diff --git a/acme/version_go112.go b/acme/version_go112.go
index b9efdb59e5..cc5fab604b 100644
--- a/acme/version_go112.go
+++ b/acme/version_go112.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build go1.12
-// +build go1.12
package acme
diff --git a/argon2/blamka_amd64.go b/argon2/blamka_amd64.go
index a014ac92aa..063e7784f8 100644
--- a/argon2/blamka_amd64.go
+++ b/argon2/blamka_amd64.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build amd64 && gc && !purego
-// +build amd64,gc,!purego
package argon2
diff --git a/argon2/blamka_amd64.s b/argon2/blamka_amd64.s
index b2cc051504..6713accac0 100644
--- a/argon2/blamka_amd64.s
+++ b/argon2/blamka_amd64.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build amd64 && gc && !purego
-// +build amd64,gc,!purego
#include "textflag.h"
@@ -200,8 +199,8 @@ TEXT ·mixBlocksSSE2(SB), 4, $0-32
MOVQ out+0(FP), DX
MOVQ a+8(FP), AX
MOVQ b+16(FP), BX
- MOVQ a+24(FP), CX
- MOVQ $128, BP
+ MOVQ c+24(FP), CX
+ MOVQ $128, DI
loop:
MOVOU 0(AX), X0
@@ -214,7 +213,7 @@ loop:
ADDQ $16, BX
ADDQ $16, CX
ADDQ $16, DX
- SUBQ $2, BP
+ SUBQ $2, DI
JA loop
RET
@@ -223,8 +222,8 @@ TEXT ·xorBlocksSSE2(SB), 4, $0-32
MOVQ out+0(FP), DX
MOVQ a+8(FP), AX
MOVQ b+16(FP), BX
- MOVQ a+24(FP), CX
- MOVQ $128, BP
+ MOVQ c+24(FP), CX
+ MOVQ $128, DI
loop:
MOVOU 0(AX), X0
@@ -239,6 +238,6 @@ loop:
ADDQ $16, BX
ADDQ $16, CX
ADDQ $16, DX
- SUBQ $2, BP
+ SUBQ $2, DI
JA loop
RET
diff --git a/argon2/blamka_ref.go b/argon2/blamka_ref.go
index 167c59d2d5..16d58c650e 100644
--- a/argon2/blamka_ref.go
+++ b/argon2/blamka_ref.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build !amd64 || purego || !gc
-// +build !amd64 purego !gc
package argon2
diff --git a/blake2b/blake2bAVX2_amd64.go b/blake2b/blake2bAVX2_amd64.go
index 56bfaaa17d..199c21d27a 100644
--- a/blake2b/blake2bAVX2_amd64.go
+++ b/blake2b/blake2bAVX2_amd64.go
@@ -2,8 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build go1.7 && amd64 && gc && !purego
-// +build go1.7,amd64,gc,!purego
+//go:build amd64 && gc && !purego
package blake2b
diff --git a/blake2b/blake2bAVX2_amd64.s b/blake2b/blake2bAVX2_amd64.s
index 4b9daa18d9..9ae8206c20 100644
--- a/blake2b/blake2bAVX2_amd64.s
+++ b/blake2b/blake2bAVX2_amd64.s
@@ -2,8 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build go1.7 && amd64 && gc && !purego
-// +build go1.7,amd64,gc,!purego
+//go:build amd64 && gc && !purego
#include "textflag.h"
diff --git a/blake2b/blake2b_amd64.go b/blake2b/blake2b_amd64.go
deleted file mode 100644
index 5fa1b32841..0000000000
--- a/blake2b/blake2b_amd64.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.7 && amd64 && gc && !purego
-// +build !go1.7,amd64,gc,!purego
-
-package blake2b
-
-import "golang.org/x/sys/cpu"
-
-func init() {
- useSSE4 = cpu.X86.HasSSE41
-}
-
-//go:noescape
-func hashBlocksSSE4(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)
-
-func hashBlocks(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) {
- if useSSE4 {
- hashBlocksSSE4(h, c, flag, blocks)
- } else {
- hashBlocksGeneric(h, c, flag, blocks)
- }
-}
diff --git a/blake2b/blake2b_amd64.s b/blake2b/blake2b_amd64.s
index ae75eb9afc..adfac00c15 100644
--- a/blake2b/blake2b_amd64.s
+++ b/blake2b/blake2b_amd64.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build amd64 && gc && !purego
-// +build amd64,gc,!purego
#include "textflag.h"
diff --git a/blake2b/blake2b_ref.go b/blake2b/blake2b_ref.go
index b0137cdf02..6e28668cd1 100644
--- a/blake2b/blake2b_ref.go
+++ b/blake2b/blake2b_ref.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build !amd64 || purego || !gc
-// +build !amd64 purego !gc
package blake2b
diff --git a/blake2b/register.go b/blake2b/register.go
index 9d8633963c..54e446e1d2 100644
--- a/blake2b/register.go
+++ b/blake2b/register.go
@@ -2,9 +2,6 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build go1.9
-// +build go1.9
-
package blake2b
import (
diff --git a/blake2s/blake2s_386.go b/blake2s/blake2s_386.go
index b4463fb4dc..97f629617e 100644
--- a/blake2s/blake2s_386.go
+++ b/blake2s/blake2s_386.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build 386 && gc && !purego
-// +build 386,gc,!purego
package blake2s
diff --git a/blake2s/blake2s_386.s b/blake2s/blake2s_386.s
index 603d00ca32..919c026541 100644
--- a/blake2s/blake2s_386.s
+++ b/blake2s/blake2s_386.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build 386 && gc && !purego
-// +build 386,gc,!purego
#include "textflag.h"
diff --git a/blake2s/blake2s_amd64.go b/blake2s/blake2s_amd64.go
index becdaa120f..8a7310254e 100644
--- a/blake2s/blake2s_amd64.go
+++ b/blake2s/blake2s_amd64.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build amd64 && gc && !purego
-// +build amd64,gc,!purego
package blake2s
diff --git a/blake2s/blake2s_amd64.s b/blake2s/blake2s_amd64.s
index e9df7a7c21..fe4b818a33 100644
--- a/blake2s/blake2s_amd64.s
+++ b/blake2s/blake2s_amd64.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build amd64 && gc && !purego
-// +build amd64,gc,!purego
#include "textflag.h"
diff --git a/blake2s/blake2s_ref.go b/blake2s/blake2s_ref.go
index 799dba0c41..38ce8e283f 100644
--- a/blake2s/blake2s_ref.go
+++ b/blake2s/blake2s_ref.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build (!amd64 && !386) || !gc || purego
-// +build !amd64,!386 !gc purego
package blake2s
diff --git a/blake2s/register.go b/blake2s/register.go
index ef79ff3c67..3156148a42 100644
--- a/blake2s/register.go
+++ b/blake2s/register.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build go1.9
-// +build go1.9
package blake2s
diff --git a/chacha20/chacha_arm64.go b/chacha20/chacha_arm64.go
index 94c71ac1ac..661ea132e0 100644
--- a/chacha20/chacha_arm64.go
+++ b/chacha20/chacha_arm64.go
@@ -2,8 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build go1.11 && gc && !purego
-// +build go1.11,gc,!purego
+//go:build gc && !purego
package chacha20
diff --git a/chacha20/chacha_arm64.s b/chacha20/chacha_arm64.s
index 63cae9e6f0..7dd2638e88 100644
--- a/chacha20/chacha_arm64.s
+++ b/chacha20/chacha_arm64.s
@@ -2,8 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build go1.11 && gc && !purego
-// +build go1.11,gc,!purego
+//go:build gc && !purego
#include "textflag.h"
diff --git a/chacha20/chacha_noasm.go b/chacha20/chacha_noasm.go
index 025b49897e..db42e6676a 100644
--- a/chacha20/chacha_noasm.go
+++ b/chacha20/chacha_noasm.go
@@ -2,8 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build (!arm64 && !s390x && !ppc64le) || (arm64 && !go1.11) || !gc || purego
-// +build !arm64,!s390x,!ppc64le arm64,!go1.11 !gc purego
+//go:build (!arm64 && !s390x && !ppc64le) || !gc || purego
package chacha20
diff --git a/chacha20/chacha_ppc64le.go b/chacha20/chacha_ppc64le.go
index da420b2e97..3a4287f990 100644
--- a/chacha20/chacha_ppc64le.go
+++ b/chacha20/chacha_ppc64le.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
package chacha20
diff --git a/chacha20/chacha_ppc64le.s b/chacha20/chacha_ppc64le.s
index 5c0fed26f8..66aebae258 100644
--- a/chacha20/chacha_ppc64le.s
+++ b/chacha20/chacha_ppc64le.s
@@ -20,7 +20,6 @@
// due to the calling conventions and initialization of constants.
//go:build gc && !purego
-// +build gc,!purego
#include "textflag.h"
diff --git a/chacha20/chacha_s390x.go b/chacha20/chacha_s390x.go
index 4652247b8a..683ccfd1c3 100644
--- a/chacha20/chacha_s390x.go
+++ b/chacha20/chacha_s390x.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
package chacha20
diff --git a/chacha20/chacha_s390x.s b/chacha20/chacha_s390x.s
index f3ef5a019d..1eda91a3d4 100644
--- a/chacha20/chacha_s390x.s
+++ b/chacha20/chacha_s390x.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
#include "go_asm.h"
#include "textflag.h"
diff --git a/chacha20poly1305/chacha20poly1305_amd64.go b/chacha20poly1305/chacha20poly1305_amd64.go
index 0c408c5709..50695a14f6 100644
--- a/chacha20poly1305/chacha20poly1305_amd64.go
+++ b/chacha20poly1305/chacha20poly1305_amd64.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
package chacha20poly1305
diff --git a/chacha20poly1305/chacha20poly1305_amd64.s b/chacha20poly1305/chacha20poly1305_amd64.s
index 867c181a14..731d2ac6db 100644
--- a/chacha20poly1305/chacha20poly1305_amd64.s
+++ b/chacha20poly1305/chacha20poly1305_amd64.s
@@ -5,7 +5,6 @@
// This file was originally from https://golang.org/cl/24717 by Vlad Krasnov of CloudFlare.
//go:build gc && !purego
-// +build gc,!purego
#include "textflag.h"
// General register allocation
@@ -184,11 +183,31 @@ GLOBL ·andMask<>(SB), (NOPTR+RODATA), $240
#define shiftD1Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xd2; BYTE $0x04 // PALIGNR $4, X10, X10
#define shiftD2Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xdb; BYTE $0x04 // PALIGNR $4, X11, X11
#define shiftD3Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xff; BYTE $0x04 // PALIGNR $4, X15, X15
+
// Some macros
+
+// ROL rotates the uint32s in register R left by N bits, using temporary T.
+#define ROL(N, R, T) \
+ MOVO R, T; PSLLL $(N), T; PSRLL $(32-(N)), R; PXOR T, R
+
+// ROL16 rotates the uint32s in register R left by 16, using temporary T if needed.
+#ifdef GOAMD64_v2
+#define ROL16(R, T) PSHUFB ·rol16<>(SB), R
+#else
+#define ROL16(R, T) ROL(16, R, T)
+#endif
+
+// ROL8 rotates the uint32s in register R left by 8, using temporary T if needed.
+#ifdef GOAMD64_v2
+#define ROL8(R, T) PSHUFB ·rol8<>(SB), R
+#else
+#define ROL8(R, T) ROL(8, R, T)
+#endif
+
#define chachaQR(A, B, C, D, T) \
- PADDD B, A; PXOR A, D; PSHUFB ·rol16<>(SB), D \
+ PADDD B, A; PXOR A, D; ROL16(D, T) \
PADDD D, C; PXOR C, B; MOVO B, T; PSLLL $12, T; PSRLL $20, B; PXOR T, B \
- PADDD B, A; PXOR A, D; PSHUFB ·rol8<>(SB), D \
+ PADDD B, A; PXOR A, D; ROL8(D, T) \
PADDD D, C; PXOR C, B; MOVO B, T; PSLLL $7, T; PSRLL $25, B; PXOR T, B
#define chachaQR_AVX2(A, B, C, D, T) \
diff --git a/chacha20poly1305/chacha20poly1305_noasm.go b/chacha20poly1305/chacha20poly1305_noasm.go
index f832b33d45..34e6ab1df8 100644
--- a/chacha20poly1305/chacha20poly1305_noasm.go
+++ b/chacha20poly1305/chacha20poly1305_noasm.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build !amd64 || !gc || purego
-// +build !amd64 !gc purego
package chacha20poly1305
diff --git a/cryptobyte/asn1.go b/cryptobyte/asn1.go
index 6fc2838a3f..2492f796af 100644
--- a/cryptobyte/asn1.go
+++ b/cryptobyte/asn1.go
@@ -733,13 +733,14 @@ func (s *String) ReadOptionalASN1OctetString(out *[]byte, outPresent *bool, tag
return true
}
-// ReadOptionalASN1Boolean sets *out to the value of the next ASN.1 BOOLEAN or,
-// if the next bytes are not an ASN.1 BOOLEAN, to the value of defaultValue.
