||||
|
#define J0 V6
|
||||||
|
#define KEY0 V7
|
||||||
|
#define KEY1 V8
|
||||||
|
#define NONCE V9
|
||||||
|
#define CTR V10
|
||||||
|
#define M0 V11
|
||||||
|
#define M1 V12
|
||||||
|
#define M2 V13
|
||||||
|
#define M3 V14
|
||||||
|
#define INC V15
|
||||||
|
#define X0 V16
|
||||||
|
#define X1 V17
|
||||||
|
#define X2 V18
|
||||||
|
#define X3 V19
|
||||||
|
#define X4 V20
|
||||||
|
#define X5 V21
|
||||||
|
#define X6 V22
|
||||||
|
#define X7 V23
|
||||||
|
#define X8 V24
|
||||||
|
#define X9 V25
|
||||||
|
#define X10 V26
|
||||||
|
#define X11 V27
|
||||||
|
#define X12 V28
|
||||||
|
#define X13 V29
|
||||||
|
#define X14 V30
|
||||||
|
#define X15 V31
|
||||||
|
|
||||||
|
#define NUM_ROUNDS 20
|
||||||
|
|
||||||
|
#define ROUND4(a0, a1, a2, a3, b0, b1, b2, b3, c0, c1, c2, c3, d0, d1, d2, d3) \
|
||||||
|
VAF a1, a0, a0 \
|
||||||
|
VAF b1, b0, b0 \
|
||||||
|
VAF c1, c0, c0 \
|
||||||
|
VAF d1, d0, d0 \
|
||||||
|
VX a0, a2, a2 \
|
||||||
|
VX b0, b2, b2 \
|
||||||
|
VX c0, c2, c2 \
|
||||||
|
VX d0, d2, d2 \
|
||||||
|
VERLLF $16, a2, a2 \
|
||||||
|
VERLLF $16, b2, b2 \
|
||||||
|
VERLLF $16, c2, c2 \
|
||||||
|
VERLLF $16, d2, d2 \
|
||||||
|
VAF a2, a3, a3 \
|
||||||
|
VAF b2, b3, b3 \
|
||||||
|
VAF c2, c3, c3 \
|
||||||
|
VAF d2, d3, d3 \
|
||||||
|
VX a3, a1, a1 \
|
||||||
|
VX b3, b1, b1 \
|
||||||
|
VX c3, c1, c1 \
|
||||||
|
VX d3, d1, d1 \
|
||||||
|
VERLLF $12, a1, a1 \
|
||||||
|
VERLLF $12, b1, b1 \
|
||||||
|
VERLLF $12, c1, c1 \
|
||||||
|
VERLLF $12, d1, d1 \
|
||||||
|
VAF a1, a0, a0 \
|
||||||
|
VAF b1, b0, b0 \
|
||||||
|
VAF c1, c0, c0 \
|
||||||
|
VAF d1, d0, d0 \
|
||||||
|
VX a0, a2, a2 \
|
||||||
|
VX b0, b2, b2 \
|
||||||
|
VX c0, c2, c2 \
|
||||||
|
VX d0, d2, d2 \
|
||||||
|
VERLLF $8, a2, a2 \
|
||||||
|
VERLLF $8, b2, b2 \
|
||||||
|
VERLLF $8, c2, c2 \
|
||||||
|
VERLLF $8, d2, d2 \
|
||||||
|
VAF a2, a3, a3 \
|
||||||
|
VAF b2, b3, b3 \
|
||||||
|
VAF c2, c3, c3 \
|
||||||
|
VAF d2, d3, d3 \
|
||||||
|
VX a3, a1, a1 \
|
||||||
|
VX b3, b1, b1 \
|
||||||
|
VX c3, c1, c1 \
|
||||||
|
VX d3, d1, d1 \
|
||||||
|
VERLLF $7, a1, a1 \
|
||||||
|
VERLLF $7, b1, b1 \
|
||||||
|
VERLLF $7, c1, c1 \
|
||||||
|
VERLLF $7, d1, d1
|
||||||
|
|
||||||
|
#define PERMUTE(mask, v0, v1, v2, v3) \
|
||||||
|
VPERM v0, v0, mask, v0 \
|
||||||
|
VPERM v1, v1, mask, v1 \
|
||||||
|
VPERM v2, v2, mask, v2 \
|
||||||
|
VPERM v3, v3, mask, v3
|
||||||
|
|
||||||
|
#define ADDV(x, v0, v1, v2, v3) \
|
||||||
|
VAF x, v0, v0 \
|
||||||
|
VAF x, v1, v1 \
|
||||||
|
VAF x, v2, v2 \
|
||||||
|
VAF x, v3, v3
|
||||||
|
|
||||||
|
#define XORV(off, dst, src, v0, v1, v2, v3) \
|
||||||
|
VLM off(src), M0, M3 \
|
||||||
|
PERMUTE(BSWAP, v0, v1, v2, v3) \
|
||||||
|
VX v0, M0, M0 \
|
||||||
|
VX v1, M1, M1 \
|
||||||
|
VX v2, M2, M2 \
|
||||||
|
VX v3, M3, M3 \
|
||||||
|
VSTM M0, M3, off(dst)
|
||||||
|
|
||||||
|
#define SHUFFLE(a, b, c, d, t, u, v, w) \
|
||||||
|
VMRHF a, c, t \ // t = {a[0], c[0], a[1], c[1]}
|
||||||
|
VMRHF b, d, u \ // u = {b[0], d[0], b[1], d[1]}
|
||||||
|
VMRLF a, c, v \ // v = {a[2], c[2], a[3], c[3]}
|
||||||
|
VMRLF b, d, w \ // w = {b[2], d[2], b[3], d[3]}
|
||||||
|
VMRHF t, u, a \ // a = {a[0], b[0], c[0], d[0]}
|
||||||
|
VMRLF t, u, b \ // b = {a[1], b[1], c[1], d[1]}
|
||||||
|
VMRHF v, w, c \ // c = {a[2], b[2], c[2], d[2]}
|
||||||
|
VMRLF v, w, d // d = {a[3], b[3], c[3], d[3]}
|
||||||
|
|
||||||
|
// func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32, buf *[256]byte, len *int)
|
||||||
|
TEXT ·xorKeyStreamVX(SB), NOSPLIT, $0
|
||||||
|
MOVD $·constants<>(SB), R1
|
||||||
|
MOVD dst+0(FP), R2 // R2=&dst[0]
|
||||||
|
LMG src+24(FP), R3, R4 // R3=&src[0] R4=len(src)
|
||||||
|
MOVD key+48(FP), R5 // R5=key
|
||||||
|
MOVD nonce+56(FP), R6 // R6=nonce
|
||||||
|
MOVD counter+64(FP), R7 // R7=counter
|
||||||
|
MOVD buf+72(FP), R8 // R8=buf
|
||||||
|
MOVD len+80(FP), R9 // R9=len
|
||||||
|
|
||||||
|
// load BSWAP and J0
|
||||||
|
VLM (R1), BSWAP, J0
|
||||||
|
|
||||||
|
// set up tail buffer
|
||||||
|
ADD $-1, R4, R12
|
||||||
|
MOVBZ R12, R12
|
||||||
|
CMPUBEQ R12, $255, aligned
|
||||||
|
MOVD R4, R1
|
||||||
|
AND $~255, R1
|
||||||
|
MOVD $(R3)(R1*1), R1
|
||||||
|
EXRL $·mvcSrcToBuf(SB), R12
|
||||||
|
MOVD $255, R0
|
||||||
|
SUB R12, R0
|
||||||
|
MOVD R0, (R9) // update len
|
||||||
|
|
||||||
|
aligned:
|
||||||
|
// setup
|
||||||
|
MOVD $95, R0
|
||||||
|
VLM (R5), KEY0, KEY1
|
||||||
|
VLL R0, (R6), NONCE
|
||||||
|
VZERO M0
|
||||||
|
VLEIB $7, $32, M0
|
||||||
|
VSRLB M0, NONCE, NONCE
|
||||||
|
|
||||||
|
// initialize counter values
|
||||||
|
VLREPF (R7), CTR
|
||||||
|
VZERO INC
|
||||||
|
VLEIF $1, $1, INC
|
||||||
|
VLEIF $2, $2, INC
|
||||||
|
VLEIF $3, $3, INC
|
||||||
|
VAF INC, CTR, CTR
|
||||||
|
VREPIF $4, INC
|
||||||
|
|
||||||
|
chacha:
|
||||||
|
VREPF $0, J0, X0
|
||||||
|
VREPF $1, J0, X1
|
||||||
|
VREPF $2, J0, X2
|
||||||
|
VREPF $3, J0, X3
|
||||||
|
VREPF $0, KEY0, X4
|
||||||
|
VREPF $1, KEY0, X5
|
||||||
|
VREPF $2, KEY0, X6
|
||||||
|
VREPF $3, KEY0, X7
|
||||||
|
VREPF $0, KEY1, X8
|
||||||
|
VREPF $1, KEY1, X9
|
||||||
|
VREPF $2, KEY1, X10
|
||||||
|
VREPF $3, KEY1, X11
|
||||||
|
VLR CTR, X12
|
||||||
|
VREPF $1, NONCE, X13
|
||||||
|
VREPF $2, NONCE, X14
|
||||||
|
VREPF $3, NONCE, X15
|
||||||
|
|
||||||
|
MOVD $(NUM_ROUNDS/2), R1
|
||||||
|
|
||||||
|
loop:
|
||||||
|
ROUND4(X0, X4, X12, X8, X1, X5, X13, X9, X2, X6, X14, X10, X3, X7, X15, X11)
|
||||||
|
ROUND4(X0, X5, X15, X10, X1, X6, X12, X11, X2, X7, X13, X8, X3, X4, X14, X9)
|
||||||
|
|
||||||
|
ADD $-1, R1
|
||||||
|
BNE loop
|
||||||
|
|
||||||
|
// decrement length
|
||||||
|
ADD $-256, R4
|
||||||
|
BLT tail
|
||||||
|
|
||||||
|
continue:
|
||||||
|
// rearrange vectors
|
||||||
|
SHUFFLE(X0, X1, X2, X3, M0, M1, M2, M3)
|
||||||
|
ADDV(J0, X0, X1, X2, X3)
|
||||||
|
SHUFFLE(X4, X5, X6, X7, M0, M1, M2, M3)
|
||||||
|
ADDV(KEY0, X4, X5, X6, X7)
|
||||||
|
SHUFFLE(X8, X9, X10, X11, M0, M1, M2, M3)
|
||||||
|
ADDV(KEY1, X8, X9, X10, X11)
|
||||||
|
VAF CTR, X12, X12
|
||||||
|
SHUFFLE(X12, X13, X14, X15, M0, M1, M2, M3)
|
||||||
|
ADDV(NONCE, X12, X13, X14, X15)
|
||||||
|
|
||||||
|
// increment counters
|
||||||
|
VAF INC, CTR, CTR
|
||||||
|
|
||||||
|
// xor keystream with plaintext
|
||||||
|
XORV(0*64, R2, R3, X0, X4, X8, X12)
|
||||||
|
XORV(1*64, R2, R3, X1, X5, X9, X13)
|
||||||
|
XORV(2*64, R2, R3, X2, X6, X10, X14)
|
||||||
|
XORV(3*64, R2, R3, X3, X7, X11, X15)
|
||||||
|
|
||||||
|
// increment pointers
|
||||||
|
MOVD $256(R2), R2
|
||||||
|
MOVD $256(R3), R3
|
||||||
|
|
||||||
|
CMPBNE R4, $0, chacha
|
||||||
|
CMPUBEQ R12, $255, return
|
||||||
|
EXRL $·mvcBufToDst(SB), R12 // len was updated during setup
|
||||||
|
|
||||||
|
return:
|
||||||
|
VSTEF $0, CTR, (R7)
|
||||||
|
RET
|
||||||
|
|
||||||
|
tail:
|
||||||
|
MOVD R2, R9
|
||||||
|
MOVD R8, R2
|
||||||
|
MOVD R8, R3
|
||||||
|
MOVD $0, R4
|
||||||
|
JMP continue
|
|
@ -0,0 +1,43 @@
|
||||||
|
// Copyright 2018 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found src the LICENSE file.
|
||||||
|
|
||||||
|
package chacha20
|
||||||
|
|
||||||
|
import (
|
||||||
|
"runtime"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Platforms that have fast unaligned 32-bit little endian accesses.
|
||||||
|
const unaligned = runtime.GOARCH == "386" ||
|
||||||
|
runtime.GOARCH == "amd64" ||
|
||||||
|
runtime.GOARCH == "arm64" ||
|
||||||
|
runtime.GOARCH == "ppc64le" ||
|
||||||
|
runtime.GOARCH == "s390x"
|
||||||
|
|
||||||
|
// xor reads a little endian uint32 from src, XORs it with u and
|
||||||
|
// places the result in little endian byte order in dst.
|
||||||
|
func xor(dst, src []byte, u uint32) {
|
||||||
|
_, _ = src[3], dst[3] // eliminate bounds checks
|
||||||
|
if unaligned {
|
||||||
|
// The compiler should optimize this code into
|
||||||
|
// 32-bit unaligned little endian loads and stores.
|
||||||
|
// TODO: delete once the compiler does a reliably
|
||||||
|
// good job with the generic code below.
|
||||||
|
// See issue #25111 for more details.
|
||||||
|
v := uint32(src[0])
|
||||||
|
v |= uint32(src[1]) << 8
|
||||||
|
v |= uint32(src[2]) << 16
|
||||||
|
v |= uint32(src[3]) << 24
|
||||||
|
v ^= u
|
||||||
|
dst[0] = byte(v)
|
||||||
|
dst[1] = byte(v >> 8)
|
||||||
|
dst[2] = byte(v >> 16)
|
||||||
|
dst[3] = byte(v >> 24)
|
||||||
|
} else {
|
||||||
|
dst[0] = src[0] ^ byte(u)
|
||||||
|
dst[1] = src[1] ^ byte(u>>8)
|
||||||
|
dst[2] = src[2] ^ byte(u>>16)
|
||||||
|
dst[3] = src[3] ^ byte(u>>24)
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,97 @@
|
||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"io"
|
||||||
|
"sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
// buffer provides a linked list buffer for data exchange
|
||||||
|
// between producer and consumer. Theoretically the buffer is
|
||||||
|
// of unlimited capacity as it does no allocation of its own.
|
||||||
|
type buffer struct {
|
||||||
|
// protects concurrent access to head, tail and closed
|
||||||
|
*sync.Cond
|
||||||
|
|
||||||
|
head *element // the buffer that will be read first
|
||||||
|
tail *element // the buffer that will be read last
|
||||||
|
|
||||||
|
closed bool
|
||||||
|
}
|
||||||
|
|
||||||
|
// An element represents a single link in a linked list.
|
||||||
|
type element struct {
|
||||||
|
buf []byte
|
||||||
|
next *element
|
||||||
|
}
|
||||||
|
|
||||||
|
// newBuffer returns an empty buffer that is not closed.
|
||||||
|
func newBuffer() *buffer {
|
||||||
|
e := new(element)
|
||||||
|
b := &buffer{
|
||||||
|
Cond: newCond(),
|
||||||
|
head: e,
|
||||||
|
tail: e,
|
||||||
|
}
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
||||||
|
// write makes buf available for Read to receive.
|
||||||
|
// buf must not be modified after the call to write.
|
||||||
|
func (b *buffer) write(buf []byte) {
|
||||||
|
b.Cond.L.Lock()
|
||||||
|
e := &element{buf: buf}
|
||||||
|
b.tail.next = e
|
||||||
|
b.tail = e
|
||||||
|
b.Cond.Signal()
|
||||||
|
b.Cond.L.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
// eof closes the buffer. Reads from the buffer once all
|
||||||
|
// the data has been consumed will receive io.EOF.
|
||||||
|
func (b *buffer) eof() {
|
||||||
|
b.Cond.L.Lock()
|
||||||
|
b.closed = true
|
||||||
|
b.Cond.Signal()
|
||||||
|
b.Cond.L.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read reads data from the internal buffer in buf. Reads will block
|
||||||
|
// if no data is available, or until the buffer is closed.
|
||||||
|
func (b *buffer) Read(buf []byte) (n int, err error) {
|
||||||
|
b.Cond.L.Lock()
|
||||||
|
defer b.Cond.L.Unlock()
|
||||||
|
|
||||||
|
for len(buf) > 0 {
|
||||||
|
// if there is data in b.head, copy it
|
||||||
|
if len(b.head.buf) > 0 {
|
||||||
|
r := copy(buf, b.head.buf)
|
||||||
|
buf, b.head.buf = buf[r:], b.head.buf[r:]
|
||||||
|
n += r
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
// if there is a next buffer, make it the head
|
||||||
|
if len(b.head.buf) == 0 && b.head != b.tail {
|
||||||
|
b.head = b.head.next
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// if at least one byte has been copied, return
|
||||||
|
if n > 0 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
|
||||||
|
// if nothing was read, and there is nothing outstanding
|
||||||
|
// check to see if the buffer is closed.
|
||||||
|
if b.closed {
|
||||||
|
err = io.EOF
|
||||||
|
break
|
||||||
|
}
|
||||||
|
// out of buffers, wait for producer
|
||||||
|
b.Cond.Wait()
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
|
@ -0,0 +1,535 @@
|
||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net"
|
||||||
|
"sort"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
// These constants from [PROTOCOL.certkeys] represent the algorithm names
|
||||||
|
// for certificate types supported by this package.
|
||||||
|
const (
|
||||||
|
CertAlgoRSAv01 = "ssh-rsa-cert-v01@openssh.com"
|
||||||
|
CertAlgoDSAv01 = "ssh-dss-cert-v01@openssh.com"
|
||||||
|
CertAlgoECDSA256v01 = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
|
||||||
|
CertAlgoECDSA384v01 = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
|
||||||
|
CertAlgoECDSA521v01 = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
|
||||||
|
CertAlgoED25519v01 = "ssh-ed25519-cert-v01@openssh.com"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Certificate types distinguish between host and user
|
||||||
|
// certificates. The values can be set in the CertType field of
|
||||||
|
// Certificate.
|
||||||
|
const (
|
||||||
|
UserCert = 1
|
||||||
|
HostCert = 2
|
||||||
|
)
|
||||||
|
|
||||||
|
// Signature represents a cryptographic signature.
|
||||||
|
type Signature struct {
|
||||||
|
Format string
|
||||||
|
Blob []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertTimeInfinity can be used for OpenSSHCertV01.ValidBefore to indicate that
|
||||||
|
// a certificate does not expire.
|
||||||
|
const CertTimeInfinity = 1<<64 - 1
|
||||||
|
|
||||||
|
// An Certificate represents an OpenSSH certificate as defined in
|
||||||
|
// [PROTOCOL.certkeys]?rev=1.8. The Certificate type implements the
|
||||||
|
// PublicKey interface, so it can be unmarshaled using
|
||||||
|
// ParsePublicKey.
|
||||||
|
type Certificate struct {
|
||||||
|
Nonce []byte
|
||||||
|
Key PublicKey
|
||||||
|
Serial uint64
|
||||||
|
CertType uint32
|
||||||
|
KeyId string
|
||||||
|
ValidPrincipals []string
|
||||||
|
ValidAfter uint64
|
||||||
|
ValidBefore uint64
|
||||||
|
Permissions
|
||||||
|
Reserved []byte
|
||||||
|
SignatureKey PublicKey
|
||||||
|
Signature *Signature
|
||||||
|
}
|
||||||
|
|
||||||
|
// genericCertData holds the key-independent part of the certificate data.
|
||||||
|
// Overall, certificates contain an nonce, public key fields and
|
||||||
|
// key-independent fields.
|
||||||
|
type genericCertData struct {
|
||||||
|
Serial uint64
|
||||||
|
CertType uint32
|
||||||
|
KeyId string
|
||||||
|
ValidPrincipals []byte
|
||||||
|
ValidAfter uint64
|
||||||
|
ValidBefore uint64
|
||||||
|
CriticalOptions []byte
|
||||||
|
Extensions []byte
|
||||||
|
Reserved []byte
|
||||||
|
SignatureKey []byte
|
||||||
|
Signature []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalStringList(namelist []string) []byte {
|
||||||
|
var to []byte
|
||||||
|
for _, name := range namelist {
|
||||||
|
s := struct{ N string }{name}
|
||||||
|
to = append(to, Marshal(&s)...)
|
||||||
|
}
|
||||||
|
return to
|
||||||
|
}
|
||||||
|
|
||||||
|
type optionsTuple struct {
|
||||||
|
Key string
|
||||||
|
Value []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
type optionsTupleValue struct {
|
||||||
|
Value string
|
||||||
|
}
|
||||||
|
|
||||||
|
// serialize a map of critical options or extensions
|
||||||
|
// issue #10569 - per [PROTOCOL.certkeys] and SSH implementation,
|
||||||
|
// we need two length prefixes for a non-empty string value
|
||||||
|
func marshalTuples(tups map[string]string) []byte {
|
||||||
|
keys := make([]string, 0, len(tups))
|
||||||
|
for key := range tups {
|
||||||
|
keys = append(keys, key)
|
||||||
|
}
|
||||||
|
sort.Strings(keys)
|
||||||
|
|
||||||
|
var ret []byte
|
||||||
|
for _, key := range keys {
|
||||||
|
s := optionsTuple{Key: key}
|
||||||
|
if value := tups[key]; len(value) > 0 {
|
||||||
|
s.Value = Marshal(&optionsTupleValue{value})
|
||||||
|
}
|
||||||
|
ret = append(ret, Marshal(&s)...)
|
||||||
|
}
|
||||||
|
return ret
|
||||||
|
}
|
||||||
|
|
||||||
|
// issue #10569 - per [PROTOCOL.certkeys] and SSH implementation,
|
||||||
|
// we need two length prefixes for a non-empty option value
|
||||||
|
func parseTuples(in []byte) (map[string]string, error) {
|
||||||
|
tups := map[string]string{}
|
||||||
|
var lastKey string
|
||||||
|
var haveLastKey bool
|
||||||
|
|
||||||
|
for len(in) > 0 {
|
||||||
|
var key, val, extra []byte
|
||||||
|
var ok bool
|
||||||
|
|
||||||
|
if key, in, ok = parseString(in); !ok {
|
||||||
|
return nil, errShortRead
|
||||||
|
}
|
||||||
|
keyStr := string(key)
|
||||||
|
// according to [PROTOCOL.certkeys], the names must be in
|
||||||
|
// lexical order.
|
||||||
|
if haveLastKey && keyStr <= lastKey {
|
||||||
|
return nil, fmt.Errorf("ssh: certificate options are not in lexical order")
|
||||||
|
}
|
||||||
|
lastKey, haveLastKey = keyStr, true
|
||||||
|
// the next field is a data field, which if non-empty has a string embedded
|
||||||
|
if val, in, ok = parseString(in); !ok {
|
||||||
|
return nil, errShortRead
|
||||||
|
}
|
||||||
|
if len(val) > 0 {
|
||||||
|
val, extra, ok = parseString(val)
|
||||||
|
if !ok {
|
||||||
|
return nil, errShortRead
|
||||||
|
}
|
||||||
|
if len(extra) > 0 {
|
||||||
|
return nil, fmt.Errorf("ssh: unexpected trailing data after certificate option value")
|
||||||
|
}
|
||||||
|
tups[keyStr] = string(val)
|
||||||
|
} else {
|
||||||
|
tups[keyStr] = ""
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return tups, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseCert(in []byte, privAlgo string) (*Certificate, error) {
|
||||||
|
nonce, rest, ok := parseString(in)
|
||||||
|
if !ok {
|
||||||
|
return nil, errShortRead
|
||||||
|
}
|
||||||
|
|
||||||
|
key, rest, err := parsePubKey(rest, privAlgo)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var g genericCertData
|
||||||
|
if err := Unmarshal(rest, &g); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
c := &Certificate{
|
||||||
|
Nonce: nonce,
|
||||||
|
Key: key,
|
||||||
|
Serial: g.Serial,
|
||||||
|
CertType: g.CertType,
|
||||||
|
KeyId: g.KeyId,
|
||||||
|
ValidAfter: g.ValidAfter,
|
||||||
|
ValidBefore: g.ValidBefore,
|
||||||
|
}
|
||||||
|
|
||||||
|
for principals := g.ValidPrincipals; len(principals) > 0; {
|
||||||
|
principal, rest, ok := parseString(principals)
|
||||||
|
if !ok {
|
||||||
|
return nil, errShortRead
|
||||||
|
}
|
||||||
|
c.ValidPrincipals = append(c.ValidPrincipals, string(principal))
|
||||||
|
principals = rest
|
||||||
|
}
|
||||||
|
|
||||||
|
c.CriticalOptions, err = parseTuples(g.CriticalOptions)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
c.Extensions, err = parseTuples(g.Extensions)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
c.Reserved = g.Reserved
|
||||||
|
k, err := ParsePublicKey(g.SignatureKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
c.SignatureKey = k
|
||||||
|
c.Signature, rest, ok = parseSignatureBody(g.Signature)
|
||||||
|
if !ok || len(rest) > 0 {
|
||||||
|
return nil, errors.New("ssh: signature parse error")
|
||||||
|
}
|
||||||
|
|
||||||
|
return c, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
type openSSHCertSigner struct {
|
||||||
|
pub *Certificate
|
||||||
|
signer Signer
|
||||||
|
}
|
||||||
|
|
||||||
|
type algorithmOpenSSHCertSigner struct {
|
||||||
|
*openSSHCertSigner
|
||||||
|
algorithmSigner AlgorithmSigner
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewCertSigner returns a Signer that signs with the given Certificate, whose
|
||||||
|
// private key is held by signer. It returns an error if the public key in cert
|
||||||
|
// doesn't match the key used by signer.
|
||||||
|
func NewCertSigner(cert *Certificate, signer Signer) (Signer, error) {
|
||||||
|
if bytes.Compare(cert.Key.Marshal(), signer.PublicKey().Marshal()) != 0 {
|
||||||
|
return nil, errors.New("ssh: signer and cert have different public key")
|
||||||
|
}
|
||||||
|
|
||||||
|
if algorithmSigner, ok := signer.(AlgorithmSigner); ok {
|
||||||
|
return &algorithmOpenSSHCertSigner{
|
||||||
|
&openSSHCertSigner{cert, signer}, algorithmSigner}, nil
|
||||||
|
} else {
|
||||||
|
return &openSSHCertSigner{cert, signer}, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *openSSHCertSigner) Sign(rand io.Reader, data []byte) (*Signature, error) {
|
||||||
|
return s.signer.Sign(rand, data)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *openSSHCertSigner) PublicKey() PublicKey {
|
||||||
|
return s.pub
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *algorithmOpenSSHCertSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) {
|
||||||
|
return s.algorithmSigner.SignWithAlgorithm(rand, data, algorithm)
|
||||||
|
}
|
||||||
|
|
||||||
|
const sourceAddressCriticalOption = "source-address"
|
||||||
|
|
||||||
|
// CertChecker does the work of verifying a certificate. Its methods
|
||||||
|
// can be plugged into ClientConfig.HostKeyCallback and
|
||||||
|
// ServerConfig.PublicKeyCallback. For the CertChecker to work,
|
||||||
|
// minimally, the IsAuthority callback should be set.
|
||||||
|
type CertChecker struct {
|
||||||
|
// SupportedCriticalOptions lists the CriticalOptions that the
|
||||||
|
// server application layer understands. These are only used
|
||||||
|
// for user certificates.
|
||||||
|
SupportedCriticalOptions []string
|
||||||
|
|
||||||
|
// IsUserAuthority should return true if the key is recognized as an
|
||||||
|
// authority for the given user certificate. This allows for
|
||||||
|
// certificates to be signed by other certificates. This must be set
|
||||||
|
// if this CertChecker will be checking user certificates.
|
||||||
|
IsUserAuthority func(auth PublicKey) bool
|
||||||
|
|
||||||
|
// IsHostAuthority should report whether the key is recognized as
|
||||||
|
// an authority for this host. This allows for certificates to be
|
||||||
|
// signed by other keys, and for those other keys to only be valid
|
||||||
|
// signers for particular hostnames. This must be set if this
|
||||||
|
// CertChecker will be checking host certificates.
|
||||||
|
IsHostAuthority func(auth PublicKey, address string) bool
|
||||||
|
|
||||||
|
// Clock is used for verifying time stamps. If nil, time.Now
|
||||||
|
// is used.
|
||||||
|
Clock func() time.Time
|
||||||
|
|
||||||
|
// UserKeyFallback is called when CertChecker.Authenticate encounters a
|
||||||
|
// public key that is not a certificate. It must implement validation
|
||||||
|
// of user keys or else, if nil, all such keys are rejected.
|
||||||
|
UserKeyFallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
|
||||||
|
|
||||||
|
// HostKeyFallback is called when CertChecker.CheckHostKey encounters a
|
||||||
|
// public key that is not a certificate. It must implement host key
|
||||||
|
// validation or else, if nil, all such keys are rejected.
|
||||||
|
HostKeyFallback HostKeyCallback
|
||||||
|
|
||||||
|
// IsRevoked is called for each certificate so that revocation checking
|
||||||
|
// can be implemented. It should return true if the given certificate
|
||||||
|
// is revoked and false otherwise. If nil, no certificates are
|
||||||
|
// considered to have been revoked.
|
||||||
|
IsRevoked func(cert *Certificate) bool
|
||||||
|
}
|
||||||
|
|
||||||
|
// CheckHostKey checks a host key certificate. This method can be
|
||||||
|
// plugged into ClientConfig.HostKeyCallback.
|
||||||
|
func (c *CertChecker) CheckHostKey(addr string, remote net.Addr, key PublicKey) error {
|
||||||
|
cert, ok := key.(*Certificate)
|
||||||
|
if !ok {
|
||||||
|
if c.HostKeyFallback != nil {
|
||||||
|
return c.HostKeyFallback(addr, remote, key)
|
||||||
|
}
|
||||||
|
return errors.New("ssh: non-certificate host key")
|
||||||
|
}
|
||||||
|
if cert.CertType != HostCert {
|
||||||
|
return fmt.Errorf("ssh: certificate presented as a host key has type %d", cert.CertType)
|
||||||
|
}
|
||||||
|
if !c.IsHostAuthority(cert.SignatureKey, addr) {
|
||||||
|
return fmt.Errorf("ssh: no authorities for hostname: %v", addr)
|
||||||
|
}
|
||||||
|
|
||||||
|
hostname, _, err := net.SplitHostPort(addr)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Pass hostname only as principal for host certificates (consistent with OpenSSH)
|
||||||
|
return c.CheckCert(hostname, cert)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Authenticate checks a user certificate. Authenticate can be used as
|
||||||
|
// a value for ServerConfig.PublicKeyCallback.
|
||||||
|
func (c *CertChecker) Authenticate(conn ConnMetadata, pubKey PublicKey) (*Permissions, error) {
|
||||||
|
cert, ok := pubKey.(*Certificate)
|
||||||
|
if !ok {
|
||||||
|
if c.UserKeyFallback != nil {
|
||||||
|
return c.UserKeyFallback(conn, pubKey)
|
||||||
|
}
|
||||||
|
return nil, errors.New("ssh: normal key pairs not accepted")
|
||||||
|
}
|
||||||
|
|
||||||
|
if cert.CertType != UserCert {
|
||||||
|
return nil, fmt.Errorf("ssh: cert has type %d", cert.CertType)
|
||||||
|
}
|
||||||
|
if !c.IsUserAuthority(cert.SignatureKey) {
|
||||||
|
return nil, fmt.Errorf("ssh: certificate signed by unrecognized authority")
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := c.CheckCert(conn.User(), cert); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return &cert.Permissions, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// CheckCert checks CriticalOptions, ValidPrincipals, revocation, timestamp and
|
||||||
|
// the signature of the certificate.
|
||||||
|
func (c *CertChecker) CheckCert(principal string, cert *Certificate) error {
|
||||||
|
if c.IsRevoked != nil && c.IsRevoked(cert) {
|
||||||
|
return fmt.Errorf("ssh: certificate serial %d revoked", cert.Serial)
|
||||||
|
}
|
||||||
|
|
||||||
|
for opt := range cert.CriticalOptions {
|
||||||
|
// sourceAddressCriticalOption will be enforced by
|
||||||
|
// serverAuthenticate
|
||||||
|
if opt == sourceAddressCriticalOption {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
found := false
|
||||||
|
for _, supp := range c.SupportedCriticalOptions {
|
||||||
|
if supp == opt {
|
||||||
|
found = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !found {
|
||||||
|
return fmt.Errorf("ssh: unsupported critical option %q in certificate", opt)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(cert.ValidPrincipals) > 0 {
|
||||||
|
// By default, certs are valid for all users/hosts.
|
||||||
|
found := false
|
||||||
|
for _, p := range cert.ValidPrincipals {
|
||||||
|
if p == principal {
|
||||||
|
found = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !found {
|
||||||
|
return fmt.Errorf("ssh: principal %q not in the set of valid principals for given certificate: %q", principal, cert.ValidPrincipals)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
clock := c.Clock
|
||||||
|
if clock == nil {
|
||||||
|
clock = time.Now
|
||||||
|
}
|
||||||
|
|
||||||
|
unixNow := clock().Unix()
|
||||||
|
if after := int64(cert.ValidAfter); after < 0 || unixNow < int64(cert.ValidAfter) {
|
||||||
|
return fmt.Errorf("ssh: cert is not yet valid")
|
||||||
|
}
|
||||||
|
if before := int64(cert.ValidBefore); cert.ValidBefore != uint64(CertTimeInfinity) && (unixNow >= before || before < 0) {
|
||||||
|
return fmt.Errorf("ssh: cert has expired")
|
||||||
|
}
|
||||||
|
if err := cert.SignatureKey.Verify(cert.bytesForSigning(), cert.Signature); err != nil {
|
||||||
|
return fmt.Errorf("ssh: certificate signature does not verify")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignCert sets c.SignatureKey to the authority's public key and stores a
|
||||||
|
// Signature, by authority, in the certificate.
|
||||||
|
func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
|
||||||
|
c.Nonce = make([]byte, 32)
|
||||||
|
if _, err := io.ReadFull(rand, c.Nonce); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
c.SignatureKey = authority.PublicKey()
|
||||||
|
|
||||||
|
sig, err := authority.Sign(rand, c.bytesForSigning())
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
c.Signature = sig
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
var certAlgoNames = map[string]string{
|
||||||
|
KeyAlgoRSA: CertAlgoRSAv01,
|
||||||
|
KeyAlgoDSA: CertAlgoDSAv01,
|
||||||
|
KeyAlgoECDSA256: CertAlgoECDSA256v01,
|
||||||
|
KeyAlgoECDSA384: CertAlgoECDSA384v01,
|
||||||
|
KeyAlgoECDSA521: CertAlgoECDSA521v01,
|
||||||
|
KeyAlgoED25519: CertAlgoED25519v01,
|
||||||
|
}
|
||||||
|
|
||||||
|
// certToPrivAlgo returns the underlying algorithm for a certificate algorithm.
|
||||||
|
// Panics if a non-certificate algorithm is passed.
|
||||||
|
func certToPrivAlgo(algo string) string {
|
||||||
|
for privAlgo, pubAlgo := range certAlgoNames {
|
||||||
|
if pubAlgo == algo {
|
||||||
|
return privAlgo
|
||||||
|
}
|
||||||
|
}
|
||||||
|
panic("unknown cert algorithm")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cert *Certificate) bytesForSigning() []byte {
|
||||||
|
c2 := *cert
|
||||||
|
c2.Signature = nil
|
||||||
|
out := c2.Marshal()
|
||||||
|
// Drop trailing signature length.
|
||||||
|
return out[:len(out)-4]
|
||||||
|
}
|
||||||
|
|
||||||
|
// Marshal serializes c into OpenSSH's wire format. It is part of the
|
||||||
|
// PublicKey interface.
|
||||||
|
func (c *Certificate) Marshal() []byte {
|
||||||
|
generic := genericCertData{
|
||||||
|
Serial: c.Serial,
|
||||||
|
CertType: c.CertType,
|
||||||
|
KeyId: c.KeyId,
|
||||||
|
ValidPrincipals: marshalStringList(c.ValidPrincipals),
|
||||||
|
ValidAfter: uint64(c.ValidAfter),
|
||||||
|
ValidBefore: uint64(c.ValidBefore),
|
||||||
|
CriticalOptions: marshalTuples(c.CriticalOptions),
|
||||||
|
Extensions: marshalTuples(c.Extensions),
|
||||||
|
Reserved: c.Reserved,
|
||||||
|
SignatureKey: c.SignatureKey.Marshal(),
|
||||||
|
}
|
||||||
|
if c.Signature != nil {
|
||||||
|
generic.Signature = Marshal(c.Signature)
|
||||||
|
}
|
||||||
|
genericBytes := Marshal(&generic)
|
||||||
|
keyBytes := c.Key.Marshal()
|
||||||
|
_, keyBytes, _ = parseString(keyBytes)
|
||||||
|
prefix := Marshal(&struct {
|
||||||
|
Name string
|
||||||
|
Nonce []byte
|
||||||
|
Key []byte `ssh:"rest"`
|
||||||
|
}{c.Type(), c.Nonce, keyBytes})
|
||||||
|
|
||||||
|
result := make([]byte, 0, len(prefix)+len(genericBytes))
|
||||||
|
result = append(result, prefix...)
|
||||||
|
result = append(result, genericBytes...)
|
||||||
|
return result
|
||||||
|
}
|
||||||
|
|
||||||
|
// Type returns the key name. It is part of the PublicKey interface.
|
||||||
|
func (c *Certificate) Type() string {
|
||||||
|
algo, ok := certAlgoNames[c.Key.Type()]
|
||||||
|
if !ok {
|
||||||
|
panic("unknown cert key type " + c.Key.Type())
|
||||||
|
}
|
||||||
|
return algo
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify verifies a signature against the certificate's public
|
||||||
|
// key. It is part of the PublicKey interface.
|
||||||
|
func (c *Certificate) Verify(data []byte, sig *Signature) error {
|
||||||
|
return c.Key.Verify(data, sig)
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseSignatureBody(in []byte) (out *Signature, rest []byte, ok bool) {
|
||||||
|
format, in, ok := parseString(in)
|
||||||
|
if !ok {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
out = &Signature{
|
||||||
|
Format: string(format),
|
||||||
|
}
|
||||||
|
|
||||||
|
if out.Blob, in, ok = parseString(in); !ok {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
return out, in, ok
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseSignature(in []byte) (out *Signature, rest []byte, ok bool) {
|
||||||
|
sigBytes, rest, ok := parseString(in)
|
||||||
|
if !ok {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
out, trailing, ok := parseSignatureBody(sigBytes)
|
||||||
|
if !ok || len(trailing) > 0 {
|
||||||
|
return nil, nil, false
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
|
@ -0,0 +1,633 @@
|
||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"log"
|
||||||
|
"sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
minPacketLength = 9
|
||||||
|
// channelMaxPacket contains the maximum number of bytes that will be
|
||||||
|
// sent in a single packet. As per RFC 4253, section 6.1, 32k is also
|
||||||
|
// the minimum.
