handshake.go SSH

// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package ssh
import (
    "crypto/rand"
    "errors"
    "fmt"
    "io"
    "log"
    "net"
    "sync"
)
// debugHandshake, if set, prints messages sent and received.  Key
// exchange messages are printed as if DH were used, so the debug
// messages are wrong when using ECDH.
const debugHandshake = false
// chanSize sets the amount of buffering SSH connections. This is
// primarily for testing: setting chanSize=0 uncovers deadlocks more
// quickly.
const chanSize = 16
// keyingTransport is a packet based transport that supports key
// changes. It need not be thread-safe. It should pass through
// msgNewKeys in both directions.
type keyingTransport interface {
    packetConn
    // prepareKeyChange sets up a key change. The key change for a
    // direction will be effected if a msgNewKeys message is sent
    // or received.
    prepareKeyChange(*algorithms, *kexResult) error
}
// handshakeTransport implements rekeying on top of a keyingTransport
// and offers a thread-safe writePacket() interface.
type handshakeTransport struct {
    conn   keyingTransport
    config *Config
    serverVersion []byte
    clientVersion []byte
    // hostKeys is non-empty if we are the server. In that case,
    // it contains all host keys that can be used to sign the
    // connection.
    hostKeys []Signer
    // hostKeyAlgorithms is non-empty if we are the client. In that case,
    // we accept these key types from the server as host key.
    hostKeyAlgorithms []string
    // On read error, incoming is closed, and readError is set.
    incoming  chan []byte
    readError error
    mu             sync.Mutex
    writeError     error
    sentInitPacket []byte
    sentInitMsg    *kexInitMsg
    pendingPackets [][]byte // Used when a key exchange is in progress.
    // If the read loop wants to schedule a kex, it pings this
    // channel, and the write loop will send out a kex
    // message.
    requestKex chan struct{}
    // If the other side requests or confirms a kex, its kexInit
    // packet is sent here for the write loop to find it.
    startKex chan *pendingKex
    // data for host key checking
    hostKeyCallback HostKeyCallback
    dialAddress     string
    remoteAddr      net.Addr
    // bannerCallback is non-empty if we are the client and it has been set in
    // ClientConfig. In that case it is called during the user authentication
    // dance to handle a custom server's message.
    bannerCallback BannerCallback
    // Algorithms agreed in the last key exchange.
    algorithms *algorithms
    readPacketsLeft uint32
    readBytesLeft   int64
    writePacketsLeft uint32
    writeBytesLeft   int64
    // The session ID or nil if first kex did not complete yet.
    sessionID []byte
}
type pendingKex struct {
    otherInit []byte
    done      chan error
}
func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, serverVersion []byte) *handshakeTransport {
    t := &handshakeTransport{
        conn:          conn,
        serverVersion: serverVersion,
        clientVersion: clientVersion,
        incoming:      make(chan []byte, chanSize),
        requestKex:    make(chan struct{}, 1),
        startKex:      make(chan *pendingKex, 1),
        config: config,
    }
    t.resetReadThresholds()
    t.resetWriteThresholds()
    // We always start with a mandatory key exchange.
    t.requestKex <- struct{}{}
    return t
}
func newClientTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ClientConfig, dialAddr string, addr net.Addr) *handshakeTransport {
    t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
    t.dialAddress = dialAddr
    t.remoteAddr = addr
    t.hostKeyCallback = config.HostKeyCallback
    t.bannerCallback = config.BannerCallback
    if config.HostKeyAlgorithms != nil {
        t.hostKeyAlgorithms = config.HostKeyAlgorithms
    } else {
        t.hostKeyAlgorithms = supportedHostKeyAlgos
    }
    go t.readLoop()
    go t.kexLoop()
    return t
}
func newServerTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ServerConfig) *handshakeTransport {
    t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
    t.hostKeys = config.hostKeys
    go t.readLoop()
    go t.kexLoop()
    return t
}
func (t *handshakeTransport) getSessionID() []byte {
    return t.sessionID
}
// waitSession waits for the session to be established. This should be
// the first thing to call after instantiating handshakeTransport.