-// It reports whether the operation was successful.
-func (s *String) ReadOptionalASN1Boolean(out *bool, defaultValue bool) bool {
+// ReadOptionalASN1Boolean attempts to read an optional ASN.1 BOOLEAN
+// explicitly tagged with tag into out and advances. If no element with a
+// matching tag is present, it sets "out" to defaultValue instead. It reports
+// whether the read was successful.
+func (s *String) ReadOptionalASN1Boolean(out *bool, tag asn1.Tag, defaultValue bool) bool {
var present bool
var child String
- if !s.ReadOptionalASN1(&child, &present, asn1.BOOLEAN) {
+ if !s.ReadOptionalASN1(&child, &present, tag) {
return false
}
@@ -748,7 +749,7 @@ func (s *String) ReadOptionalASN1Boolean(out *bool, defaultValue bool) bool {
return true
}
- return s.ReadASN1Boolean(out)
+ return child.ReadASN1Boolean(out)
}
func (s *String) readASN1(out *String, outTag *asn1.Tag, skipHeader bool) bool {
diff --git a/cryptobyte/asn1_test.go b/cryptobyte/asn1_test.go
index e3f53a932e..93760b06e9 100644
--- a/cryptobyte/asn1_test.go
+++ b/cryptobyte/asn1_test.go
@@ -115,6 +115,28 @@ func TestReadASN1OptionalInteger(t *testing.T) {
}
}
+const defaultBool = false
+
+var optionalBoolTestData = []readASN1Test{
+ {"empty", []byte{}, 0xa0, true, false},
+ {"invalid", []byte{0xa1, 0x3, 0x1, 0x2, 0x7f}, 0xa1, false, defaultBool},
+ {"missing", []byte{0xa1, 0x3, 0x1, 0x1, 0x7f}, 0xa0, true, defaultBool},
+ {"present", []byte{0xa1, 0x3, 0x1, 0x1, 0xff}, 0xa1, true, true},
+}
+
+func TestReadASN1OptionalBoolean(t *testing.T) {
+ for _, test := range optionalBoolTestData {
+ t.Run(test.name, func(t *testing.T) {
+ in := String(test.in)
+ var out bool
+ ok := in.ReadOptionalASN1Boolean(&out, test.tag, defaultBool)
+ if ok != test.ok || ok && out != test.out.(bool) {
+ t.Errorf("in.ReadOptionalASN1Boolean() = %v, want %v; out = %v, want %v", ok, test.ok, out, test.out)
+ }
+ })
+ }
+}
+
func TestReadASN1IntegerSigned(t *testing.T) {
testData64 := []struct {
in []byte
diff --git a/cryptobyte/builder.go b/cryptobyte/builder.go
index c05ac7d16d..cf254f5f1e 100644
--- a/cryptobyte/builder.go
+++ b/cryptobyte/builder.go
@@ -95,6 +95,11 @@ func (b *Builder) AddUint32(v uint32) {
b.add(byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
}
+// AddUint48 appends a big-endian, 48-bit value to the byte string.
+func (b *Builder) AddUint48(v uint64) {
+ b.add(byte(v>>40), byte(v>>32), byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
+}
+
// AddUint64 appends a big-endian, 64-bit value to the byte string.
func (b *Builder) AddUint64(v uint64) {
b.add(byte(v>>56), byte(v>>48), byte(v>>40), byte(v>>32), byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
diff --git a/cryptobyte/cryptobyte_test.go b/cryptobyte/cryptobyte_test.go
index dc90e81fa9..9b55d52e32 100644
--- a/cryptobyte/cryptobyte_test.go
+++ b/cryptobyte/cryptobyte_test.go
@@ -179,6 +179,27 @@ func TestUint32(t *testing.T) {
}
}
+func TestUint48(t *testing.T) {
+ var b Builder
+ var u uint64 = 0xfefcff3cfdfc
+ b.AddUint48(u)
+ if err := builderBytesEq(&b, 254, 252, 255, 60, 253, 252); err != nil {
+ t.Error(err)
+ }
+
+ var s String = b.BytesOrPanic()
+ var v uint64
+ if !s.ReadUint48(&v) {
+ t.Error("ReadUint48() = false, want true")
+ }
+ if v != u {
+ t.Errorf("v = %x, want %x", v, u)
+ }
+ if len(s) != 0 {
+ t.Errorf("len(s) = %d, want 0", len(s))
+ }
+}
+
func TestUint64(t *testing.T) {
var b Builder
b.AddUint64(0xf2fefefcff3cfdfc)
diff --git a/cryptobyte/string.go b/cryptobyte/string.go
index 0531a3d6f1..10692a8a31 100644
--- a/cryptobyte/string.go
+++ b/cryptobyte/string.go
@@ -81,6 +81,17 @@ func (s *String) ReadUint32(out *uint32) bool {
return true
}
+// ReadUint48 decodes a big-endian, 48-bit value into out and advances over it.
+// It reports whether the read was successful.
+func (s *String) ReadUint48(out *uint64) bool {
+ v := s.read(6)
+ if v == nil {
+ return false
+ }
+ *out = uint64(v[0])<<40 | uint64(v[1])<<32 | uint64(v[2])<<24 | uint64(v[3])<<16 | uint64(v[4])<<8 | uint64(v[5])
+ return true
+}
+
// ReadUint64 decodes a big-endian, 64-bit value into out and advances over it.
// It reports whether the read was successful.
func (s *String) ReadUint64(out *uint64) bool {
diff --git a/curve25519/internal/field/_asm/go.mod b/curve25519/internal/field/_asm/go.mod
index 5b3dba315e..f6902f4a64 100644
--- a/curve25519/internal/field/_asm/go.mod
+++ b/curve25519/internal/field/_asm/go.mod
@@ -1,10 +1,16 @@
module asm
-go 1.16
+go 1.18
require (
- github.com/mmcloughlin/avo v0.4.0
- golang.org/x/crypto v0.0.0
+ github.com/mmcloughlin/avo v0.5.0
+ golang.org/x/crypto v0.1.0
)
-replace golang.org/x/crypto v0.0.0 => ../../../..
+require (
+ golang.org/x/mod v0.8.0 // indirect
+ golang.org/x/sys v0.14.0 // indirect
+ golang.org/x/tools v0.6.0 // indirect
+)
+
+replace golang.org/x/crypto v0.1.0 => ../../../..
diff --git a/curve25519/internal/field/_asm/go.sum b/curve25519/internal/field/_asm/go.sum
index 4c9bbf675b..96b7915d4f 100644
--- a/curve25519/internal/field/_asm/go.sum
+++ b/curve25519/internal/field/_asm/go.sum
@@ -1,34 +1,51 @@
-github.com/mmcloughlin/avo v0.4.0 h1:jeHDRktVD+578ULxWpQHkilor6pkdLF7u7EiTzDbfcU=
-github.com/mmcloughlin/avo v0.4.0/go.mod h1:RW9BfYA3TgO9uCdNrKU2h6J8cPD8ZLznvfgHAeszb1s=
-github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
+github.com/mmcloughlin/avo v0.5.0 h1:nAco9/aI9Lg2kiuROBY6BhCI/z0t5jEvJfjWbL8qXLU=
+github.com/mmcloughlin/avo v0.5.0/go.mod h1:ChHFdoV7ql95Wi7vuq2YT1bwCJqiWdZrQ1im3VujLYM=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/arch v0.1.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
+golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211030160813-b3129d9d1021 h1:giLT+HuUP/gXYrG2Plg9WTjj4qhfgaW424ZIFog3rlk=
-golang.org/x/sys v0.0.0-20211030160813-b3129d9d1021/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.7 h1:6j8CgantCy3yc8JGBqkDLMKWqZ0RDU2g1HVgacojGWQ=
-golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
diff --git a/curve25519/internal/field/fe_amd64.go b/curve25519/internal/field/fe_amd64.go
index edcf163c4e..70c541692c 100644
--- a/curve25519/internal/field/fe_amd64.go
+++ b/curve25519/internal/field/fe_amd64.go
@@ -1,7 +1,6 @@
// Code generated by command: go run fe_amd64_asm.go -out ../fe_amd64.s -stubs ../fe_amd64.go -pkg field. DO NOT EDIT.
//go:build amd64 && gc && !purego
-// +build amd64,gc,!purego
package field
diff --git a/curve25519/internal/field/fe_amd64.s b/curve25519/internal/field/fe_amd64.s
index 293f013c94..60817acc41 100644
--- a/curve25519/internal/field/fe_amd64.s
+++ b/curve25519/internal/field/fe_amd64.s
@@ -1,7 +1,6 @@
// Code generated by command: go run fe_amd64_asm.go -out ../fe_amd64.s -stubs ../fe_amd64.go -pkg field. DO NOT EDIT.
//go:build amd64 && gc && !purego
-// +build amd64,gc,!purego
#include "textflag.h"
diff --git a/curve25519/internal/field/fe_amd64_noasm.go b/curve25519/internal/field/fe_amd64_noasm.go
index ddb6c9b8f7..9da280d1d8 100644
--- a/curve25519/internal/field/fe_amd64_noasm.go
+++ b/curve25519/internal/field/fe_amd64_noasm.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build !amd64 || !gc || purego
-// +build !amd64 !gc purego
package field
diff --git a/curve25519/internal/field/fe_arm64.go b/curve25519/internal/field/fe_arm64.go
index af459ef515..075fe9b925 100644
--- a/curve25519/internal/field/fe_arm64.go
+++ b/curve25519/internal/field/fe_arm64.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build arm64 && gc && !purego
-// +build arm64,gc,!purego
package field
diff --git a/curve25519/internal/field/fe_arm64.s b/curve25519/internal/field/fe_arm64.s
index 5c91e45892..3126a43419 100644
--- a/curve25519/internal/field/fe_arm64.s
+++ b/curve25519/internal/field/fe_arm64.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build arm64 && gc && !purego
-// +build arm64,gc,!purego
#include "textflag.h"
diff --git a/curve25519/internal/field/fe_arm64_noasm.go b/curve25519/internal/field/fe_arm64_noasm.go
index 234a5b2e5d..fc029ac12d 100644
--- a/curve25519/internal/field/fe_arm64_noasm.go
+++ b/curve25519/internal/field/fe_arm64_noasm.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build !arm64 || !gc || purego
-// +build !arm64 !gc purego
package field
diff --git a/go.mod b/go.mod
index 3b22b05e01..9cde59c44e 100644
--- a/go.mod
+++ b/go.mod
@@ -1,11 +1,11 @@
module golang.org/x/crypto
-go 1.17
+go 1.18
require (
golang.org/x/net v0.10.0 // tagx:ignore
- golang.org/x/sys v0.10.0
- golang.org/x/term v0.10.0
+ golang.org/x/sys v0.17.0
+ golang.org/x/term v0.17.0
)
-require golang.org/x/text v0.11.0 // indirect
+require golang.org/x/text v0.14.0 // indirect
diff --git a/go.sum b/go.sum
index 9af043f86e..55835d583b 100644
--- a/go.sum
+++ b/go.sum
@@ -1,41 +1,8 @@
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
-golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
diff --git a/hkdf/hkdf.go b/hkdf/hkdf.go
index dda3f143be..f4ded5fee2 100644
--- a/hkdf/hkdf.go
+++ b/hkdf/hkdf.go
@@ -56,7 +56,9 @@ func (f *hkdf) Read(p []byte) (int, error) {
// Fill the rest of the buffer
for len(p) > 0 {
- f.expander.Reset()
+ if f.counter > 1 {
+ f.expander.Reset()
+ }
f.expander.Write(f.prev)
f.expander.Write(f.info)
f.expander.Write([]byte{f.counter})
diff --git a/internal/alias/alias.go b/internal/alias/alias.go
index 69c17f822b..551ff0c353 100644
--- a/internal/alias/alias.go
+++ b/internal/alias/alias.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build !purego
-// +build !purego
// Package alias implements memory aliasing tests.
package alias
diff --git a/internal/alias/alias_purego.go b/internal/alias/alias_purego.go
index 4775b0a438..6fe61b5c6e 100644
--- a/internal/alias/alias_purego.go
+++ b/internal/alias/alias_purego.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build purego
-// +build purego
// Package alias implements memory aliasing tests.
package alias
diff --git a/internal/poly1305/bits_compat.go b/internal/poly1305/bits_compat.go
deleted file mode 100644
index 45b5c966b2..0000000000
--- a/internal/poly1305/bits_compat.go
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.13
-// +build !go1.13
-
-package poly1305
-
-// Generic fallbacks for the math/bits intrinsics, copied from
-// src/math/bits/bits.go. They were added in Go 1.12, but Add64 and Sum64 had
-// variable time fallbacks until Go 1.13.