|
||||||
|
channelMaxPacket = 1 << 15
|
||||||
|
// We follow OpenSSH here.
|
||||||
|
channelWindowSize = 64 * channelMaxPacket
|
||||||
|
)
|
||||||
|
|
||||||
|
// NewChannel represents an incoming request to a channel. It must either be
|
||||||
|
// accepted for use by calling Accept, or rejected by calling Reject.
|
||||||
|
type NewChannel interface {
|
||||||
|
// Accept accepts the channel creation request. It returns the Channel
|
||||||
|
// and a Go channel containing SSH requests. The Go channel must be
|
||||||
|
// serviced otherwise the Channel will hang.
|
||||||
|
Accept() (Channel, <-chan *Request, error)
|
||||||
|
|
||||||
|
// Reject rejects the channel creation request. After calling
|
||||||
|
// this, no other methods on the Channel may be called.
|
||||||
|
Reject(reason RejectionReason, message string) error
|
||||||
|
|
||||||
|
// ChannelType returns the type of the channel, as supplied by the
|
||||||
|
// client.
|
||||||
|
ChannelType() string
|
||||||
|
|
||||||
|
// ExtraData returns the arbitrary payload for this channel, as supplied
|
||||||
|
// by the client. This data is specific to the channel type.
|
||||||
|
ExtraData() []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// A Channel is an ordered, reliable, flow-controlled, duplex stream
|
||||||
|
// that is multiplexed over an SSH connection.
|
||||||
|
type Channel interface {
|
||||||
|
// Read reads up to len(data) bytes from the channel.
|
||||||
|
Read(data []byte) (int, error)
|
||||||
|
|
||||||
|
// Write writes len(data) bytes to the channel.
|
||||||
|
Write(data []byte) (int, error)
|
||||||
|
|
||||||
|
// Close signals end of channel use. No data may be sent after this
|
||||||
|
// call.
|
||||||
|
Close() error
|
||||||
|
|
||||||
|
// CloseWrite signals the end of sending in-band
|
||||||
|
// data. Requests may still be sent, and the other side may
|
||||||
|
// still send data
|
||||||
|
CloseWrite() error
|
||||||
|
|
||||||
|
// SendRequest sends a channel request. If wantReply is true,
|
||||||
|
// it will wait for a reply and return the result as a
|
||||||
|
// boolean, otherwise the return value will be false. Channel
|
||||||
|
// requests are out-of-band messages so they may be sent even
|
||||||
|
// if the data stream is closed or blocked by flow control.
|
||||||
|
// If the channel is closed before a reply is returned, io.EOF
|
||||||
|
// is returned.
|
||||||
|
SendRequest(name string, wantReply bool, payload []byte) (bool, error)
|
||||||
|
|
||||||
|
// Stderr returns an io.ReadWriter that writes to this channel
|
||||||
|
// with the extended data type set to stderr. Stderr may
|
||||||
|
// safely be read and written from a different goroutine than
|
||||||
|
// Read and Write respectively.
|
||||||
|
Stderr() io.ReadWriter
|
||||||
|
}
|
||||||
|
|
||||||
|
// Request is a request sent outside of the normal stream of
|
||||||
|
// data. Requests can either be specific to an SSH channel, or they
|
||||||
|
// can be global.
|
||||||
|
type Request struct {
|
||||||
|
Type string
|
||||||
|
WantReply bool
|
||||||
|
Payload []byte
|
||||||
|
|
||||||
|
ch *channel
|
||||||
|
mux *mux
|
||||||
|
}
|
||||||
|
|
||||||
|
// Reply sends a response to a request. It must be called for all requests
|
||||||
|
// where WantReply is true and is a no-op otherwise. The payload argument is
|
||||||
|
// ignored for replies to channel-specific requests.
|
||||||
|
func (r *Request) Reply(ok bool, payload []byte) error {
|
||||||
|
if !r.WantReply {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if r.ch == nil {
|
||||||
|
return r.mux.ackRequest(ok, payload)
|
||||||
|
}
|
||||||
|
|
||||||
|
return r.ch.ackRequest(ok)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RejectionReason is an enumeration used when rejecting channel creation
|
||||||
|
// requests. See RFC 4254, section 5.1.
|
||||||
|
type RejectionReason uint32
|
||||||
|
|
||||||
|
const (
|
||||||
|
Prohibited RejectionReason = iota + 1
|
||||||
|
ConnectionFailed
|
||||||
|
UnknownChannelType
|
||||||
|
ResourceShortage
|
||||||
|
)
|
||||||
|
|
||||||
|
// String converts the rejection reason to human readable form.
|
||||||
|
func (r RejectionReason) String() string {
|
||||||
|
switch r {
|
||||||
|
case Prohibited:
|
||||||
|
return "administratively prohibited"
|
||||||
|
case ConnectionFailed:
|
||||||
|
return "connect failed"
|
||||||
|
case UnknownChannelType:
|
||||||
|
return "unknown channel type"
|
||||||
|
case ResourceShortage:
|
||||||
|
return "resource shortage"
|
||||||
|
}
|
||||||
|
return fmt.Sprintf("unknown reason %d", int(r))
|
||||||
|
}
|
||||||
|
|
||||||
|
func min(a uint32, b int) uint32 {
|
||||||
|
if a < uint32(b) {
|
||||||
|
return a
|
||||||
|
}
|
||||||
|
return uint32(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
type channelDirection uint8
|
||||||
|
|
||||||
|
const (
|
||||||
|
channelInbound channelDirection = iota
|
||||||
|
channelOutbound
|
||||||
|
)
|
||||||
|
|
||||||
|
// channel is an implementation of the Channel interface that works
|
||||||
|
// with the mux class.
|
||||||
|
type channel struct {
|
||||||
|
// R/O after creation
|
||||||
|
chanType string
|
||||||
|
extraData []byte
|
||||||
|
localId, remoteId uint32
|
||||||
|
|
||||||
|
// maxIncomingPayload and maxRemotePayload are the maximum
|
||||||
|
// payload sizes of normal and extended data packets for
|
||||||
|
// receiving and sending, respectively. The wire packet will
|
||||||
|
// be 9 or 13 bytes larger (excluding encryption overhead).
|
||||||
|
maxIncomingPayload uint32
|
||||||
|
maxRemotePayload uint32
|
||||||
|
|
||||||
|
mux *mux
|
||||||
|
|
||||||
|
// decided is set to true if an accept or reject message has been sent
|
||||||
|
// (for outbound channels) or received (for inbound channels).
|
||||||
|
decided bool
|
||||||
|
|
||||||
|
// direction contains either channelOutbound, for channels created
|
||||||
|
// locally, or channelInbound, for channels created by the peer.
|
||||||
|
direction channelDirection
|
||||||
|
|
||||||
|
// Pending internal channel messages.
|
||||||
|
msg chan interface{}
|
||||||
|
|
||||||
|
// Since requests have no ID, there can be only one request
|
||||||
|
// with WantReply=true outstanding. This lock is held by a
|
||||||
|
// goroutine that has such an outgoing request pending.
|
||||||
|
sentRequestMu sync.Mutex
|
||||||
|
|
||||||
|
incomingRequests chan *Request
|
||||||
|
|
||||||
|
sentEOF bool
|
||||||
|
|
||||||
|
// thread-safe data
|
||||||
|
remoteWin window
|
||||||
|
pending *buffer
|
||||||
|
extPending *buffer
|
||||||
|
|
||||||
|
// windowMu protects myWindow, the flow-control window.
|
||||||
|
windowMu sync.Mutex
|
||||||
|
myWindow uint32
|
||||||
|
|
||||||
|
// writeMu serializes calls to mux.conn.writePacket() and
|
||||||
|
// protects sentClose and packetPool. This mutex must be
|
||||||
|
// different from windowMu, as writePacket can block if there
|
||||||
|
// is a key exchange pending.
|
||||||
|
writeMu sync.Mutex
|
||||||
|
sentClose bool
|
||||||
|
|
||||||
|
// packetPool has a buffer for each extended channel ID to
|
||||||
|
// save allocations during writes.
|
||||||
|
packetPool map[uint32][]byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// writePacket sends a packet. If the packet is a channel close, it updates
|
||||||
|
// sentClose. This method takes the lock c.writeMu.
|
||||||
|
func (ch *channel) writePacket(packet []byte) error {
|
||||||
|
ch.writeMu.Lock()
|
||||||
|
if ch.sentClose {
|
||||||
|
ch.writeMu.Unlock()
|
||||||
|
return io.EOF
|
||||||
|
}
|
||||||
|
ch.sentClose = (packet[0] == msgChannelClose)
|
||||||
|
err := ch.mux.conn.writePacket(packet)
|
||||||
|
ch.writeMu.Unlock()
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) sendMessage(msg interface{}) error {
|
||||||
|
if debugMux {
|
||||||
|
log.Printf("send(%d): %#v", ch.mux.chanList.offset, msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
p := Marshal(msg)
|
||||||
|
binary.BigEndian.PutUint32(p[1:], ch.remoteId)
|
||||||
|
return ch.writePacket(p)
|
||||||
|
}
|
||||||
|
|
||||||
|
// WriteExtended writes data to a specific extended stream. These streams are
|
||||||
|
// used, for example, for stderr.
|
||||||
|
func (ch *channel) WriteExtended(data []byte, extendedCode uint32) (n int, err error) {
|
||||||
|
if ch.sentEOF {
|
||||||
|
return 0, io.EOF
|
||||||
|
}
|
||||||
|
// 1 byte message type, 4 bytes remoteId, 4 bytes data length
|
||||||
|
opCode := byte(msgChannelData)
|
||||||
|
headerLength := uint32(9)
|
||||||
|
if extendedCode > 0 {
|
||||||
|
headerLength += 4
|
||||||
|
opCode = msgChannelExtendedData
|
||||||
|
}
|
||||||
|
|
||||||
|
ch.writeMu.Lock()
|
||||||
|
packet := ch.packetPool[extendedCode]
|
||||||
|
// We don't remove the buffer from packetPool, so
|
||||||
|
// WriteExtended calls from different goroutines will be
|
||||||
|
// flagged as errors by the race detector.
|
||||||
|
ch.writeMu.Unlock()
|
||||||
|
|
||||||
|
for len(data) > 0 {
|
||||||
|
space := min(ch.maxRemotePayload, len(data))
|
||||||
|
if space, err = ch.remoteWin.reserve(space); err != nil {
|
||||||
|
return n, err
|
||||||
|
}
|
||||||
|
if want := headerLength + space; uint32(cap(packet)) < want {
|
||||||
|
packet = make([]byte, want)
|
||||||
|
} else {
|
||||||
|
packet = packet[:want]
|
||||||
|
}
|
||||||
|
|
||||||
|
todo := data[:space]
|
||||||
|
|
||||||
|
packet[0] = opCode
|
||||||
|
binary.BigEndian.PutUint32(packet[1:], ch.remoteId)
|
||||||
|
if extendedCode > 0 {
|
||||||
|
binary.BigEndian.PutUint32(packet[5:], uint32(extendedCode))
|
||||||
|
}
|
||||||
|
binary.BigEndian.PutUint32(packet[headerLength-4:], uint32(len(todo)))
|
||||||
|
copy(packet[headerLength:], todo)
|
||||||
|
if err = ch.writePacket(packet); err != nil {
|
||||||
|
return n, err
|
||||||
|
}
|
||||||
|
|
||||||
|
n += len(todo)
|
||||||
|
data = data[len(todo):]
|
||||||
|
}
|
||||||
|
|
||||||
|
ch.writeMu.Lock()
|
||||||
|
ch.packetPool[extendedCode] = packet
|
||||||
|
ch.writeMu.Unlock()
|
||||||
|
|
||||||
|
return n, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) handleData(packet []byte) error {
|
||||||
|
headerLen := 9
|
||||||
|
isExtendedData := packet[0] == msgChannelExtendedData
|
||||||
|
if isExtendedData {
|
||||||
|
headerLen = 13
|
||||||
|
}
|
||||||
|
if len(packet) < headerLen {
|
||||||
|
// malformed data packet
|
||||||
|
return parseError(packet[0])
|
||||||
|
}
|
||||||
|
|
||||||
|
var extended uint32
|
||||||
|
if isExtendedData {
|
||||||
|
extended = binary.BigEndian.Uint32(packet[5:])
|
||||||
|
}
|
||||||
|
|
||||||
|
length := binary.BigEndian.Uint32(packet[headerLen-4 : headerLen])
|
||||||
|
if length == 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
if length > ch.maxIncomingPayload {
|
||||||
|
// TODO(hanwen): should send Disconnect?
|
||||||
|
return errors.New("ssh: incoming packet exceeds maximum payload size")
|
||||||
|
}
|
||||||
|
|
||||||
|
data := packet[headerLen:]
|
||||||
|
if length != uint32(len(data)) {
|
||||||
|
return errors.New("ssh: wrong packet length")
|
||||||
|
}
|
||||||
|
|
||||||
|
ch.windowMu.Lock()
|
||||||
|
if ch.myWindow < length {
|
||||||
|
ch.windowMu.Unlock()
|
||||||
|
// TODO(hanwen): should send Disconnect with reason?
|
||||||
|
return errors.New("ssh: remote side wrote too much")
|
||||||
|
}
|
||||||
|
ch.myWindow -= length
|
||||||
|
ch.windowMu.Unlock()
|
||||||
|
|
||||||
|
if extended == 1 {
|
||||||
|
ch.extPending.write(data)
|
||||||
|
} else if extended > 0 {
|
||||||
|
// discard other extended data.
|
||||||
|
} else {
|
||||||
|
ch.pending.write(data)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *channel) adjustWindow(n uint32) error {
|
||||||
|
c.windowMu.Lock()
|
||||||
|
// Since myWindow is managed on our side, and can never exceed
|
||||||
|
// the initial window setting, we don't worry about overflow.
|
||||||
|
c.myWindow += uint32(n)
|
||||||
|
c.windowMu.Unlock()
|
||||||
|
return c.sendMessage(windowAdjustMsg{
|
||||||
|
AdditionalBytes: uint32(n),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *channel) ReadExtended(data []byte, extended uint32) (n int, err error) {
|
||||||
|
switch extended {
|
||||||
|
case 1:
|
||||||
|
n, err = c.extPending.Read(data)
|
||||||
|
case 0:
|
||||||
|
n, err = c.pending.Read(data)
|
||||||
|
default:
|
||||||
|
return 0, fmt.Errorf("ssh: extended code %d unimplemented", extended)
|
||||||
|
}
|
||||||
|
|
||||||
|
if n > 0 {
|
||||||
|
err = c.adjustWindow(uint32(n))
|
||||||
|
// sendWindowAdjust can return io.EOF if the remote
|
||||||
|
// peer has closed the connection, however we want to
|
||||||
|
// defer forwarding io.EOF to the caller of Read until
|
||||||
|
// the buffer has been drained.
|
||||||
|
if n > 0 && err == io.EOF {
|
||||||
|
err = nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return n, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *channel) close() {
|
||||||
|
c.pending.eof()
|
||||||
|
c.extPending.eof()
|
||||||
|
close(c.msg)
|
||||||
|
close(c.incomingRequests)
|
||||||
|
c.writeMu.Lock()
|
||||||
|
// This is not necessary for a normal channel teardown, but if
|
||||||
|
// there was another error, it is.
|
||||||
|
c.sentClose = true
|
||||||
|
c.writeMu.Unlock()
|
||||||
|
// Unblock writers.
|
||||||
|
c.remoteWin.close()
|
||||||
|
}
|
||||||
|
|
||||||
|
// responseMessageReceived is called when a success or failure message is
|
||||||
|
// received on a channel to check that such a message is reasonable for the
|
||||||
|
// given channel.
|
||||||
|
func (ch *channel) responseMessageReceived() error {
|
||||||
|
if ch.direction == channelInbound {
|
||||||
|
return errors.New("ssh: channel response message received on inbound channel")
|
||||||
|
}
|
||||||
|
if ch.decided {
|
||||||
|
return errors.New("ssh: duplicate response received for channel")
|
||||||
|
}
|
||||||
|
ch.decided = true
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) handlePacket(packet []byte) error {
|
||||||
|
switch packet[0] {
|
||||||
|
case msgChannelData, msgChannelExtendedData:
|
||||||
|
return ch.handleData(packet)
|
||||||
|
case msgChannelClose:
|
||||||
|
ch.sendMessage(channelCloseMsg{PeersID: ch.remoteId})
|
||||||
|
ch.mux.chanList.remove(ch.localId)
|
||||||
|
ch.close()
|
||||||
|
return nil
|
||||||
|
case msgChannelEOF:
|
||||||
|
// RFC 4254 is mute on how EOF affects dataExt messages but
|
||||||
|
// it is logical to signal EOF at the same time.
|
||||||
|
ch.extPending.eof()
|
||||||
|
ch.pending.eof()
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
decoded, err := decode(packet)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
switch msg := decoded.(type) {
|
||||||
|
case *channelOpenFailureMsg:
|
||||||
|
if err := ch.responseMessageReceived(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
ch.mux.chanList.remove(msg.PeersID)
|
||||||
|
ch.msg <- msg
|
||||||
|
case *channelOpenConfirmMsg:
|
||||||
|
if err := ch.responseMessageReceived(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if msg.MaxPacketSize < minPacketLength || msg.MaxPacketSize > 1<<31 {
|
||||||
|
return fmt.Errorf("ssh: invalid MaxPacketSize %d from peer", msg.MaxPacketSize)
|
||||||
|
}
|
||||||
|
ch.remoteId = msg.MyID
|
||||||
|
ch.maxRemotePayload = msg.MaxPacketSize
|
||||||
|
ch.remoteWin.add(msg.MyWindow)
|
||||||
|
ch.msg <- msg
|
||||||
|
case *windowAdjustMsg:
|
||||||
|
if !ch.remoteWin.add(msg.AdditionalBytes) {
|
||||||
|
return fmt.Errorf("ssh: invalid window update for %d bytes", msg.AdditionalBytes)
|
||||||
|
}
|
||||||
|
case *channelRequestMsg:
|
||||||
|
req := Request{
|
||||||
|
Type: msg.Request,
|
||||||
|
WantReply: msg.WantReply,
|
||||||
|
Payload: msg.RequestSpecificData,
|
||||||
|
ch: ch,
|
||||||
|
}
|
||||||
|
|
||||||
|
ch.incomingRequests <- &req
|
||||||
|
default:
|
||||||
|
ch.msg <- msg
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *mux) newChannel(chanType string, direction channelDirection, extraData []byte) *channel {
|
||||||
|
ch := &channel{
|
||||||
|
remoteWin: window{Cond: newCond()},
|
||||||
|
myWindow: channelWindowSize,
|
||||||
|
pending: newBuffer(),
|
||||||
|
extPending: newBuffer(),
|
||||||
|
direction: direction,
|
||||||
|
incomingRequests: make(chan *Request, chanSize),
|
||||||
|
msg: make(chan interface{}, chanSize),
|
||||||
|
chanType: chanType,
|
||||||
|
extraData: extraData,
|
||||||
|
mux: m,
|
||||||
|
packetPool: make(map[uint32][]byte),
|
||||||
|
}
|
||||||
|
ch.localId = m.chanList.add(ch)
|
||||||
|
return ch
|
||||||
|
}
|
||||||
|
|
||||||
|
var errUndecided = errors.New("ssh: must Accept or Reject channel")
|
||||||
|
var errDecidedAlready = errors.New("ssh: can call Accept or Reject only once")
|
||||||
|
|
||||||
|
type extChannel struct {
|
||||||
|
code uint32
|
||||||
|
ch *channel
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *extChannel) Write(data []byte) (n int, err error) {
|
||||||
|
return e.ch.WriteExtended(data, e.code)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *extChannel) Read(data []byte) (n int, err error) {
|
||||||
|
return e.ch.ReadExtended(data, e.code)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) Accept() (Channel, <-chan *Request, error) {
|
||||||
|
if ch.decided {
|
||||||
|
return nil, nil, errDecidedAlready
|
||||||
|
}
|
||||||
|
ch.maxIncomingPayload = channelMaxPacket
|
||||||
|
confirm := channelOpenConfirmMsg{
|
||||||
|
PeersID: ch.remoteId,
|
||||||
|
MyID: ch.localId,
|
||||||
|
MyWindow: ch.myWindow,
|
||||||
|
MaxPacketSize: ch.maxIncomingPayload,
|
||||||
|
}
|
||||||
|
ch.decided = true
|
||||||
|
if err := ch.sendMessage(confirm); err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return ch, ch.incomingRequests, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) Reject(reason RejectionReason, message string) error {
|
||||||
|
if ch.decided {
|
||||||
|
return errDecidedAlready
|
||||||
|
}
|
||||||
|
reject := channelOpenFailureMsg{
|
||||||
|
PeersID: ch.remoteId,
|
||||||
|
Reason: reason,
|
||||||
|
Message: message,
|
||||||
|
Language: "en",
|
||||||
|
}
|
||||||
|
ch.decided = true
|
||||||
|
return ch.sendMessage(reject)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) Read(data []byte) (int, error) {
|
||||||
|
if !ch.decided {
|
||||||
|
return 0, errUndecided
|
||||||
|
}
|
||||||
|
return ch.ReadExtended(data, 0)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) Write(data []byte) (int, error) {
|
||||||
|
if !ch.decided {
|
||||||
|
return 0, errUndecided
|
||||||
|
}
|
||||||
|
return ch.WriteExtended(data, 0)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) CloseWrite() error {
|
||||||
|
if !ch.decided {
|
||||||
|
return errUndecided
|
||||||
|
}
|
||||||
|
ch.sentEOF = true
|
||||||
|
return ch.sendMessage(channelEOFMsg{
|
||||||
|
PeersID: ch.remoteId})
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) Close() error {
|
||||||
|
if !ch.decided {
|
||||||
|
return errUndecided
|
||||||
|
}
|
||||||
|
|
||||||
|
return ch.sendMessage(channelCloseMsg{
|
||||||
|
PeersID: ch.remoteId})
|
||||||
|
}
|
||||||
|
|
||||||
|
// Extended returns an io.ReadWriter that sends and receives data on the given,
|
||||||
|
// SSH extended stream. Such streams are used, for example, for stderr.
|
||||||
|
func (ch *channel) Extended(code uint32) io.ReadWriter {
|
||||||
|
if !ch.decided {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return &extChannel{code, ch}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) Stderr() io.ReadWriter {
|
||||||
|
return ch.Extended(1)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) SendRequest(name string, wantReply bool, payload []byte) (bool, error) {
|
||||||
|
if !ch.decided {
|
||||||
|
return false, errUndecided
|
||||||
|
}
|
||||||
|
|
||||||
|
if wantReply {
|
||||||
|
ch.sentRequestMu.Lock()
|
||||||
|
defer ch.sentRequestMu.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
msg := channelRequestMsg{
|
||||||
|
PeersID: ch.remoteId,
|
||||||
|
Request: name,
|
||||||
|
WantReply: wantReply,
|
||||||
|
RequestSpecificData: payload,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := ch.sendMessage(msg); err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if wantReply {
|
||||||
|
m, ok := (<-ch.msg)
|
||||||
|
if !ok {
|
||||||
|
return false, io.EOF
|
||||||
|
}
|
||||||
|
switch m.(type) {
|
||||||
|
case *channelRequestFailureMsg:
|
||||||
|
return false, nil
|
||||||
|
case *channelRequestSuccessMsg:
|
||||||
|
return true, nil
|
||||||
|
default:
|
||||||
|
return false, fmt.Errorf("ssh: unexpected response to channel request: %#v", m)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ackRequest either sends an ack or nack to the channel request.
|
||||||
|
func (ch *channel) ackRequest(ok bool) error {
|
||||||
|
if !ch.decided {
|
||||||
|
return errUndecided
|
||||||
|
}
|
||||||
|
|
||||||
|
var msg interface{}
|
||||||
|
if !ok {
|
||||||
|
msg = channelRequestFailureMsg{
|
||||||
|
PeersID: ch.remoteId,
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
msg = channelRequestSuccessMsg{
|
||||||
|
PeersID: ch.remoteId,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return ch.sendMessage(msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) ChannelType() string {
|
||||||
|
return ch.chanType
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ch *channel) ExtraData() []byte {
|
||||||
|
return ch.extraData
|
||||||
|
}
|
|
@ -0,0 +1,770 @@
|
||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/aes"
|
||||||
|
"crypto/cipher"
|
||||||
|
"crypto/des"
|
||||||
|
"crypto/rc4"
|
||||||
|
"crypto/subtle"
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
"math/bits"
|
||||||
|
|
||||||
|
"golang.org/x/crypto/internal/chacha20"
|
||||||
|
"golang.org/x/crypto/poly1305"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
packetSizeMultiple = 16 // TODO(huin) this should be determined by the cipher.
|
||||||
|
|
||||||
|
// RFC 4253 section 6.1 defines a minimum packet size of 32768 that implementations
|
||||||
|
// MUST be able to process (plus a few more kilobytes for padding and mac). The RFC
|
||||||
|
// indicates implementations SHOULD be able to handle larger packet sizes, but then
|
||||||
|
// waffles on about reasonable limits.
|
||||||
|
//
|
||||||
|
// OpenSSH caps their maxPacket at 256kB so we choose to do
|
||||||
|
// the same. maxPacket is also used to ensure that uint32
|
||||||
|
// length fields do not overflow, so it should remain well
|
||||||
|
// below 4G.
|
||||||
|
maxPacket = 256 * 1024
|
||||||
|
)
|
||||||
|
|
||||||
|
// noneCipher implements cipher.Stream and provides no encryption. It is used
|
||||||
|
// by the transport before the first key-exchange.
|
||||||
|
type noneCipher struct{}
|
||||||
|
|
||||||
|
func (c noneCipher) XORKeyStream(dst, src []byte) {
|
||||||
|
copy(dst, src)
|
||||||
|
}
|
||||||
|
|
||||||
|
func newAESCTR(key, iv []byte) (cipher.Stream, error) {
|
||||||
|
c, err := aes.NewCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return cipher.NewCTR(c, iv), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func newRC4(key, iv []byte) (cipher.Stream, error) {
|
||||||
|
return rc4.NewCipher(key)
|
||||||
|
}
|
||||||
|
|
||||||
|
type cipherMode struct {
|
||||||
|
keySize int
|
||||||
|
ivSize int
|
||||||
|
create func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream, error)) func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
|
||||||
|
return func(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
|
||||||
|
stream, err := createFunc(key, iv)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var streamDump []byte
|
||||||
|
if skip > 0 {
|
||||||
|
streamDump = make([]byte, 512)
|
||||||
|
}
|
||||||
|
|
||||||
|
for remainingToDump := skip; remainingToDump > 0; {
|
||||||
|
dumpThisTime := remainingToDump
|
||||||
|
if dumpThisTime > len(streamDump) {
|
||||||
|
dumpThisTime = len(streamDump)
|
||||||
|
}
|
||||||
|
stream.XORKeyStream(streamDump[:dumpThisTime], streamDump[:dumpThisTime])
|
||||||
|
remainingToDump -= dumpThisTime
|
||||||
|
}
|
||||||
|
|
||||||
|
mac := macModes[algs.MAC].new(macKey)
|
||||||
|
return &streamPacketCipher{
|
||||||
|
mac: mac,
|
||||||
|
etm: macModes[algs.MAC].etm,
|
||||||
|
macResult: make([]byte, mac.Size()),
|
||||||
|
cipher: stream,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// cipherModes documents properties of supported ciphers. Ciphers not included
|
||||||
|
// are not supported and will not be negotiated, even if explicitly requested in
|
||||||
|
// ClientConfig.Crypto.Ciphers.
|
||||||
|
var cipherModes = map[string]*cipherMode{
|
||||||
|
// Ciphers from RFC4344, which introduced many CTR-based ciphers. Algorithms
|
||||||
|
// are defined in the order specified in the RFC.
|
||||||
|
"aes128-ctr": {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
|
||||||
|
"aes192-ctr": {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
|
||||||
|
"aes256-ctr": {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
|
||||||
|
|
||||||
|
// Ciphers from RFC4345, which introduces security-improved arcfour ciphers.
|
||||||
|
// They are defined in the order specified in the RFC.
|
||||||
|
"arcfour128": {16, 0, streamCipherMode(1536, newRC4)},
|
||||||
|
"arcfour256": {32, 0, streamCipherMode(1536, newRC4)},
|
||||||
|
|
||||||
|
// Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
|
||||||
|
// Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
|
||||||
|
// RC4) has problems with weak keys, and should be used with caution."
|
||||||
|
// RFC4345 introduces improved versions of Arcfour.
|
||||||
|
"arcfour": {16, 0, streamCipherMode(0, newRC4)},
|
||||||
|
|
||||||
|
// AEAD ciphers
|
||||||
|
gcmCipherID: {16, 12, newGCMCipher},
|
||||||
|
chacha20Poly1305ID: {64, 0, newChaCha20Cipher},
|
||||||
|
|
||||||
|
// CBC mode is insecure and so is not included in the default config.
|
||||||
|
// (See http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf). If absolutely
|
||||||
|
// needed, it's possible to specify a custom Config to enable it.
|
||||||
|
// You should expect that an active attacker can recover plaintext if
|
||||||
|
// you do.
|
||||||
|
aes128cbcID: {16, aes.BlockSize, newAESCBCCipher},
|
||||||
|
|
||||||
|
// 3des-cbc is insecure and is not included in the default
|
||||||
|
// config.
|
||||||
|
tripledescbcID: {24, des.BlockSize, newTripleDESCBCCipher},
|
||||||
|
}
|
||||||
|
|
||||||
|
// prefixLen is the length of the packet prefix that contains the packet length
|
||||||
|
// and number of padding bytes.
|
||||||
|
const prefixLen = 5
|
||||||
|
|
||||||
|
// streamPacketCipher is a packetCipher using a stream cipher.
|
||||||
|
type streamPacketCipher struct {
|
||||||
|
mac hash.Hash
|
||||||
|
cipher cipher.Stream
|
||||||
|
etm bool
|
||||||
|
|
||||||
|
// The following members are to avoid per-packet allocations.
|
||||||
|
prefix [prefixLen]byte
|
||||||
|
seqNumBytes [4]byte
|
||||||
|
padding [2 * packetSizeMultiple]byte
|
||||||
|
packetData []byte
|
||||||
|
macResult []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// readCipherPacket reads and decrypt a single packet from the reader argument.
|
||||||
|
func (s *streamPacketCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error) {
|
||||||
|
if _, err := io.ReadFull(r, s.prefix[:]); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var encryptedPaddingLength [1]byte
|
||||||
|
if s.mac != nil && s.etm {
|
||||||
|
copy(encryptedPaddingLength[:], s.prefix[4:5])
|
||||||
|
s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
|
||||||
|
} else {
|
||||||
|
s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
|
||||||
|
}
|
||||||
|
|
||||||
|
length := binary.BigEndian.Uint32(s.prefix[0:4])
|
||||||
|
paddingLength := uint32(s.prefix[4])
|
||||||
|
|
||||||
|
var macSize uint32
|
||||||
|
if s.mac != nil {
|
||||||
|
s.mac.Reset()
|
||||||
|
binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
|
||||||
|
s.mac.Write(s.seqNumBytes[:])
|
||||||
|
if s.etm {
|
||||||
|
s.mac.Write(s.prefix[:4])
|
||||||
|
s.mac.Write(encryptedPaddingLength[:])
|
||||||
|
} else {
|
||||||
|
s.mac.Write(s.prefix[:])
|
||||||
|
}
|
||||||
|
macSize = uint32(s.mac.Size())
|
||||||
|
}
|
||||||
|
|
||||||
|
if length <= paddingLength+1 {
|
||||||
|
return nil, errors.New("ssh: invalid packet length, packet too small")
|
||||||
|
}
|
||||||
|
|
||||||
|
if length > maxPacket {
|
||||||
|
return nil, errors.New("ssh: invalid packet length, packet too large")
|
||||||
|
}
|
||||||
|
|
||||||
|
// the maxPacket check above ensures that length-1+macSize
|
||||||
|
// does not overflow.
|
||||||
|
if uint32(cap(s.packetData)) < length-1+macSize {
|
||||||
|
s.packetData = make([]byte, length-1+macSize)
|
||||||
|
} else {
|
||||||
|
s.packetData = s.packetData[:length-1+macSize]
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, err := io.ReadFull(r, s.packetData); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
mac := s.packetData[length-1:]
|
||||||
|
data := s.packetData[:length-1]
|
||||||
|
|
||||||
|
if s.mac != nil && s.etm {
|
||||||
|
s.mac.Write(data)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.cipher.XORKeyStream(data, data)
|
||||||
|
|
||||||
|
if s.mac != nil {
|
||||||
|
if !s.etm {
|
||||||
|
s.mac.Write(data)
|
||||||
|
}
|
||||||
|
s.macResult = s.mac.Sum(s.macResult[:0])
|
||||||
|
if subtle.ConstantTimeCompare(s.macResult, mac) != 1 {
|
||||||
|
return nil, errors.New("ssh: MAC failure")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return s.packetData[:length-paddingLength-1], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// writeCipherPacket encrypts and sends a packet of data to the writer argument
|
||||||
|
func (s *streamPacketCipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error {
|
||||||
|
if len(packet) > maxPacket {
|
||||||
|
return errors.New("ssh: packet too large")
|
||||||
|
}
|
||||||
|
|
||||||
|
aadlen := 0
|
||||||
|
if s.mac != nil && s.etm {
|
||||||
|
// packet length is not encrypted for EtM modes
|
||||||
|
aadlen = 4
|
||||||
|
}
|
||||||
|
|
||||||
|
paddingLength := packetSizeMultiple - (prefixLen+len(packet)-aadlen)%packetSizeMultiple
|
||||||
|
if paddingLength < 4 {
|
||||||
|
paddingLength += packetSizeMultiple
|
||||||
|
}
|
||||||
|
|
||||||
|
length := len(packet) + 1 + paddingLength
|
||||||
|
binary.BigEndian.PutUint32(s.prefix[:], uint32(length))
|
||||||
|
s.prefix[4] = byte(paddingLength)
|
||||||
|
padding := s.padding[:paddingLength]
|
||||||
|
if _, err := io.ReadFull(rand, padding); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if s.mac != nil {
|
||||||
|
s.mac.Reset()
|
||||||
|
binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
|
||||||
|
s.mac.Write(s.seqNumBytes[:])
|
||||||
|
|
||||||
|
if s.etm {
|
||||||
|
// For EtM algorithms, the packet length must stay unencrypted,
|
||||||
|
// but the following data (padding length) must be encrypted
|
||||||
|
s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
|
||||||
|
}
|
||||||
|
|
||||||
|
s.mac.Write(s.prefix[:])
|
||||||
|
|
||||||
|
if !s.etm {
|
||||||
|
// For non-EtM algorithms, the algorithm is applied on unencrypted data
|
||||||
|
s.mac.Write(packet)
|
||||||
|
s.mac.Write(padding)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !(s.mac != nil && s.etm) {
|
||||||
|
// For EtM algorithms, the padding length has already been encrypted
|
||||||
|
// and the packet length must remain unencrypted
|
||||||
|
s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
|
||||||
|
}
|
||||||
|
|
||||||
|
s.cipher.XORKeyStream(packet, packet)
|
||||||
|
s.cipher.XORKeyStream(padding, padding)
|
||||||
|
|
||||||
|
if s.mac != nil && s.etm {
|
||||||
|
// For EtM algorithms, packet and padding must be encrypted
|
||||||
|
s.mac.Write(packet)
|
||||||
|
s.mac.Write(padding)
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, err := w.Write(s.prefix[:]); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if _, err := w.Write(packet); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if _, err := w.Write(padding); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if s.mac != nil {
|
||||||
|
s.macResult = s.mac.Sum(s.macResult[:0])
|
||||||
|
if _, err := w.Write(s.macResult); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
type gcmCipher struct {
|
||||||
|
aead cipher.AEAD
|
||||||
|
prefix [4]byte
|
||||||
|
iv []byte
|
||||||
|
buf []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func newGCMCipher(key, iv, unusedMacKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) {
|
||||||
|
c, err := aes.NewCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
aead, err := cipher.NewGCM(c)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return &gcmCipher{
|
||||||
|
aead: aead,
|
||||||
|
iv: iv,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
const gcmTagSize = 16
|
||||||
|
|
||||||
|
func (c *gcmCipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error {
|
||||||
|
// Pad out to multiple of 16 bytes. This is different from the
|
||||||
|
// stream cipher because that encrypts the length too.
|
||||||
|
padding := byte(packetSizeMultiple - (1+len(packet))%packetSizeMultiple)
|
||||||
|
if padding < 4 {
|
||||||
|
padding += packetSizeMultiple
|
||||||
|
}
|
||||||
|
|
||||||
|
length := uint32(len(packet) + int(padding) + 1)
|
||||||
|
binary.BigEndian.PutUint32(c.prefix[:], length)
|
||||||
|
if _, err := w.Write(c.prefix[:]); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if cap(c.buf) < int(length) {
|
||||||
|
c.buf = make([]byte, length)
|
||||||
|
} else {
|
||||||
|
c.buf = c.buf[:length]
|
||||||
|
}
|
||||||
|
|
||||||
|
c.buf[0] = padding
|
||||||
|
copy(c.buf[1:], packet)
|
||||||
|
if _, err := io.ReadFull(rand, c.buf[1+len(packet):]); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
c.buf = c.aead.Seal(c.buf[:0], c.iv, c.buf, c.prefix[:])
|
||||||
|
if _, err := w.Write(c.buf); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
c.incIV()
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *gcmCipher) incIV() {
|
||||||
|
for i := 4 + 7; i >= 4; i-- {
|
||||||
|
c.iv[i]++
|
||||||
|
if c.iv[i] != 0 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *gcmCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error) {
|
||||||
|
if _, err := io.ReadFull(r, c.prefix[:]); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
length := binary.BigEndian.Uint32(c.prefix[:])
|
||||||
|
if length > maxPacket {
|
||||||
|
return nil, errors.New("ssh: max packet length exceeded")
|
||||||
|
}
|
||||||
|
|
||||||
|
if cap(c.buf) < int(length+gcmTagSize) {
|
||||||
|
c.buf = make([]byte, length+gcmTagSize)
|
||||||
|
} else {
|
||||||
|
c.buf = c.buf[:length+gcmTagSize]
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, err := io.ReadFull(r, c.buf); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
plain, err := c.aead.Open(c.buf[:0], c.iv, c.buf, c.prefix[:])
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
c.incIV()
|
||||||
|
|
||||||
|
padding := plain[0]
|
||||||
|
if padding < 4 {
|
||||||
|
// padding is a byte, so it automatically satisfies
|
||||||
|
// the maximum size, which is 255.
