435c0d9fc8
This PR switches the Nomad repository from using govendor to Go modules for managing dependencies. Aspects of the Nomad workflow remain pretty much the same. The usual Makefile targets should continue to work as they always did. The API submodule simply defers to the parent Nomad version on the repository, keeping the semantics of API versioning that currently exists.
648 lines
16 KiB
Go
648 lines
16 KiB
Go
// Copyright 2013 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package ssh
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"log"
|
|
"net"
|
|
"sync"
|
|
)
|
|
|
|
// debugHandshake, if set, prints messages sent and received. Key
|
|
// exchange messages are printed as if DH were used, so the debug
|
|
// messages are wrong when using ECDH.
|
|
const debugHandshake = false
|
|
|
|
// chanSize sets the amount of buffering SSH connections. This is
|
|
// primarily for testing: setting chanSize=0 uncovers deadlocks more
|
|
// quickly.
|
|
const chanSize = 16
|
|
|
|
// keyingTransport is a packet based transport that supports key
|
|
// changes. It need not be thread-safe. It should pass through
|
|
// msgNewKeys in both directions.
|
|
type keyingTransport interface {
|
|
packetConn
|
|
|
|
// prepareKeyChange sets up a key change. The key change for a
|
|
// direction will be effected if a msgNewKeys message is sent
|
|
// or received.
|
|
prepareKeyChange(*algorithms, *kexResult) error
|
|
}
|
|
|
|
// handshakeTransport implements rekeying on top of a keyingTransport
|
|
// and offers a thread-safe writePacket() interface.
|
|
type handshakeTransport struct {
|
|
conn keyingTransport
|
|
config *Config
|
|
|
|
serverVersion []byte
|
|
clientVersion []byte
|
|
|
|
// hostKeys is non-empty if we are the server. In that case,
|
|
// it contains all host keys that can be used to sign the
|
|
// connection.
|
|
hostKeys []Signer
|
|
|
|
// hostKeyAlgorithms is non-empty if we are the client. In that case,
|
|
// we accept these key types from the server as host key.
|
|
hostKeyAlgorithms []string
|
|
|
|
// On read error, incoming is closed, and readError is set.
|
|
incoming chan []byte
|
|
readError error
|
|
|
|
mu sync.Mutex
|
|
writeError error
|
|
sentInitPacket []byte
|
|
sentInitMsg *kexInitMsg
|
|
pendingPackets [][]byte // Used when a key exchange is in progress.
|
|
|
|
// If the read loop wants to schedule a kex, it pings this
|
|
// channel, and the write loop will send out a kex
|
|
// message.
|
|
requestKex chan struct{}
|
|
|
|
// If the other side requests or confirms a kex, its kexInit
|
|
// packet is sent here for the write loop to find it.
|
|
startKex chan *pendingKex
|
|
|
|
// data for host key checking
|
|
hostKeyCallback HostKeyCallback
|
|
dialAddress string
|
|
remoteAddr net.Addr
|
|
|
|
// bannerCallback is non-empty if we are the client and it has been set in
|
|
// ClientConfig. In that case it is called during the user authentication
|
|
// dance to handle a custom server's message.
|
|
bannerCallback BannerCallback
|
|
|
|
// Algorithms agreed in the last key exchange.
|
|
algorithms *algorithms
|
|
|
|
readPacketsLeft uint32
|
|
readBytesLeft int64
|
|
|
|
writePacketsLeft uint32
|
|
writeBytesLeft int64
|
|
|
|
// The session ID or nil if first kex did not complete yet.
|
|
sessionID []byte
|
|
}
|
|
|
|
type pendingKex struct {
|
|
otherInit []byte
|
|
done chan error
|
|
}
|
|
|
|
func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, serverVersion []byte) *handshakeTransport {
|
|
t := &handshakeTransport{
|
|
conn: conn,
|
|
serverVersion: serverVersion,
|
|
clientVersion: clientVersion,
|
|
incoming: make(chan []byte, chanSize),
|
|
requestKex: make(chan struct{}, 1),
|
|
startKex: make(chan *pendingKex, 1),
|
|
|
|
config: config,
|
|
}
|
|
t.resetReadThresholds()
|
|
t.resetWriteThresholds()
|
|
|
|
// We always start with a mandatory key exchange.
