[github/fretlink/terraform-provider-statuscake.git] / vendor / golang.org / x / crypto / ssh / common.go

// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package ssh

import (
	"crypto"
	"crypto/rand"
	"fmt"
	"io"
	"sync"

	_ "crypto/sha1"
	_ "crypto/sha256"
	_ "crypto/sha512"
)

// These are string constants in the SSH protocol.
const (
	compressionNone = "none"
	serviceUserAuth = "ssh-userauth"
	serviceSSH      = "ssh-connection"
)

// supportedCiphers specifies the supported ciphers in preference order.
var supportedCiphers = []string{
	"aes128-ctr", "aes192-ctr", "aes256-ctr",
	"aes128-gcm@openssh.com",
	"arcfour256", "arcfour128",
}

// supportedKexAlgos specifies the supported key-exchange algorithms in
// preference order.
var supportedKexAlgos = []string{
	kexAlgoCurve25519SHA256,
	// P384 and P521 are not constant-time yet, but since we don't
	// reuse ephemeral keys, using them for ECDH should be OK.
	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
	kexAlgoDH14SHA1, kexAlgoDH1SHA1,
}

// supportedKexAlgos specifies the supported host-key algorithms (i.e. methods
// of authenticating servers) in preference order.
var supportedHostKeyAlgos = []string{
	CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
	CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,

	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
	KeyAlgoRSA, KeyAlgoDSA,

	KeyAlgoED25519,
}

// supportedMACs specifies a default set of MAC algorithms in preference order.
// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
// because they have reached the end of their useful life.
var supportedMACs = []string{
	"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
}

var supportedCompressions = []string{compressionNone}

// hashFuncs keeps the mapping of supported algorithms to their respective
// hashes needed for signature verification.
var hashFuncs = map[string]crypto.Hash{
	KeyAlgoRSA:          crypto.SHA1,
	KeyAlgoDSA:          crypto.SHA1,
	KeyAlgoECDSA256:     crypto.SHA256,
	KeyAlgoECDSA384:     crypto.SHA384,
	KeyAlgoECDSA521:     crypto.SHA512,
	CertAlgoRSAv01:      crypto.SHA1,
	CertAlgoDSAv01:      crypto.SHA1,
	CertAlgoECDSA256v01: crypto.SHA256,
	CertAlgoECDSA384v01: crypto.SHA384,
	CertAlgoECDSA521v01: crypto.SHA512,
}

// unexpectedMessageError results when the SSH message that we received didn't
// match what we wanted.
func unexpectedMessageError(expected, got uint8) error {
	return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected)
}

// parseError results from a malformed SSH message.
func parseError(tag uint8) error {
	return fmt.Errorf("ssh: parse error in message type %d", tag)
}

func findCommon(what string, client []string, server []string) (common string, err error) {
	for _, c := range client {
		for _, s := range server {
			if c == s {
				return c, nil
			}
		}
	}
	return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
}

type directionAlgorithms struct {
	Cipher      string
	MAC         string
	Compression string
}

// rekeyBytes returns a rekeying intervals in bytes.
func (a *directionAlgorithms) rekeyBytes() int64 {
	// According to RFC4344 block ciphers should rekey after
	// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
	// 128.
	switch a.Cipher {
	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
		return 16 * (1 << 32)

	}

	// For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
	return 1 << 30
}

type algorithms struct {
	kex     string
	hostKey string
	w       directionAlgorithms
	r       directionAlgorithms
}

func findAgreedAlgorithms(clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) {
	result := &algorithms{}

	result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)
	if err != nil {
		return
	}

	result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
	if err != nil {
		return
	}

	result.w.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
	if err != nil {
		return
	}

	result.r.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
	if err != nil {
		return
	}

	result.w.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
	if err != nil {
		return
	}

	result.r.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
	if err != nil {
		return
	}

	result.w.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
	if err != nil {
		return
	}

	result.r.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
	if err != nil {
		return
	}

	return result, nil
}

// If rekeythreshold is too small, we can't make any progress sending
// stuff.
const minRekeyThreshold uint64 = 256

// Config contains configuration data common to both ServerConfig and
// ClientConfig.
type Config struct {
	// Rand provides the source of entropy for cryptographic
	// primitives. If Rand is nil, the cryptographic random reader
	// in package crypto/rand will be used.
	Rand io.Reader

	// The maximum number of bytes sent or received after which a
	// new key is negotiated. It must be at least 256. If
	// unspecified, 1 gigabyte is used.
	RekeyThreshold uint64

	// The allowed key exchanges algorithms. If unspecified then a
	// default set of algorithms is used.
	KeyExchanges []string

	// The allowed cipher algorithms. If unspecified then a sensible
	// default is used.
	Ciphers []string

	// The allowed MAC algorithms. If unspecified then a sensible default
	// is used.
	MACs []string
}