|
||||||
|
return nil, fmt.Errorf("ssh: illegal padding %d", padding)
|
||||||
|
}
|
||||||
|
|
||||||
|
if int(padding+1) >= len(plain) {
|
||||||
|
return nil, fmt.Errorf("ssh: padding %d too large", padding)
|
||||||
|
}
|
||||||
|
plain = plain[1 : length-uint32(padding)]
|
||||||
|
return plain, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// cbcCipher implements aes128-cbc cipher defined in RFC 4253 section 6.1
|
||||||
|
type cbcCipher struct {
|
||||||
|
mac hash.Hash
|
||||||
|
macSize uint32
|
||||||
|
decrypter cipher.BlockMode
|
||||||
|
encrypter cipher.BlockMode
|
||||||
|
|
||||||
|
// The following members are to avoid per-packet allocations.
|
||||||
|
seqNumBytes [4]byte
|
||||||
|
packetData []byte
|
||||||
|
macResult []byte
|
||||||
|
|
||||||
|
// Amount of data we should still read to hide which
|
||||||
|
// verification error triggered.
|
||||||
|
oracleCamouflage uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
func newCBCCipher(c cipher.Block, key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
|
||||||
|
cbc := &cbcCipher{
|
||||||
|
mac: macModes[algs.MAC].new(macKey),
|
||||||
|
decrypter: cipher.NewCBCDecrypter(c, iv),
|
||||||
|
encrypter: cipher.NewCBCEncrypter(c, iv),
|
||||||
|
packetData: make([]byte, 1024),
|
||||||
|
}
|
||||||
|
if cbc.mac != nil {
|
||||||
|
cbc.macSize = uint32(cbc.mac.Size())
|
||||||
|
}
|
||||||
|
|
||||||
|
return cbc, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func newAESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
|
||||||
|
c, err := aes.NewCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
cbc, err := newCBCCipher(c, key, iv, macKey, algs)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return cbc, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func newTripleDESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
|
||||||
|
c, err := des.NewTripleDESCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
cbc, err := newCBCCipher(c, key, iv, macKey, algs)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return cbc, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func maxUInt32(a, b int) uint32 {
|
||||||
|
if a > b {
|
||||||
|
return uint32(a)
|
||||||
|
}
|
||||||
|
return uint32(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
const (
|
||||||
|
cbcMinPacketSizeMultiple = 8
|
||||||
|
cbcMinPacketSize = 16
|
||||||
|
cbcMinPaddingSize = 4
|
||||||
|
)
|
||||||
|
|
||||||
|
// cbcError represents a verification error that may leak information.
|
||||||
|
type cbcError string
|
||||||
|
|
||||||
|
func (e cbcError) Error() string { return string(e) }
|
||||||
|
|
||||||
|
func (c *cbcCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error) {
|
||||||
|
p, err := c.readCipherPacketLeaky(seqNum, r)
|
||||||
|
if err != nil {
|
||||||
|
if _, ok := err.(cbcError); ok {
|
||||||
|
// Verification error: read a fixed amount of
|
||||||
|
// data, to make distinguishing between
|
||||||
|
// failing MAC and failing length check more
|
||||||
|
// difficult.
|
||||||
|
io.CopyN(ioutil.Discard, r, int64(c.oracleCamouflage))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return p, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *cbcCipher) readCipherPacketLeaky(seqNum uint32, r io.Reader) ([]byte, error) {
|
||||||
|
blockSize := c.decrypter.BlockSize()
|
||||||
|
|
||||||
|
// Read the header, which will include some of the subsequent data in the
|
||||||
|
// case of block ciphers - this is copied back to the payload later.
|
||||||
|
// How many bytes of payload/padding will be read with this first read.
|
||||||
|
firstBlockLength := uint32((prefixLen + blockSize - 1) / blockSize * blockSize)
|
||||||
|
firstBlock := c.packetData[:firstBlockLength]
|
||||||
|
if _, err := io.ReadFull(r, firstBlock); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
c.oracleCamouflage = maxPacket + 4 + c.macSize - firstBlockLength
|
||||||
|
|
||||||
|
c.decrypter.CryptBlocks(firstBlock, firstBlock)
|
||||||
|
length := binary.BigEndian.Uint32(firstBlock[:4])
|
||||||
|
if length > maxPacket {
|
||||||
|
return nil, cbcError("ssh: packet too large")
|
||||||
|
}
|
||||||
|
if length+4 < maxUInt32(cbcMinPacketSize, blockSize) {
|
||||||
|
// The minimum size of a packet is 16 (or the cipher block size, whichever
|
||||||
|
// is larger) bytes.
|
||||||
|
return nil, cbcError("ssh: packet too small")
|
||||||
|
}
|
||||||
|
// The length of the packet (including the length field but not the MAC) must
|
||||||
|
// be a multiple of the block size or 8, whichever is larger.
|
||||||
|
if (length+4)%maxUInt32(cbcMinPacketSizeMultiple, blockSize) != 0 {
|
||||||
|
return nil, cbcError("ssh: invalid packet length multiple")
|
||||||
|
}
|
||||||
|
|
||||||
|
paddingLength := uint32(firstBlock[4])
|
||||||
|
if paddingLength < cbcMinPaddingSize || length <= paddingLength+1 {
|
||||||
|
return nil, cbcError("ssh: invalid packet length")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Positions within the c.packetData buffer:
|
||||||
|
macStart := 4 + length
|
||||||
|
paddingStart := macStart - paddingLength
|
||||||
|
|
||||||
|
// Entire packet size, starting before length, ending at end of mac.
|
||||||
|
entirePacketSize := macStart + c.macSize
|
||||||
|
|
||||||
|
// Ensure c.packetData is large enough for the entire packet data.
|
||||||
|
if uint32(cap(c.packetData)) < entirePacketSize {
|
||||||
|
// Still need to upsize and copy, but this should be rare at runtime, only
|
||||||
|
// on upsizing the packetData buffer.
|
||||||
|
c.packetData = make([]byte, entirePacketSize)
|
||||||
|
copy(c.packetData, firstBlock)
|
||||||
|
} else {
|
||||||
|
c.packetData = c.packetData[:entirePacketSize]
|
||||||
|
}
|
||||||
|
|
||||||
|
n, err := io.ReadFull(r, c.packetData[firstBlockLength:])
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
c.oracleCamouflage -= uint32(n)
|
||||||
|
|
||||||
|
remainingCrypted := c.packetData[firstBlockLength:macStart]
|
||||||
|
c.decrypter.CryptBlocks(remainingCrypted, remainingCrypted)
|
||||||
|
|
||||||
|
mac := c.packetData[macStart:]
|
||||||
|
if c.mac != nil {
|
||||||
|
c.mac.Reset()
|
||||||
|
binary.BigEndian.PutUint32(c.seqNumBytes[:], seqNum)
|
||||||
|
c.mac.Write(c.seqNumBytes[:])
|
||||||
|
c.mac.Write(c.packetData[:macStart])
|
||||||
|
c.macResult = c.mac.Sum(c.macResult[:0])
|
||||||
|
if subtle.ConstantTimeCompare(c.macResult, mac) != 1 {
|
||||||
|
return nil, cbcError("ssh: MAC failure")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.packetData[prefixLen:paddingStart], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *cbcCipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error {
|
||||||
|
effectiveBlockSize := maxUInt32(cbcMinPacketSizeMultiple, c.encrypter.BlockSize())
|
||||||
|
|
||||||
|
// Length of encrypted portion of the packet (header, payload, padding).
|
||||||
|
// Enforce minimum padding and packet size.
|
||||||
|
encLength := maxUInt32(prefixLen+len(packet)+cbcMinPaddingSize, cbcMinPaddingSize)
|
||||||
|
// Enforce block size.
|
||||||
|
encLength = (encLength + effectiveBlockSize - 1) / effectiveBlockSize * effectiveBlockSize
|
||||||
|
|
||||||
|
length := encLength - 4
|
||||||
|
paddingLength := int(length) - (1 + len(packet))
|
||||||
|
|
||||||
|
// Overall buffer contains: header, payload, padding, mac.
|
||||||
|
// Space for the MAC is reserved in the capacity but not the slice length.
|
||||||
|
bufferSize := encLength + c.macSize
|
||||||
|
if uint32(cap(c.packetData)) < bufferSize {
|
||||||
|
c.packetData = make([]byte, encLength, bufferSize)
|
||||||
|
} else {
|
||||||
|
c.packetData = c.packetData[:encLength]
|
||||||
|
}
|
||||||
|
|
||||||
|
p := c.packetData
|
||||||
|
|
||||||
|
// Packet header.
|
||||||
|
binary.BigEndian.PutUint32(p, length)
|
||||||
|
p = p[4:]
|
||||||
|
p[0] = byte(paddingLength)
|
||||||
|
|
||||||
|
// Payload.
|
||||||
|
p = p[1:]
|
||||||
|
copy(p, packet)
|
||||||
|
|
||||||
|
// Padding.
|
||||||
|
p = p[len(packet):]
|
||||||
|
if _, err := io.ReadFull(rand, p); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if c.mac != nil {
|
||||||
|
c.mac.Reset()
|
||||||
|
binary.BigEndian.PutUint32(c.seqNumBytes[:], seqNum)
|
||||||
|
c.mac.Write(c.seqNumBytes[:])
|
||||||
|
c.mac.Write(c.packetData)
|
||||||
|
// The MAC is now appended into the capacity reserved for it earlier.
|
||||||
|
c.packetData = c.mac.Sum(c.packetData)
|
||||||
|
}
|
||||||
|
|
||||||
|
c.encrypter.CryptBlocks(c.packetData[:encLength], c.packetData[:encLength])
|
||||||
|
|
||||||
|
if _, err := w.Write(c.packetData); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
const chacha20Poly1305ID = "chacha20-poly1305@openssh.com"
|
||||||
|
|
||||||
|
// chacha20Poly1305Cipher implements the chacha20-poly1305@openssh.com
|
||||||
|
// AEAD, which is described here:
|
||||||
|
//
|
||||||
|
// https://tools.ietf.org/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00
|
||||||
|
//
|
||||||
|
// the methods here also implement padding, which RFC4253 Section 6
|
||||||
|
// also requires of stream ciphers.
|
||||||
|
type chacha20Poly1305Cipher struct {
|
||||||
|
lengthKey [8]uint32
|
||||||
|
contentKey [8]uint32
|
||||||
|
buf []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func newChaCha20Cipher(key, unusedIV, unusedMACKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) {
|
||||||
|
if len(key) != 64 {
|
||||||
|
panic(len(key))
|
||||||
|
}
|
||||||
|
|
||||||
|
c := &chacha20Poly1305Cipher{
|
||||||
|
buf: make([]byte, 256),
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := range c.contentKey {
|
||||||
|
c.contentKey[i] = binary.LittleEndian.Uint32(key[i*4 : (i+1)*4])
|
||||||
|
}
|
||||||
|
for i := range c.lengthKey {
|
||||||
|
c.lengthKey[i] = binary.LittleEndian.Uint32(key[(i+8)*4 : (i+9)*4])
|
||||||
|
}
|
||||||
|
return c, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *chacha20Poly1305Cipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error) {
|
||||||
|
nonce := [3]uint32{0, 0, bits.ReverseBytes32(seqNum)}
|
||||||
|
s := chacha20.New(c.contentKey, nonce)
|
||||||
|
var polyKey [32]byte
|
||||||
|
s.XORKeyStream(polyKey[:], polyKey[:])
|
||||||
|
s.Advance() // skip next 32 bytes
|
||||||
|
|
||||||
|
encryptedLength := c.buf[:4]
|
||||||
|
if _, err := io.ReadFull(r, encryptedLength); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var lenBytes [4]byte
|
||||||
|
chacha20.New(c.lengthKey, nonce).XORKeyStream(lenBytes[:], encryptedLength)
|
||||||
|
|
||||||
|
length := binary.BigEndian.Uint32(lenBytes[:])
|
||||||
|
if length > maxPacket {
|
||||||
|
return nil, errors.New("ssh: invalid packet length, packet too large")
|
||||||
|
}
|
||||||
|
|
||||||
|
contentEnd := 4 + length
|
||||||
|
packetEnd := contentEnd + poly1305.TagSize
|
||||||
|
if uint32(cap(c.buf)) < packetEnd {
|
||||||
|
c.buf = make([]byte, packetEnd)
|
||||||
|
copy(c.buf[:], encryptedLength)
|
||||||
|
} else {
|
||||||
|
c.buf = c.buf[:packetEnd]
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, err := io.ReadFull(r, c.buf[4:packetEnd]); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var mac [poly1305.TagSize]byte
|
||||||
|
copy(mac[:], c.buf[contentEnd:packetEnd])
|
||||||
|
if !poly1305.Verify(&mac, c.buf[:contentEnd], &polyKey) {
|
||||||
|
return nil, errors.New("ssh: MAC failure")
|
||||||
|
}
|
||||||
|
|
||||||
|
plain := c.buf[4:contentEnd]
|
||||||
|
s.XORKeyStream(plain, plain)
|
||||||
|
|
||||||
|
padding := plain[0]
|
||||||
|
if padding < 4 {
|
||||||
|
// padding is a byte, so it automatically satisfies
|
||||||
|
// the maximum size, which is 255.
|
||||||
|
return nil, fmt.Errorf("ssh: illegal padding %d", padding)
|
||||||
|
}
|
||||||
|
|
||||||
|
if int(padding)+1 >= len(plain) {
|
||||||
|
return nil, fmt.Errorf("ssh: padding %d too large", padding)
|
||||||
|
}
|
||||||
|
|
||||||
|
plain = plain[1 : len(plain)-int(padding)]
|
||||||
|
|
||||||
|
return plain, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *chacha20Poly1305Cipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader, payload []byte) error {
|
||||||
|
nonce := [3]uint32{0, 0, bits.ReverseBytes32(seqNum)}
|
||||||
|
s := chacha20.New(c.contentKey, nonce)
|
||||||
|
var polyKey [32]byte
|
||||||
|
s.XORKeyStream(polyKey[:], polyKey[:])
|
||||||
|
s.Advance() // skip next 32 bytes
|
||||||
|
|
||||||
|
// There is no blocksize, so fall back to multiple of 8 byte
|
||||||
|
// padding, as described in RFC 4253, Sec 6.
|
||||||
|
const packetSizeMultiple = 8
|
||||||
|
|
||||||
|
padding := packetSizeMultiple - (1+len(payload))%packetSizeMultiple
|
||||||
|
if padding < 4 {
|
||||||
|
padding += packetSizeMultiple
|
||||||
|
}
|
||||||
|
|
||||||
|
// size (4 bytes), padding (1), payload, padding, tag.
|
||||||
|
totalLength := 4 + 1 + len(payload) + padding + poly1305.TagSize
|
||||||
|
if cap(c.buf) < totalLength {
|
||||||
|
c.buf = make([]byte, totalLength)
|
||||||
|
} else {
|
||||||
|
c.buf = c.buf[:totalLength]
|
||||||
|
}
|
||||||
|
|
||||||
|
binary.BigEndian.PutUint32(c.buf, uint32(1+len(payload)+padding))
|
||||||
|
chacha20.New(c.lengthKey, nonce).XORKeyStream(c.buf, c.buf[:4])
|
||||||
|
c.buf[4] = byte(padding)
|
||||||
|
copy(c.buf[5:], payload)
|
||||||
|
packetEnd := 5 + len(payload) + padding
|
||||||
|
if _, err := io.ReadFull(rand, c.buf[5+len(payload):packetEnd]); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
s.XORKeyStream(c.buf[4:], c.buf[4:packetEnd])
|
||||||
|
|
||||||
|
var mac [poly1305.TagSize]byte
|
||||||
|
poly1305.Sum(&mac, c.buf[:packetEnd], &polyKey)
|
||||||
|
|
||||||
|
copy(c.buf[packetEnd:], mac[:])
|
||||||
|
|
||||||
|
if _, err := w.Write(c.buf); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
|
@ -0,0 +1,278 @@
|
||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"net"
|
||||||
|
"os"
|
||||||
|
"sync"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Client implements a traditional SSH client that supports shells,
|
||||||
|
// subprocesses, TCP port/streamlocal forwarding and tunneled dialing.
|
||||||
|
type Client struct {
|
||||||
|
Conn
|
||||||
|
|
||||||
|
handleForwardsOnce sync.Once // guards calling (*Client).handleForwards
|
||||||
|
|
||||||
|
forwards forwardList // forwarded tcpip connections from the remote side
|
||||||
|
mu sync.Mutex
|
||||||
|
channelHandlers map[string]chan NewChannel
|
||||||
|
}
|
||||||
|
|
||||||
|
// HandleChannelOpen returns a channel on which NewChannel requests
|
||||||
|
// for the given type are sent. If the type already is being handled,
|
||||||
|
// nil is returned. The channel is closed when the connection is closed.
|
||||||
|
func (c *Client) HandleChannelOpen(channelType string) <-chan NewChannel {
|
||||||
|
c.mu.Lock()
|
||||||
|
defer c.mu.Unlock()
|
||||||
|
if c.channelHandlers == nil {
|
||||||
|
// The SSH channel has been closed.
|
||||||
|
c := make(chan NewChannel)
|
||||||
|
close(c)
|
||||||
|
return c
|
||||||
|
}
|
||||||
|
|
||||||
|
ch := c.channelHandlers[channelType]
|
||||||
|
if ch != nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
ch = make(chan NewChannel, chanSize)
|
||||||
|
c.channelHandlers[channelType] = ch
|
||||||
|
return ch
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewClient creates a Client on top of the given connection.
|
||||||
|
func NewClient(c Conn, chans <-chan NewChannel, reqs <-chan *Request) *Client {
|
||||||
|
conn := &Client{
|
||||||
|
Conn: c,
|
||||||
|
channelHandlers: make(map[string]chan NewChannel, 1),
|
||||||
|
}
|
||||||
|
|
||||||
|
go conn.handleGlobalRequests(reqs)
|
||||||
|
go conn.handleChannelOpens(chans)
|
||||||
|
go func() {
|
||||||
|
conn.Wait()
|
||||||
|
conn.forwards.closeAll()
|
||||||
|
}()
|
||||||
|
return conn
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewClientConn establishes an authenticated SSH connection using c
|
||||||
|
// as the underlying transport. The Request and NewChannel channels
|
||||||
|
// must be serviced or the connection will hang.
|
||||||
|
func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan NewChannel, <-chan *Request, error) {
|
||||||
|
fullConf := *config
|
||||||
|
fullConf.SetDefaults()
|
||||||
|
if fullConf.HostKeyCallback == nil {
|
||||||
|
c.Close()
|
||||||
|
return nil, nil, nil, errors.New("ssh: must specify HostKeyCallback")
|
||||||
|
}
|
||||||
|
|
||||||
|
conn := &connection{
|
||||||
|
sshConn: sshConn{conn: c},
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := conn.clientHandshake(addr, &fullConf); err != nil {
|
||||||
|
c.Close()
|
||||||
|
return nil, nil, nil, fmt.Errorf("ssh: handshake failed: %v", err)
|
||||||
|
}
|
||||||
|
conn.mux = newMux(conn.transport)
|
||||||
|
return conn, conn.mux.incomingChannels, conn.mux.incomingRequests, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// clientHandshake performs the client side key exchange. See RFC 4253 Section
|
||||||
|
// 7.
|
||||||
|
func (c *connection) clientHandshake(dialAddress string, config *ClientConfig) error {
|
||||||
|
if config.ClientVersion != "" {
|
||||||
|
c.clientVersion = []byte(config.ClientVersion)
|
||||||
|
} else {
|
||||||
|
c.clientVersion = []byte(packageVersion)
|
||||||
|
}
|
||||||
|
var err error
|
||||||
|
c.serverVersion, err = exchangeVersions(c.sshConn.conn, c.clientVersion)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
c.transport = newClientTransport(
|
||||||
|
newTransport(c.sshConn.conn, config.Rand, true /* is client */),
|
||||||
|
c.clientVersion, c.serverVersion, config, dialAddress, c.sshConn.RemoteAddr())
|
||||||
|
if err := c.transport.waitSession(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
c.sessionID = c.transport.getSessionID()
|
||||||
|
return c.clientAuthenticate(config)
|
||||||
|
}
|
||||||
|
|
||||||
|
// verifyHostKeySignature verifies the host key obtained in the key
|
||||||
|
// exchange.
|
||||||
|
func verifyHostKeySignature(hostKey PublicKey, result *kexResult) error {
|
||||||
|
sig, rest, ok := parseSignatureBody(result.Signature)
|
||||||
|
if len(rest) > 0 || !ok {
|
||||||
|
return errors.New("ssh: signature parse error")
|
||||||
|
}
|
||||||
|
|
||||||
|
return hostKey.Verify(result.H, sig)
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewSession opens a new Session for this client. (A session is a remote
|
||||||
|
// execution of a program.)
|
||||||
|
func (c *Client) NewSession() (*Session, error) {
|
||||||
|
ch, in, err := c.OpenChannel("session", nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return newSession(ch, in)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Client) handleGlobalRequests(incoming <-chan *Request) {
|
||||||
|
for r := range incoming {
|
||||||
|
// This handles keepalive messages and matches
|
||||||
|
// the behaviour of OpenSSH.
|
||||||
|
r.Reply(false, nil)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// handleChannelOpens channel open messages from the remote side.
|
||||||
|
func (c *Client) handleChannelOpens(in <-chan NewChannel) {
|
||||||
|
for ch := range in {
|
||||||
|
c.mu.Lock()
|
||||||
|
handler := c.channelHandlers[ch.ChannelType()]
|
||||||
|
c.mu.Unlock()
|
||||||
|
|
||||||
|
if handler != nil {
|
||||||
|
handler <- ch
|
||||||
|
} else {
|
||||||
|
ch.Reject(UnknownChannelType, fmt.Sprintf("unknown channel type: %v", ch.ChannelType()))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
c.mu.Lock()
|
||||||
|
for _, ch := range c.channelHandlers {
|
||||||
|
close(ch)
|
||||||
|
}
|
||||||
|
c.channelHandlers = nil
|
||||||
|
c.mu.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Dial starts a client connection to the given SSH server. It is a
|
||||||
|
// convenience function that connects to the given network address,
|
||||||
|
// initiates the SSH handshake, and then sets up a Client. For access
|
||||||
|
// to incoming channels and requests, use net.Dial with NewClientConn
|
||||||
|
// instead.
|
||||||
|
func Dial(network, addr string, config *ClientConfig) (*Client, error) {
|
||||||
|
conn, err := net.DialTimeout(network, addr, config.Timeout)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
c, chans, reqs, err := NewClientConn(conn, addr, config)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return NewClient(c, chans, reqs), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// HostKeyCallback is the function type used for verifying server
|
||||||
|
// keys. A HostKeyCallback must return nil if the host key is OK, or
|
||||||
|
// an error to reject it. It receives the hostname as passed to Dial
|
||||||
|
// or NewClientConn. The remote address is the RemoteAddr of the
|
||||||
|
// net.Conn underlying the SSH connection.
|
||||||
|
type HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
|
||||||
|
|
||||||
|
// BannerCallback is the function type used for treat the banner sent by
|
||||||
|
// the server. A BannerCallback receives the message sent by the remote server.
|
||||||
|
type BannerCallback func(message string) error
|
||||||
|
|
||||||
|
// A ClientConfig structure is used to configure a Client. It must not be
|
||||||
|
// modified after having been passed to an SSH function.
|
||||||
|
type ClientConfig struct {
|
||||||
|
// Config contains configuration that is shared between clients and
|
||||||
|
// servers.
|
||||||
|
Config
|
||||||
|
|
||||||
|
// User contains the username to authenticate as.
|
||||||
|
User string
|
||||||
|
|
||||||
|
// Auth contains possible authentication methods to use with the
|
||||||
|
// server. Only the first instance of a particular RFC 4252 method will
|
||||||
|
// be used during authentication.
|
||||||
|
Auth []AuthMethod
|
||||||
|
|
||||||
|
// HostKeyCallback is called during the cryptographic
|
||||||
|
// handshake to validate the server's host key. The client
|
||||||
|
// configuration must supply this callback for the connection
|
||||||
|
// to succeed. The functions InsecureIgnoreHostKey or
|
||||||
|
// FixedHostKey can be used for simplistic host key checks.
|
||||||
|
HostKeyCallback HostKeyCallback
|
||||||
|
|
||||||
|
// BannerCallback is called during the SSH dance to display a custom
|
||||||
|
// server's message. The client configuration can supply this callback to
|
||||||
|
// handle it as wished. The function BannerDisplayStderr can be used for
|
||||||
|
// simplistic display on Stderr.
|
||||||
|
BannerCallback BannerCallback
|
||||||
|
|
||||||
|
// ClientVersion contains the version identification string that will
|
||||||
|
// be used for the connection. If empty, a reasonable default is used.
|
||||||
|
ClientVersion string
|
||||||
|
|
||||||
|
// HostKeyAlgorithms lists the key types that the client will
|
||||||
|
// accept from the server as host key, in order of
|
||||||
|
// preference. If empty, a reasonable default is used. Any
|
||||||
|
// string returned from PublicKey.Type method may be used, or
|
||||||
|
// any of the CertAlgoXxxx and KeyAlgoXxxx constants.
|
||||||
|
HostKeyAlgorithms []string
|
||||||
|
|
||||||
|
// Timeout is the maximum amount of time for the TCP connection to establish.
|
||||||
|
//
|
||||||
|
// A Timeout of zero means no timeout.
|
||||||
|
Timeout time.Duration
|
||||||
|
}
|
||||||
|
|
||||||
|
// InsecureIgnoreHostKey returns a function that can be used for
|
||||||
|
// ClientConfig.HostKeyCallback to accept any host key. It should
|
||||||
|
// not be used for production code.
|
||||||
|
func InsecureIgnoreHostKey() HostKeyCallback {
|
||||||
|
return func(hostname string, remote net.Addr, key PublicKey) error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
type fixedHostKey struct {
|
||||||
|
key PublicKey
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *fixedHostKey) check(hostname string, remote net.Addr, key PublicKey) error {
|
||||||
|
if f.key == nil {
|
||||||
|
return fmt.Errorf("ssh: required host key was nil")
|
||||||
|
}
|
||||||
|
if !bytes.Equal(key.Marshal(), f.key.Marshal()) {
|
||||||
|
return fmt.Errorf("ssh: host key mismatch")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// FixedHostKey returns a function for use in
|
||||||
|
// ClientConfig.HostKeyCallback to accept only a specific host key.
|
||||||
|
func FixedHostKey(key PublicKey) HostKeyCallback {
|
||||||
|
hk := &fixedHostKey{key}
|
||||||
|
return hk.check
|
||||||
|
}
|
||||||
|
|
||||||
|
// BannerDisplayStderr returns a function that can be used for
|
||||||
|
// ClientConfig.BannerCallback to display banners on os.Stderr.
|
||||||
|
func BannerDisplayStderr() BannerCallback {
|
||||||
|
return func(banner string) error {
|
||||||
|
_, err := os.Stderr.WriteString(banner)
|
||||||
|
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,525 @@
|
||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
)
|
||||||
|
|
||||||
|
type authResult int
|
||||||
|
|
||||||
|
const (
|
||||||
|
authFailure authResult = iota
|
||||||
|
authPartialSuccess
|
||||||
|
authSuccess
|
||||||
|
)
|
||||||
|
|
||||||
|
// clientAuthenticate authenticates with the remote server. See RFC 4252.
|
||||||
|
func (c *connection) clientAuthenticate(config *ClientConfig) error {
|
||||||
|
// initiate user auth session
|
||||||
|
if err := c.transport.writePacket(Marshal(&serviceRequestMsg{serviceUserAuth})); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
packet, err := c.transport.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
var serviceAccept serviceAcceptMsg
|
||||||
|
if err := Unmarshal(packet, &serviceAccept); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// during the authentication phase the client first attempts the "none" method
|
||||||
|
// then any untried methods suggested by the server.
|
||||||
|
tried := make(map[string]bool)
|
||||||
|
var lastMethods []string
|
||||||
|
|
||||||
|
sessionID := c.transport.getSessionID()
|
||||||
|
for auth := AuthMethod(new(noneAuth)); auth != nil; {
|
||||||
|
ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if ok == authSuccess {
|
||||||
|
// success
|
||||||
|
return nil
|
||||||
|
} else if ok == authFailure {
|
||||||
|
tried[auth.method()] = true
|
||||||
|
}
|
||||||
|
if methods == nil {
|
||||||
|
methods = lastMethods
|
||||||
|
}
|
||||||
|
lastMethods = methods
|
||||||
|
|
||||||
|
auth = nil
|
||||||
|
|
||||||
|
findNext:
|
||||||
|
for _, a := range config.Auth {
|
||||||
|
candidateMethod := a.method()
|
||||||
|
if tried[candidateMethod] {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
for _, meth := range methods {
|
||||||
|
if meth == candidateMethod {
|
||||||
|
auth = a
|
||||||
|
break findNext
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", keys(tried))
|
||||||
|
}
|
||||||
|
|
||||||
|
func keys(m map[string]bool) []string {
|
||||||
|
s := make([]string, 0, len(m))
|
||||||
|
|
||||||
|
for key := range m {
|
||||||
|
s = append(s, key)
|
||||||
|
}
|
||||||
|
return s
|
||||||
|
}
|
||||||
|
|
||||||
|
// An AuthMethod represents an instance of an RFC 4252 authentication method.
|
||||||
|
type AuthMethod interface {
|
||||||
|
// auth authenticates user over transport t.
|
||||||
|
// Returns true if authentication is successful.
|
||||||
|
// If authentication is not successful, a []string of alternative
|
||||||
|
// method names is returned. If the slice is nil, it will be ignored
|
||||||
|
// and the previous set of possible methods will be reused.
|
||||||
|
auth(session []byte, user string, p packetConn, rand io.Reader) (authResult, []string, error)
|
||||||
|
|
||||||
|
// method returns the RFC 4252 method name.
|
||||||
|
method() string
|
||||||
|
}
|
||||||
|
|
||||||
|
// "none" authentication, RFC 4252 section 5.2.
|
||||||
|
type noneAuth int
|
||||||
|
|
||||||
|
func (n *noneAuth) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
|
||||||
|
if err := c.writePacket(Marshal(&userAuthRequestMsg{
|
||||||
|
User: user,
|
||||||
|
Service: serviceSSH,
|
||||||
|
Method: "none",
|
||||||
|
})); err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return handleAuthResponse(c)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (n *noneAuth) method() string {
|
||||||
|
return "none"
|
||||||
|
}
|
||||||
|
|
||||||
|
// passwordCallback is an AuthMethod that fetches the password through
|
||||||
|
// a function call, e.g. by prompting the user.
|
||||||
|
type passwordCallback func() (password string, err error)
|
||||||
|
|
||||||
|
func (cb passwordCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
|
||||||
|
type passwordAuthMsg struct {
|
||||||
|
User string `sshtype:"50"`
|
||||||
|
Service string
|
||||||
|
Method string
|
||||||
|
Reply bool
|
||||||
|
Password string
|
||||||
|
}
|
||||||
|
|
||||||
|
pw, err := cb()
|
||||||
|
// REVIEW NOTE: is there a need to support skipping a password attempt?
|
||||||
|
// The program may only find out that the user doesn't have a password
|
||||||
|
// when prompting.
|
||||||
|
if err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := c.writePacket(Marshal(&passwordAuthMsg{
|
||||||
|
User: user,
|
||||||
|
Service: serviceSSH,
|
||||||
|
Method: cb.method(),
|
||||||
|
Reply: false,
|
||||||
|
Password: pw,
|
||||||
|
})); err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return handleAuthResponse(c)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cb passwordCallback) method() string {
|
||||||
|
return "password"
|
||||||
|
}
|
||||||
|
|
||||||
|
// Password returns an AuthMethod using the given password.
|
||||||
|
func Password(secret string) AuthMethod {
|
||||||
|
return passwordCallback(func() (string, error) { return secret, nil })
|
||||||
|
}
|
||||||
|
|
||||||
|
// PasswordCallback returns an AuthMethod that uses a callback for
|
||||||
|
// fetching a password.
|
||||||
|
func PasswordCallback(prompt func() (secret string, err error)) AuthMethod {
|
||||||
|
return passwordCallback(prompt)
|
||||||
|
}
|
||||||
|
|
||||||
|
type publickeyAuthMsg struct {
|
||||||
|
User string `sshtype:"50"`
|
||||||
|
Service string
|
||||||
|
Method string
|
||||||
|
// HasSig indicates to the receiver packet that the auth request is signed and
|
||||||
|
// should be used for authentication of the request.
|
||||||
|
HasSig bool
|
||||||
|
Algoname string
|
||||||
|
PubKey []byte
|
||||||
|
// Sig is tagged with "rest" so Marshal will exclude it during
|
||||||
|
// validateKey
|
||||||
|
Sig []byte `ssh:"rest"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// publicKeyCallback is an AuthMethod that uses a set of key
|
||||||
|
// pairs for authentication.
|
||||||
|
type publicKeyCallback func() ([]Signer, error)
|
||||||
|
|
||||||
|
func (cb publicKeyCallback) method() string {
|
||||||
|
return "publickey"
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
|
||||||
|
// Authentication is performed by sending an enquiry to test if a key is
|
||||||
|
// acceptable to the remote. If the key is acceptable, the client will
|
||||||
|
// attempt to authenticate with the valid key. If not the client will repeat
|
||||||
|
// the process with the remaining keys.
|
||||||
|
|
||||||
|
signers, err := cb()
|
||||||
|
if err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
var methods []string
|
||||||
|
for _, signer := range signers {
|
||||||
|
ok, err := validateKey(signer.PublicKey(), user, c)
|
||||||
|
if err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
if !ok {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
pub := signer.PublicKey()
|
||||||
|
pubKey := pub.Marshal()
|
||||||
|
sign, err := signer.Sign(rand, buildDataSignedForAuth(session, userAuthRequestMsg{
|
||||||
|
User: user,
|
||||||
|
Service: serviceSSH,
|
||||||
|
Method: cb.method(),
|
||||||
|
}, []byte(pub.Type()), pubKey))
|
||||||
|
if err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// manually wrap the serialized signature in a string
|
||||||
|
s := Marshal(sign)
|
||||||
|
sig := make([]byte, stringLength(len(s)))
|
||||||
|
marshalString(sig, s)
|
||||||
|
msg := publickeyAuthMsg{
|
||||||
|
User: user,
|
||||||
|
Service: serviceSSH,
|
||||||
|
Method: cb.method(),
|
||||||
|
HasSig: true,
|
||||||
|
Algoname: pub.Type(),
|
||||||
|
PubKey: pubKey,
|
||||||
|
Sig: sig,
|
||||||
|
}
|
||||||
|
p := Marshal(&msg)
|
||||||
|
if err := c.writePacket(p); err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
var success authResult
|
||||||
|
success, methods, err = handleAuthResponse(c)
|
||||||
|
if err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// If authentication succeeds or the list of available methods does not
|
||||||
|
// contain the "publickey" method, do not attempt to authenticate with any
|
||||||
|
// other keys. According to RFC 4252 Section 7, the latter can occur when
|
||||||
|
// additional authentication methods are required.
|
||||||
|
if success == authSuccess || !containsMethod(methods, cb.method()) {
|
||||||
|
return success, methods, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return authFailure, methods, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func containsMethod(methods []string, method string) bool {
|
||||||
|
for _, m := range methods {
|
||||||
|
if m == method {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// validateKey validates the key provided is acceptable to the server.
|
||||||
|
func validateKey(key PublicKey, user string, c packetConn) (bool, error) {
|
||||||
|
pubKey := key.Marshal()
|
||||||
|
msg := publickeyAuthMsg{
|
||||||
|
User: user,
|
||||||
|
Service: serviceSSH,
|
||||||
|
Method: "publickey",
|
||||||
|
HasSig: false,
|
||||||
|
Algoname: key.Type(),
|
||||||
|
PubKey: pubKey,
|
||||||
|
}
|
||||||
|
if err := c.writePacket(Marshal(&msg)); err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return confirmKeyAck(key, c)
|
||||||
|
}
|
||||||
|
|
||||||
|
func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
|
||||||
|
pubKey := key.Marshal()
|
||||||
|
algoname := key.Type()
|
||||||
|
|
||||||
|
for {
|
||||||
|
packet, err := c.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
switch packet[0] {
|
||||||
|
case msgUserAuthBanner:
|
||||||
|
if err := handleBannerResponse(c, packet); err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
case msgUserAuthPubKeyOk:
|
||||||
|
var msg userAuthPubKeyOkMsg
|
||||||
|
if err := Unmarshal(packet, &msg); err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
if msg.Algo != algoname || !bytes.Equal(msg.PubKey, pubKey) {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
return true, nil
|
||||||
|
case msgUserAuthFailure:
|
||||||
|
return false, nil
|
||||||
|
default:
|
||||||
|
return false, unexpectedMessageError(msgUserAuthSuccess, packet[0])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// PublicKeys returns an AuthMethod that uses the given key
|
||||||
|
// pairs.
|
||||||
|
func PublicKeys(signers ...Signer) AuthMethod {
|
||||||
|
return publicKeyCallback(func() ([]Signer, error) { return signers, nil })
|
||||||
|
}
|
||||||
|
|
||||||
|
// PublicKeysCallback returns an AuthMethod that runs the given
|
||||||
|
// function to obtain a list of key pairs.
|
||||||
|
func PublicKeysCallback(getSigners func() (signers []Signer, err error)) AuthMethod {
|
||||||
|
return publicKeyCallback(getSigners)
|
||||||
|
}
|
||||||
|
|
||||||
|
// handleAuthResponse returns whether the preceding authentication request succeeded
|
||||||
|
// along with a list of remaining authentication methods to try next and
|
||||||
|
// an error if an unexpected response was received.
|
||||||
|
func handleAuthResponse(c packetConn) (authResult, []string, error) {
|
||||||
|
for {
|
||||||
|
packet, err := c.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
switch packet[0] {
|
||||||
|
case msgUserAuthBanner:
|
||||||
|
if err := handleBannerResponse(c, packet); err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
case msgUserAuthFailure:
|
||||||
|
var msg userAuthFailureMsg
|
||||||
|
if err := Unmarshal(packet, &msg); err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
if msg.PartialSuccess {
|
||||||
|
return authPartialSuccess, msg.Methods, nil
|
||||||
|
}
|
||||||
|
return authFailure, msg.Methods, nil
|
||||||
|
case msgUserAuthSuccess:
|
||||||
|
return authSuccess, nil, nil
|
||||||
|
default:
|
||||||
|
return authFailure, nil, unexpectedMessageError(msgUserAuthSuccess, packet[0])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func handleBannerResponse(c packetConn, packet []byte) error {
|
||||||
|
var msg userAuthBannerMsg
|
||||||
|
if err := Unmarshal(packet, &msg); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
transport, ok := c.(*handshakeTransport)
|
||||||
|
if !ok {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if transport.bannerCallback != nil {
|
||||||
|
return transport.bannerCallback(msg.Message)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeyboardInteractiveChallenge should print questions, optionally
|
||||||
|
// disabling echoing (e.g. for passwords), and return all the answers.
