// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package ssh

import (
	
	
	
	
	
	
	
	
)

// debugHandshake, if set, prints messages sent and received.  Key
// exchange messages are printed as if DH were used, so the debug
// messages are wrong when using ECDH.
const debugHandshake = false

// chanSize sets the amount of buffering SSH connections. This is
// primarily for testing: setting chanSize=0 uncovers deadlocks more
// quickly.
const chanSize = 16

// maxPendingPackets sets the maximum number of packets to queue while waiting
// for KEX to complete. This limits the total pending data to maxPendingPackets
// * maxPacket bytes, which is ~16.8MB.
const maxPendingPackets = 64

// keyingTransport is a packet based transport that supports key
// changes. It need not be thread-safe. It should pass through
// msgNewKeys in both directions.
type keyingTransport interface {
	packetConn

	// prepareKeyChange sets up a key change. The key change for a
	// direction will be effected if a msgNewKeys message is sent
	// or received.
	prepareKeyChange(*NegotiatedAlgorithms, *kexResult) error

	// setStrictMode sets the strict KEX mode, notably triggering
	// sequence number resets on sending or receiving msgNewKeys.
	// If the sequence number is already > 1 when setStrictMode
	// is called, an error is returned.
	setStrictMode() error

	// setInitialKEXDone indicates to the transport that the initial key exchange
	// was completed
	setInitialKEXDone()
}

// handshakeTransport implements rekeying on top of a keyingTransport
// and offers a thread-safe writePacket() interface.
type handshakeTransport struct {
	conn   keyingTransport
	config *Config

	serverVersion []byte
	clientVersion []byte

	// hostKeys is non-empty if we are the server. In that case,
	// it contains all host keys that can be used to sign the
	// connection.
	hostKeys []Signer

	// publicKeyAuthAlgorithms is non-empty if we are the server. In that case,
	// it contains the supported client public key authentication algorithms.
	publicKeyAuthAlgorithms []string

	// hostKeyAlgorithms is non-empty if we are the client. In that case,
	// we accept these key types from the server as host key.
	hostKeyAlgorithms []string

	// On read error, incoming is closed, and readError is set.
	incoming  chan []byte
	readError error

	mu sync.Mutex
	// Condition for the above mutex. It is used to notify a completed key
	// exchange or a write failure. Writes can wait for this condition while a
	// key exchange is in progress.
	writeCond      *sync.Cond
	writeError     error
	sentInitPacket []byte
	sentInitMsg    *kexInitMsg
	// Used to queue writes when a key exchange is in progress. The length is
	// limited by pendingPacketsSize. Once full, writes will block until the key
	// exchange is completed or an error occurs. If not empty, it is emptied
	// all at once when the key exchange is completed in kexLoop.
	pendingPackets   [][]byte
	writePacketsLeft uint32
	writeBytesLeft   int64
	userAuthComplete bool // whether the user authentication phase is complete

	// If the read loop wants to schedule a kex, it pings this
	// channel, and the write loop will send out a kex
	// message.
	requestKex chan struct{}

	// If the other side requests or confirms a kex, its kexInit
	// packet is sent here for the write loop to find it.
	startKex    chan *pendingKex
	kexLoopDone chan struct{} // closed (with writeError non-nil) when kexLoop exits

	// data for host key checking
	hostKeyCallback HostKeyCallback
	dialAddress     string
	remoteAddr      net.Addr

	// bannerCallback is non-empty if we are the client and it has been set in
	// ClientConfig. In that case it is called during the user authentication
	// dance to handle a custom server's message.
	bannerCallback BannerCallback

	// Algorithms agreed in the last key exchange.
	algorithms *NegotiatedAlgorithms

	// Counters exclusively owned by readLoop.
	readPacketsLeft uint32
	readBytesLeft   int64

