gtsocial-umbx

common.go (12614B)

---

 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
 package ssh
 
 import (
 	"crypto"
 	"crypto/rand"
 	"fmt"
 	"io"
 	"math"
 	"strings"
 	"sync"
 
 	_ "crypto/sha1"
 	_ "crypto/sha256"
 	_ "crypto/sha512"
 )
 
 // These are string constants in the SSH protocol.
 const (
 	compressionNone = "none"
 	serviceUserAuth = "ssh-userauth"
 	serviceSSH      = "ssh-connection"
 )
 
 // supportedCiphers lists ciphers we support but might not recommend.
 var supportedCiphers = []string{
 	"aes128-ctr", "aes192-ctr", "aes256-ctr",
 	"aes128-gcm@openssh.com", gcm256CipherID,
 	chacha20Poly1305ID,
 	"arcfour256", "arcfour128", "arcfour",
 	aes128cbcID,
 	tripledescbcID,
 }
 
 // preferredCiphers specifies the default preference for ciphers.
 var preferredCiphers = []string{
 	"aes128-gcm@openssh.com", gcm256CipherID,
 	chacha20Poly1305ID,
 	"aes128-ctr", "aes192-ctr", "aes256-ctr",
 }
 
 // supportedKexAlgos specifies the supported key-exchange algorithms in
 // preference order.
 var supportedKexAlgos = []string{
 	kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
 	// P384 and P521 are not constant-time yet, but since we don't
 	// reuse ephemeral keys, using them for ECDH should be OK.
 	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
 	kexAlgoDH14SHA256, kexAlgoDH14SHA1, kexAlgoDH1SHA1,
 }
 
 // serverForbiddenKexAlgos contains key exchange algorithms, that are forbidden
 // for the server half.
 var serverForbiddenKexAlgos = map[string]struct{}{
 	kexAlgoDHGEXSHA1:   {}, // server half implementation is only minimal to satisfy the automated tests
 	kexAlgoDHGEXSHA256: {}, // server half implementation is only minimal to satisfy the automated tests
 }
 
 // preferredKexAlgos specifies the default preference for key-exchange algorithms
 // in preference order.
 var preferredKexAlgos = []string{
 	kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
 	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
 	kexAlgoDH14SHA256, kexAlgoDH14SHA1,
 }
 
 // supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
 // of authenticating servers) in preference order.
 var supportedHostKeyAlgos = []string{
 	CertAlgoRSASHA512v01, CertAlgoRSASHA256v01,
 	CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
 	CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
 
 	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
 	KeyAlgoRSASHA512, KeyAlgoRSASHA256,
 	KeyAlgoRSA, KeyAlgoDSA,
 
 	KeyAlgoED25519,
 }
 
 // supportedMACs specifies a default set of MAC algorithms in preference order.
 // This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
 // because they have reached the end of their useful life.
 var supportedMACs = []string{
 	"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
 }
 
 var supportedCompressions = []string{compressionNone}
 
 // hashFuncs keeps the mapping of supported signature algorithms to their
 // respective hashes needed for signing and verification.
 var hashFuncs = map[string]crypto.Hash{
 	KeyAlgoRSA:       crypto.SHA1,
 	KeyAlgoRSASHA256: crypto.SHA256,
 	KeyAlgoRSASHA512: crypto.SHA512,
 	KeyAlgoDSA:       crypto.SHA1,
 	KeyAlgoECDSA256:  crypto.SHA256,
 	KeyAlgoECDSA384:  crypto.SHA384,
 	KeyAlgoECDSA521:  crypto.SHA512,
 	// KeyAlgoED25519 doesn't pre-hash.
 	KeyAlgoSKECDSA256: crypto.SHA256,
 	KeyAlgoSKED25519:  crypto.SHA256,
 }
 
 // algorithmsForKeyFormat returns the supported signature algorithms for a given
 // public key format (PublicKey.Type), in order of preference. See RFC 8332,
 // Section 2. See also the note in sendKexInit on backwards compatibility.
 func algorithmsForKeyFormat(keyFormat string) []string {
 	switch keyFormat {
 	case KeyAlgoRSA:
 		return []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512, KeyAlgoRSA}
 	case CertAlgoRSAv01:
 		return []string{CertAlgoRSASHA256v01, CertAlgoRSASHA512v01, CertAlgoRSAv01}
 	default:
 		return []string{keyFormat}
 	}
 }
 