func (t *handshakeTransport) waitSession() error {
    p, err := t.readPacket()
    if err != nil {
        return err
    }
    if p[0] != msgNewKeys {
        return fmt.Errorf("ssh: first packet should be msgNewKeys")
    }
    return nil
}
func (t *handshakeTransport) id() string {
    if len(t.hostKeys) > 0 {
        return "server"
    }
    return "client"
}
func (t *handshakeTransport) printPacket(p []byte, write bool) {
    action := "got"
    if write {
        action = "sent"
    }
    if p[0] == msgChannelData || p[0] == msgChannelExtendedData {
        log.Printf("%s %s data (packet %d bytes)", t.id(), action, len(p))
    } else {
        msg, err := decode(p)
        log.Printf("%s %s %T %v (%v)", t.id(), action, msg, msg, err)
    }
}
func (t *handshakeTransport) readPacket() ([]byte, error) {
    p, ok := <-t.incoming
    if !ok {
        return nil, t.readError
    }
    return p, nil
}
func (t *handshakeTransport) readLoop() {
    first := true
    for {
        p, err := t.readOnePacket(first)
        first = false
        if err != nil {
            t.readError = err
            close(t.incoming)
            break
        }
        if p[0] == msgIgnore || p[0] == msgDebug {
            continue
        }
        t.incoming <- p
    }
    // Stop writers too.
    t.recordWriteError(t.readError)
    // Unblock the writer should it wait for this.
    close(t.startKex)
    // Don't close t.requestKex; it's also written to from writePacket.
}
func (t *handshakeTransport) pushPacket(p []byte) error {
    if debugHandshake {
        t.printPacket(p, true)
    }
    return t.conn.writePacket(p)
}
func (t *handshakeTransport) getWriteError() error {
    t.mu.Lock()
    defer t.mu.Unlock()
    return t.writeError
}
func (t *handshakeTransport) recordWriteError(err error) {
    t.mu.Lock()
    defer t.mu.Unlock()
    if t.writeError == nil && err != nil {
        t.writeError = err
    }
}
func (t *handshakeTransport) requestKeyExchange() {
    select {
    case t.requestKex <- struct{}{}:
    default:
        // something already requested a kex, so do nothing.
    }
}
func (t *handshakeTransport) resetWriteThresholds() {
    t.writePacketsLeft = packetRekeyThreshold
    if t.config.RekeyThreshold > 0 {
        t.writeBytesLeft = int64(t.config.RekeyThreshold)
    } else if t.algorithms != nil {
        t.writeBytesLeft = t.algorithms.w.rekeyBytes()
    } else {
        t.writeBytesLeft = 1 << 30
    }
}
func (t *handshakeTransport) kexLoop() {
write:
    for t.getWriteError() == nil {
        var request *pendingKex
        var sent bool
        for request == nil || !sent {
            var ok bool
            select {
            case request, ok = <-t.startKex:
                if !ok {
                    break write
                }
            case <-t.requestKex:
                break
            }
            if !sent {
                if err := t.sendKexInit(); err != nil {
                    t.recordWriteError(err)
                    break
                }
                sent = true
            }
        }
        if err := t.getWriteError(); err != nil {
            if request != nil {
                request.done <- err
            }
            break
        }
        // We're not servicing t.requestKex, but that is OK:
        // we never block on sending to t.requestKex.
        // We're not servicing t.startKex, but the remote end
        // has just sent us a kexInitMsg, so it can't send
        // another key change request, until we close the done
        // channel on the pendingKex request.
        err := t.enterKeyExchange(request.otherInit)
        t.mu.Lock()
        t.writeError = err
        t.sentInitPacket = nil
        t.sentInitMsg = nil
        t.resetWriteThresholds()
        // we have completed the key exchange. Since the
        // reader is still blocked, it is safe to clear out
        // the requestKex channel. This avoids the situation
        // where: 1) we consumed our own request for the
        // initial kex, and 2) the kex from the remote side
        // caused another send on the requestKex channel,
    clear:
        for {
            select {
            case <-t.requestKex:
                //
            default:
                break clear
            }
        }
        request.done <- t.writeError
        // kex finished. Push packets that we received while
        // the kex was in progress. Don't look at t.startKex
        // and don't increment writtenSinceKex: if we trigger
        // another kex while we are still busy with the last
        // one, things will become very confusing.
