mirror of https://github.com/gogits/gogs.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
332 lines
8.6 KiB
332 lines
8.6 KiB
// Copyright 2011 The Go Authors. All rights reserved. |
|
// Use of this source code is governed by a BSD-style |
|
// license that can be found in the LICENSE file. |
|
|
|
package ssh |
|
|
|
import ( |
|
"bufio" |
|
"errors" |
|
"io" |
|
) |
|
|
|
const ( |
|
gcmCipherID = "aes128-gcm@openssh.com" |
|
aes128cbcID = "aes128-cbc" |
|
) |
|
|
|
// packetConn represents a transport that implements packet based |
|
// operations. |
|
type packetConn interface { |
|
// Encrypt and send a packet of data to the remote peer. |
|
writePacket(packet []byte) error |
|
|
|
// Read a packet from the connection |
|
readPacket() ([]byte, error) |
|
|
|
// Close closes the write-side of the connection. |
|
Close() error |
|
} |
|
|
|
// transport is the keyingTransport that implements the SSH packet |
|
// protocol. |
|
type transport struct { |
|
reader connectionState |
|
writer connectionState |
|
|
|
bufReader *bufio.Reader |
|
bufWriter *bufio.Writer |
|
rand io.Reader |
|
|
|
io.Closer |
|
|
|
// Initial H used for the session ID. Once assigned this does |
|
// not change, even during subsequent key exchanges. |
|
sessionID []byte |
|
} |
|
|
|
// getSessionID returns the ID of the SSH connection. The return value |
|
// should not be modified. |
|
func (t *transport) getSessionID() []byte { |
|
if t.sessionID == nil { |
|
panic("session ID not set yet") |
|
} |
|
return t.sessionID |
|
} |
|
|
|
// packetCipher represents a combination of SSH encryption/MAC |
|
// protocol. A single instance should be used for one direction only. |
|
type packetCipher interface { |
|
// writePacket encrypts the packet and writes it to w. The |
|
// contents of the packet are generally scrambled. |
|
writePacket(seqnum uint32, w io.Writer, rand io.Reader, packet []byte) error |
|
|
|
// readPacket reads and decrypts a packet of data. The |
|
// returned packet may be overwritten by future calls of |
|
// readPacket. |
|
readPacket(seqnum uint32, r io.Reader) ([]byte, error) |
|
} |
|
|
|
// connectionState represents one side (read or write) of the |
|
// connection. This is necessary because each direction has its own |
|
// keys, and can even have its own algorithms |
|
type connectionState struct { |
|
packetCipher |
|
seqNum uint32 |
|
dir direction |
|
pendingKeyChange chan packetCipher |
|
} |
|
|
|
// prepareKeyChange sets up key material for a keychange. The key changes in |
|
// both directions are triggered by reading and writing a msgNewKey packet |
|
// respectively. |
|
func (t *transport) prepareKeyChange(algs *algorithms, kexResult *kexResult) error { |
|
if t.sessionID == nil { |
|
t.sessionID = kexResult.H |
|
} |
|
|
|
kexResult.SessionID = t.sessionID |
|
|
|
if ciph, err := newPacketCipher(t.reader.dir, algs.r, kexResult); err != nil { |
|
return err |
|
} else { |
|
t.reader.pendingKeyChange <- ciph |
|
} |
|
|
|
if ciph, err := newPacketCipher(t.writer.dir, algs.w, kexResult); err != nil { |
|
return err |
|
} else { |
|
t.writer.pendingKeyChange <- ciph |
|
} |
|
|
|
return nil |
|
} |
|
|
|
// Read and decrypt next packet. |
|
func (t *transport) readPacket() ([]byte, error) { |
|