|
|
t.requestKex <- struct{}{}
|
|
return t
|
|
}
|
|
|
|
func newClientTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ClientConfig, dialAddr string, addr net.Addr) *handshakeTransport {
|
|
t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
|
|
t.dialAddress = dialAddr
|
|
t.remoteAddr = addr
|
|
t.hostKeyCallback = config.HostKeyCallback
|
|
t.bannerCallback = config.BannerCallback
|
|
if config.HostKeyAlgorithms != nil {
|
|
t.hostKeyAlgorithms = config.HostKeyAlgorithms
|
|
} else {
|
|
t.hostKeyAlgorithms = supportedHostKeyAlgos
|
|
}
|
|
go t.readLoop()
|
|
go t.kexLoop()
|
|
return t
|
|
}
|
|
|
|
func newServerTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ServerConfig) *handshakeTransport {
|
|
t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
|
|
t.hostKeys = config.hostKeys
|
|
go t.readLoop()
|
|
go t.kexLoop()
|
|
return t
|
|
}
|
|
|
|
func (t *handshakeTransport) getSessionID() []byte {
|
|
return t.sessionID
|
|
}
|
|
|
|
// waitSession waits for the session to be established. This should be
|
|
// the first thing to call after instantiating handshakeTransport.
|
|
func (t *handshakeTransport) waitSession() error {
|
|
p, err := t.readPacket()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if p[0] != msgNewKeys {
|
|
return fmt.Errorf("ssh: first packet should be msgNewKeys")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (t *handshakeTransport) id() string {
|
|
if len(t.hostKeys) > 0 {
|
|
return "server"
|
|
}
|
|
return "client"
|
|
}
|
|
|
|
func (t *handshakeTransport) printPacket(p []byte, write bool) {
|
|
action := "got"
|
|
if write {
|
|
action = "sent"
|
|
}
|
|
|
|
if p[0] == msgChannelData || p[0] == msgChannelExtendedData {
|
|
log.Printf("%s %s data (packet %d bytes)", t.id(), action, len(p))
|
|
} else {
|
|
msg, err := decode(p)
|
|
log.Printf("%s %s %T %v (%v)", t.id(), action, msg, msg, err)
|
|
}
|
|
}
|
|
|
|
func (t *handshakeTransport) readPacket() ([]byte, error) {
|
|
p, ok := <-t.incoming
|
|
if !ok {
|
|
return nil, t.readError
|
|
}
|
|
return p, nil
|
|
}
|
|
|
|
func (t *handshakeTransport) readLoop() {
|
|
first := true
|
|
for {
|
|
p, err := t.readOnePacket(first)
|
|
first = false
|
|
if err != nil {
|
|
t.readError = err
|
|
close(t.incoming)
|
|
break
|
|
}
|
|
if p[0] == msgIgnore || p[0] == msgDebug {
|
|
continue
|
|
}
|
|
t.incoming <- p
|
|
}
|
|
|
|
// Stop writers too.
|
|
t.recordWriteError(t.readError)
|
|
|
|
// Unblock the writer should it wait for this.
|
|
close(t.startKex)
|
|
|
|
// Don't close t.requestKex; it's also written to from writePacket.
|
|
}
|
|
|
|
func (t *handshakeTransport) pushPacket(p []byte) error {
|
|
if debugHandshake {
|
|
t.printPacket(p, true)
|
|
}
|
|
return t.conn.writePacket(p)
|
|
}
|
|
|
|
func (t *handshakeTransport) getWriteError() error {
|
|
t.mu.Lock()
|
|
defer t.mu.Unlock()
|
|
return t.writeError
|
|
}
|
|
|
|
func (t *handshakeTransport) recordWriteError(err error) {
|
|
t.mu.Lock()
|
|
defer t.mu.Unlock()
|
|
if t.writeError == nil && err != nil {
|
|
t.writeError = err
|
|
}
|
|
}
|
|
|
|
func (t *handshakeTransport) requestKeyExchange() {
|
|
select {
|
|
case t.requestKex <- struct{}{}:
|
|
default:
|
|
// something already requested a kex, so do nothing.
