forked from gitea/gitea
Update golang x/crypto dependencies (#2923)
This commit is contained in:
@ -0,0 +1,8 @@
// Copyright 2012 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// This code was translated into a form compatible with 6a from the public
// domain sources in SUPERCOP:
@ -3,12 +3,12 @@
// license that can be found in the LICENSE file.
// license that can be found in the LICENSE file.
// This code was translated into a form compatible with 6a from the public
// This code was translated into a form compatible with 6a from the public
// domain sources in SUPERCOP:
// domain sources in SUPERCOP:
// +build amd64,!gccgo,!appengine
// +build amd64,!gccgo,!appengine
// These constants cannot be encoded in non-MOVQ immediates.
// We access them directly from memory instead.
DATA ·_121666_213(SB)/8, $996687872
DATA ·_121666_213(SB)/8, $996687872
GLOBL ·_121666_213(SB), 8, $8
GLOBL ·_121666_213(SB), 8, $8
@ -2,87 +2,64 @@
// Use of this source code is governed by a BSD-style
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// license that can be found in the LICENSE file.
// This code was translated into a form compatible with 6a from the public
// domain sources in SUPERCOP:
// +build amd64,!gccgo,!appengine
// +build amd64,!gccgo,!appengine
// func cswap(inout *[5]uint64, v uint64)
// func cswap(inout *[4][5]uint64, v uint64)
TEXT ·cswap(SB),7,$0
TEXT ·cswap(SB),7,$0
MOVQ inout+0(FP),DI
MOVQ inout+0(FP),DI
PSHUFD $0x44, X15, X15
MOVQ 88(DI),R8
MOVOU 16(DI), X2
MOVOU 32(DI), X4
MOVOU 48(DI), X6
MOVOU 64(DI), X8
MOVOU 80(DI), X1
MOVOU 96(DI), X3
MOVOU 112(DI), X5
MOVOU 128(DI), X7
MOVQ R8,88(DI)
MOVOU 144(DI), X9
MOVO X1, X10
MOVO X3, X11
MOVQ 104(DI),R8
MOVO X5, X12
MOVO X7, X13
MOVO X9, X14
PXOR X0, X10
PXOR X2, X11
PXOR X4, X12
PXOR X6, X13
PXOR X8, X14
PAND X15, X10
MOVQ R8,104(DI)
PAND X15, X11
PAND X15, X12
PAND X15, X13
PAND X15, X14
MOVQ 120(DI),R8
PXOR X10, X0
PXOR X10, X1
PXOR X11, X2
PXOR X11, X3
PXOR X12, X4
PXOR X12, X5
PXOR X13, X6
PXOR X13, X7
PXOR X14, X8
PXOR X14, X9
MOVQ R8,120(DI)
MOVOU X2, 16(DI)
MOVOU X4, 32(DI)
MOVQ 136(DI),R8
MOVOU X6, 48(DI)
MOVOU X8, 64(DI)
MOVOU X1, 80(DI)
MOVOU X3, 96(DI)
MOVOU X5, 112(DI)
MOVOU X7, 128(DI)
MOVOU X9, 144(DI)
MOVQ R8,136(DI)
MOVQ 152(DI),R8
MOVQ R8,152(DI)
@ -1,841 +0,0 @@
// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// We have a implementation in amd64 assembly so this code is only run on
// non-amd64 platforms. The amd64 assembly does not support gccgo.
// +build !amd64 gccgo appengine
package curve25519
// This code is a port of the public domain, "ref10" implementation of
// curve25519 from SUPERCOP 20130419 by D. J. Bernstein.
// fieldElement represents an element of the field GF(2^255 - 19). An element
// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
// context.
type fieldElement [10]int32
func feZero(fe *fieldElement) {
for i := range fe {
fe[i] = 0
func feOne(fe *fieldElement) {
fe[0] = 1
func feAdd(dst, a, b *fieldElement) {
for i := range dst {
dst[i] = a[i] + b[i]
func feSub(dst, a, b *fieldElement) {
for i := range dst {
dst[i] = a[i] - b[i]
func feCopy(dst, src *fieldElement) {
for i := range dst {
dst[i] = src[i]
// feCSwap replaces (f,g) with (g,f) if b == 1; replaces (f,g) with (f,g) if b == 0.
// Preconditions: b in {0,1}.
func feCSwap(f, g *fieldElement, b int32) {
var x fieldElement
b = -b
for i := range x {
x[i] = b & (f[i] ^ g[i])
for i := range f {
f[i] ^= x[i]
for i := range g {
g[i] ^= x[i]
// load3 reads a 24-bit, little-endian value from in.
func load3(in []byte) int64 {
var r int64
r = int64(in[0])
r |= int64(in[1]) << 8
r |= int64(in[2]) << 16
return r
// load4 reads a 32-bit, little-endian value from in.
func load4(in []byte) int64 {
var r int64
r = int64(in[0])
r |= int64(in[1]) << 8
r |= int64(in[2]) << 16
r |= int64(in[3]) << 24
return r
func feFromBytes(dst *fieldElement, src *[32]byte) {
h0 := load4(src[:])
h1 := load3(src[4:]) << 6
h2 := load3(src[7:]) << 5
h3 := load3(src[10:]) << 3
h4 := load3(src[13:]) << 2
h5 := load4(src[16:])
h6 := load3(src[20:]) << 7
h7 := load3(src[23:]) << 5
h8 := load3(src[26:]) << 4
h9 := load3(src[29:]) << 2
var carry [10]int64
carry[9] = (h9 + 1<<24) >> 25
h0 += carry[9] * 19
h9 -= carry[9] << 25
carry[1] = (h1 + 1<<24) >> 25
h2 += carry[1]
h1 -= carry[1] << 25
carry[3] = (h3 + 1<<24) >> 25
h4 += carry[3]
h3 -= carry[3] << 25
carry[5] = (h5 + 1<<24) >> 25
h6 += carry[5]
h5 -= carry[5] << 25
carry[7] = (h7 + 1<<24) >> 25
h8 += carry[7]
h7 -= carry[7] << 25
carry[0] = (h0 + 1<<25) >> 26
h1 += carry[0]
h0 -= carry[0] << 26
carry[2] = (h2 + 1<<25) >> 26
h3 += carry[2]
h2 -= carry[2] << 26
carry[4] = (h4 + 1<<25) >> 26
h5 += carry[4]
h4 -= carry[4] << 26
carry[6] = (h6 + 1<<25) >> 26
h7 += carry[6]
h6 -= carry[6] << 26
carry[8] = (h8 + 1<<25) >> 26
h9 += carry[8]
h8 -= carry[8] << 26
dst[0] = int32(h0)
dst[1] = int32(h1)
dst[2] = int32(h2)
dst[3] = int32(h3)
dst[4] = int32(h4)
dst[5] = int32(h5)
dst[6] = int32(h6)
dst[7] = int32(h7)
dst[8] = int32(h8)
dst[9] = int32(h9)
// feToBytes marshals h to s.
// Preconditions:
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
// Write p=2^255-19; q=floor(h/p).
// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
// Proof:
// Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
// Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
// Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
// Then 0<y<1.
// Write r=h-pq.
// Have 0<=r<=p-1=2^255-20.
// Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
// Write x=r+19(2^-255)r+y.
// Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
// Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
// so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
func feToBytes(s *[32]byte, h *fieldElement) {
var carry [10]int32
q := (19*h[9] + (1 << 24)) >> 25
q = (h[0] + q) >> 26
q = (h[1] + q) >> 25
q = (h[2] + q) >> 26
q = (h[3] + q) >> 25
q = (h[4] + q) >> 26
q = (h[5] + q) >> 25
q = (h[6] + q) >> 26
q = (h[7] + q) >> 25
q = (h[8] + q) >> 26
q = (h[9] + q) >> 25
// Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
h[0] += 19 * q
// Goal: Output h-2^255 q, which is between 0 and 2^255-20.
carry[0] = h[0] >> 26
h[1] += carry[0]
h[0] -= carry[0] << 26
carry[1] = h[1] >> 25
h[2] += carry[1]
h[1] -= carry[1] << 25
carry[2] = h[2] >> 26
h[3] += carry[2]
h[2] -= carry[2] << 26
carry[3] = h[3] >> 25
h[4] += carry[3]
h[3] -= carry[3] << 25
carry[4] = h[4] >> 26
h[5] += carry[4]
h[4] -= carry[4] << 26
carry[5] = h[5] >> 25
h[6] += carry[5]
h[5] -= carry[5] << 25
carry[6] = h[6] >> 26
h[7] += carry[6]
h[6] -= carry[6] << 26
carry[7] = h[7] >> 25
h[8] += carry[7]
h[7] -= carry[7] << 25
carry[8] = h[8] >> 26
h[9] += carry[8]
h[8] -= carry[8] << 26
carry[9] = h[9] >> 25
h[9] -= carry[9] << 25
// h10 = carry9
// Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
// Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
// evidently 2^255 h10-2^255 q = 0.
// Goal: Output h[0]+...+2^230 h[9].
s[0] = byte(h[0] >> 0)
s[1] = byte(h[0] >> 8)
s[2] = byte(h[0] >> 16)
s[3] = byte((h[0] >> 24) | (h[1] << 2))
s[4] = byte(h[1] >> 6)
s[5] = byte(h[1] >> 14)
s[6] = byte((h[1] >> 22) | (h[2] << 3))
s[7] = byte(h[2] >> 5)
s[8] = byte(h[2] >> 13)
s[9] = byte((h[2] >> 21) | (h[3] << 5))
s[10] = byte(h[3] >> 3)
s[11] = byte(h[3] >> 11)
s[12] = byte((h[3] >> 19) | (h[4] << 6))
s[13] = byte(h[4] >> 2)
s[14] = byte(h[4] >> 10)
s[15] = byte(h[4] >> 18)
s[16] = byte(h[5] >> 0)
s[17] = byte(h[5] >> 8)
s[18] = byte(h[5] >> 16)
s[19] = byte((h[5] >> 24) | (h[6] << 1))
s[20] = byte(h[6] >> 7)
s[21] = byte(h[6] >> 15)
s[22] = byte((h[6] >> 23) | (h[7] << 3))
s[23] = byte(h[7] >> 5)
s[24] = byte(h[7] >> 13)
s[25] = byte((h[7] >> 21) | (h[8] << 4))
s[26] = byte(h[8] >> 4)
s[27] = byte(h[8] >> 12)
s[28] = byte((h[8] >> 20) | (h[9] << 6))
s[29] = byte(h[9] >> 2)
s[30] = byte(h[9] >> 10)
s[31] = byte(h[9] >> 18)
// feMul calculates h = f * g
// Can overlap h with f or g.
// Preconditions:
// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
// |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
// Postconditions:
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
// Notes on implementation strategy:
// Using schoolbook multiplication.
// Karatsuba would save a little in some cost models.
// Most multiplications by 2 and 19 are 32-bit precomputations;
// cheaper than 64-bit postcomputations.
// There is one remaining multiplication by 19 in the carry chain;
// one *19 precomputation can be merged into this,
// but the resulting data flow is considerably less clean.
// There are 12 carries below.
// 10 of them are 2-way parallelizable and vectorizable.
// Can get away with 11 carries, but then data flow is much deeper.
// With tighter constraints on inputs can squeeze carries into int32.