|
||||||
|
// Challenge may be called multiple times in a single session. After
|
||||||
|
// successful authentication, the server may send a challenge with no
|
||||||
|
// questions, for which the user and instruction messages should be
|
||||||
|
// printed. RFC 4256 section 3.3 details how the UI should behave for
|
||||||
|
// both CLI and GUI environments.
|
||||||
|
type KeyboardInteractiveChallenge func(user, instruction string, questions []string, echos []bool) (answers []string, err error)
|
||||||
|
|
||||||
|
// KeyboardInteractive returns an AuthMethod using a prompt/response
|
||||||
|
// sequence controlled by the server.
|
||||||
|
func KeyboardInteractive(challenge KeyboardInteractiveChallenge) AuthMethod {
|
||||||
|
return challenge
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cb KeyboardInteractiveChallenge) method() string {
|
||||||
|
return "keyboard-interactive"
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
|
||||||
|
type initiateMsg struct {
|
||||||
|
User string `sshtype:"50"`
|
||||||
|
Service string
|
||||||
|
Method string
|
||||||
|
Language string
|
||||||
|
Submethods string
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := c.writePacket(Marshal(&initiateMsg{
|
||||||
|
User: user,
|
||||||
|
Service: serviceSSH,
|
||||||
|
Method: "keyboard-interactive",
|
||||||
|
})); err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
for {
|
||||||
|
packet, err := c.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// like handleAuthResponse, but with less options.
|
||||||
|
switch packet[0] {
|
||||||
|
case msgUserAuthBanner:
|
||||||
|
if err := handleBannerResponse(c, packet); err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
continue
|
||||||
|
case msgUserAuthInfoRequest:
|
||||||
|
// OK
|
||||||
|
case msgUserAuthFailure:
|
||||||
|
var msg userAuthFailureMsg
|
||||||
|
if err := Unmarshal(packet, &msg); err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
if msg.PartialSuccess {
|
||||||
|
return authPartialSuccess, msg.Methods, nil
|
||||||
|
}
|
||||||
|
return authFailure, msg.Methods, nil
|
||||||
|
case msgUserAuthSuccess:
|
||||||
|
return authSuccess, nil, nil
|
||||||
|
default:
|
||||||
|
return authFailure, nil, unexpectedMessageError(msgUserAuthInfoRequest, packet[0])
|
||||||
|
}
|
||||||
|
|
||||||
|
var msg userAuthInfoRequestMsg
|
||||||
|
if err := Unmarshal(packet, &msg); err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Manually unpack the prompt/echo pairs.
|
||||||
|
rest := msg.Prompts
|
||||||
|
var prompts []string
|
||||||
|
var echos []bool
|
||||||
|
for i := 0; i < int(msg.NumPrompts); i++ {
|
||||||
|
prompt, r, ok := parseString(rest)
|
||||||
|
if !ok || len(r) == 0 {
|
||||||
|
return authFailure, nil, errors.New("ssh: prompt format error")
|
||||||
|
}
|
||||||
|
prompts = append(prompts, string(prompt))
|
||||||
|
echos = append(echos, r[0] != 0)
|
||||||
|
rest = r[1:]
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(rest) != 0 {
|
||||||
|
return authFailure, nil, errors.New("ssh: extra data following keyboard-interactive pairs")
|
||||||
|
}
|
||||||
|
|
||||||
|
answers, err := cb(msg.User, msg.Instruction, prompts, echos)
|
||||||
|
if err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(answers) != len(prompts) {
|
||||||
|
return authFailure, nil, errors.New("ssh: not enough answers from keyboard-interactive callback")
|
||||||
|
}
|
||||||
|
responseLength := 1 + 4
|
||||||
|
for _, a := range answers {
|
||||||
|
responseLength += stringLength(len(a))
|
||||||
|
}
|
||||||
|
serialized := make([]byte, responseLength)
|
||||||
|
p := serialized
|
||||||
|
p[0] = msgUserAuthInfoResponse
|
||||||
|
p = p[1:]
|
||||||
|
p = marshalUint32(p, uint32(len(answers)))
|
||||||
|
for _, a := range answers {
|
||||||
|
p = marshalString(p, []byte(a))
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := c.writePacket(serialized); err != nil {
|
||||||
|
return authFailure, nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
type retryableAuthMethod struct {
|
||||||
|
authMethod AuthMethod
|
||||||
|
maxTries int
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *retryableAuthMethod) auth(session []byte, user string, c packetConn, rand io.Reader) (ok authResult, methods []string, err error) {
|
||||||
|
for i := 0; r.maxTries <= 0 || i < r.maxTries; i++ {
|
||||||
|
ok, methods, err = r.authMethod.auth(session, user, c, rand)
|
||||||
|
if ok != authFailure || err != nil { // either success, partial success or error terminate
|
||||||
|
return ok, methods, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return ok, methods, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *retryableAuthMethod) method() string {
|
||||||
|
return r.authMethod.method()
|
||||||
|
}
|
||||||
|
|
||||||
|
// RetryableAuthMethod is a decorator for other auth methods enabling them to
|
||||||
|
// be retried up to maxTries before considering that AuthMethod itself failed.
|
||||||
|
// If maxTries is <= 0, will retry indefinitely
|
||||||
|
//
|
||||||
|
// This is useful for interactive clients using challenge/response type
|
||||||
|
// authentication (e.g. Keyboard-Interactive, Password, etc) where the user
|
||||||
|
// could mistype their response resulting in the server issuing a
|
||||||
|
// SSH_MSG_USERAUTH_FAILURE (rfc4252 #8 [password] and rfc4256 #3.4
|
||||||
|
// [keyboard-interactive]); Without this decorator, the non-retryable
|
||||||
|
// AuthMethod would be removed from future consideration, and never tried again
|
||||||
|
// (and so the user would never be able to retry their entry).
|
||||||
|
func RetryableAuthMethod(auth AuthMethod, maxTries int) AuthMethod {
|
||||||
|
return &retryableAuthMethod{authMethod: auth, maxTries: maxTries}
|
||||||
|
}
|
|
@ -0,0 +1,383 @@
|
||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/rand"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"math"
|
||||||
|
"sync"
|
||||||
|
|
||||||
|
_ "crypto/sha1"
|
||||||
|
_ "crypto/sha256"
|
||||||
|
_ "crypto/sha512"
|
||||||
|
)
|
||||||
|
|
||||||
|
// These are string constants in the SSH protocol.
|
||||||
|
const (
|
||||||
|
compressionNone = "none"
|
||||||
|
serviceUserAuth = "ssh-userauth"
|
||||||
|
serviceSSH = "ssh-connection"
|
||||||
|
)
|
||||||
|
|
||||||
|
// supportedCiphers lists ciphers we support but might not recommend.
|
||||||
|
var supportedCiphers = []string{
|
||||||
|
"aes128-ctr", "aes192-ctr", "aes256-ctr",
|
||||||
|
"aes128-gcm@openssh.com",
|
||||||
|
chacha20Poly1305ID,
|
||||||
|
"arcfour256", "arcfour128", "arcfour",
|
||||||
|
aes128cbcID,
|
||||||
|
tripledescbcID,
|
||||||
|
}
|
||||||
|
|
||||||
|
// preferredCiphers specifies the default preference for ciphers.
|
||||||
|
var preferredCiphers = []string{
|
||||||
|
"aes128-gcm@openssh.com",
|
||||||
|
chacha20Poly1305ID,
|
||||||
|
"aes128-ctr", "aes192-ctr", "aes256-ctr",
|
||||||
|
}
|
||||||
|
|
||||||
|
// supportedKexAlgos specifies the supported key-exchange algorithms in
|
||||||
|
// preference order.
|
||||||
|
var supportedKexAlgos = []string{
|
||||||
|
kexAlgoCurve25519SHA256,
|
||||||
|
// P384 and P521 are not constant-time yet, but since we don't
|
||||||
|
// reuse ephemeral keys, using them for ECDH should be OK.
|
||||||
|
kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
|
||||||
|
kexAlgoDH14SHA1, kexAlgoDH1SHA1,
|
||||||
|
}
|
||||||
|
|
||||||
|
// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
|
||||||
|
// of authenticating servers) in preference order.
|
||||||
|
var supportedHostKeyAlgos = []string{
|
||||||
|
CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
|
||||||
|
CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
|
||||||
|
|
||||||
|
KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
|
||||||
|
KeyAlgoRSA, KeyAlgoDSA,
|
||||||
|
|
||||||
|
KeyAlgoED25519,
|
||||||
|
}
|
||||||
|
|
||||||
|
// supportedMACs specifies a default set of MAC algorithms in preference order.
|
||||||
|
// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
|
||||||
|
// because they have reached the end of their useful life.
|
||||||
|
var supportedMACs = []string{
|
||||||
|
"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
|
||||||
|
}
|
||||||
|
|
||||||
|
var supportedCompressions = []string{compressionNone}
|
||||||
|
|
||||||
|
// hashFuncs keeps the mapping of supported algorithms to their respective
|
||||||
|
// hashes needed for signature verification.
|
||||||
|
var hashFuncs = map[string]crypto.Hash{
|
||||||
|
KeyAlgoRSA: crypto.SHA1,
|
||||||
|
KeyAlgoDSA: crypto.SHA1,
|
||||||
|
KeyAlgoECDSA256: crypto.SHA256,
|
||||||
|
KeyAlgoECDSA384: crypto.SHA384,
|
||||||
|
KeyAlgoECDSA521: crypto.SHA512,
|
||||||
|
CertAlgoRSAv01: crypto.SHA1,
|
||||||
|
CertAlgoDSAv01: crypto.SHA1,
|
||||||
|
CertAlgoECDSA256v01: crypto.SHA256,
|
||||||
|
CertAlgoECDSA384v01: crypto.SHA384,
|
||||||
|
CertAlgoECDSA521v01: crypto.SHA512,
|
||||||
|
}
|
||||||
|
|
||||||
|
// unexpectedMessageError results when the SSH message that we received didn't
|
||||||
|
// match what we wanted.
|
||||||
|
func unexpectedMessageError(expected, got uint8) error {
|
||||||
|
return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected)
|
||||||
|
}
|
||||||
|
|
||||||
|
// parseError results from a malformed SSH message.
|
||||||
|
func parseError(tag uint8) error {
|
||||||
|
return fmt.Errorf("ssh: parse error in message type %d", tag)
|
||||||
|
}
|
||||||
|
|
||||||
|
func findCommon(what string, client []string, server []string) (common string, err error) {
|
||||||
|
for _, c := range client {
|
||||||
|
for _, s := range server {
|
||||||
|
if c == s {
|
||||||
|
return c, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
|
||||||
|
}
|
||||||
|
|
||||||
|
type directionAlgorithms struct {
|
||||||
|
Cipher string
|
||||||
|
MAC string
|
||||||
|
Compression string
|
||||||
|
}
|
||||||
|
|
||||||
|
// rekeyBytes returns a rekeying intervals in bytes.
|
||||||
|
func (a *directionAlgorithms) rekeyBytes() int64 {
|
||||||
|
// According to RFC4344 block ciphers should rekey after
|
||||||
|
// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
|
||||||
|
// 128.
|
||||||
|
switch a.Cipher {
|
||||||
|
case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
|
||||||
|
return 16 * (1 << 32)
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
|
||||||
|
return 1 << 30
|
||||||
|
}
|
||||||
|
|
||||||
|
type algorithms struct {
|
||||||
|
kex string
|
||||||
|
hostKey string
|
||||||
|
w directionAlgorithms
|
||||||
|
r directionAlgorithms
|
||||||
|
}
|
||||||
|
|
||||||
|
func findAgreedAlgorithms(clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) {
|
||||||
|
result := &algorithms{}
|
||||||
|
|
||||||
|
result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
result.w.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
result.r.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
result.w.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
result.r.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
result.w.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
result.r.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
return result, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// If rekeythreshold is too small, we can't make any progress sending
|
||||||
|
// stuff.
|
||||||
|
const minRekeyThreshold uint64 = 256
|
||||||
|
|
||||||
|
// Config contains configuration data common to both ServerConfig and
|
||||||
|
// ClientConfig.
|
||||||
|
type Config struct {
|
||||||
|
// Rand provides the source of entropy for cryptographic
|
||||||
|
// primitives. If Rand is nil, the cryptographic random reader
|
||||||
|
// in package crypto/rand will be used.
|
||||||
|
Rand io.Reader
|
||||||
|
|
||||||
|
// The maximum number of bytes sent or received after which a
|
||||||
|
// new key is negotiated. It must be at least 256. If
|
||||||
|
// unspecified, a size suitable for the chosen cipher is used.
|
||||||
|
RekeyThreshold uint64
|
||||||
|
|
||||||
|
// The allowed key exchanges algorithms. If unspecified then a
|
||||||
|
// default set of algorithms is used.
|
||||||
|
KeyExchanges []string
|
||||||
|
|
||||||
|
// The allowed cipher algorithms. If unspecified then a sensible
|
||||||
|
// default is used.
|
||||||
|
Ciphers []string
|
||||||
|
|
||||||
|
// The allowed MAC algorithms. If unspecified then a sensible default
|
||||||
|
// is used.
|
||||||
|
MACs []string
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetDefaults sets sensible values for unset fields in config. This is
|
||||||
|
// exported for testing: Configs passed to SSH functions are copied and have
|
||||||
|
// default values set automatically.
|
||||||
|
func (c *Config) SetDefaults() {
|
||||||
|
if c.Rand == nil {
|
||||||
|
c.Rand = rand.Reader
|
||||||
|
}
|
||||||
|
if c.Ciphers == nil {
|
||||||
|
c.Ciphers = preferredCiphers
|
||||||
|
}
|
||||||
|
var ciphers []string
|
||||||
|
for _, c := range c.Ciphers {
|
||||||
|
if cipherModes[c] != nil {
|
||||||
|
// reject the cipher if we have no cipherModes definition
|
||||||
|
ciphers = append(ciphers, c)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
c.Ciphers = ciphers
|
||||||
|
|
||||||
|
if c.KeyExchanges == nil {
|
||||||
|
c.KeyExchanges = supportedKexAlgos
|
||||||
|
}
|
||||||
|
|
||||||
|
if c.MACs == nil {
|
||||||
|
c.MACs = supportedMACs
|
||||||
|
}
|
||||||
|
|
||||||
|
if c.RekeyThreshold == 0 {
|
||||||
|
// cipher specific default
|
||||||
|
} else if c.RekeyThreshold < minRekeyThreshold {
|
||||||
|
c.RekeyThreshold = minRekeyThreshold
|
||||||
|
} else if c.RekeyThreshold >= math.MaxInt64 {
|
||||||
|
// Avoid weirdness if somebody uses -1 as a threshold.
|
||||||
|
c.RekeyThreshold = math.MaxInt64
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// buildDataSignedForAuth returns the data that is signed in order to prove
|
||||||
|
// possession of a private key. See RFC 4252, section 7.
|
||||||
|
func buildDataSignedForAuth(sessionID []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte {
|
||||||
|
data := struct {
|
||||||
|
Session []byte
|
||||||
|
Type byte
|
||||||
|
User string
|
||||||
|
Service string
|
||||||
|
Method string
|
||||||
|
Sign bool
|
||||||
|
Algo []byte
|
||||||
|
PubKey []byte
|
||||||
|
}{
|
||||||
|
sessionID,
|
||||||
|
msgUserAuthRequest,
|
||||||
|
req.User,
|
||||||
|
req.Service,
|
||||||
|
req.Method,
|
||||||
|
true,
|
||||||
|
algo,
|
||||||
|
pubKey,
|
||||||
|
}
|
||||||
|
return Marshal(data)
|
||||||
|
}
|
||||||
|
|
||||||
|
func appendU16(buf []byte, n uint16) []byte {
|
||||||
|
return append(buf, byte(n>>8), byte(n))
|
||||||
|
}
|
||||||
|
|
||||||
|
func appendU32(buf []byte, n uint32) []byte {
|
||||||
|
return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
|
||||||
|
}
|
||||||
|
|
||||||
|
func appendU64(buf []byte, n uint64) []byte {
|
||||||
|
return append(buf,
|
||||||
|
byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32),
|
||||||
|
byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
|
||||||
|
}
|
||||||
|
|
||||||
|
func appendInt(buf []byte, n int) []byte {
|
||||||
|
return appendU32(buf, uint32(n))
|
||||||
|
}
|
||||||
|
|
||||||
|
func appendString(buf []byte, s string) []byte {
|
||||||
|
buf = appendU32(buf, uint32(len(s)))
|
||||||
|
buf = append(buf, s...)
|
||||||
|
return buf
|
||||||
|
}
|
||||||
|
|
||||||
|
func appendBool(buf []byte, b bool) []byte {
|
||||||
|
if b {
|
||||||
|
return append(buf, 1)
|
||||||
|
}
|
||||||
|
return append(buf, 0)
|
||||||
|
}
|
||||||
|
|
||||||
|
// newCond is a helper to hide the fact that there is no usable zero
|
||||||
|
// value for sync.Cond.
|
||||||
|
func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) }
|
||||||
|
|
||||||
|
// window represents the buffer available to clients
|
||||||
|
// wishing to write to a channel.
|
||||||
|
type window struct {
|
||||||
|
*sync.Cond
|
||||||
|
win uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1
|
||||||
|
writeWaiters int
|
||||||
|
closed bool
|
||||||
|
}
|
||||||
|
|
||||||
|
// add adds win to the amount of window available
|
||||||
|
// for consumers.
|
||||||
|
func (w *window) add(win uint32) bool {
|
||||||
|
// a zero sized window adjust is a noop.
|
||||||
|
if win == 0 {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
w.L.Lock()
|
||||||
|
if w.win+win < win {
|
||||||
|
w.L.Unlock()
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
w.win += win
|
||||||
|
// It is unusual that multiple goroutines would be attempting to reserve
|
||||||
|
// window space, but not guaranteed. Use broadcast to notify all waiters
|
||||||
|
// that additional window is available.
|
||||||
|
w.Broadcast()
|
||||||
|
w.L.Unlock()
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
// close sets the window to closed, so all reservations fail
|
||||||
|
// immediately.
|
||||||
|
func (w *window) close() {
|
||||||
|
w.L.Lock()
|
||||||
|
w.closed = true
|
||||||
|
w.Broadcast()
|
||||||
|
w.L.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
// reserve reserves win from the available window capacity.
|
||||||
|
// If no capacity remains, reserve will block. reserve may
|
||||||
|
// return less than requested.
|
||||||
|
func (w *window) reserve(win uint32) (uint32, error) {
|
||||||
|
var err error
|
||||||
|
w.L.Lock()
|
||||||
|
w.writeWaiters++
|
||||||
|
w.Broadcast()
|
||||||
|
for w.win == 0 && !w.closed {
|
||||||
|
w.Wait()
|
||||||
|
}
|
||||||
|
w.writeWaiters--
|
||||||
|
if w.win < win {
|
||||||
|
win = w.win
|
||||||
|
}
|
||||||
|
w.win -= win
|
||||||
|
if w.closed {
|
||||||
|
err = io.EOF
|
||||||
|
}
|
||||||
|
w.L.Unlock()
|
||||||
|
return win, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// waitWriterBlocked waits until some goroutine is blocked for further
|
||||||
|
// writes. It is used in tests only.
|
||||||
|
func (w *window) waitWriterBlocked() {
|
||||||
|
w.Cond.L.Lock()
|
||||||
|
for w.writeWaiters == 0 {
|
||||||
|
w.Cond.Wait()
|
||||||
|
}
|
||||||
|
w.Cond.L.Unlock()
|
||||||
|
}
|
|
@ -0,0 +1,143 @@
|
||||||
|
// Copyright 2013 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net"
|
||||||
|
)
|
||||||
|
|
||||||
|
// OpenChannelError is returned if the other side rejects an
|
||||||
|
// OpenChannel request.
|
||||||
|
type OpenChannelError struct {
|
||||||
|
Reason RejectionReason
|
||||||
|
Message string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *OpenChannelError) Error() string {
|
||||||
|
return fmt.Sprintf("ssh: rejected: %s (%s)", e.Reason, e.Message)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ConnMetadata holds metadata for the connection.
|
||||||
|
type ConnMetadata interface {
|
||||||
|
// User returns the user ID for this connection.
|
||||||
|
User() string
|
||||||
|
|
||||||
|
// SessionID returns the session hash, also denoted by H.
|
||||||
|
SessionID() []byte
|
||||||
|
|
||||||
|
// ClientVersion returns the client's version string as hashed
|
||||||
|
// into the session ID.
|
||||||
|
ClientVersion() []byte
|
||||||
|
|
||||||
|
// ServerVersion returns the server's version string as hashed
|
||||||
|
// into the session ID.
|
||||||
|
ServerVersion() []byte
|
||||||
|
|
||||||
|
// RemoteAddr returns the remote address for this connection.
|
||||||
|
RemoteAddr() net.Addr
|
||||||
|
|
||||||
|
// LocalAddr returns the local address for this connection.
|
||||||
|
LocalAddr() net.Addr
|
||||||
|
}
|
||||||
|
|
||||||
|
// Conn represents an SSH connection for both server and client roles.
|
||||||
|
// Conn is the basis for implementing an application layer, such
|
||||||
|
// as ClientConn, which implements the traditional shell access for
|
||||||
|
// clients.
|
||||||
|
type Conn interface {
|
||||||
|
ConnMetadata
|
||||||
|
|
||||||
|
// SendRequest sends a global request, and returns the
|
||||||
|
// reply. If wantReply is true, it returns the response status
|
||||||
|
// and payload. See also RFC4254, section 4.
|
||||||
|
SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error)
|
||||||
|
|
||||||
|
// OpenChannel tries to open an channel. If the request is
|
||||||
|
// rejected, it returns *OpenChannelError. On success it returns
|
||||||
|
// the SSH Channel and a Go channel for incoming, out-of-band
|
||||||
|
// requests. The Go channel must be serviced, or the
|
||||||
|
// connection will hang.
|
||||||
|
OpenChannel(name string, data []byte) (Channel, <-chan *Request, error)
|
||||||
|
|
||||||
|
// Close closes the underlying network connection
|
||||||
|
Close() error
|
||||||
|
|
||||||
|
// Wait blocks until the connection has shut down, and returns the
|
||||||
|
// error causing the shutdown.
|
||||||
|
Wait() error
|
||||||
|
|
||||||
|
// TODO(hanwen): consider exposing:
|
||||||
|
// RequestKeyChange
|
||||||
|
// Disconnect
|
||||||
|
}
|
||||||
|
|
||||||
|
// DiscardRequests consumes and rejects all requests from the
|
||||||
|
// passed-in channel.
|
||||||
|
func DiscardRequests(in <-chan *Request) {
|
||||||
|
for req := range in {
|
||||||
|
if req.WantReply {
|
||||||
|
req.Reply(false, nil)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// A connection represents an incoming connection.
|
||||||
|
type connection struct {
|
||||||
|
transport *handshakeTransport
|
||||||
|
sshConn
|
||||||
|
|
||||||
|
// The connection protocol.
|
||||||
|
*mux
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *connection) Close() error {
|
||||||
|
return c.sshConn.conn.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
// sshconn provides net.Conn metadata, but disallows direct reads and
|
||||||
|
// writes.
|
||||||
|
type sshConn struct {
|
||||||
|
conn net.Conn
|
||||||
|
|
||||||
|
user string
|
||||||
|
sessionID []byte
|
||||||
|
clientVersion []byte
|
||||||
|
serverVersion []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func dup(src []byte) []byte {
|
||||||
|
dst := make([]byte, len(src))
|
||||||
|
copy(dst, src)
|
||||||
|
return dst
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *sshConn) User() string {
|
||||||
|
return c.user
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *sshConn) RemoteAddr() net.Addr {
|
||||||
|
return c.conn.RemoteAddr()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *sshConn) Close() error {
|
||||||
|
return c.conn.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *sshConn) LocalAddr() net.Addr {
|
||||||
|
return c.conn.LocalAddr()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *sshConn) SessionID() []byte {
|
||||||
|
return dup(c.sessionID)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *sshConn) ClientVersion() []byte {
|
||||||
|
return dup(c.clientVersion)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *sshConn) ServerVersion() []byte {
|
||||||
|
return dup(c.serverVersion)
|
||||||
|
}
|
|
@ -0,0 +1,21 @@
|
||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
/*
|
||||||
|
Package ssh implements an SSH client and server.
|
||||||
|
|
||||||
|
SSH is a transport security protocol, an authentication protocol and a
|
||||||
|
family of application protocols. The most typical application level
|
||||||
|
protocol is a remote shell and this is specifically implemented. However,
|
||||||
|
the multiplexed nature of SSH is exposed to users that wish to support
|
||||||
|
others.
|
||||||
|
|
||||||
|
References:
|
||||||
|
[PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
|
||||||
|
[SSH-PARAMETERS]: http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
|
||||||
|
|
||||||
|
This package does not fall under the stability promise of the Go language itself,
|
||||||
|
so its API may be changed when pressing needs arise.
|
||||||
|
*/
|
||||||
|
package ssh // import "golang.org/x/crypto/ssh"
|
|
@ -0,0 +1,646 @@
|
||||||
|
// Copyright 2013 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/rand"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"log"
|
||||||
|
"net"
|
||||||
|
"sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
// debugHandshake, if set, prints messages sent and received. Key
|
||||||
|
// exchange messages are printed as if DH were used, so the debug
|
||||||
|
// messages are wrong when using ECDH.
|
||||||
|
const debugHandshake = false
|
||||||
|
|
||||||
|
// chanSize sets the amount of buffering SSH connections. This is
|
||||||
|
// primarily for testing: setting chanSize=0 uncovers deadlocks more
|
||||||
|
// quickly.
|
||||||
|
const chanSize = 16
|
||||||
|
|
||||||
|
// keyingTransport is a packet based transport that supports key
|
||||||
|
// changes. It need not be thread-safe. It should pass through
|
||||||
|
// msgNewKeys in both directions.
|
||||||
|
type keyingTransport interface {
|
||||||
|
packetConn
|
||||||
|
|
||||||
|
// prepareKeyChange sets up a key change. The key change for a
|
||||||
|
// direction will be effected if a msgNewKeys message is sent
|
||||||
|
// or received.
|
||||||
|
prepareKeyChange(*algorithms, *kexResult) error
|
||||||
|
}
|
||||||
|
|
||||||
|
// handshakeTransport implements rekeying on top of a keyingTransport
|
||||||
|
// and offers a thread-safe writePacket() interface.
|
||||||
|
type handshakeTransport struct {
|
||||||
|
conn keyingTransport
|
||||||
|
config *Config
|
||||||
|
|
||||||
|
serverVersion []byte
|
||||||
|
clientVersion []byte
|
||||||
|
|
||||||
|
// hostKeys is non-empty if we are the server. In that case,
|
||||||
|
// it contains all host keys that can be used to sign the
|
||||||
|
// connection.
|
||||||
|
hostKeys []Signer
|
||||||
|
|
||||||
|
// hostKeyAlgorithms is non-empty if we are the client. In that case,
|
||||||
|
// we accept these key types from the server as host key.
|
||||||
|
hostKeyAlgorithms []string
|
||||||
|
|
||||||
|
// On read error, incoming is closed, and readError is set.
|
||||||
|
incoming chan []byte
|
||||||
|
readError error
|
||||||
|
|
||||||
|
mu sync.Mutex
|
||||||
|
writeError error
|
||||||
|
sentInitPacket []byte
|
||||||
|
sentInitMsg *kexInitMsg
|
||||||
|
pendingPackets [][]byte // Used when a key exchange is in progress.
|
||||||
|
|
||||||
|
// If the read loop wants to schedule a kex, it pings this
|
||||||
|
// channel, and the write loop will send out a kex
|
||||||
|
// message.
|
||||||
|
requestKex chan struct{}
|
||||||
|
|
||||||
|
// If the other side requests or confirms a kex, its kexInit
|
||||||
|
// packet is sent here for the write loop to find it.
|
||||||
|
startKex chan *pendingKex
|
||||||
|
|
||||||
|
// data for host key checking
|
||||||
|
hostKeyCallback HostKeyCallback
|
||||||
|
dialAddress string
|
||||||
|
remoteAddr net.Addr
|
||||||
|
|
||||||
|
// bannerCallback is non-empty if we are the client and it has been set in
|
||||||
|
// ClientConfig. In that case it is called during the user authentication
|
||||||
|
// dance to handle a custom server's message.
|
||||||
|
bannerCallback BannerCallback
|
||||||
|
|
||||||
|
// Algorithms agreed in the last key exchange.
|
||||||
|
algorithms *algorithms
|
||||||
|
|
||||||
|
readPacketsLeft uint32
|
||||||
|
readBytesLeft int64
|
||||||
|
|
||||||
|
writePacketsLeft uint32
|
||||||
|
writeBytesLeft int64
|
||||||
|
|
||||||
|
// The session ID or nil if first kex did not complete yet.
|
||||||
|
sessionID []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
type pendingKex struct {
|
||||||
|
otherInit []byte
|
||||||
|
done chan error
|
||||||
|
}
|
||||||
|
|
||||||
|
func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, serverVersion []byte) *handshakeTransport {
|
||||||
|
t := &handshakeTransport{
|
||||||
|
conn: conn,
|
||||||
|
serverVersion: serverVersion,
|
||||||
|
clientVersion: clientVersion,
|
||||||
|
incoming: make(chan []byte, chanSize),
|
||||||
|
requestKex: make(chan struct{}, 1),
|
||||||
|
startKex: make(chan *pendingKex, 1),
|
||||||
|
|
||||||
|
config: config,
|
||||||
|
}
|
||||||
|
t.resetReadThresholds()
|
||||||
|
t.resetWriteThresholds()
|
||||||
|
|
||||||
|
// We always start with a mandatory key exchange.
|
||||||
|
t.requestKex <- struct{}{}
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
func newClientTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ClientConfig, dialAddr string, addr net.Addr) *handshakeTransport {
|
||||||
|
t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
|
||||||
|
t.dialAddress = dialAddr
|
||||||
|
t.remoteAddr = addr
|
||||||
|
t.hostKeyCallback = config.HostKeyCallback
|
||||||
|
t.bannerCallback = config.BannerCallback
|
||||||
|
if config.HostKeyAlgorithms != nil {
|
||||||
|
t.hostKeyAlgorithms = config.HostKeyAlgorithms
|
||||||
|
} else {
|
||||||
|
t.hostKeyAlgorithms = supportedHostKeyAlgos
|
||||||
|
}
|
||||||
|
go t.readLoop()
|
||||||
|
go t.kexLoop()
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
func newServerTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ServerConfig) *handshakeTransport {
|
||||||
|
t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
|
||||||
|
t.hostKeys = config.hostKeys
|
||||||
|
go t.readLoop()
|
||||||
|
go t.kexLoop()
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) getSessionID() []byte {
|
||||||
|
return t.sessionID
|
||||||
|
}
|
||||||
|
|
||||||
|
// waitSession waits for the session to be established. This should be
|
||||||
|
// the first thing to call after instantiating handshakeTransport.
|
||||||
|
func (t *handshakeTransport) waitSession() error {
|
||||||
|
p, err := t.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if p[0] != msgNewKeys {
|
||||||
|
return fmt.Errorf("ssh: first packet should be msgNewKeys")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) id() string {
|
||||||
|
if len(t.hostKeys) > 0 {
|
||||||
|
return "server"
|
||||||
|
}
|
||||||
|
return "client"
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) printPacket(p []byte, write bool) {
|
||||||
|
action := "got"
|
||||||
|
if write {
|
||||||
|
action = "sent"
|
||||||
|
}
|
||||||
|
|
||||||
|
if p[0] == msgChannelData || p[0] == msgChannelExtendedData {
|
||||||
|
log.Printf("%s %s data (packet %d bytes)", t.id(), action, len(p))
|
||||||
|
} else {
|
||||||
|
msg, err := decode(p)
|
||||||
|
log.Printf("%s %s %T %v (%v)", t.id(), action, msg, msg, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) readPacket() ([]byte, error) {
|
||||||
|
p, ok := <-t.incoming
|
||||||
|
if !ok {
|
||||||
|
return nil, t.readError
|
||||||
|
}
|
||||||
|
return p, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) readLoop() {
|
||||||
|
first := true
|
||||||
|
for {
|
||||||
|
p, err := t.readOnePacket(first)
|
||||||
|
first = false
|
||||||
|
if err != nil {
|
||||||
|
t.readError = err
|
||||||
|
close(t.incoming)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if p[0] == msgIgnore || p[0] == msgDebug {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
t.incoming <- p
|
||||||
|
}
|
||||||
|
|
||||||
|
// Stop writers too.
|
||||||
|
t.recordWriteError(t.readError)
|
||||||
|
|
||||||
|
// Unblock the writer should it wait for this.
|
||||||
|
close(t.startKex)
|
||||||
|
|
||||||
|
// Don't close t.requestKex; it's also written to from writePacket.
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) pushPacket(p []byte) error {
|
||||||
|
if debugHandshake {
|
||||||
|
t.printPacket(p, true)
|
||||||
|
}
|
||||||
|
return t.conn.writePacket(p)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) getWriteError() error {
|
||||||
|
t.mu.Lock()
|
||||||
|
defer t.mu.Unlock()
|
||||||
|
return t.writeError
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) recordWriteError(err error) {
|
||||||
|
t.mu.Lock()
|
||||||
|
defer t.mu.Unlock()
|
||||||
|
if t.writeError == nil && err != nil {
|
||||||
|
t.writeError = err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) requestKeyExchange() {
|
||||||
|
select {
|
||||||
|
case t.requestKex <- struct{}{}:
|
||||||
|
default:
|
||||||
|
// something already requested a kex, so do nothing.
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) resetWriteThresholds() {
|
||||||
|
t.writePacketsLeft = packetRekeyThreshold
|
||||||
|
if t.config.RekeyThreshold > 0 {
|
||||||
|
t.writeBytesLeft = int64(t.config.RekeyThreshold)
|
||||||
|
} else if t.algorithms != nil {
|
||||||
|
t.writeBytesLeft = t.algorithms.w.rekeyBytes()
|
||||||
|
} else {
|
||||||
|
t.writeBytesLeft = 1 << 30
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) kexLoop() {
|
||||||
|
|
||||||
|
write:
|
||||||
|
for t.getWriteError() == nil {
|
||||||
|
var request *pendingKex
|
||||||
|
var sent bool
|
||||||
|
|
||||||
|
for request == nil || !sent {
|
||||||
|
var ok bool
|
||||||
|
select {
|
||||||
|
case request, ok = <-t.startKex:
|
||||||
|
if !ok {
|
||||||
|
break write
|
||||||
|
}
|
||||||
|
case <-t.requestKex:
|
||||||
|
break
|
||||||
|
}
|
||||||
|
|
||||||
|
if !sent {
|
||||||
|
if err := t.sendKexInit(); err != nil {
|
||||||
|
t.recordWriteError(err)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
sent = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := t.getWriteError(); err != nil {
|
||||||
|
if request != nil {
|
||||||
|
request.done <- err
|
||||||
|
}
|
||||||
|
break
|
||||||
|
}
|
||||||
|
|
||||||
|
// We're not servicing t.requestKex, but that is OK:
|
||||||
|
// we never block on sending to t.requestKex.
|
||||||
|
|
||||||
|
// We're not servicing t.startKex, but the remote end
|
||||||
|
// has just sent us a kexInitMsg, so it can't send
|
||||||
|
// another key change request, until we close the done
|
||||||
|
// channel on the pendingKex request.
|
||||||
|
|
||||||
|
err := t.enterKeyExchange(request.otherInit)
|
||||||
|
|
||||||
|
t.mu.Lock()
|
||||||
|
t.writeError = err
|
||||||
|
t.sentInitPacket = nil
|
||||||
|
t.sentInitMsg = nil
|
||||||
|
|
||||||
|
t.resetWriteThresholds()
|
||||||
|
|
||||||
|
// we have completed the key exchange. Since the
|
||||||
|
// reader is still blocked, it is safe to clear out
|
||||||
|
// the requestKex channel. This avoids the situation
|
||||||
|
// where: 1) we consumed our own request for the
|
||||||
|
// initial kex, and 2) the kex from the remote side
|
||||||
|
// caused another send on the requestKex channel,
|
||||||
|
clear:
|
||||||
|
for {
|
||||||
|
select {
|
||||||
|
case <-t.requestKex:
|
||||||
|
//
|
||||||
|
default:
|
||||||
|
break clear
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
request.done <- t.writeError
|
||||||
|
|
||||||
|
// kex finished. Push packets that we received while
|
||||||
|
// the kex was in progress. Don't look at t.startKex
|
||||||
|
// and don't increment writtenSinceKex: if we trigger
|
||||||
|
// another kex while we are still busy with the last
|
||||||
|
// one, things will become very confusing.
|
||||||
|
for _, p := range t.pendingPackets {
|
||||||
|
t.writeError = t.pushPacket(p)
|
||||||
|
if t.writeError != nil {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
t.pendingPackets = t.pendingPackets[:0]
|
||||||
|
t.mu.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
// drain startKex channel. We don't service t.requestKex
|
||||||
|
// because nobody does blocking sends there.
|
||||||
|
go func() {
|
||||||
|
for init := range t.startKex {
|
||||||
|
init.done <- t.writeError
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
|
||||||
|
// Unblock reader.
|
||||||
|
t.conn.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
// The protocol uses uint32 for packet counters, so we can't let them
|
||||||
|
// reach 1<<32. We will actually read and write more packets than
|
||||||
|
// this, though: the other side may send more packets, and after we
|
||||||
|
// hit this limit on writing we will send a few more packets for the
|
||||||
|
// key exchange itself.
|
||||||
|
const packetRekeyThreshold = (1 << 31)
|
||||||
|
|
||||||
|
func (t *handshakeTransport) resetReadThresholds() {
|
||||||
|
t.readPacketsLeft = packetRekeyThreshold
|
||||||
|
if t.config.RekeyThreshold > 0 {
|
||||||
|
t.readBytesLeft = int64(t.config.RekeyThreshold)
|
||||||
|
} else if t.algorithms != nil {
|
||||||
|
t.readBytesLeft = t.algorithms.r.rekeyBytes()
|
||||||
|
} else {
|
||||||
|
t.readBytesLeft = 1 << 30
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) {
|
||||||
|
p, err := t.conn.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if t.readPacketsLeft > 0 {
|
||||||
|
t.readPacketsLeft--
|
||||||
|
} else {
|
||||||
|
t.requestKeyExchange()
|
||||||
|
}
|
||||||
|
|
||||||
|
if t.readBytesLeft > 0 {
|
||||||
|
t.readBytesLeft -= int64(len(p))
|
||||||
|
} else {
|
||||||
|
t.requestKeyExchange()
|
||||||
|
}
|
||||||
|
|
||||||
|
if debugHandshake {
|
||||||
|
t.printPacket(p, false)
|
||||||
|
}
|
||||||
|
|
||||||
|
if first && p[0] != msgKexInit {
|
||||||
|
return nil, fmt.Errorf("ssh: first packet should be msgKexInit")
|
||||||
|
}
|
||||||
|
|
||||||
|
if p[0] != msgKexInit {
|
||||||
|
return p, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
firstKex := t.sessionID == nil
|
||||||
|
|
||||||
|
kex := pendingKex{
|
||||||
|
done: make(chan error, 1),
|
||||||
|
otherInit: p,
|
||||||
|
}
|
||||||
|
t.startKex <- &kex
|
||||||
|
err = <-kex.done
|
||||||
|
|
||||||
|
if debugHandshake {
|
||||||
|
log.Printf("%s exited key exchange (first %v), err %v", t.id(), firstKex, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
t.resetReadThresholds()
|
||||||
|
|
||||||
|
// By default, a key exchange is hidden from higher layers by
|
||||||
|
// translating it into msgIgnore.
|
||||||
|
successPacket := []byte{msgIgnore}
|
||||||
|
if firstKex {
|
||||||
|
// sendKexInit() for the first kex waits for
|
||||||
|
// msgNewKeys so the authentication process is
|
||||||
|
// guaranteed to happen over an encrypted transport.
|
||||||
|
successPacket = []byte{msgNewKeys}
|
||||||
|
}
|
||||||
|
|
||||||
|
return successPacket, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// sendKexInit sends a key change message.
|
||||||
|
func (t *handshakeTransport) sendKexInit() error {
|
||||||
|
t.mu.Lock()
|
||||||
|
defer t.mu.Unlock()
|
||||||
|
if t.sentInitMsg != nil {
|
||||||
|
// kexInits may be sent either in response to the other side,
|
||||||
|
// or because our side wants to initiate a key change, so we
|
||||||
|
// may have already sent a kexInit. In that case, don't send a
|
||||||
|
// second kexInit.