	// The session ID or nil if first kex did not complete yet.
	sessionID []byte

	// strictMode indicates if the other side of the handshake indicated
	// that we should be following the strict KEX protocol restrictions.
	strictMode bool
}

type pendingKex struct {
	otherInit []byte
	done      chan error
}

func newHandshakeTransport( keyingTransport,  *Config, ,  []byte) *handshakeTransport {
	 := &handshakeTransport{
		conn:          ,
		serverVersion: ,
		clientVersion: ,
		incoming:      make(chan []byte, chanSize),
		requestKex:    make(chan struct{}, 1),
		startKex:      make(chan *pendingKex),
		kexLoopDone:   make(chan struct{}),

		config: ,
	}
	.writeCond = sync.NewCond(&.mu)
	.resetReadThresholds()
	.resetWriteThresholds()

	// We always start with a mandatory key exchange.
	.requestKex <- struct{}{}
	return 
}

func newClientTransport( keyingTransport, ,  []byte,  *ClientConfig,  string,  net.Addr) *handshakeTransport {
	 := newHandshakeTransport(, &.Config, , )
	.dialAddress = 
	.remoteAddr = 
	.hostKeyCallback = .HostKeyCallback
	.bannerCallback = .BannerCallback
	if .HostKeyAlgorithms != nil {
		.hostKeyAlgorithms = .HostKeyAlgorithms
	} else {
		.hostKeyAlgorithms = defaultHostKeyAlgos
	}
	go .readLoop()
	go .kexLoop()
	return 
}

func newServerTransport( keyingTransport, ,  []byte,  *ServerConfig) *handshakeTransport {
	 := newHandshakeTransport(, &.Config, , )
	.hostKeys = .hostKeys
	.publicKeyAuthAlgorithms = .PublicKeyAuthAlgorithms
	go .readLoop()
	go .kexLoop()
	return 
}

func ( *handshakeTransport) () []byte {
	return .sessionID
}

func ( *handshakeTransport) () NegotiatedAlgorithms {
	return *.algorithms
}

// waitSession waits for the session to be established. This should be
// the first thing to call after instantiating handshakeTransport.
func ( *handshakeTransport) () error {
	,  := .readPacket()
	if  != nil {
		return 
	}
	if [0] != msgNewKeys {
		return fmt.Errorf("ssh: first packet should be msgNewKeys")
	}

	return nil
}

func ( *handshakeTransport) () string {
	if len(.hostKeys) > 0 {
		return "server"
	}
	return "client"
}

func ( *handshakeTransport) ( []byte,  bool) {
	 := "got"
	if  {
		 = "sent"
	}

	if [0] == msgChannelData || [0] == msgChannelExtendedData {
		log.Printf("%s %s data (packet %d bytes)", .id(), , len())
	} else {
		,  := decode()
		log.Printf("%s %s %T %v (%v)", .id(), , , , )
	}
}

func ( *handshakeTransport) () ([]byte, error) {
	,  := <-.incoming
	if ! {
		return nil, .readError
	}
	return , nil
}

func ( *handshakeTransport) () {
	 := true
	for {
		,  := .readOnePacket()
		 = false
		if  != nil {
			.readError = 
			close(.incoming)
			break
		}
		// If this is the first kex, and strict KEX mode is enabled,
		// we don't ignore any messages, as they may be used to manipulate
		// the packet sequence numbers.
		if !(.sessionID == nil && .strictMode) && ([0] == msgIgnore || [0] == msgDebug) {
			continue
		}
		.incoming <- 
	}

	// Stop writers too.
	.recordWriteError(.readError)

	// Unblock the writer should it wait for this.
	close(.startKex)

	// Don't close t.requestKex; it's also written to from writePacket.
}

func ( *handshakeTransport) ( []byte) error {
	if debugHandshake {
		.printPacket(, true)
	}
	return .conn.writePacket()
}

func ( *handshakeTransport) () error {
	.mu.Lock()
	defer .mu.Unlock()
	return .writeError
}

func ( *handshakeTransport) ( error) {
	.mu.Lock()
	defer .mu.Unlock()
	if .writeError == nil &&  != nil {
		.writeError = 
		.writeCond.Broadcast()
	}
}