        for _, p := range t.pendingPackets {
            t.writeError = t.pushPacket(p)
            if t.writeError != nil {
                break
            }
        }
        t.pendingPackets = t.pendingPackets[:0]
        t.mu.Unlock()
    }
    // drain startKex channel. We don't service t.requestKex
    // because nobody does blocking sends there.
    go func() {
        for init := range t.startKex {
            init.done <- t.writeError
        }
    }()
    // Unblock reader.
    t.conn.Close()
}
// The protocol uses uint32 for packet counters, so we can't let them
// reach 1<<32.  We will actually read and write more packets than
// this, though: the other side may send more packets, and after we
// hit this limit on writing we will send a few more packets for the
// key exchange itself.
const packetRekeyThreshold = (1 << 31)
func (t *handshakeTransport) resetReadThresholds() {
    t.readPacketsLeft = packetRekeyThreshold
    if t.config.RekeyThreshold > 0 {
        t.readBytesLeft = int64(t.config.RekeyThreshold)
    } else if t.algorithms != nil {
        t.readBytesLeft = t.algorithms.r.rekeyBytes()
    } else {
        t.readBytesLeft = 1 << 30
    }
}
func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) {
    p, err := t.conn.readPacket()
    if err != nil {
        return nil, err
    }
    if t.readPacketsLeft > 0 {
        t.readPacketsLeft--
    } else {
        t.requestKeyExchange()
    }
    if t.readBytesLeft > 0 {
        t.readBytesLeft -= int64(len(p))
    } else {
        t.requestKeyExchange()
    }
    if debugHandshake {
        t.printPacket(p, false)
    }
    if first && p[0] != msgKexInit {
        return nil, fmt.Errorf("ssh: first packet should be msgKexInit")
    }
    if p[0] != msgKexInit {
        return p, nil
    }
    firstKex := t.sessionID == nil
    kex := pendingKex{
        done:      make(chan error, 1),
        otherInit: p,
    }
    t.startKex <- &kex
    err = <-kex.done
    if debugHandshake {
        log.Printf("%s exited key exchange (first %v), err %v", t.id(), firstKex, err)
    }
    if err != nil {
        return nil, err
    }
    t.resetReadThresholds()
    // By default, a key exchange is hidden from higher layers by
    // translating it into msgIgnore.
    successPacket := []byte{msgIgnore}
    if firstKex {
        // sendKexInit() for the first kex waits for
        // msgNewKeys so the authentication process is
        // guaranteed to happen over an encrypted transport.
        successPacket = []byte{msgNewKeys}
    }
    return successPacket, nil
}
// sendKexInit sends a key change message.
func (t *handshakeTransport) sendKexInit() error {
    t.mu.Lock()
    defer t.mu.Unlock()
    if t.sentInitMsg != nil {
        // kexInits may be sent either in response to the other side,
        // or because our side wants to initiate a key change, so we
        // may have already sent a kexInit. In that case, don't send a
        // second kexInit.
        return nil
    }
    msg := &kexInitMsg{
        KexAlgos:                t.config.KeyExchanges,
        CiphersClientServer:     t.config.Ciphers,
        CiphersServerClient:     t.config.Ciphers,
        MACsClientServer:        t.config.MACs,
        MACsServerClient:        t.config.MACs,
        CompressionClientServer: supportedCompressions,
        CompressionServerClient: supportedCompressions,
    }
    io.ReadFull(rand.Reader, msg.Cookie[:])
    if len(t.hostKeys) > 0 {
        for _, k := range t.hostKeys {
            msg.ServerHostKeyAlgos = append(
                msg.ServerHostKeyAlgos, k.PublicKey().Type())
        }
    } else {
        msg.ServerHostKeyAlgos = t.hostKeyAlgorithms
    }
    packet := Marshal(msg)
    // writePacket destroys the contents, so save a copy.
    packetCopy := make([]byte, len(packet))
    copy(packetCopy, packet)
    if err := t.pushPacket(packetCopy); err != nil {
        return err
    }
    t.sentInitMsg = msg
    t.sentInitPacket = packet
    return nil
}
func (t *handshakeTransport) writePacket(p []byte) error {
    switch p[0] {
    case msgKexInit:
        return errors.New("ssh: only handshakeTransport can send kexInit")
    case msgNewKeys:
        return errors.New("ssh: only handshakeTransport can send newKeys")
    }
    t.mu.Lock()
    defer t.mu.Unlock()
    if t.writeError != nil {
        return t.writeError
    }
    if t.sentInitMsg != nil {
        // Copy the packet so the writer can reuse the buffer.