 // supportedPubKeyAuthAlgos specifies the supported client public key
 // authentication algorithms. Note that this doesn't include certificate types
 // since those use the underlying algorithm. This list is sent to the client if
 // it supports the server-sig-algs extension. Order is irrelevant.
 var supportedPubKeyAuthAlgos = []string{
 	KeyAlgoED25519,
 	KeyAlgoSKED25519, KeyAlgoSKECDSA256,
 	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
 	KeyAlgoRSASHA256, KeyAlgoRSASHA512, KeyAlgoRSA,
 	KeyAlgoDSA,
 }
 
 var supportedPubKeyAuthAlgosList = strings.Join(supportedPubKeyAuthAlgos, ",")
 
 // unexpectedMessageError results when the SSH message that we received didn't
 // match what we wanted.
 func unexpectedMessageError(expected, got uint8) error {
 	return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected)
 }
 
 // parseError results from a malformed SSH message.
 func parseError(tag uint8) error {
 	return fmt.Errorf("ssh: parse error in message type %d", tag)
 }
 
 func findCommon(what string, client []string, server []string) (common string, err error) {
 	for _, c := range client {
 		for _, s := range server {
 			if c == s {
 				return c, nil
 			}
 		}
 	}
 	return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
 }
 
 // directionAlgorithms records algorithm choices in one direction (either read or write)
 type directionAlgorithms struct {
 	Cipher      string
 	MAC         string
 	Compression string
 }
 
 // rekeyBytes returns a rekeying intervals in bytes.
 func (a *directionAlgorithms) rekeyBytes() int64 {
 	// According to RFC 4344 block ciphers should rekey after
 	// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
 	// 128.
 	switch a.Cipher {
 	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcm128CipherID, gcm256CipherID, aes128cbcID:
 		return 16 * (1 << 32)
 
 	}
 
 	// For others, stick with RFC 4253 recommendation to rekey after 1 Gb of data.
 	return 1 << 30
 }
 
 var aeadCiphers = map[string]bool{
 	gcm128CipherID:     true,
 	gcm256CipherID:     true,
 	chacha20Poly1305ID: true,
 }
 
 type algorithms struct {
 	kex     string
 	hostKey string
 	w       directionAlgorithms
 	r       directionAlgorithms
 }
 
 func findAgreedAlgorithms(isClient bool, clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) {
 	result := &algorithms{}
 
 	result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)
 	if err != nil {
 		return
 	}
 
 	result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
 	if err != nil {
 		return
 	}
 
 	stoc, ctos := &result.w, &result.r
 	if isClient {
 		ctos, stoc = stoc, ctos
 	}
 
 	ctos.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
 	if err != nil {
 		return
 	}
 
 	stoc.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
 	if err != nil {
 		return
 	}
 
 	if !aeadCiphers[ctos.Cipher] {
 		ctos.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
 		if err != nil {
 			return
 		}
 	}
 
 	if !aeadCiphers[stoc.Cipher] {
 		stoc.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
 		if err != nil {
 			return
 		}
 	}
 
 	ctos.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
 	if err != nil {
 		return
 	}
 
 	stoc.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
 	if err != nil {
 		return
 	}
 
 	return result, nil
 }
 
 // If rekeythreshold is too small, we can't make any progress sending
 // stuff.
 const minRekeyThreshold uint64 = 256
 
 // Config contains configuration data common to both ServerConfig and
 // ClientConfig.
 type Config struct {
 	// Rand provides the source of entropy for cryptographic
 	// primitives. If Rand is nil, the cryptographic random reader
 	// in package crypto/rand will be used.
 	Rand io.Reader
 
 	// The maximum number of bytes sent or received after which a
 	// new key is negotiated. It must be at least 256. If
 	// unspecified, a size suitable for the chosen cipher is used.
 	RekeyThreshold uint64
 
 	// The allowed key exchanges algorithms. If unspecified then a
 	// default set of algorithms is used.
 	KeyExchanges []string
 
 	// The allowed cipher algorithms. If unspecified then a sensible
 	// default is used.
 	Ciphers []string
 
 	// The allowed MAC algorithms. If unspecified then a sensible default
 	// is used.
 	MACs []string
 }
 