-
-func bitsAdd64(x, y, carry uint64) (sum, carryOut uint64) {
- sum = x + y + carry
- carryOut = ((x & y) | ((x | y) &^ sum)) >> 63
- return
-}
-
-func bitsSub64(x, y, borrow uint64) (diff, borrowOut uint64) {
- diff = x - y - borrow
- borrowOut = ((^x & y) | (^(x ^ y) & diff)) >> 63
- return
-}
-
-func bitsMul64(x, y uint64) (hi, lo uint64) {
- const mask32 = 1<<32 - 1
- x0 := x & mask32
- x1 := x >> 32
- y0 := y & mask32
- y1 := y >> 32
- w0 := x0 * y0
- t := x1*y0 + w0>>32
- w1 := t & mask32
- w2 := t >> 32
- w1 += x0 * y1
- hi = x1*y1 + w2 + w1>>32
- lo = x * y
- return
-}
diff --git a/internal/poly1305/bits_go1.13.go b/internal/poly1305/bits_go1.13.go
deleted file mode 100644
index ed52b3418a..0000000000
--- a/internal/poly1305/bits_go1.13.go
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.13
-// +build go1.13
-
-package poly1305
-
-import "math/bits"
-
-func bitsAdd64(x, y, carry uint64) (sum, carryOut uint64) {
- return bits.Add64(x, y, carry)
-}
-
-func bitsSub64(x, y, borrow uint64) (diff, borrowOut uint64) {
- return bits.Sub64(x, y, borrow)
-}
-
-func bitsMul64(x, y uint64) (hi, lo uint64) {
- return bits.Mul64(x, y)
-}
diff --git a/internal/poly1305/mac_noasm.go b/internal/poly1305/mac_noasm.go
index f184b67d98..333da285b3 100644
--- a/internal/poly1305/mac_noasm.go
+++ b/internal/poly1305/mac_noasm.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build (!amd64 && !ppc64le && !s390x) || !gc || purego
-// +build !amd64,!ppc64le,!s390x !gc purego
package poly1305
diff --git a/internal/poly1305/sum_amd64.go b/internal/poly1305/sum_amd64.go
index 6d522333f2..164cd47d32 100644
--- a/internal/poly1305/sum_amd64.go
+++ b/internal/poly1305/sum_amd64.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
package poly1305
diff --git a/internal/poly1305/sum_amd64.s b/internal/poly1305/sum_amd64.s
index 1d74f0f881..e0d3c64756 100644
--- a/internal/poly1305/sum_amd64.s
+++ b/internal/poly1305/sum_amd64.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
#include "textflag.h"
diff --git a/internal/poly1305/sum_generic.go b/internal/poly1305/sum_generic.go
index e041da5ea3..ec2202bd7d 100644
--- a/internal/poly1305/sum_generic.go
+++ b/internal/poly1305/sum_generic.go
@@ -7,7 +7,10 @@
package poly1305
-import "encoding/binary"
+import (
+ "encoding/binary"
+ "math/bits"
+)
// Poly1305 [RFC 7539] is a relatively simple algorithm: the authentication tag
// for a 64 bytes message is approximately
@@ -114,13 +117,13 @@ type uint128 struct {
}
func mul64(a, b uint64) uint128 {
- hi, lo := bitsMul64(a, b)
+ hi, lo := bits.Mul64(a, b)
return uint128{lo, hi}
}
func add128(a, b uint128) uint128 {
- lo, c := bitsAdd64(a.lo, b.lo, 0)
- hi, c := bitsAdd64(a.hi, b.hi, c)
+ lo, c := bits.Add64(a.lo, b.lo, 0)
+ hi, c := bits.Add64(a.hi, b.hi, c)
if c != 0 {
panic("poly1305: unexpected overflow")
}
@@ -155,8 +158,8 @@ func updateGeneric(state *macState, msg []byte) {
// hide leading zeroes. For full chunks, that's 1 << 128, so we can just
// add 1 to the most significant (2¹²⁸) limb, h2.
if len(msg) >= TagSize {
- h0, c = bitsAdd64(h0, binary.LittleEndian.Uint64(msg[0:8]), 0)
- h1, c = bitsAdd64(h1, binary.LittleEndian.Uint64(msg[8:16]), c)
+ h0, c = bits.Add64(h0, binary.LittleEndian.Uint64(msg[0:8]), 0)
+ h1, c = bits.Add64(h1, binary.LittleEndian.Uint64(msg[8:16]), c)
h2 += c + 1
msg = msg[TagSize:]
@@ -165,8 +168,8 @@ func updateGeneric(state *macState, msg []byte) {
copy(buf[:], msg)
buf[len(msg)] = 1
- h0, c = bitsAdd64(h0, binary.LittleEndian.Uint64(buf[0:8]), 0)
- h1, c = bitsAdd64(h1, binary.LittleEndian.Uint64(buf[8:16]), c)
+ h0, c = bits.Add64(h0, binary.LittleEndian.Uint64(buf[0:8]), 0)
+ h1, c = bits.Add64(h1, binary.LittleEndian.Uint64(buf[8:16]), c)
h2 += c
msg = nil
@@ -219,9 +222,9 @@ func updateGeneric(state *macState, msg []byte) {
m3 := h2r1
t0 := m0.lo
- t1, c := bitsAdd64(m1.lo, m0.hi, 0)
- t2, c := bitsAdd64(m2.lo, m1.hi, c)
- t3, _ := bitsAdd64(m3.lo, m2.hi, c)
+ t1, c := bits.Add64(m1.lo, m0.hi, 0)
+ t2, c := bits.Add64(m2.lo, m1.hi, c)
+ t3, _ := bits.Add64(m3.lo, m2.hi, c)
// Now we have the result as 4 64-bit limbs, and we need to reduce it
// modulo 2¹³⁰ - 5. The special shape of this Crandall prime lets us do
@@ -243,14 +246,14 @@ func updateGeneric(state *macState, msg []byte) {
// To add c * 5 to h, we first add cc = c * 4, and then add (cc >> 2) = c.
- h0, c = bitsAdd64(h0, cc.lo, 0)
- h1, c = bitsAdd64(h1, cc.hi, c)
+ h0, c = bits.Add64(h0, cc.lo, 0)
+ h1, c = bits.Add64(h1, cc.hi, c)
h2 += c
cc = shiftRightBy2(cc)
- h0, c = bitsAdd64(h0, cc.lo, 0)
- h1, c = bitsAdd64(h1, cc.hi, c)
+ h0, c = bits.Add64(h0, cc.lo, 0)
+ h1, c = bits.Add64(h1, cc.hi, c)
h2 += c
// h2 is at most 3 + 1 + 1 = 5, making the whole of h at most
@@ -287,9 +290,9 @@ func finalize(out *[TagSize]byte, h *[3]uint64, s *[2]uint64) {
// in constant time, we compute t = h - (2¹³⁰ - 5), and select h as the
// result if the subtraction underflows, and t otherwise.
- hMinusP0, b := bitsSub64(h0, p0, 0)
- hMinusP1, b := bitsSub64(h1, p1, b)
- _, b = bitsSub64(h2, p2, b)
+ hMinusP0, b := bits.Sub64(h0, p0, 0)
+ hMinusP1, b := bits.Sub64(h1, p1, b)
+ _, b = bits.Sub64(h2, p2, b)
// h = h if h < p else h - p
h0 = select64(b, h0, hMinusP0)
@@ -301,8 +304,8 @@ func finalize(out *[TagSize]byte, h *[3]uint64, s *[2]uint64) {
//
// by just doing a wide addition with the 128 low bits of h and discarding
// the overflow.
- h0, c := bitsAdd64(h0, s[0], 0)
- h1, _ = bitsAdd64(h1, s[1], c)
+ h0, c := bits.Add64(h0, s[0], 0)
+ h1, _ = bits.Add64(h1, s[1], c)
binary.LittleEndian.PutUint64(out[0:8], h0)
binary.LittleEndian.PutUint64(out[8:16], h1)
diff --git a/internal/poly1305/sum_ppc64le.go b/internal/poly1305/sum_ppc64le.go
index 4a069941a6..4aec4874b5 100644
--- a/internal/poly1305/sum_ppc64le.go
+++ b/internal/poly1305/sum_ppc64le.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
package poly1305
diff --git a/internal/poly1305/sum_ppc64le.s b/internal/poly1305/sum_ppc64le.s
index 58422aad23..d2ca5deeb9 100644
--- a/internal/poly1305/sum_ppc64le.s
+++ b/internal/poly1305/sum_ppc64le.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
#include "textflag.h"
diff --git a/internal/poly1305/sum_s390x.go b/internal/poly1305/sum_s390x.go
index ec95966889..e1d033a491 100644
--- a/internal/poly1305/sum_s390x.go
+++ b/internal/poly1305/sum_s390x.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
package poly1305
diff --git a/internal/poly1305/sum_s390x.s b/internal/poly1305/sum_s390x.s
index aa9e0494c9..0fe3a7c217 100644
--- a/internal/poly1305/sum_s390x.s
+++ b/internal/poly1305/sum_s390x.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
#include "textflag.h"
diff --git a/internal/wycheproof/eddsa_test.go b/internal/wycheproof/eddsa_test.go
index 0a7fbb7e0e..9b97490955 100644
--- a/internal/wycheproof/eddsa_test.go
+++ b/internal/wycheproof/eddsa_test.go
@@ -3,14 +3,12 @@
// license that can be found in the LICENSE file.
//go:build go1.13
-// +build go1.13
package wycheproof
import (
+ "crypto/ed25519"
"testing"
-
- "golang.org/x/crypto/ed25519"
)
func TestEddsa(t *testing.T) {
diff --git a/internal/wycheproof/wycheproof_test.go b/internal/wycheproof/wycheproof_test.go
index fcae97ce33..bbaae3b338 100644
--- a/internal/wycheproof/wycheproof_test.go
+++ b/internal/wycheproof/wycheproof_test.go
@@ -11,6 +11,7 @@ import (
"crypto/x509"
"encoding/hex"
"encoding/json"
+ "flag"
"fmt"
"log"
"os"
@@ -28,6 +29,11 @@ const wycheproofModVer = "v0.0.0-20191219022705-2196000605e4"
var wycheproofTestVectorsDir string
func TestMain(m *testing.M) {
+ flag.Parse()
+ if flag.Lookup("test.short").Value.(flag.Getter).Get().(bool) {
+ log.Println("skipping test that downloads testdata via 'go mod download' in short mode")
+ os.Exit(0)
+ }
if _, err := exec.LookPath("go"); err != nil {
log.Printf("skipping test because 'go' command is unavailable: %v", err)
os.Exit(0)
@@ -42,8 +48,6 @@ func TestMain(m *testing.M) {
// can be used in the following tests.
path := "github.com/google/wycheproof@" + wycheproofModVer
cmd := exec.Command("go", "mod", "download", "-json", path)
- // TODO: enable the sumdb once the Trybots proxy supports it.
- cmd.Env = append(os.Environ(), "GONOSUMDB=*")
output, err := cmd.Output()
if err != nil {
log.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
diff --git a/nacl/sign/sign.go b/nacl/sign/sign.go
index 8a6acdcc09..109c08bb95 100644
--- a/nacl/sign/sign.go
+++ b/nacl/sign/sign.go
@@ -21,9 +21,9 @@
package sign
import (
+ "crypto/ed25519"
"io"
- "golang.org/x/crypto/ed25519"
"golang.org/x/crypto/internal/alias"
)
diff --git a/ocsp/ocsp_test.go b/ocsp/ocsp_test.go
index 0bc194b2f4..a23d29bd1f 100644
--- a/ocsp/ocsp_test.go
+++ b/ocsp/ocsp_test.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build go1.7
-// +build go1.7
package ocsp
diff --git a/otr/libotr_test_helper.c b/otr/libotr_test_helper.c
index b3ca072d48..aae03a3df7 100644
--- a/otr/libotr_test_helper.c
+++ b/otr/libotr_test_helper.c
@@ -5,7 +5,7 @@
// This code can be compiled and used to test the otr package against libotr.