        cp := make([]byte, len(p))
        copy(cp, p)
        t.pendingPackets = append(t.pendingPackets, cp)
        return nil
    }
    if t.writeBytesLeft > 0 {
        t.writeBytesLeft -= int64(len(p))
    } else {
        t.requestKeyExchange()
    }
    if t.writePacketsLeft > 0 {
        t.writePacketsLeft--
    } else {
        t.requestKeyExchange()
    }
    if err := t.pushPacket(p); err != nil {
        t.writeError = err
    }
    return nil
}
func (t *handshakeTransport) Close() error {
    return t.conn.Close()
}
func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
    if debugHandshake {
        log.Printf("%s entered key exchange", t.id())
    }
    otherInit := &kexInitMsg{}
    if err := Unmarshal(otherInitPacket, otherInit); err != nil {
        return err
    }
    magics := handshakeMagics{
        clientVersion: t.clientVersion,
        serverVersion: t.serverVersion,
        clientKexInit: otherInitPacket,
        serverKexInit: t.sentInitPacket,
    }
    clientInit := otherInit
    serverInit := t.sentInitMsg
    isClient := len(t.hostKeys) == 0
    if isClient {
        clientInit, serverInit = serverInit, clientInit
        magics.clientKexInit = t.sentInitPacket
        magics.serverKexInit = otherInitPacket
    }
    var err error
    t.algorithms, err = findAgreedAlgorithms(isClient, clientInit, serverInit)
    if err != nil {
        return err
    }
    // We don't send FirstKexFollows, but we handle receiving it.
    //
    // RFC 4253 section 7 defines the kex and the agreement method for
    // first_kex_packet_follows. It states that the guessed packet
    // should be ignored if the "kex algorithm and/or the host
    // key algorithm is guessed wrong (server and client have
    // different preferred algorithm), or if any of the other
    // algorithms cannot be agreed upon". The other algorithms have
    // already been checked above so the kex algorithm and host key
    // algorithm are checked here.
    if otherInit.FirstKexFollows && (clientInit.KexAlgos[0] != serverInit.KexAlgos[0] || clientInit.ServerHostKeyAlgos[0] != serverInit.ServerHostKeyAlgos[0]) {
        // other side sent a kex message for the wrong algorithm,
        // which we have to ignore.
        if _, err := t.conn.readPacket(); err != nil {
            return err
        }
    }
    kex, ok := kexAlgoMap[t.algorithms.kex]
    if !ok {
        return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.kex)
    }
    var result *kexResult
    if len(t.hostKeys) > 0 {
        result, err = t.server(kex, t.algorithms, &magics)
    } else {
        result, err = t.client(kex, t.algorithms, &magics)
    }
    if err != nil {
        return err
    }
    if t.sessionID == nil {
        t.sessionID = result.H
    }
    result.SessionID = t.sessionID
    if err := t.conn.prepareKeyChange(t.algorithms, result); err != nil {
        return err
    }
    if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil {
        return err
    }
    if packet, err := t.conn.readPacket(); err != nil {
        return err
    } else if packet[0] != msgNewKeys {
        return unexpectedMessageError(msgNewKeys, packet[0])
    }
    return nil
}
func (t *handshakeTransport) server(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
    var hostKey Signer
    for _, k := range t.hostKeys {
        if algs.hostKey == k.PublicKey().Type() {
            hostKey = k
        }
    }
    r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey)
    return r, err
}
func (t *handshakeTransport) client(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
    result, err := kex.Client(t.conn, t.config.Rand, magics)
    if err != nil {
        return nil, err
    }
    hostKey, err := ParsePublicKey(result.HostKey)
    if err != nil {
        return nil, err
    }
    if err := verifyHostKeySignature(hostKey, result); err != nil {
        return nil, err
    }
    err = t.hostKeyCallback(t.dialAddress, t.remoteAddr, hostKey)
    if err != nil {
        return nil, err
    }
    return result, nil
}