func feMul(h, f, g *fieldElement) {
f0 := f[0]
f1 := f[1]
f2 := f[2]
f3 := f[3]
f4 := f[4]
f5 := f[5]
f6 := f[6]
f7 := f[7]
f8 := f[8]
f9 := f[9]
g0 := g[0]
g1 := g[1]
g2 := g[2]
g3 := g[3]
g4 := g[4]
g5 := g[5]
g6 := g[6]
g7 := g[7]
g8 := g[8]
g9 := g[9]
g1_19 := 19 * g1 // 1.4*2^29
g2_19 := 19 * g2 // 1.4*2^30; still ok
g3_19 := 19 * g3
g4_19 := 19 * g4
g5_19 := 19 * g5
g6_19 := 19 * g6
g7_19 := 19 * g7
g8_19 := 19 * g8
g9_19 := 19 * g9
f1_2 := 2 * f1
f3_2 := 2 * f3
f5_2 := 2 * f5
f7_2 := 2 * f7
f9_2 := 2 * f9
f0g0 := int64(f0) * int64(g0)
f0g1 := int64(f0) * int64(g1)
f0g2 := int64(f0) * int64(g2)
f0g3 := int64(f0) * int64(g3)
f0g4 := int64(f0) * int64(g4)
f0g5 := int64(f0) * int64(g5)
f0g6 := int64(f0) * int64(g6)
f0g7 := int64(f0) * int64(g7)
f0g8 := int64(f0) * int64(g8)
f0g9 := int64(f0) * int64(g9)
f1g0 := int64(f1) * int64(g0)
f1g1_2 := int64(f1_2) * int64(g1)
f1g2 := int64(f1) * int64(g2)
f1g3_2 := int64(f1_2) * int64(g3)
f1g4 := int64(f1) * int64(g4)
f1g5_2 := int64(f1_2) * int64(g5)
f1g6 := int64(f1) * int64(g6)
f1g7_2 := int64(f1_2) * int64(g7)
f1g8 := int64(f1) * int64(g8)
f1g9_38 := int64(f1_2) * int64(g9_19)
f2g0 := int64(f2) * int64(g0)
f2g1 := int64(f2) * int64(g1)
f2g2 := int64(f2) * int64(g2)
f2g3 := int64(f2) * int64(g3)
f2g4 := int64(f2) * int64(g4)
f2g5 := int64(f2) * int64(g5)
f2g6 := int64(f2) * int64(g6)
f2g7 := int64(f2) * int64(g7)
f2g8_19 := int64(f2) * int64(g8_19)
f2g9_19 := int64(f2) * int64(g9_19)
f3g0 := int64(f3) * int64(g0)
f3g1_2 := int64(f3_2) * int64(g1)
f3g2 := int64(f3) * int64(g2)
f3g3_2 := int64(f3_2) * int64(g3)
f3g4 := int64(f3) * int64(g4)
f3g5_2 := int64(f3_2) * int64(g5)
f3g6 := int64(f3) * int64(g6)
f3g7_38 := int64(f3_2) * int64(g7_19)
f3g8_19 := int64(f3) * int64(g8_19)
f3g9_38 := int64(f3_2) * int64(g9_19)
f4g0 := int64(f4) * int64(g0)
f4g1 := int64(f4) * int64(g1)
f4g2 := int64(f4) * int64(g2)
f4g3 := int64(f4) * int64(g3)
f4g4 := int64(f4) * int64(g4)
f4g5 := int64(f4) * int64(g5)
f4g6_19 := int64(f4) * int64(g6_19)
f4g7_19 := int64(f4) * int64(g7_19)
f4g8_19 := int64(f4) * int64(g8_19)
f4g9_19 := int64(f4) * int64(g9_19)
f5g0 := int64(f5) * int64(g0)
f5g1_2 := int64(f5_2) * int64(g1)
f5g2 := int64(f5) * int64(g2)
f5g3_2 := int64(f5_2) * int64(g3)
f5g4 := int64(f5) * int64(g4)
f5g5_38 := int64(f5_2) * int64(g5_19)
f5g6_19 := int64(f5) * int64(g6_19)
f5g7_38 := int64(f5_2) * int64(g7_19)
f5g8_19 := int64(f5) * int64(g8_19)
f5g9_38 := int64(f5_2) * int64(g9_19)
f6g0 := int64(f6) * int64(g0)
f6g1 := int64(f6) * int64(g1)
f6g2 := int64(f6) * int64(g2)
f6g3 := int64(f6) * int64(g3)
f6g4_19 := int64(f6) * int64(g4_19)
f6g5_19 := int64(f6) * int64(g5_19)
f6g6_19 := int64(f6) * int64(g6_19)
f6g7_19 := int64(f6) * int64(g7_19)
f6g8_19 := int64(f6) * int64(g8_19)
f6g9_19 := int64(f6) * int64(g9_19)
f7g0 := int64(f7) * int64(g0)
f7g1_2 := int64(f7_2) * int64(g1)
f7g2 := int64(f7) * int64(g2)
f7g3_38 := int64(f7_2) * int64(g3_19)
f7g4_19 := int64(f7) * int64(g4_19)
f7g5_38 := int64(f7_2) * int64(g5_19)
f7g6_19 := int64(f7) * int64(g6_19)
f7g7_38 := int64(f7_2) * int64(g7_19)
f7g8_19 := int64(f7) * int64(g8_19)
f7g9_38 := int64(f7_2) * int64(g9_19)
f8g0 := int64(f8) * int64(g0)
f8g1 := int64(f8) * int64(g1)
f8g2_19 := int64(f8) * int64(g2_19)
f8g3_19 := int64(f8) * int64(g3_19)
f8g4_19 := int64(f8) * int64(g4_19)
f8g5_19 := int64(f8) * int64(g5_19)
f8g6_19 := int64(f8) * int64(g6_19)
f8g7_19 := int64(f8) * int64(g7_19)
f8g8_19 := int64(f8) * int64(g8_19)
f8g9_19 := int64(f8) * int64(g9_19)
f9g0 := int64(f9) * int64(g0)
f9g1_38 := int64(f9_2) * int64(g1_19)
f9g2_19 := int64(f9) * int64(g2_19)
f9g3_38 := int64(f9_2) * int64(g3_19)
f9g4_19 := int64(f9) * int64(g4_19)
f9g5_38 := int64(f9_2) * int64(g5_19)
f9g6_19 := int64(f9) * int64(g6_19)
f9g7_38 := int64(f9_2) * int64(g7_19)
f9g8_19 := int64(f9) * int64(g8_19)
f9g9_38 := int64(f9_2) * int64(g9_19)
h0 := f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38
h1 := f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19
h2 := f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38
h3 := f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19
h4 := f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38
h5 := f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19
h6 := f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38
h7 := f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19
h8 := f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38
h9 := f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0
var carry [10]int64
// |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
// i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
// |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
// i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
carry[0] = (h0 + (1 << 25)) >> 26
h1 += carry[0]
h0 -= carry[0] << 26
carry[4] = (h4 + (1 << 25)) >> 26
h5 += carry[4]
h4 -= carry[4] << 26
// |h0| <= 2^25
// |h4| <= 2^25
// |h1| <= 1.51*2^58
// |h5| <= 1.51*2^58
carry[1] = (h1 + (1 << 24)) >> 25
h2 += carry[1]
h1 -= carry[1] << 25
carry[5] = (h5 + (1 << 24)) >> 25
h6 += carry[5]
h5 -= carry[5] << 25
// |h1| <= 2^24; from now on fits into int32
// |h5| <= 2^24; from now on fits into int32
// |h2| <= 1.21*2^59
// |h6| <= 1.21*2^59
carry[2] = (h2 + (1 << 25)) >> 26
h3 += carry[2]
h2 -= carry[2] << 26
carry[6] = (h6 + (1 << 25)) >> 26
h7 += carry[6]
h6 -= carry[6] << 26
// |h2| <= 2^25; from now on fits into int32 unchanged
// |h6| <= 2^25; from now on fits into int32 unchanged
// |h3| <= 1.51*2^58
// |h7| <= 1.51*2^58
carry[3] = (h3 + (1 << 24)) >> 25
h4 += carry[3]
h3 -= carry[3] << 25
carry[7] = (h7 + (1 << 24)) >> 25
h8 += carry[7]
h7 -= carry[7] << 25
// |h3| <= 2^24; from now on fits into int32 unchanged
// |h7| <= 2^24; from now on fits into int32 unchanged
// |h4| <= 1.52*2^33
// |h8| <= 1.52*2^33
carry[4] = (h4 + (1 << 25)) >> 26
h5 += carry[4]
h4 -= carry[4] << 26
carry[8] = (h8 + (1 << 25)) >> 26
h9 += carry[8]
h8 -= carry[8] << 26
// |h4| <= 2^25; from now on fits into int32 unchanged
// |h8| <= 2^25; from now on fits into int32 unchanged
// |h5| <= 1.01*2^24
// |h9| <= 1.51*2^58
carry[9] = (h9 + (1 << 24)) >> 25
h0 += carry[9] * 19
h9 -= carry[9] << 25
// |h9| <= 2^24; from now on fits into int32 unchanged
// |h0| <= 1.8*2^37
carry[0] = (h0 + (1 << 25)) >> 26
h1 += carry[0]
h0 -= carry[0] << 26
// |h0| <= 2^25; from now on fits into int32 unchanged
// |h1| <= 1.01*2^24
h[0] = int32(h0)
h[1] = int32(h1)
h[2] = int32(h2)
h[3] = int32(h3)
h[4] = int32(h4)
h[5] = int32(h5)
h[6] = int32(h6)
h[7] = int32(h7)
h[8] = int32(h8)
h[9] = int32(h9)
// feSquare calculates h = f*f. Can overlap h with f.
// Preconditions:
// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
// Postconditions:
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
func feSquare(h, f *fieldElement) {
f0 := f[0]
f1 := f[1]
f2 := f[2]
f3 := f[3]
f4 := f[4]
f5 := f[5]
f6 := f[6]
f7 := f[7]
f8 := f[8]
f9 := f[9]
f0_2 := 2 * f0
f1_2 := 2 * f1
f2_2 := 2 * f2
f3_2 := 2 * f3
f4_2 := 2 * f4
f5_2 := 2 * f5
f6_2 := 2 * f6
f7_2 := 2 * f7
f5_38 := 38 * f5 // 1.31*2^30
f6_19 := 19 * f6 // 1.31*2^30
f7_38 := 38 * f7 // 1.31*2^30
f8_19 := 19 * f8 // 1.31*2^30
f9_38 := 38 * f9 // 1.31*2^30
f0f0 := int64(f0) * int64(f0)
f0f1_2 := int64(f0_2) * int64(f1)
f0f2_2 := int64(f0_2) * int64(f2)
f0f3_2 := int64(f0_2) * int64(f3)
f0f4_2 := int64(f0_2) * int64(f4)
f0f5_2 := int64(f0_2) * int64(f5)
f0f6_2 := int64(f0_2) * int64(f6)
f0f7_2 := int64(f0_2) * int64(f7)
f0f8_2 := int64(f0_2) * int64(f8)
f0f9_2 := int64(f0_2) * int64(f9)
f1f1_2 := int64(f1_2) * int64(f1)
f1f2_2 := int64(f1_2) * int64(f2)
f1f3_4 := int64(f1_2) * int64(f3_2)
f1f4_2 := int64(f1_2) * int64(f4)
f1f5_4 := int64(f1_2) * int64(f5_2)
f1f6_2 := int64(f1_2) * int64(f6)
f1f7_4 := int64(f1_2) * int64(f7_2)
f1f8_2 := int64(f1_2) * int64(f8)
f1f9_76 := int64(f1_2) * int64(f9_38)
f2f2 := int64(f2) * int64(f2)
f2f3_2 := int64(f2_2) * int64(f3)
f2f4_2 := int64(f2_2) * int64(f4)
f2f5_2 := int64(f2_2) * int64(f5)
f2f6_2 := int64(f2_2) * int64(f6)
f2f7_2 := int64(f2_2) * int64(f7)
f2f8_38 := int64(f2_2) * int64(f8_19)
f2f9_38 := int64(f2) * int64(f9_38)
f3f3_2 := int64(f3_2) * int64(f3)
f3f4_2 := int64(f3_2) * int64(f4)
f3f5_4 := int64(f3_2) * int64(f5_2)
f3f6_2 := int64(f3_2) * int64(f6)
f3f7_76 := int64(f3_2) * int64(f7_38)
f3f8_38 := int64(f3_2) * int64(f8_19)
f3f9_76 := int64(f3_2) * int64(f9_38)
f4f4 := int64(f4) * int64(f4)
f4f5_2 := int64(f4_2) * int64(f5)
f4f6_38 := int64(f4_2) * int64(f6_19)
f4f7_38 := int64(f4) * int64(f7_38)
f4f8_38 := int64(f4_2) * int64(f8_19)
f4f9_38 := int64(f4) * int64(f9_38)
f5f5_38 := int64(f5) * int64(f5_38)
f5f6_38 := int64(f5_2) * int64(f6_19)
f5f7_76 := int64(f5_2) * int64(f7_38)
f5f8_38 := int64(f5_2) * int64(f8_19)
f5f9_76 := int64(f5_2) * int64(f9_38)
f6f6_19 := int64(f6) * int64(f6_19)
f6f7_38 := int64(f6) * int64(f7_38)
f6f8_38 := int64(f6_2) * int64(f8_19)
f6f9_38 := int64(f6) * int64(f9_38)
f7f7_38 := int64(f7) * int64(f7_38)
f7f8_38 := int64(f7_2) * int64(f8_19)
f7f9_76 := int64(f7_2) * int64(f9_38)
f8f8_19 := int64(f8) * int64(f8_19)
f8f9_38 := int64(f8) * int64(f9_38)
f9f9_38 := int64(f9) * int64(f9_38)
h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38
h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38
h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19
h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38
h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38
h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38
h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19
h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38
h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38
h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2
var carry [10]int64
carry[0] = (h0 + (1 << 25)) >> 26
h1 += carry[0]
h0 -= carry[0] << 26
carry[4] = (h4 + (1 << 25)) >> 26
h5 += carry[4]
h4 -= carry[4] << 26
carry[1] = (h1 + (1 << 24)) >> 25
h2 += carry[1]
h1 -= carry[1] << 25
carry[5] = (h5 + (1 << 24)) >> 25
h6 += carry[5]
h5 -= carry[5] << 25
carry[2] = (h2 + (1 << 25)) >> 26
h3 += carry[2]
h2 -= carry[2] << 26
carry[6] = (h6 + (1 << 25)) >> 26
h7 += carry[6]
h6 -= carry[6] << 26
carry[3] = (h3 + (1 << 24)) >> 25
h4 += carry[3]
h3 -= carry[3] << 25
carry[7] = (h7 + (1 << 24)) >> 25
h8 += carry[7]
h7 -= carry[7] << 25
carry[4] = (h4 + (1 << 25)) >> 26
h5 += carry[4]
h4 -= carry[4] << 26
carry[8] = (h8 + (1 << 25)) >> 26
h9 += carry[8]
h8 -= carry[8] << 26
carry[9] = (h9 + (1 << 24)) >> 25
h0 += carry[9] * 19
h9 -= carry[9] << 25
carry[0] = (h0 + (1 << 25)) >> 26
h1 += carry[0]
h0 -= carry[0] << 26
h[0] = int32(h0)
h[1] = int32(h1)
h[2] = int32(h2)
h[3] = int32(h3)
h[4] = int32(h4)
h[5] = int32(h5)
h[6] = int32(h6)
h[7] = int32(h7)
h[8] = int32(h8)
h[9] = int32(h9)
// feMul121666 calculates h = f * 121666. Can overlap h with f.
// Preconditions:
// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
// Postconditions:
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
func feMul121666(h, f *fieldElement) {
h0 := int64(f[0]) * 121666
h1 := int64(f[1]) * 121666
h2 := int64(f[2]) * 121666
h3 := int64(f[3]) * 121666
h4 := int64(f[4]) * 121666
h5 := int64(f[5]) * 121666
h6 := int64(f[6]) * 121666
h7 := int64(f[7]) * 121666
h8 := int64(f[8]) * 121666
h9 := int64(f[9]) * 121666
var carry [10]int64
carry[9] = (h9 + (1 << 24)) >> 25
h0 += carry[9] * 19
h9 -= carry[9] << 25
carry[1] = (h1 + (1 << 24)) >> 25
h2 += carry[1]
h1 -= carry[1] << 25
carry[3] = (h3 + (1 << 24)) >> 25
h4 += carry[3]
h3 -= carry[3] << 25
carry[5] = (h5 + (1 << 24)) >> 25
h6 += carry[5]
h5 -= carry[5] << 25
carry[7] = (h7 + (1 << 24)) >> 25
h8 += carry[7]
h7 -= carry[7] << 25
carry[0] = (h0 + (1 << 25)) >> 26
h1 += carry[0]
h0 -= carry[0] << 26
carry[2] = (h2 + (1 << 25)) >> 26
h3 += carry[2]
h2 -= carry[2] << 26
carry[4] = (h4 + (1 << 25)) >> 26
h5 += carry[4]
h4 -= carry[4] << 26
carry[6] = (h6 + (1 << 25)) >> 26
h7 += carry[6]
h6 -= carry[6] << 26
carry[8] = (h8 + (1 << 25)) >> 26
h9 += carry[8]
h8 -= carry[8] << 26
h[0] = int32(h0)
h[1] = int32(h1)
h[2] = int32(h2)
h[3] = int32(h3)
h[4] = int32(h4)
h[5] = int32(h5)
h[6] = int32(h6)
h[7] = int32(h7)
h[8] = int32(h8)
h[9] = int32(h9)
// feInvert sets out = z^-1.
func feInvert(out, z *fieldElement) {
var t0, t1, t2, t3 fieldElement
var i int
feSquare(&t0, z)
for i = 1; i < 1; i++ {
feSquare(&t0, &t0)
feSquare(&t1, &t0)
for i = 1; i < 2; i++ {
feSquare(&t1, &t1)
feMul(&t1, z, &t1)
feMul(&t0, &t0, &t1)
feSquare(&t2, &t0)
for i = 1; i < 1; i++ {
feSquare(&t2, &t2)
feMul(&t1, &t1, &t2)
feSquare(&t2, &t1)
for i = 1; i < 5; i++ {
feSquare(&t2, &t2)
feMul(&t1, &t2, &t1)
feSquare(&t2, &t1)
for i = 1; i < 10; i++ {
feSquare(&t2, &t2)
feMul(&t2, &t2, &t1)
feSquare(&t3, &t2)
for i = 1; i < 20; i++ {
feSquare(&t3, &t3)
feMul(&t2, &t3, &t2)
feSquare(&t2, &t2)
for i = 1; i < 10; i++ {
feSquare(&t2, &t2)
feMul(&t1, &t2, &t1)
feSquare(&t2, &t1)
for i = 1; i < 50; i++ {
feSquare(&t2, &t2)
feMul(&t2, &t2, &t1)
feSquare(&t3, &t2)
for i = 1; i < 100; i++ {
feSquare(&t3, &t3)
feMul(&t2, &t3, &t2)
feSquare(&t2, &t2)
for i = 1; i < 50; i++ {
feSquare(&t2, &t2)
feMul(&t1, &t2, &t1)
feSquare(&t1, &t1)
for i = 1; i < 5; i++ {
feSquare(&t1, &t1)
feMul(out, &t1, &t0)
func scalarMult(out, in, base *[32]byte) {
var e [32]byte
copy(e[:], in[:])
e[0] &= 248
e[31] &= 127
e[31] |= 64
var x1, x2, z2, x3, z3, tmp0, tmp1 fieldElement
feFromBytes(&x1, base)
feCopy(&x3, &x1)
swap := int32(0)
for pos := 254; pos >= 0; pos-- {
b := e[pos/8] >> uint(pos&7)
b &= 1
swap ^= int32(b)
feCSwap(&x2, &x3, swap)
feCSwap(&z2, &z3, swap)
swap = int32(b)
feSub(&tmp0, &x3, &z3)
feSub(&tmp1, &x2, &z2)
feAdd(&x2, &x2, &z2)
feAdd(&z2, &x3, &z3)
feMul(&z3, &tmp0, &x2)
feMul(&z2, &z2, &tmp1)
feSquare(&tmp0, &tmp1)
feSquare(&tmp1, &x2)
feAdd(&x3, &z3, &z2)
feSub(&z2, &z3, &z2)
feMul(&x2, &tmp1, &tmp0)
feSub(&tmp1, &tmp1, &tmp0)
feSquare(&z2, &z2)
feMul121666(&z3, &tmp1)
feSquare(&x3, &x3)
feAdd(&tmp0, &tmp0, &z3)
feMul(&z3, &x1, &z2)
feMul(&z2, &tmp1, &tmp0)
feCSwap(&x2, &x3, swap)
feCSwap(&z2, &z3, swap)
feInvert(&z2, &z2)
feMul(&x2, &x2, &z2)
feToBytes(out, &x2)
@ -3,7 +3,7 @@
// license that can be found in the LICENSE file.