// SetDefaults sets sensible values for unset fields in config. This is
// exported for testing: Configs passed to SSH functions are copied and have
// default values set automatically.
func (c *Config) SetDefaults() {
	if c.Rand == nil {
		c.Rand = rand.Reader
	}
	if c.Ciphers == nil {
		c.Ciphers = supportedCiphers
	}
	var ciphers []string
	for _, c := range c.Ciphers {
		if cipherModes[c] != nil {
			// reject the cipher if we have no cipherModes definition
			ciphers = append(ciphers, c)
		}
	}
	c.Ciphers = ciphers

	if c.KeyExchanges == nil {
		c.KeyExchanges = supportedKexAlgos
	}

	if c.MACs == nil {
		c.MACs = supportedMACs
	}

	if c.RekeyThreshold == 0 {
		// RFC 4253, section 9 suggests rekeying after 1G.
		c.RekeyThreshold = 1 << 30
	}
	if c.RekeyThreshold < minRekeyThreshold {
		c.RekeyThreshold = minRekeyThreshold
	}
}

// buildDataSignedForAuth returns the data that is signed in order to prove
// possession of a private key. See RFC 4252, section 7.
func buildDataSignedForAuth(sessionId []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte {
	data := struct {
		Session []byte
		Type    byte
		User    string
		Service string
		Method  string
		Sign    bool
		Algo    []byte
		PubKey  []byte
	}{
		sessionId,
		msgUserAuthRequest,
		req.User,
		req.Service,
		req.Method,
		true,
		algo,
		pubKey,
	}
	return Marshal(data)
}

func appendU16(buf []byte, n uint16) []byte {
	return append(buf, byte(n>>8), byte(n))
}

func appendU32(buf []byte, n uint32) []byte {
	return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
}

func appendU64(buf []byte, n uint64) []byte {
	return append(buf,
		byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32),
		byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
}

func appendInt(buf []byte, n int) []byte {
	return appendU32(buf, uint32(n))
}

func appendString(buf []byte, s string) []byte {
	buf = appendU32(buf, uint32(len(s)))
	buf = append(buf, s...)
	return buf
}

func appendBool(buf []byte, b bool) []byte {
	if b {
		return append(buf, 1)
	}
	return append(buf, 0)
}

// newCond is a helper to hide the fact that there is no usable zero
// value for sync.Cond.
func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) }

// window represents the buffer available to clients
// wishing to write to a channel.
type window struct {
	*sync.Cond
	win          uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1
	writeWaiters int
	closed       bool
}

// add adds win to the amount of window available
// for consumers.
func (w *window) add(win uint32) bool {
	// a zero sized window adjust is a noop.
	if win == 0 {
		return true
	}
	w.L.Lock()
	if w.win+win < win {
		w.L.Unlock()
		return false
	}
	w.win += win
	// It is unusual that multiple goroutines would be attempting to reserve
	// window space, but not guaranteed. Use broadcast to notify all waiters
	// that additional window is available.
	w.Broadcast()
	w.L.Unlock()
	return true
}

// close sets the window to closed, so all reservations fail
// immediately.
func (w *window) close() {
	w.L.Lock()
	w.closed = true
	w.Broadcast()
	w.L.Unlock()
}

// reserve reserves win from the available window capacity.
// If no capacity remains, reserve will block. reserve may
// return less than requested.
func (w *window) reserve(win uint32) (uint32, error) {
	var err error
	w.L.Lock()
	w.writeWaiters++
	w.Broadcast()
	for w.win == 0 && !w.closed {
		w.Wait()
	}
	w.writeWaiters--
	if w.win < win {
		win = w.win
	}
	w.win -= win
	if w.closed {
		err = io.EOF
	}
	w.L.Unlock()
	return win, err
}