func ( *handshakeTransport) () {
	select {
	case .requestKex <- struct{}{}:
	default:
		// something already requested a kex, so do nothing.
	}
}

func ( *handshakeTransport) () {
	.writePacketsLeft = packetRekeyThreshold
	if .config.RekeyThreshold > 0 {
		.writeBytesLeft = int64(.config.RekeyThreshold)
	} else if .algorithms != nil {
		.writeBytesLeft = .algorithms.Write.rekeyBytes()
	} else {
		.writeBytesLeft = 1 << 30
	}
}

func ( *handshakeTransport) () {

:
	for .getWriteError() == nil {
		var  *pendingKex
		var  bool

		for  == nil || ! {
			var  bool
			select {
			case ,  = <-.startKex:
				if ! {
					break 
				}
			case <-.requestKex:
				break
			}

			if ! {
				if  := .sendKexInit();  != nil {
					.recordWriteError()
					break
				}
				 = true
			}
		}

		if  := .getWriteError();  != nil {
			if  != nil {
				.done <- 
			}
			break
		}

		// We're not servicing t.requestKex, but that is OK:
		// we never block on sending to t.requestKex.

		// We're not servicing t.startKex, but the remote end
		// has just sent us a kexInitMsg, so it can't send
		// another key change request, until we close the done
		// channel on the pendingKex request.

		 := .enterKeyExchange(.otherInit)

		.mu.Lock()
		.writeError = 
		.sentInitPacket = nil
		.sentInitMsg = nil

		.resetWriteThresholds()

		// we have completed the key exchange. Since the
		// reader is still blocked, it is safe to clear out
		// the requestKex channel. This avoids the situation
		// where: 1) we consumed our own request for the
		// initial kex, and 2) the kex from the remote side
		// caused another send on the requestKex channel,
	:
		for {
			select {
			case <-.requestKex:
				//
			default:
				break 
			}
		}

		.done <- .writeError

		// kex finished. Push packets that we received while
		// the kex was in progress. Don't look at t.startKex
		// and don't increment writtenSinceKex: if we trigger
		// another kex while we are still busy with the last
		// one, things will become very confusing.
		for ,  := range .pendingPackets {
			.writeError = .pushPacket()
			if .writeError != nil {
				break
			}
		}
		.pendingPackets = .pendingPackets[:0]
		// Unblock writePacket if waiting for KEX.
		.writeCond.Broadcast()
		.mu.Unlock()
	}

	// Unblock reader.
	.conn.Close()

	// drain startKex channel. We don't service t.requestKex
	// because nobody does blocking sends there.
	for  := range .startKex {
		.done <- .getWriteError()
	}

	// Mark that the loop is done so that Close can return.
	close(.kexLoopDone)
}

// The protocol uses uint32 for packet counters, so we can't let them
// reach 1<<32.  We will actually read and write more packets than
// this, though: the other side may send more packets, and after we
// hit this limit on writing we will send a few more packets for the
// key exchange itself.
const packetRekeyThreshold = (1 << 31)

func ( *handshakeTransport) () {
	.readPacketsLeft = packetRekeyThreshold
	if .config.RekeyThreshold > 0 {
		.readBytesLeft = int64(.config.RekeyThreshold)
	} else if .algorithms != nil {
		.readBytesLeft = .algorithms.Read.rekeyBytes()
	} else {
		.readBytesLeft = 1 << 30
	}
}

func ( *handshakeTransport) ( bool) ([]byte, error) {
	,  := .conn.readPacket()
	if  != nil {
		return nil, 
	}

	if .readPacketsLeft > 0 {
		.readPacketsLeft--
	} else {
		.requestKeyExchange()
	}

	if .readBytesLeft > 0 {
		.readBytesLeft -= int64(len())
	} else {
		.requestKeyExchange()
	}

	if debugHandshake {
		.printPacket(, false)
	}

	if  && [0] != msgKexInit {
		return nil, fmt.Errorf("ssh: first packet should be msgKexInit")
	}

	if [0] != msgKexInit {
		return , nil
	}

	 := .sessionID == nil

	 := pendingKex{
		done:      make(chan error, 1),
		otherInit: ,
	}
	.startKex <- &
	 = <-.done

	if debugHandshake {
		log.Printf("%s exited key exchange (first %v), err %v", .id(), , )
	}

	if  != nil {
		return nil, 
	}

	.resetReadThresholds()