|
|
}
|
|
}
|
|
|
|
func (t *handshakeTransport) resetWriteThresholds() {
|
|
t.writePacketsLeft = packetRekeyThreshold
|
|
if t.config.RekeyThreshold > 0 {
|
|
t.writeBytesLeft = int64(t.config.RekeyThreshold)
|
|
} else if t.algorithms != nil {
|
|
t.writeBytesLeft = t.algorithms.w.rekeyBytes()
|
|
} else {
|
|
t.writeBytesLeft = 1 << 30
|
|
}
|
|
}
|
|
|
|
func (t *handshakeTransport) kexLoop() {
|
|
|
|
write:
|
|
for t.getWriteError() == nil {
|
|
var request *pendingKex
|
|
var sent bool
|
|
|
|
for request == nil || !sent {
|
|
var ok bool
|
|
select {
|
|
case request, ok = <-t.startKex:
|
|
if !ok {
|
|
break write
|
|
}
|
|
case <-t.requestKex:
|
|
break
|
|
}
|
|
|
|
if !sent {
|
|
if err := t.sendKexInit(); err != nil {
|
|
t.recordWriteError(err)
|
|
break
|
|
}
|
|
sent = true
|
|
}
|
|
}
|
|
|
|
if err := t.getWriteError(); err != nil {
|
|
if request != nil {
|
|
request.done <- err
|
|
}
|
|
break
|
|
}
|
|
|
|
// We're not servicing t.requestKex, but that is OK:
|
|
// we never block on sending to t.requestKex.
|
|
|
|
// We're not servicing t.startKex, but the remote end
|
|
// has just sent us a kexInitMsg, so it can't send
|
|
// another key change request, until we close the done
|
|
// channel on the pendingKex request.
|
|
|
|
err := t.enterKeyExchange(request.otherInit)
|
|
|
|
t.mu.Lock()
|
|
t.writeError = err
|
|
t.sentInitPacket = nil
|
|
t.sentInitMsg = nil
|
|
|
|
t.resetWriteThresholds()
|
|
|
|
// we have completed the key exchange. Since the
|
|
// reader is still blocked, it is safe to clear out
|
|
// the requestKex channel. This avoids the situation
|
|
// where: 1) we consumed our own request for the
|
|
// initial kex, and 2) the kex from the remote side
|
|
// caused another send on the requestKex channel,
|
|
clear:
|
|
for {
|
|
select {
|
|
case <-t.requestKex:
|
|
//
|
|
default:
|
|
break clear
|
|
}
|
|
}
|
|
|
|
request.done <- t.writeError
|
|
|
|
// kex finished. Push packets that we received while
|
|
// the kex was in progress. Don't look at t.startKex
|
|
// and don't increment writtenSinceKex: if we trigger
|
|
// another kex while we are still busy with the last
|
|
// one, things will become very confusing.
|
|
for _, p := range t.pendingPackets {
|
|
t.writeError = t.pushPacket(p)
|
|
if t.writeError != nil {
|
|
break
|
|
}
|
|
}
|
|
t.pendingPackets = t.pendingPackets[:0]
|
|
t.mu.Unlock()
|
|
}
|
|
|
|
// drain startKex channel. We don't service t.requestKex
|
|
// because nobody does blocking sends there.
|
|
go func() {
|
|
for init := range t.startKex {
|
|
init.done <- t.writeError
|
|
}
|
|
}()
|
|
|
|
// Unblock reader.
|
|
t.conn.Close()
|
|
}
|
|
|
|
// The protocol uses uint32 for packet counters, so we can't let them
|
|
// reach 1<<32. We will actually read and write more packets than
|
|
// this, though: the other side may send more packets, and after we
|
|
// hit this limit on writing we will send a few more packets for the
|
|
// key exchange itself.