// waitWriterBlocked waits until some goroutine is blocked for further
// writes. It is used in tests only.
func (w *window) waitWriterBlocked() {
	w.Cond.L.Lock()
	for w.writeWaiters == 0 {
		w.Cond.Wait()
	}
	w.Cond.L.Unlock()
}
Commit	Line	Data
bae9f6d2 JC	1	// Copyright 2011 The Go Authors. All rights reserved.
	2	// Use of this source code is governed by a BSD-style
	3	// license that can be found in the LICENSE file.
	4
	5	package ssh
	6
	7	import (
	8	"crypto"
	9	"crypto/rand"
	10	"fmt"
	11	"io"
	12	"sync"
	13
	14	_ "crypto/sha1"
	15	_ "crypto/sha256"
	16	_ "crypto/sha512"
	17	)
	18
	19	// These are string constants in the SSH protocol.
	20	const (
	21	compressionNone = "none"
	22	serviceUserAuth = "ssh-userauth"
	23	serviceSSH = "ssh-connection"
	24	)
	25
	26	// supportedCiphers specifies the supported ciphers in preference order.
	27	var supportedCiphers = []string{
	28	"aes128-ctr", "aes192-ctr", "aes256-ctr",
	29	"aes128-gcm@openssh.com",
	30	"arcfour256", "arcfour128",
	31	}
	32
	33	// supportedKexAlgos specifies the supported key-exchange algorithms in
	34	// preference order.
	35	var supportedKexAlgos = []string{
	36	kexAlgoCurve25519SHA256,
	37	// P384 and P521 are not constant-time yet, but since we don't
	38	// reuse ephemeral keys, using them for ECDH should be OK.
	39	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
	40	kexAlgoDH14SHA1, kexAlgoDH1SHA1,
	41	}
	42
	43	// supportedKexAlgos specifies the supported host-key algorithms (i.e. methods
	44	// of authenticating servers) in preference order.
	45	var supportedHostKeyAlgos = []string{
	46	CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
	47	CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
	48
	49	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
	50	KeyAlgoRSA, KeyAlgoDSA,
	51
	52	KeyAlgoED25519,
	53	}
	54
	55	// supportedMACs specifies a default set of MAC algorithms in preference order.
	56	// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
	57	// because they have reached the end of their useful life.
	58	var supportedMACs = []string{
	59	"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
	60	}
	61
	62	var supportedCompressions = []string{compressionNone}
	63
	64	// hashFuncs keeps the mapping of supported algorithms to their respective
65	// hashes needed for signature verification.
66	var hashFuncs = map[string]crypto.Hash{
67	KeyAlgoRSA: crypto.SHA1,
68	KeyAlgoDSA: crypto.SHA1,
69	KeyAlgoECDSA256: crypto.SHA256,
70	KeyAlgoECDSA384: crypto.SHA384,
71	KeyAlgoECDSA521: crypto.SHA512,
72	CertAlgoRSAv01: crypto.SHA1,
73	CertAlgoDSAv01: crypto.SHA1,
74	CertAlgoECDSA256v01: crypto.SHA256,
75	CertAlgoECDSA384v01: crypto.SHA384,
76	CertAlgoECDSA521v01: crypto.SHA512,
77	}
78
79	// unexpectedMessageError results when the SSH message that we received didn't
80	// match what we wanted.
81	func unexpectedMessageError(expected, got uint8) error {
82	return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected)
83	}
84
85	// parseError results from a malformed SSH message.
86	func parseError(tag uint8) error {
87	return fmt.Errorf("ssh: parse error in message type %d", tag)
88	}
89
90	func findCommon(what string, client []string, server []string) (common string, err error) {
91	for _, c := range client {
92	for _, s := range server {
93	if c == s {
94	return c, nil
95	}
96	}
97	}
98	return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
99	}
100
101	type directionAlgorithms struct {
102	Cipher string
103	MAC string
104	Compression string
105	}
106
107	// rekeyBytes returns a rekeying intervals in bytes.
108	func (a *directionAlgorithms) rekeyBytes() int64 {
109	// According to RFC4344 block ciphers should rekey after
110	// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
111	// 128.
112	switch a.Cipher {
113	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
114	return 16 * (1 << 32)
115
116	}
117
118	// For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
119	return 1 << 30
120	}
121
122	type algorithms struct {
123	kex string
124	hostKey string
125	w directionAlgorithms
126	r directionAlgorithms
127	}
128
129	func findAgreedAlgorithms(clientKexInit, serverKexInit kexInitMsg) (algs algorithms, err error) {
130	result := &algorithms{}
131
132	result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)
133	if err != nil {
134	return
135	}
136
137	result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
138	if err != nil {
139	return
140	}
141
142	result.w.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
143	if err != nil {
144	return
145	}
146
147	result.r.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
148	if err != nil {
149	return
150	}
151
152	result.w.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
153	if err != nil {
154	return
155	}
156
157	result.r.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
158	if err != nil {
159	return
160	}
161
162	result.w.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
163	if err != nil {
164	return
165	}
166
167	result.r.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
168	if err != nil {
169	return
170	}
171
172	return result, nil
173	}
174
175	// If rekeythreshold is too small, we can't make any progress sending