// license that can be found in the LICENSE file.
// Package curve25519 provides an implementation of scalar multiplication on
// Package curve25519 provides an implementation of scalar multiplication on
// the elliptic curve known as curve25519. See
// the elliptic curve known as curve25519. See
package curve25519 // import ""
package curve25519 // import ""
// basePoint is the x coordinate of the generator of the curve.
// basePoint is the x coordinate of the generator of the curve.
@ -3,10 +3,12 @@
// license that can be found in the LICENSE file.
// license that can be found in the LICENSE file.
// This code was translated into a form compatible with 6a from the public
// This code was translated into a form compatible with 6a from the public
// domain sources in SUPERCOP:
// domain sources in SUPERCOP:
// +build amd64,!gccgo,!appengine
// +build amd64,!gccgo,!appengine
#include "const_amd64.h"
// func freeze(inout *[5]uint64)
// func freeze(inout *[5]uint64)
TEXT ·freeze(SB),7,$0-8
TEXT ·freeze(SB),7,$0-8
MOVQ inout+0(FP), DI
MOVQ inout+0(FP), DI
@ -16,7 +18,7 @@ TEXT ·freeze(SB),7,$0-8
MOVQ 24(DI),R8
MOVQ 24(DI),R8
MOVQ 32(DI),R9
MOVQ 32(DI),R9
SUBQ $18,R10
SUBQ $18,R10
MOVQ $3,R11
MOVQ $3,R11
@ -3,10 +3,12 @@
// license that can be found in the LICENSE file.
// license that can be found in the LICENSE file.
// This code was translated into a form compatible with 6a from the public
// This code was translated into a form compatible with 6a from the public
// domain sources in SUPERCOP:
// domain sources in SUPERCOP:
// +build amd64,!gccgo,!appengine
// +build amd64,!gccgo,!appengine
#include "const_amd64.h"
// func ladderstep(inout *[5][5]uint64)
// func ladderstep(inout *[5][5]uint64)
TEXT ·ladderstep(SB),0,$296-8
TEXT ·ladderstep(SB),0,$296-8
MOVQ inout+0(FP),DI
MOVQ inout+0(FP),DI
@ -118,7 +120,7 @@ TEXT ·ladderstep(SB),0,$296-8
SHLQ $13,R9:R8
SHLQ $13,R9:R8
@ -233,7 +235,7 @@ TEXT ·ladderstep(SB),0,$296-8
SHLQ $13,R9:R8
SHLQ $13,R9:R8
@ -438,7 +440,7 @@ TEXT ·ladderstep(SB),0,$296-8
SHLQ $13,R9:R8
SHLQ $13,R9:R8
@ -588,7 +590,7 @@ TEXT ·ladderstep(SB),0,$296-8
SHLQ $13,R9:R8
SHLQ $13,R9:R8
@ -728,7 +730,7 @@ TEXT ·ladderstep(SB),0,$296-8
MULQ 152(DI)
MULQ 152(DI)
SHLQ $13,R9:R8
SHLQ $13,R9:R8
@ -843,7 +845,7 @@ TEXT ·ladderstep(SB),0,$296-8
MULQ 192(DI)
MULQ 192(DI)
SHLQ $13,R9:R8
SHLQ $13,R9:R8
@ -993,7 +995,7 @@ TEXT ·ladderstep(SB),0,$296-8
SHLQ $13,R9:R8
SHLQ $13,R9:R8
@ -1143,7 +1145,7 @@ TEXT ·ladderstep(SB),0,$296-8
MULQ 112(SP)
MULQ 112(SP)
SHLQ $13,R9:R8
SHLQ $13,R9:R8
@ -1329,7 +1331,7 @@ TEXT ·ladderstep(SB),0,$296-8
MULQ 192(SP)
MULQ 192(SP)
SHLQ $13,R9:R8
SHLQ $13,R9:R8
@ -3,10 +3,12 @@
// license that can be found in the LICENSE file.
// license that can be found in the LICENSE file.
// This code was translated into a form compatible with 6a from the public
// This code was translated into a form compatible with 6a from the public
// domain sources in SUPERCOP:
// domain sources in SUPERCOP:
// +build amd64,!gccgo,!appengine
// +build amd64,!gccgo,!appengine
#include "const_amd64.h"
// func mul(dest, a, b *[5]uint64)
// func mul(dest, a, b *[5]uint64)
TEXT ·mul(SB),0,$16-24
TEXT ·mul(SB),0,$16-24
MOVQ dest+0(FP), DI
MOVQ dest+0(FP), DI
@ -121,7 +123,7 @@ TEXT ·mul(SB),0,$16-24
SHLQ $13,R9:R8
SHLQ $13,R9:R8
SHLQ $13,R11:R10
SHLQ $13,R11:R10
@ -3,10 +3,12 @@
// license that can be found in the LICENSE file.
// license that can be found in the LICENSE file.
// This code was translated into a form compatible with 6a from the public
// This code was translated into a form compatible with 6a from the public
// domain sources in SUPERCOP:
// domain sources in SUPERCOP:
// +build amd64,!gccgo,!appengine
// +build amd64,!gccgo,!appengine
#include "const_amd64.h"
// func square(out, in *[5]uint64)
// func square(out, in *[5]uint64)
TEXT ·square(SB),7,$0-16
TEXT ·square(SB),7,$0-16
MOVQ out+0(FP), DI
MOVQ out+0(FP), DI
@ -84,7 +86,7 @@ TEXT ·square(SB),7,$0-16
SHLQ $13,R8:CX
SHLQ $13,R8:CX
SHLQ $13,R10:R9
SHLQ $13,R10:R9
@ -3,20 +3,20 @@
// license that can be found in the LICENSE file.
// license that can be found in the LICENSE file.
// Package ed25519 implements the Ed25519 signature algorithm. See
// Package ed25519 implements the Ed25519 signature algorithm. See
// These functions are also compatible with the “Ed25519” function defined in
// These functions are also compatible with the “Ed25519” function defined in
// RFC 8032.
package ed25519
package ed25519
// This code is a port of the public domain, “ref10” implementation of ed25519
// This code is a port of the public domain, “ref10” implementation of ed25519
// from SUPERCOP.
// from SUPERCOP.
import (
import (
cryptorand "crypto/rand"
cryptorand "crypto/rand"
@ -177,5 +177,5 @@ func Verify(publicKey PublicKey, message, sig []byte) bool {
var checkR [32]byte
var checkR [32]byte
return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1
return bytes.Equal(sig[:32], checkR[:])
@ -51,13 +51,12 @@ func (b *buffer) write(buf []byte) {
// eof closes the buffer. Reads from the buffer once all
// eof closes the buffer. Reads from the buffer once all
// the data has been consumed will receive os.EOF.
// the data has been consumed will receive io.EOF.
func (b *buffer) eof() error {
func (b *buffer) eof() {
b.closed = true
b.closed = true
return nil
// Read reads data from the internal buffer in buf. Reads will block
// Read reads data from the internal buffer in buf. Reads will block
@ -251,10 +251,18 @@ type CertChecker struct {
// for user certificates.
// for user certificates.
SupportedCriticalOptions []string
SupportedCriticalOptions []string
// IsAuthority should return true if the key is recognized as
// IsUserAuthority should return true if the key is recognized as an
// an authority. This allows for certificates to be signed by other
// authority for the given user certificate. This allows for
// certificates.
// certificates to be signed by other certificates. This must be set
IsAuthority func(auth PublicKey) bool
// if this CertChecker will be checking user certificates.
IsUserAuthority func(auth PublicKey) bool
// IsHostAuthority should report whether the key is recognized as
// an authority for this host. This allows for certificates to be
// signed by other keys, and for those other keys to only be valid
// signers for particular hostnames. This must be set if this
// CertChecker will be checking host certificates.
IsHostAuthority func(auth PublicKey, address string) bool
// Clock is used for verifying time stamps. If nil, time.Now
// Clock is used for verifying time stamps. If nil, time.Now
// is used.
// is used.
@ -268,7 +276,7 @@ type CertChecker struct {
// HostKeyFallback is called when CertChecker.CheckHostKey encounters a
// HostKeyFallback is called when CertChecker.CheckHostKey encounters a
// public key that is not a certificate. It must implement host key
// public key that is not a certificate. It must implement host key
// validation or else, if nil, all such keys are rejected.
// validation or else, if nil, all such keys are rejected.
HostKeyFallback func(addr string, remote net.Addr, key PublicKey) error
HostKeyFallback HostKeyCallback
// IsRevoked is called for each certificate so that revocation checking
// IsRevoked is called for each certificate so that revocation checking
// can be implemented. It should return true if the given certificate
// can be implemented. It should return true if the given certificate
@ -290,8 +298,17 @@ func (c *CertChecker) CheckHostKey(addr string, remote net.Addr, key PublicKey)
if cert.CertType != HostCert {
if cert.CertType != HostCert {
return fmt.Errorf("ssh: certificate presented as a host key has type %d", cert.CertType)
return fmt.Errorf("ssh: certificate presented as a host key has type %d", cert.CertType)
if !c.IsHostAuthority(cert.SignatureKey, addr) {
return fmt.Errorf("ssh: no authorities for hostname: %v", addr)
return c.CheckCert(addr, cert)
hostname, _, err := net.SplitHostPort(addr)
if err != nil {
return err
// Pass hostname only as principal for host certificates (consistent with OpenSSH)
return c.CheckCert(hostname, cert)
// Authenticate checks a user certificate. Authenticate can be used as
// Authenticate checks a user certificate. Authenticate can be used as
@ -308,6 +325,9 @@ func (c *CertChecker) Authenticate(conn ConnMetadata, pubKey PublicKey) (*Permis
if cert.CertType != UserCert {
if cert.CertType != UserCert {
return nil, fmt.Errorf("ssh: cert has type %d", cert.CertType)
return nil, fmt.Errorf("ssh: cert has type %d", cert.CertType)
if !c.IsUserAuthority(cert.SignatureKey) {
return nil, fmt.Errorf("ssh: certificate signed by unrecognized authority")
if err := c.CheckCert(conn.User(), cert); err != nil {
if err := c.CheckCert(conn.User(), cert); err != nil {
return nil, err
return nil, err
@ -356,10 +376,6 @@ func (c *CertChecker) CheckCert(principal string, cert *Certificate) error {
if !c.IsAuthority(cert.SignatureKey) {
return fmt.Errorf("ssh: certificate signed by unrecognized authority")
clock := c.Clock
clock := c.Clock
if clock == nil {
if clock == nil {
clock = time.Now
clock = time.Now
@ -461,8 +461,8 @@ func (m *mux) newChannel(chanType string, direction channelDirection, extraData
pending: newBuffer(),
pending: newBuffer(),
extPending: newBuffer(),
extPending: newBuffer(),
direction: direction,
direction: direction,
incomingRequests: make(chan *Request, 16),
incomingRequests: make(chan *Request, chanSize),
msg: make(chan interface{}, 16),
msg: make(chan interface{}, chanSize),
chanType: chanType,
chanType: chanType,
extraData: extraData,
extraData: extraData,
mux: m,
mux: m,
@ -135,6 +135,7 @@ const prefixLen = 5
type streamPacketCipher struct {
type streamPacketCipher struct {
mac hash.Hash
mac hash.Hash
cipher cipher.Stream
cipher cipher.Stream
etm bool
// The following members are to avoid per-packet allocations.
// The following members are to avoid per-packet allocations.
prefix [prefixLen]byte
prefix [prefixLen]byte
@ -150,7 +151,14 @@ func (s *streamPacketCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, err
return nil, err
return nil, err
var encryptedPaddingLength [1]byte
if s.mac != nil && s.etm {
copy(encryptedPaddingLength[:], s.prefix[4:5])
s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
} else {
s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
length := binary.BigEndian.Uint32(s.prefix[0:4])
length := binary.BigEndian.Uint32(s.prefix[0:4])
paddingLength := uint32(s.prefix[4])
paddingLength := uint32(s.prefix[4])
@ -159,7 +167,12 @@ func (s *streamPacketCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, err
binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
if s.etm {
} else {
macSize = uint32(s.mac.Size())
macSize = uint32(s.mac.Size())
@ -184,10 +197,17 @@ func (s *streamPacketCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, err
mac := s.packetData[length-1:]
mac := s.packetData[length-1:]
data := s.packetData[:length-1]
data := s.packetData[:length-1]
if s.mac != nil && s.etm {
s.cipher.XORKeyStream(data, data)
s.cipher.XORKeyStream(data, data)
if s.mac != nil {
if s.mac != nil {
if !s.etm {
s.macResult = s.mac.Sum(s.macResult[:0])
s.macResult = s.mac.Sum(s.macResult[:0])
if subtle.ConstantTimeCompare(s.macResult, mac) != 1 {
if subtle.ConstantTimeCompare(s.macResult, mac) != 1 {
return nil, errors.New("ssh: MAC failure")
return nil, errors.New("ssh: MAC failure")
@ -203,7 +223,13 @@ func (s *streamPacketCipher) writePacket(seqNum uint32, w io.Writer, rand io.Rea
return errors.New("ssh: packet too large")
return errors.New("ssh: packet too large")
paddingLength := packetSizeMultiple - (prefixLen+len(packet))%packetSizeMultiple
aadlen := 0
if s.mac != nil && s.etm {
// packet length is not encrypted for EtM modes
aadlen = 4
paddingLength := packetSizeMultiple - (prefixLen+len(packet)-aadlen)%packetSizeMultiple
if paddingLength < 4 {
if paddingLength < 4 {
paddingLength += packetSizeMultiple
paddingLength += packetSizeMultiple
@ -220,15 +246,37 @@ func (s *streamPacketCipher) writePacket(seqNum uint32, w io.Writer, rand io.Rea
binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
if s.etm {
// For EtM algorithms, the packet length must stay unencrypted,
// but the following data (padding length) must be encrypted
s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
if !s.etm {
// For non-EtM algorithms, the algorithm is applied on unencrypted data
if !(s.mac != nil && s.etm) {
// For EtM algorithms, the padding length has already been encrypted
// and the packet length must remain unencrypted
s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
s.cipher.XORKeyStream(packet, packet)
s.cipher.XORKeyStream(packet, packet)
s.cipher.XORKeyStream(padding, padding)
s.cipher.XORKeyStream(padding, padding)
if s.mac != nil && s.etm {
// For EtM algorithms, packet and padding must be encrypted
if _, err := w.Write(s.prefix[:]); err != nil {
if _, err := w.Write(s.prefix[:]); err != nil {
return err
return err
@ -256,7 +304,7 @@ type gcmCipher struct {
buf []byte
buf []byte
func newGCMCipher(iv, key, macKey []byte) (packetCipher, error) {
func newGCMCipher(iv, key []byte) (packetCipher, error) {
c, err := aes.NewCipher(key)
c, err := aes.NewCipher(key)
if err != nil {
if err != nil {
return nil, err
return nil, err
@ -344,7 +392,9 @@ func (c *gcmCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, error) {
padding := plain[0]
padding := plain[0]
if padding < 4 || padding >= 20 {
if padding < 4 {
// padding is a byte, so it automatically satisfies
// the maximum size, which is 255.
return nil, fmt.Errorf("ssh: illegal padding %d", padding)
return nil, fmt.Errorf("ssh: illegal padding %d", padding)
@ -5,15 +5,17 @@
package ssh
package ssh
import (
import (
// Client implements a traditional SSH client that supports shells,
// Client implements a traditional SSH client that supports shells,
// subprocesses, port forwarding and tunneled dialing.