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
msg := &kexInitMsg{
|
||||||
|
KexAlgos: t.config.KeyExchanges,
|
||||||
|
CiphersClientServer: t.config.Ciphers,
|
||||||
|
CiphersServerClient: t.config.Ciphers,
|
||||||
|
MACsClientServer: t.config.MACs,
|
||||||
|
MACsServerClient: t.config.MACs,
|
||||||
|
CompressionClientServer: supportedCompressions,
|
||||||
|
CompressionServerClient: supportedCompressions,
|
||||||
|
}
|
||||||
|
io.ReadFull(rand.Reader, msg.Cookie[:])
|
||||||
|
|
||||||
|
if len(t.hostKeys) > 0 {
|
||||||
|
for _, k := range t.hostKeys {
|
||||||
|
msg.ServerHostKeyAlgos = append(
|
||||||
|
msg.ServerHostKeyAlgos, k.PublicKey().Type())
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
msg.ServerHostKeyAlgos = t.hostKeyAlgorithms
|
||||||
|
}
|
||||||
|
packet := Marshal(msg)
|
||||||
|
|
||||||
|
// writePacket destroys the contents, so save a copy.
|
||||||
|
packetCopy := make([]byte, len(packet))
|
||||||
|
copy(packetCopy, packet)
|
||||||
|
|
||||||
|
if err := t.pushPacket(packetCopy); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
t.sentInitMsg = msg
|
||||||
|
t.sentInitPacket = packet
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) writePacket(p []byte) error {
|
||||||
|
switch p[0] {
|
||||||
|
case msgKexInit:
|
||||||
|
return errors.New("ssh: only handshakeTransport can send kexInit")
|
||||||
|
case msgNewKeys:
|
||||||
|
return errors.New("ssh: only handshakeTransport can send newKeys")
|
||||||
|
}
|
||||||
|
|
||||||
|
t.mu.Lock()
|
||||||
|
defer t.mu.Unlock()
|
||||||
|
if t.writeError != nil {
|
||||||
|
return t.writeError
|
||||||
|
}
|
||||||
|
|
||||||
|
if t.sentInitMsg != nil {
|
||||||
|
// Copy the packet so the writer can reuse the buffer.
|
||||||
|
cp := make([]byte, len(p))
|
||||||
|
copy(cp, p)
|
||||||
|
t.pendingPackets = append(t.pendingPackets, cp)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if t.writeBytesLeft > 0 {
|
||||||
|
t.writeBytesLeft -= int64(len(p))
|
||||||
|
} else {
|
||||||
|
t.requestKeyExchange()
|
||||||
|
}
|
||||||
|
|
||||||
|
if t.writePacketsLeft > 0 {
|
||||||
|
t.writePacketsLeft--
|
||||||
|
} else {
|
||||||
|
t.requestKeyExchange()
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := t.pushPacket(p); err != nil {
|
||||||
|
t.writeError = err
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) Close() error {
|
||||||
|
return t.conn.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
|
||||||
|
if debugHandshake {
|
||||||
|
log.Printf("%s entered key exchange", t.id())
|
||||||
|
}
|
||||||
|
|
||||||
|
otherInit := &kexInitMsg{}
|
||||||
|
if err := Unmarshal(otherInitPacket, otherInit); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
magics := handshakeMagics{
|
||||||
|
clientVersion: t.clientVersion,
|
||||||
|
serverVersion: t.serverVersion,
|
||||||
|
clientKexInit: otherInitPacket,
|
||||||
|
serverKexInit: t.sentInitPacket,
|
||||||
|
}
|
||||||
|
|
||||||
|
clientInit := otherInit
|
||||||
|
serverInit := t.sentInitMsg
|
||||||
|
if len(t.hostKeys) == 0 {
|
||||||
|
clientInit, serverInit = serverInit, clientInit
|
||||||
|
|
||||||
|
magics.clientKexInit = t.sentInitPacket
|
||||||
|
magics.serverKexInit = otherInitPacket
|
||||||
|
}
|
||||||
|
|
||||||
|
var err error
|
||||||
|
t.algorithms, err = findAgreedAlgorithms(clientInit, serverInit)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// We don't send FirstKexFollows, but we handle receiving it.
|
||||||
|
//
|
||||||
|
// RFC 4253 section 7 defines the kex and the agreement method for
|
||||||
|
// first_kex_packet_follows. It states that the guessed packet
|
||||||
|
// should be ignored if the "kex algorithm and/or the host
|
||||||
|
// key algorithm is guessed wrong (server and client have
|
||||||
|
// different preferred algorithm), or if any of the other
|
||||||
|
// algorithms cannot be agreed upon". The other algorithms have
|
||||||
|
// already been checked above so the kex algorithm and host key
|
||||||
|
// algorithm are checked here.
|
||||||
|
if otherInit.FirstKexFollows && (clientInit.KexAlgos[0] != serverInit.KexAlgos[0] || clientInit.ServerHostKeyAlgos[0] != serverInit.ServerHostKeyAlgos[0]) {
|
||||||
|
// other side sent a kex message for the wrong algorithm,
|
||||||
|
// which we have to ignore.
|
||||||
|
if _, err := t.conn.readPacket(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
kex, ok := kexAlgoMap[t.algorithms.kex]
|
||||||
|
if !ok {
|
||||||
|
return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.kex)
|
||||||
|
}
|
||||||
|
|
||||||
|
var result *kexResult
|
||||||
|
if len(t.hostKeys) > 0 {
|
||||||
|
result, err = t.server(kex, t.algorithms, &magics)
|
||||||
|
} else {
|
||||||
|
result, err = t.client(kex, t.algorithms, &magics)
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if t.sessionID == nil {
|
||||||
|
t.sessionID = result.H
|
||||||
|
}
|
||||||
|
result.SessionID = t.sessionID
|
||||||
|
|
||||||
|
if err := t.conn.prepareKeyChange(t.algorithms, result); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if packet, err := t.conn.readPacket(); err != nil {
|
||||||
|
return err
|
||||||
|
} else if packet[0] != msgNewKeys {
|
||||||
|
return unexpectedMessageError(msgNewKeys, packet[0])
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) server(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
|
||||||
|
var hostKey Signer
|
||||||
|
for _, k := range t.hostKeys {
|
||||||
|
if algs.hostKey == k.PublicKey().Type() {
|
||||||
|
hostKey = k
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey)
|
||||||
|
return r, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *handshakeTransport) client(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
|
||||||
|
result, err := kex.Client(t.conn, t.config.Rand, magics)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
hostKey, err := ParsePublicKey(result.HostKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := verifyHostKeySignature(hostKey, result); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
err = t.hostKeyCallback(t.dialAddress, t.remoteAddr, hostKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return result, nil
|
||||||
|
}
|
|
@ -0,0 +1,540 @@
|
||||||
|
// Copyright 2013 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/elliptic"
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/subtle"
|
||||||
|
"errors"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
|
||||||
|
"golang.org/x/crypto/curve25519"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
kexAlgoDH1SHA1 = "diffie-hellman-group1-sha1"
|
||||||
|
kexAlgoDH14SHA1 = "diffie-hellman-group14-sha1"
|
||||||
|
kexAlgoECDH256 = "ecdh-sha2-nistp256"
|
||||||
|
kexAlgoECDH384 = "ecdh-sha2-nistp384"
|
||||||
|
kexAlgoECDH521 = "ecdh-sha2-nistp521"
|
||||||
|
kexAlgoCurve25519SHA256 = "curve25519-sha256@libssh.org"
|
||||||
|
)
|
||||||
|
|
||||||
|
// kexResult captures the outcome of a key exchange.
|
||||||
|
type kexResult struct {
|
||||||
|
// Session hash. See also RFC 4253, section 8.
|
||||||
|
H []byte
|
||||||
|
|
||||||
|
// Shared secret. See also RFC 4253, section 8.
|
||||||
|
K []byte
|
||||||
|
|
||||||
|
// Host key as hashed into H.
|
||||||
|
HostKey []byte
|
||||||
|
|
||||||
|
// Signature of H.
|
||||||
|
Signature []byte
|
||||||
|
|
||||||
|
// A cryptographic hash function that matches the security
|
||||||
|
// level of the key exchange algorithm. It is used for
|
||||||
|
// calculating H, and for deriving keys from H and K.
|
||||||
|
Hash crypto.Hash
|
||||||
|
|
||||||
|
// The session ID, which is the first H computed. This is used
|
||||||
|
// to derive key material inside the transport.
|
||||||
|
SessionID []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// handshakeMagics contains data that is always included in the
|
||||||
|
// session hash.
|
||||||
|
type handshakeMagics struct {
|
||||||
|
clientVersion, serverVersion []byte
|
||||||
|
clientKexInit, serverKexInit []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *handshakeMagics) write(w io.Writer) {
|
||||||
|
writeString(w, m.clientVersion)
|
||||||
|
writeString(w, m.serverVersion)
|
||||||
|
writeString(w, m.clientKexInit)
|
||||||
|
writeString(w, m.serverKexInit)
|
||||||
|
}
|
||||||
|
|
||||||
|
// kexAlgorithm abstracts different key exchange algorithms.
|
||||||
|
type kexAlgorithm interface {
|
||||||
|
// Server runs server-side key agreement, signing the result
|
||||||
|
// with a hostkey.
|
||||||
|
Server(p packetConn, rand io.Reader, magics *handshakeMagics, s Signer) (*kexResult, error)
|
||||||
|
|
||||||
|
// Client runs the client-side key agreement. Caller is
|
||||||
|
// responsible for verifying the host key signature.
|
||||||
|
Client(p packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
// dhGroup is a multiplicative group suitable for implementing Diffie-Hellman key agreement.
|
||||||
|
type dhGroup struct {
|
||||||
|
g, p, pMinus1 *big.Int
|
||||||
|
}
|
||||||
|
|
||||||
|
func (group *dhGroup) diffieHellman(theirPublic, myPrivate *big.Int) (*big.Int, error) {
|
||||||
|
if theirPublic.Cmp(bigOne) <= 0 || theirPublic.Cmp(group.pMinus1) >= 0 {
|
||||||
|
return nil, errors.New("ssh: DH parameter out of bounds")
|
||||||
|
}
|
||||||
|
return new(big.Int).Exp(theirPublic, myPrivate, group.p), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (group *dhGroup) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) {
|
||||||
|
hashFunc := crypto.SHA1
|
||||||
|
|
||||||
|
var x *big.Int
|
||||||
|
for {
|
||||||
|
var err error
|
||||||
|
if x, err = rand.Int(randSource, group.pMinus1); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if x.Sign() > 0 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
X := new(big.Int).Exp(group.g, x, group.p)
|
||||||
|
kexDHInit := kexDHInitMsg{
|
||||||
|
X: X,
|
||||||
|
}
|
||||||
|
if err := c.writePacket(Marshal(&kexDHInit)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
packet, err := c.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var kexDHReply kexDHReplyMsg
|
||||||
|
if err = Unmarshal(packet, &kexDHReply); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
ki, err := group.diffieHellman(kexDHReply.Y, x)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
h := hashFunc.New()
|
||||||
|
magics.write(h)
|
||||||
|
writeString(h, kexDHReply.HostKey)
|
||||||
|
writeInt(h, X)
|
||||||
|
writeInt(h, kexDHReply.Y)
|
||||||
|
K := make([]byte, intLength(ki))
|
||||||
|
marshalInt(K, ki)
|
||||||
|
h.Write(K)
|
||||||
|
|
||||||
|
return &kexResult{
|
||||||
|
H: h.Sum(nil),
|
||||||
|
K: K,
|
||||||
|
HostKey: kexDHReply.HostKey,
|
||||||
|
Signature: kexDHReply.Signature,
|
||||||
|
Hash: crypto.SHA1,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
|
||||||
|
hashFunc := crypto.SHA1
|
||||||
|
packet, err := c.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
var kexDHInit kexDHInitMsg
|
||||||
|
if err = Unmarshal(packet, &kexDHInit); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var y *big.Int
|
||||||
|
for {
|
||||||
|
if y, err = rand.Int(randSource, group.pMinus1); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if y.Sign() > 0 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Y := new(big.Int).Exp(group.g, y, group.p)
|
||||||
|
ki, err := group.diffieHellman(kexDHInit.X, y)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
hostKeyBytes := priv.PublicKey().Marshal()
|
||||||
|
|
||||||
|
h := hashFunc.New()
|
||||||
|
magics.write(h)
|
||||||
|
writeString(h, hostKeyBytes)
|
||||||
|
writeInt(h, kexDHInit.X)
|
||||||
|
writeInt(h, Y)
|
||||||
|
|
||||||
|
K := make([]byte, intLength(ki))
|
||||||
|
marshalInt(K, ki)
|
||||||
|
h.Write(K)
|
||||||
|
|
||||||
|
H := h.Sum(nil)
|
||||||
|
|
||||||
|
// H is already a hash, but the hostkey signing will apply its
|
||||||
|
// own key-specific hash algorithm.
|
||||||
|
sig, err := signAndMarshal(priv, randSource, H)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
kexDHReply := kexDHReplyMsg{
|
||||||
|
HostKey: hostKeyBytes,
|
||||||
|
Y: Y,
|
||||||
|
Signature: sig,
|
||||||
|
}
|
||||||
|
packet = Marshal(&kexDHReply)
|
||||||
|
|
||||||
|
err = c.writePacket(packet)
|
||||||
|
return &kexResult{
|
||||||
|
H: H,
|
||||||
|
K: K,
|
||||||
|
HostKey: hostKeyBytes,
|
||||||
|
Signature: sig,
|
||||||
|
Hash: crypto.SHA1,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ecdh performs Elliptic Curve Diffie-Hellman key exchange as
|
||||||
|
// described in RFC 5656, section 4.
|
||||||
|
type ecdh struct {
|
||||||
|
curve elliptic.Curve
|
||||||
|
}
|
||||||
|
|
||||||
|
func (kex *ecdh) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) {
|
||||||
|
ephKey, err := ecdsa.GenerateKey(kex.curve, rand)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
kexInit := kexECDHInitMsg{
|
||||||
|
ClientPubKey: elliptic.Marshal(kex.curve, ephKey.PublicKey.X, ephKey.PublicKey.Y),
|
||||||
|
}
|
||||||
|
|
||||||
|
serialized := Marshal(&kexInit)
|
||||||
|
if err := c.writePacket(serialized); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
packet, err := c.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var reply kexECDHReplyMsg
|
||||||
|
if err = Unmarshal(packet, &reply); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
x, y, err := unmarshalECKey(kex.curve, reply.EphemeralPubKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// generate shared secret
|
||||||
|
secret, _ := kex.curve.ScalarMult(x, y, ephKey.D.Bytes())
|
||||||
|
|
||||||
|
h := ecHash(kex.curve).New()
|
||||||
|
magics.write(h)
|
||||||
|
writeString(h, reply.HostKey)
|
||||||
|
writeString(h, kexInit.ClientPubKey)
|
||||||
|
writeString(h, reply.EphemeralPubKey)
|
||||||
|
K := make([]byte, intLength(secret))
|
||||||
|
marshalInt(K, secret)
|
||||||
|
h.Write(K)
|
||||||
|
|
||||||
|
return &kexResult{
|
||||||
|
H: h.Sum(nil),
|
||||||
|
K: K,
|
||||||
|
HostKey: reply.HostKey,
|
||||||
|
Signature: reply.Signature,
|
||||||
|
Hash: ecHash(kex.curve),
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// unmarshalECKey parses and checks an EC key.
|
||||||
|
func unmarshalECKey(curve elliptic.Curve, pubkey []byte) (x, y *big.Int, err error) {
|
||||||
|
x, y = elliptic.Unmarshal(curve, pubkey)
|
||||||
|
if x == nil {
|
||||||
|
return nil, nil, errors.New("ssh: elliptic.Unmarshal failure")
|
||||||
|
}
|
||||||
|
if !validateECPublicKey(curve, x, y) {
|
||||||
|
return nil, nil, errors.New("ssh: public key not on curve")
|
||||||
|
}
|
||||||
|
return x, y, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// validateECPublicKey checks that the point is a valid public key for
|
||||||
|
// the given curve. See [SEC1], 3.2.2
|
||||||
|
func validateECPublicKey(curve elliptic.Curve, x, y *big.Int) bool {
|
||||||
|
if x.Sign() == 0 && y.Sign() == 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
if x.Cmp(curve.Params().P) >= 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
if y.Cmp(curve.Params().P) >= 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
if !curve.IsOnCurve(x, y) {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// We don't check if N * PubKey == 0, since
|
||||||
|
//
|
||||||
|
// - the NIST curves have cofactor = 1, so this is implicit.
|
||||||
|
// (We don't foresee an implementation that supports non NIST
|
||||||
|
// curves)
|
||||||
|
//
|
||||||
|
// - for ephemeral keys, we don't need to worry about small
|
||||||
|
// subgroup attacks.
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
func (kex *ecdh) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
|
||||||
|
packet, err := c.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var kexECDHInit kexECDHInitMsg
|
||||||
|
if err = Unmarshal(packet, &kexECDHInit); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
clientX, clientY, err := unmarshalECKey(kex.curve, kexECDHInit.ClientPubKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// We could cache this key across multiple users/multiple
|
||||||
|
// connection attempts, but the benefit is small. OpenSSH
|
||||||
|
// generates a new key for each incoming connection.
|
||||||
|
ephKey, err := ecdsa.GenerateKey(kex.curve, rand)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
hostKeyBytes := priv.PublicKey().Marshal()
|
||||||
|
|
||||||
|
serializedEphKey := elliptic.Marshal(kex.curve, ephKey.PublicKey.X, ephKey.PublicKey.Y)
|
||||||
|
|
||||||
|
// generate shared secret
|
||||||
|
secret, _ := kex.curve.ScalarMult(clientX, clientY, ephKey.D.Bytes())
|
||||||
|
|
||||||
|
h := ecHash(kex.curve).New()
|
||||||
|
magics.write(h)
|
||||||
|
writeString(h, hostKeyBytes)
|
||||||
|
writeString(h, kexECDHInit.ClientPubKey)
|
||||||
|
writeString(h, serializedEphKey)
|
||||||
|
|
||||||
|
K := make([]byte, intLength(secret))
|
||||||
|
marshalInt(K, secret)
|
||||||
|
h.Write(K)
|
||||||
|
|
||||||
|
H := h.Sum(nil)
|
||||||
|
|
||||||
|
// H is already a hash, but the hostkey signing will apply its
|
||||||
|
// own key-specific hash algorithm.
|
||||||
|
sig, err := signAndMarshal(priv, rand, H)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
reply := kexECDHReplyMsg{
|
||||||
|
EphemeralPubKey: serializedEphKey,
|
||||||
|
HostKey: hostKeyBytes,
|
||||||
|
Signature: sig,
|
||||||
|
}
|
||||||
|
|
||||||
|
serialized := Marshal(&reply)
|
||||||
|
if err := c.writePacket(serialized); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return &kexResult{
|
||||||
|
H: H,
|
||||||
|
K: K,
|
||||||
|
HostKey: reply.HostKey,
|
||||||
|
Signature: sig,
|
||||||
|
Hash: ecHash(kex.curve),
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
var kexAlgoMap = map[string]kexAlgorithm{}
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
// This is the group called diffie-hellman-group1-sha1 in RFC
|
||||||
|
// 4253 and Oakley Group 2 in RFC 2409.
|
||||||
|
p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
|
||||||
|
kexAlgoMap[kexAlgoDH1SHA1] = &dhGroup{
|
||||||
|
g: new(big.Int).SetInt64(2),
|
||||||
|
p: p,
|
||||||
|
pMinus1: new(big.Int).Sub(p, bigOne),
|
||||||
|
}
|
||||||
|
|
||||||
|
// This is the group called diffie-hellman-group14-sha1 in RFC
|
||||||
|
// 4253 and Oakley Group 14 in RFC 3526.
|
||||||
|
p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
|
||||||
|
|
||||||
|
kexAlgoMap[kexAlgoDH14SHA1] = &dhGroup{
|
||||||
|
g: new(big.Int).SetInt64(2),
|
||||||
|
p: p,
|
||||||
|
pMinus1: new(big.Int).Sub(p, bigOne),
|
||||||
|
}
|
||||||
|
|
||||||
|
kexAlgoMap[kexAlgoECDH521] = &ecdh{elliptic.P521()}
|
||||||
|
kexAlgoMap[kexAlgoECDH384] = &ecdh{elliptic.P384()}
|
||||||
|
kexAlgoMap[kexAlgoECDH256] = &ecdh{elliptic.P256()}
|
||||||
|
kexAlgoMap[kexAlgoCurve25519SHA256] = &curve25519sha256{}
|
||||||
|
}
|
||||||
|
|
||||||
|
// curve25519sha256 implements the curve25519-sha256@libssh.org key
|
||||||
|
// agreement protocol, as described in
|
||||||
|
// https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt
|
||||||
|
type curve25519sha256 struct{}
|
||||||
|
|
||||||
|
type curve25519KeyPair struct {
|
||||||
|
priv [32]byte
|
||||||
|
pub [32]byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func (kp *curve25519KeyPair) generate(rand io.Reader) error {
|
||||||
|
if _, err := io.ReadFull(rand, kp.priv[:]); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
curve25519.ScalarBaseMult(&kp.pub, &kp.priv)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// curve25519Zeros is just an array of 32 zero bytes so that we have something
|
||||||
|
// convenient to compare against in order to reject curve25519 points with the
|
||||||
|
// wrong order.
|
||||||
|
var curve25519Zeros [32]byte
|
||||||
|
|
||||||
|
func (kex *curve25519sha256) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) {
|
||||||
|
var kp curve25519KeyPair
|
||||||
|
if err := kp.generate(rand); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if err := c.writePacket(Marshal(&kexECDHInitMsg{kp.pub[:]})); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
packet, err := c.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var reply kexECDHReplyMsg
|
||||||
|
if err = Unmarshal(packet, &reply); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if len(reply.EphemeralPubKey) != 32 {
|
||||||
|
return nil, errors.New("ssh: peer's curve25519 public value has wrong length")
|
||||||
|
}
|
||||||
|
|
||||||
|
var servPub, secret [32]byte
|
||||||
|
copy(servPub[:], reply.EphemeralPubKey)
|
||||||
|
curve25519.ScalarMult(&secret, &kp.priv, &servPub)
|
||||||
|
if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 {
|
||||||
|
return nil, errors.New("ssh: peer's curve25519 public value has wrong order")
|
||||||
|
}
|
||||||
|
|
||||||
|
h := crypto.SHA256.New()
|
||||||
|
magics.write(h)
|
||||||
|
writeString(h, reply.HostKey)
|
||||||
|
writeString(h, kp.pub[:])
|
||||||
|
writeString(h, reply.EphemeralPubKey)
|
||||||
|
|
||||||
|
ki := new(big.Int).SetBytes(secret[:])
|
||||||
|
K := make([]byte, intLength(ki))
|
||||||
|
marshalInt(K, ki)
|
||||||
|
h.Write(K)
|
||||||
|
|
||||||
|
return &kexResult{
|
||||||
|
H: h.Sum(nil),
|
||||||
|
K: K,
|
||||||
|
HostKey: reply.HostKey,
|
||||||
|
Signature: reply.Signature,
|
||||||
|
Hash: crypto.SHA256,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (kex *curve25519sha256) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
|
||||||
|
packet, err := c.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
var kexInit kexECDHInitMsg
|
||||||
|
if err = Unmarshal(packet, &kexInit); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(kexInit.ClientPubKey) != 32 {
|
||||||
|
return nil, errors.New("ssh: peer's curve25519 public value has wrong length")
|
||||||
|
}
|
||||||
|
|
||||||
|
var kp curve25519KeyPair
|
||||||
|
if err := kp.generate(rand); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var clientPub, secret [32]byte
|
||||||
|
copy(clientPub[:], kexInit.ClientPubKey)
|
||||||
|
curve25519.ScalarMult(&secret, &kp.priv, &clientPub)
|
||||||
|
if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 {
|
||||||
|
return nil, errors.New("ssh: peer's curve25519 public value has wrong order")
|
||||||
|
}
|
||||||
|
|
||||||
|
hostKeyBytes := priv.PublicKey().Marshal()
|
||||||
|
|
||||||
|
h := crypto.SHA256.New()
|
||||||
|
magics.write(h)
|
||||||
|
writeString(h, hostKeyBytes)
|
||||||
|
writeString(h, kexInit.ClientPubKey)
|
||||||
|
writeString(h, kp.pub[:])
|
||||||
|
|
||||||
|
ki := new(big.Int).SetBytes(secret[:])
|
||||||
|
K := make([]byte, intLength(ki))
|
||||||
|
marshalInt(K, ki)
|
||||||
|
h.Write(K)
|
||||||
|
|
||||||
|
H := h.Sum(nil)
|
||||||
|
|
||||||
|
sig, err := signAndMarshal(priv, rand, H)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
reply := kexECDHReplyMsg{
|
||||||
|
EphemeralPubKey: kp.pub[:],
|
||||||
|
HostKey: hostKeyBytes,
|
||||||
|
Signature: sig,
|
||||||
|
}
|
||||||
|
if err := c.writePacket(Marshal(&reply)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return &kexResult{
|
||||||
|
H: H,
|
||||||
|
K: K,
|
||||||
|
HostKey: hostKeyBytes,
|
||||||
|
Signature: sig,
|
||||||
|
Hash: crypto.SHA256,
|
||||||
|
}, nil
|
||||||
|
}
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,61 @@
|
||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
// Message authentication support
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/sha1"
|
||||||
|
"crypto/sha256"
|
||||||
|
"hash"
|
||||||
|
)
|
||||||
|
|
||||||
|
type macMode struct {
|
||||||
|
keySize int
|
||||||
|
etm bool
|
||||||
|
new func(key []byte) hash.Hash
|
||||||
|
}
|
||||||
|
|
||||||
|
// truncatingMAC wraps around a hash.Hash and truncates the output digest to
|
||||||
|
// a given size.
|
||||||
|
type truncatingMAC struct {
|
||||||
|
length int
|
||||||
|
hmac hash.Hash
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t truncatingMAC) Write(data []byte) (int, error) {
|
||||||
|
return t.hmac.Write(data)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t truncatingMAC) Sum(in []byte) []byte {
|
||||||
|
out := t.hmac.Sum(in)
|
||||||
|
return out[:len(in)+t.length]
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t truncatingMAC) Reset() {
|
||||||
|
t.hmac.Reset()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t truncatingMAC) Size() int {
|
||||||
|
return t.length
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
|
||||||
|
|
||||||
|
var macModes = map[string]*macMode{
|
||||||
|
"hmac-sha2-256-etm@openssh.com": {32, true, func(key []byte) hash.Hash {
|
||||||
|
return hmac.New(sha256.New, key)
|
||||||
|
}},
|
||||||
|
"hmac-sha2-256": {32, false, func(key []byte) hash.Hash {
|
||||||
|
return hmac.New(sha256.New, key)
|
||||||
|
}},
|
||||||
|
"hmac-sha1": {20, false, func(key []byte) hash.Hash {
|
||||||
|
return hmac.New(sha1.New, key)
|
||||||
|
}},
|
||||||
|
"hmac-sha1-96": {20, false, func(key []byte) hash.Hash {
|
||||||
|
return truncatingMAC{12, hmac.New(sha1.New, key)}
|
||||||
|
}},
|
||||||
|
}
|
|
@ -0,0 +1,792 @@
|
||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
"reflect"
|
||||||
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
)
|
||||||
|
|
||||||
|
// These are SSH message type numbers. They are scattered around several
|
||||||
|
// documents but many were taken from [SSH-PARAMETERS].
|
||||||
|
const (
|
||||||
|
msgIgnore = 2
|
||||||
|
msgUnimplemented = 3
|
||||||
|
msgDebug = 4
|
||||||
|
msgNewKeys = 21
|
||||||
|
)
|
||||||
|
|
||||||
|
// SSH messages:
|
||||||
|
//
|
||||||
|
// These structures mirror the wire format of the corresponding SSH messages.
|
||||||
|
// They are marshaled using reflection with the marshal and unmarshal functions
|
||||||
|
// in this file. The only wrinkle is that a final member of type []byte with a
|
||||||
|
// ssh tag of "rest" receives the remainder of a packet when unmarshaling.
|
||||||
|
|
||||||
|
// See RFC 4253, section 11.1.
|
||||||
|
const msgDisconnect = 1
|
||||||
|
|
||||||
|
// disconnectMsg is the message that signals a disconnect. It is also
|
||||||
|
// the error type returned from mux.Wait()
|
||||||
|
type disconnectMsg struct {
|
||||||
|
Reason uint32 `sshtype:"1"`
|
||||||
|
Message string
|
||||||
|
Language string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (d *disconnectMsg) Error() string {
|
||||||
|
return fmt.Sprintf("ssh: disconnect, reason %d: %s", d.Reason, d.Message)
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4253, section 7.1.
|
||||||
|
const msgKexInit = 20
|
||||||
|
|
||||||
|
type kexInitMsg struct {
|
||||||
|
Cookie [16]byte `sshtype:"20"`
|
||||||
|
KexAlgos []string
|
||||||
|
ServerHostKeyAlgos []string
|
||||||
|
CiphersClientServer []string
|
||||||
|
CiphersServerClient []string
|
||||||
|
MACsClientServer []string
|
||||||
|
MACsServerClient []string
|
||||||
|
CompressionClientServer []string
|
||||||
|
CompressionServerClient []string
|
||||||
|
LanguagesClientServer []string
|
||||||
|
LanguagesServerClient []string
|
||||||
|
FirstKexFollows bool
|
||||||
|
Reserved uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4253, section 8.
|
||||||
|
|
||||||
|
// Diffie-Helman
|
||||||
|
const msgKexDHInit = 30
|
||||||
|
|
||||||
|
type kexDHInitMsg struct {
|
||||||
|
X *big.Int `sshtype:"30"`
|
||||||
|
}
|
||||||
|
|
||||||
|
const msgKexECDHInit = 30
|
||||||
|
|
||||||
|
type kexECDHInitMsg struct {
|
||||||
|
ClientPubKey []byte `sshtype:"30"`
|
||||||
|
}
|
||||||
|
|
||||||
|
const msgKexECDHReply = 31
|
||||||
|
|
||||||
|
type kexECDHReplyMsg struct {
|
||||||
|
HostKey []byte `sshtype:"31"`
|
||||||
|
EphemeralPubKey []byte
|
||||||
|
Signature []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
const msgKexDHReply = 31
|
||||||
|
|
||||||
|
type kexDHReplyMsg struct {
|
||||||
|
HostKey []byte `sshtype:"31"`
|
||||||
|
Y *big.Int
|
||||||
|
Signature []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4253, section 10.
|
||||||
|
const msgServiceRequest = 5
|
||||||
|
|
||||||
|
type serviceRequestMsg struct {
|
||||||
|
Service string `sshtype:"5"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4253, section 10.
|
||||||
|
const msgServiceAccept = 6
|
||||||
|
|
||||||
|
type serviceAcceptMsg struct {
|
||||||
|
Service string `sshtype:"6"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4252, section 5.
|
||||||
|
const msgUserAuthRequest = 50
|
||||||
|
|
||||||
|
type userAuthRequestMsg struct {
|
||||||
|
User string `sshtype:"50"`
|
||||||
|
Service string
|
||||||
|
Method string
|
||||||
|
Payload []byte `ssh:"rest"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// Used for debug printouts of packets.
|
||||||
|
type userAuthSuccessMsg struct {
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4252, section 5.1
|
||||||
|
const msgUserAuthFailure = 51
|
||||||
|
|
||||||
|
type userAuthFailureMsg struct {
|
||||||
|
Methods []string `sshtype:"51"`
|
||||||
|
PartialSuccess bool
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4252, section 5.1
|
||||||
|
const msgUserAuthSuccess = 52
|
||||||
|
|
||||||
|
// See RFC 4252, section 5.4
|
||||||
|
const msgUserAuthBanner = 53
|
||||||
|
|
||||||
|
type userAuthBannerMsg struct {
|
||||||
|
Message string `sshtype:"53"`
|
||||||
|
// unused, but required to allow message parsing
|
||||||
|
Language string
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4256, section 3.2
|
||||||
|
const msgUserAuthInfoRequest = 60
|
||||||
|
const msgUserAuthInfoResponse = 61
|
||||||
|
|
||||||
|
type userAuthInfoRequestMsg struct {
|
||||||
|
User string `sshtype:"60"`
|
||||||
|
Instruction string
|
||||||
|
DeprecatedLanguage string
|
||||||
|
NumPrompts uint32
|
||||||
|
Prompts []byte `ssh:"rest"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 5.1.
|
||||||
|
const msgChannelOpen = 90
|
||||||
|
|
||||||
|
type channelOpenMsg struct {
|
||||||
|
ChanType string `sshtype:"90"`
|
||||||
|
PeersID uint32
|
||||||
|
PeersWindow uint32
|
||||||
|
MaxPacketSize uint32
|
||||||
|
TypeSpecificData []byte `ssh:"rest"`
|
||||||
|
}
|
||||||
|
|
||||||
|
const msgChannelExtendedData = 95
|
||||||
|
const msgChannelData = 94
|
||||||
|
|
||||||
|
// Used for debug print outs of packets.
|
||||||
|
type channelDataMsg struct {
|
||||||
|
PeersID uint32 `sshtype:"94"`
|
||||||
|
Length uint32
|
||||||
|
Rest []byte `ssh:"rest"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 5.1.
|
||||||
|
const msgChannelOpenConfirm = 91
|
||||||
|
|
||||||
|
type channelOpenConfirmMsg struct {
|
||||||
|
PeersID uint32 `sshtype:"91"`
|
||||||
|
MyID uint32
|
||||||
|
MyWindow uint32
|
||||||
|
MaxPacketSize uint32
|
||||||
|
TypeSpecificData []byte `ssh:"rest"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 5.1.
|
||||||
|
const msgChannelOpenFailure = 92
|
||||||
|
|
||||||
|
type channelOpenFailureMsg struct {
|
||||||
|
PeersID uint32 `sshtype:"92"`
|
||||||
|
Reason RejectionReason
|
||||||
|
Message string
|
||||||
|
Language string
|
||||||
|
}
|
||||||
|
|
||||||
|
const msgChannelRequest = 98
|
||||||
|
|
||||||
|
type channelRequestMsg struct {
|
||||||
|
PeersID uint32 `sshtype:"98"`
|
||||||
|
Request string
|
||||||
|
WantReply bool
|
||||||
|
RequestSpecificData []byte `ssh:"rest"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 5.4.
|
||||||
|
const msgChannelSuccess = 99
|
||||||
|
|
||||||
|
type channelRequestSuccessMsg struct {
|
||||||
|
PeersID uint32 `sshtype:"99"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 5.4.
|
||||||
|
const msgChannelFailure = 100
|
||||||
|
|
||||||
|
type channelRequestFailureMsg struct {
|
||||||
|
PeersID uint32 `sshtype:"100"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 5.3
|
||||||
|
const msgChannelClose = 97
|
||||||
|
|
||||||
|
type channelCloseMsg struct {
|
||||||
|
PeersID uint32 `sshtype:"97"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 5.3
|
||||||
|
const msgChannelEOF = 96
|
||||||
|
|
||||||
|
type channelEOFMsg struct {
|
||||||
|
PeersID uint32 `sshtype:"96"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 4
|
||||||
|
const msgGlobalRequest = 80
|
||||||
|
|
||||||
|
type globalRequestMsg struct {
|
||||||
|
Type string `sshtype:"80"`
|
||||||
|
WantReply bool
|
||||||
|
Data []byte `ssh:"rest"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 4
|
||||||
|
const msgRequestSuccess = 81
|
||||||
|
|
||||||
|
type globalRequestSuccessMsg struct {
|
||||||
|
Data []byte `ssh:"rest" sshtype:"81"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 4
|
||||||
|
const msgRequestFailure = 82
|
||||||
|
|
||||||
|
type globalRequestFailureMsg struct {
|
||||||
|
Data []byte `ssh:"rest" sshtype:"82"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 5.2
|
||||||
|
const msgChannelWindowAdjust = 93
|
||||||
|
|
||||||
|
type windowAdjustMsg struct {
|
||||||
|
PeersID uint32 `sshtype:"93"`
|
||||||
|
AdditionalBytes uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4252, section 7
|
||||||
|
const msgUserAuthPubKeyOk = 60
|
||||||
|
|
||||||
|
type userAuthPubKeyOkMsg struct {
|
||||||
|
Algo string `sshtype:"60"`
|
||||||
|
PubKey []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// typeTags returns the possible type bytes for the given reflect.Type, which
|
||||||
|
// should be a struct. The possible values are separated by a '|' character.