176	// stuff.
177	const minRekeyThreshold uint64 = 256
178
179	// Config contains configuration data common to both ServerConfig and
180	// ClientConfig.
181	type Config struct {
182	// Rand provides the source of entropy for cryptographic
183	// primitives. If Rand is nil, the cryptographic random reader
184	// in package crypto/rand will be used.
185	Rand io.Reader
186
187	// The maximum number of bytes sent or received after which a
188	// new key is negotiated. It must be at least 256. If
189	// unspecified, 1 gigabyte is used.
190	RekeyThreshold uint64
191
192	// The allowed key exchanges algorithms. If unspecified then a
193	// default set of algorithms is used.
194	KeyExchanges []string
195
196	// The allowed cipher algorithms. If unspecified then a sensible
197	// default is used.
198	Ciphers []string
199
200	// The allowed MAC algorithms. If unspecified then a sensible default
201	// is used.
202	MACs []string
203	}
204
205	// SetDefaults sets sensible values for unset fields in config. This is
206	// exported for testing: Configs passed to SSH functions are copied and have
207	// default values set automatically.
208	func (c *Config) SetDefaults() {
209	if c.Rand == nil {
210	c.Rand = rand.Reader
211	}
212	if c.Ciphers == nil {
213	c.Ciphers = supportedCiphers
214	}
215	var ciphers []string
216	for _, c := range c.Ciphers {
217	if cipherModes[c] != nil {
218	// reject the cipher if we have no cipherModes definition
219	ciphers = append(ciphers, c)
220	}
221	}
222	c.Ciphers = ciphers
223
224	if c.KeyExchanges == nil {
225	c.KeyExchanges = supportedKexAlgos
226	}
227
228	if c.MACs == nil {
229	c.MACs = supportedMACs
230	}
231
232	if c.RekeyThreshold == 0 {
233	// RFC 4253, section 9 suggests rekeying after 1G.
234	c.RekeyThreshold = 1 << 30
235	}
236	if c.RekeyThreshold < minRekeyThreshold {
237	c.RekeyThreshold = minRekeyThreshold
238	}
239	}
240
241	// buildDataSignedForAuth returns the data that is signed in order to prove
242	// possession of a private key. See RFC 4252, section 7.
243	func buildDataSignedForAuth(sessionId []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte {
244	data := struct {
245	Session []byte
246	Type byte
247	User string
248	Service string
249	Method string
250	Sign bool
251	Algo []byte
252	PubKey []byte
253	}{
254	sessionId,
255	msgUserAuthRequest,
256	req.User,
257	req.Service,
258	req.Method,
259	true,
260	algo,
261	pubKey,
262	}
263	return Marshal(data)
264	}
265
266	func appendU16(buf []byte, n uint16) []byte {
267	return append(buf, byte(n>>8), byte(n))
268	}
269
270	func appendU32(buf []byte, n uint32) []byte {
271	return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
272	}
273
274	func appendU64(buf []byte, n uint64) []byte {
275	return append(buf,
276	byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32),
277	byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
278	}
279
280	func appendInt(buf []byte, n int) []byte {
281	return appendU32(buf, uint32(n))
282	}
283
284	func appendString(buf []byte, s string) []byte {
285	buf = appendU32(buf, uint32(len(s)))
286	buf = append(buf, s...)
287	return buf
288	}
289
290	func appendBool(buf []byte, b bool) []byte {
291	if b {
292	return append(buf, 1)
293	}
294	return append(buf, 0)
295	}
296
297	// newCond is a helper to hide the fact that there is no usable zero
298	// value for sync.Cond.
299	func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) }
300
301	// window represents the buffer available to clients
302	// wishing to write to a channel.
303	type window struct {
304	*sync.Cond
305	win uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1
306	writeWaiters int
307	closed bool
308	}
309
310	// add adds win to the amount of window available
311	// for consumers.
312	func (w *window) add(win uint32) bool {
313	// a zero sized window adjust is a noop.
314	if win == 0 {
315	return true
316	}
317	w.L.Lock()
318	if w.win+win < win {
319	w.L.Unlock()
320	return false
321	}
322	w.win += win
323	// It is unusual that multiple goroutines would be attempting to reserve
324	// window space, but not guaranteed. Use broadcast to notify all waiters
325	// that additional window is available.
326	w.Broadcast()
327	w.L.Unlock()
328	return true
329	}
330
331	// close sets the window to closed, so all reservations fail
332	// immediately.
333	func (w *window) close() {
334	w.L.Lock()
335	w.closed = true
336	w.Broadcast()
337	w.L.Unlock()
338	}
339
340	// reserve reserves win from the available window capacity.
341	// If no capacity remains, reserve will block. reserve may
342	// return less than requested.
343	func (w *window) reserve(win uint32) (uint32, error) {
344	var err error
345	w.L.Lock()
346	w.writeWaiters++
347	w.Broadcast()
348	for w.win == 0 && !w.closed {
349	w.Wait()
350	}
351	w.writeWaiters--
352	if w.win < win {
353	win = w.win
354	}
355	w.win -= win
356	if w.closed {
357	err = io.EOF
358	}
359	w.L.Unlock()
360	return win, err
361	}
362
363	// waitWriterBlocked waits until some goroutine is blocked for further
364	// writes. It is used in tests only.
365	func (w *window) waitWriterBlocked() {
366	w.Cond.L.Lock()
367	for w.writeWaiters == 0 {
368	w.Cond.Wait()
369	}
370	w.Cond.L.Unlock()
371	}