// subprocesses, TCP port/streamlocal forwarding and tunneled dialing.
type Client struct {
type Client struct {
@ -40,7 +42,7 @@ func (c *Client) HandleChannelOpen(channelType string) <-chan NewChannel {
return nil
return nil
ch = make(chan NewChannel, 16)
ch = make(chan NewChannel, chanSize)
c.channelHandlers[channelType] = ch
c.channelHandlers[channelType] = ch
return ch
return ch
@ -59,6 +61,7 @@ func NewClient(c Conn, chans <-chan NewChannel, reqs <-chan *Request) *Client {
go conn.forwards.handleChannels(conn.HandleChannelOpen("forwarded-tcpip"))
go conn.forwards.handleChannels(conn.HandleChannelOpen("forwarded-tcpip"))
go conn.forwards.handleChannels(conn.HandleChannelOpen(""))
return conn
return conn
@ -68,6 +71,11 @@ func NewClient(c Conn, chans <-chan NewChannel, reqs <-chan *Request) *Client {
func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan NewChannel, <-chan *Request, error) {
func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan NewChannel, <-chan *Request, error) {
fullConf := *config
fullConf := *config
if fullConf.HostKeyCallback == nil {
return nil, nil, nil, errors.New("ssh: must specify HostKeyCallback")
conn := &connection{
conn := &connection{
sshConn: sshConn{conn: c},
sshConn: sshConn{conn: c},
@ -97,13 +105,11 @@ func (c *connection) clientHandshake(dialAddress string, config *ClientConfig) e
c.transport = newClientTransport(
c.transport = newClientTransport(
newTransport(c.sshConn.conn, config.Rand, true /* is client */),
newTransport(c.sshConn.conn, config.Rand, true /* is client */),
c.clientVersion, c.serverVersion, config, dialAddress, c.sshConn.RemoteAddr())
c.clientVersion, c.serverVersion, config, dialAddress, c.sshConn.RemoteAddr())
if err := c.transport.requestInitialKeyChange(); err != nil {
if err := c.transport.waitSession(); err != nil {
return err
return err
// We just did the key change, so the session ID is established.
c.sessionID = c.transport.getSessionID()
c.sessionID = c.transport.getSessionID()
return c.clientAuthenticate(config)
return c.clientAuthenticate(config)
@ -175,6 +181,17 @@ func Dial(network, addr string, config *ClientConfig) (*Client, error) {
return NewClient(c, chans, reqs), nil
return NewClient(c, chans, reqs), nil
// HostKeyCallback is the function type used for verifying server
// keys. A HostKeyCallback must return nil if the host key is OK, or
// an error to reject it. It receives the hostname as passed to Dial
// or NewClientConn. The remote address is the RemoteAddr of the
// net.Conn underlying the the SSH connection.
type HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
// BannerCallback is the function type used for treat the banner sent by
// the server. A BannerCallback receives the message sent by the remote server.
type BannerCallback func(message string) error
// A ClientConfig structure is used to configure a Client. It must not be
// A ClientConfig structure is used to configure a Client. It must not be
// modified after having been passed to an SSH function.
// modified after having been passed to an SSH function.
type ClientConfig struct {
type ClientConfig struct {
@ -190,10 +207,18 @@ type ClientConfig struct {
// be used during authentication.
// be used during authentication.
Auth []AuthMethod
Auth []AuthMethod
// HostKeyCallback, if not nil, is called during the cryptographic
// HostKeyCallback is called during the cryptographic
// handshake to validate the server's host key. A nil HostKeyCallback
// handshake to validate the server's host key. The client
// implies that all host keys are accepted.
// configuration must supply this callback for the connection
HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
// to succeed. The functions InsecureIgnoreHostKey or
// FixedHostKey can be used for simplistic host key checks.
HostKeyCallback HostKeyCallback
// BannerCallback is called during the SSH dance to display a custom
// server's message. The client configuration can supply this callback to
// handle it as wished. The function BannerDisplayStderr can be used for
// simplistic display on Stderr.
BannerCallback BannerCallback
// ClientVersion contains the version identification string that will
// ClientVersion contains the version identification string that will
// be used for the connection. If empty, a reasonable default is used.
// be used for the connection. If empty, a reasonable default is used.
@ -211,3 +236,43 @@ type ClientConfig struct {
// A Timeout of zero means no timeout.
// A Timeout of zero means no timeout.
Timeout time.Duration
Timeout time.Duration
// InsecureIgnoreHostKey returns a function that can be used for
// ClientConfig.HostKeyCallback to accept any host key. It should
// not be used for production code.
func InsecureIgnoreHostKey() HostKeyCallback {
return func(hostname string, remote net.Addr, key PublicKey) error {
return nil
type fixedHostKey struct {
key PublicKey
func (f *fixedHostKey) check(hostname string, remote net.Addr, key PublicKey) error {
if f.key == nil {
return fmt.Errorf("ssh: required host key was nil")
if !bytes.Equal(key.Marshal(), f.key.Marshal()) {
return fmt.Errorf("ssh: host key mismatch")
return nil
// FixedHostKey returns a function for use in
// ClientConfig.HostKeyCallback to accept only a specific host key.
func FixedHostKey(key PublicKey) HostKeyCallback {
hk := &fixedHostKey{key}
return hk.check
// BannerDisplayStderr returns a function that can be used for
// ClientConfig.BannerCallback to display banners on os.Stderr.
func BannerDisplayStderr() BannerCallback {
return func(banner string) error {
_, err := os.Stderr.WriteString(banner)
return err
@ -30,8 +30,10 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
// then any untried methods suggested by the server.
// then any untried methods suggested by the server.
tried := make(map[string]bool)
tried := make(map[string]bool)
var lastMethods []string
var lastMethods []string
sessionID := c.transport.getSessionID()
for auth := AuthMethod(new(noneAuth)); auth != nil; {
for auth := AuthMethod(new(noneAuth)); auth != nil; {
ok, methods, err := auth.auth(c.transport.getSessionID(), config.User, c.transport, config.Rand)
ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand)
if err != nil {
if err != nil {
return err
return err
@ -177,31 +179,26 @@ func (cb publicKeyCallback) method() string {
func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (bool, []string, error) {
func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (bool, []string, error) {
// Authentication is performed in two stages. The first stage sends an
// Authentication is performed by sending an enquiry to test if a key is
// enquiry to test if each key is acceptable to the remote. The second
// acceptable to the remote. If the key is acceptable, the client will
// stage attempts to authenticate with the valid keys obtained in the
// attempt to authenticate with the valid key. If not the client will repeat
// first stage.
// the process with the remaining keys.
signers, err := cb()
signers, err := cb()
if err != nil {
if err != nil {
return false, nil, err
return false, nil, err
var validKeys []Signer
var methods []string
for _, signer := range signers {
for _, signer := range signers {
if ok, err := validateKey(signer.PublicKey(), user, c); ok {
ok, err := validateKey(signer.PublicKey(), user, c)
validKeys = append(validKeys, signer)
} else {
if err != nil {
if err != nil {
return false, nil, err
return false, nil, err
if !ok {
// methods that may continue if this auth is not successful.
var methods []string
for _, signer := range validKeys {
pub := signer.PublicKey()
pub := signer.PublicKey()
pubKey := pub.Marshal()
pubKey := pub.Marshal()
sign, err := signer.Sign(rand, buildDataSignedForAuth(session, userAuthRequestMsg{
sign, err := signer.Sign(rand, buildDataSignedForAuth(session, userAuthRequestMsg{
User: user,
User: user,
@ -234,13 +231,29 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
if err != nil {
if err != nil {
return false, nil, err
return false, nil, err
if success {
// If authentication succeeds or the list of available methods does not
// contain the "publickey" method, do not attempt to authenticate with any
// other keys. According to RFC 4252 Section 7, the latter can occur when
// additional authentication methods are required.
if success || !containsMethod(methods, cb.method()) {
return success, methods, err
return success, methods, err
return false, methods, nil
return false, methods, nil
func containsMethod(methods []string, method string) bool {
for _, m := range methods {
if m == method {
return true
return false
// validateKey validates the key provided is acceptable to the server.
// validateKey validates the key provided is acceptable to the server.
func validateKey(key PublicKey, user string, c packetConn) (bool, error) {
func validateKey(key PublicKey, user string, c packetConn) (bool, error) {
pubKey := key.Marshal()
pubKey := key.Marshal()
@ -270,7 +283,9 @@ func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
switch packet[0] {
switch packet[0] {
case msgUserAuthBanner:
case msgUserAuthBanner:
// TODO(gpaul): add callback to present the banner to the user
if err := handleBannerResponse(c, packet); err != nil {
return false, err
case msgUserAuthPubKeyOk:
case msgUserAuthPubKeyOk:
var msg userAuthPubKeyOkMsg
var msg userAuthPubKeyOkMsg
if err := Unmarshal(packet, &msg); err != nil {
if err := Unmarshal(packet, &msg); err != nil {
@ -312,7 +327,9 @@ func handleAuthResponse(c packetConn) (bool, []string, error) {
switch packet[0] {
switch packet[0] {
case msgUserAuthBanner:
case msgUserAuthBanner:
// TODO: add callback to present the banner to the user
if err := handleBannerResponse(c, packet); err != nil {
return false, nil, err
case msgUserAuthFailure:
case msgUserAuthFailure:
var msg userAuthFailureMsg
var msg userAuthFailureMsg
if err := Unmarshal(packet, &msg); err != nil {
if err := Unmarshal(packet, &msg); err != nil {
@ -327,6 +344,24 @@ func handleAuthResponse(c packetConn) (bool, []string, error) {
func handleBannerResponse(c packetConn, packet []byte) error {
var msg userAuthBannerMsg
if err := Unmarshal(packet, &msg); err != nil {
return err
transport, ok := c.(*handshakeTransport)
if !ok {
return nil
if transport.bannerCallback != nil {
return transport.bannerCallback(msg.Message)
return nil
// KeyboardInteractiveChallenge should print questions, optionally
// KeyboardInteractiveChallenge should print questions, optionally
// disabling echoing (e.g. for passwords), and return all the answers.
// disabling echoing (e.g. for passwords), and return all the answers.
// Challenge may be called multiple times in a single session. After
// Challenge may be called multiple times in a single session. After
@ -336,7 +371,7 @@ func handleAuthResponse(c packetConn) (bool, []string, error) {
// both CLI and GUI environments.
// both CLI and GUI environments.
type KeyboardInteractiveChallenge func(user, instruction string, questions []string, echos []bool) (answers []string, err error)
type KeyboardInteractiveChallenge func(user, instruction string, questions []string, echos []bool) (answers []string, err error)
// KeyboardInteractive returns a AuthMethod using a prompt/response
// KeyboardInteractive returns an AuthMethod using a prompt/response
// sequence controlled by the server.
// sequence controlled by the server.
func KeyboardInteractive(challenge KeyboardInteractiveChallenge) AuthMethod {
func KeyboardInteractive(challenge KeyboardInteractiveChallenge) AuthMethod {
return challenge
return challenge
@ -372,7 +407,9 @@ func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packe
// like handleAuthResponse, but with less options.
// like handleAuthResponse, but with less options.
switch packet[0] {
switch packet[0] {
case msgUserAuthBanner:
case msgUserAuthBanner:
// TODO: Print banners during userauth.
if err := handleBannerResponse(c, packet); err != nil {
return false, nil, err
case msgUserAuthInfoRequest:
case msgUserAuthInfoRequest:
// OK
// OK
@ -9,6 +9,7 @@ import (
_ "crypto/sha1"
_ "crypto/sha1"
@ -40,7 +41,7 @@ var supportedKexAlgos = []string{
kexAlgoDH14SHA1, kexAlgoDH1SHA1,
kexAlgoDH14SHA1, kexAlgoDH1SHA1,
// supportedKexAlgos specifies the supported host-key algorithms (i.e. methods
// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
// of authenticating servers) in preference order.
// of authenticating servers) in preference order.
var supportedHostKeyAlgos = []string{
var supportedHostKeyAlgos = []string{
CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
@ -56,7 +57,7 @@ var supportedHostKeyAlgos = []string{
// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
// because they have reached the end of their useful life.
// because they have reached the end of their useful life.
var supportedMACs = []string{
var supportedMACs = []string{
"hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
"", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
var supportedCompressions = []string{compressionNone}
var supportedCompressions = []string{compressionNone}
@ -104,6 +105,21 @@ type directionAlgorithms struct {
Compression string
Compression string
// rekeyBytes returns a rekeying intervals in bytes.
func (a *directionAlgorithms) rekeyBytes() int64 {
// According to RFC4344 block ciphers should rekey after
// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
// 128.
switch a.Cipher {
case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
return 16 * (1 << 32)
// For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
return 1 << 30
type algorithms struct {
type algorithms struct {
kex string
kex string
hostKey string
hostKey string
@ -171,7 +187,7 @@ type Config struct {
// The maximum number of bytes sent or received after which a
// The maximum number of bytes sent or received after which a
// new key is negotiated. It must be at least 256. If
// new key is negotiated. It must be at least 256. If
// unspecified, 1 gigabyte is used.
// unspecified, a size suitable for the chosen cipher is used.
RekeyThreshold uint64
RekeyThreshold uint64
// The allowed key exchanges algorithms. If unspecified then a
// The allowed key exchanges algorithms. If unspecified then a
@ -215,11 +231,12 @@ func (c *Config) SetDefaults() {
if c.RekeyThreshold == 0 {
if c.RekeyThreshold == 0 {
// RFC 4253, section 9 suggests rekeying after 1G.
// cipher specific default
c.RekeyThreshold = 1 << 30
} else if c.RekeyThreshold < minRekeyThreshold {
if c.RekeyThreshold < minRekeyThreshold {
c.RekeyThreshold = minRekeyThreshold
c.RekeyThreshold = minRekeyThreshold
} else if c.RekeyThreshold >= math.MaxInt64 {
// Avoid weirdness if somebody uses -1 as a threshold.
c.RekeyThreshold = math.MaxInt64
@ -25,7 +25,7 @@ type ConnMetadata interface {
// User returns the user ID for this connection.
// User returns the user ID for this connection.
User() string
User() string
// SessionID returns the sesson hash, also denoted by H.
// SessionID returns the session hash, also denoted by H.
SessionID() []byte
SessionID() []byte
// ClientVersion returns the client's version string as hashed
// ClientVersion returns the client's version string as hashed
@ -14,5 +14,8 @@ others.
This package does not fall under the stability promise of the Go language itself,
so its API may be changed when pressing needs arise.
package ssh // import ""
package ssh // import ""
@ -19,6 +19,11 @@ import (
// messages are wrong when using ECDH.
// messages are wrong when using ECDH.
const debugHandshake = false
const debugHandshake = false
// chanSize sets the amount of buffering SSH connections. This is
// primarily for testing: setting chanSize=0 uncovers deadlocks more
// quickly.
const chanSize = 16
// keyingTransport is a packet based transport that supports key
// keyingTransport is a packet based transport that supports key
// changes. It need not be thread-safe. It should pass through
// changes. It need not be thread-safe. It should pass through
// msgNewKeys in both directions.
// msgNewKeys in both directions.
@ -53,34 +58,65 @@ type handshakeTransport struct {
incoming chan []byte
incoming chan []byte
readError error
readError error
mu sync.Mutex
writeError error
sentInitPacket []byte
sentInitMsg *kexInitMsg
pendingPackets [][]byte // Used when a key exchange is in progress.
