29
29
// direction will be effected if a msgNewKeys message is sent
31
31
prepareKeyChange(*algorithms, *kexResult) error
33
// getSessionID returns the session ID. prepareKeyChange must
34
// have been called once.
38
// rekeyingTransport is the interface of handshakeTransport that we
39
// (internally) expose to ClientConn and ServerConn.
40
type rekeyingTransport interface {
43
// requestKeyChange asks the remote side to change keys. All
44
// writes are blocked until the key change succeeds, which is
45
// signaled by reading a msgNewKeys.
46
requestKeyChange() error
48
// getSessionID returns the session ID. This is only valid
49
// after the first key change has completed.
53
34
// handshakeTransport implements rekeying on top of a keyingTransport
178
162
t.readSinceKex += uint64(len(p))
179
163
if debugHandshake {
180
msg, err := decode(p)
181
log.Printf("%s got %T %v (%v)", t.id(), msg, msg, err)
164
if p[0] == msgChannelData || p[0] == msgChannelExtendedData {
165
log.Printf("%s got data (packet %d bytes)", t.id(), len(p))
167
msg, err := decode(p)
168
log.Printf("%s got %T %v (%v)", t.id(), msg, msg, err)
183
171
if p[0] != msgKexInit {
186
err = t.enterKeyExchange(p)
177
firstKex := t.sessionID == nil
179
err = t.enterKeyExchangeLocked(p)
190
181
// drop connection
210
201
t.readSinceKex = 0
211
return []byte{msgNewKeys}, nil
203
// By default, a key exchange is hidden from higher layers by
204
// translating it into msgIgnore.
205
successPacket := []byte{msgIgnore}
207
// sendKexInit() for the first kex waits for
208
// msgNewKeys so the authentication process is
209
// guaranteed to happen over an encrypted transport.
210
successPacket = []byte{msgNewKeys}
213
return successPacket, nil
216
// keyChangeCategory describes whether a key exchange is the first on a
217
// connection, or a subsequent one.
218
type keyChangeCategory bool
221
firstKeyExchange keyChangeCategory = true
222
subsequentKeyExchange keyChangeCategory = false
214
225
// sendKexInit sends a key change message, and returns the message
215
226
// that was sent. After initiating the key change, all writes will be
216
227
// blocked until the change is done, and a failed key change will
217
228
// close the underlying transport. This function is safe for
218
229
// concurrent use by multiple goroutines.
219
func (t *handshakeTransport) sendKexInit() (*kexInitMsg, []byte, error) {
230
func (t *handshakeTransport) sendKexInit(isFirst keyChangeCategory) error {
222
return t.sendKexInitLocked()
234
// If this is the initial key change, but we already have a sessionID,
235
// then do nothing because the key exchange has already completed
237
if !isFirst || t.sessionID == nil {
238
_, _, err = t.sendKexInitLocked(isFirst)
245
if packet, err := t.readPacket(); err != nil {
247
} else if packet[0] != msgNewKeys {
248
return unexpectedMessageError(msgNewKeys, packet[0])
254
func (t *handshakeTransport) requestInitialKeyChange() error {
255
return t.sendKexInit(firstKeyExchange)
225
258
func (t *handshakeTransport) requestKeyChange() error {
226
_, _, err := t.sendKexInit()
259
return t.sendKexInit(subsequentKeyExchange)
230
262
// sendKexInitLocked sends a key change message. t.mu must be locked
231
263
// while this happens.
232
func (t *handshakeTransport) sendKexInitLocked() (*kexInitMsg, []byte, error) {
264
func (t *handshakeTransport) sendKexInitLocked(isFirst keyChangeCategory) (*kexInitMsg, []byte, error) {
233
265
// kexInits may be sent either in response to the other side,
234
266
// or because our side wants to initiate a key change, so we
235
267
// may have already sent a kexInit. In that case, don't send a
300
333
return t.conn.Close()
303
// enterKeyExchange runs the key exchange.
304
func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
336
// enterKeyExchange runs the key exchange. t.mu must be held while running this.
337
func (t *handshakeTransport) enterKeyExchangeLocked(otherInitPacket []byte) error {
305
338
if debugHandshake {
306
339
log.Printf("%s entered key exchange", t.id())
308
myInit, myInitPacket, err := t.sendKexInit()
341
myInit, myInitPacket, err := t.sendKexInitLocked(subsequentKeyExchange)
340
373
// We don't send FirstKexFollows, but we handle receiving it.
341
if otherInit.FirstKexFollows && algs.kex != otherInit.KexAlgos[0] {
375
// RFC 4253 section 7 defines the kex and the agreement method for
376
// first_kex_packet_follows. It states that the guessed packet
377
// should be ignored if the "kex algorithm and/or the host
378
// key algorithm is guessed wrong (server and client have
379
// different preferred algorithm), or if any of the other
380
// algorithms cannot be agreed upon". The other algorithms have
381
// already been checked above so the kex algorithm and host key
382
// algorithm are checked here.
383
if otherInit.FirstKexFollows && (clientInit.KexAlgos[0] != serverInit.KexAlgos[0] || clientInit.ServerHostKeyAlgos[0] != serverInit.ServerHostKeyAlgos[0]) {
342
384
// other side sent a kex message for the wrong algorithm,
343
385
// which we have to ignore.
344
386
if _, err := t.conn.readPacket(); err != nil {