return t.reader.readPacket(t.bufReader) |
|
} |
|
|
|
func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) { |
|
packet, err := s.packetCipher.readPacket(s.seqNum, r) |
|
s.seqNum++ |
|
if err == nil && len(packet) == 0 { |
|
err = errors.New("ssh: zero length packet") |
|
} |
|
|
|
if len(packet) > 0 && packet[0] == msgNewKeys { |
|
select { |
|
case cipher := <-s.pendingKeyChange: |
|
s.packetCipher = cipher |
|
default: |
|
return nil, errors.New("ssh: got bogus newkeys message.") |
|
} |
|
} |
|
|
|
// The packet may point to an internal buffer, so copy the |
|
// packet out here. |
|
fresh := make([]byte, len(packet)) |
|
copy(fresh, packet) |
|
|
|
return fresh, err |
|
} |
|
|
|
func (t *transport) writePacket(packet []byte) error { |
|
return t.writer.writePacket(t.bufWriter, t.rand, packet) |
|
} |
|
|
|
func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte) error { |
|
changeKeys := len(packet) > 0 && packet[0] == msgNewKeys |
|
|
|
err := s.packetCipher.writePacket(s.seqNum, w, rand, packet) |
|
if err != nil { |
|
return err |
|
} |
|
if err = w.Flush(); err != nil { |
|
return err |
|
} |
|
s.seqNum++ |
|
if changeKeys { |
|
select { |
|
case cipher := <-s.pendingKeyChange: |
|
s.packetCipher = cipher |
|
default: |
|
panic("ssh: no key material for msgNewKeys") |
|
} |
|
} |
|
return err |
|
} |
|
|
|
func newTransport(rwc io.ReadWriteCloser, rand io.Reader, isClient bool) *transport { |
|
t := &transport{ |
|
bufReader: bufio.NewReader(rwc), |
|
bufWriter: bufio.NewWriter(rwc), |
|
rand: rand, |
|
reader: connectionState{ |
|
packetCipher: &streamPacketCipher{cipher: noneCipher{}}, |
|
pendingKeyChange: make(chan packetCipher, 1), |
|
}, |
|
writer: connectionState{ |
|
packetCipher: &streamPacketCipher{cipher: noneCipher{}}, |
|
pendingKeyChange: make(chan packetCipher, 1), |
|
}, |
|
Closer: rwc, |
|
} |
|
if isClient { |
|
t.reader.dir = serverKeys |
|
t.writer.dir = clientKeys |
|
} else { |
|
t.reader.dir = clientKeys |
|
t.writer.dir = serverKeys |
|
} |
|
|
|
return t |
|
} |
|
|
|
type direction struct { |
|
ivTag []byte |
|
keyTag []byte |
|
macKeyTag []byte |
|
} |
|
|
|
var ( |
|
serverKeys = direction{[]byte{'B'}, []byte{'D'}, []byte{'F'}} |
|
clientKeys = direction{[]byte{'A'}, []byte{'C'}, []byte{'E'}} |
|
) |
|
|
|
// generateKeys generates key material for IV, MAC and encryption. |
|
func generateKeys(d direction, algs directionAlgorithms, kex *kexResult) (iv, key, macKey []byte) { |
|
cipherMode := cipherModes[algs.Cipher] |
|
macMode := macModes[algs.MAC] |
|
|
|
iv = make([]byte, cipherMode.ivSize) |
|
key = make([]byte, cipherMode.keySize) |
|
macKey = make([]byte, macMode.keySize) |
|
|
|
generateKeyMaterial(iv, d.ivTag, kex) |
|
generateKeyMaterial(key, d.keyTag, kex) |
|
generateKeyMaterial(macKey, d.macKeyTag, kex) |
|
return |
|
} |
|
|
|
// setupKeys sets the cipher and MAC keys from kex.K, kex.H and sessionId, as |
|
// described in RFC 4253, section 6.4. direction should either be serverKeys |
|
// (to setup server->client keys) or clientKeys (for client->server keys). |
|
func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (packetCipher, error) { |
|
iv, key, macKey := generateKeys(d, algs, kex) |
|
|
|
if algs.Cipher == gcmCipherID { |
|