 // SetDefaults sets sensible values for unset fields in config. This is
 // exported for testing: Configs passed to SSH functions are copied and have
 // default values set automatically.
 func (c *Config) SetDefaults() {
 	if c.Rand == nil {
 		c.Rand = rand.Reader
 	}
 	if c.Ciphers == nil {
 		c.Ciphers = preferredCiphers
 	}
 	var ciphers []string
 	for _, c := range c.Ciphers {
 		if cipherModes[c] != nil {
 			// reject the cipher if we have no cipherModes definition
 			ciphers = append(ciphers, c)
 		}
 	}
 	c.Ciphers = ciphers
 
 	if c.KeyExchanges == nil {
 		c.KeyExchanges = preferredKexAlgos
 	}
 
 	if c.MACs == nil {
 		c.MACs = supportedMACs
 	}
 
 	if c.RekeyThreshold == 0 {
 		// cipher specific default
 	} else if c.RekeyThreshold < minRekeyThreshold {
 		c.RekeyThreshold = minRekeyThreshold
 	} else if c.RekeyThreshold >= math.MaxInt64 {
 		// Avoid weirdness if somebody uses -1 as a threshold.
 		c.RekeyThreshold = math.MaxInt64
 	}
 }
 
 // buildDataSignedForAuth returns the data that is signed in order to prove
 // possession of a private key. See RFC 4252, section 7. algo is the advertised
 // algorithm, and may be a certificate type.
 func buildDataSignedForAuth(sessionID []byte, req userAuthRequestMsg, algo string, pubKey []byte) []byte {
 	data := struct {
 		Session []byte
 		Type    byte
 		User    string
 		Service string
 		Method  string
 		Sign    bool
 		Algo    string
 		PubKey  []byte
 	}{
 		sessionID,
 		msgUserAuthRequest,
 		req.User,
 		req.Service,
 		req.Method,
 		true,
 		algo,
 		pubKey,
 	}
 	return Marshal(data)
 }
 
 func appendU16(buf []byte, n uint16) []byte {
 	return append(buf, byte(n>>8), byte(n))
 }
 
 func appendU32(buf []byte, n uint32) []byte {
 	return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
 }
 
 func appendU64(buf []byte, n uint64) []byte {
 	return append(buf,
 		byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32),
 		byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
 }
 
 func appendInt(buf []byte, n int) []byte {
 	return appendU32(buf, uint32(n))
 }
 
 func appendString(buf []byte, s string) []byte {
 	buf = appendU32(buf, uint32(len(s)))
 	buf = append(buf, s...)
 	return buf
 }
 
 func appendBool(buf []byte, b bool) []byte {
 	if b {
 		return append(buf, 1)
 	}
 	return append(buf, 0)
 }
 
 // newCond is a helper to hide the fact that there is no usable zero
 // value for sync.Cond.
 func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) }
 
 // window represents the buffer available to clients
 // wishing to write to a channel.
 type window struct {
 	*sync.Cond
 	win          uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1
 	writeWaiters int
 	closed       bool
 }
 
 // add adds win to the amount of window available
 // for consumers.
 func (w *window) add(win uint32) bool {
 	// a zero sized window adjust is a noop.
 	if win == 0 {
 		return true
 	}
 	w.L.Lock()
 	if w.win+win < win {
 		w.L.Unlock()
 		return false
 	}
 	w.win += win
 	// It is unusual that multiple goroutines would be attempting to reserve
 	// window space, but not guaranteed. Use broadcast to notify all waiters
 	// that additional window is available.
 	w.Broadcast()
 	w.L.Unlock()
 	return true
 }
 
 // close sets the window to closed, so all reservations fail
 // immediately.
 func (w *window) close() {
 	w.L.Lock()
 	w.closed = true
 	w.Broadcast()
 	w.L.Unlock()
 }
 
 // reserve reserves win from the available window capacity.
 // If no capacity remains, reserve will block. reserve may
 // return less than requested.
 func (w *window) reserve(win uint32) (uint32, error) {
 	var err error
 	w.L.Lock()
 	w.writeWaiters++
 	w.Broadcast()
 	for w.win == 0 && !w.closed {
 		w.Wait()
 	}
 	w.writeWaiters--
 	if w.win < win {
 		win = w.win
 	}
 	w.win -= win
 	if w.closed {
 		err = io.EOF
 	}
 	w.L.Unlock()
 	return win, err
 }
 
 // waitWriterBlocked waits until some goroutine is blocked for further
 // writes. It is used in tests only.
 func (w *window) waitWriterBlocked() {
 	w.Cond.L.Lock()
 	for w.writeWaiters == 0 {
 		w.Cond.Wait()
 	}
 	w.Cond.L.Unlock()
 }