|
||||||
|
func typeTags(structType reflect.Type) (tags []byte) {
|
||||||
|
tagStr := structType.Field(0).Tag.Get("sshtype")
|
||||||
|
|
||||||
|
for _, tag := range strings.Split(tagStr, "|") {
|
||||||
|
i, err := strconv.Atoi(tag)
|
||||||
|
if err == nil {
|
||||||
|
tags = append(tags, byte(i))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return tags
|
||||||
|
}
|
||||||
|
|
||||||
|
func fieldError(t reflect.Type, field int, problem string) error {
|
||||||
|
if problem != "" {
|
||||||
|
problem = ": " + problem
|
||||||
|
}
|
||||||
|
return fmt.Errorf("ssh: unmarshal error for field %s of type %s%s", t.Field(field).Name, t.Name(), problem)
|
||||||
|
}
|
||||||
|
|
||||||
|
var errShortRead = errors.New("ssh: short read")
|
||||||
|
|
||||||
|
// Unmarshal parses data in SSH wire format into a structure. The out
|
||||||
|
// argument should be a pointer to struct. If the first member of the
|
||||||
|
// struct has the "sshtype" tag set to a '|'-separated set of numbers
|
||||||
|
// in decimal, the packet must start with one of those numbers. In
|
||||||
|
// case of error, Unmarshal returns a ParseError or
|
||||||
|
// UnexpectedMessageError.
|
||||||
|
func Unmarshal(data []byte, out interface{}) error {
|
||||||
|
v := reflect.ValueOf(out).Elem()
|
||||||
|
structType := v.Type()
|
||||||
|
expectedTypes := typeTags(structType)
|
||||||
|
|
||||||
|
var expectedType byte
|
||||||
|
if len(expectedTypes) > 0 {
|
||||||
|
expectedType = expectedTypes[0]
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(data) == 0 {
|
||||||
|
return parseError(expectedType)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(expectedTypes) > 0 {
|
||||||
|
goodType := false
|
||||||
|
for _, e := range expectedTypes {
|
||||||
|
if e > 0 && data[0] == e {
|
||||||
|
goodType = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !goodType {
|
||||||
|
return fmt.Errorf("ssh: unexpected message type %d (expected one of %v)", data[0], expectedTypes)
|
||||||
|
}
|
||||||
|
data = data[1:]
|
||||||
|
}
|
||||||
|
|
||||||
|
var ok bool
|
||||||
|
for i := 0; i < v.NumField(); i++ {
|
||||||
|
field := v.Field(i)
|
||||||
|
t := field.Type()
|
||||||
|
switch t.Kind() {
|
||||||
|
case reflect.Bool:
|
||||||
|
if len(data) < 1 {
|
||||||
|
return errShortRead
|
||||||
|
}
|
||||||
|
field.SetBool(data[0] != 0)
|
||||||
|
data = data[1:]
|
||||||
|
case reflect.Array:
|
||||||
|
if t.Elem().Kind() != reflect.Uint8 {
|
||||||
|
return fieldError(structType, i, "array of unsupported type")
|
||||||
|
}
|
||||||
|
if len(data) < t.Len() {
|
||||||
|
return errShortRead
|
||||||
|
}
|
||||||
|
for j, n := 0, t.Len(); j < n; j++ {
|
||||||
|
field.Index(j).Set(reflect.ValueOf(data[j]))
|
||||||
|
}
|
||||||
|
data = data[t.Len():]
|
||||||
|
case reflect.Uint64:
|
||||||
|
var u64 uint64
|
||||||
|
if u64, data, ok = parseUint64(data); !ok {
|
||||||
|
return errShortRead
|
||||||
|
}
|
||||||
|
field.SetUint(u64)
|
||||||
|
case reflect.Uint32:
|
||||||
|
var u32 uint32
|
||||||
|
if u32, data, ok = parseUint32(data); !ok {
|
||||||
|
return errShortRead
|
||||||
|
}
|
||||||
|
field.SetUint(uint64(u32))
|
||||||
|
case reflect.Uint8:
|
||||||
|
if len(data) < 1 {
|
||||||
|
return errShortRead
|
||||||
|
}
|
||||||
|
field.SetUint(uint64(data[0]))
|
||||||
|
data = data[1:]
|
||||||
|
case reflect.String:
|
||||||
|
var s []byte
|
||||||
|
if s, data, ok = parseString(data); !ok {
|
||||||
|
return fieldError(structType, i, "")
|
||||||
|
}
|
||||||
|
field.SetString(string(s))
|
||||||
|
case reflect.Slice:
|
||||||
|
switch t.Elem().Kind() {
|
||||||
|
case reflect.Uint8:
|
||||||
|
if structType.Field(i).Tag.Get("ssh") == "rest" {
|
||||||
|
field.Set(reflect.ValueOf(data))
|
||||||
|
data = nil
|
||||||
|
} else {
|
||||||
|
var s []byte
|
||||||
|
if s, data, ok = parseString(data); !ok {
|
||||||
|
return errShortRead
|
||||||
|
}
|
||||||
|
field.Set(reflect.ValueOf(s))
|
||||||
|
}
|
||||||
|
case reflect.String:
|
||||||
|
var nl []string
|
||||||
|
if nl, data, ok = parseNameList(data); !ok {
|
||||||
|
return errShortRead
|
||||||
|
}
|
||||||
|
field.Set(reflect.ValueOf(nl))
|
||||||
|
default:
|
||||||
|
return fieldError(structType, i, "slice of unsupported type")
|
||||||
|
}
|
||||||
|
case reflect.Ptr:
|
||||||
|
if t == bigIntType {
|
||||||
|
var n *big.Int
|
||||||
|
if n, data, ok = parseInt(data); !ok {
|
||||||
|
return errShortRead
|
||||||
|
}
|
||||||
|
field.Set(reflect.ValueOf(n))
|
||||||
|
} else {
|
||||||
|
return fieldError(structType, i, "pointer to unsupported type")
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
return fieldError(structType, i, fmt.Sprintf("unsupported type: %v", t))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(data) != 0 {
|
||||||
|
return parseError(expectedType)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Marshal serializes the message in msg to SSH wire format. The msg
|
||||||
|
// argument should be a struct or pointer to struct. If the first
|
||||||
|
// member has the "sshtype" tag set to a number in decimal, that
|
||||||
|
// number is prepended to the result. If the last of member has the
|
||||||
|
// "ssh" tag set to "rest", its contents are appended to the output.
|
||||||
|
func Marshal(msg interface{}) []byte {
|
||||||
|
out := make([]byte, 0, 64)
|
||||||
|
return marshalStruct(out, msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalStruct(out []byte, msg interface{}) []byte {
|
||||||
|
v := reflect.Indirect(reflect.ValueOf(msg))
|
||||||
|
msgTypes := typeTags(v.Type())
|
||||||
|
if len(msgTypes) > 0 {
|
||||||
|
out = append(out, msgTypes[0])
|
||||||
|
}
|
||||||
|
|
||||||
|
for i, n := 0, v.NumField(); i < n; i++ {
|
||||||
|
field := v.Field(i)
|
||||||
|
switch t := field.Type(); t.Kind() {
|
||||||
|
case reflect.Bool:
|
||||||
|
var v uint8
|
||||||
|
if field.Bool() {
|
||||||
|
v = 1
|
||||||
|
}
|
||||||
|
out = append(out, v)
|
||||||
|
case reflect.Array:
|
||||||
|
if t.Elem().Kind() != reflect.Uint8 {
|
||||||
|
panic(fmt.Sprintf("array of non-uint8 in field %d: %T", i, field.Interface()))
|
||||||
|
}
|
||||||
|
for j, l := 0, t.Len(); j < l; j++ {
|
||||||
|
out = append(out, uint8(field.Index(j).Uint()))
|
||||||
|
}
|
||||||
|
case reflect.Uint32:
|
||||||
|
out = appendU32(out, uint32(field.Uint()))
|
||||||
|
case reflect.Uint64:
|
||||||
|
out = appendU64(out, uint64(field.Uint()))
|
||||||
|
case reflect.Uint8:
|
||||||
|
out = append(out, uint8(field.Uint()))
|
||||||
|
case reflect.String:
|
||||||
|
s := field.String()
|
||||||
|
out = appendInt(out, len(s))
|
||||||
|
out = append(out, s...)
|
||||||
|
case reflect.Slice:
|
||||||
|
switch t.Elem().Kind() {
|
||||||
|
case reflect.Uint8:
|
||||||
|
if v.Type().Field(i).Tag.Get("ssh") != "rest" {
|
||||||
|
out = appendInt(out, field.Len())
|
||||||
|
}
|
||||||
|
out = append(out, field.Bytes()...)
|
||||||
|
case reflect.String:
|
||||||
|
offset := len(out)
|
||||||
|
out = appendU32(out, 0)
|
||||||
|
if n := field.Len(); n > 0 {
|
||||||
|
for j := 0; j < n; j++ {
|
||||||
|
f := field.Index(j)
|
||||||
|
if j != 0 {
|
||||||
|
out = append(out, ',')
|
||||||
|
}
|
||||||
|
out = append(out, f.String()...)
|
||||||
|
}
|
||||||
|
// overwrite length value
|
||||||
|
binary.BigEndian.PutUint32(out[offset:], uint32(len(out)-offset-4))
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
panic(fmt.Sprintf("slice of unknown type in field %d: %T", i, field.Interface()))
|
||||||
|
}
|
||||||
|
case reflect.Ptr:
|
||||||
|
if t == bigIntType {
|
||||||
|
var n *big.Int
|
||||||
|
nValue := reflect.ValueOf(&n)
|
||||||
|
nValue.Elem().Set(field)
|
||||||
|
needed := intLength(n)
|
||||||
|
oldLength := len(out)
|
||||||
|
|
||||||
|
if cap(out)-len(out) < needed {
|
||||||
|
newOut := make([]byte, len(out), 2*(len(out)+needed))
|
||||||
|
copy(newOut, out)
|
||||||
|
out = newOut
|
||||||
|
}
|
||||||
|
out = out[:oldLength+needed]
|
||||||
|
marshalInt(out[oldLength:], n)
|
||||||
|
} else {
|
||||||
|
panic(fmt.Sprintf("pointer to unknown type in field %d: %T", i, field.Interface()))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
var bigOne = big.NewInt(1)
|
||||||
|
|
||||||
|
func parseString(in []byte) (out, rest []byte, ok bool) {
|
||||||
|
if len(in) < 4 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
length := binary.BigEndian.Uint32(in)
|
||||||
|
in = in[4:]
|
||||||
|
if uint32(len(in)) < length {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
out = in[:length]
|
||||||
|
rest = in[length:]
|
||||||
|
ok = true
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
comma = []byte{','}
|
||||||
|
emptyNameList = []string{}
|
||||||
|
)
|
||||||
|
|
||||||
|
func parseNameList(in []byte) (out []string, rest []byte, ok bool) {
|
||||||
|
contents, rest, ok := parseString(in)
|
||||||
|
if !ok {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(contents) == 0 {
|
||||||
|
out = emptyNameList
|
||||||
|
return
|
||||||
|
}
|
||||||
|
parts := bytes.Split(contents, comma)
|
||||||
|
out = make([]string, len(parts))
|
||||||
|
for i, part := range parts {
|
||||||
|
out[i] = string(part)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseInt(in []byte) (out *big.Int, rest []byte, ok bool) {
|
||||||
|
contents, rest, ok := parseString(in)
|
||||||
|
if !ok {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
out = new(big.Int)
|
||||||
|
|
||||||
|
if len(contents) > 0 && contents[0]&0x80 == 0x80 {
|
||||||
|
// This is a negative number
|
||||||
|
notBytes := make([]byte, len(contents))
|
||||||
|
for i := range notBytes {
|
||||||
|
notBytes[i] = ^contents[i]
|
||||||
|
}
|
||||||
|
out.SetBytes(notBytes)
|
||||||
|
out.Add(out, bigOne)
|
||||||
|
out.Neg(out)
|
||||||
|
} else {
|
||||||
|
// Positive number
|
||||||
|
out.SetBytes(contents)
|
||||||
|
}
|
||||||
|
ok = true
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseUint32(in []byte) (uint32, []byte, bool) {
|
||||||
|
if len(in) < 4 {
|
||||||
|
return 0, nil, false
|
||||||
|
}
|
||||||
|
return binary.BigEndian.Uint32(in), in[4:], true
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseUint64(in []byte) (uint64, []byte, bool) {
|
||||||
|
if len(in) < 8 {
|
||||||
|
return 0, nil, false
|
||||||
|
}
|
||||||
|
return binary.BigEndian.Uint64(in), in[8:], true
|
||||||
|
}
|
||||||
|
|
||||||
|
func intLength(n *big.Int) int {
|
||||||
|
length := 4 /* length bytes */
|
||||||
|
if n.Sign() < 0 {
|
||||||
|
nMinus1 := new(big.Int).Neg(n)
|
||||||
|
nMinus1.Sub(nMinus1, bigOne)
|
||||||
|
bitLen := nMinus1.BitLen()
|
||||||
|
if bitLen%8 == 0 {
|
||||||
|
// The number will need 0xff padding
|
||||||
|
length++
|
||||||
|
}
|
||||||
|
length += (bitLen + 7) / 8
|
||||||
|
} else if n.Sign() == 0 {
|
||||||
|
// A zero is the zero length string
|
||||||
|
} else {
|
||||||
|
bitLen := n.BitLen()
|
||||||
|
if bitLen%8 == 0 {
|
||||||
|
// The number will need 0x00 padding
|
||||||
|
length++
|
||||||
|
}
|
||||||
|
length += (bitLen + 7) / 8
|
||||||
|
}
|
||||||
|
|
||||||
|
return length
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalUint32(to []byte, n uint32) []byte {
|
||||||
|
binary.BigEndian.PutUint32(to, n)
|
||||||
|
return to[4:]
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalUint64(to []byte, n uint64) []byte {
|
||||||
|
binary.BigEndian.PutUint64(to, n)
|
||||||
|
return to[8:]
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalInt(to []byte, n *big.Int) []byte {
|
||||||
|
lengthBytes := to
|
||||||
|
to = to[4:]
|
||||||
|
length := 0
|
||||||
|
|
||||||
|
if n.Sign() < 0 {
|
||||||
|
// A negative number has to be converted to two's-complement
|
||||||
|
// form. So we'll subtract 1 and invert. If the
|
||||||
|
// most-significant-bit isn't set then we'll need to pad the
|
||||||
|
// beginning with 0xff in order to keep the number negative.
|
||||||
|
nMinus1 := new(big.Int).Neg(n)
|
||||||
|
nMinus1.Sub(nMinus1, bigOne)
|
||||||
|
bytes := nMinus1.Bytes()
|
||||||
|
for i := range bytes {
|
||||||
|
bytes[i] ^= 0xff
|
||||||
|
}
|
||||||
|
if len(bytes) == 0 || bytes[0]&0x80 == 0 {
|
||||||
|
to[0] = 0xff
|
||||||
|
to = to[1:]
|
||||||
|
length++
|
||||||
|
}
|
||||||
|
nBytes := copy(to, bytes)
|
||||||
|
to = to[nBytes:]
|
||||||
|
length += nBytes
|
||||||
|
} else if n.Sign() == 0 {
|
||||||
|
// A zero is the zero length string
|
||||||
|
} else {
|
||||||
|
bytes := n.Bytes()
|
||||||
|
if len(bytes) > 0 && bytes[0]&0x80 != 0 {
|
||||||
|
// We'll have to pad this with a 0x00 in order to
|
||||||
|
// stop it looking like a negative number.
|
||||||
|
to[0] = 0
|
||||||
|
to = to[1:]
|
||||||
|
length++
|
||||||
|
}
|
||||||
|
nBytes := copy(to, bytes)
|
||||||
|
to = to[nBytes:]
|
||||||
|
length += nBytes
|
||||||
|
}
|
||||||
|
|
||||||
|
lengthBytes[0] = byte(length >> 24)
|
||||||
|
lengthBytes[1] = byte(length >> 16)
|
||||||
|
lengthBytes[2] = byte(length >> 8)
|
||||||
|
lengthBytes[3] = byte(length)
|
||||||
|
return to
|
||||||
|
}
|
||||||
|
|
||||||
|
func writeInt(w io.Writer, n *big.Int) {
|
||||||
|
length := intLength(n)
|
||||||
|
buf := make([]byte, length)
|
||||||
|
marshalInt(buf, n)
|
||||||
|
w.Write(buf)
|
||||||
|
}
|
||||||
|
|
||||||
|
func writeString(w io.Writer, s []byte) {
|
||||||
|
var lengthBytes [4]byte
|
||||||
|
lengthBytes[0] = byte(len(s) >> 24)
|
||||||
|
lengthBytes[1] = byte(len(s) >> 16)
|
||||||
|
lengthBytes[2] = byte(len(s) >> 8)
|
||||||
|
lengthBytes[3] = byte(len(s))
|
||||||
|
w.Write(lengthBytes[:])
|
||||||
|
w.Write(s)
|
||||||
|
}
|
||||||
|
|
||||||
|
func stringLength(n int) int {
|
||||||
|
return 4 + n
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalString(to []byte, s []byte) []byte {
|
||||||
|
to[0] = byte(len(s) >> 24)
|
||||||
|
to[1] = byte(len(s) >> 16)
|
||||||
|
to[2] = byte(len(s) >> 8)
|
||||||
|
to[3] = byte(len(s))
|
||||||
|
to = to[4:]
|
||||||
|
copy(to, s)
|
||||||
|
return to[len(s):]
|
||||||
|
}
|
||||||
|
|
||||||
|
var bigIntType = reflect.TypeOf((*big.Int)(nil))
|
||||||
|
|
||||||
|
// Decode a packet into its corresponding message.
|
||||||
|
func decode(packet []byte) (interface{}, error) {
|
||||||
|
var msg interface{}
|
||||||
|
switch packet[0] {
|
||||||
|
case msgDisconnect:
|
||||||
|
msg = new(disconnectMsg)
|
||||||
|
case msgServiceRequest:
|
||||||
|
msg = new(serviceRequestMsg)
|
||||||
|
case msgServiceAccept:
|
||||||
|
msg = new(serviceAcceptMsg)
|
||||||
|
case msgKexInit:
|
||||||
|
msg = new(kexInitMsg)
|
||||||
|
case msgKexDHInit:
|
||||||
|
msg = new(kexDHInitMsg)
|
||||||
|
case msgKexDHReply:
|
||||||
|
msg = new(kexDHReplyMsg)
|
||||||
|
case msgUserAuthRequest:
|
||||||
|
msg = new(userAuthRequestMsg)
|
||||||
|
case msgUserAuthSuccess:
|
||||||
|
return new(userAuthSuccessMsg), nil
|
||||||
|
case msgUserAuthFailure:
|
||||||
|
msg = new(userAuthFailureMsg)
|
||||||
|
case msgUserAuthPubKeyOk:
|
||||||
|
msg = new(userAuthPubKeyOkMsg)
|
||||||
|
case msgGlobalRequest:
|
||||||
|
msg = new(globalRequestMsg)
|
||||||
|
case msgRequestSuccess:
|
||||||
|
msg = new(globalRequestSuccessMsg)
|
||||||
|
case msgRequestFailure:
|
||||||
|
msg = new(globalRequestFailureMsg)
|
||||||
|
case msgChannelOpen:
|
||||||
|
msg = new(channelOpenMsg)
|
||||||
|
case msgChannelData:
|
||||||
|
msg = new(channelDataMsg)
|
||||||
|
case msgChannelOpenConfirm:
|
||||||
|
msg = new(channelOpenConfirmMsg)
|
||||||
|
case msgChannelOpenFailure:
|
||||||
|
msg = new(channelOpenFailureMsg)
|
||||||
|
case msgChannelWindowAdjust:
|
||||||
|
msg = new(windowAdjustMsg)
|
||||||
|
case msgChannelEOF:
|
||||||
|
msg = new(channelEOFMsg)
|
||||||
|
case msgChannelClose:
|
||||||
|
msg = new(channelCloseMsg)
|
||||||
|
case msgChannelRequest:
|
||||||
|
msg = new(channelRequestMsg)
|
||||||
|
case msgChannelSuccess:
|
||||||
|
msg = new(channelRequestSuccessMsg)
|
||||||
|
case msgChannelFailure:
|
||||||
|
msg = new(channelRequestFailureMsg)
|
||||||
|
default:
|
||||||
|
return nil, unexpectedMessageError(0, packet[0])
|
||||||
|
}
|
||||||
|
if err := Unmarshal(packet, msg); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return msg, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
var packetTypeNames = map[byte]string{
|
||||||
|
msgDisconnect: "disconnectMsg",
|
||||||
|
msgServiceRequest: "serviceRequestMsg",
|
||||||
|
msgServiceAccept: "serviceAcceptMsg",
|
||||||
|
msgKexInit: "kexInitMsg",
|
||||||
|
msgKexDHInit: "kexDHInitMsg",
|
||||||
|
msgKexDHReply: "kexDHReplyMsg",
|
||||||
|
msgUserAuthRequest: "userAuthRequestMsg",
|
||||||
|
msgUserAuthSuccess: "userAuthSuccessMsg",
|
||||||
|
msgUserAuthFailure: "userAuthFailureMsg",
|
||||||
|
msgUserAuthPubKeyOk: "userAuthPubKeyOkMsg",
|
||||||
|
msgGlobalRequest: "globalRequestMsg",
|
||||||
|
msgRequestSuccess: "globalRequestSuccessMsg",
|
||||||
|
msgRequestFailure: "globalRequestFailureMsg",
|
||||||
|
msgChannelOpen: "channelOpenMsg",
|
||||||
|
msgChannelData: "channelDataMsg",
|
||||||
|
msgChannelOpenConfirm: "channelOpenConfirmMsg",
|
||||||
|
msgChannelOpenFailure: "channelOpenFailureMsg",
|
||||||
|
msgChannelWindowAdjust: "windowAdjustMsg",
|
||||||
|
msgChannelEOF: "channelEOFMsg",
|
||||||
|
msgChannelClose: "channelCloseMsg",
|
||||||
|
msgChannelRequest: "channelRequestMsg",
|
||||||
|
msgChannelSuccess: "channelRequestSuccessMsg",
|
||||||
|
msgChannelFailure: "channelRequestFailureMsg",
|
||||||
|
}
|
|
@ -0,0 +1,330 @@
|
||||||
|
// Copyright 2013 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/binary"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"log"
|
||||||
|
"sync"
|
||||||
|
"sync/atomic"
|
||||||
|
)
|
||||||
|
|
||||||
|
// debugMux, if set, causes messages in the connection protocol to be
|
||||||
|
// logged.
|
||||||
|
const debugMux = false
|
||||||
|
|
||||||
|
// chanList is a thread safe channel list.
|
||||||
|
type chanList struct {
|
||||||
|
// protects concurrent access to chans
|
||||||
|
sync.Mutex
|
||||||
|
|
||||||
|
// chans are indexed by the local id of the channel, which the
|
||||||
|
// other side should send in the PeersId field.
|
||||||
|
chans []*channel
|
||||||
|
|
||||||
|
// This is a debugging aid: it offsets all IDs by this
|
||||||
|
// amount. This helps distinguish otherwise identical
|
||||||
|
// server/client muxes
|
||||||
|
offset uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
// Assigns a channel ID to the given channel.
|
||||||
|
func (c *chanList) add(ch *channel) uint32 {
|
||||||
|
c.Lock()
|
||||||
|
defer c.Unlock()
|
||||||
|
for i := range c.chans {
|
||||||
|
if c.chans[i] == nil {
|
||||||
|
c.chans[i] = ch
|
||||||
|
return uint32(i) + c.offset
|
||||||
|
}
|
||||||
|
}
|
||||||
|
c.chans = append(c.chans, ch)
|
||||||
|
return uint32(len(c.chans)-1) + c.offset
|
||||||
|
}
|
||||||
|
|
||||||
|
// getChan returns the channel for the given ID.
|
||||||
|
func (c *chanList) getChan(id uint32) *channel {
|
||||||
|
id -= c.offset
|
||||||
|
|
||||||
|
c.Lock()
|
||||||
|
defer c.Unlock()
|
||||||
|
if id < uint32(len(c.chans)) {
|
||||||
|
return c.chans[id]
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *chanList) remove(id uint32) {
|
||||||
|
id -= c.offset
|
||||||
|
c.Lock()
|
||||||
|
if id < uint32(len(c.chans)) {
|
||||||
|
c.chans[id] = nil
|
||||||
|
}
|
||||||
|
c.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
// dropAll forgets all channels it knows, returning them in a slice.
|
||||||
|
func (c *chanList) dropAll() []*channel {
|
||||||
|
c.Lock()
|
||||||
|
defer c.Unlock()
|
||||||
|
var r []*channel
|
||||||
|
|
||||||
|
for _, ch := range c.chans {
|
||||||
|
if ch == nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
r = append(r, ch)
|
||||||
|
}
|
||||||
|
c.chans = nil
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
// mux represents the state for the SSH connection protocol, which
|
||||||
|
// multiplexes many channels onto a single packet transport.
|
||||||
|
type mux struct {
|
||||||
|
conn packetConn
|
||||||
|
chanList chanList
|
||||||
|
|
||||||
|
incomingChannels chan NewChannel
|
||||||
|
|
||||||
|
globalSentMu sync.Mutex
|
||||||
|
globalResponses chan interface{}
|
||||||
|
incomingRequests chan *Request
|
||||||
|
|
||||||
|
errCond *sync.Cond
|
||||||
|
err error
|
||||||
|
}
|
||||||
|
|
||||||
|
// When debugging, each new chanList instantiation has a different
|
||||||
|
// offset.
|
||||||
|
var globalOff uint32
|
||||||
|
|
||||||
|
func (m *mux) Wait() error {
|
||||||
|
m.errCond.L.Lock()
|
||||||
|
defer m.errCond.L.Unlock()
|
||||||
|
for m.err == nil {
|
||||||
|
m.errCond.Wait()
|
||||||
|
}
|
||||||
|
return m.err
|
||||||
|
}
|
||||||
|
|
||||||
|
// newMux returns a mux that runs over the given connection.
|
||||||
|
func newMux(p packetConn) *mux {
|
||||||
|
m := &mux{
|
||||||
|
conn: p,
|
||||||
|
incomingChannels: make(chan NewChannel, chanSize),
|
||||||
|
globalResponses: make(chan interface{}, 1),
|
||||||
|
incomingRequests: make(chan *Request, chanSize),
|
||||||
|
errCond: newCond(),
|
||||||
|
}
|
||||||
|
if debugMux {
|
||||||
|
m.chanList.offset = atomic.AddUint32(&globalOff, 1)
|
||||||
|
}
|
||||||
|
|
||||||
|
go m.loop()
|
||||||
|
return m
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *mux) sendMessage(msg interface{}) error {
|
||||||
|
p := Marshal(msg)
|
||||||
|
if debugMux {
|
||||||
|
log.Printf("send global(%d): %#v", m.chanList.offset, msg)
|
||||||
|
}
|
||||||
|
return m.conn.writePacket(p)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *mux) SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error) {
|
||||||
|
if wantReply {
|
||||||
|
m.globalSentMu.Lock()
|
||||||
|
defer m.globalSentMu.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := m.sendMessage(globalRequestMsg{
|
||||||
|
Type: name,
|
||||||
|
WantReply: wantReply,
|
||||||
|
Data: payload,
|
||||||
|
}); err != nil {
|
||||||
|
return false, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !wantReply {
|
||||||
|
return false, nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
msg, ok := <-m.globalResponses
|
||||||
|
if !ok {
|
||||||
|
return false, nil, io.EOF
|
||||||
|
}
|
||||||
|
switch msg := msg.(type) {
|
||||||
|
case *globalRequestFailureMsg:
|
||||||
|
return false, msg.Data, nil
|
||||||
|
case *globalRequestSuccessMsg:
|
||||||
|
return true, msg.Data, nil
|
||||||
|
default:
|
||||||
|
return false, nil, fmt.Errorf("ssh: unexpected response to request: %#v", msg)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// ackRequest must be called after processing a global request that
|
||||||
|
// has WantReply set.
|
||||||
|
func (m *mux) ackRequest(ok bool, data []byte) error {
|
||||||
|
if ok {
|
||||||
|
return m.sendMessage(globalRequestSuccessMsg{Data: data})
|
||||||
|
}
|
||||||
|
return m.sendMessage(globalRequestFailureMsg{Data: data})
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *mux) Close() error {
|
||||||
|
return m.conn.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
// loop runs the connection machine. It will process packets until an
|
||||||
|
// error is encountered. To synchronize on loop exit, use mux.Wait.
|
||||||
|
func (m *mux) loop() {
|
||||||
|
var err error
|
||||||
|
for err == nil {
|
||||||
|
err = m.onePacket()
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, ch := range m.chanList.dropAll() {
|
||||||
|
ch.close()
|
||||||
|
}
|
||||||
|
|
||||||
|
close(m.incomingChannels)
|
||||||
|
close(m.incomingRequests)
|
||||||
|
close(m.globalResponses)
|
||||||
|
|
||||||
|
m.conn.Close()
|
||||||
|
|
||||||
|
m.errCond.L.Lock()
|
||||||
|
m.err = err
|
||||||
|
m.errCond.Broadcast()
|
||||||
|
m.errCond.L.Unlock()
|
||||||
|
|
||||||
|
if debugMux {
|
||||||
|
log.Println("loop exit", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// onePacket reads and processes one packet.
|
||||||
|
func (m *mux) onePacket() error {
|
||||||
|
packet, err := m.conn.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if debugMux {
|
||||||
|
if packet[0] == msgChannelData || packet[0] == msgChannelExtendedData {
|
||||||
|
log.Printf("decoding(%d): data packet - %d bytes", m.chanList.offset, len(packet))
|
||||||
|
} else {
|
||||||
|
p, _ := decode(packet)
|
||||||
|
log.Printf("decoding(%d): %d %#v - %d bytes", m.chanList.offset, packet[0], p, len(packet))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
switch packet[0] {
|
||||||
|
case msgChannelOpen:
|
||||||
|
return m.handleChannelOpen(packet)
|
||||||
|
case msgGlobalRequest, msgRequestSuccess, msgRequestFailure:
|
||||||
|
return m.handleGlobalPacket(packet)
|
||||||
|
}
|
||||||
|
|
||||||
|
// assume a channel packet.
|
||||||
|
if len(packet) < 5 {
|
||||||
|
return parseError(packet[0])
|
||||||
|
}
|
||||||
|
id := binary.BigEndian.Uint32(packet[1:])
|
||||||
|
ch := m.chanList.getChan(id)
|
||||||
|
if ch == nil {
|
||||||
|
return fmt.Errorf("ssh: invalid channel %d", id)
|
||||||
|
}
|
||||||
|
|
||||||
|
return ch.handlePacket(packet)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *mux) handleGlobalPacket(packet []byte) error {
|
||||||
|
msg, err := decode(packet)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
switch msg := msg.(type) {
|
||||||
|
case *globalRequestMsg:
|
||||||
|
m.incomingRequests <- &Request{
|
||||||
|
Type: msg.Type,
|
||||||
|
WantReply: msg.WantReply,
|
||||||
|
Payload: msg.Data,
|
||||||
|
mux: m,
|
||||||
|
}
|
||||||
|
case *globalRequestSuccessMsg, *globalRequestFailureMsg:
|
||||||
|
m.globalResponses <- msg
|
||||||
|
default:
|
||||||
|
panic(fmt.Sprintf("not a global message %#v", msg))
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// handleChannelOpen schedules a channel to be Accept()ed.
|
||||||
|
func (m *mux) handleChannelOpen(packet []byte) error {
|
||||||
|
var msg channelOpenMsg
|
||||||
|
if err := Unmarshal(packet, &msg); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if msg.MaxPacketSize < minPacketLength || msg.MaxPacketSize > 1<<31 {
|
||||||
|
failMsg := channelOpenFailureMsg{
|
||||||
|
PeersID: msg.PeersID,
|
||||||
|
Reason: ConnectionFailed,
|
||||||
|
Message: "invalid request",
|
||||||
|
Language: "en_US.UTF-8",
|
||||||
|
}
|
||||||
|
return m.sendMessage(failMsg)
|
||||||
|
}
|
||||||
|
|
||||||
|
c := m.newChannel(msg.ChanType, channelInbound, msg.TypeSpecificData)
|
||||||
|
c.remoteId = msg.PeersID
|
||||||
|
c.maxRemotePayload = msg.MaxPacketSize
|
||||||
|
c.remoteWin.add(msg.PeersWindow)
|
||||||
|
m.incomingChannels <- c
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *mux) OpenChannel(chanType string, extra []byte) (Channel, <-chan *Request, error) {
|
||||||
|
ch, err := m.openChannel(chanType, extra)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return ch, ch.incomingRequests, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *mux) openChannel(chanType string, extra []byte) (*channel, error) {
|
||||||
|
ch := m.newChannel(chanType, channelOutbound, extra)
|
||||||
|
|
||||||
|
ch.maxIncomingPayload = channelMaxPacket
|
||||||
|
|
||||||
|
open := channelOpenMsg{
|
||||||
|
ChanType: chanType,
|
||||||
|
PeersWindow: ch.myWindow,
|
||||||
|
MaxPacketSize: ch.maxIncomingPayload,
|
||||||
|
TypeSpecificData: extra,
|
||||||
|
PeersID: ch.localId,
|
||||||
|
}
|
||||||
|
if err := m.sendMessage(open); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
switch msg := (<-ch.msg).(type) {
|
||||||
|
case *channelOpenConfirmMsg:
|
||||||
|
return ch, nil
|
||||||
|
case *channelOpenFailureMsg:
|
||||||
|
return nil, &OpenChannelError{msg.Reason, msg.Message}
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("ssh: unexpected packet in response to channel open: %T", msg)
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,594 @@
|
||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net"
|
||||||
|
"strings"
|
||||||
|
)
|
||||||
|
|
||||||
|
// The Permissions type holds fine-grained permissions that are
|
||||||
|
// specific to a user or a specific authentication method for a user.
|
||||||
|
// The Permissions value for a successful authentication attempt is
|
||||||
|
// available in ServerConn, so it can be used to pass information from
|
||||||
|
// the user-authentication phase to the application layer.
|
||||||
|
type Permissions struct {
|
||||||
|
// CriticalOptions indicate restrictions to the default
|
||||||
|
// permissions, and are typically used in conjunction with
|
||||||
|
// user certificates. The standard for SSH certificates
|
||||||
|
// defines "force-command" (only allow the given command to
|
||||||
|
// execute) and "source-address" (only allow connections from
|
||||||
|
// the given address). The SSH package currently only enforces
|
||||||
|
// the "source-address" critical option. It is up to server
|
||||||
|
// implementations to enforce other critical options, such as
|
||||||
|
// "force-command", by checking them after the SSH handshake
|
||||||
|
// is successful. In general, SSH servers should reject
|
||||||
|
// connections that specify critical options that are unknown
|
||||||
|
// or not supported.
|
||||||
|
CriticalOptions map[string]string
|
||||||
|
|
||||||
|
// Extensions are extra functionality that the server may
|
||||||
|
// offer on authenticated connections. Lack of support for an
|
||||||
|
// extension does not preclude authenticating a user. Common
|
||||||
|
// extensions are "permit-agent-forwarding",
|
||||||
|
// "permit-X11-forwarding". The Go SSH library currently does
|
||||||
|
// not act on any extension, and it is up to server
|
||||||
|
// implementations to honor them. Extensions can be used to
|
||||||
|
// pass data from the authentication callbacks to the server
|
||||||
|
// application layer.
|
||||||
|
Extensions map[string]string
|
||||||
|
}
|
||||||
|
|
||||||
|
// ServerConfig holds server specific configuration data.
|
||||||
|
type ServerConfig struct {
|
||||||
|
// Config contains configuration shared between client and server.
|
||||||
|
Config
|
||||||
|
|
||||||
|
hostKeys []Signer
|
||||||
|
|
||||||
|
// NoClientAuth is true if clients are allowed to connect without
|
||||||
|
// authenticating.
|
||||||
|
NoClientAuth bool
|
||||||
|
|
||||||
|
// MaxAuthTries specifies the maximum number of authentication attempts
|
||||||
|
// permitted per connection. If set to a negative number, the number of
|
||||||
|
// attempts are unlimited. If set to zero, the number of attempts are limited
|
||||||
|
// to 6.
|
||||||
|
MaxAuthTries int
|
||||||
|
|
||||||
|
// PasswordCallback, if non-nil, is called when a user
|
||||||
|
// attempts to authenticate using a password.
|
||||||
|
PasswordCallback func(conn ConnMetadata, password []byte) (*Permissions, error)
|
||||||
|
|
||||||
|
// PublicKeyCallback, if non-nil, is called when a client
|
||||||
|
// offers a public key for authentication. It must return a nil error
|
||||||
|
// if the given public key can be used to authenticate the
|
||||||
|
// given user. For example, see CertChecker.Authenticate. A
|
||||||
|
// call to this function does not guarantee that the key
|
||||||
|
// offered is in fact used to authenticate. To record any data
|
||||||
|
// depending on the public key, store it inside a
|
||||||
|
// Permissions.Extensions entry.
|
||||||
|
PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
|
||||||
|
|
||||||
|
// KeyboardInteractiveCallback, if non-nil, is called when
|
||||||
|
// keyboard-interactive authentication is selected (RFC
|
||||||
|
// 4256). The client object's Challenge function should be
|
||||||
|
// used to query the user. The callback may offer multiple
|
||||||
|
// Challenge rounds. To avoid information leaks, the client
|
||||||
|
// should be presented a challenge even if the user is
|
||||||
|
// unknown.
|
||||||
|
KeyboardInteractiveCallback func(conn ConnMetadata, client KeyboardInteractiveChallenge) (*Permissions, error)
|
||||||
|
|
||||||
|
// AuthLogCallback, if non-nil, is called to log all authentication
|
||||||
|
// attempts.
|
||||||
|
AuthLogCallback func(conn ConnMetadata, method string, err error)
|
||||||
|
|
||||||
|
// ServerVersion is the version identification string to announce in
|
||||||
|
// the public handshake.
|
||||||
|
// If empty, a reasonable default is used.
|
||||||
|
// Note that RFC 4253 section 4.2 requires that this string start with
|
||||||
|
// "SSH-2.0-".
|
||||||
|
ServerVersion string
|
||||||
|
|
||||||
|
// BannerCallback, if present, is called and the return string is sent to
|
||||||
|
// the client after key exchange completed but before authentication.
|
||||||
|
BannerCallback func(conn ConnMetadata) string
|
||||||
|
}
|
||||||
|
|
||||||
|
// AddHostKey adds a private key as a host key. If an existing host
|
||||||
|
// key exists with the same algorithm, it is overwritten. Each server
|
||||||
|
// config must have at least one host key.
|
||||||
|
func (s *ServerConfig) AddHostKey(key Signer) {
|
||||||
|
for i, k := range s.hostKeys {
|
||||||
|
if k.PublicKey().Type() == key.PublicKey().Type() {
|
||||||
|
s.hostKeys[i] = key
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
s.hostKeys = append(s.hostKeys, key)
|
||||||
|
}
|
||||||
|
|
||||||
|
// cachedPubKey contains the results of querying whether a public key is
|
||||||
|
// acceptable for a user.