// See otr_test.go.
-// +build ignore
+//go:build ignore
#include <stdio.h>
#include <stdlib.h>
diff --git a/salsa20/salsa/salsa20_amd64.go b/salsa20/salsa/salsa20_amd64.go
index c400dfcf7b..e76b44fe59 100644
--- a/salsa20/salsa/salsa20_amd64.go
+++ b/salsa20/salsa/salsa20_amd64.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build amd64 && !purego && gc
-// +build amd64,!purego,gc
package salsa
diff --git a/salsa20/salsa/salsa20_amd64.s b/salsa20/salsa/salsa20_amd64.s
index c089277204..fcce0234b6 100644
--- a/salsa20/salsa/salsa20_amd64.s
+++ b/salsa20/salsa/salsa20_amd64.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build amd64 && !purego && gc
-// +build amd64,!purego,gc
// This code was translated into a form compatible with 6a from the public
// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
diff --git a/salsa20/salsa/salsa20_amd64_test.go b/salsa20/salsa/salsa20_amd64_test.go
index fc781f76f9..fe14604fc9 100644
--- a/salsa20/salsa/salsa20_amd64_test.go
+++ b/salsa20/salsa/salsa20_amd64_test.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build amd64 && !purego && gc
-// +build amd64,!purego,gc
package salsa
diff --git a/salsa20/salsa/salsa20_noasm.go b/salsa20/salsa/salsa20_noasm.go
index 4392cc1ac7..9448760f26 100644
--- a/salsa20/salsa/salsa20_noasm.go
+++ b/salsa20/salsa/salsa20_noasm.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build !amd64 || purego || !gc
-// +build !amd64 purego !gc
package salsa
diff --git a/sha3/hashes_generic.go b/sha3/hashes_generic.go
index c74fc20fcb..fe8c84793c 100644
--- a/sha3/hashes_generic.go
+++ b/sha3/hashes_generic.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build !gc || purego || !s390x
-// +build !gc purego !s390x
package sha3
diff --git a/sha3/keccakf.go b/sha3/keccakf.go
index e5faa375c0..ce48b1dd3e 100644
--- a/sha3/keccakf.go
+++ b/sha3/keccakf.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build !amd64 || purego || !gc
-// +build !amd64 purego !gc
package sha3
diff --git a/sha3/keccakf_amd64.go b/sha3/keccakf_amd64.go
index 248a38241f..b908696be5 100644
--- a/sha3/keccakf_amd64.go
+++ b/sha3/keccakf_amd64.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build amd64 && !purego && gc
-// +build amd64,!purego,gc
package sha3
diff --git a/sha3/keccakf_amd64.s b/sha3/keccakf_amd64.s
index 4cfa54383b..1f53938861 100644
--- a/sha3/keccakf_amd64.s
+++ b/sha3/keccakf_amd64.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build amd64 && !purego && gc
-// +build amd64,!purego,gc
// This code was translated into a form compatible with 6a from the public
// domain sources at https://github.com/gvanas/KeccakCodePackage
@@ -320,9 +319,9 @@
MOVQ rDi, _si(oState); \
MOVQ rDo, _so(oState) \
-// func keccakF1600(state *[25]uint64)
+// func keccakF1600(a *[25]uint64)
TEXT ·keccakF1600(SB), 0, $200-8
- MOVQ state+0(FP), rpState
+ MOVQ a+0(FP), rpState
// Convert the user state into an internal state
NOTQ _be(rpState)
diff --git a/sha3/register.go b/sha3/register.go
index 8b4453aac3..addfd5049b 100644
--- a/sha3/register.go
+++ b/sha3/register.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build go1.4
-// +build go1.4
package sha3
diff --git a/sha3/sha3.go b/sha3/sha3.go
index fa182beb40..4884d172a4 100644
--- a/sha3/sha3.go
+++ b/sha3/sha3.go
@@ -121,11 +121,11 @@ func (d *state) padAndPermute(dsbyte byte) {
copyOut(d, d.buf)
}
-// Write absorbs more data into the hash's state. It produces an error
-// if more data is written to the ShakeHash after writing
+// Write absorbs more data into the hash's state. It panics if any
+// output has already been read.
func (d *state) Write(p []byte) (written int, err error) {
if d.state != spongeAbsorbing {
- panic("sha3: write to sponge after read")
+ panic("sha3: Write after Read")
}
if d.buf == nil {
d.buf = d.storage.asBytes()[:0]
@@ -182,12 +182,16 @@ func (d *state) Read(out []byte) (n int, err error) {
}
// Sum applies padding to the hash state and then squeezes out the desired
-// number of output bytes.
+// number of output bytes. It panics if any output has already been read.
func (d *state) Sum(in []byte) []byte {
+ if d.state != spongeAbsorbing {
+ panic("sha3: Sum after Read")
+ }
+
// Make a copy of the original hash so that caller can keep writing
// and summing.
dup := d.clone()
- hash := make([]byte, dup.outputLen)
+ hash := make([]byte, dup.outputLen, 64) // explicit cap to allow stack allocation
dup.Read(hash)
return append(in, hash...)
}
diff --git a/sha3/sha3_s390x.go b/sha3/sha3_s390x.go
index 63a3edb4ce..d861bca528 100644
--- a/sha3/sha3_s390x.go
+++ b/sha3/sha3_s390x.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
package sha3
@@ -49,7 +48,7 @@ type asmState struct {
buf []byte // care must be taken to ensure cap(buf) is a multiple of rate
rate int // equivalent to block size
storage [3072]byte // underlying storage for buf
- outputLen int // output length if fixed, 0 if not
+ outputLen int // output length for full security
function code // KIMD/KLMD function code
state spongeDirection // whether the sponge is absorbing or squeezing
}
@@ -72,8 +71,10 @@ func newAsmState(function code) *asmState {
s.outputLen = 64
case shake_128:
s.rate = 168
+ s.outputLen = 32
case shake_256:
s.rate = 136
+ s.outputLen = 64
default:
panic("sha3: unrecognized function code")
}
@@ -108,7 +109,7 @@ func (s *asmState) resetBuf() {
// It never returns an error.
func (s *asmState) Write(b []byte) (int, error) {
if s.state != spongeAbsorbing {
- panic("sha3: write to sponge after read")
+ panic("sha3: Write after Read")
}
length := len(b)
for len(b) > 0 {
@@ -192,8 +193,8 @@ func (s *asmState) Read(out []byte) (n int, err error) {
// Sum appends the current hash to b and returns the resulting slice.
// It does not change the underlying hash state.
func (s *asmState) Sum(b []byte) []byte {
- if s.outputLen == 0 {
- panic("sha3: cannot call Sum on SHAKE functions")
+ if s.state != spongeAbsorbing {
+ panic("sha3: Sum after Read")
}
// Copy the state to preserve the original.
diff --git a/sha3/sha3_s390x.s b/sha3/sha3_s390x.s
index a0e051b045..826b862c77 100644
--- a/sha3/sha3_s390x.s
+++ b/sha3/sha3_s390x.s
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build gc && !purego
-// +build gc,!purego
#include "textflag.h"
diff --git a/sha3/shake.go b/sha3/shake.go
index d7be2954ab..bb69984027 100644
--- a/sha3/shake.go
+++ b/sha3/shake.go
@@ -17,26 +17,25 @@ package sha3
import (
"encoding/binary"
+ "hash"
"io"
)
-// ShakeHash defines the interface to hash functions that
-// support arbitrary-length output.
+// ShakeHash defines the interface to hash functions that support
+// arbitrary-length output. When used as a plain [hash.Hash], it
+// produces minimum-length outputs that provide full-strength generic
+// security.
type ShakeHash interface {
- // Write absorbs more data into the hash's state. It panics if input is
- // written to it after output has been read from it.
- io.Writer
+ hash.Hash
// Read reads more output from the hash; reading affects the hash's
// state. (ShakeHash.Read is thus very different from Hash.Sum)
- // It never returns an error.
+ // It never returns an error, but subsequent calls to Write or Sum
+ // will panic.
io.Reader
// Clone returns a copy of the ShakeHash in its current state.
Clone() ShakeHash
-
- // Reset resets the ShakeHash to its initial state.
- Reset()
}
// cSHAKE specific context
@@ -81,8 +80,8 @@ func leftEncode(value uint64) []byte {
return b[i-1:]
}
-func newCShake(N, S []byte, rate int, dsbyte byte) ShakeHash {
- c := cshakeState{state: &state{rate: rate, dsbyte: dsbyte}}
+func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) ShakeHash {
+ c := cshakeState{state: &state{rate: rate, outputLen: outputLen, dsbyte: dsbyte}}
// leftEncode returns max 9 bytes
c.initBlock = make([]byte, 0, 9*2+len(N)+len(S))
@@ -119,7 +118,7 @@ func NewShake128() ShakeHash {
if h := newShake128Asm(); h != nil {
return h
}
- return &state{rate: rate128, dsbyte: dsbyteShake}
+ return &state{rate: rate128, outputLen: 32, dsbyte: dsbyteShake}
}
// NewShake256 creates a new SHAKE256 variable-output-length ShakeHash.
@@ -129,7 +128,7 @@ func NewShake256() ShakeHash {
if h := newShake256Asm(); h != nil {
return h
}
- return &state{rate: rate256, dsbyte: dsbyteShake}
+ return &state{rate: rate256, outputLen: 64, dsbyte: dsbyteShake}
}
// NewCShake128 creates a new instance of cSHAKE128 variable-output-length ShakeHash,
@@ -142,7 +141,7 @@ func NewCShake128(N, S []byte) ShakeHash {
if len(N) == 0 && len(S) == 0 {
return NewShake128()
}
- return newCShake(N, S, rate128, dsbyteCShake)
+ return newCShake(N, S, rate128, 32, dsbyteCShake)
}
// NewCShake256 creates a new instance of cSHAKE256 variable-output-length ShakeHash,
@@ -155,7 +154,7 @@ func NewCShake256(N, S []byte) ShakeHash {
if len(N) == 0 && len(S) == 0 {
return NewShake256()
}
- return newCShake(N, S, rate256, dsbyteCShake)
+ return newCShake(N, S, rate256, 64, dsbyteCShake)
}
// ShakeSum128 writes an arbitrary-length digest of data into hash.
diff --git a/sha3/shake_generic.go b/sha3/shake_generic.go
index 5c0710ef98..8d31cf5be2 100644
--- a/sha3/shake_generic.go
+++ b/sha3/shake_generic.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build !gc || purego || !s390x
-// +build !gc purego !s390x
package sha3
diff --git a/sha3/xor.go b/sha3/xor.go
index 59c8eb9418..7337cca88e 100644
--- a/sha3/xor.go
+++ b/sha3/xor.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build (!amd64 && !386 && !ppc64le) || purego
-// +build !amd64,!386,!ppc64le purego
package sha3
diff --git a/sha3/xor_unaligned.go b/sha3/xor_unaligned.go
index 1ce606246d..870e2d16e0 100644
--- a/sha3/xor_unaligned.go
+++ b/sha3/xor_unaligned.go
@@ -3,8 +3,6 @@
// license that can be found in the LICENSE file.
//go:build (amd64 || 386 || ppc64le) && !purego
-// +build amd64 386 ppc64le
-// +build !purego
package sha3
diff --git a/ssh/agent/client.go b/ssh/agent/client.go
index c3e112a939..fecba8eb38 100644
--- a/ssh/agent/client.go
+++ b/ssh/agent/client.go
@@ -16,6 +16,7 @@ import (
"bytes"
"crypto/dsa"
"crypto/ecdsa"
+ "crypto/ed25519"
"crypto/elliptic"
"crypto/rsa"
"encoding/base64"
@@ -26,7 +27,6 @@ import (
"math/big"
"sync"
- "golang.org/x/crypto/ed25519"
"golang.org/x/crypto/ssh"
)
@@ -141,9 +141,14 @@ const (
agentAddSmartcardKeyConstrained = 26
// 3.7 Key constraint identifiers
- agentConstrainLifetime = 1
- agentConstrainConfirm = 2
- agentConstrainExtension = 3
+ agentConstrainLifetime = 1
+ agentConstrainConfirm = 2
+ // Constraint extension identifier up to version 2 of the protocol. A
+ // backward incompatible change will be required if we want to add support
+ // for SSH_AGENT_CONSTRAIN_MAXSIGN which uses the same ID.
+ agentConstrainExtensionV00 = 3
+ // Constraint extension identifier in version 3 and later of the protocol.
