// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package ssh

import (
	
	
	
	
	
	
	
	
	
	

	
	
)

const (
	packetSizeMultiple = 16 // TODO(huin) this should be determined by the cipher.

	// RFC 4253 section 6.1 defines a minimum packet size of 32768 that implementations
	// MUST be able to process (plus a few more kilobytes for padding and mac). The RFC
	// indicates implementations SHOULD be able to handle larger packet sizes, but then
	// waffles on about reasonable limits.
	//
	// OpenSSH caps their maxPacket at 256kB so we choose to do
	// the same. maxPacket is also used to ensure that uint32
	// length fields do not overflow, so it should remain well
	// below 4G.
	maxPacket = 256 * 1024
)

// noneCipher implements cipher.Stream and provides no encryption. It is used
// by the transport before the first key-exchange.
type noneCipher struct{}

func ( noneCipher) (,  []byte) {
	copy(, )
}

func newAESCTR(,  []byte) (cipher.Stream, error) {
	,  := aes.NewCipher()
	if  != nil {
		return nil, 
	}
	return cipher.NewCTR(, ), nil
}

func newRC4(,  []byte) (cipher.Stream, error) {
	return rc4.NewCipher()
}

type cipherMode struct {
	keySize int
	ivSize  int
	create  func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error)
}

func streamCipherMode( int,  func(,  []byte) (cipher.Stream, error)) func(,  []byte,  []byte,  directionAlgorithms) (packetCipher, error) {
	return func(, ,  []byte,  directionAlgorithms) (packetCipher, error) {
		,  := (, )
		if  != nil {
			return nil, 
		}

		var  []byte
		if  > 0 {
			 = make([]byte, 512)
		}

		for  := ;  > 0; {
			 := 
			if  > len() {
				 = len()
			}
			.XORKeyStream([:], [:])
			 -= 
		}

		 := macModes[.MAC].new()
		return &streamPacketCipher{
			mac:       ,
			etm:       macModes[.MAC].etm,
			macResult: make([]byte, .Size()),
			cipher:    ,
		}, nil
	}
}

// cipherModes documents properties of supported ciphers. Ciphers not included
// are not supported and will not be negotiated, even if explicitly requested in
// ClientConfig.Crypto.Ciphers.
var cipherModes = map[string]*cipherMode{
	// Ciphers from RFC 4344, which introduced many CTR-based ciphers. Algorithms
	// are defined in the order specified in the RFC.
	"aes128-ctr": {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
	"aes192-ctr": {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
	"aes256-ctr": {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},

	// Ciphers from RFC 4345, which introduces security-improved arcfour ciphers.
	// They are defined in the order specified in the RFC.
	"arcfour128": {16, 0, streamCipherMode(1536, newRC4)},
	"arcfour256": {32, 0, streamCipherMode(1536, newRC4)},

	// Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
	// Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
	// RC4) has problems with weak keys, and should be used with caution."
	// RFC 4345 introduces improved versions of Arcfour.
	"arcfour": {16, 0, streamCipherMode(0, newRC4)},

	// AEAD ciphers
	gcm128CipherID:     {16, 12, newGCMCipher},
	gcm256CipherID:     {32, 12, newGCMCipher},
	chacha20Poly1305ID: {64, 0, newChaCha20Cipher},

	// CBC mode is insecure and so is not included in the default config.
	// (See https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf). If absolutely
	// needed, it's possible to specify a custom Config to enable it.
	// You should expect that an active attacker can recover plaintext if
	// you do.
	aes128cbcID: {16, aes.BlockSize, newAESCBCCipher},

	// 3des-cbc is insecure and is not included in the default
	// config.
	tripledescbcID: {24, des.BlockSize, newTripleDESCBCCipher},
}

// prefixLen is the length of the packet prefix that contains the packet length
// and number of padding bytes.
const prefixLen = 5

// streamPacketCipher is a packetCipher using a stream cipher.
type streamPacketCipher struct {
	mac    hash.Hash
	cipher cipher.Stream
	etm    bool

	// The following members are to avoid per-packet allocations.
	prefix      [prefixLen]byte
	seqNumBytes [4]byte
	padding     [2 * packetSizeMultiple]byte
	packetData  []byte
	macResult   []byte
}