|
|
const packetRekeyThreshold = (1 << 31)
|
|
|
|
func (t *handshakeTransport) resetReadThresholds() {
|
|
t.readPacketsLeft = packetRekeyThreshold
|
|
if t.config.RekeyThreshold > 0 {
|
|
t.readBytesLeft = int64(t.config.RekeyThreshold)
|
|
} else if t.algorithms != nil {
|
|
t.readBytesLeft = t.algorithms.r.rekeyBytes()
|
|
} else {
|
|
t.readBytesLeft = 1 << 30
|
|
}
|
|
}
|
|
|
|
func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) {
|
|
p, err := t.conn.readPacket()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if t.readPacketsLeft > 0 {
|
|
t.readPacketsLeft--
|
|
} else {
|
|
t.requestKeyExchange()
|
|
}
|
|
|
|
if t.readBytesLeft > 0 {
|
|
t.readBytesLeft -= int64(len(p))
|
|
} else {
|
|
t.requestKeyExchange()
|
|
}
|
|
|
|
if debugHandshake {
|
|
t.printPacket(p, false)
|
|
}
|
|
|
|
if first && p[0] != msgKexInit {
|
|
return nil, fmt.Errorf("ssh: first packet should be msgKexInit")
|
|
}
|
|
|
|
if p[0] != msgKexInit {
|
|
return p, nil
|
|
}
|
|
|
|
firstKex := t.sessionID == nil
|
|
|
|
kex := pendingKex{
|
|
done: make(chan error, 1),
|
|
otherInit: p,
|
|
}
|
|
t.startKex <- &kex
|
|
err = <-kex.done
|
|
|
|
if debugHandshake {
|
|
log.Printf("%s exited key exchange (first %v), err %v", t.id(), firstKex, err)
|
|
}
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
t.resetReadThresholds()
|
|
|
|
// By default, a key exchange is hidden from higher layers by
|
|
// translating it into msgIgnore.
|
|
successPacket := []byte{msgIgnore}
|
|
if firstKex {
|
|
// sendKexInit() for the first kex waits for
|
|
// msgNewKeys so the authentication process is
|
|
// guaranteed to happen over an encrypted transport.
|
|
successPacket = []byte{msgNewKeys}
|
|
}
|
|
|
|
return successPacket, nil
|
|
}
|
|
|
|
// sendKexInit sends a key change message.
|
|
func (t *handshakeTransport) sendKexInit() error {
|
|
t.mu.Lock()
|
|
defer t.mu.Unlock()
|
|
if t.sentInitMsg != nil {
|
|
// kexInits may be sent either in response to the other side,
|
|
// or because our side wants to initiate a key change, so we
|
|
// may have already sent a kexInit. In that case, don't send a
|
|
// second kexInit.
|
|
return nil
|
|
}
|
|
|
|
msg := &kexInitMsg{
|
|
KexAlgos: t.config.KeyExchanges,
|
|
CiphersClientServer: t.config.Ciphers,
|
|
CiphersServerClient: t.config.Ciphers,
|
|
MACsClientServer: t.config.MACs,
|
|
MACsServerClient: t.config.MACs,
|
|
CompressionClientServer: supportedCompressions,
|
|
CompressionServerClient: supportedCompressions,
|
|
}
|
|
io.ReadFull(rand.Reader, msg.Cookie[:])
|
|
|
|
if len(t.hostKeys) > 0 {
|
|
for _, k := range t.hostKeys {
|
|
msg.ServerHostKeyAlgos = append(
|
|
msg.ServerHostKeyAlgos, k.PublicKey().Type())
|
|
}
|
|
} else {
|
|
msg.ServerHostKeyAlgos = t.hostKeyAlgorithms
|
|
}
|
|
packet := Marshal(msg)
|
|
|
|
// writePacket destroys the contents, so save a copy.
|
|
packetCopy := make([]byte, len(packet))
|
|
copy(packetCopy, packet)
|
|
|
|
if err := t.pushPacket(packetCopy); err != nil {
|
|
return err
|
|
}
|
|
|
|
t.sentInitMsg = msg
|
|
t.sentInitPacket = packet
|
|
|
|
return nil
|
|
}
|
|
|
|
func (t *handshakeTransport) writePacket(p []byte) error {
|
|
switch p[0] {
|
|
case msgKexInit:
|
|
return errors.New("ssh: only handshakeTransport can send kexInit")
|
|
case msgNewKeys:
|
|
return errors.New("ssh: only handshakeTransport can send newKeys")
|
|
}
|
|
|
|
t.mu.Lock()
|
|
defer t.mu.Unlock()
|
|
if t.writeError != nil {
|
|
return t.writeError
|
|
}
|
|
|
|
if t.sentInitMsg != nil {
|
|
// Copy the packet so the writer can reuse the buffer.