+ agentConstrainExtension = 255
)
// maxAgentResponseBytes is the maximum agent reply size that is accepted. This
@@ -205,7 +210,7 @@ type constrainLifetimeAgentMsg struct {
}
type constrainExtensionAgentMsg struct {
- ExtensionName string `sshtype:"3"`
+ ExtensionName string `sshtype:"255|3"`
ExtensionDetails []byte
// Rest is a field used for parsing, not part of message
diff --git a/ssh/agent/client_test.go b/ssh/agent/client_test.go
index 8ffaca7491..fdc8000654 100644
--- a/ssh/agent/client_test.go
+++ b/ssh/agent/client_test.go
@@ -29,6 +29,9 @@ func startOpenSSHAgent(t *testing.T) (client ExtendedAgent, socket string, clean
// types supported vary by platform.
t.Skip("skipping test due to -short")
}
+ if runtime.GOOS == "windows" {
+ t.Skip("skipping on windows, we don't support connecting to the ssh-agent via a named pipe")
+ }
bin, err := exec.LookPath("ssh-agent")
if err != nil {
@@ -366,7 +369,8 @@ func TestAuth(t *testing.T) {
go func() {
conn, _, _, err := ssh.NewServerConn(a, &serverConf)
if err != nil {
- t.Fatalf("Server: %v", err)
+ t.Errorf("NewServerConn error: %v", err)
+ return
}
conn.Close()
}()
diff --git a/ssh/agent/server.go b/ssh/agent/server.go
index 9a769de03d..e35ca7ce31 100644
--- a/ssh/agent/server.go
+++ b/ssh/agent/server.go
@@ -7,6 +7,7 @@ package agent
import (
"crypto/dsa"
"crypto/ecdsa"
+ "crypto/ed25519"
"crypto/elliptic"
"crypto/rsa"
"encoding/binary"
@@ -16,7 +17,6 @@ import (
"log"
"math/big"
- "golang.org/x/crypto/ed25519"
"golang.org/x/crypto/ssh"
)
@@ -208,7 +208,7 @@ func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse
case agentConstrainConfirm:
confirmBeforeUse = true
constraints = constraints[1:]
- case agentConstrainExtension:
+ case agentConstrainExtension, agentConstrainExtensionV00:
var msg constrainExtensionAgentMsg
if err = ssh.Unmarshal(constraints, &msg); err != nil {
return 0, false, nil, err
diff --git a/ssh/agent/server_test.go b/ssh/agent/server_test.go
index 038018ebb1..7700d18f1a 100644
--- a/ssh/agent/server_test.go
+++ b/ssh/agent/server_test.go
@@ -53,10 +53,11 @@ func TestSetupForwardAgent(t *testing.T) {
incoming := make(chan *ssh.ServerConn, 1)
go func() {
conn, _, _, err := ssh.NewServerConn(a, &serverConf)
+ incoming <- conn
if err != nil {
- t.Fatalf("Server: %v", err)
+ t.Errorf("NewServerConn error: %v", err)
+ return
}
- incoming <- conn
}()
conf := ssh.ClientConfig{
@@ -71,8 +72,10 @@ func TestSetupForwardAgent(t *testing.T) {
if err := ForwardToRemote(client, socket); err != nil {
t.Fatalf("SetupForwardAgent: %v", err)
}
-
server := <-incoming
+ if server == nil {
+ t.Fatal("Unable to get server")
+ }
ch, reqs, err := server.OpenChannel(channelType, nil)
if err != nil {
t.Fatalf("OpenChannel(%q): %v", channelType, err)
@@ -240,7 +243,11 @@ func TestParseConstraints(t *testing.T) {
ExtensionDetails: []byte(fmt.Sprintf("details: %d", i)),
}
expect = append(expect, ext)
- data = append(data, agentConstrainExtension)
+ if i%2 == 0 {
+ data = append(data, agentConstrainExtension)
+ } else {
+ data = append(data, agentConstrainExtensionV00)
+ }
data = append(data, ssh.Marshal(ext)...)
}
_, _, extensions, err := parseConstraints(data)
diff --git a/ssh/benchmark_test.go b/ssh/benchmark_test.go
index a13235d743..b356330b46 100644
--- a/ssh/benchmark_test.go
+++ b/ssh/benchmark_test.go
@@ -6,6 +6,7 @@ package ssh
import (
"errors"
+ "fmt"
"io"
"net"
"testing"
@@ -90,16 +91,16 @@ func BenchmarkEndToEnd(b *testing.B) {
go func() {
newCh, err := server.Accept()
if err != nil {
- b.Fatalf("Client: %v", err)
+ panic(fmt.Sprintf("Client: %v", err))
}
ch, incoming, err := newCh.Accept()
if err != nil {
- b.Fatalf("Accept: %v", err)
+ panic(fmt.Sprintf("Accept: %v", err))
}
go DiscardRequests(incoming)
for i := 0; i < b.N; i++ {
if _, err := io.ReadFull(ch, output); err != nil {
- b.Fatalf("ReadFull: %v", err)
+ panic(fmt.Sprintf("ReadFull: %v", err))
}
}
ch.Close()
diff --git a/ssh/certs.go b/ssh/certs.go
index fc04d03e19..27d0e14aa9 100644
--- a/ssh/certs.go
+++ b/ssh/certs.go
@@ -16,8 +16,9 @@ import (
// Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
// in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
-// Unlike key algorithm names, these are not passed to AlgorithmSigner and don't
-// appear in the Signature.Format field.
+// Unlike key algorithm names, these are not passed to AlgorithmSigner nor
+// returned by MultiAlgorithmSigner and don't appear in the Signature.Format
+// field.
const (
CertAlgoRSAv01 = "ssh-rsa-cert-v01@openssh.com"
CertAlgoDSAv01 = "ssh-dss-cert-v01@openssh.com"
@@ -255,10 +256,17 @@ func NewCertSigner(cert *Certificate, signer Signer) (Signer, error) {
return nil, errors.New("ssh: signer and cert have different public key")
}
- if algorithmSigner, ok := signer.(AlgorithmSigner); ok {
+ switch s := signer.(type) {
+ case MultiAlgorithmSigner:
+ return &multiAlgorithmSigner{
+ AlgorithmSigner: &algorithmOpenSSHCertSigner{
+ &openSSHCertSigner{cert, signer}, s},
+ supportedAlgorithms: s.Algorithms(),
+ }, nil
+ case AlgorithmSigner:
return &algorithmOpenSSHCertSigner{
- &openSSHCertSigner{cert, signer}, algorithmSigner}, nil
- } else {
+ &openSSHCertSigner{cert, signer}, s}, nil
+ default:
return &openSSHCertSigner{cert, signer}, nil
}
}
@@ -432,7 +440,9 @@ func (c *CertChecker) CheckCert(principal string, cert *Certificate) error {
}
// SignCert signs the certificate with an authority, setting the Nonce,
-// SignatureKey, and Signature fields.
+// SignatureKey, and Signature fields. If the authority implements the
+// MultiAlgorithmSigner interface the first algorithm in the list is used. This
+// is useful if you want to sign with a specific algorithm.
func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
c.Nonce = make([]byte, 32)
if _, err := io.ReadFull(rand, c.Nonce); err != nil {
@@ -440,8 +450,20 @@ func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
}
c.SignatureKey = authority.PublicKey()
- // Default to KeyAlgoRSASHA512 for ssh-rsa signers.
- if v, ok := authority.(AlgorithmSigner); ok && v.PublicKey().Type() == KeyAlgoRSA {
+ if v, ok := authority.(MultiAlgorithmSigner); ok {
+ if len(v.Algorithms()) == 0 {
+ return errors.New("the provided authority has no signature algorithm")
+ }
+ // Use the first algorithm in the list.
+ sig, err := v.SignWithAlgorithm(rand, c.bytesForSigning(), v.Algorithms()[0])
+ if err != nil {
+ return err
+ }
+ c.Signature = sig
+ return nil
+ } else if v, ok := authority.(AlgorithmSigner); ok && v.PublicKey().Type() == KeyAlgoRSA {
+ // Default to KeyAlgoRSASHA512 for ssh-rsa signers.
+ // TODO: consider using KeyAlgoRSASHA256 as default.
sig, err := v.SignWithAlgorithm(rand, c.bytesForSigning(), KeyAlgoRSASHA512)
if err != nil {
return err
diff --git a/ssh/certs_test.go b/ssh/certs_test.go
index e6004835ea..97b7486d0c 100644
--- a/ssh/certs_test.go
+++ b/ssh/certs_test.go
@@ -187,10 +187,30 @@ func TestHostKeyCert(t *testing.T) {
}
for _, test := range []struct {
- addr string
- succeed bool
+ addr string
+ succeed bool
+ certSignerAlgorithms []string // Empty means no algorithm restrictions.
+ clientHostKeyAlgorithms []string
}{
{addr: "hostname:22", succeed: true},
+ {
+ addr: "hostname:22",
+ succeed: true,
+ certSignerAlgorithms: []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512},
+ clientHostKeyAlgorithms: []string{CertAlgoRSASHA512v01},
+ },
+ {
+ addr: "hostname:22",
+ succeed: false,
+ certSignerAlgorithms: []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512},
+ clientHostKeyAlgorithms: []string{CertAlgoRSAv01},
+ },
+ {
+ addr: "hostname:22",
+ succeed: false,
+ certSignerAlgorithms: []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512},
+ clientHostKeyAlgorithms: []string{KeyAlgoRSASHA512}, // Not a certificate algorithm.
+ },
{addr: "otherhost:22", succeed: false}, // The certificate is valid for 'otherhost' as hostname, but we only recognize the authority of the signer for the address 'hostname:22'
{addr: "lasthost:22", succeed: false},
} {
@@ -207,14 +227,24 @@ func TestHostKeyCert(t *testing.T) {
conf := ServerConfig{
NoClientAuth: true,
}
- conf.AddHostKey(certSigner)
+ if len(test.certSignerAlgorithms) > 0 {
+ mas, err := NewSignerWithAlgorithms(certSigner.(AlgorithmSigner), test.certSignerAlgorithms)
+ if err != nil {
+ errc <- err
+ return
+ }
+ conf.AddHostKey(mas)
+ } else {
+ conf.AddHostKey(certSigner)
+ }
_, _, _, err := NewServerConn(c1, &conf)
errc <- err
}()
config := &ClientConfig{
- User: "user",
- HostKeyCallback: checker.CheckHostKey,
+ User: "user",
+ HostKeyCallback: checker.CheckHostKey,
+ HostKeyAlgorithms: test.clientHostKeyAlgorithms,
}
_, _, _, err = NewClientConn(c2, test.addr, config)
@@ -242,6 +272,20 @@ func (s *legacyRSASigner) Sign(rand io.Reader, data []byte) (*Signature, error)
}
func TestCertTypes(t *testing.T) {
+ algorithmSigner, ok := testSigners["rsa"].(AlgorithmSigner)
+ if !ok {
+ t.Fatal("rsa test signer does not implement the AlgorithmSigner interface")
+ }
+ multiAlgoSignerSHA256, err := NewSignerWithAlgorithms(algorithmSigner, []string{KeyAlgoRSASHA256})
+ if err != nil {
+ t.Fatalf("unable to create multi algorithm signer SHA256: %v", err)
+ }
+ // Algorithms are in order of preference, we expect rsa-sha2-512 to be used.