// readCipherPacket reads and decrypt a single packet from the reader argument.
func ( *streamPacketCipher) ( uint32,  io.Reader) ([]byte, error) {
	if ,  := io.ReadFull(, .prefix[:]);  != nil {
		return nil, 
	}

	var  [1]byte
	if .mac != nil && .etm {
		copy([:], .prefix[4:5])
		.cipher.XORKeyStream(.prefix[4:5], .prefix[4:5])
	} else {
		.cipher.XORKeyStream(.prefix[:], .prefix[:])
	}

	 := binary.BigEndian.Uint32(.prefix[0:4])
	 := uint32(.prefix[4])

	var  uint32
	if .mac != nil {
		.mac.Reset()
		binary.BigEndian.PutUint32(.seqNumBytes[:], )
		.mac.Write(.seqNumBytes[:])
		if .etm {
			.mac.Write(.prefix[:4])
			.mac.Write([:])
		} else {
			.mac.Write(.prefix[:])
		}
		 = uint32(.mac.Size())
	}

	if  <= +1 {
		return nil, errors.New("ssh: invalid packet length, packet too small")
	}

	if  > maxPacket {
		return nil, errors.New("ssh: invalid packet length, packet too large")
	}

	// the maxPacket check above ensures that length-1+macSize
	// does not overflow.
	if uint32(cap(.packetData)) < -1+ {
		.packetData = make([]byte, -1+)
	} else {
		.packetData = .packetData[:-1+]
	}

	if ,  := io.ReadFull(, .packetData);  != nil {
		return nil, 
	}
	 := .packetData[-1:]
	 := .packetData[:-1]

	if .mac != nil && .etm {
		.mac.Write()
	}

	.cipher.XORKeyStream(, )

	if .mac != nil {
		if !.etm {
			.mac.Write()
		}
		.macResult = .mac.Sum(.macResult[:0])
		if subtle.ConstantTimeCompare(.macResult, ) != 1 {
			return nil, errors.New("ssh: MAC failure")
		}
	}

	return .packetData[:--1], nil
}

// writeCipherPacket encrypts and sends a packet of data to the writer argument
func ( *streamPacketCipher) ( uint32,  io.Writer,  io.Reader,  []byte) error {
	if len() > maxPacket {
		return errors.New("ssh: packet too large")
	}

	 := 0
	if .mac != nil && .etm {
		// packet length is not encrypted for EtM modes
		 = 4
	}

	 := packetSizeMultiple - (prefixLen+len()-)%packetSizeMultiple
	if  < 4 {
		 += packetSizeMultiple
	}

	 := len() + 1 + 
	binary.BigEndian.PutUint32(.prefix[:], uint32())
	.prefix[4] = byte()
	 := .padding[:]
	if ,  := io.ReadFull(, );  != nil {
		return 
	}

	if .mac != nil {
		.mac.Reset()
		binary.BigEndian.PutUint32(.seqNumBytes[:], )
		.mac.Write(.seqNumBytes[:])

		if .etm {
			// For EtM algorithms, the packet length must stay unencrypted,
			// but the following data (padding length) must be encrypted
			.cipher.XORKeyStream(.prefix[4:5], .prefix[4:5])
		}

		.mac.Write(.prefix[:])

		if !.etm {
			// For non-EtM algorithms, the algorithm is applied on unencrypted data
			.mac.Write()
			.mac.Write()
		}
	}

	if !(.mac != nil && .etm) {
		// For EtM algorithms, the padding length has already been encrypted
		// and the packet length must remain unencrypted
		.cipher.XORKeyStream(.prefix[:], .prefix[:])
	}

	.cipher.XORKeyStream(, )
	.cipher.XORKeyStream(, )

	if .mac != nil && .etm {
		// For EtM algorithms, packet and padding must be encrypted
		.mac.Write()
		.mac.Write()
	}

	if ,  := .Write(.prefix[:]);  != nil {
		return 
	}
	if ,  := .Write();  != nil {
		return 
	}
	if ,  := .Write();  != nil {
		return 
	}

	if .mac != nil {
		.macResult = .mac.Sum(.macResult[:0])
		if ,  := .Write(.macResult);  != nil {
			return 
		}
	}

	return nil
}

type gcmCipher struct {
	aead   cipher.AEAD
	prefix [4]byte
	iv     []byte
	buf    []byte
}

func newGCMCipher(, ,  []byte,  directionAlgorithms) (packetCipher, error) {
	,  := aes.NewCipher()
	if  != nil {
		return nil, 
	}