|
|
cp := make([]byte, len(p))
|
|
copy(cp, p)
|
|
t.pendingPackets = append(t.pendingPackets, cp)
|
|
return nil
|
|
}
|
|
|
|
if t.writeBytesLeft > 0 {
|
|
t.writeBytesLeft -= int64(len(p))
|
|
} else {
|
|
t.requestKeyExchange()
|
|
}
|
|
|
|
if t.writePacketsLeft > 0 {
|
|
t.writePacketsLeft--
|
|
} else {
|
|
t.requestKeyExchange()
|
|
}
|
|
|
|
if err := t.pushPacket(p); err != nil {
|
|
t.writeError = err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (t *handshakeTransport) Close() error {
|
|
return t.conn.Close()
|
|
}
|
|
|
|
func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
|
|
if debugHandshake {
|
|
log.Printf("%s entered key exchange", t.id())
|
|
}
|
|
|
|
otherInit := &kexInitMsg{}
|
|
if err := Unmarshal(otherInitPacket, otherInit); err != nil {
|
|
return err
|
|
}
|
|
|
|
magics := handshakeMagics{
|
|
clientVersion: t.clientVersion,
|
|
serverVersion: t.serverVersion,
|
|
clientKexInit: otherInitPacket,
|
|
serverKexInit: t.sentInitPacket,
|
|
}
|
|
|
|
clientInit := otherInit
|
|
serverInit := t.sentInitMsg
|
|
isClient := len(t.hostKeys) == 0
|
|
if isClient {
|
|
clientInit, serverInit = serverInit, clientInit
|
|
|
|
magics.clientKexInit = t.sentInitPacket
|
|
magics.serverKexInit = otherInitPacket
|
|
}
|
|
|
|
var err error
|
|
t.algorithms, err = findAgreedAlgorithms(isClient, clientInit, serverInit)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// We don't send FirstKexFollows, but we handle receiving it.
|
|
//
|
|
// RFC 4253 section 7 defines the kex and the agreement method for
|
|
// first_kex_packet_follows. It states that the guessed packet
|
|
// should be ignored if the "kex algorithm and/or the host
|
|
// key algorithm is guessed wrong (server and client have
|
|
// different preferred algorithm), or if any of the other
|
|
// algorithms cannot be agreed upon". The other algorithms have
|
|
// already been checked above so the kex algorithm and host key
|
|
// algorithm are checked here.
|
|
if otherInit.FirstKexFollows && (clientInit.KexAlgos[0] != serverInit.KexAlgos[0] || clientInit.ServerHostKeyAlgos[0] != serverInit.ServerHostKeyAlgos[0]) {
|
|
// other side sent a kex message for the wrong algorithm,
|
|
// which we have to ignore.
|
|
if _, err := t.conn.readPacket(); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
kex, ok := kexAlgoMap[t.algorithms.kex]
|
|
if !ok {
|
|
return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.kex)
|
|
}
|
|
|
|
var result *kexResult
|
|
if len(t.hostKeys) > 0 {
|
|
result, err = t.server(kex, t.algorithms, &magics)
|
|
} else {
|
|
result, err = t.client(kex, t.algorithms, &magics)
|
|
}
|
|
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if t.sessionID == nil {
|
|
t.sessionID = result.H
|
|
}
|
|
result.SessionID = t.sessionID
|
|
|
|
if err := t.conn.prepareKeyChange(t.algorithms, result); err != nil {
|
|
return err
|
|
}
|
|
if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil {
|
|
return err
|
|
}
|
|
if packet, err := t.conn.readPacket(); err != nil {
|
|
return err
|
|
} else if packet[0] != msgNewKeys {
|
|
return unexpectedMessageError(msgNewKeys, packet[0])
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (t *handshakeTransport) server(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
|
|
var hostKey Signer
|
|
for _, k := range t.hostKeys {
|
|
if algs.hostKey == k.PublicKey().Type() {
|
|
hostKey = k
|
|
}
|
|
}
|
|
|
|
r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey)
|
|
return r, err
|
|
}
|
|
|
|
func (t *handshakeTransport) client(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
|
|
result, err := kex.Client(t.conn, t.config.Rand, magics)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
hostKey, err := ParsePublicKey(result.HostKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if err := verifyHostKeySignature(hostKey, result); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
err = t.hostKeyCallback(t.dialAddress, t.remoteAddr, hostKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return result, nil
|
|
}
|