// If the read loop wants to schedule a kex, it pings this
// channel, and the write loop will send out a kex
// message.
requestKex chan struct{}
// If the other side requests or confirms a kex, its kexInit
// packet is sent here for the write loop to find it.
startKex chan *pendingKex
// data for host key checking
// data for host key checking
hostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
hostKeyCallback HostKeyCallback
dialAddress string
dialAddress string
remoteAddr net.Addr
remoteAddr net.Addr
readSinceKex uint64
// bannerCallback is non-empty if we are the client and it has been set in
// ClientConfig. In that case it is called during the user authentication
// dance to handle a custom server's message.
bannerCallback BannerCallback
// Protects the writing side of the connection
// Algorithms agreed in the last key exchange.
mu sync.Mutex
algorithms *algorithms
cond *sync.Cond
sentInitPacket []byte
readPacketsLeft uint32
sentInitMsg *kexInitMsg
readBytesLeft int64
writtenSinceKex uint64
writeError error
writePacketsLeft uint32
writeBytesLeft int64
// The session ID or nil if first kex did not complete yet.
// The session ID or nil if first kex did not complete yet.
sessionID []byte
sessionID []byte
type pendingKex struct {
otherInit []byte
done chan error
func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, serverVersion []byte) *handshakeTransport {
func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, serverVersion []byte) *handshakeTransport {
t := &handshakeTransport{
t := &handshakeTransport{
conn: conn,
conn: conn,
serverVersion: serverVersion,
serverVersion: serverVersion,
clientVersion: clientVersion,
clientVersion: clientVersion,
incoming: make(chan []byte, 16),
incoming: make(chan []byte, chanSize),
requestKex: make(chan struct{}, 1),
startKex: make(chan *pendingKex, 1),
config: config,
config: config,
t.cond = sync.NewCond(&
// We always start with a mandatory key exchange.
t.requestKex <- struct{}{}
return t
return t
@ -89,12 +125,14 @@ func newClientTransport(conn keyingTransport, clientVersion, serverVersion []byt
t.dialAddress = dialAddr
t.dialAddress = dialAddr
t.remoteAddr = addr
t.remoteAddr = addr
t.hostKeyCallback = config.HostKeyCallback
t.hostKeyCallback = config.HostKeyCallback
t.bannerCallback = config.BannerCallback
if config.HostKeyAlgorithms != nil {
if config.HostKeyAlgorithms != nil {
t.hostKeyAlgorithms = config.HostKeyAlgorithms
t.hostKeyAlgorithms = config.HostKeyAlgorithms
} else {
} else {
t.hostKeyAlgorithms = supportedHostKeyAlgos
t.hostKeyAlgorithms = supportedHostKeyAlgos
go t.readLoop()
go t.readLoop()
go t.kexLoop()
return t
return t
@ -102,6 +140,7 @@ func newServerTransport(conn keyingTransport, clientVersion, serverVersion []byt
t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
t.hostKeys = config.hostKeys
t.hostKeys = config.hostKeys
go t.readLoop()
go t.readLoop()
go t.kexLoop()
return t
return t
@ -109,6 +148,20 @@ func (t *handshakeTransport) getSessionID() []byte {
return t.sessionID
return t.sessionID
// waitSession waits for the session to be established. This should be
// the first thing to call after instantiating handshakeTransport.
func (t *handshakeTransport) waitSession() error {
p, err := t.readPacket()
if err != nil {
return err
if p[0] != msgNewKeys {
return fmt.Errorf("ssh: first packet should be msgNewKeys")
return nil
func (t *handshakeTransport) id() string {
func (t *handshakeTransport) id() string {
if len(t.hostKeys) > 0 {
if len(t.hostKeys) > 0 {
return "server"
return "server"
@ -116,6 +169,20 @@ func (t *handshakeTransport) id() string {
return "client"
return "client"
func (t *handshakeTransport) printPacket(p []byte, write bool) {
action := "got"
if write {
action = "sent"
if p[0] == msgChannelData || p[0] == msgChannelExtendedData {
log.Printf("%s %s data (packet %d bytes)",, action, len(p))
} else {
msg, err := decode(p)
log.Printf("%s %s %T %v (%v)",, action, msg, msg, err)
func (t *handshakeTransport) readPacket() ([]byte, error) {
func (t *handshakeTransport) readPacket() ([]byte, error) {
p, ok := <-t.incoming
p, ok := <-t.incoming
if !ok {
if !ok {
@ -125,8 +192,10 @@ func (t *handshakeTransport) readPacket() ([]byte, error) {
func (t *handshakeTransport) readLoop() {
func (t *handshakeTransport) readLoop() {
first := true
for {
for {
p, err := t.readOnePacket()
p, err := t.readOnePacket(first)
first = false
if err != nil {
if err != nil {
t.readError = err
t.readError = err
@ -138,67 +207,217 @@ func (t *handshakeTransport) readLoop() {
t.incoming <- p
t.incoming <- p
// If we can't read, declare the writing part dead too.
// Stop writers too.
// Unblock the writer should it wait for this.
// Don't close t.requestKex; it's also written to from writePacket.
func (t *handshakeTransport) pushPacket(p []byte) error {
if debugHandshake {
t.printPacket(p, true)
return t.conn.writePacket(p)
func (t *handshakeTransport) getWriteError() error {
if t.writeError == nil {
return t.writeError
t.writeError = t.readError
func (t *handshakeTransport) readOnePacket() ([]byte, error) {
func (t *handshakeTransport) recordWriteError(err error) {
if t.readSinceKex > t.config.RekeyThreshold {
if err := t.requestKeyChange(); err != nil {
return nil, err
if t.writeError == nil && err != nil {
t.writeError = err
func (t *handshakeTransport) requestKeyExchange() {
select {
case t.requestKex <- struct{}{}:
// something already requested a kex, so do nothing.
func (t *handshakeTransport) resetWriteThresholds() {
t.writePacketsLeft = packetRekeyThreshold
if t.config.RekeyThreshold > 0 {
t.writeBytesLeft = int64(t.config.RekeyThreshold)
} else if t.algorithms != nil {
t.writeBytesLeft = t.algorithms.w.rekeyBytes()
} else {
t.writeBytesLeft = 1 << 30
func (t *handshakeTransport) kexLoop() {
for t.getWriteError() == nil {
var request *pendingKex
var sent bool
for request == nil || !sent {
var ok bool
select {
case request, ok = <-t.startKex:
if !ok {
break write
case <-t.requestKex:
if !sent {
if err := t.sendKexInit(); err != nil {
sent = true
if err := t.getWriteError(); err != nil {
if request != nil {
request.done <- err
// We're not servicing t.requestKex, but that is OK:
// we never block on sending to t.requestKex.
// We're not servicing t.startKex, but the remote end
// has just sent us a kexInitMsg, so it can't send
// another key change request, until we close the done
// channel on the pendingKex request.
err := t.enterKeyExchange(request.otherInit)
t.writeError = err
t.sentInitPacket = nil
t.sentInitMsg = nil
// we have completed the key exchange. Since the
// reader is still blocked, it is safe to clear out
// the requestKex channel. This avoids the situation
// where: 1) we consumed our own request for the
// initial kex, and 2) the kex from the remote side
// caused another send on the requestKex channel,
for {
select {
case <-t.requestKex:
break clear
request.done <- t.writeError
// kex finished. Push packets that we received while
// the kex was in progress. Don't look at t.startKex
// and don't increment writtenSinceKex: if we trigger
// another kex while we are still busy with the last
// one, things will become very confusing.
for _, p := range t.pendingPackets {
t.writeError = t.pushPacket(p)
if t.writeError != nil {
t.pendingPackets = t.pendingPackets[:0]
// drain startKex channel. We don't service t.requestKex
// because nobody does blocking sends there.
go func() {
for init := range t.startKex {
init.done <- t.writeError
// Unblock reader.
// The protocol uses uint32 for packet counters, so we can't let them
// reach 1<<32. We will actually read and write more packets than
// this, though: the other side may send more packets, and after we
// hit this limit on writing we will send a few more packets for the
// key exchange itself.
const packetRekeyThreshold = (1 << 31)
func (t *handshakeTransport) resetReadThresholds() {
t.readPacketsLeft = packetRekeyThreshold
if t.config.RekeyThreshold > 0 {
t.readBytesLeft = int64(t.config.RekeyThreshold)
} else if t.algorithms != nil {
t.readBytesLeft = t.algorithms.r.rekeyBytes()
} else {
t.readBytesLeft = 1 << 30
func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) {
p, err := t.conn.readPacket()
p, err := t.conn.readPacket()
if err != nil {
if err != nil {
return nil, err
return nil, err
t.readSinceKex += uint64(len(p))
if t.readPacketsLeft > 0 {
if debugHandshake {
if p[0] == msgChannelData || p[0] == msgChannelExtendedData {
log.Printf("%s got data (packet %d bytes)",, len(p))
} else {
} else {
msg, err := decode(p)
log.Printf("%s got %T %v (%v)",, msg, msg, err)
if t.readBytesLeft > 0 {
t.readBytesLeft -= int64(len(p))
} else {
if debugHandshake {
t.printPacket(p, false)
if first && p[0] != msgKexInit {
return nil, fmt.Errorf("ssh: first packet should be msgKexInit")
if p[0] != msgKexInit {
if p[0] != msgKexInit {
return p, nil
return p, nil
firstKex := t.sessionID == nil
firstKex := t.sessionID == nil
err = t.enterKeyExchangeLocked(p)
kex := pendingKex{
if err != nil {
done: make(chan error, 1),
// drop connection
otherInit: p,
t.writeError = err
t.startKex <- &kex
err = <-kex.done
if debugHandshake {
if debugHandshake {
log.Printf("%s exited key exchange (first %v), err %v",, firstKex, err)
log.Printf("%s exited key exchange (first %v), err %v",, firstKex, err)
// Unblock writers.
t.sentInitMsg = nil
t.sentInitPacket = nil
t.writtenSinceKex = 0
if err != nil {
if err != nil {
return nil, err
return nil, err
t.readSinceKex = 0
// By default, a key exchange is hidden from higher layers by
// By default, a key exchange is hidden from higher layers by
// translating it into msgIgnore.
// translating it into msgIgnore.
@ -213,61 +432,16 @@ func (t *handshakeTransport) readOnePacket() ([]byte, error) {
return successPacket, nil
return successPacket, nil
// keyChangeCategory describes whether a key exchange is the first on a
// sendKexInit sends a key change message.
// connection, or a subsequent one.
func (t *handshakeTransport) sendKexInit() error {
type keyChangeCategory bool
const (
firstKeyExchange keyChangeCategory = true
subsequentKeyExchange keyChangeCategory = false
// sendKexInit sends a key change message, and returns the message
// that was sent. After initiating the key change, all writes will be
// blocked until the change is done, and a failed key change will
// close the underlying transport. This function is safe for
// concurrent use by multiple goroutines.
func (t *handshakeTransport) sendKexInit(isFirst keyChangeCategory) error {
var err error
// If this is the initial key change, but we already have a sessionID,
// then do nothing because the key exchange has already completed
if t.sentInitMsg != nil {
// asynchronously.
if !isFirst || t.sessionID == nil {
_, _, err = t.sendKexInitLocked(isFirst)
if err != nil {
return err
if isFirst {
if packet, err := t.readPacket(); err != nil {
return err
} else if packet[0] != msgNewKeys {
return unexpectedMessageError(msgNewKeys, packet[0])
return nil
func (t *handshakeTransport) requestInitialKeyChange() error {
return t.sendKexInit(firstKeyExchange)
func (t *handshakeTransport) requestKeyChange() error {
return t.sendKexInit(subsequentKeyExchange)
// sendKexInitLocked sends a key change message. must be locked
// while this happens.
func (t *handshakeTransport) sendKexInitLocked(isFirst keyChangeCategory) (*kexInitMsg, []byte, error) {
// kexInits may be sent either in response to the other side,
// kexInits may be sent either in response to the other side,
// or because our side wants to initiate a key change, so we
// or because our side wants to initiate a key change, so we
// may have already sent a kexInit. In that case, don't send a
// may have already sent a kexInit. In that case, don't send a
// second kexInit.
// second kexInit.
if t.sentInitMsg != nil {
return nil
return t.sentInitMsg, t.sentInitPacket, nil
msg := &kexInitMsg{
msg := &kexInitMsg{
@ -295,53 +469,65 @@ func (t *handshakeTransport) sendKexInitLocked(isFirst keyChangeCategory) (*kexI
packetCopy := make([]byte, len(packet))
packetCopy := make([]byte, len(packet))
copy(packetCopy, packet)
copy(packetCopy, packet)
if err := t.conn.writePacket(packetCopy); err != nil {
if err := t.pushPacket(packetCopy); err != nil {
return nil, nil, err
return err
t.sentInitMsg = msg
t.sentInitMsg = msg
t.sentInitPacket = packet
t.sentInitPacket = packet
return msg, packet, nil
return nil
func (t *handshakeTransport) writePacket(p []byte) error {
func (t *handshakeTransport) writePacket(p []byte) error {
if t.writtenSinceKex > t.config.RekeyThreshold {
for t.sentInitMsg != nil && t.writeError == nil {
if t.writeError != nil {
return t.writeError
t.writtenSinceKex += uint64(len(p))
switch p[0] {
switch p[0] {
case msgKexInit:
case msgKexInit:
return errors.New("ssh: only handshakeTransport can send kexInit")
return errors.New("ssh: only handshakeTransport can send kexInit")
case msgNewKeys:
case msgNewKeys:
return errors.New("ssh: only handshakeTransport can send newKeys")
return errors.New("ssh: only handshakeTransport can send newKeys")
return t.conn.writePacket(p)
if t.writeError != nil {
return t.writeError
if t.sentInitMsg != nil {
// Copy the packet so the writer can reuse the buffer.
cp := make([]byte, len(p))
copy(cp, p)
t.pendingPackets = append(t.pendingPackets, cp)
return nil
if t.writeBytesLeft > 0 {
t.writeBytesLeft -= int64(len(p))
} else {
if t.writePacketsLeft > 0 {
} else {
if err := t.pushPacket(p); err != nil {
t.writeError = err
return nil
func (t *handshakeTransport) Close() error {
func (t *handshakeTransport) Close() error {
return t.conn.Close()
return t.conn.Close()
// enterKeyExchange runs the key exchange. must be held while running this.