	,  := cipher.NewGCM()
	if  != nil {
		return nil, 
	}

	return &gcmCipher{
		aead: ,
		iv:   ,
	}, nil
}

const gcmTagSize = 16

func ( *gcmCipher) ( uint32,  io.Writer,  io.Reader,  []byte) error {
	// Pad out to multiple of 16 bytes. This is different from the
	// stream cipher because that encrypts the length too.
	 := byte(packetSizeMultiple - (1+len())%packetSizeMultiple)
	if  < 4 {
		 += packetSizeMultiple
	}

	 := uint32(len() + int() + 1)
	binary.BigEndian.PutUint32(.prefix[:], )
	if ,  := .Write(.prefix[:]);  != nil {
		return 
	}

	if cap(.buf) < int() {
		.buf = make([]byte, )
	} else {
		.buf = .buf[:]
	}

	.buf[0] = 
	copy(.buf[1:], )
	if ,  := io.ReadFull(, .buf[1+len():]);  != nil {
		return 
	}
	.buf = .aead.Seal(.buf[:0], .iv, .buf, .prefix[:])
	if ,  := .Write(.buf);  != nil {
		return 
	}
	.incIV()

	return nil
}

func ( *gcmCipher) () {
	for  := 4 + 7;  >= 4; -- {
		.iv[]++
		if .iv[] != 0 {
			break
		}
	}
}

func ( *gcmCipher) ( uint32,  io.Reader) ([]byte, error) {
	if ,  := io.ReadFull(, .prefix[:]);  != nil {
		return nil, 
	}
	 := binary.BigEndian.Uint32(.prefix[:])
	if  > maxPacket {
		return nil, errors.New("ssh: max packet length exceeded")
	}

	if cap(.buf) < int(+gcmTagSize) {
		.buf = make([]byte, +gcmTagSize)
	} else {
		.buf = .buf[:+gcmTagSize]
	}

	if ,  := io.ReadFull(, .buf);  != nil {
		return nil, 
	}

	,  := .aead.Open(.buf[:0], .iv, .buf, .prefix[:])
	if  != nil {
		return nil, 
	}
	.incIV()

	if len() == 0 {
		return nil, errors.New("ssh: empty packet")
	}

	 := [0]
	if  < 4 {
		// padding is a byte, so it automatically satisfies
		// the maximum size, which is 255.
		return nil, fmt.Errorf("ssh: illegal padding %d", )
	}

	if int(+1) >= len() {
		return nil, fmt.Errorf("ssh: padding %d too large", )
	}
	 = [1 : -uint32()]
	return , nil
}

// cbcCipher implements aes128-cbc cipher defined in RFC 4253 section 6.1
type cbcCipher struct {
	mac       hash.Hash
	macSize   uint32
	decrypter cipher.BlockMode
	encrypter cipher.BlockMode

	// The following members are to avoid per-packet allocations.
	seqNumBytes [4]byte
	packetData  []byte
	macResult   []byte

	// Amount of data we should still read to hide which
	// verification error triggered.
	oracleCamouflage uint32
}

func newCBCCipher( cipher.Block, , ,  []byte,  directionAlgorithms) (packetCipher, error) {
	 := &cbcCipher{
		mac:        macModes[.MAC].new(),
		decrypter:  cipher.NewCBCDecrypter(, ),
		encrypter:  cipher.NewCBCEncrypter(, ),
		packetData: make([]byte, 1024),
	}
	if .mac != nil {
		.macSize = uint32(.mac.Size())
	}

	return , nil
}

func newAESCBCCipher(, ,  []byte,  directionAlgorithms) (packetCipher, error) {
	,  := aes.NewCipher()
	if  != nil {
		return nil, 
	}

	,  := newCBCCipher(, , , , )
	if  != nil {
		return nil, 
	}

	return , nil
}

func newTripleDESCBCCipher(, ,  []byte,  directionAlgorithms) (packetCipher, error) {
	,  := des.NewTripleDESCipher()
	if  != nil {
		return nil, 
	}

	,  := newCBCCipher(, , , , )
	if  != nil {
		return nil, 
	}

	return , nil
}

func maxUInt32(,  int) uint32 {
	if  >  {
		return uint32()
	}
	return uint32()
}

const (
	cbcMinPacketSizeMultiple = 8
	cbcMinPacketSize         = 16
	cbcMinPaddingSize        = 4
)