	// By default, a key exchange is hidden from higher layers by
	// translating it into msgIgnore.
	 := []byte{msgIgnore}
	if  {
		// sendKexInit() for the first kex waits for
		// msgNewKeys so the authentication process is
		// guaranteed to happen over an encrypted transport.
		 = []byte{msgNewKeys}
	}

	return , nil
}

const (
	kexStrictClient = "kex-strict-c-v00@openssh.com"
	kexStrictServer = "kex-strict-s-v00@openssh.com"
)

// sendKexInit sends a key change message.
func ( *handshakeTransport) () error {
	.mu.Lock()
	defer .mu.Unlock()
	if .sentInitMsg != nil {
		// kexInits may be sent either in response to the other side,
		// or because our side wants to initiate a key change, so we
		// may have already sent a kexInit. In that case, don't send a
		// second kexInit.
		return nil
	}

	 := &kexInitMsg{
		CiphersClientServer:     .config.Ciphers,
		CiphersServerClient:     .config.Ciphers,
		MACsClientServer:        .config.MACs,
		MACsServerClient:        .config.MACs,
		CompressionClientServer: supportedCompressions,
		CompressionServerClient: supportedCompressions,
	}
	io.ReadFull(.config.Rand, .Cookie[:])

	// We mutate the KexAlgos slice, in order to add the kex-strict extension algorithm,
	// and possibly to add the ext-info extension algorithm. Since the slice may be the
	// user owned KeyExchanges, we create our own slice in order to avoid using user
	// owned memory by mistake.
	.KexAlgos = make([]string, 0, len(.config.KeyExchanges)+2) // room for kex-strict and ext-info
	.KexAlgos = append(.KexAlgos, .config.KeyExchanges...)

	 := len(.hostKeys) > 0
	if  {
		for ,  := range .hostKeys {
			// If k is a MultiAlgorithmSigner, we restrict the signature
			// algorithms. If k is a AlgorithmSigner, presume it supports all
			// signature algorithms associated with the key format. If k is not
			// an AlgorithmSigner, we can only assume it only supports the
			// algorithms that matches the key format. (This means that Sign
			// can't pick a different default).
			 := .PublicKey().Type()

			switch s := .(type) {
			case MultiAlgorithmSigner:
				for ,  := range algorithmsForKeyFormat() {
					if slices.Contains(.Algorithms(), underlyingAlgo()) {
						.ServerHostKeyAlgos = append(.ServerHostKeyAlgos, )
					}
				}
			case AlgorithmSigner:
				.ServerHostKeyAlgos = append(.ServerHostKeyAlgos, algorithmsForKeyFormat()...)
			default:
				.ServerHostKeyAlgos = append(.ServerHostKeyAlgos, )
			}
		}

		if .sessionID == nil {
			.KexAlgos = append(.KexAlgos, kexStrictServer)
		}
	} else {
		.ServerHostKeyAlgos = .hostKeyAlgorithms

		// As a client we opt in to receiving SSH_MSG_EXT_INFO so we know what
		// algorithms the server supports for public key authentication. See RFC
		// 8308, Section 2.1.
		//
		// We also send the strict KEX mode extension algorithm, in order to opt
		// into the strict KEX mode.
		if  := .sessionID == nil;  {
			.KexAlgos = append(.KexAlgos, "ext-info-c")
			.KexAlgos = append(.KexAlgos, kexStrictClient)
		}

	}

	 := Marshal()