|
||||||
|
type cachedPubKey struct {
|
||||||
|
user string
|
||||||
|
pubKeyData []byte
|
||||||
|
result error
|
||||||
|
perms *Permissions
|
||||||
|
}
|
||||||
|
|
||||||
|
const maxCachedPubKeys = 16
|
||||||
|
|
||||||
|
// pubKeyCache caches tests for public keys. Since SSH clients
|
||||||
|
// will query whether a public key is acceptable before attempting to
|
||||||
|
// authenticate with it, we end up with duplicate queries for public
|
||||||
|
// key validity. The cache only applies to a single ServerConn.
|
||||||
|
type pubKeyCache struct {
|
||||||
|
keys []cachedPubKey
|
||||||
|
}
|
||||||
|
|
||||||
|
// get returns the result for a given user/algo/key tuple.
|
||||||
|
func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
|
||||||
|
for _, k := range c.keys {
|
||||||
|
if k.user == user && bytes.Equal(k.pubKeyData, pubKeyData) {
|
||||||
|
return k, true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return cachedPubKey{}, false
|
||||||
|
}
|
||||||
|
|
||||||
|
// add adds the given tuple to the cache.
|
||||||
|
func (c *pubKeyCache) add(candidate cachedPubKey) {
|
||||||
|
if len(c.keys) < maxCachedPubKeys {
|
||||||
|
c.keys = append(c.keys, candidate)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// ServerConn is an authenticated SSH connection, as seen from the
|
||||||
|
// server
|
||||||
|
type ServerConn struct {
|
||||||
|
Conn
|
||||||
|
|
||||||
|
// If the succeeding authentication callback returned a
|
||||||
|
// non-nil Permissions pointer, it is stored here.
|
||||||
|
Permissions *Permissions
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewServerConn starts a new SSH server with c as the underlying
|
||||||
|
// transport. It starts with a handshake and, if the handshake is
|
||||||
|
// unsuccessful, it closes the connection and returns an error. The
|
||||||
|
// Request and NewChannel channels must be serviced, or the connection
|
||||||
|
// will hang.
|
||||||
|
//
|
||||||
|
// The returned error may be of type *ServerAuthError for
|
||||||
|
// authentication errors.
|
||||||
|
func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error) {
|
||||||
|
fullConf := *config
|
||||||
|
fullConf.SetDefaults()
|
||||||
|
if fullConf.MaxAuthTries == 0 {
|
||||||
|
fullConf.MaxAuthTries = 6
|
||||||
|
}
|
||||||
|
|
||||||
|
s := &connection{
|
||||||
|
sshConn: sshConn{conn: c},
|
||||||
|
}
|
||||||
|
perms, err := s.serverHandshake(&fullConf)
|
||||||
|
if err != nil {
|
||||||
|
c.Close()
|
||||||
|
return nil, nil, nil, err
|
||||||
|
}
|
||||||
|
return &ServerConn{s, perms}, s.mux.incomingChannels, s.mux.incomingRequests, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// signAndMarshal signs the data with the appropriate algorithm,
|
||||||
|
// and serializes the result in SSH wire format.
|
||||||
|
func signAndMarshal(k Signer, rand io.Reader, data []byte) ([]byte, error) {
|
||||||
|
sig, err := k.Sign(rand, data)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return Marshal(sig), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// handshake performs key exchange and user authentication.
|
||||||
|
func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error) {
|
||||||
|
if len(config.hostKeys) == 0 {
|
||||||
|
return nil, errors.New("ssh: server has no host keys")
|
||||||
|
}
|
||||||
|
|
||||||
|
if !config.NoClientAuth && config.PasswordCallback == nil && config.PublicKeyCallback == nil && config.KeyboardInteractiveCallback == nil {
|
||||||
|
return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
|
||||||
|
}
|
||||||
|
|
||||||
|
if config.ServerVersion != "" {
|
||||||
|
s.serverVersion = []byte(config.ServerVersion)
|
||||||
|
} else {
|
||||||
|
s.serverVersion = []byte(packageVersion)
|
||||||
|
}
|
||||||
|
var err error
|
||||||
|
s.clientVersion, err = exchangeVersions(s.sshConn.conn, s.serverVersion)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
tr := newTransport(s.sshConn.conn, config.Rand, false /* not client */)
|
||||||
|
s.transport = newServerTransport(tr, s.clientVersion, s.serverVersion, config)
|
||||||
|
|
||||||
|
if err := s.transport.waitSession(); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// We just did the key change, so the session ID is established.
|
||||||
|
s.sessionID = s.transport.getSessionID()
|
||||||
|
|
||||||
|
var packet []byte
|
||||||
|
if packet, err = s.transport.readPacket(); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var serviceRequest serviceRequestMsg
|
||||||
|
if err = Unmarshal(packet, &serviceRequest); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if serviceRequest.Service != serviceUserAuth {
|
||||||
|
return nil, errors.New("ssh: requested service '" + serviceRequest.Service + "' before authenticating")
|
||||||
|
}
|
||||||
|
serviceAccept := serviceAcceptMsg{
|
||||||
|
Service: serviceUserAuth,
|
||||||
|
}
|
||||||
|
if err := s.transport.writePacket(Marshal(&serviceAccept)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
perms, err := s.serverAuthenticate(config)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
s.mux = newMux(s.transport)
|
||||||
|
return perms, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func isAcceptableAlgo(algo string) bool {
|
||||||
|
switch algo {
|
||||||
|
case KeyAlgoRSA, KeyAlgoDSA, KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521, KeyAlgoED25519,
|
||||||
|
CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01:
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
|
||||||
|
if addr == nil {
|
||||||
|
return errors.New("ssh: no address known for client, but source-address match required")
|
||||||
|
}
|
||||||
|
|
||||||
|
tcpAddr, ok := addr.(*net.TCPAddr)
|
||||||
|
if !ok {
|
||||||
|
return fmt.Errorf("ssh: remote address %v is not an TCP address when checking source-address match", addr)
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, sourceAddr := range strings.Split(sourceAddrs, ",") {
|
||||||
|
if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
|
||||||
|
if allowedIP.Equal(tcpAddr.IP) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
_, ipNet, err := net.ParseCIDR(sourceAddr)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if ipNet.Contains(tcpAddr.IP) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ServerAuthError represents server authentication errors and is
|
||||||
|
// sometimes returned by NewServerConn. It appends any authentication
|
||||||
|
// errors that may occur, and is returned if all of the authentication
|
||||||
|
// methods provided by the user failed to authenticate.
|
||||||
|
type ServerAuthError struct {
|
||||||
|
// Errors contains authentication errors returned by the authentication
|
||||||
|
// callback methods. The first entry is typically ErrNoAuth.
|
||||||
|
Errors []error
|
||||||
|
}
|
||||||
|
|
||||||
|
func (l ServerAuthError) Error() string {
|
||||||
|
var errs []string
|
||||||
|
for _, err := range l.Errors {
|
||||||
|
errs = append(errs, err.Error())
|
||||||
|
}
|
||||||
|
return "[" + strings.Join(errs, ", ") + "]"
|
||||||
|
}
|
||||||
|
|
||||||
|
// ErrNoAuth is the error value returned if no
|
||||||
|
// authentication method has been passed yet. This happens as a normal
|
||||||
|
// part of the authentication loop, since the client first tries
|
||||||
|
// 'none' authentication to discover available methods.
|
||||||
|
// It is returned in ServerAuthError.Errors from NewServerConn.
|
||||||
|
var ErrNoAuth = errors.New("ssh: no auth passed yet")
|
||||||
|
|
||||||
|
func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
|
||||||
|
sessionID := s.transport.getSessionID()
|
||||||
|
var cache pubKeyCache
|
||||||
|
var perms *Permissions
|
||||||
|
|
||||||
|
authFailures := 0
|
||||||
|
var authErrs []error
|
||||||
|
var displayedBanner bool
|
||||||
|
|
||||||
|
userAuthLoop:
|
||||||
|
for {
|
||||||
|
if authFailures >= config.MaxAuthTries && config.MaxAuthTries > 0 {
|
||||||
|
discMsg := &disconnectMsg{
|
||||||
|
Reason: 2,
|
||||||
|
Message: "too many authentication failures",
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := s.transport.writePacket(Marshal(discMsg)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, discMsg
|
||||||
|
}
|
||||||
|
|
||||||
|
var userAuthReq userAuthRequestMsg
|
||||||
|
if packet, err := s.transport.readPacket(); err != nil {
|
||||||
|
if err == io.EOF {
|
||||||
|
return nil, &ServerAuthError{Errors: authErrs}
|
||||||
|
}
|
||||||
|
return nil, err
|
||||||
|
} else if err = Unmarshal(packet, &userAuthReq); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if userAuthReq.Service != serviceSSH {
|
||||||
|
return nil, errors.New("ssh: client attempted to negotiate for unknown service: " + userAuthReq.Service)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.user = userAuthReq.User
|
||||||
|
|
||||||
|
if !displayedBanner && config.BannerCallback != nil {
|
||||||
|
displayedBanner = true
|
||||||
|
msg := config.BannerCallback(s)
|
||||||
|
if msg != "" {
|
||||||
|
bannerMsg := &userAuthBannerMsg{
|
||||||
|
Message: msg,
|
||||||
|
}
|
||||||
|
if err := s.transport.writePacket(Marshal(bannerMsg)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
perms = nil
|
||||||
|
authErr := ErrNoAuth
|
||||||
|
|
||||||
|
switch userAuthReq.Method {
|
||||||
|
case "none":
|
||||||
|
if config.NoClientAuth {
|
||||||
|
authErr = nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// allow initial attempt of 'none' without penalty
|
||||||
|
if authFailures == 0 {
|
||||||
|
authFailures--
|
||||||
|
}
|
||||||
|
case "password":
|
||||||
|
if config.PasswordCallback == nil {
|
||||||
|
authErr = errors.New("ssh: password auth not configured")
|
||||||
|
break
|
||||||
|
}
|
||||||
|
payload := userAuthReq.Payload
|
||||||
|
if len(payload) < 1 || payload[0] != 0 {
|
||||||
|
return nil, parseError(msgUserAuthRequest)
|
||||||
|
}
|
||||||
|
payload = payload[1:]
|
||||||
|
password, payload, ok := parseString(payload)
|
||||||
|
if !ok || len(payload) > 0 {
|
||||||
|
return nil, parseError(msgUserAuthRequest)
|
||||||
|
}
|
||||||
|
|
||||||
|
perms, authErr = config.PasswordCallback(s, password)
|
||||||
|
case "keyboard-interactive":
|
||||||
|
if config.KeyboardInteractiveCallback == nil {
|
||||||
|
authErr = errors.New("ssh: keyboard-interactive auth not configured")
|
||||||
|
break
|
||||||
|
}
|
||||||
|
|
||||||
|
prompter := &sshClientKeyboardInteractive{s}
|
||||||
|
perms, authErr = config.KeyboardInteractiveCallback(s, prompter.Challenge)
|
||||||
|
case "publickey":
|
||||||
|
if config.PublicKeyCallback == nil {
|
||||||
|
authErr = errors.New("ssh: publickey auth not configured")
|
||||||
|
break
|
||||||
|
}
|
||||||
|
payload := userAuthReq.Payload
|
||||||
|
if len(payload) < 1 {
|
||||||
|
return nil, parseError(msgUserAuthRequest)
|
||||||
|
}
|
||||||
|
isQuery := payload[0] == 0
|
||||||
|
payload = payload[1:]
|
||||||
|
algoBytes, payload, ok := parseString(payload)
|
||||||
|
if !ok {
|
||||||
|
return nil, parseError(msgUserAuthRequest)
|
||||||
|
}
|
||||||
|
algo := string(algoBytes)
|
||||||
|
if !isAcceptableAlgo(algo) {
|
||||||
|
authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
|
||||||
|
pubKeyData, payload, ok := parseString(payload)
|
||||||
|
if !ok {
|
||||||
|
return nil, parseError(msgUserAuthRequest)
|
||||||
|
}
|
||||||
|
|
||||||
|
pubKey, err := ParsePublicKey(pubKeyData)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
candidate, ok := cache.get(s.user, pubKeyData)
|
||||||
|
if !ok {
|
||||||
|
candidate.user = s.user
|
||||||
|
candidate.pubKeyData = pubKeyData
|
||||||
|
candidate.perms, candidate.result = config.PublicKeyCallback(s, pubKey)
|
||||||
|
if candidate.result == nil && candidate.perms != nil && candidate.perms.CriticalOptions != nil && candidate.perms.CriticalOptions[sourceAddressCriticalOption] != "" {
|
||||||
|
candidate.result = checkSourceAddress(
|
||||||
|
s.RemoteAddr(),
|
||||||
|
candidate.perms.CriticalOptions[sourceAddressCriticalOption])
|
||||||
|
}
|
||||||
|
cache.add(candidate)
|
||||||
|
}
|
||||||
|
|
||||||
|
if isQuery {
|
||||||
|
// The client can query if the given public key
|
||||||
|
// would be okay.
|
||||||
|
|
||||||
|
if len(payload) > 0 {
|
||||||
|
return nil, parseError(msgUserAuthRequest)
|
||||||
|
}
|
||||||
|
|
||||||
|
if candidate.result == nil {
|
||||||
|
okMsg := userAuthPubKeyOkMsg{
|
||||||
|
Algo: algo,
|
||||||
|
PubKey: pubKeyData,
|
||||||
|
}
|
||||||
|
if err = s.transport.writePacket(Marshal(&okMsg)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
continue userAuthLoop
|
||||||
|
}
|
||||||
|
authErr = candidate.result
|
||||||
|
} else {
|
||||||
|
sig, payload, ok := parseSignature(payload)
|
||||||
|
if !ok || len(payload) > 0 {
|
||||||
|
return nil, parseError(msgUserAuthRequest)
|
||||||
|
}
|
||||||
|
// Ensure the public key algo and signature algo
|
||||||
|
// are supported. Compare the private key
|
||||||
|
// algorithm name that corresponds to algo with
|
||||||
|
// sig.Format. This is usually the same, but
|
||||||
|
// for certs, the names differ.
|
||||||
|
if !isAcceptableAlgo(sig.Format) {
|
||||||
|
authErr = fmt.Errorf("ssh: algorithm %q not accepted", sig.Format)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
signedData := buildDataSignedForAuth(sessionID, userAuthReq, algoBytes, pubKeyData)
|
||||||
|
|
||||||
|
if err := pubKey.Verify(signedData, sig); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
authErr = candidate.result
|
||||||
|
perms = candidate.perms
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
authErr = fmt.Errorf("ssh: unknown method %q", userAuthReq.Method)
|
||||||
|
}
|
||||||
|
|
||||||
|
authErrs = append(authErrs, authErr)
|
||||||
|
|
||||||
|
if config.AuthLogCallback != nil {
|
||||||
|
config.AuthLogCallback(s, userAuthReq.Method, authErr)
|
||||||
|
}
|
||||||
|
|
||||||
|
if authErr == nil {
|
||||||
|
break userAuthLoop
|
||||||
|
}
|
||||||
|
|
||||||
|
authFailures++
|
||||||
|
|
||||||
|
var failureMsg userAuthFailureMsg
|
||||||
|
if config.PasswordCallback != nil {
|
||||||
|
failureMsg.Methods = append(failureMsg.Methods, "password")
|
||||||
|
}
|
||||||
|
if config.PublicKeyCallback != nil {
|
||||||
|
failureMsg.Methods = append(failureMsg.Methods, "publickey")
|
||||||
|
}
|
||||||
|
if config.KeyboardInteractiveCallback != nil {
|
||||||
|
failureMsg.Methods = append(failureMsg.Methods, "keyboard-interactive")
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(failureMsg.Methods) == 0 {
|
||||||
|
return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := s.transport.writePacket(Marshal(&failureMsg)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return perms, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// sshClientKeyboardInteractive implements a ClientKeyboardInteractive by
|
||||||
|
// asking the client on the other side of a ServerConn.
|
||||||
|
type sshClientKeyboardInteractive struct {
|
||||||
|
*connection
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *sshClientKeyboardInteractive) Challenge(user, instruction string, questions []string, echos []bool) (answers []string, err error) {
|
||||||
|
if len(questions) != len(echos) {
|
||||||
|
return nil, errors.New("ssh: echos and questions must have equal length")
|
||||||
|
}
|
||||||
|
|
||||||
|
var prompts []byte
|
||||||
|
for i := range questions {
|
||||||
|
prompts = appendString(prompts, questions[i])
|
||||||
|
prompts = appendBool(prompts, echos[i])
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := c.transport.writePacket(Marshal(&userAuthInfoRequestMsg{
|
||||||
|
Instruction: instruction,
|
||||||
|
NumPrompts: uint32(len(questions)),
|
||||||
|
Prompts: prompts,
|
||||||
|
})); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
packet, err := c.transport.readPacket()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if packet[0] != msgUserAuthInfoResponse {
|
||||||
|
return nil, unexpectedMessageError(msgUserAuthInfoResponse, packet[0])
|
||||||
|
}
|
||||||
|
packet = packet[1:]
|
||||||
|
|
||||||
|
n, packet, ok := parseUint32(packet)
|
||||||
|
if !ok || int(n) != len(questions) {
|
||||||
|
return nil, parseError(msgUserAuthInfoResponse)
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := uint32(0); i < n; i++ {
|
||||||
|
ans, rest, ok := parseString(packet)
|
||||||
|
if !ok {
|
||||||
|
return nil, parseError(msgUserAuthInfoResponse)
|
||||||
|
}
|
||||||
|
|
||||||
|
answers = append(answers, string(ans))
|
||||||
|
packet = rest
|
||||||
|
}
|
||||||
|
if len(packet) != 0 {
|
||||||
|
return nil, errors.New("ssh: junk at end of message")
|
||||||
|
}
|
||||||
|
|
||||||
|
return answers, nil
|
||||||
|
}
|
|
@ -0,0 +1,647 @@
|
||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
// Session implements an interactive session described in
|
||||||
|
// "RFC 4254, section 6".
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
"sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
type Signal string
|
||||||
|
|
||||||
|
// POSIX signals as listed in RFC 4254 Section 6.10.
|
||||||
|
const (
|
||||||
|
SIGABRT Signal = "ABRT"
|
||||||
|
SIGALRM Signal = "ALRM"
|
||||||
|
SIGFPE Signal = "FPE"
|
||||||
|
SIGHUP Signal = "HUP"
|
||||||
|
SIGILL Signal = "ILL"
|
||||||
|
SIGINT Signal = "INT"
|
||||||
|
SIGKILL Signal = "KILL"
|
||||||
|
SIGPIPE Signal = "PIPE"
|
||||||
|
SIGQUIT Signal = "QUIT"
|
||||||
|
SIGSEGV Signal = "SEGV"
|
||||||
|
SIGTERM Signal = "TERM"
|
||||||
|
SIGUSR1 Signal = "USR1"
|
||||||
|
SIGUSR2 Signal = "USR2"
|
||||||
|
)
|
||||||
|
|
||||||
|
var signals = map[Signal]int{
|
||||||
|
SIGABRT: 6,
|
||||||
|
SIGALRM: 14,
|
||||||
|
SIGFPE: 8,
|
||||||
|
SIGHUP: 1,
|
||||||
|
SIGILL: 4,
|
||||||
|
SIGINT: 2,
|
||||||
|
SIGKILL: 9,
|
||||||
|
SIGPIPE: 13,
|
||||||
|
SIGQUIT: 3,
|
||||||
|
SIGSEGV: 11,
|
||||||
|
SIGTERM: 15,
|
||||||
|
}
|
||||||
|
|
||||||
|
type TerminalModes map[uint8]uint32
|
||||||
|
|
||||||
|
// POSIX terminal mode flags as listed in RFC 4254 Section 8.
|
||||||
|
const (
|
||||||
|
tty_OP_END = 0
|
||||||
|
VINTR = 1
|
||||||
|
VQUIT = 2
|
||||||
|
VERASE = 3
|
||||||
|
VKILL = 4
|
||||||
|
VEOF = 5
|
||||||
|
VEOL = 6
|
||||||
|
VEOL2 = 7
|
||||||
|
VSTART = 8
|
||||||
|
VSTOP = 9
|
||||||
|
VSUSP = 10
|
||||||
|
VDSUSP = 11
|
||||||
|
VREPRINT = 12
|
||||||
|
VWERASE = 13
|
||||||
|
VLNEXT = 14
|
||||||
|
VFLUSH = 15
|
||||||
|
VSWTCH = 16
|
||||||
|
VSTATUS = 17
|
||||||
|
VDISCARD = 18
|
||||||
|
IGNPAR = 30
|
||||||
|
PARMRK = 31
|
||||||
|
INPCK = 32
|
||||||
|
ISTRIP = 33
|
||||||
|
INLCR = 34
|
||||||
|
IGNCR = 35
|
||||||
|
ICRNL = 36
|
||||||
|
IUCLC = 37
|
||||||
|
IXON = 38
|
||||||
|
IXANY = 39
|
||||||
|
IXOFF = 40
|
||||||
|
IMAXBEL = 41
|
||||||
|
ISIG = 50
|
||||||
|
ICANON = 51
|
||||||
|
XCASE = 52
|
||||||
|
ECHO = 53
|
||||||
|
ECHOE = 54
|
||||||
|
ECHOK = 55
|
||||||
|
ECHONL = 56
|
||||||
|
NOFLSH = 57
|
||||||
|
TOSTOP = 58
|
||||||
|
IEXTEN = 59
|
||||||
|
ECHOCTL = 60
|
||||||
|
ECHOKE = 61
|
||||||
|
PENDIN = 62
|
||||||
|
OPOST = 70
|
||||||
|
OLCUC = 71
|
||||||
|
ONLCR = 72
|
||||||
|
OCRNL = 73
|
||||||
|
ONOCR = 74
|
||||||
|
ONLRET = 75
|
||||||
|
CS7 = 90
|
||||||
|
CS8 = 91
|
||||||
|
PARENB = 92
|
||||||
|
PARODD = 93
|
||||||
|
TTY_OP_ISPEED = 128
|
||||||
|
TTY_OP_OSPEED = 129
|
||||||
|
)
|
||||||
|
|
||||||
|
// A Session represents a connection to a remote command or shell.
|
||||||
|
type Session struct {
|
||||||
|
// Stdin specifies the remote process's standard input.
|
||||||
|
// If Stdin is nil, the remote process reads from an empty
|
||||||
|
// bytes.Buffer.
|
||||||
|
Stdin io.Reader
|
||||||
|
|
||||||
|
// Stdout and Stderr specify the remote process's standard
|
||||||
|
// output and error.
|
||||||
|
//
|
||||||
|
// If either is nil, Run connects the corresponding file
|
||||||
|
// descriptor to an instance of ioutil.Discard. There is a
|
||||||
|
// fixed amount of buffering that is shared for the two streams.
|
||||||
|
// If either blocks it may eventually cause the remote
|
||||||
|
// command to block.
|
||||||
|
Stdout io.Writer
|
||||||
|
Stderr io.Writer
|
||||||
|
|
||||||
|
ch Channel // the channel backing this session
|
||||||
|
started bool // true once Start, Run or Shell is invoked.
|
||||||
|
copyFuncs []func() error
|
||||||
|
errors chan error // one send per copyFunc
|
||||||
|
|
||||||
|
// true if pipe method is active
|
||||||
|
stdinpipe, stdoutpipe, stderrpipe bool
|
||||||
|
|
||||||
|
// stdinPipeWriter is non-nil if StdinPipe has not been called
|
||||||
|
// and Stdin was specified by the user; it is the write end of
|
||||||
|
// a pipe connecting Session.Stdin to the stdin channel.
|
||||||
|
stdinPipeWriter io.WriteCloser
|
||||||
|
|
||||||
|
exitStatus chan error
|
||||||
|
}
|
||||||
|
|
||||||
|
// SendRequest sends an out-of-band channel request on the SSH channel
|
||||||
|
// underlying the session.
|
||||||
|
func (s *Session) SendRequest(name string, wantReply bool, payload []byte) (bool, error) {
|
||||||
|
return s.ch.SendRequest(name, wantReply, payload)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *Session) Close() error {
|
||||||
|
return s.ch.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
// RFC 4254 Section 6.4.
|
||||||
|
type setenvRequest struct {
|
||||||
|
Name string
|
||||||
|
Value string
|
||||||
|
}
|
||||||
|
|
||||||
|
// Setenv sets an environment variable that will be applied to any
|
||||||
|
// command executed by Shell or Run.
|
||||||
|
func (s *Session) Setenv(name, value string) error {
|
||||||
|
msg := setenvRequest{
|
||||||
|
Name: name,
|
||||||
|
Value: value,
|
||||||
|
}
|
||||||
|
ok, err := s.ch.SendRequest("env", true, Marshal(&msg))
|
||||||
|
if err == nil && !ok {
|
||||||
|
err = errors.New("ssh: setenv failed")
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// RFC 4254 Section 6.2.
|
||||||
|
type ptyRequestMsg struct {
|
||||||
|
Term string
|
||||||
|
Columns uint32
|
||||||
|
Rows uint32
|
||||||
|
Width uint32
|
||||||
|
Height uint32
|
||||||
|
Modelist string
|
||||||
|
}
|
||||||
|
|
||||||
|
// RequestPty requests the association of a pty with the session on the remote host.
|
||||||
|
func (s *Session) RequestPty(term string, h, w int, termmodes TerminalModes) error {
|
||||||
|
var tm []byte
|
||||||
|
for k, v := range termmodes {
|
||||||
|
kv := struct {
|
||||||
|
Key byte
|
||||||
|
Val uint32
|
||||||
|
}{k, v}
|
||||||
|
|
||||||
|
tm = append(tm, Marshal(&kv)...)
|
||||||
|
}
|
||||||
|
tm = append(tm, tty_OP_END)
|
||||||
|
req := ptyRequestMsg{
|
||||||
|
Term: term,
|
||||||
|
Columns: uint32(w),
|
||||||
|
Rows: uint32(h),
|
||||||
|
Width: uint32(w * 8),
|
||||||
|
Height: uint32(h * 8),
|
||||||
|
Modelist: string(tm),
|
||||||
|
}
|
||||||
|
ok, err := s.ch.SendRequest("pty-req", true, Marshal(&req))
|
||||||
|
if err == nil && !ok {
|
||||||
|
err = errors.New("ssh: pty-req failed")
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// RFC 4254 Section 6.5.
|
||||||
|
type subsystemRequestMsg struct {
|
||||||
|
Subsystem string
|
||||||
|
}
|
||||||
|
|
||||||
|
// RequestSubsystem requests the association of a subsystem with the session on the remote host.
|
||||||
|
// A subsystem is a predefined command that runs in the background when the ssh session is initiated
|
||||||
|
func (s *Session) RequestSubsystem(subsystem string) error {
|
||||||
|
msg := subsystemRequestMsg{
|
||||||
|
Subsystem: subsystem,
|
||||||
|
}
|
||||||
|
ok, err := s.ch.SendRequest("subsystem", true, Marshal(&msg))
|
||||||
|
if err == nil && !ok {
|
||||||
|
err = errors.New("ssh: subsystem request failed")
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// RFC 4254 Section 6.7.
|
||||||
|
type ptyWindowChangeMsg struct {
|
||||||
|
Columns uint32
|
||||||
|
Rows uint32
|
||||||
|
Width uint32
|
||||||
|
Height uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
// WindowChange informs the remote host about a terminal window dimension change to h rows and w columns.
|
||||||
|
func (s *Session) WindowChange(h, w int) error {
|
||||||
|
req := ptyWindowChangeMsg{
|
||||||
|
Columns: uint32(w),
|
||||||
|
Rows: uint32(h),
|
||||||
|
Width: uint32(w * 8),
|
||||||
|
Height: uint32(h * 8),
|
||||||
|
}
|
||||||
|
_, err := s.ch.SendRequest("window-change", false, Marshal(&req))
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// RFC 4254 Section 6.9.
|
||||||
|
type signalMsg struct {
|
||||||
|
Signal string
|
||||||
|
}
|
||||||
|
|
||||||
|
// Signal sends the given signal to the remote process.
|
||||||
|
// sig is one of the SIG* constants.
|
||||||
|
func (s *Session) Signal(sig Signal) error {
|
||||||
|
msg := signalMsg{
|
||||||
|
Signal: string(sig),
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err := s.ch.SendRequest("signal", false, Marshal(&msg))
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// RFC 4254 Section 6.5.
|
||||||
|
type execMsg struct {
|
||||||
|
Command string
|
||||||
|
}
|
||||||
|
|
||||||
|
// Start runs cmd on the remote host. Typically, the remote
|
||||||
|
// server passes cmd to the shell for interpretation.
|
||||||
|
// A Session only accepts one call to Run, Start or Shell.
|
||||||
|
func (s *Session) Start(cmd string) error {
|
||||||
|
if s.started {
|
||||||
|
return errors.New("ssh: session already started")
|
||||||
|
}
|
||||||
|
req := execMsg{
|
||||||
|
Command: cmd,
|
||||||
|
}
|
||||||
|
|
||||||
|
ok, err := s.ch.SendRequest("exec", true, Marshal(&req))
|
||||||
|
if err == nil && !ok {
|
||||||
|
err = fmt.Errorf("ssh: command %v failed", cmd)
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return s.start()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Run runs cmd on the remote host. Typically, the remote
|
||||||
|
// server passes cmd to the shell for interpretation.
|
||||||
|
// A Session only accepts one call to Run, Start, Shell, Output,
|
||||||
|
// or CombinedOutput.
|
||||||
|
//
|
||||||
|
// The returned error is nil if the command runs, has no problems
|
||||||
|
// copying stdin, stdout, and stderr, and exits with a zero exit
|
||||||
|
// status.
|
||||||
|
//
|
||||||
|
// If the remote server does not send an exit status, an error of type
|
||||||
|
// *ExitMissingError is returned. If the command completes
|
||||||
|
// unsuccessfully or is interrupted by a signal, the error is of type
|
||||||
|
// *ExitError. Other error types may be returned for I/O problems.
|
||||||
|
func (s *Session) Run(cmd string) error {
|
||||||
|
err := s.Start(cmd)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return s.Wait()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Output runs cmd on the remote host and returns its standard output.
|
||||||
|
func (s *Session) Output(cmd string) ([]byte, error) {
|
||||||
|
if s.Stdout != nil {
|
||||||
|
return nil, errors.New("ssh: Stdout already set")
|
||||||
|
}
|
||||||
|
var b bytes.Buffer
|
||||||
|
s.Stdout = &b
|
||||||
|
err := s.Run(cmd)
|
||||||
|
return b.Bytes(), err
|
||||||
|
}
|
||||||
|
|
||||||
|
type singleWriter struct {
|
||||||
|
b bytes.Buffer
|
||||||
|
mu sync.Mutex
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w *singleWriter) Write(p []byte) (int, error) {
|
||||||
|
w.mu.Lock()
|
||||||
|
defer w.mu.Unlock()
|
||||||
|
return w.b.Write(p)
|
||||||
|
}
|
||||||
|
|
||||||
|
// CombinedOutput runs cmd on the remote host and returns its combined
|
||||||
|
// standard output and standard error.
|
||||||
|
func (s *Session) CombinedOutput(cmd string) ([]byte, error) {
|
||||||
|
if s.Stdout != nil {
|
||||||
|
return nil, errors.New("ssh: Stdout already set")
|
||||||
|
}
|
||||||
|
if s.Stderr != nil {
|
||||||
|
return nil, errors.New("ssh: Stderr already set")
|
||||||
|
}
|
||||||
|
var b singleWriter
|
||||||
|
s.Stdout = &b
|
||||||
|
s.Stderr = &b
|
||||||
|
err := s.Run(cmd)
|
||||||
|
return b.b.Bytes(), err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Shell starts a login shell on the remote host. A Session only
|
||||||
|
// accepts one call to Run, Start, Shell, Output, or CombinedOutput.
|
||||||
|
func (s *Session) Shell() error {
|
||||||
|
if s.started {
|
||||||
|
return errors.New("ssh: session already started")
|
||||||
|
}
|
||||||
|
|
||||||
|
ok, err := s.ch.SendRequest("shell", true, nil)
|
||||||
|
if err == nil && !ok {
|
||||||
|
return errors.New("ssh: could not start shell")
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return s.start()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *Session) start() error {
|
||||||
|
s.started = true
|
||||||
|
|
||||||
|
type F func(*Session)
|
||||||
|
for _, setupFd := range []F{(*Session).stdin, (*Session).stdout, (*Session).stderr} {
|
||||||
|
setupFd(s)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.errors = make(chan error, len(s.copyFuncs))
|
||||||
|
for _, fn := range s.copyFuncs {
|
||||||
|
go func(fn func() error) {
|
||||||
|
s.errors <- fn()
|
||||||
|
}(fn)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Wait waits for the remote command to exit.
|
||||||
|
//
|
||||||
|
// The returned error is nil if the command runs, has no problems
|
||||||
|
// copying stdin, stdout, and stderr, and exits with a zero exit
|
||||||
|
// status.
|
||||||
|
//
|
||||||
|
// If the remote server does not send an exit status, an error of type
|
||||||
|
// *ExitMissingError is returned. If the command completes
|
||||||
|
// unsuccessfully or is interrupted by a signal, the error is of type
|
||||||
|
// *ExitError. Other error types may be returned for I/O problems.
|
||||||
|
func (s *Session) Wait() error {
|
||||||
|
if !s.started {
|
||||||
|
return errors.New("ssh: session not started")
|
||||||
|
}
|
||||||
|
waitErr := <-s.exitStatus
|
||||||
|
|
||||||
|
if s.stdinPipeWriter != nil {
|
||||||
|
s.stdinPipeWriter.Close()
|
||||||
|
}
|
||||||
|
var copyError error
|
||||||
|
for range s.copyFuncs {
|
||||||
|
if err := <-s.errors; err != nil && copyError == nil {
|
||||||
|
copyError = err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if waitErr != nil {
|
||||||
|
return waitErr
|
||||||
|
}
|
||||||
|
return copyError
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *Session) wait(reqs <-chan *Request) error {
|
||||||
|
wm := Waitmsg{status: -1}
|
||||||
|
// Wait for msg channel to be closed before returning.
|
||||||
|
for msg := range reqs {
|
||||||
|
switch msg.Type {
|
||||||
|
case "exit-status":
|
||||||
|
wm.status = int(binary.BigEndian.Uint32(msg.Payload))
|
||||||
|
case "exit-signal":
|
||||||
|
var sigval struct {
|
||||||
|
Signal string
|
||||||
|
CoreDumped bool
|
||||||
|
Error string
|
||||||
|
Lang string
|
||||||
|
}
|
||||||
|
if err := Unmarshal(msg.Payload, &sigval); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Must sanitize strings?
|
||||||
|
wm.signal = sigval.Signal
|
||||||
|
wm.msg = sigval.Error
|
||||||
|
wm.lang = sigval.Lang
|
||||||
|
default:
|
||||||
|
// This handles keepalives and matches
|
||||||
|
// OpenSSH's behaviour.
|
||||||
|
if msg.WantReply {
|
||||||
|
msg.Reply(false, nil)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if wm.status == 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
if wm.status == -1 {
|
||||||
|
// exit-status was never sent from server
|
||||||
|
if wm.signal == "" {
|
||||||
|
// signal was not sent either. RFC 4254
|
||||||
|
// section 6.10 recommends against this
|
||||||
|
// behavior, but it is allowed, so we let
|
||||||
|
// clients handle it.
|
||||||
|
return &ExitMissingError{}
|
||||||
|
}
|
||||||
|
wm.status = 128
|
||||||
|
if _, ok := signals[Signal(wm.signal)]; ok {
|
||||||
|
wm.status += signals[Signal(wm.signal)]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return &ExitError{wm}
|
||||||
|
}
|
||||||
|
|
||||||
|
// ExitMissingError is returned if a session is torn down cleanly, but
|
||||||
|
// the server sends no confirmation of the exit status.
|
||||||
|
type ExitMissingError struct{}
|
||||||
|
|
||||||
|
func (e *ExitMissingError) Error() string {
|
||||||
|
return "wait: remote command exited without exit status or exit signal"
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *Session) stdin() {
|
||||||
|
if s.stdinpipe {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
var stdin io.Reader
|
||||||
|
if s.Stdin == nil {
|
||||||
|
stdin = new(bytes.Buffer)
|
||||||
|
} else {
|
||||||
|
r, w := io.Pipe()
|
||||||
|
go func() {
|
||||||
|
_, err := io.Copy(w, s.Stdin)
|
||||||
|
w.CloseWithError(err)
|
||||||
|
}()
|
||||||
|
stdin, s.stdinPipeWriter = r, w
|
||||||
|
}
|
||||||
|
s.copyFuncs = append(s.copyFuncs, func() error {
|
||||||
|
_, err := io.Copy(s.ch, stdin)
|
||||||
|
if err1 := s.ch.CloseWrite(); err == nil && err1 != io.EOF {
|
||||||
|
err = err1
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *Session) stdout() {
|
||||||
|
if s.stdoutpipe {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if s.Stdout == nil {
|
||||||
|
s.Stdout = ioutil.Discard
|
||||||
|
}
|
||||||
|
s.copyFuncs = append(s.copyFuncs, func() error {
|
||||||
|
_, err := io.Copy(s.Stdout, s.ch)
|
||||||
|
return err
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *Session) stderr() {
|
||||||
|
if s.stderrpipe {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if s.Stderr == nil {
|
||||||
|
s.Stderr = ioutil.Discard
|
||||||
|
}
|
||||||
|
s.copyFuncs = append(s.copyFuncs, func() error {
|
||||||
|
_, err := io.Copy(s.Stderr, s.ch.Stderr())
|
||||||
|
return err
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// sessionStdin reroutes Close to CloseWrite.
|
||||||
|
type sessionStdin struct {
|
||||||
|
io.Writer
|
||||||
|
ch Channel
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *sessionStdin) Close() error {
|
||||||
|
return s.ch.CloseWrite()
|
||||||
|
}
|
||||||
|
|
||||||
|
// StdinPipe returns a pipe that will be connected to the
|
||||||
|
// remote command's standard input when the command starts.
|
||||||
|
func (s *Session) StdinPipe() (io.WriteCloser, error) {
|
||||||
|
if s.Stdin != nil {
|
||||||
|
return nil, errors.New("ssh: Stdin already set")
|
||||||
|
}
|
||||||
|
if s.started {
|
||||||
|
return nil, errors.New("ssh: StdinPipe after process started")
|
||||||
|
}
|
||||||
|
s.stdinpipe = true
|
||||||
|
return &sessionStdin{s.ch, s.ch}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// StdoutPipe returns a pipe that will be connected to the
|
||||||
|
// remote command's standard output when the command starts.
|
||||||
|
// There is a fixed amount of buffering that is shared between
|
||||||
|
// stdout and stderr streams. If the StdoutPipe reader is
|
||||||
|
// not serviced fast enough it may eventually cause the
|
||||||
|
// remote command to block.