return newGCMCipher(iv, key, macKey) |
|
} |
|
|
|
if algs.Cipher == aes128cbcID { |
|
return newAESCBCCipher(iv, key, macKey, algs) |
|
} |
|
|
|
c := &streamPacketCipher{ |
|
mac: macModes[algs.MAC].new(macKey), |
|
} |
|
c.macResult = make([]byte, c.mac.Size()) |
|
|
|
var err error |
|
c.cipher, err = cipherModes[algs.Cipher].createStream(key, iv) |
|
if err != nil { |
|
return nil, err |
|
} |
|
|
|
return c, nil |
|
} |
|
|
|
// generateKeyMaterial fills out with key material generated from tag, K, H |
|
// and sessionId, as specified in RFC 4253, section 7.2. |
|
func generateKeyMaterial(out, tag []byte, r *kexResult) { |
|
var digestsSoFar []byte |
|
|
|
h := r.Hash.New() |
|
for len(out) > 0 { |
|
h.Reset() |
|
h.Write(r.K) |
|
h.Write(r.H) |
|
|
|
if len(digestsSoFar) == 0 { |
|
h.Write(tag) |
|
h.Write(r.SessionID) |
|
} else { |
|
h.Write(digestsSoFar) |
|
} |
|
|
|
digest := h.Sum(nil) |
|
n := copy(out, digest) |
|
out = out[n:] |
|
if len(out) > 0 { |
|
digestsSoFar = append(digestsSoFar, digest...) |
|
} |
|
} |
|
} |
|
|
|
const packageVersion = "SSH-2.0-Go" |
|
|
|
// Sends and receives a version line. The versionLine string should |
|
// be US ASCII, start with "SSH-2.0-", and should not include a |
|
// newline. exchangeVersions returns the other side's version line. |
|
func exchangeVersions(rw io.ReadWriter, versionLine []byte) (them []byte, err error) { |
|
// Contrary to the RFC, we do not ignore lines that don't |
|
// start with "SSH-2.0-" to make the library usable with |
|
// nonconforming servers. |
|
for _, c := range versionLine { |
|
// The spec disallows non US-ASCII chars, and |
|
// specifically forbids null chars. |
|
if c < 32 { |
|
return nil, errors.New("ssh: junk character in version line") |
|
} |
|
} |
|
if _, err = rw.Write(append(versionLine, '\r', '\n')); err != nil { |
|
return |
|
} |
|
|
|
them, err = readVersion(rw) |
|
return them, err |
|
} |
|
|
|
// maxVersionStringBytes is the maximum number of bytes that we'll |
|
// accept as a version string. RFC 4253 section 4.2 limits this at 255 |
|
// chars |
|
const maxVersionStringBytes = 255 |
|
|
|
// Read version string as specified by RFC 4253, section 4.2. |
|
func readVersion(r io.Reader) ([]byte, error) { |
|
versionString := make([]byte, 0, 64) |
|
var ok bool |
|
var buf [1]byte |
|
|
|
for len(versionString) < maxVersionStringBytes { |
|
_, err := io.ReadFull(r, buf[:]) |
|
if err != nil { |
|
return nil, err |
|
} |
|
// The RFC says that the version should be terminated with \r\n |
|
// but several SSH servers actually only send a \n. |
|
if buf[0] == '\n' { |
|
ok = true |
|
break |
|
} |
|
|
|
// non ASCII chars are disallowed, but we are lenient, |
|
// since Go doesn't use null-terminated strings. |
|
|
|
// The RFC allows a comment after a space, however, |
|
// all of it (version and comments) goes into the |
|
// session hash. |
|
versionString = append(versionString, buf[0]) |
|
} |
|
|
|
if !ok { |
|
return nil, errors.New("ssh: overflow reading version string") |
|
} |
|
|
|
// There might be a '\r' on the end which we should remove. |
|
if len(versionString) > 0 && versionString[len(versionString)-1] == '\r' { |
|
versionString = versionString[:len(versionString)-1] |
|
} |
|
return versionString, nil |
|
}
|
|
|