	// writePacket destroys the contents, so save a copy.
	 := make([]byte, len())
	copy(, )

	if  := .pushPacket();  != nil {
		return 
	}

	.sentInitMsg = 
	.sentInitPacket = 

	return nil
}

var errSendBannerPhase = errors.New("ssh: SendAuthBanner outside of authentication phase")

func ( *handshakeTransport) ( []byte) error {
	.mu.Lock()
	defer .mu.Unlock()

	switch [0] {
	case msgKexInit:
		return errors.New("ssh: only handshakeTransport can send kexInit")
	case msgNewKeys:
		return errors.New("ssh: only handshakeTransport can send newKeys")
	case msgUserAuthBanner:
		if .userAuthComplete {
			return errSendBannerPhase
		}
	case msgUserAuthSuccess:
		.userAuthComplete = true
	}

	if .writeError != nil {
		return .writeError
	}

	if .sentInitMsg != nil {
		if len(.pendingPackets) < maxPendingPackets {
			// Copy the packet so the writer can reuse the buffer.
			 := make([]byte, len())
			copy(, )
			.pendingPackets = append(.pendingPackets, )
			return nil
		}
		for .sentInitMsg != nil {
			// Block and wait for KEX to complete or an error.
			.writeCond.Wait()
			if .writeError != nil {
				return .writeError
			}
		}
	}

	if .writeBytesLeft > 0 {
		.writeBytesLeft -= int64(len())
	} else {
		.requestKeyExchange()
	}

	if .writePacketsLeft > 0 {
		.writePacketsLeft--
	} else {
		.requestKeyExchange()
	}

	if  := .pushPacket();  != nil {
		.writeError = 
		.writeCond.Broadcast()
	}

	return nil
}

func ( *handshakeTransport) () error {
	// Close the connection. This should cause the readLoop goroutine to wake up
	// and close t.startKex, which will shut down kexLoop if running.
	 := .conn.Close()

	// Wait for the kexLoop goroutine to complete.
	// At that point we know that the readLoop goroutine is complete too,
	// because kexLoop itself waits for readLoop to close the startKex channel.
	<-.kexLoopDone

	return 
}

func ( *handshakeTransport) ( []byte) error {
	if debugHandshake {
		log.Printf("%s entered key exchange", .id())
	}

	 := &kexInitMsg{}
	if  := Unmarshal(, );  != nil {
		return 
	}

	 := handshakeMagics{
		clientVersion: .clientVersion,
		serverVersion: .serverVersion,
		clientKexInit: ,
		serverKexInit: .sentInitPacket,
	}

	 := 
	 := .sentInitMsg
	 := len(.hostKeys) == 0
	if  {
		,  = , 

		.clientKexInit = .sentInitPacket
		.serverKexInit = 
	}

	var  error
	.algorithms,  = findAgreedAlgorithms(, , )
	if  != nil {
		return 
	}

	if .sessionID == nil && (( && slices.Contains(.KexAlgos, kexStrictServer)) || (! && slices.Contains(.KexAlgos, kexStrictClient))) {
		.strictMode = true
		if  := .conn.setStrictMode();  != nil {
			return 
		}
	}

	// We don't send FirstKexFollows, but we handle receiving it.
	//
	// RFC 4253 section 7 defines the kex and the agreement method for
	// first_kex_packet_follows. It states that the guessed packet
	// should be ignored if the "kex algorithm and/or the host
	// key algorithm is guessed wrong (server and client have
	// different preferred algorithm), or if any of the other
	// algorithms cannot be agreed upon". The other algorithms have
	// already been checked above so the kex algorithm and host key
	// algorithm are checked here.
	if .FirstKexFollows && (.KexAlgos[0] != .KexAlgos[0] || .ServerHostKeyAlgos[0] != .ServerHostKeyAlgos[0]) {
		// other side sent a kex message for the wrong algorithm,
		// which we have to ignore.
		if ,  := .conn.readPacket();  != nil {
			return 
		}
	}

