1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
15 // These are string constants in the SSH protocol.
17 kexAlgoDH14SHA1 = "diffie-hellman-group14-sha1"
18 hostAlgoRSA = "ssh-rsa"
19 macSHA196 = "hmac-sha1-96"
20 compressionNone = "none"
21 serviceUserAuth = "ssh-userauth"
22 serviceSSH = "ssh-connection"
25 var supportedKexAlgos = []string{kexAlgoDH14SHA1}
26 var supportedHostKeyAlgos = []string{hostAlgoRSA}
27 var supportedMACs = []string{macSHA196}
28 var supportedCompressions = []string{compressionNone}
30 // dhGroup is a multiplicative group suitable for implementing Diffie-Hellman key agreement.
35 // dhGroup14 is the group called diffie-hellman-group14-sha1 in RFC 4253 and
36 // Oakley Group 14 in RFC 3526.
37 var dhGroup14 *dhGroup
39 var dhGroup14Once sync.Once
41 func initDHGroup14() {
42 p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
45 g: new(big.Int).SetInt64(2),
50 // UnexpectedMessageError results when the SSH message that we received didn't
51 // match what we wanted.
52 type UnexpectedMessageError struct {
56 func (u UnexpectedMessageError) Error() string {
57 return "ssh: unexpected message type " + strconv.Itoa(int(u.got)) + " (expected " + strconv.Itoa(int(u.expected)) + ")"
60 // ParseError results from a malformed SSH message.
61 type ParseError struct {
65 func (p ParseError) Error() string {
66 return "ssh: parse error in message type " + strconv.Itoa(int(p.msgType))
69 type handshakeMagics struct {
70 clientVersion, serverVersion []byte
71 clientKexInit, serverKexInit []byte
74 func findCommonAlgorithm(clientAlgos []string, serverAlgos []string) (commonAlgo string, ok bool) {
75 for _, clientAlgo := range clientAlgos {
76 for _, serverAlgo := range serverAlgos {
77 if clientAlgo == serverAlgo {
78 return clientAlgo, true
86 func findAgreedAlgorithms(transport *transport, clientKexInit, serverKexInit *kexInitMsg) (kexAlgo, hostKeyAlgo string, ok bool) {
87 kexAlgo, ok = findCommonAlgorithm(clientKexInit.KexAlgos, serverKexInit.KexAlgos)
92 hostKeyAlgo, ok = findCommonAlgorithm(clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
97 transport.writer.cipherAlgo, ok = findCommonAlgorithm(clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
102 transport.reader.cipherAlgo, ok = findCommonAlgorithm(clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
107 transport.writer.macAlgo, ok = findCommonAlgorithm(clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
112 transport.reader.macAlgo, ok = findCommonAlgorithm(clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
117 transport.writer.compressionAlgo, ok = findCommonAlgorithm(clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
122 transport.reader.compressionAlgo, ok = findCommonAlgorithm(clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
131 // Cryptographic configuration common to both ServerConfig and ClientConfig.
132 type CryptoConfig struct {
133 // The allowed cipher algorithms. If unspecified then DefaultCipherOrder is
138 func (c *CryptoConfig) ciphers() []string {
139 if c.Ciphers == nil {
140 return DefaultCipherOrder
145 // serialize a signed slice according to RFC 4254 6.6.
146 func serializeSignature(algoname string, sig []byte) []byte {
147 length := stringLength([]byte(algoname))
148 length += stringLength(sig)
150 ret := make([]byte, length)
151 r := marshalString(ret, []byte(algoname))
152 r = marshalString(r, sig)
157 // serialize an rsa.PublicKey or dsa.PublicKey according to RFC 4253 6.6.
158 func serializePublickey(key interface{}) []byte {
159 algoname := algoName(key)
160 switch key := key.(type) {
162 e := new(big.Int).SetInt64(int64(key.E))
163 length := stringLength([]byte(algoname))
164 length += intLength(e)
165 length += intLength(key.N)
166 ret := make([]byte, length)
167 r := marshalString(ret, []byte(algoname))
172 length := stringLength([]byte(algoname))
173 length += intLength(key.P)
174 length += intLength(key.Q)
175 length += intLength(key.G)
176 length += intLength(key.Y)
177 ret := make([]byte, length)
178 r := marshalString(ret, []byte(algoname))
179 r = marshalInt(r, key.P)
180 r = marshalInt(r, key.Q)
181 r = marshalInt(r, key.G)
185 panic("unexpected key type")
188 func algoName(key interface{}) string {
195 panic("unexpected key type")
198 // buildDataSignedForAuth returns the data that is signed in order to prove
199 // posession of a private key. See RFC 4252, section 7.
200 func buildDataSignedForAuth(sessionId []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte {
201 user := []byte(req.User)
202 service := []byte(req.Service)
203 method := []byte(req.Method)
205 length := stringLength(sessionId)
207 length += stringLength(user)
208 length += stringLength(service)
209 length += stringLength(method)
211 length += stringLength(algo)
212 length += stringLength(pubKey)
214 ret := make([]byte, length)
215 r := marshalString(ret, sessionId)
216 r[0] = msgUserAuthRequest
218 r = marshalString(r, user)
219 r = marshalString(r, service)
220 r = marshalString(r, method)
223 r = marshalString(r, algo)
224 r = marshalString(r, pubKey)
228 // safeString sanitises s according to RFC 4251, section 9.2.
229 // All control characters except tab, carriage return and newline are
231 func safeString(s string) string {
233 for i, c := range out {
234 if c < 0x20 && c != 0xd && c != 0xa && c != 0x9 {