func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
func (t *handshakeTransport) enterKeyExchangeLocked(otherInitPacket []byte) error {
if debugHandshake {
if debugHandshake {
log.Printf("%s entered key exchange",
log.Printf("%s entered key exchange",
myInit, myInitPacket, err := t.sendKexInitLocked(subsequentKeyExchange)
if err != nil {
return err
otherInit := &kexInitMsg{}
otherInit := &kexInitMsg{}
if err := Unmarshal(otherInitPacket, otherInit); err != nil {
if err := Unmarshal(otherInitPacket, otherInit); err != nil {
@ -352,20 +538,20 @@ func (t *handshakeTransport) enterKeyExchangeLocked(otherInitPacket []byte) erro
clientVersion: t.clientVersion,
clientVersion: t.clientVersion,
serverVersion: t.serverVersion,
serverVersion: t.serverVersion,
clientKexInit: otherInitPacket,
clientKexInit: otherInitPacket,
serverKexInit: myInitPacket,
serverKexInit: t.sentInitPacket,
clientInit := otherInit
clientInit := otherInit
serverInit := myInit
serverInit := t.sentInitMsg
if len(t.hostKeys) == 0 {
if len(t.hostKeys) == 0 {
clientInit = myInit
clientInit, serverInit = serverInit, clientInit
serverInit = otherInit
magics.clientKexInit = myInitPacket
magics.clientKexInit = t.sentInitPacket
magics.serverKexInit = otherInitPacket
magics.serverKexInit = otherInitPacket
algs, err := findAgreedAlgorithms(clientInit, serverInit)
var err error
t.algorithms, err = findAgreedAlgorithms(clientInit, serverInit)
if err != nil {
if err != nil {
return err
return err
@ -388,16 +574,16 @@ func (t *handshakeTransport) enterKeyExchangeLocked(otherInitPacket []byte) erro
kex, ok := kexAlgoMap[algs.kex]
kex, ok := kexAlgoMap[t.algorithms.kex]
if !ok {
if !ok {
return fmt.Errorf("ssh: unexpected key exchange algorithm %v", algs.kex)
return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.kex)
var result *kexResult
var result *kexResult
if len(t.hostKeys) > 0 {
if len(t.hostKeys) > 0 {
result, err = t.server(kex, algs, &magics)
result, err = t.server(kex, t.algorithms, &magics)
} else {
} else {
result, err = t.client(kex, algs, &magics)
result, err = t.client(kex, t.algorithms, &magics)
if err != nil {
if err != nil {
@ -409,7 +595,9 @@ func (t *handshakeTransport) enterKeyExchangeLocked(otherInitPacket []byte) erro
result.SessionID = t.sessionID
result.SessionID = t.sessionID
t.conn.prepareKeyChange(algs, result)
if err := t.conn.prepareKeyChange(t.algorithms, result); err != nil {
return err
if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil {
if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil {
return err
return err
@ -449,12 +637,10 @@ func (t *handshakeTransport) client(kex kexAlgorithm, algs *algorithms, magics *
return nil, err
return nil, err
if t.hostKeyCallback != nil {
err = t.hostKeyCallback(t.dialAddress, t.remoteAddr, hostKey)
err = t.hostKeyCallback(t.dialAddress, t.remoteAddr, hostKey)
if err != nil {
if err != nil {
return nil, err
return nil, err
return result, nil
return result, nil
@ -10,10 +10,13 @@ import (
@ -364,6 +367,17 @@ func (r *dsaPublicKey) Type() string {
return "ssh-dss"
return "ssh-dss"
func checkDSAParams(param *dsa.Parameters) error {
// SSH specifies FIPS 186-2, which only provided a single size
// (1024 bits) DSA key. FIPS 186-3 allows for larger key
// sizes, which would confuse SSH.
if l := param.P.BitLen(); l != 1024 {
return fmt.Errorf("ssh: unsupported DSA key size %d", l)
return nil
// parseDSA parses an DSA key according to RFC 4253, section 6.6.
// parseDSA parses an DSA key according to RFC 4253, section 6.6.
func parseDSA(in []byte) (out PublicKey, rest []byte, err error) {
func parseDSA(in []byte) (out PublicKey, rest []byte, err error) {
var w struct {
var w struct {
@ -374,12 +388,17 @@ func parseDSA(in []byte) (out PublicKey, rest []byte, err error) {
return nil, nil, err
return nil, nil, err
key := &dsaPublicKey{
param := dsa.Parameters{
Parameters: dsa.Parameters{
P: w.P,
P: w.P,
Q: w.Q,
Q: w.Q,
G: w.G,
G: w.G,
if err := checkDSAParams(¶m); err != nil {
return nil, nil, err
key := &dsaPublicKey{
Parameters: param,
Y: w.Y,
Y: w.Y,
return key, w.Rest, nil
return key, w.Rest, nil
@ -627,19 +646,28 @@ func (k *ecdsaPublicKey) CryptoPublicKey() crypto.PublicKey {
// NewSignerFromKey takes an *rsa.PrivateKey, *dsa.PrivateKey,
// NewSignerFromKey takes an *rsa.PrivateKey, *dsa.PrivateKey,
// *ecdsa.PrivateKey or any other crypto.Signer and returns a corresponding
// *ecdsa.PrivateKey or any other crypto.Signer and returns a
// Signer instance. ECDSA keys must use P-256, P-384 or P-521.
// corresponding Signer instance. ECDSA keys must use P-256, P-384 or
// P-521. DSA keys must use parameter size L1024N160.
func NewSignerFromKey(key interface{}) (Signer, error) {
func NewSignerFromKey(key interface{}) (Signer, error) {
switch key := key.(type) {
switch key := key.(type) {
case crypto.Signer:
case crypto.Signer:
return NewSignerFromSigner(key)
return NewSignerFromSigner(key)
case *dsa.PrivateKey:
case *dsa.PrivateKey:
return &dsaPrivateKey{key}, nil
return newDSAPrivateKey(key)
return nil, fmt.Errorf("ssh: unsupported key type %T", key)
return nil, fmt.Errorf("ssh: unsupported key type %T", key)
func newDSAPrivateKey(key *dsa.PrivateKey) (Signer, error) {
if err := checkDSAParams(&key.PublicKey.Parameters); err != nil {
return nil, err
return &dsaPrivateKey{key}, nil
type wrappedSigner struct {
type wrappedSigner struct {
signer crypto.Signer
signer crypto.Signer
pubKey PublicKey
pubKey PublicKey
@ -753,6 +781,18 @@ func ParsePrivateKey(pemBytes []byte) (Signer, error) {
return NewSignerFromKey(key)
return NewSignerFromKey(key)
// ParsePrivateKeyWithPassphrase returns a Signer from a PEM encoded private
// key and passphrase. It supports the same keys as
// ParseRawPrivateKeyWithPassphrase.
func ParsePrivateKeyWithPassphrase(pemBytes, passPhrase []byte) (Signer, error) {
key, err := ParseRawPrivateKeyWithPassphrase(pemBytes, passPhrase)
if err != nil {
return nil, err
return NewSignerFromKey(key)
// encryptedBlock tells whether a private key is
// encryptedBlock tells whether a private key is
// encrypted by examining its Proc-Type header
// encrypted by examining its Proc-Type header
// for a mention of ENCRYPTED
// for a mention of ENCRYPTED
@ -787,6 +827,43 @@ func ParseRawPrivateKey(pemBytes []byte) (interface{}, error) {
// ParseRawPrivateKeyWithPassphrase returns a private key decrypted with
// passphrase from a PEM encoded private key. If wrong passphrase, return
// x509.IncorrectPasswordError.
func ParseRawPrivateKeyWithPassphrase(pemBytes, passPhrase []byte) (interface{}, error) {
block, _ := pem.Decode(pemBytes)
if block == nil {
return nil, errors.New("ssh: no key found")
buf := block.Bytes
if encryptedBlock(block) {
if x509.IsEncryptedPEMBlock(block) {
var err error
buf, err = x509.DecryptPEMBlock(block, passPhrase)
if err != nil {
if err == x509.IncorrectPasswordError {
return nil, err
return nil, fmt.Errorf("ssh: cannot decode encrypted private keys: %v", err)
switch block.Type {
return x509.ParsePKCS1PrivateKey(buf)
return x509.ParseECPrivateKey(buf)
return ParseDSAPrivateKey(buf)
return parseOpenSSHPrivateKey(buf)
return nil, fmt.Errorf("ssh: unsupported key type %q", block.Type)
// ParseDSAPrivateKey returns a DSA private key from its ASN.1 DER encoding, as
// ParseDSAPrivateKey returns a DSA private key from its ASN.1 DER encoding, as
// specified by the OpenSSL DSA man page.
// specified by the OpenSSL DSA man page.
func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error) {
func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error) {
@ -795,8 +872,8 @@ func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error) {
P *big.Int
P *big.Int
Q *big.Int
Q *big.Int
G *big.Int
G *big.Int
Priv *big.Int
Pub *big.Int
Pub *big.Int
Priv *big.Int
rest, err := asn1.Unmarshal(der, &k)
rest, err := asn1.Unmarshal(der, &k)
if err != nil {
if err != nil {
@ -813,15 +890,15 @@ func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error) {
Q: k.Q,
Q: k.Q,
G: k.G,
G: k.G,
Y: k.Priv,
Y: k.Pub,
X: k.Pub,
X: k.Priv,
}, nil
}, nil
// Implemented based on the documentation at
// Implemented based on the documentation at
func parseOpenSSHPrivateKey(key []byte) (*ed25519.PrivateKey, error) {
func parseOpenSSHPrivateKey(key []byte) (crypto.PrivateKey, error) {
magic := append([]byte("openssh-key-v1"), 0)
magic := append([]byte("openssh-key-v1"), 0)
if !bytes.Equal(magic, key[0:len(magic)]) {
if !bytes.Equal(magic, key[0:len(magic)]) {
return nil, errors.New("ssh: invalid openssh private key format")
return nil, errors.New("ssh: invalid openssh private key format")
@ -841,14 +918,15 @@ func parseOpenSSHPrivateKey(key []byte) (*ed25519.PrivateKey, error) {
return nil, err
return nil, err
if w.KdfName != "none" || w.CipherName != "none" {
return nil, errors.New("ssh: cannot decode encrypted private keys")
pk1 := struct {
pk1 := struct {
Check1 uint32
Check1 uint32
Check2 uint32
Check2 uint32
Keytype string
Keytype string
Pub []byte
Rest []byte `ssh:"rest"`
Priv []byte
Comment string
Pad []byte `ssh:"rest"`
if err := Unmarshal(w.PrivKeyBlock, &pk1); err != nil {
if err := Unmarshal(w.PrivKeyBlock, &pk1); err != nil {
@ -859,22 +937,95 @@ func parseOpenSSHPrivateKey(key []byte) (*ed25519.PrivateKey, error) {
return nil, errors.New("ssh: checkint mismatch")
return nil, errors.New("ssh: checkint mismatch")
// we only handle ed25519 keys currently
// we only handle ed25519 and rsa keys currently
if pk1.Keytype != KeyAlgoED25519 {
switch pk1.Keytype {
return nil, errors.New("ssh: unhandled key type")
case KeyAlgoRSA:
key := struct {
N *big.Int
E *big.Int
D *big.Int
Iqmp *big.Int
P *big.Int
Q *big.Int
Comment string
Pad []byte `ssh:"rest"`
if err := Unmarshal(pk1.Rest, &key); err != nil {
return nil, err
for i, b := range pk1.Pad {
for i, b := range key.Pad {
if int(b) != i+1 {
if int(b) != i+1 {
return nil, errors.New("ssh: padding not as expected")
return nil, errors.New("ssh: padding not as expected")
if len(pk1.Priv) != ed25519.PrivateKeySize {
pk := &rsa.PrivateKey{
PublicKey: rsa.PublicKey{
N: key.N,
E: int(key.E.Int64()),
D: key.D,
Primes: []*big.Int{key.P, key.Q},
if err := pk.Validate(); err != nil {
return nil, err
return pk, nil
case KeyAlgoED25519:
key := struct {
Pub []byte
Priv []byte
Comment string
Pad []byte `ssh:"rest"`
if err := Unmarshal(pk1.Rest, &key); err != nil {
return nil, err
if len(key.Priv) != ed25519.PrivateKeySize {
return nil, errors.New("ssh: private key unexpected length")
return nil, errors.New("ssh: private key unexpected length")
pk := ed25519.PrivateKey(make([]byte, ed25519.PrivateKeySize))
for i, b := range key.Pad {
copy(pk, pk1.Priv)
if int(b) != i+1 {
return &pk, nil
return nil, errors.New("ssh: padding not as expected")
pk := ed25519.PrivateKey(make([]byte, ed25519.PrivateKeySize))
copy(pk, key.Priv)
return &pk, nil
return nil, errors.New("ssh: unhandled key type")
// FingerprintLegacyMD5 returns the user presentation of the key's
// fingerprint as described by RFC 4716 section 4.
func FingerprintLegacyMD5(pubKey PublicKey) string {
md5sum := md5.Sum(pubKey.Marshal())
hexarray := make([]string, len(md5sum))
for i, c := range md5sum {
hexarray[i] = hex.EncodeToString([]byte{c})
return strings.Join(hexarray, ":")
// FingerprintSHA256 returns the user presentation of the key's
// fingerprint as unpadded base64 encoded sha256 hash.
// This format was introduced from OpenSSH 6.8.
// (unpadded base64 encoding)
func FingerprintSHA256(pubKey PublicKey) string {
sha256sum := sha256.Sum256(pubKey.Marshal())
hash := base64.RawStdEncoding.EncodeToString(sha256sum[:])
return "SHA256:" + hash
@ -15,6 +15,7 @@ import (
type macMode struct {
type macMode struct {
keySize int
keySize int
etm bool
new func(key []byte) hash.Hash
new func(key []byte) hash.Hash
@ -45,13 +46,16 @@ func (t truncatingMAC) Size() int {
func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
var macModes = map[string]*macMode{
var macModes = map[string]*macMode{
"hmac-sha2-256": {32, func(key []byte) hash.Hash {
"": {32, true, func(key []byte) hash.Hash {
return hmac.New(sha256.New, key)
return hmac.New(sha256.New, key)
"hmac-sha1": {20, func(key []byte) hash.Hash {
"hmac-sha2-256": {32, false, func(key []byte) hash.Hash {
return hmac.New(sha256.New, key)
"hmac-sha1": {20, false, func(key []byte) hash.Hash {
return hmac.New(sha1.New, key)
return hmac.New(sha1.New, key)
"hmac-sha1-96": {20, func(key []byte) hash.Hash {
"hmac-sha1-96": {20, false, func(key []byte) hash.Hash {
return truncatingMAC{12, hmac.New(sha1.New, key)}
return truncatingMAC{12, hmac.New(sha1.New, key)}
@ -23,10 +23,6 @@ const (
msgUnimplemented = 3
msgUnimplemented = 3
msgDebug = 4
msgDebug = 4
msgNewKeys = 21
msgNewKeys = 21
// Standard authentication messages
msgUserAuthSuccess = 52
msgUserAuthBanner = 53
// SSH messages:
// SSH messages:
@ -137,6 +133,18 @@ type userAuthFailureMsg struct {
PartialSuccess bool
PartialSuccess bool
// See RFC 4252, section 5.1
const msgUserAuthSuccess = 52
// See RFC 4252, section 5.4
const msgUserAuthBanner = 53
type userAuthBannerMsg struct {
Message string `sshtype:"53"`
// unused, but required to allow message parsing
Language string
// See RFC 4256, section 3.2
// See RFC 4256, section 3.2
const msgUserAuthInfoRequest = 60
const msgUserAuthInfoRequest = 60
const msgUserAuthInfoResponse = 61
const msgUserAuthInfoResponse = 61
@ -116,9 +116,9 @@ func (m *mux) Wait() error {
func newMux(p packetConn) *mux {
func newMux(p packetConn) *mux {
m := &mux{
m := &mux{
conn: p,
conn: p,
incomingChannels: make(chan NewChannel, 16),
incomingChannels: make(chan NewChannel, chanSize),
globalResponses: make(chan interface{}, 1),
globalResponses: make(chan interface{}, 1),
incomingRequests: make(chan *Request, 16),
incomingRequests: make(chan *Request, chanSize),
errCond: newCond(),
errCond: newCond(),
if debugMux {
if debugMux {
@ -10,26 +10,38 @@ import (
// The Permissions type holds fine-grained permissions that are
// The Permissions type holds fine-grained permissions that are
// specific to a user or a specific authentication method for a
// specific to a user or a specific authentication method for a user.
// user. Permissions, except for "source-address", must be enforced in
// The Permissions value for a successful authentication attempt is
// the server application layer, after successful authentication. The
// available in ServerConn, so it can be used to pass information from
// Permissions are passed on in ServerConn so a server implementation
// the user-authentication phase to the application layer.
// can honor them.
type Permissions struct {
type Permissions struct {
// Critical options restrict default permissions. Common
// CriticalOptions indicate restrictions to the default
// restrictions are "source-address" and "force-command". If
// permissions, and are typically used in conjunction with
// the server cannot enforce the restriction, or does not
// user certificates. The standard for SSH certificates
// recognize it, the user should not authenticate.