	,  := kexAlgoMap[.algorithms.KeyExchange]
	if ! {
		return fmt.Errorf("ssh: unexpected key exchange algorithm %v", .algorithms.KeyExchange)
	}

	var  *kexResult
	if len(.hostKeys) > 0 {
		,  = .server(, &)
	} else {
		,  = .client(, &)
	}

	if  != nil {
		return 
	}

	 := .sessionID == nil
	if  {
		.sessionID = .H
	}
	.SessionID = .sessionID

	if  := .conn.prepareKeyChange(.algorithms, );  != nil {
		return 
	}
	if  = .conn.writePacket([]byte{msgNewKeys});  != nil {
		return 
	}

	// On the server side, after the first SSH_MSG_NEWKEYS, send a SSH_MSG_EXT_INFO
	// message with the server-sig-algs extension if the client supports it. See
	// RFC 8308, Sections 2.4 and 3.1, and [PROTOCOL], Section 1.9.
	if ! &&  && slices.Contains(.KexAlgos, "ext-info-c") {
		 := strings.Join(.publicKeyAuthAlgorithms, ",")
		 := &extInfoMsg{
			NumExtensions: 2,
			Payload:       make([]byte, 0, 4+15+4+len()+4+16+4+1),
		}
		.Payload = appendInt(.Payload, len("server-sig-algs"))
		.Payload = append(.Payload, "server-sig-algs"...)
		.Payload = appendInt(.Payload, len())
		.Payload = append(.Payload, ...)
		.Payload = appendInt(.Payload, len("ping@openssh.com"))
		.Payload = append(.Payload, "ping@openssh.com"...)
		.Payload = appendInt(.Payload, 1)
		.Payload = append(.Payload, "0"...)
		if  := .conn.writePacket(Marshal());  != nil {
			return 
		}
	}

	if ,  := .conn.readPacket();  != nil {
		return 
	} else if [0] != msgNewKeys {
		return unexpectedMessageError(msgNewKeys, [0])
	}

	if  {
		// Indicates to the transport that the first key exchange is completed
		// after receiving SSH_MSG_NEWKEYS.
		.conn.setInitialKEXDone()
	}

	return nil
}

// algorithmSignerWrapper is an AlgorithmSigner that only supports the default
// key format algorithm.
//
// This is technically a violation of the AlgorithmSigner interface, but it
// should be unreachable given where we use this. Anyway, at least it returns an
// error instead of panicing or producing an incorrect signature.
type algorithmSignerWrapper struct {
	Signer
}

func ( algorithmSignerWrapper) ( io.Reader,  []byte,  string) (*Signature, error) {
	if  != underlyingAlgo(.PublicKey().Type()) {
		return nil, errors.New("ssh: internal error: algorithmSignerWrapper invoked with non-default algorithm")
	}
	return .Sign(, )
}

func pickHostKey( []Signer,  string) AlgorithmSigner {
	for ,  := range  {
		if ,  := .(MultiAlgorithmSigner);  {
			if !slices.Contains(.Algorithms(), underlyingAlgo()) {
				continue
			}
		}

		if  == .PublicKey().Type() {
			return algorithmSignerWrapper{}
		}

		,  := .(AlgorithmSigner)
		if ! {
			continue
		}
		for ,  := range algorithmsForKeyFormat(.PublicKey().Type()) {
			if  ==  {
				return 
			}
		}
	}
	return nil
}

func ( *handshakeTransport) ( kexAlgorithm,  *handshakeMagics) (*kexResult, error) {
	 := pickHostKey(.hostKeys, .algorithms.HostKey)
	if  == nil {
		return nil, errors.New("ssh: internal error: negotiated unsupported signature type")
	}

	,  := .Server(.conn, .config.Rand, , , .algorithms.HostKey)
	return , 
}

func ( *handshakeTransport) ( kexAlgorithm,  *handshakeMagics) (*kexResult, error) {
	,  := .Client(.conn, .config.Rand, )
	if  != nil {
		return nil, 
	}

	,  := ParsePublicKey(.HostKey)
	if  != nil {
		return nil, 
	}

	if  := verifyHostKeySignature(, .algorithms.HostKey, );  != nil {
		return nil, 
	}

	 = .hostKeyCallback(.dialAddress, .remoteAddr, )
	if  != nil {
		return nil, 
	}

	return , nil
}