|
||||||
|
func (s *Session) StdoutPipe() (io.Reader, error) {
|
||||||
|
if s.Stdout != nil {
|
||||||
|
return nil, errors.New("ssh: Stdout already set")
|
||||||
|
}
|
||||||
|
if s.started {
|
||||||
|
return nil, errors.New("ssh: StdoutPipe after process started")
|
||||||
|
}
|
||||||
|
s.stdoutpipe = true
|
||||||
|
return s.ch, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// StderrPipe returns a pipe that will be connected to the
|
||||||
|
// remote command's standard error when the command starts.
|
||||||
|
// There is a fixed amount of buffering that is shared between
|
||||||
|
// stdout and stderr streams. If the StderrPipe reader is
|
||||||
|
// not serviced fast enough it may eventually cause the
|
||||||
|
// remote command to block.
|
||||||
|
func (s *Session) StderrPipe() (io.Reader, error) {
|
||||||
|
if s.Stderr != nil {
|
||||||
|
return nil, errors.New("ssh: Stderr already set")
|
||||||
|
}
|
||||||
|
if s.started {
|
||||||
|
return nil, errors.New("ssh: StderrPipe after process started")
|
||||||
|
}
|
||||||
|
s.stderrpipe = true
|
||||||
|
return s.ch.Stderr(), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// newSession returns a new interactive session on the remote host.
|
||||||
|
func newSession(ch Channel, reqs <-chan *Request) (*Session, error) {
|
||||||
|
s := &Session{
|
||||||
|
ch: ch,
|
||||||
|
}
|
||||||
|
s.exitStatus = make(chan error, 1)
|
||||||
|
go func() {
|
||||||
|
s.exitStatus <- s.wait(reqs)
|
||||||
|
}()
|
||||||
|
|
||||||
|
return s, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// An ExitError reports unsuccessful completion of a remote command.
|
||||||
|
type ExitError struct {
|
||||||
|
Waitmsg
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *ExitError) Error() string {
|
||||||
|
return e.Waitmsg.String()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Waitmsg stores the information about an exited remote command
|
||||||
|
// as reported by Wait.
|
||||||
|
type Waitmsg struct {
|
||||||
|
status int
|
||||||
|
signal string
|
||||||
|
msg string
|
||||||
|
lang string
|
||||||
|
}
|
||||||
|
|
||||||
|
// ExitStatus returns the exit status of the remote command.
|
||||||
|
func (w Waitmsg) ExitStatus() int {
|
||||||
|
return w.status
|
||||||
|
}
|
||||||
|
|
||||||
|
// Signal returns the exit signal of the remote command if
|
||||||
|
// it was terminated violently.
|
||||||
|
func (w Waitmsg) Signal() string {
|
||||||
|
return w.signal
|
||||||
|
}
|
||||||
|
|
||||||
|
// Msg returns the exit message given by the remote command
|
||||||
|
func (w Waitmsg) Msg() string {
|
||||||
|
return w.msg
|
||||||
|
}
|
||||||
|
|
||||||
|
// Lang returns the language tag. See RFC 3066
|
||||||
|
func (w Waitmsg) Lang() string {
|
||||||
|
return w.lang
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w Waitmsg) String() string {
|
||||||
|
str := fmt.Sprintf("Process exited with status %v", w.status)
|
||||||
|
if w.signal != "" {
|
||||||
|
str += fmt.Sprintf(" from signal %v", w.signal)
|
||||||
|
}
|
||||||
|
if w.msg != "" {
|
||||||
|
str += fmt.Sprintf(". Reason was: %v", w.msg)
|
||||||
|
}
|
||||||
|
return str
|
||||||
|
}
|
|
@ -0,0 +1,116 @@
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"io"
|
||||||
|
"net"
|
||||||
|
)
|
||||||
|
|
||||||
|
// streamLocalChannelOpenDirectMsg is a struct used for SSH_MSG_CHANNEL_OPEN message
|
||||||
|
// with "direct-streamlocal@openssh.com" string.
|
||||||
|
//
|
||||||
|
// See openssh-portable/PROTOCOL, section 2.4. connection: Unix domain socket forwarding
|
||||||
|
// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL#L235
|
||||||
|
type streamLocalChannelOpenDirectMsg struct {
|
||||||
|
socketPath string
|
||||||
|
reserved0 string
|
||||||
|
reserved1 uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
// forwardedStreamLocalPayload is a struct used for SSH_MSG_CHANNEL_OPEN message
|
||||||
|
// with "forwarded-streamlocal@openssh.com" string.
|
||||||
|
type forwardedStreamLocalPayload struct {
|
||||||
|
SocketPath string
|
||||||
|
Reserved0 string
|
||||||
|
}
|
||||||
|
|
||||||
|
// streamLocalChannelForwardMsg is a struct used for SSH2_MSG_GLOBAL_REQUEST message
|
||||||
|
// with "streamlocal-forward@openssh.com"/"cancel-streamlocal-forward@openssh.com" string.
|
||||||
|
type streamLocalChannelForwardMsg struct {
|
||||||
|
socketPath string
|
||||||
|
}
|
||||||
|
|
||||||
|
// ListenUnix is similar to ListenTCP but uses a Unix domain socket.
|
||||||
|
func (c *Client) ListenUnix(socketPath string) (net.Listener, error) {
|
||||||
|
c.handleForwardsOnce.Do(c.handleForwards)
|
||||||
|
m := streamLocalChannelForwardMsg{
|
||||||
|
socketPath,
|
||||||
|
}
|
||||||
|
// send message
|
||||||
|
ok, _, err := c.SendRequest("streamlocal-forward@openssh.com", true, Marshal(&m))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.New("ssh: streamlocal-forward@openssh.com request denied by peer")
|
||||||
|
}
|
||||||
|
ch := c.forwards.add(&net.UnixAddr{Name: socketPath, Net: "unix"})
|
||||||
|
|
||||||
|
return &unixListener{socketPath, c, ch}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Client) dialStreamLocal(socketPath string) (Channel, error) {
|
||||||
|
msg := streamLocalChannelOpenDirectMsg{
|
||||||
|
socketPath: socketPath,
|
||||||
|
}
|
||||||
|
ch, in, err := c.OpenChannel("direct-streamlocal@openssh.com", Marshal(&msg))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
go DiscardRequests(in)
|
||||||
|
return ch, err
|
||||||
|
}
|
||||||
|
|
||||||
|
type unixListener struct {
|
||||||
|
socketPath string
|
||||||
|
|
||||||
|
conn *Client
|
||||||
|
in <-chan forward
|
||||||
|
}
|
||||||
|
|
||||||
|
// Accept waits for and returns the next connection to the listener.
|
||||||
|
func (l *unixListener) Accept() (net.Conn, error) {
|
||||||
|
s, ok := <-l.in
|
||||||
|
if !ok {
|
||||||
|
return nil, io.EOF
|
||||||
|
}
|
||||||
|
ch, incoming, err := s.newCh.Accept()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
go DiscardRequests(incoming)
|
||||||
|
|
||||||
|
return &chanConn{
|
||||||
|
Channel: ch,
|
||||||
|
laddr: &net.UnixAddr{
|
||||||
|
Name: l.socketPath,
|
||||||
|
Net: "unix",
|
||||||
|
},
|
||||||
|
raddr: &net.UnixAddr{
|
||||||
|
Name: "@",
|
||||||
|
Net: "unix",
|
||||||
|
},
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Close closes the listener.
|
||||||
|
func (l *unixListener) Close() error {
|
||||||
|
// this also closes the listener.
|
||||||
|
l.conn.forwards.remove(&net.UnixAddr{Name: l.socketPath, Net: "unix"})
|
||||||
|
m := streamLocalChannelForwardMsg{
|
||||||
|
l.socketPath,
|
||||||
|
}
|
||||||
|
ok, _, err := l.conn.SendRequest("cancel-streamlocal-forward@openssh.com", true, Marshal(&m))
|
||||||
|
if err == nil && !ok {
|
||||||
|
err = errors.New("ssh: cancel-streamlocal-forward@openssh.com failed")
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Addr returns the listener's network address.
|
||||||
|
func (l *unixListener) Addr() net.Addr {
|
||||||
|
return &net.UnixAddr{
|
||||||
|
Name: l.socketPath,
|
||||||
|
Net: "unix",
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,474 @@
|
||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"math/rand"
|
||||||
|
"net"
|
||||||
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
"sync"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Listen requests the remote peer open a listening socket on
|
||||||
|
// addr. Incoming connections will be available by calling Accept on
|
||||||
|
// the returned net.Listener. The listener must be serviced, or the
|
||||||
|
// SSH connection may hang.
|
||||||
|
// N must be "tcp", "tcp4", "tcp6", or "unix".
|
||||||
|
func (c *Client) Listen(n, addr string) (net.Listener, error) {
|
||||||
|
switch n {
|
||||||
|
case "tcp", "tcp4", "tcp6":
|
||||||
|
laddr, err := net.ResolveTCPAddr(n, addr)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return c.ListenTCP(laddr)
|
||||||
|
case "unix":
|
||||||
|
return c.ListenUnix(addr)
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("ssh: unsupported protocol: %s", n)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Automatic port allocation is broken with OpenSSH before 6.0. See
|
||||||
|
// also https://bugzilla.mindrot.org/show_bug.cgi?id=2017. In
|
||||||
|
// particular, OpenSSH 5.9 sends a channelOpenMsg with port number 0,
|
||||||
|
// rather than the actual port number. This means you can never open
|
||||||
|
// two different listeners with auto allocated ports. We work around
|
||||||
|
// this by trying explicit ports until we succeed.
|
||||||
|
|
||||||
|
const openSSHPrefix = "OpenSSH_"
|
||||||
|
|
||||||
|
var portRandomizer = rand.New(rand.NewSource(time.Now().UnixNano()))
|
||||||
|
|
||||||
|
// isBrokenOpenSSHVersion returns true if the given version string
|
||||||
|
// specifies a version of OpenSSH that is known to have a bug in port
|
||||||
|
// forwarding.
|
||||||
|
func isBrokenOpenSSHVersion(versionStr string) bool {
|
||||||
|
i := strings.Index(versionStr, openSSHPrefix)
|
||||||
|
if i < 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
i += len(openSSHPrefix)
|
||||||
|
j := i
|
||||||
|
for ; j < len(versionStr); j++ {
|
||||||
|
if versionStr[j] < '0' || versionStr[j] > '9' {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version, _ := strconv.Atoi(versionStr[i:j])
|
||||||
|
return version < 6
|
||||||
|
}
|
||||||
|
|
||||||
|
// autoPortListenWorkaround simulates automatic port allocation by
|
||||||
|
// trying random ports repeatedly.
|
||||||
|
func (c *Client) autoPortListenWorkaround(laddr *net.TCPAddr) (net.Listener, error) {
|
||||||
|
var sshListener net.Listener
|
||||||
|
var err error
|
||||||
|
const tries = 10
|
||||||
|
for i := 0; i < tries; i++ {
|
||||||
|
addr := *laddr
|
||||||
|
addr.Port = 1024 + portRandomizer.Intn(60000)
|
||||||
|
sshListener, err = c.ListenTCP(&addr)
|
||||||
|
if err == nil {
|
||||||
|
laddr.Port = addr.Port
|
||||||
|
return sshListener, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil, fmt.Errorf("ssh: listen on random port failed after %d tries: %v", tries, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RFC 4254 7.1
|
||||||
|
type channelForwardMsg struct {
|
||||||
|
addr string
|
||||||
|
rport uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
// handleForwards starts goroutines handling forwarded connections.
|
||||||
|
// It's called on first use by (*Client).ListenTCP to not launch
|
||||||
|
// goroutines until needed.
|
||||||
|
func (c *Client) handleForwards() {
|
||||||
|
go c.forwards.handleChannels(c.HandleChannelOpen("forwarded-tcpip"))
|
||||||
|
go c.forwards.handleChannels(c.HandleChannelOpen("forwarded-streamlocal@openssh.com"))
|
||||||
|
}
|
||||||
|
|
||||||
|
// ListenTCP requests the remote peer open a listening socket
|
||||||
|
// on laddr. Incoming connections will be available by calling
|
||||||
|
// Accept on the returned net.Listener.
|
||||||
|
func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
|
||||||
|
c.handleForwardsOnce.Do(c.handleForwards)
|
||||||
|
if laddr.Port == 0 && isBrokenOpenSSHVersion(string(c.ServerVersion())) {
|
||||||
|
return c.autoPortListenWorkaround(laddr)
|
||||||
|
}
|
||||||
|
|
||||||
|
m := channelForwardMsg{
|
||||||
|
laddr.IP.String(),
|
||||||
|
uint32(laddr.Port),
|
||||||
|
}
|
||||||
|
// send message
|
||||||
|
ok, resp, err := c.SendRequest("tcpip-forward", true, Marshal(&m))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.New("ssh: tcpip-forward request denied by peer")
|
||||||
|
}
|
||||||
|
|
||||||
|
// If the original port was 0, then the remote side will
|
||||||
|
// supply a real port number in the response.
|
||||||
|
if laddr.Port == 0 {
|
||||||
|
var p struct {
|
||||||
|
Port uint32
|
||||||
|
}
|
||||||
|
if err := Unmarshal(resp, &p); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
laddr.Port = int(p.Port)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Register this forward, using the port number we obtained.
|
||||||
|
ch := c.forwards.add(laddr)
|
||||||
|
|
||||||
|
return &tcpListener{laddr, c, ch}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// forwardList stores a mapping between remote
|
||||||
|
// forward requests and the tcpListeners.
|
||||||
|
type forwardList struct {
|
||||||
|
sync.Mutex
|
||||||
|
entries []forwardEntry
|
||||||
|
}
|
||||||
|
|
||||||
|
// forwardEntry represents an established mapping of a laddr on a
|
||||||
|
// remote ssh server to a channel connected to a tcpListener.
|
||||||
|
type forwardEntry struct {
|
||||||
|
laddr net.Addr
|
||||||
|
c chan forward
|
||||||
|
}
|
||||||
|
|
||||||
|
// forward represents an incoming forwarded tcpip connection. The
|
||||||
|
// arguments to add/remove/lookup should be address as specified in
|
||||||
|
// the original forward-request.
|
||||||
|
type forward struct {
|
||||||
|
newCh NewChannel // the ssh client channel underlying this forward
|
||||||
|
raddr net.Addr // the raddr of the incoming connection
|
||||||
|
}
|
||||||
|
|
||||||
|
func (l *forwardList) add(addr net.Addr) chan forward {
|
||||||
|
l.Lock()
|
||||||
|
defer l.Unlock()
|
||||||
|
f := forwardEntry{
|
||||||
|
laddr: addr,
|
||||||
|
c: make(chan forward, 1),
|
||||||
|
}
|
||||||
|
l.entries = append(l.entries, f)
|
||||||
|
return f.c
|
||||||
|
}
|
||||||
|
|
||||||
|
// See RFC 4254, section 7.2
|
||||||
|
type forwardedTCPPayload struct {
|
||||||
|
Addr string
|
||||||
|
Port uint32
|
||||||
|
OriginAddr string
|
||||||
|
OriginPort uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
// parseTCPAddr parses the originating address from the remote into a *net.TCPAddr.
|
||||||
|
func parseTCPAddr(addr string, port uint32) (*net.TCPAddr, error) {
|
||||||
|
if port == 0 || port > 65535 {
|
||||||
|
return nil, fmt.Errorf("ssh: port number out of range: %d", port)
|
||||||
|
}
|
||||||
|
ip := net.ParseIP(string(addr))
|
||||||
|
if ip == nil {
|
||||||
|
return nil, fmt.Errorf("ssh: cannot parse IP address %q", addr)
|
||||||
|
}
|
||||||
|
return &net.TCPAddr{IP: ip, Port: int(port)}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (l *forwardList) handleChannels(in <-chan NewChannel) {
|
||||||
|
for ch := range in {
|
||||||
|
var (
|
||||||
|
laddr net.Addr
|
||||||
|
raddr net.Addr
|
||||||
|
err error
|
||||||
|
)
|
||||||
|
switch channelType := ch.ChannelType(); channelType {
|
||||||
|
case "forwarded-tcpip":
|
||||||
|
var payload forwardedTCPPayload
|
||||||
|
if err = Unmarshal(ch.ExtraData(), &payload); err != nil {
|
||||||
|
ch.Reject(ConnectionFailed, "could not parse forwarded-tcpip payload: "+err.Error())
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// RFC 4254 section 7.2 specifies that incoming
|
||||||
|
// addresses should list the address, in string
|
||||||
|
// format. It is implied that this should be an IP
|
||||||
|
// address, as it would be impossible to connect to it
|
||||||
|
// otherwise.
|
||||||
|
laddr, err = parseTCPAddr(payload.Addr, payload.Port)
|
||||||
|
if err != nil {
|
||||||
|
ch.Reject(ConnectionFailed, err.Error())
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
raddr, err = parseTCPAddr(payload.OriginAddr, payload.OriginPort)
|
||||||
|
if err != nil {
|
||||||
|
ch.Reject(ConnectionFailed, err.Error())
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
case "forwarded-streamlocal@openssh.com":
|
||||||
|
var payload forwardedStreamLocalPayload
|
||||||
|
if err = Unmarshal(ch.ExtraData(), &payload); err != nil {
|
||||||
|
ch.Reject(ConnectionFailed, "could not parse forwarded-streamlocal@openssh.com payload: "+err.Error())
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
laddr = &net.UnixAddr{
|
||||||
|
Name: payload.SocketPath,
|
||||||
|
Net: "unix",
|
||||||
|
}
|
||||||
|
raddr = &net.UnixAddr{
|
||||||
|
Name: "@",
|
||||||
|
Net: "unix",
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
panic(fmt.Errorf("ssh: unknown channel type %s", channelType))
|
||||||
|
}
|
||||||
|
if ok := l.forward(laddr, raddr, ch); !ok {
|
||||||
|
// Section 7.2, implementations MUST reject spurious incoming
|
||||||
|
// connections.
|
||||||
|
ch.Reject(Prohibited, "no forward for address")
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// remove removes the forward entry, and the channel feeding its
|
||||||
|
// listener.
|
||||||
|
func (l *forwardList) remove(addr net.Addr) {
|
||||||
|
l.Lock()
|
||||||
|
defer l.Unlock()
|
||||||
|
for i, f := range l.entries {
|
||||||
|
if addr.Network() == f.laddr.Network() && addr.String() == f.laddr.String() {
|
||||||
|
l.entries = append(l.entries[:i], l.entries[i+1:]...)
|
||||||
|
close(f.c)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// closeAll closes and clears all forwards.
|
||||||
|
func (l *forwardList) closeAll() {
|
||||||
|
l.Lock()
|
||||||
|
defer l.Unlock()
|
||||||
|
for _, f := range l.entries {
|
||||||
|
close(f.c)
|
||||||
|
}
|
||||||
|
l.entries = nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool {
|
||||||
|
l.Lock()
|
||||||
|
defer l.Unlock()
|
||||||
|
for _, f := range l.entries {
|
||||||
|
if laddr.Network() == f.laddr.Network() && laddr.String() == f.laddr.String() {
|
||||||
|
f.c <- forward{newCh: ch, raddr: raddr}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
type tcpListener struct {
|
||||||
|
laddr *net.TCPAddr
|
||||||
|
|
||||||
|
conn *Client
|
||||||
|
in <-chan forward
|
||||||
|
}
|
||||||
|
|
||||||
|
// Accept waits for and returns the next connection to the listener.
|
||||||
|
func (l *tcpListener) Accept() (net.Conn, error) {
|
||||||
|
s, ok := <-l.in
|
||||||
|
if !ok {
|
||||||
|
return nil, io.EOF
|
||||||
|
}
|
||||||
|
ch, incoming, err := s.newCh.Accept()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
go DiscardRequests(incoming)
|
||||||
|
|
||||||
|
return &chanConn{
|
||||||
|
Channel: ch,
|
||||||
|
laddr: l.laddr,
|
||||||
|
raddr: s.raddr,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Close closes the listener.
|
||||||
|
func (l *tcpListener) Close() error {
|
||||||
|
m := channelForwardMsg{
|
||||||
|
l.laddr.IP.String(),
|
||||||
|
uint32(l.laddr.Port),
|
||||||
|
}
|
||||||
|
|
||||||
|
// this also closes the listener.
|
||||||
|
l.conn.forwards.remove(l.laddr)
|
||||||
|
ok, _, err := l.conn.SendRequest("cancel-tcpip-forward", true, Marshal(&m))
|
||||||
|
if err == nil && !ok {
|
||||||
|
err = errors.New("ssh: cancel-tcpip-forward failed")
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Addr returns the listener's network address.
|
||||||
|
func (l *tcpListener) Addr() net.Addr {
|
||||||
|
return l.laddr
|
||||||
|
}
|
||||||
|
|
||||||
|
// Dial initiates a connection to the addr from the remote host.
|
||||||
|
// The resulting connection has a zero LocalAddr() and RemoteAddr().
|
||||||
|
func (c *Client) Dial(n, addr string) (net.Conn, error) {
|
||||||
|
var ch Channel
|
||||||
|
switch n {
|
||||||
|
case "tcp", "tcp4", "tcp6":
|
||||||
|
// Parse the address into host and numeric port.
|
||||||
|
host, portString, err := net.SplitHostPort(addr)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
port, err := strconv.ParseUint(portString, 10, 16)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
ch, err = c.dial(net.IPv4zero.String(), 0, host, int(port))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
// Use a zero address for local and remote address.
|
||||||
|
zeroAddr := &net.TCPAddr{
|
||||||
|
IP: net.IPv4zero,
|
||||||
|
Port: 0,
|
||||||
|
}
|
||||||
|
return &chanConn{
|
||||||
|
Channel: ch,
|
||||||
|
laddr: zeroAddr,
|
||||||
|
raddr: zeroAddr,
|
||||||
|
}, nil
|
||||||
|
case "unix":
|
||||||
|
var err error
|
||||||
|
ch, err = c.dialStreamLocal(addr)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return &chanConn{
|
||||||
|
Channel: ch,
|
||||||
|
laddr: &net.UnixAddr{
|
||||||
|
Name: "@",
|
||||||
|
Net: "unix",
|
||||||
|
},
|
||||||
|
raddr: &net.UnixAddr{
|
||||||
|
Name: addr,
|
||||||
|
Net: "unix",
|
||||||
|
},
|
||||||
|
}, nil
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("ssh: unsupported protocol: %s", n)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// DialTCP connects to the remote address raddr on the network net,
|
||||||
|
// which must be "tcp", "tcp4", or "tcp6". If laddr is not nil, it is used
|
||||||
|
// as the local address for the connection.
|
||||||
|
func (c *Client) DialTCP(n string, laddr, raddr *net.TCPAddr) (net.Conn, error) {
|
||||||
|
if laddr == nil {
|
||||||
|
laddr = &net.TCPAddr{
|
||||||
|
IP: net.IPv4zero,
|
||||||
|
Port: 0,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ch, err := c.dial(laddr.IP.String(), laddr.Port, raddr.IP.String(), raddr.Port)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return &chanConn{
|
||||||
|
Channel: ch,
|
||||||
|
laddr: laddr,
|
||||||
|
raddr: raddr,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// RFC 4254 7.2
|
||||||
|
type channelOpenDirectMsg struct {
|
||||||
|
raddr string
|
||||||
|
rport uint32
|
||||||
|
laddr string
|
||||||
|
lport uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Client) dial(laddr string, lport int, raddr string, rport int) (Channel, error) {
|
||||||
|
msg := channelOpenDirectMsg{
|
||||||
|
raddr: raddr,
|
||||||
|
rport: uint32(rport),
|
||||||
|
laddr: laddr,
|
||||||
|
lport: uint32(lport),
|
||||||
|
}
|
||||||
|
ch, in, err := c.OpenChannel("direct-tcpip", Marshal(&msg))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
go DiscardRequests(in)
|
||||||
|
return ch, err
|
||||||
|
}
|
||||||
|
|
||||||
|
type tcpChan struct {
|
||||||
|
Channel // the backing channel
|
||||||
|
}
|
||||||
|
|
||||||
|
// chanConn fulfills the net.Conn interface without
|
||||||
|
// the tcpChan having to hold laddr or raddr directly.
|
||||||
|
type chanConn struct {
|
||||||
|
Channel
|
||||||
|
laddr, raddr net.Addr
|
||||||
|
}
|
||||||
|
|
||||||
|
// LocalAddr returns the local network address.
|
||||||
|
func (t *chanConn) LocalAddr() net.Addr {
|
||||||
|
return t.laddr
|
||||||
|
}
|
||||||
|
|
||||||
|
// RemoteAddr returns the remote network address.
|
||||||
|
func (t *chanConn) RemoteAddr() net.Addr {
|
||||||
|
return t.raddr
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetDeadline sets the read and write deadlines associated
|
||||||
|
// with the connection.
|
||||||
|
func (t *chanConn) SetDeadline(deadline time.Time) error {
|
||||||
|
if err := t.SetReadDeadline(deadline); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return t.SetWriteDeadline(deadline)
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetReadDeadline sets the read deadline.
|
||||||
|
// A zero value for t means Read will not time out.
|
||||||
|
// After the deadline, the error from Read will implement net.Error
|
||||||
|
// with Timeout() == true.
|
||||||
|
func (t *chanConn) SetReadDeadline(deadline time.Time) error {
|
||||||
|
// for compatibility with previous version,
|
||||||
|
// the error message contains "tcpChan"
|
||||||
|
return errors.New("ssh: tcpChan: deadline not supported")
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetWriteDeadline exists to satisfy the net.Conn interface
|
||||||
|
// but is not implemented by this type. It always returns an error.
|
||||||
|
func (t *chanConn) SetWriteDeadline(deadline time.Time) error {
|
||||||
|
return errors.New("ssh: tcpChan: deadline not supported")
|
||||||
|
}
|
|
@ -0,0 +1,353 @@
|
||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package ssh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bufio"
|
||||||
|
"bytes"
|
||||||
|
"errors"
|
||||||
|
"io"
|
||||||
|
"log"
|
||||||
|
)
|
||||||
|
|
||||||
|
// debugTransport if set, will print packet types as they go over the
|
||||||
|
// wire. No message decoding is done, to minimize the impact on timing.
|
||||||
|
const debugTransport = false
|
||||||
|
|
||||||
|
const (
|
||||||
|
gcmCipherID = "aes128-gcm@openssh.com"
|
||||||
|
aes128cbcID = "aes128-cbc"
|
||||||
|
tripledescbcID = "3des-cbc"
|
||||||
|
)
|
||||||
|
|
||||||
|
// packetConn represents a transport that implements packet based
|
||||||
|
// operations.
|
||||||
|
type packetConn interface {
|
||||||
|
// Encrypt and send a packet of data to the remote peer.
|
||||||
|
writePacket(packet []byte) error
|
||||||
|
|
||||||
|
// Read a packet from the connection. The read is blocking,
|
||||||
|
// i.e. if error is nil, then the returned byte slice is
|
||||||
|
// always non-empty.
|
||||||
|
readPacket() ([]byte, error)
|
||||||
|
|
||||||
|
// Close closes the write-side of the connection.
|
||||||
|
Close() error
|
||||||
|
}
|
||||||
|
|
||||||
|
// transport is the keyingTransport that implements the SSH packet
|
||||||
|
// protocol.
|
||||||
|
type transport struct {
|
||||||
|
reader connectionState
|
||||||
|
writer connectionState
|
||||||
|
|
||||||
|
bufReader *bufio.Reader
|
||||||
|
bufWriter *bufio.Writer
|
||||||
|
rand io.Reader
|
||||||
|
isClient bool
|
||||||
|
io.Closer
|
||||||
|
}
|
||||||
|
|
||||||
|
// packetCipher represents a combination of SSH encryption/MAC
|
||||||
|
// protocol. A single instance should be used for one direction only.
|
||||||
|
type packetCipher interface {
|
||||||
|
// writeCipherPacket encrypts the packet and writes it to w. The
|
||||||
|
// contents of the packet are generally scrambled.
|
||||||
|
writeCipherPacket(seqnum uint32, w io.Writer, rand io.Reader, packet []byte) error
|
||||||
|
|
||||||
|
// readCipherPacket reads and decrypts a packet of data. The
|
||||||
|
// returned packet may be overwritten by future calls of
|
||||||
|
// readPacket.
|
||||||
|
readCipherPacket(seqnum uint32, r io.Reader) ([]byte, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
// connectionState represents one side (read or write) of the
|
||||||
|
// connection. This is necessary because each direction has its own
|
||||||
|
// keys, and can even have its own algorithms
|
||||||
|
type connectionState struct {
|
||||||
|
packetCipher
|
||||||
|
seqNum uint32
|
||||||
|
dir direction
|
||||||
|
pendingKeyChange chan packetCipher
|
||||||
|
}
|
||||||
|
|
||||||
|
// prepareKeyChange sets up key material for a keychange. The key changes in
|
||||||
|
// both directions are triggered by reading and writing a msgNewKey packet
|
||||||
|
// respectively.
|
||||||
|
func (t *transport) prepareKeyChange(algs *algorithms, kexResult *kexResult) error {
|
||||||
|
ciph, err := newPacketCipher(t.reader.dir, algs.r, kexResult)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
t.reader.pendingKeyChange <- ciph
|
||||||
|
|
||||||
|
ciph, err = newPacketCipher(t.writer.dir, algs.w, kexResult)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
t.writer.pendingKeyChange <- ciph
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *transport) printPacket(p []byte, write bool) {
|
||||||
|
if len(p) == 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
who := "server"
|
||||||
|
if t.isClient {
|
||||||
|
who = "client"
|
||||||
|
}
|
||||||
|
what := "read"
|
||||||
|
if write {
|
||||||
|
what = "write"
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Println(what, who, p[0])
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read and decrypt next packet.
|
||||||
|
func (t *transport) readPacket() (p []byte, err error) {
|
||||||
|
for {
|
||||||
|
p, err = t.reader.readPacket(t.bufReader)
|
||||||
|
if err != nil {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if len(p) == 0 || (p[0] != msgIgnore && p[0] != msgDebug) {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if debugTransport {
|
||||||
|
t.printPacket(p, false)
|
||||||
|
}
|
||||||
|
|
||||||
|
return p, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
|
||||||
|
packet, err := s.packetCipher.readCipherPacket(s.seqNum, r)
|
||||||
|
s.seqNum++
|
||||||
|
if err == nil && len(packet) == 0 {
|
||||||
|
err = errors.New("ssh: zero length packet")
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(packet) > 0 {
|
||||||
|
switch packet[0] {
|
||||||
|
case msgNewKeys:
|
||||||
|
select {
|
||||||
|
case cipher := <-s.pendingKeyChange:
|
||||||
|
s.packetCipher = cipher
|
||||||
|
default:
|
||||||
|
return nil, errors.New("ssh: got bogus newkeys message")
|
||||||
|
}
|
||||||
|
|
||||||
|
case msgDisconnect:
|
||||||
|
// Transform a disconnect message into an
|
||||||
|
// error. Since this is lowest level at which
|
||||||
|
// we interpret message types, doing it here
|
||||||
|
// ensures that we don't have to handle it
|
||||||
|
// elsewhere.
|
||||||
|
var msg disconnectMsg
|
||||||
|
if err := Unmarshal(packet, &msg); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return nil, &msg
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// The packet may point to an internal buffer, so copy the
|
||||||
|
// packet out here.
|
||||||
|
fresh := make([]byte, len(packet))
|
||||||
|
copy(fresh, packet)
|
||||||
|
|
||||||
|
return fresh, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *transport) writePacket(packet []byte) error {
|
||||||
|
if debugTransport {
|
||||||
|
t.printPacket(packet, true)
|
||||||
|
}
|
||||||
|
return t.writer.writePacket(t.bufWriter, t.rand, packet)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte) error {
|
||||||
|
changeKeys := len(packet) > 0 && packet[0] == msgNewKeys
|
||||||
|
|
||||||
|
err := s.packetCipher.writeCipherPacket(s.seqNum, w, rand, packet)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err = w.Flush(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
s.seqNum++
|
||||||
|
if changeKeys {
|
||||||
|
select {
|
||||||
|
case cipher := <-s.pendingKeyChange:
|
||||||
|
s.packetCipher = cipher
|
||||||
|
default:
|
||||||
|
panic("ssh: no key material for msgNewKeys")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
func newTransport(rwc io.ReadWriteCloser, rand io.Reader, isClient bool) *transport {
|
||||||
|
t := &transport{
|
||||||
|
bufReader: bufio.NewReader(rwc),
|
||||||
|
bufWriter: bufio.NewWriter(rwc),
|
||||||
|
rand: rand,
|
||||||
|
reader: connectionState{
|
||||||
|
packetCipher: &streamPacketCipher{cipher: noneCipher{}},
|
||||||
|
pendingKeyChange: make(chan packetCipher, 1),
|
||||||
|
},
|
||||||
|
writer: connectionState{
|
||||||
|
packetCipher: &streamPacketCipher{cipher: noneCipher{}},
|
||||||
|
pendingKeyChange: make(chan packetCipher, 1),
|
||||||
|
},
|
||||||
|
Closer: rwc,
|
||||||
|
}
|
||||||
|
t.isClient = isClient
|
||||||
|
|
||||||
|
if isClient {
|
||||||
|
t.reader.dir = serverKeys
|
||||||
|
t.writer.dir = clientKeys
|
||||||
|
} else {
|
||||||
|
t.reader.dir = clientKeys
|
||||||
|
t.writer.dir = serverKeys
|
||||||
|
}
|
||||||
|
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
type direction struct {
|
||||||
|
ivTag []byte
|
||||||
|
keyTag []byte
|
||||||
|
macKeyTag []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
serverKeys = direction{[]byte{'B'}, []byte{'D'}, []byte{'F'}}
|
||||||
|
clientKeys = direction{[]byte{'A'}, []byte{'C'}, []byte{'E'}}
|
||||||
|
)
|
||||||
|
|
||||||
|
// setupKeys sets the cipher and MAC keys from kex.K, kex.H and sessionId, as
|
||||||
|
// described in RFC 4253, section 6.4. direction should either be serverKeys
|
||||||
|
// (to setup server->client keys) or clientKeys (for client->server keys).
|
||||||
|
func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (packetCipher, error) {
|
||||||
|
cipherMode := cipherModes[algs.Cipher]
|
||||||
|
macMode := macModes[algs.MAC]
|
||||||
|
|
||||||
|
iv := make([]byte, cipherMode.ivSize)
|
||||||
|
key := make([]byte, cipherMode.keySize)
|
||||||
|
macKey := make([]byte, macMode.keySize)
|
||||||
|
|
||||||
|
generateKeyMaterial(iv, d.ivTag, kex)
|
||||||
|
generateKeyMaterial(key, d.keyTag, kex)
|
||||||
|
generateKeyMaterial(macKey, d.macKeyTag, kex)
|
||||||
|
|
||||||
|
return cipherModes[algs.Cipher].create(key, iv, macKey, algs)
|
||||||
|
}
|
||||||
|
|
||||||
|
// generateKeyMaterial fills out with key material generated from tag, K, H
|
||||||
|
// and sessionId, as specified in RFC 4253, section 7.2.
|
||||||
|
func generateKeyMaterial(out, tag []byte, r *kexResult) {
|
||||||
|
var digestsSoFar []byte
|
||||||
|
|
||||||
|
h := r.Hash.New()
|
||||||
|
for len(out) > 0 {
|
||||||
|
h.Reset()
|
||||||
|
h.Write(r.K)
|
||||||
|
h.Write(r.H)
|
||||||
|
|
||||||
|
if len(digestsSoFar) == 0 {
|
||||||
|
h.Write(tag)
|
||||||
|
h.Write(r.SessionID)
|
||||||
|
} else {
|
||||||
|
h.Write(digestsSoFar)
|
||||||
|
}
|
||||||
|
|
||||||
|
digest := h.Sum(nil)
|
||||||
|
n := copy(out, digest)
|
||||||
|
out = out[n:]
|
||||||
|
if len(out) > 0 {
|
||||||
|
digestsSoFar = append(digestsSoFar, digest...)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
const packageVersion = "SSH-2.0-Go"
|
||||||
|
|
||||||
|
// Sends and receives a version line. The versionLine string should
|
||||||
|
// be US ASCII, start with "SSH-2.0-", and should not include a
|
||||||
|
// newline. exchangeVersions returns the other side's version line.
|
||||||
|
func exchangeVersions(rw io.ReadWriter, versionLine []byte) (them []byte, err error) {
|
||||||
|
// Contrary to the RFC, we do not ignore lines that don't
|
||||||
|
// start with "SSH-2.0-" to make the library usable with
|
||||||
|
// nonconforming servers.
|
||||||
|
for _, c := range versionLine {
|
||||||
|
// The spec disallows non US-ASCII chars, and
|
||||||
|
// specifically forbids null chars.
|
||||||
|
if c < 32 {
|
||||||
|
return nil, errors.New("ssh: junk character in version line")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if _, err = rw.Write(append(versionLine, '\r', '\n')); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
them, err = readVersion(rw)
|
||||||
|
return them, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// maxVersionStringBytes is the maximum number of bytes that we'll
|
||||||
|
// accept as a version string. RFC 4253 section 4.2 limits this at 255
|
||||||
|
// chars
|
||||||
|
const maxVersionStringBytes = 255
|
||||||
|
|
||||||
|
// Read version string as specified by RFC 4253, section 4.2.
|
||||||
|
func readVersion(r io.Reader) ([]byte, error) {
|
||||||
|
versionString := make([]byte, 0, 64)
|
||||||
|
var ok bool
|
||||||
|
var buf [1]byte
|
||||||
|
|
||||||
|
for length := 0; length < maxVersionStringBytes; length++ {
|
||||||
|
_, err := io.ReadFull(r, buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
// The RFC says that the version should be terminated with \r\n
|
||||||
|
// but several SSH servers actually only send a \n.
|
||||||
|
if buf[0] == '\n' {
|
||||||
|
if !bytes.HasPrefix(versionString, []byte("SSH-")) {
|
||||||
|
// RFC 4253 says we need to ignore all version string lines
|
||||||
|
// except the one containing the SSH version (provided that
|
||||||
|
// all the lines do not exceed 255 bytes in total).
|
||||||
|
versionString = versionString[:0]
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
ok = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
|
||||||
|
// non ASCII chars are disallowed, but we are lenient,
|
||||||
|
// since Go doesn't use null-terminated strings.
|
||||||
|
|
||||||
|
// The RFC allows a comment after a space, however,
|
||||||
|
// all of it (version and comments) goes into the
|
||||||
|
// session hash.
|
||||||
|
versionString = append(versionString, buf[0])
|
||||||
|
}
|
||||||
|
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.New("ssh: overflow reading version string")
|
||||||
|
}
|
||||||
|
|
||||||
|
// There might be a '\r' on the end which we should remove.
|
||||||
|
if len(versionString) > 0 && versionString[len(versionString)-1] == '\r' {
|
||||||
|
versionString = versionString[:len(versionString)-1]
|
||||||
|
}
|
||||||
|
return versionString, nil
|
||||||
|
}
|
Loading…
Reference in New Issue