// cbcError represents a verification error that may leak information.
type cbcError string

func ( cbcError) () string { return string() }

func ( *cbcCipher) ( uint32,  io.Reader) ([]byte, error) {
	,  := .readCipherPacketLeaky(, )
	if  != nil {
		if ,  := .(cbcError);  {
			// Verification error: read a fixed amount of
			// data, to make distinguishing between
			// failing MAC and failing length check more
			// difficult.
			io.CopyN(io.Discard, , int64(.oracleCamouflage))
		}
	}
	return , 
}

func ( *cbcCipher) ( uint32,  io.Reader) ([]byte, error) {
	 := .decrypter.BlockSize()

	// Read the header, which will include some of the subsequent data in the
	// case of block ciphers - this is copied back to the payload later.
	// How many bytes of payload/padding will be read with this first read.
	 := uint32((prefixLen +  - 1) /  * )
	 := .packetData[:]
	if ,  := io.ReadFull(, );  != nil {
		return nil, 
	}

	.oracleCamouflage = maxPacket + 4 + .macSize - 

	.decrypter.CryptBlocks(, )
	 := binary.BigEndian.Uint32([:4])
	if  > maxPacket {
		return nil, cbcError("ssh: packet too large")
	}
	if +4 < maxUInt32(cbcMinPacketSize, ) {
		// The minimum size of a packet is 16 (or the cipher block size, whichever
		// is larger) bytes.
		return nil, cbcError("ssh: packet too small")
	}
	// The length of the packet (including the length field but not the MAC) must
	// be a multiple of the block size or 8, whichever is larger.
	if (+4)%maxUInt32(cbcMinPacketSizeMultiple, ) != 0 {
		return nil, cbcError("ssh: invalid packet length multiple")
	}

	 := uint32([4])
	if  < cbcMinPaddingSize ||  <= +1 {
		return nil, cbcError("ssh: invalid packet length")
	}

	// Positions within the c.packetData buffer:
	 := 4 + 
	 :=  - 

	// Entire packet size, starting before length, ending at end of mac.
	 :=  + .macSize

	// Ensure c.packetData is large enough for the entire packet data.
	if uint32(cap(.packetData)) <  {
		// Still need to upsize and copy, but this should be rare at runtime, only
		// on upsizing the packetData buffer.
		.packetData = make([]byte, )
		copy(.packetData, )
	} else {
		.packetData = .packetData[:]
	}

	,  := io.ReadFull(, .packetData[:])
	if  != nil {
		return nil, 
	}
	.oracleCamouflage -= uint32()

	 := .packetData[:]
	.decrypter.CryptBlocks(, )

	 := .packetData[:]
	if .mac != nil {
		.mac.Reset()
		binary.BigEndian.PutUint32(.seqNumBytes[:], )
		.mac.Write(.seqNumBytes[:])
		.mac.Write(.packetData[:])
		.macResult = .mac.Sum(.macResult[:0])
		if subtle.ConstantTimeCompare(.macResult, ) != 1 {
			return nil, cbcError("ssh: MAC failure")
		}
	}

	return .packetData[prefixLen:], nil
}

func ( *cbcCipher) ( uint32,  io.Writer,  io.Reader,  []byte) error {
	 := maxUInt32(cbcMinPacketSizeMultiple, .encrypter.BlockSize())

	// Length of encrypted portion of the packet (header, payload, padding).
	// Enforce minimum padding and packet size.
	 := maxUInt32(prefixLen+len()+cbcMinPaddingSize, cbcMinPaddingSize)
	// Enforce block size.
	 = ( +  - 1) /  * 

	 :=  - 4
	 := int() - (1 + len())

	// Overall buffer contains: header, payload, padding, mac.
	// Space for the MAC is reserved in the capacity but not the slice length.
	 :=  + .macSize
	if uint32(cap(.packetData)) <  {
		.packetData = make([]byte, , )
	} else {
		.packetData = .packetData[:]
	}

	 := .packetData

	// Packet header.
	binary.BigEndian.PutUint32(, )
	 = [4:]
	[0] = byte()

	// Payload.
	 = [1:]
	copy(, )

	// Padding.
	 = [len():]
	if ,  := io.ReadFull(, );  != nil {
		return 
	}

	if .mac != nil {
		.mac.Reset()
		binary.BigEndian.PutUint32(.seqNumBytes[:], )
		.mac.Write(.seqNumBytes[:])
		.mac.Write(.packetData)
		// The MAC is now appended into the capacity reserved for it earlier.
		.packetData = .mac.Sum(.packetData)
	}