// defines "force-command" (only allow the given command to
// execute) and "source-address" (only allow connections from
// the given address). The SSH package currently only enforces
// the "source-address" critical option. It is up to server
// implementations to enforce other critical options, such as
// "force-command", by checking them after the SSH handshake
// is successful. In general, SSH servers should reject
// connections that specify critical options that are unknown
// or not supported.
CriticalOptions map[string]string
CriticalOptions map[string]string
// Extensions are extra functionality that the server may
// Extensions are extra functionality that the server may
// offer on authenticated connections. Common extensions are
// offer on authenticated connections. Lack of support for an
// "permit-agent-forwarding", "permit-X11-forwarding". Lack of
// extension does not preclude authenticating a user. Common
// support for an extension does not preclude authenticating a
// extensions are "permit-agent-forwarding",
// user.
// "permit-X11-forwarding". The Go SSH library currently does
// not act on any extension, and it is up to server
// implementations to honor them. Extensions can be used to
// pass data from the authentication callbacks to the server
// application layer.
Extensions map[string]string
Extensions map[string]string
@ -44,13 +56,24 @@ type ServerConfig struct {
// authenticating.
// authenticating.
NoClientAuth bool
NoClientAuth bool
// MaxAuthTries specifies the maximum number of authentication attempts
// permitted per connection. If set to a negative number, the number of
// attempts are unlimited. If set to zero, the number of attempts are limited
// to 6.
MaxAuthTries int
// PasswordCallback, if non-nil, is called when a user
// PasswordCallback, if non-nil, is called when a user
// attempts to authenticate using a password.
// attempts to authenticate using a password.
PasswordCallback func(conn ConnMetadata, password []byte) (*Permissions, error)
PasswordCallback func(conn ConnMetadata, password []byte) (*Permissions, error)
// PublicKeyCallback, if non-nil, is called when a client attempts public
// PublicKeyCallback, if non-nil, is called when a client
// key authentication. It must return true if the given public key is
// offers a public key for authentication. It must return a nil error
// valid for the given user. For example, see CertChecker.Authenticate.
// if the given public key can be used to authenticate the
// given user. For example, see CertChecker.Authenticate. A
// call to this function does not guarantee that the key
// offered is in fact used to authenticate. To record any data
// depending on the public key, store it inside a
// Permissions.Extensions entry.
PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
// KeyboardInteractiveCallback, if non-nil, is called when
// KeyboardInteractiveCallback, if non-nil, is called when
@ -72,6 +95,10 @@ type ServerConfig struct {
// Note that RFC 4253 section 4.2 requires that this string start with
// Note that RFC 4253 section 4.2 requires that this string start with
// "SSH-2.0-".
// "SSH-2.0-".
ServerVersion string
ServerVersion string
// BannerCallback, if present, is called and the return string is sent to
// the client after key exchange completed but before authentication.
BannerCallback func(conn ConnMetadata) string
// AddHostKey adds a private key as a host key. If an existing host
// AddHostKey adds a private key as a host key. If an existing host
@ -142,6 +169,10 @@ type ServerConn struct {
func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error) {
func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error) {
fullConf := *config
fullConf := *config
if fullConf.MaxAuthTries == 0 {
fullConf.MaxAuthTries = 6
s := &connection{
s := &connection{
sshConn: sshConn{conn: c},
sshConn: sshConn{conn: c},
@ -188,7 +219,7 @@ func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error)
tr := newTransport(s.sshConn.conn, config.Rand, false /* not client */)
tr := newTransport(s.sshConn.conn, config.Rand, false /* not client */)
s.transport = newServerTransport(tr, s.clientVersion, s.serverVersion, config)
s.transport = newServerTransport(tr, s.clientVersion, s.serverVersion, config)
if err := s.transport.requestInitialKeyChange(); err != nil {
if err := s.transport.waitSession(); err != nil {
return nil, err
return nil, err
@ -231,7 +262,7 @@ func isAcceptableAlgo(algo string) bool {
return false
return false
func checkSourceAddress(addr net.Addr, sourceAddr string) error {
func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
if addr == nil {
if addr == nil {
return errors.New("ssh: no address known for client, but source-address match required")
return errors.New("ssh: no address known for client, but source-address match required")
@ -241,8 +272,9 @@ func checkSourceAddress(addr net.Addr, sourceAddr string) error {
return fmt.Errorf("ssh: remote address %v is not an TCP address when checking source-address match", addr)
return fmt.Errorf("ssh: remote address %v is not an TCP address when checking source-address match", addr)
for _, sourceAddr := range strings.Split(sourceAddrs, ",") {
if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
if bytes.Equal(allowedIP, tcpAddr.IP) {
if allowedIP.Equal(tcpAddr.IP) {
return nil
return nil
} else {
} else {
@ -255,19 +287,56 @@ func checkSourceAddress(addr net.Addr, sourceAddr string) error {
return nil
return nil
return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
// ServerAuthError implements the error interface. It appends any authentication
// errors that may occur, and is returned if all of the authentication methods
// provided by the user failed to authenticate.
type ServerAuthError struct {
// Errors contains authentication errors returned by the authentication
// callback methods.
Errors []error
func (l ServerAuthError) Error() string {
var errs []string
for _, err := range l.Errors {
errs = append(errs, err.Error())
return "[" + strings.Join(errs, ", ") + "]"
func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
var err error
sessionID := s.transport.getSessionID()
var cache pubKeyCache
var cache pubKeyCache
var perms *Permissions
var perms *Permissions
authFailures := 0
var authErrs []error
for {
for {
if authFailures >= config.MaxAuthTries && config.MaxAuthTries > 0 {
discMsg := &disconnectMsg{
Reason: 2,
Message: "too many authentication failures",
if err := s.transport.writePacket(Marshal(discMsg)); err != nil {
return nil, err
return nil, discMsg
var userAuthReq userAuthRequestMsg
var userAuthReq userAuthRequestMsg
if packet, err := s.transport.readPacket(); err != nil {
if packet, err := s.transport.readPacket(); err != nil {
if err == io.EOF {
return nil, &ServerAuthError{Errors: authErrs}
return nil, err
return nil, err
} else if err = Unmarshal(packet, &userAuthReq); err != nil {
} else if err = Unmarshal(packet, &userAuthReq); err != nil {
return nil, err
return nil, err
@ -278,6 +347,19 @@ userAuthLoop:
s.user = userAuthReq.User
s.user = userAuthReq.User
if authFailures == 0 && config.BannerCallback != nil {
msg := config.BannerCallback(s)
if msg != "" {
bannerMsg := &userAuthBannerMsg{
Message: msg,
if err := s.transport.writePacket(Marshal(bannerMsg)); err != nil {
return nil, err
perms = nil
perms = nil
authErr := errors.New("no auth passed yet")
authErr := errors.New("no auth passed yet")
@ -286,6 +368,11 @@ userAuthLoop:
if config.NoClientAuth {
if config.NoClientAuth {
authErr = nil
authErr = nil
// allow initial attempt of 'none' without penalty
if authFailures == 0 {
case "password":
case "password":
if config.PasswordCallback == nil {
if config.PasswordCallback == nil {
authErr = errors.New("ssh: password auth not configured")
authErr = errors.New("ssh: password auth not configured")
@ -357,6 +444,7 @@ userAuthLoop:
if isQuery {
if isQuery {
// The client can query if the given public key
// The client can query if the given public key
// would be okay.
// would be okay.
if len(payload) > 0 {
if len(payload) > 0 {
return nil, parseError(msgUserAuthRequest)
return nil, parseError(msgUserAuthRequest)
@ -385,7 +473,7 @@ userAuthLoop:
if !isAcceptableAlgo(sig.Format) {
if !isAcceptableAlgo(sig.Format) {
signedData := buildDataSignedForAuth(s.transport.getSessionID(), userAuthReq, algoBytes, pubKeyData)
signedData := buildDataSignedForAuth(sessionID, userAuthReq, algoBytes, pubKeyData)
if err := pubKey.Verify(signedData, sig); err != nil {
if err := pubKey.Verify(signedData, sig); err != nil {
return nil, err
return nil, err
@ -398,6 +486,8 @@ userAuthLoop:
authErr = fmt.Errorf("ssh: unknown method %q", userAuthReq.Method)
authErr = fmt.Errorf("ssh: unknown method %q", userAuthReq.Method)
authErrs = append(authErrs, authErr)
if config.AuthLogCallback != nil {
if config.AuthLogCallback != nil {
config.AuthLogCallback(s, userAuthReq.Method, authErr)
config.AuthLogCallback(s, userAuthReq.Method, authErr)
@ -406,6 +496,8 @@ userAuthLoop:
break userAuthLoop
break userAuthLoop
var failureMsg userAuthFailureMsg
var failureMsg userAuthFailureMsg
if config.PasswordCallback != nil {
if config.PasswordCallback != nil {
failureMsg.Methods = append(failureMsg.Methods, "password")
failureMsg.Methods = append(failureMsg.Methods, "password")
@ -421,12 +513,12 @@ userAuthLoop:
return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
if err = s.transport.writePacket(Marshal(&failureMsg)); err != nil {
if err := s.transport.writePacket(Marshal(&failureMsg)); err != nil {
return nil, err
return nil, err
if err = s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
if err := s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
return nil, err
return nil, err
return perms, nil
return perms, nil
@ -231,6 +231,26 @@ func (s *Session) RequestSubsystem(subsystem string) error {
return err
return err
// RFC 4254 Section 6.7.
type ptyWindowChangeMsg struct {
Columns uint32
Rows uint32
Width uint32
Height uint32
// WindowChange informs the remote host about a terminal window dimension change to h rows and w columns.
func (s *Session) WindowChange(h, w int) error {
req := ptyWindowChangeMsg{
Columns: uint32(w),
Rows: uint32(h),
Width: uint32(w * 8),
Height: uint32(h * 8),
_, err :="window-change", false, Marshal(&req))
return err
// RFC 4254 Section 6.9.
// RFC 4254 Section 6.9.
type signalMsg struct {
type signalMsg struct {
Signal string
Signal string
@ -0,0 +1,115 @@
package ssh
import (
// streamLocalChannelOpenDirectMsg is a struct used for SSH_MSG_CHANNEL_OPEN message
// with "" string.
// See openssh-portable/PROTOCOL, section 2.4. connection: Unix domain socket forwarding
type streamLocalChannelOpenDirectMsg struct {
socketPath string
reserved0 string
reserved1 uint32
// forwardedStreamLocalPayload is a struct used for SSH_MSG_CHANNEL_OPEN message
// with "" string.
type forwardedStreamLocalPayload struct {
SocketPath string
Reserved0 string
// streamLocalChannelForwardMsg is a struct used for SSH2_MSG_GLOBAL_REQUEST message
// with ""/"" string.
type streamLocalChannelForwardMsg struct {
socketPath string
// ListenUnix is similar to ListenTCP but uses a Unix domain socket.
func (c *Client) ListenUnix(socketPath string) (net.Listener, error) {
m := streamLocalChannelForwardMsg{
// send message
ok, _, err := c.SendRequest("", true, Marshal(&m))
if err != nil {
return nil, err
if !ok {
return nil, errors.New("ssh: request denied by peer")
ch := c.forwards.add(&net.UnixAddr{Name: socketPath, Net: "unix"})
return &unixListener{socketPath, c, ch}, nil
func (c *Client) dialStreamLocal(socketPath string) (Channel, error) {
msg := streamLocalChannelOpenDirectMsg{
socketPath: socketPath,
ch, in, err := c.OpenChannel("", Marshal(&msg))
if err != nil {
return nil, err
go DiscardRequests(in)
return ch, err
type unixListener struct {
socketPath string
conn *Client
in <-chan forward
// Accept waits for and returns the next connection to the listener.
func (l *unixListener) Accept() (net.Conn, error) {
s, ok := <
if !ok {
return nil, io.EOF
ch, incoming, err := s.newCh.Accept()
if err != nil {
return nil, err
go DiscardRequests(incoming)
return &chanConn{
Channel: ch,
laddr: &net.UnixAddr{
Name: l.socketPath,
Net: "unix",
raddr: &net.UnixAddr{
Name: "@",
Net: "unix",
}, nil
// Close closes the listener.
func (l *unixListener) Close() error {
// this also closes the listener.
l.conn.forwards.remove(&net.UnixAddr{Name: l.socketPath, Net: "unix"})
m := streamLocalChannelForwardMsg{
ok, _, err := l.conn.SendRequest("", true, Marshal(&m))
if err == nil && !ok {
err = errors.New("ssh: failed")
return err
// Addr returns the listener's network address.
func (l *unixListener) Addr() net.Addr {
return &net.UnixAddr{
Name: l.socketPath,
Net: "unix",
@ -20,12 +20,20 @@ import (
// addr. Incoming connections will be available by calling Accept on
// addr. Incoming connections will be available by calling Accept on
// the returned net.Listener. The listener must be serviced, or the
// the returned net.Listener. The listener must be serviced, or the
// SSH connection may hang.
// SSH connection may hang.
// N must be "tcp", "tcp4", "tcp6", or "unix".
func (c *Client) Listen(n, addr string) (net.Listener, error) {
func (c *Client) Listen(n, addr string) (net.Listener, error) {
switch n {
case "tcp", "tcp4", "tcp6":
laddr, err := net.ResolveTCPAddr(n, addr)
laddr, err := net.ResolveTCPAddr(n, addr)
if err != nil {
if err != nil {
return nil, err
return nil, err
return c.ListenTCP(laddr)
return c.ListenTCP(laddr)
case "unix":
return c.ListenUnix(addr)
return nil, fmt.Errorf("ssh: unsupported protocol: %s", n)
// Automatic port allocation is broken with OpenSSH before 6.0. See
// Automatic port allocation is broken with OpenSSH before 6.0. See
@ -116,7 +124,7 @@ func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
// Register this forward, using the port number we obtained.
// Register this forward, using the port number we obtained.
ch := c.forwards.add(*laddr)
ch := c.forwards.add(laddr)
return &tcpListener{laddr, c, ch}, nil
return &tcpListener{laddr, c, ch}, nil
@ -131,7 +139,7 @@ type forwardList struct {
// forwardEntry represents an established mapping of a laddr on a
// forwardEntry represents an established mapping of a laddr on a
// remote ssh server to a channel connected to a tcpListener.
// remote ssh server to a channel connected to a tcpListener.
type forwardEntry struct {
type forwardEntry struct {
laddr net.TCPAddr
laddr net.Addr
c chan forward
c chan forward
@ -140,15 +148,15 @@ type forwardEntry struct {
// the original forward-request.
// the original forward-request.
type forward struct {
type forward struct {
newCh NewChannel // the ssh client channel underlying this forward
newCh NewChannel // the ssh client channel underlying this forward
raddr *net.TCPAddr // the raddr of the incoming connection
raddr net.Addr // the raddr of the incoming connection
func (l *forwardList) add(addr net.TCPAddr) chan forward {
func (l *forwardList) add(addr net.Addr) chan forward {
defer l.Unlock()
defer l.Unlock()
f := forwardEntry{
f := forwardEntry{
laddr: addr,
make(chan forward, 1),
c: make(chan forward, 1),
l.entries = append(l.entries, f)
l.entries = append(l.entries, f)
return f.c
return f.c
@ -176,8 +184,15 @@ func parseTCPAddr(addr string, port uint32) (*net.TCPAddr, error) {
func (l *forwardList) handleChannels(in <-chan NewChannel) {
func (l *forwardList) handleChannels(in <-chan NewChannel) {
for ch := range in {
for ch := range in {
var (
laddr net.Addr
raddr net.Addr
err error
switch channelType := ch.ChannelType(); channelType {
case "forwarded-tcpip":
var payload forwardedTCPPayload
var payload forwardedTCPPayload
if err := Unmarshal(ch.ExtraData(), &payload); err != nil {
if err = Unmarshal(ch.ExtraData(), &payload); err != nil {
ch.Reject(ConnectionFailed, "could not parse forwarded-tcpip payload: "+err.Error())
ch.Reject(ConnectionFailed, "could not parse forwarded-tcpip payload: "+err.Error())
@ -187,33 +202,51 @@ func (l *forwardList) handleChannels(in <-chan NewChannel) {
// format. It is implied that this should be an IP
// format. It is implied that this should be an IP
// address, as it would be impossible to connect to it
// address, as it would be impossible to connect to it
// otherwise.