+ multiAlgoSignerSHA512, err := NewSignerWithAlgorithms(algorithmSigner, []string{KeyAlgoRSASHA512, KeyAlgoRSASHA256})
+ if err != nil {
+ t.Fatalf("unable to create multi algorithm signer SHA512: %v", err)
+ }
+
var testVars = []struct {
name string
signer Signer
@@ -251,8 +295,10 @@ func TestCertTypes(t *testing.T) {
{CertAlgoECDSA384v01, testSigners["ecdsap384"], ""},
{CertAlgoECDSA521v01, testSigners["ecdsap521"], ""},
{CertAlgoED25519v01, testSigners["ed25519"], ""},
- {CertAlgoRSAv01, testSigners["rsa"], KeyAlgoRSASHA512},
+ {CertAlgoRSAv01, testSigners["rsa"], KeyAlgoRSASHA256},
{"legacyRSASigner", &legacyRSASigner{testSigners["rsa"]}, KeyAlgoRSA},
+ {"multiAlgoRSASignerSHA256", multiAlgoSignerSHA256, KeyAlgoRSASHA256},
+ {"multiAlgoRSASignerSHA512", multiAlgoSignerSHA512, KeyAlgoRSASHA512},
{CertAlgoDSAv01, testSigners["dsa"], ""},
}
@@ -318,3 +364,45 @@ func TestCertTypes(t *testing.T) {
})
}
}
+
+func TestCertSignWithMultiAlgorithmSigner(t *testing.T) {
+ type testcase struct {
+ sigAlgo string
+ algoritms []string
+ }
+ cases := []testcase{
+ {
+ sigAlgo: KeyAlgoRSA,
+ algoritms: []string{KeyAlgoRSA, KeyAlgoRSASHA512},
+ },
+ {
+ sigAlgo: KeyAlgoRSASHA256,
+ algoritms: []string{KeyAlgoRSASHA256, KeyAlgoRSA, KeyAlgoRSASHA512},
+ },
+ {
+ sigAlgo: KeyAlgoRSASHA512,
+ algoritms: []string{KeyAlgoRSASHA512, KeyAlgoRSASHA256},
+ },
+ }
+
+ cert := &Certificate{
+ Key: testPublicKeys["rsa"],
+ ValidBefore: CertTimeInfinity,
+ CertType: UserCert,
+ }
+
+ for _, c := range cases {
+ t.Run(c.sigAlgo, func(t *testing.T) {
+ signer, err := NewSignerWithAlgorithms(testSigners["rsa"].(AlgorithmSigner), c.algoritms)
+ if err != nil {
+ t.Fatalf("NewSignerWithAlgorithms error: %v", err)
+ }
+ if err := cert.SignCert(rand.Reader, signer); err != nil {
+ t.Fatalf("SignCert error: %v", err)
+ }
+ if cert.Signature.Format != c.sigAlgo {
+ t.Fatalf("got signature format %q, want %q", cert.Signature.Format, c.sigAlgo)
+ }
+ })
+ }
+}
diff --git a/ssh/channel.go b/ssh/channel.go
index c0834c00df..cc0bb7ab64 100644
--- a/ssh/channel.go
+++ b/ssh/channel.go
@@ -187,9 +187,11 @@ type channel struct {
pending *buffer
extPending *buffer
- // windowMu protects myWindow, the flow-control window.
- windowMu sync.Mutex
- myWindow uint32
+ // windowMu protects myWindow, the flow-control window, and myConsumed,
+ // the number of bytes consumed since we last increased myWindow
+ windowMu sync.Mutex
+ myWindow uint32
+ myConsumed uint32
// writeMu serializes calls to mux.conn.writePacket() and
// protects sentClose and packetPool. This mutex must be
@@ -332,14 +334,24 @@ func (ch *channel) handleData(packet []byte) error {
return nil
}
-func (c *channel) adjustWindow(n uint32) error {
+func (c *channel) adjustWindow(adj uint32) error {
c.windowMu.Lock()
- // Since myWindow is managed on our side, and can never exceed
- // the initial window setting, we don't worry about overflow.
- c.myWindow += uint32(n)
+ // Since myConsumed and myWindow are managed on our side, and can never
+ // exceed the initial window setting, we don't worry about overflow.
+ c.myConsumed += adj
+ var sendAdj uint32
+ if (channelWindowSize-c.myWindow > 3*c.maxIncomingPayload) ||
+ (c.myWindow < channelWindowSize/2) {
+ sendAdj = c.myConsumed
+ c.myConsumed = 0
+ c.myWindow += sendAdj
+ }
c.windowMu.Unlock()
+ if sendAdj == 0 {
+ return nil
+ }
return c.sendMessage(windowAdjustMsg{
- AdditionalBytes: uint32(n),
+ AdditionalBytes: sendAdj,
})
}
diff --git a/ssh/client.go b/ssh/client.go
index bdc356cbdf..fd8c49749e 100644
--- a/ssh/client.go
+++ b/ssh/client.go
@@ -82,7 +82,7 @@ func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan
if err := conn.clientHandshake(addr, &fullConf); err != nil {
c.Close()
- return nil, nil, nil, fmt.Errorf("ssh: handshake failed: %v", err)
+ return nil, nil, nil, fmt.Errorf("ssh: handshake failed: %w", err)
}
conn.mux = newMux(conn.transport)
return conn, conn.mux.incomingChannels, conn.mux.incomingRequests, nil
diff --git a/ssh/client_auth.go b/ssh/client_auth.go
index 409b5ea1d4..34bf089d0b 100644
--- a/ssh/client_auth.go
+++ b/ssh/client_auth.go
@@ -71,7 +71,9 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
for auth := AuthMethod(new(noneAuth)); auth != nil; {
ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand, extensions)
if err != nil {
- return err
+ // We return the error later if there is no other method left to
+ // try.
+ ok = authFailure
}
if ok == authSuccess {
// success
@@ -101,6 +103,12 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
}
}
}
+
+ if auth == nil && err != nil {
+ // We have an error and there are no other authentication methods to
+ // try, so we return it.
+ return err
+ }
}
return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", tried)
}
@@ -217,21 +225,45 @@ func (cb publicKeyCallback) method() string {
return "publickey"
}
-func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (as AlgorithmSigner, algo string) {
+func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiAlgorithmSigner, string, error) {
+ var as MultiAlgorithmSigner
keyFormat := signer.PublicKey().Type()
- // Like in sendKexInit, if the public key implements AlgorithmSigner we
- // assume it supports all algorithms, otherwise only the key format one.
- as, ok := signer.(AlgorithmSigner)
- if !ok {
- return algorithmSignerWrapper{signer}, keyFormat
+ // If the signer implements MultiAlgorithmSigner we use the algorithms it
+ // support, if it implements AlgorithmSigner we assume it supports all
+ // algorithms, otherwise only the key format one.
+ switch s := signer.(type) {
+ case MultiAlgorithmSigner:
+ as = s
+ case AlgorithmSigner:
+ as = &multiAlgorithmSigner{
+ AlgorithmSigner: s,
+ supportedAlgorithms: algorithmsForKeyFormat(underlyingAlgo(keyFormat)),
+ }
+ default:
+ as = &multiAlgorithmSigner{
+ AlgorithmSigner: algorithmSignerWrapper{signer},
+ supportedAlgorithms: []string{underlyingAlgo(keyFormat)},
+ }
+ }
+
+ getFallbackAlgo := func() (string, error) {
+ // Fallback to use if there is no "server-sig-algs" extension or a
+ // common algorithm cannot be found. We use the public key format if the
+ // MultiAlgorithmSigner supports it, otherwise we return an error.
+ if !contains(as.Algorithms(), underlyingAlgo(keyFormat)) {
+ return "", fmt.Errorf("ssh: no common public key signature algorithm, server only supports %q for key type %q, signer only supports %v",
+ underlyingAlgo(keyFormat), keyFormat, as.Algorithms())
+ }
+ return keyFormat, nil
}
extPayload, ok := extensions["server-sig-algs"]
if !ok {
- // If there is no "server-sig-algs" extension, fall back to the key
- // format algorithm.
- return as, keyFormat
+ // If there is no "server-sig-algs" extension use the fallback
+ // algorithm.
+ algo, err := getFallbackAlgo()
+ return as, algo, err
}
// The server-sig-algs extension only carries underlying signature
@@ -245,15 +277,22 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (as Alg
}
}
- keyAlgos := algorithmsForKeyFormat(keyFormat)
+ // Filter algorithms based on those supported by MultiAlgorithmSigner.
+ var keyAlgos []string
+ for _, algo := range algorithmsForKeyFormat(keyFormat) {
+ if contains(as.Algorithms(), underlyingAlgo(algo)) {
+ keyAlgos = append(keyAlgos, algo)
+ }
+ }
+
algo, err := findCommon("public key signature algorithm", keyAlgos, serverAlgos)
if err != nil {
- // If there is no overlap, try the key anyway with the key format
- // algorithm, to support servers that fail to list all supported
- // algorithms.
- return as, keyFormat
+ // If there is no overlap, return the fallback algorithm to support
+ // servers that fail to list all supported algorithms.
+ algo, err := getFallbackAlgo()
+ return as, algo, err
}
- return as, algo
+ return as, algo, nil
}
func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand io.Reader, extensions map[string][]byte) (authResult, []string, error) {
@@ -267,14 +306,39 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
return authFailure, nil, err
}
var methods []string
- for _, signer := range signers {
- pub := signer.PublicKey()
- as, algo := pickSignatureAlgorithm(signer, extensions)
+ var errSigAlgo error
+ origSignersLen := len(signers)
+ for idx := 0; idx < len(signers); idx++ {
+ signer := signers[idx]
+ pub := signer.PublicKey()
+ as, algo, err := pickSignatureAlgorithm(signer, extensions)
+ if err != nil && errSigAlgo == nil {
+ // If we cannot negotiate a signature algorithm store the first
+ // error so we can return it to provide a more meaningful message if
+ // no other signers work.
+ errSigAlgo = err
+ continue
+ }
ok, err := validateKey(pub, algo, user, c)
if err != nil {
return authFailure, nil, err
}
+ // OpenSSH 7.2-7.7 advertises support for rsa-sha2-256 and rsa-sha2-512
+ // in the "server-sig-algs" extension but doesn't support these
+ // algorithms for certificate authentication, so if the server rejects
+ // the key try to use the obtained algorithm as if "server-sig-algs" had
+ // not been implemented if supported from the algorithm signer.
+ if !ok && idx < origSignersLen && isRSACert(algo) && algo != CertAlgoRSAv01 {
+ if contains(as.Algorithms(), KeyAlgoRSA) {
+ // We retry using the compat algorithm after all signers have
+ // been tried normally.
+ signers = append(signers, &multiAlgorithmSigner{
+ AlgorithmSigner: as,
+ supportedAlgorithms: []string{KeyAlgoRSA},
+ })
+ }
+ }
if !ok {
continue
}
@@ -317,22 +381,12 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
// contain the "publickey" method, do not attempt to authenticate with any
// other keys. According to RFC 4252 Section 7, the latter can occur when
// additional authentication methods are required.
- if success == authSuccess || !containsMethod(methods, cb.method()) {
+ if success == authSuccess || !contains(methods, cb.method()) {
return success, methods, err
}
}
- return authFailure, methods, nil
-}
-
-func containsMethod(methods []string, method string) bool {
- for _, m := range methods {
- if m == method {
- return true
- }
- }
-
- return false
+ return authFailure, methods, errSigAlgo
}
// validateKey validates the key provided is acceptable to the server.
diff --git a/ssh/client_auth_test.go b/ssh/client_auth_test.go
index 35b62e3311..bf0aa1fe23 100644
--- a/ssh/client_auth_test.go
+++ b/ssh/client_auth_test.go
@@ -955,3 +955,330 @@ func TestAuthMethodGSSAPIWithMIC(t *testing.T) {
}
}
}
+
+func TestCompatibleAlgoAndSignatures(t *testing.T) {
+ type testcase struct {
+ algo string
+ sigFormat string
+ compatible bool
+ }
+ testcases := []*testcase{
+ {
+ KeyAlgoRSA,
+ KeyAlgoRSA,
+ true,
+ },
+ {
+ KeyAlgoRSA,
+ KeyAlgoRSASHA256,
+ true,
+ },
+ {
+ KeyAlgoRSA,
+ KeyAlgoRSASHA512,
+ true,
+ },
+ {
+ KeyAlgoRSASHA256,
+ KeyAlgoRSA,
+ true,
+ },
+ {
+ KeyAlgoRSASHA512,
+ KeyAlgoRSA,
+ true,
+ },
+ {
+ KeyAlgoRSASHA512,
+ KeyAlgoRSASHA256,
+ true,
+ },
+ {
+ KeyAlgoRSASHA256,
+ KeyAlgoRSASHA512,
+ true,
+ },
+ {
+ KeyAlgoRSASHA512,
+ KeyAlgoRSASHA512,
+ true,
+ },
+ {
+ CertAlgoRSAv01,
+ KeyAlgoRSA,
+ true,
+ },
+ {
+ CertAlgoRSAv01,
+ KeyAlgoRSASHA256,
+ true,
+ },
+ {
+ CertAlgoRSAv01,
+ KeyAlgoRSASHA512,
+ true,
+ },
+ {
+ CertAlgoRSASHA256v01,
+ KeyAlgoRSASHA512,
+ true,
+ },
+ {
+ CertAlgoRSASHA512v01,
+ KeyAlgoRSASHA512,
+ true,
+ },
+ {
+ CertAlgoRSASHA512v01,
+ KeyAlgoRSASHA256,
+ true,
+ },
+ {
+ CertAlgoRSASHA256v01,
+ CertAlgoRSAv01,
+ true,
+ },
+ {
+ CertAlgoRSAv01,
+ CertAlgoRSASHA512v01,
+ true,
+ },
+ {
+ KeyAlgoECDSA256,
+ KeyAlgoRSA,
+ false,
+ },
+ {
+ KeyAlgoECDSA256,
+ KeyAlgoECDSA521,
+ false,
+ },
+ {
+ KeyAlgoECDSA256,
+ KeyAlgoECDSA256,
+ true,
+ },
+ {
+ KeyAlgoECDSA256,
+ KeyAlgoED25519,
+ false,
+ },
+ {
+ KeyAlgoED25519,
+ KeyAlgoED25519,
+ true,
+ },
+ }
+
+ for _, c := range testcases {
+ if isAlgoCompatible(c.algo, c.sigFormat) != c.compatible {
+ t.Errorf("algorithm %q, signature format %q, expected compatible to be %t", c.algo, c.sigFormat, c.compatible)
+ }
+ }
+}
+
+func TestPickSignatureAlgorithm(t *testing.T) {
+ type testcase struct {
+ name string
+ extensions map[string][]byte
+ }
+ cases := []testcase{
+ {
+ name: "server with empty server-sig-algs",
+ extensions: map[string][]byte{
+ "server-sig-algs": []byte(``),
+ },
+ },
+ {
+ name: "server with no server-sig-algs",
+ extensions: nil,
+ },
+ }
+ for _, c := range cases {
+ t.Run(c.name, func(t *testing.T) {
+ signer, ok := testSigners["rsa"].(MultiAlgorithmSigner)
+ if !ok {
+ t.Fatalf("rsa test signer does not implement the MultiAlgorithmSigner interface")
+ }
+ // The signer supports the public key algorithm which is then returned.