	.encrypter.CryptBlocks(.packetData[:], .packetData[:])

	if ,  := .Write(.packetData);  != nil {
		return 
	}

	return nil
}

const chacha20Poly1305ID = "chacha20-poly1305@openssh.com"

// chacha20Poly1305Cipher implements the chacha20-poly1305@openssh.com
// AEAD, which is described here:
//
//	https://tools.ietf.org/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00
//
// the methods here also implement padding, which RFC 4253 Section 6
// also requires of stream ciphers.
type chacha20Poly1305Cipher struct {
	lengthKey  [32]byte
	contentKey [32]byte
	buf        []byte
}

func newChaCha20Cipher(, ,  []byte,  directionAlgorithms) (packetCipher, error) {
	if len() != 64 {
		panic(len())
	}

	 := &chacha20Poly1305Cipher{
		buf: make([]byte, 256),
	}

	copy(.contentKey[:], [:32])
	copy(.lengthKey[:], [32:])
	return , nil
}

func ( *chacha20Poly1305Cipher) ( uint32,  io.Reader) ([]byte, error) {
	 := make([]byte, 12)
	binary.BigEndian.PutUint32([8:], )
	,  := chacha20.NewUnauthenticatedCipher(.contentKey[:], )
	if  != nil {
		return nil, 
	}
	var ,  [32]byte
	.XORKeyStream([:], [:])
	.XORKeyStream([:], [:]) // skip the next 32 bytes

	 := .buf[:4]
	if ,  := io.ReadFull(, );  != nil {
		return nil, 
	}

	var  [4]byte
	,  := chacha20.NewUnauthenticatedCipher(.lengthKey[:], )
	if  != nil {
		return nil, 
	}
	.XORKeyStream([:], )

	 := binary.BigEndian.Uint32([:])
	if  > maxPacket {
		return nil, errors.New("ssh: invalid packet length, packet too large")
	}

	 := 4 + 
	 :=  + poly1305.TagSize
	if uint32(cap(.buf)) <  {
		.buf = make([]byte, )
		copy(.buf[:], )
	} else {
		.buf = .buf[:]
	}

	if ,  := io.ReadFull(, .buf[4:]);  != nil {
		return nil, 
	}

	var  [poly1305.TagSize]byte
	copy([:], .buf[:])
	if !poly1305.Verify(&, .buf[:], &) {
		return nil, errors.New("ssh: MAC failure")
	}

	 := .buf[4:]
	.XORKeyStream(, )

	if len() == 0 {
		return nil, errors.New("ssh: empty packet")
	}

	 := [0]
	if  < 4 {
		// padding is a byte, so it automatically satisfies
		// the maximum size, which is 255.
		return nil, fmt.Errorf("ssh: illegal padding %d", )
	}

	if int()+1 >= len() {
		return nil, fmt.Errorf("ssh: padding %d too large", )
	}

	 = [1 : len()-int()]

	return , nil
}

func ( *chacha20Poly1305Cipher) ( uint32,  io.Writer,  io.Reader,  []byte) error {
	 := make([]byte, 12)
	binary.BigEndian.PutUint32([8:], )
	,  := chacha20.NewUnauthenticatedCipher(.contentKey[:], )
	if  != nil {
		return 
	}
	var ,  [32]byte
	.XORKeyStream([:], [:])
	.XORKeyStream([:], [:]) // skip the next 32 bytes

	// There is no blocksize, so fall back to multiple of 8 byte
	// padding, as described in RFC 4253, Sec 6.
	const  = 8

	 :=  - (1+len())%
	if  < 4 {
		 += 
	}

	// size (4 bytes), padding (1), payload, padding, tag.
	 := 4 + 1 + len() +  + poly1305.TagSize
	if cap(.buf) <  {
		.buf = make([]byte, )
	} else {
		.buf = .buf[:]
	}

	binary.BigEndian.PutUint32(.buf, uint32(1+len()+))
	,  := chacha20.NewUnauthenticatedCipher(.lengthKey[:], )
	if  != nil {
		return 
	}
	.XORKeyStream(.buf, .buf[:4])
	.buf[4] = byte()
	copy(.buf[5:], )
	 := 5 + len() + 
	if ,  := io.ReadFull(, .buf[5+len():]);  != nil {
		return 
	}

	.XORKeyStream(.buf[4:], .buf[4:])

	var  [poly1305.TagSize]byte
	poly1305.Sum(&, .buf[:], &)

	copy(.buf[:], [:])

	if ,  := .Write(.buf);  != nil {
		return 
	}
	return nil
}