1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
20 // These are string constants in the SSH protocol.
22 compressionNone = "none"
23 serviceUserAuth = "ssh-userauth"
24 serviceSSH = "ssh-connection"
27 // supportedCiphers lists ciphers we support but might not recommend.
28 var supportedCiphers = []string{
29 "aes128-ctr", "aes192-ctr", "aes256-ctr",
30 "aes128-gcm@openssh.com",
32 "arcfour256", "arcfour128", "arcfour",
37 // preferredCiphers specifies the default preference for ciphers.
38 var preferredCiphers = []string{
39 "aes128-gcm@openssh.com",
41 "aes128-ctr", "aes192-ctr", "aes256-ctr",
44 // supportedKexAlgos specifies the supported key-exchange algorithms in
46 var supportedKexAlgos = []string{
47 kexAlgoCurve25519SHA256,
48 // P384 and P521 are not constant-time yet, but since we don't
49 // reuse ephemeral keys, using them for ECDH should be OK.
50 kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
51 kexAlgoDH14SHA1, kexAlgoDH1SHA1,
54 // supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
55 // of authenticating servers) in preference order.
56 var supportedHostKeyAlgos = []string{
57 CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
58 CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
60 KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
61 KeyAlgoRSA, KeyAlgoDSA,
66 // supportedMACs specifies a default set of MAC algorithms in preference order.
67 // This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
68 // because they have reached the end of their useful life.
69 var supportedMACs = []string{
70 "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
73 var supportedCompressions = []string{compressionNone}
75 // hashFuncs keeps the mapping of supported algorithms to their respective
76 // hashes needed for signature verification.
77 var hashFuncs = map[string]crypto.Hash{
78 KeyAlgoRSA: crypto.SHA1,
79 KeyAlgoDSA: crypto.SHA1,
80 KeyAlgoECDSA256: crypto.SHA256,
81 KeyAlgoECDSA384: crypto.SHA384,
82 KeyAlgoECDSA521: crypto.SHA512,
83 CertAlgoRSAv01: crypto.SHA1,
84 CertAlgoDSAv01: crypto.SHA1,
85 CertAlgoECDSA256v01: crypto.SHA256,
86 CertAlgoECDSA384v01: crypto.SHA384,
87 CertAlgoECDSA521v01: crypto.SHA512,
90 // unexpectedMessageError results when the SSH message that we received didn't
91 // match what we wanted.
92 func unexpectedMessageError(expected, got uint8) error {
93 return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected)
96 // parseError results from a malformed SSH message.
97 func parseError(tag uint8) error {
98 return fmt.Errorf("ssh: parse error in message type %d", tag)
101 func findCommon(what string, client []string, server []string) (common string, err error) {
102 for _, c := range client {
103 for _, s := range server {
109 return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
112 type directionAlgorithms struct {
118 // rekeyBytes returns a rekeying intervals in bytes.
119 func (a *directionAlgorithms) rekeyBytes() int64 {
120 // According to RFC4344 block ciphers should rekey after
121 // 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
124 case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
125 return 16 * (1 << 32)
129 // For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
133 type algorithms struct {
136 w directionAlgorithms
137 r directionAlgorithms
140 func findAgreedAlgorithms(clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) {
141 result := &algorithms{}
143 result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)
148 result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
153 result.w.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
158 result.r.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
163 result.w.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
168 result.r.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
173 result.w.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
178 result.r.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
186 // If rekeythreshold is too small, we can't make any progress sending
188 const minRekeyThreshold uint64 = 256
190 // Config contains configuration data common to both ServerConfig and
193 // Rand provides the source of entropy for cryptographic
194 // primitives. If Rand is nil, the cryptographic random reader
195 // in package crypto/rand will be used.
198 // The maximum number of bytes sent or received after which a
199 // new key is negotiated. It must be at least 256. If
200 // unspecified, a size suitable for the chosen cipher is used.
201 RekeyThreshold uint64
203 // The allowed key exchanges algorithms. If unspecified then a
204 // default set of algorithms is used.
205 KeyExchanges []string
207 // The allowed cipher algorithms. If unspecified then a sensible
211 // The allowed MAC algorithms. If unspecified then a sensible default
216 // SetDefaults sets sensible values for unset fields in config. This is
217 // exported for testing: Configs passed to SSH functions are copied and have
218 // default values set automatically.
219 func (c *Config) SetDefaults() {
223 if c.Ciphers == nil {
224 c.Ciphers = preferredCiphers
227 for _, c := range c.Ciphers {
228 if cipherModes[c] != nil {
229 // reject the cipher if we have no cipherModes definition
230 ciphers = append(ciphers, c)
235 if c.KeyExchanges == nil {
236 c.KeyExchanges = supportedKexAlgos
240 c.MACs = supportedMACs
243 if c.RekeyThreshold == 0 {
244 // cipher specific default
245 } else if c.RekeyThreshold < minRekeyThreshold {
246 c.RekeyThreshold = minRekeyThreshold
247 } else if c.RekeyThreshold >= math.MaxInt64 {
248 // Avoid weirdness if somebody uses -1 as a threshold.
249 c.RekeyThreshold = math.MaxInt64
253 // buildDataSignedForAuth returns the data that is signed in order to prove
254 // possession of a private key. See RFC 4252, section 7.
255 func buildDataSignedForAuth(sessionID []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte {
278 func appendU16(buf []byte, n uint16) []byte {
279 return append(buf, byte(n>>8), byte(n))
282 func appendU32(buf []byte, n uint32) []byte {
283 return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
286 func appendU64(buf []byte, n uint64) []byte {
288 byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32),
289 byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
292 func appendInt(buf []byte, n int) []byte {
293 return appendU32(buf, uint32(n))
296 func appendString(buf []byte, s string) []byte {
297 buf = appendU32(buf, uint32(len(s)))
298 buf = append(buf, s...)
302 func appendBool(buf []byte, b bool) []byte {
304 return append(buf, 1)
306 return append(buf, 0)
309 // newCond is a helper to hide the fact that there is no usable zero
310 // value for sync.Cond.
311 func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) }
313 // window represents the buffer available to clients
314 // wishing to write to a channel.
317 win uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1
322 // add adds win to the amount of window available
324 func (w *window) add(win uint32) bool {
325 // a zero sized window adjust is a noop.
335 // It is unusual that multiple goroutines would be attempting to reserve
336 // window space, but not guaranteed. Use broadcast to notify all waiters
337 // that additional window is available.
343 // close sets the window to closed, so all reservations fail
345 func (w *window) close() {
352 // reserve reserves win from the available window capacity.
353 // If no capacity remains, reserve will block. reserve may
354 // return less than requested.
355 func (w *window) reserve(win uint32) (uint32, error) {
360 for w.win == 0 && !w.closed {
375 // waitWriterBlocked waits until some goroutine is blocked for further
376 // writes. It is used in tests only.
377 func (w *window) waitWriterBlocked() {
379 for w.writeWaiters == 0 {