// otherwise.
laddr, err := parseTCPAddr(payload.Addr, payload.Port)
laddr, err = parseTCPAddr(payload.Addr, payload.Port)
if err != nil {
if err != nil {
ch.Reject(ConnectionFailed, err.Error())
ch.Reject(ConnectionFailed, err.Error())
raddr, err := parseTCPAddr(payload.OriginAddr, payload.OriginPort)
raddr, err = parseTCPAddr(payload.OriginAddr, payload.OriginPort)
if err != nil {
if err != nil {
ch.Reject(ConnectionFailed, err.Error())
ch.Reject(ConnectionFailed, err.Error())
if ok := l.forward(*laddr, *raddr, ch); !ok {
case "":
var payload forwardedStreamLocalPayload
if err = Unmarshal(ch.ExtraData(), &payload); err != nil {
ch.Reject(ConnectionFailed, "could not parse payload: "+err.Error())
laddr = &net.UnixAddr{
Name: payload.SocketPath,
Net: "unix",
raddr = &net.UnixAddr{
Name: "@",
Net: "unix",
panic(fmt.Errorf("ssh: unknown channel type %s", channelType))
if ok := l.forward(laddr, raddr, ch); !ok {
// Section 7.2, implementations MUST reject spurious incoming
// Section 7.2, implementations MUST reject spurious incoming
// connections.
// connections.
ch.Reject(Prohibited, "no forward for address")
ch.Reject(Prohibited, "no forward for address")
// remove removes the forward entry, and the channel feeding its
// remove removes the forward entry, and the channel feeding its
// listener.
// listener.
func (l *forwardList) remove(addr net.TCPAddr) {
func (l *forwardList) remove(addr net.Addr) {
defer l.Unlock()
defer l.Unlock()
for i, f := range l.entries {
for i, f := range l.entries {
if addr.IP.Equal(f.laddr.IP) && addr.Port == f.laddr.Port {
if addr.Network() == f.laddr.Network() && addr.String() == f.laddr.String() {
l.entries = append(l.entries[:i], l.entries[i+1:]...)
l.entries = append(l.entries[:i], l.entries[i+1:]...)
@ -231,12 +264,12 @@ func (l *forwardList) closeAll() {
l.entries = nil
l.entries = nil
func (l *forwardList) forward(laddr, raddr net.TCPAddr, ch NewChannel) bool {
func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool {
defer l.Unlock()
defer l.Unlock()
for _, f := range l.entries {
for _, f := range l.entries {
if laddr.IP.Equal(f.laddr.IP) && laddr.Port == f.laddr.Port {
if laddr.Network() == f.laddr.Network() && laddr.String() == f.laddr.String() {
f.c <- forward{ch, &raddr}
f.c <- forward{newCh: ch, raddr: raddr}
return true
return true
@ -262,7 +295,7 @@ func (l *tcpListener) Accept() (net.Conn, error) {
go DiscardRequests(incoming)
go DiscardRequests(incoming)
return &tcpChanConn{
return &chanConn{
Channel: ch,
Channel: ch,
laddr: l.laddr,
laddr: l.laddr,
raddr: s.raddr,
raddr: s.raddr,
@ -277,7 +310,7 @@ func (l *tcpListener) Close() error {
// this also closes the listener.
// this also closes the listener.
ok, _, err := l.conn.SendRequest("cancel-tcpip-forward", true, Marshal(&m))
ok, _, err := l.conn.SendRequest("cancel-tcpip-forward", true, Marshal(&m))
if err == nil && !ok {
if err == nil && !ok {
err = errors.New("ssh: cancel-tcpip-forward failed")
err = errors.New("ssh: cancel-tcpip-forward failed")
@ -293,6 +326,9 @@ func (l *tcpListener) Addr() net.Addr {
// Dial initiates a connection to the addr from the remote host.
// Dial initiates a connection to the addr from the remote host.
// The resulting connection has a zero LocalAddr() and RemoteAddr().
// The resulting connection has a zero LocalAddr() and RemoteAddr().
func (c *Client) Dial(n, addr string) (net.Conn, error) {
func (c *Client) Dial(n, addr string) (net.Conn, error) {
var ch Channel
switch n {
case "tcp", "tcp4", "tcp6":
// Parse the address into host and numeric port.
// Parse the address into host and numeric port.
host, portString, err := net.SplitHostPort(addr)
host, portString, err := net.SplitHostPort(addr)
if err != nil {
if err != nil {
@ -302,20 +338,40 @@ func (c *Client) Dial(n, addr string) (net.Conn, error) {
if err != nil {
if err != nil {
return nil, err
return nil, err
ch, err = c.dial(net.IPv4zero.String(), 0, host, int(port))
if err != nil {
return nil, err
// Use a zero address for local and remote address.
// Use a zero address for local and remote address.
zeroAddr := &net.TCPAddr{
zeroAddr := &net.TCPAddr{
IP: net.IPv4zero,
IP: net.IPv4zero,
Port: 0,
Port: 0,
ch, err := c.dial(net.IPv4zero.String(), 0, host, int(port))
return &chanConn{
if err != nil {
return nil, err
return &tcpChanConn{
Channel: ch,
Channel: ch,
laddr: zeroAddr,
laddr: zeroAddr,
raddr: zeroAddr,
raddr: zeroAddr,
}, nil
}, nil
case "unix":
var err error
ch, err = c.dialStreamLocal(addr)
if err != nil {
return nil, err
return &chanConn{
Channel: ch,
laddr: &net.UnixAddr{
Name: "@",
Net: "unix",
raddr: &net.UnixAddr{
Name: addr,
Net: "unix",
}, nil
return nil, fmt.Errorf("ssh: unsupported protocol: %s", n)
// DialTCP connects to the remote address raddr on the network net,
// DialTCP connects to the remote address raddr on the network net,
@ -332,7 +388,7 @@ func (c *Client) DialTCP(n string, laddr, raddr *net.TCPAddr) (net.Conn, error)
if err != nil {
if err != nil {
return nil, err
return nil, err
return &tcpChanConn{
return &chanConn{
Channel: ch,
Channel: ch,
laddr: laddr,
laddr: laddr,
raddr: raddr,
raddr: raddr,
@ -366,26 +422,26 @@ type tcpChan struct {
Channel // the backing channel
Channel // the backing channel
// tcpChanConn fulfills the net.Conn interface without
// chanConn fulfills the net.Conn interface without
// the tcpChan having to hold laddr or raddr directly.
// the tcpChan having to hold laddr or raddr directly.
type tcpChanConn struct {
type chanConn struct {
laddr, raddr net.Addr
laddr, raddr net.Addr
// LocalAddr returns the local network address.
// LocalAddr returns the local network address.
func (t *tcpChanConn) LocalAddr() net.Addr {
func (t *chanConn) LocalAddr() net.Addr {
return t.laddr
return t.laddr
// RemoteAddr returns the remote network address.
// RemoteAddr returns the remote network address.
func (t *tcpChanConn) RemoteAddr() net.Addr {
func (t *chanConn) RemoteAddr() net.Addr {
return t.raddr
return t.raddr
// SetDeadline sets the read and write deadlines associated
// SetDeadline sets the read and write deadlines associated
// with the connection.
// with the connection.
func (t *tcpChanConn) SetDeadline(deadline time.Time) error {
func (t *chanConn) SetDeadline(deadline time.Time) error {
if err := t.SetReadDeadline(deadline); err != nil {
if err := t.SetReadDeadline(deadline); err != nil {
return err
return err
@ -396,12 +452,14 @@ func (t *tcpChanConn) SetDeadline(deadline time.Time) error {
// A zero value for t means Read will not time out.
// A zero value for t means Read will not time out.
// After the deadline, the error from Read will implement net.Error
// After the deadline, the error from Read will implement net.Error
// with Timeout() == true.
// with Timeout() == true.
func (t *tcpChanConn) SetReadDeadline(deadline time.Time) error {
func (t *chanConn) SetReadDeadline(deadline time.Time) error {
// for compatibility with previous version,
// the error message contains "tcpChan"
return errors.New("ssh: tcpChan: deadline not supported")
return errors.New("ssh: tcpChan: deadline not supported")
// SetWriteDeadline exists to satisfy the net.Conn interface
// SetWriteDeadline exists to satisfy the net.Conn interface
// but is not implemented by this type. It always returns an error.
// but is not implemented by this type. It always returns an error.
func (t *tcpChanConn) SetWriteDeadline(deadline time.Time) error {
func (t *chanConn) SetWriteDeadline(deadline time.Time) error {
return errors.New("ssh: tcpChan: deadline not supported")
return errors.New("ssh: tcpChan: deadline not supported")
@ -8,8 +8,13 @@ import (
// debugTransport if set, will print packet types as they go over the
// wire. No message decoding is done, to minimize the impact on timing.
const debugTransport = false
const (
const (
gcmCipherID = ""
gcmCipherID = ""
aes128cbcID = "aes128-cbc"
aes128cbcID = "aes128-cbc"
@ -22,7 +27,9 @@ type packetConn interface {
// Encrypt and send a packet of data to the remote peer.
// Encrypt and send a packet of data to the remote peer.
writePacket(packet []byte) error
writePacket(packet []byte) error
// Read a packet from the connection
// Read a packet from the connection. The read is blocking,
// i.e. if error is nil, then the returned byte slice is
// always non-empty.
readPacket() ([]byte, error)
readPacket() ([]byte, error)
// Close closes the write-side of the connection.
// Close closes the write-side of the connection.
@ -38,7 +45,7 @@ type transport struct {
bufReader *bufio.Reader
bufReader *bufio.Reader
bufWriter *bufio.Writer
bufWriter *bufio.Writer
rand io.Reader
rand io.Reader
isClient bool
@ -84,9 +91,38 @@ func (t *transport) prepareKeyChange(algs *algorithms, kexResult *kexResult) err
return nil
return nil
func (t *transport) printPacket(p []byte, write bool) {
if len(p) == 0 {
who := "server"
if t.isClient {
who = "client"
what := "read"
if write {
what = "write"
log.Println(what, who, p[0])
// Read and decrypt next packet.
// Read and decrypt next packet.
func (t *transport) readPacket() ([]byte, error) {
func (t *transport) readPacket() (p []byte, err error) {
return t.reader.readPacket(t.bufReader)
for {
p, err = t.reader.readPacket(t.bufReader)
if err != nil {
if len(p) == 0 || (p[0] != msgIgnore && p[0] != msgDebug) {
if debugTransport {
t.printPacket(p, false)
return p, err
func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
@ -129,6 +165,9 @@ func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
func (t *transport) writePacket(packet []byte) error {
func (t *transport) writePacket(packet []byte) error {
if debugTransport {
t.printPacket(packet, true)
return t.writer.writePacket(t.bufWriter, t.rand, packet)
return t.writer.writePacket(t.bufWriter, t.rand, packet)
@ -169,6 +208,8 @@ func newTransport(rwc io.ReadWriteCloser, rand io.Reader, isClient bool) *transp
Closer: rwc,
Closer: rwc,
t.isClient = isClient
if isClient {
if isClient {
t.reader.dir = serverKeys
t.reader.dir = serverKeys
t.writer.dir = clientKeys
t.writer.dir = clientKeys
@ -213,7 +254,7 @@ func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (pac
iv, key, macKey := generateKeys(d, algs, kex)
iv, key, macKey := generateKeys(d, algs, kex)
if algs.Cipher == gcmCipherID {
if algs.Cipher == gcmCipherID {
return newGCMCipher(iv, key, macKey)
return newGCMCipher(iv, key)
if algs.Cipher == aes128cbcID {
if algs.Cipher == aes128cbcID {
@ -226,6 +267,7 @@ func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (pac
c := &streamPacketCipher{
c := &streamPacketCipher{
mac: macModes[algs.MAC].new(macKey),
mac: macModes[algs.MAC].new(macKey),
etm: macModes[algs.MAC].etm,
c.macResult = make([]byte, c.mac.Size())
c.macResult = make([]byte, c.mac.Size())
@ -1279,40 +1279,40 @@
"revisionTime": "2016-09-14T08:04:27Z"
"revisionTime": "2016-09-14T08:04:27Z"
"checksumSHA1": "dwOedwBJ1EIK9+S3t108Bx054Y8=",
"checksumSHA1": "sFH/xPPl/UZgLj+ypPNPlT+2Sx0=",
"path": "",
"path": "",
"revision": "9477e0b78b9ac3d0b03822fd95422e2fe07627cd",
"revision": "9f005a07e0d31d45e6656d241bb5c0f2efd4bc94",
"revisionTime": "2016-10-31T15:37:30Z"
"revisionTime": "2017-09-21T17:41:56Z"
"checksumSHA1": "wGb//LjBPNxYHqk+dcLo7BjPXK8=",
"checksumSHA1": "1hwn8cgg4EVXhCpJIqmMbzqnUo0=",
"path": "",
"path": "",
"revision": "9477e0b78b9ac3d0b03822fd95422e2fe07627cd",
"revision": "9f005a07e0d31d45e6656d241bb5c0f2efd4bc94",
"revisionTime": "2016-10-31T15:37:30Z"
"revisionTime": "2017-09-21T17:41:56Z"
"checksumSHA1": "LXFcVx8I587SnWmKycSDEq9yvK8=",
"checksumSHA1": "LXFcVx8I587SnWmKycSDEq9yvK8=",
"path": "",
"path": "",
"revision": "9477e0b78b9ac3d0b03822fd95422e2fe07627cd",
"revision": "9f005a07e0d31d45e6656d241bb5c0f2efd4bc94",
"revisionTime": "2016-10-31T15:37:30Z"
"revisionTime": "2017-09-21T17:41:56Z"
"checksumSHA1": "MCeXr2RNeiG1XG6V+er1OR0qyeo=",
"checksumSHA1": "MCeXr2RNeiG1XG6V+er1OR0qyeo=",
"path": "",
"path": "",
"revision": "ede567c8e044a5913dad1d1af3696d9da953104c",
"revision": "9f005a07e0d31d45e6656d241bb5c0f2efd4bc94",
"revisionTime": "2016-11-04T19:41:44Z"
"revisionTime": "2017-09-21T17:41:56Z"
"checksumSHA1": "1MGpGDQqnUoRpv7VEcQrXOBydXE=",
"checksumSHA1": "1MGpGDQqnUoRpv7VEcQrXOBydXE=",
"path": "",
"path": "",
"revision": "8e06e8ddd9629eb88639aba897641bff8031f1d3",
"revision": "9f005a07e0d31d45e6656d241bb5c0f2efd4bc94",
"revisionTime": "2016-09-10T18:59:01Z"
"revisionTime": "2017-09-21T17:41:56Z"
"checksumSHA1": "LlElMHeTC34ng8eHzjvtUhAgrr8=",
"checksumSHA1": "YXeyyvak2xbvsqj5MBHMzyG+22M=",
"path": "",
"path": "",
"revision": "9477e0b78b9ac3d0b03822fd95422e2fe07627cd",
"revision": "9f005a07e0d31d45e6656d241bb5c0f2efd4bc94",
"revisionTime": "2016-10-31T15:37:30Z"
"revisionTime": "2017-09-21T17:41:56Z"
"checksumSHA1": "9jjO5GjLa0XF/nfWihF02RoH4qc=",
"checksumSHA1": "9jjO5GjLa0XF/nfWihF02RoH4qc=",
Reference in New Issue