+ _, algo, err := pickSignatureAlgorithm(signer, c.extensions)
+ if err != nil {
+ t.Fatalf("got %v, want no error", err)
+ }
+ if algo != signer.PublicKey().Type() {
+ t.Fatalf("got algo %q, want %q", algo, signer.PublicKey().Type())
+ }
+ // Test a signer that uses a certificate algorithm as the public key
+ // type.
+ cert := &Certificate{
+ CertType: UserCert,
+ Key: signer.PublicKey(),
+ }
+ cert.SignCert(rand.Reader, signer)
+
+ certSigner, err := NewCertSigner(cert, signer)
+ if err != nil {
+ t.Fatalf("error generating cert signer: %v", err)
+ }
+ // The signer supports the public key algorithm and the
+ // public key format is a certificate type so the cerificate
+ // algorithm matching the key format must be returned
+ _, algo, err = pickSignatureAlgorithm(certSigner, c.extensions)
+ if err != nil {
+ t.Fatalf("got %v, want no error", err)
+ }
+ if algo != certSigner.PublicKey().Type() {
+ t.Fatalf("got algo %q, want %q", algo, certSigner.PublicKey().Type())
+ }
+ signer, err = NewSignerWithAlgorithms(signer.(AlgorithmSigner), []string{KeyAlgoRSASHA512, KeyAlgoRSASHA256})
+ if err != nil {
+ t.Fatalf("unable to create signer with algorithms: %v", err)
+ }
+ // The signer does not support the public key algorithm so an error
+ // is returned.
+ _, _, err = pickSignatureAlgorithm(signer, c.extensions)
+ if err == nil {
+ t.Fatal("got no error, no common public key signature algorithm error expected")
+ }
+ })
+ }
+}
+
+// configurablePublicKeyCallback is a public key callback that allows to
+// configure the signature algorithm and format. This way we can emulate the
+// behavior of buggy clients.
+type configurablePublicKeyCallback struct {
+ signer AlgorithmSigner
+ signatureAlgo string
+ signatureFormat string
+}
+
+func (cb configurablePublicKeyCallback) method() string {
+ return "publickey"
+}
+
+func (cb configurablePublicKeyCallback) auth(session []byte, user string, c packetConn, rand io.Reader, extensions map[string][]byte) (authResult, []string, error) {
+ pub := cb.signer.PublicKey()
+
+ ok, err := validateKey(pub, cb.signatureAlgo, user, c)
+ if err != nil {
+ return authFailure, nil, err
+ }
+ if !ok {
+ return authFailure, nil, fmt.Errorf("invalid public key")
+ }
+
+ pubKey := pub.Marshal()
+ data := buildDataSignedForAuth(session, userAuthRequestMsg{
+ User: user,
+ Service: serviceSSH,
+ Method: cb.method(),
+ }, cb.signatureAlgo, pubKey)
+ sign, err := cb.signer.SignWithAlgorithm(rand, data, underlyingAlgo(cb.signatureFormat))
+ if err != nil {
+ return authFailure, nil, err
+ }
+
+ s := Marshal(sign)
+ sig := make([]byte, stringLength(len(s)))
+ marshalString(sig, s)
+ msg := publickeyAuthMsg{
+ User: user,
+ Service: serviceSSH,
+ Method: cb.method(),
+ HasSig: true,
+ Algoname: cb.signatureAlgo,
+ PubKey: pubKey,
+ Sig: sig,
+ }
+ p := Marshal(&msg)
+ if err := c.writePacket(p); err != nil {
+ return authFailure, nil, err
+ }
+ var success authResult
+ success, methods, err := handleAuthResponse(c)
+ if err != nil {
+ return authFailure, nil, err
+ }
+ if success == authSuccess || !contains(methods, cb.method()) {
+ return success, methods, err
+ }
+
+ return authFailure, methods, nil
+}
+
+func TestPublicKeyAndAlgoCompatibility(t *testing.T) {
+ cert := &Certificate{
+ Key: testPublicKeys["rsa"],
+ ValidBefore: CertTimeInfinity,
+ CertType: UserCert,
+ }
+ cert.SignCert(rand.Reader, testSigners["ecdsa"])
+ certSigner, err := NewCertSigner(cert, testSigners["rsa"])
+ if err != nil {
+ t.Fatalf("NewCertSigner: %v", err)
+ }
+
+ clientConfig := &ClientConfig{
+ User: "user",
+ HostKeyCallback: InsecureIgnoreHostKey(),
+ Auth: []AuthMethod{
+ configurablePublicKeyCallback{
+ signer: certSigner.(AlgorithmSigner),
+ signatureAlgo: KeyAlgoRSASHA256,
+ signatureFormat: KeyAlgoRSASHA256,
+ },
+ },
+ }
+ if err := tryAuth(t, clientConfig); err == nil {
+ t.Error("cert login passed with incompatible public key type and algorithm")
+ }
+}
+
+func TestClientAuthGPGAgentCompat(t *testing.T) {
+ clientConfig := &ClientConfig{
+ User: "testuser",
+ HostKeyCallback: InsecureIgnoreHostKey(),
+ Auth: []AuthMethod{
+ // algorithm rsa-sha2-512 and signature format ssh-rsa.
+ configurablePublicKeyCallback{
+ signer: testSigners["rsa"].(AlgorithmSigner),
+ signatureAlgo: KeyAlgoRSASHA512,
+ signatureFormat: KeyAlgoRSA,
+ },
+ },
+ }
+ if err := tryAuth(t, clientConfig); err != nil {
+ t.Fatalf("unable to dial remote side: %s", err)
+ }
+}
+
+func TestCertAuthOpenSSHCompat(t *testing.T) {
+ cert := &Certificate{
+ Key: testPublicKeys["rsa"],
+ ValidBefore: CertTimeInfinity,
+ CertType: UserCert,
+ }
+ cert.SignCert(rand.Reader, testSigners["ecdsa"])
+ certSigner, err := NewCertSigner(cert, testSigners["rsa"])
+ if err != nil {
+ t.Fatalf("NewCertSigner: %v", err)
+ }
+
+ clientConfig := &ClientConfig{
+ User: "user",
+ HostKeyCallback: InsecureIgnoreHostKey(),
+ Auth: []AuthMethod{
+ // algorithm ssh-rsa-cert-v01@openssh.com and signature format
+ // rsa-sha2-256.
+ configurablePublicKeyCallback{
+ signer: certSigner.(AlgorithmSigner),
+ signatureAlgo: CertAlgoRSAv01,
+ signatureFormat: KeyAlgoRSASHA256,
+ },
+ },
+ }
+ if err := tryAuth(t, clientConfig); err != nil {
+ t.Fatalf("unable to dial remote side: %s", err)
+ }
+}
diff --git a/ssh/client_test.go b/ssh/client_test.go
index 281475596c..2621f0ea52 100644
--- a/ssh/client_test.go
+++ b/ssh/client_test.go
@@ -7,6 +7,9 @@ package ssh
import (
"bytes"
"crypto/rand"
+ "errors"
+ "fmt"
+ "net"
"strings"
"testing"
)
@@ -207,9 +210,12 @@ func TestBannerCallback(t *testing.T) {
}
func TestNewClientConn(t *testing.T) {
+ errHostKeyMismatch := errors.New("host key mismatch")
+
for _, tt := range []struct {
- name string
- user string
+ name string
+ user string
+ simulateHostKeyMismatch HostKeyCallback
}{
{
name: "good user field for ConnMetadata",
@@ -219,6 +225,13 @@ func TestNewClientConn(t *testing.T) {
name: "empty user field for ConnMetadata",
user: "",
},
+ {
+ name: "host key mismatch",
+ user: "testuser",
+ simulateHostKeyMismatch: func(hostname string, remote net.Addr, key PublicKey) error {
+ return fmt.Errorf("%w: %s", errHostKeyMismatch, bytes.TrimSpace(MarshalAuthorizedKey(key)))
+ },
+ },
} {
t.Run(tt.name, func(t *testing.T) {
c1, c2, err := netPipe()
@@ -243,8 +256,16 @@ func TestNewClientConn(t *testing.T) {
},
HostKeyCallback: InsecureIgnoreHostKey(),
}
+
+ if tt.simulateHostKeyMismatch != nil {
+ clientConf.HostKeyCallback = tt.simulateHostKeyMismatch
+ }
+
clientConn, _, _, err := NewClientConn(c2, "", clientConf)
if err != nil {
+ if tt.simulateHostKeyMismatch != nil && errors.Is(err, errHostKeyMismatch) {
+ return
+ }
t.Fatal(err)
}
@@ -254,3 +275,93 @@ func TestNewClientConn(t *testing.T) {
})
}
}
+
+func TestUnsupportedAlgorithm(t *testing.T) {
+ for _, tt := range []struct {
+ name string
+ config Config
+ wantError string
+ }{
+ {
+ "unsupported KEX",
+ Config{
+ KeyExchanges: []string{"unsupported"},
+ },
+ "no common algorithm",
+ },
+ {
+ "unsupported and supported KEXs",
+ Config{
+ KeyExchanges: []string{"unsupported", kexAlgoCurve25519SHA256},
+ },
+ "",
+ },
+ {
+ "unsupported cipher",
+ Config{
+ Ciphers: []string{"unsupported"},
+ },
+ "no common algorithm",
+ },
+ {
+ "unsupported and supported ciphers",
+ Config{
+ Ciphers: []string{"unsupported", chacha20Poly1305ID},
+ },
+ "",
+ },
+ {
+ "unsupported MAC",
+ Config{
+ MACs: []string{"unsupported"},
+ // MAC is used for non AAED ciphers.
+ Ciphers: []string{"aes256-ctr"},
+ },
+ "no common algorithm",
+ },
+ {
+ "unsupported and supported MACs",
+ Config{
+ MACs: []string{"unsupported", "hmac-sha2-256-etm@openssh.com"},
+ // MAC is used for non AAED ciphers.
+ Ciphers: []string{"aes256-ctr"},
+ },
+ "",
+ },
+ } {
+ t.Run(tt.name, func(t *testing.T) {
+ c1, c2, err := netPipe()
+ if err != nil {
+ t.Fatalf("netPipe: %v", err)
+ }
+ defer c1.Close()
+ defer c2.Close()
+
+ serverConf := &ServerConfig{
+ Config: tt.config,
+ PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
+ return &Permissions{}, nil
+ },
+ }
+ serverConf.AddHostKey(testSigners["rsa"])
+ go NewServerConn(c1, serverConf)
+
+ clientConf := &ClientConfig{
+ User: "testuser",
+ Config: tt.config,
+ Auth: []AuthMethod{
+ Password("testpw"),
+ },
+ HostKeyCallback: InsecureIgnoreHostKey(),
+ }
+ _, _, _, err = NewClientConn(c2, "", clientConf)
+ if err != nil {
+ if tt.wantError == "" || !strings.Contains(err.Error(), tt.wantError) {
+ t.Errorf("%s: got error %q, missing %q", tt.name, err.Error(), tt.wantError)
+ }
+ } else if tt.wantError != "" {
+ t.Errorf("%s: succeeded, but want error string %q", tt.name, tt.wantError)
+ }
+ })
+ }
+}
diff --git a/ssh/common.go b/ssh/common.go
index 9ba6e10a4a..7e9c2cbc64 100644
--- a/ssh/common.go
+++ b/ssh/common.go
@@ -10,7 +10,6 @@ import (
"fmt"
"io"
"math"
- "strings"
"sync"
_ "crypto/sha1"
@@ -49,7 +48,8 @@ var supportedKexAlgos = []string{
// P384 and P521 are not constant-time yet, but since we don't
// reuse ephemeral keys, using them for ECDH should be OK.
kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
- kexAlgoDH14SHA256, kexAlgoDH14SHA1, kexAlgoDH1SHA1,
+ kexAlgoDH14SHA256, kexAlgoDH16SHA512, kexAlgoDH14SHA1,
+ kexAlgoDH1SHA1,
}
// serverForbiddenKexAlgos contains key exchange algorithms, that are forbidden
@@ -59,8 +59,9 @@ var serverForbiddenKexAlgos = map[string]struct{}{
kexAlgoDHGEXSHA256: {}, // server half implementation is only minimal to satisfy the automated tests
}
-// preferredKexAlgos specifies the default preference for key-exchange algorithms
-// in preference order.
+// preferredKexAlgos specifies the default preference for key-exchange
+// algorithms in preference order. The diffie-hellman-group16-sha512 algorithm
+// is disabled by default because it is a bit slower than the others.
var preferredKexAlgos = []string{
kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
@@ -70,12 +71,12 @@ var preferredKexAlgos = []string{
// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
// of authenticating servers) in preference order.
var supportedHostKeyAlgos = []string{
- CertAlgoRSASHA512v01, CertAlgoRSASHA256v01,
+ CertAlgoRSASHA256v01, CertAlgoRSASHA512v01,
CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
- KeyAlgoRSASHA512, KeyAlgoRSASHA256,
+ KeyAlgoRSASHA256, KeyAlgoRSASHA512,
KeyAlgoRSA, KeyAlgoDSA,
KeyAlgoED25519,
@@ -85,7 +86,7 @@ var supportedHostKeyAlgos = []string{
// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
// because they have reached the end of their useful life.
var supportedMACs = []string{
- "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96",
+ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96",
}
var supportedCompressions = []string{compressionNone}
@@ -119,6 +120,21 @@ func algorithmsForKeyFormat(keyFormat string) []string {
}
}
+// isRSA returns whether algo is a supported RSA algorithm, including certificate
+// algorithms.
+func isRSA(algo string) bool {
+ algos := algorithmsForKeyFormat(KeyAlgoRSA)
+ return contains(algos, underlyingAlgo(algo))
+}
+
+func isRSACert(algo string) bool {
+ _, ok := certKeyAlgoNames[algo]
+ if !ok {
+ return false
+ }
+ return isRSA(algo)
+}
+
// supportedPubKeyAuthAlgos specifies the supported client public key
// authentication algorithms. Note that this doesn't include certificate types
// since those use the underlying algorithm. This list is sent to the client if
@@ -131,8 +147,6 @@ var supportedPubKeyAuthAlgos = []string{
KeyAlgoDSA,
}
-var supportedPubKeyAuthAlgosList = strings.Join(supportedPubKeyAuthAlgos, ",")
-
// unexpectedMessageError results when the SSH message that we received didn't
// match what we wanted.
func unexpectedMessageError(expected, got uint8) error {
@@ -262,16 +276,16 @@ type Config struct {
// unspecified, a size suitable for the chosen cipher is used.
RekeyThreshold uint64
- // The allowed key exchanges algorithms. If unspecified then a
- // default set of algorithms is used.
+ // The allowed key exchanges algorithms. If unspecified then a default set
+ // of algorithms is used. Unsupported values are silently ignored.
KeyExchanges []string
- // The allowed cipher algorithms. If unspecified then a sensible
- // default is used.
+ // The allowed cipher algorithms. If unspecified then a sensible default is
+ // used. Unsupported values are silently ignored.
Ciphers []string
- // The allowed MAC algorithms. If unspecified then a sensible default
- // is used.
+ // The allowed MAC algorithms. If unspecified then a sensible default is
+ // used. Unsupported values are silently ignored.
MACs []string
}
@@ -288,7 +302,7 @@ func (c *Config) SetDefaults() {
var ciphers []string
for _, c := range c.Ciphers {
if cipherModes[c] != nil {
- // reject the cipher if we have no cipherModes definition
+ // Ignore the cipher if we have no cipherModes definition.
ciphers = append(ciphers, c)
}
}
@@ -297,10 +311,26 @@ func (c *Config) SetDefaults() {
if c.KeyExchanges == nil {
c.KeyExchanges = preferredKexAlgos
}
+ var kexs []string
+ for _, k := range c.KeyExchanges {
+ if kexAlgoMap[k] != nil {
+ // Ignore the KEX if we have no kexAlgoMap definition.
+ kexs = append(kexs, k)
+ }
+ }
+ c.KeyExchanges = kexs
if c.MACs == nil {
c.MACs = supportedMACs
}
+ var macs []string
+ for _, m := range c.MACs {
+ if macModes[m] != nil {
+ // Ignore the MAC if we have no macModes definition.
+ macs = append(macs, m)
+ }
+ }
+ c.MACs = macs
if c.RekeyThreshold == 0 {
// cipher specific default
diff --git a/ssh/common_test.go b/ssh/common_test.go
index 96744dcf0f..a7beee8e88 100644
--- a/ssh/common_test.go
+++ b/ssh/common_test.go
@@ -82,11 +82,11 @@ func TestFindAgreedAlgorithms(t *testing.T) {
}
cases := []testcase{
- testcase{
+ {
name: "standard",
},
- testcase{
+ {
name: "no common hostkey",
serverIn: kexInitMsg{
ServerHostKeyAlgos: []string{"hostkey2"},
@@ -94,7 +94,7 @@ func TestFindAgreedAlgorithms(t *testing.T) {
wantErr: true,
},
- testcase{
+ {
name: "no common kex",
serverIn: kexInitMsg{
KexAlgos: []string{"kex2"},
@@ -102,7 +102,7 @@ func TestFindAgreedAlgorithms(t *testing.T) {
wantErr: true,
},
- testcase{
+ {
name: "no common cipher",
serverIn: kexInitMsg{
CiphersClientServer: []string{"cipher2"},
@@ -110,7 +110,7 @@ func TestFindAgreedAlgorithms(t *testing.T) {
wantErr: true,
},
- testcase{
+ {
name: "client decides cipher",
serverIn: kexInitMsg{
CiphersClientServer: []string{"cipher1", "cipher2"},
diff --git a/ssh/doc.go b/ssh/doc.go
index f6bff60dc7..edbe63340d 100644
--- a/ssh/doc.go
+++ b/ssh/doc.go
@@ -13,6 +13,7 @@ others.
References:
+ [PROTOCOL]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL?rev=HEAD
[PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
[SSH-PARAMETERS]: http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
diff --git a/ssh/example_test.go b/ssh/example_test.go
index bee679603b..3920832c1a 100644
--- a/ssh/example_test.go
+++ b/ssh/example_test.go
@@ -7,6 +7,8 @@ package ssh_test
import (
"bufio"
"bytes"
+ "crypto/rand"
+ "crypto/rsa"
"fmt"
"log"
"net"
@@ -14,6 +16,7 @@ import (
"os"
"path/filepath"
"strings"
+ "sync"
"golang.org/x/crypto/ssh"
"golang.org/x/crypto/ssh/terminal"
@@ -75,7 +78,6 @@ func ExampleNewServerConn() {
if err != nil {
log.Fatal("Failed to parse private key: ", err)
}
-
config.AddHostKey(private)
// Once a ServerConfig has been configured, connections can be
@@ -97,8 +99,15 @@ func ExampleNewServerConn() {
}
log.Printf("logged in with key %s", conn.Permissions.Extensions["pubkey-fp"])
+ var wg sync.WaitGroup
+ defer wg.Wait()
+
// The incoming Request channel must be serviced.
- go ssh.DiscardRequests(reqs)
+ wg.Add(1)
+ go func() {
+ ssh.DiscardRequests(reqs)
+ wg.Done()
+ }()
// Service the incoming Channel channel.
for newChannel := range chans {
@@ -118,16 +127,22 @@ func ExampleNewServerConn() {
// Sessions have out-of-band requests such as "shell",
// "pty-req" and "env". Here we handle only the
// "shell" request.
+ wg.Add(1)
go func(in <-chan *ssh.Request) {
for req := range in {
req.Reply(req.Type == "shell", nil)
}
+ wg.Done()
}(requests)
term := terminal.NewTerminal(channel, "> ")
+ wg.Add(1)
go func() {
- defer channel.Close()
+ defer func() {
+ channel.Close()
+ wg.Done()
+ }()
for {
line, err := term.ReadLine()
if err != nil {
@@ -139,6 +154,36 @@ func ExampleNewServerConn() {
}
}
+func ExampleServerConfig_AddHostKey() {
+ // Minimal ServerConfig supporting only password authentication.
+ config := &ssh.ServerConfig{
+ PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
+ // Should use constant-time compare (or better, salt+hash) in
+ // a production setting.
+ if c.User() == "testuser" && string(pass) == "tiger" {
+ return nil, nil
+ }
+ return nil, fmt.Errorf("password rejected for %q", c.User())
+ },
+ }
+
+ privateBytes, err := os.ReadFile("id_rsa")
+ if err != nil {
+ log.Fatal("Failed to load private key: ", err)
+ }
+
+ private, err := ssh.ParsePrivateKey(privateBytes)
+ if err != nil {
+ log.Fatal("Failed to parse private key: ", err)
+ }
+ // Restrict host key algorithms to disable ssh-rsa.
+ signer, err := ssh.NewSignerWithAlgorithms(private.(ssh.AlgorithmSigner), []string{ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512})
+ if err != nil {
+ log.Fatal("Failed to create private key with restricted algorithms: ", err)
+ }
+ config.AddHostKey(signer)
+}
+
func ExampleClientConfig_HostKeyCallback() {
// Every client must provide a host key check. Here is a
// simple-minded parse of OpenSSH's known_hosts file
@@ -318,3 +363,38 @@ func ExampleSession_RequestPty() {
log.Fatal("failed to start shell: ", err)
}
}
+
+func ExampleCertificate_SignCert() {
+ // Sign a certificate with a specific algorithm.
+ privateKey, err := rsa.GenerateKey(rand.Reader, 3072)
+ if err != nil {
+ log.Fatal("unable to generate RSA key: ", err)
+ }
+ publicKey, err := ssh.NewPublicKey(&privateKey.PublicKey)
+ if err != nil {
+ log.Fatal("unable to get RSA public key: ", err)
+ }
+ caKey, err := rsa.GenerateKey(rand.Reader, 3072)
+ if err != nil {
+ log.Fatal("unable to generate CA key: ", err)
+ }
+ signer, err := ssh.NewSignerFromKey(caKey)
+ if err != nil {
+ log.Fatal("unable to generate signer from key: ", err)
+ }
+ mas, err := ssh.NewSignerWithAlgorithms(signer.(ssh.AlgorithmSigner), []string{ssh.KeyAlgoRSASHA256})
+ if err != nil {
+ log.Fatal("unable to create signer with algoritms: ", err)
+ }
+ certificate := ssh.Certificate{
+ Key: publicKey,
+ CertType: ssh.UserCert,
+ }
+ if err := certificate.SignCert(rand.Reader, mas); err != nil {
+ log.Fatal("unable to sign certificate: ", err)
+ }
+ // Save the public key to a file and check that rsa-sha-256 is used for
+ // signing:
+ // ssh-keygen -L -f <path to the file>
+ fmt.Println(string(ssh.MarshalAuthorizedKey(&certificate)))
+}
diff --git a/ssh/handshake.go b/ssh/handshake.go
index 07a1843e0a..56cdc7c21c 100644
--- a/ssh/handshake.go
+++ b/ssh/handshake.go
@@ -11,6 +11,7 @@ import (
"io"
"log"
"net"
+ "strings"
"sync"
)
@@ -34,6 +35,16 @@ type keyingTransport interface {
// direction will be effected if a msgNewKeys message is sent
// or received.
prepareKeyChange(*algorithms, *kexResult) error
+
+ // setStrictMode sets the strict KEX mode, notably triggering
+ // sequence number resets on sending or receiving msgNewKeys.
+ // If the sequence number is already > 1 when setStrictMode
+ // is called, an error is returned.
+ setStrictMode() error
+
+ // setInitialKEXDone indicates to the transport that the initial key exchange
+ // was completed
+ setInitialKEXDone()
}
// handshakeTransport implements rekeying on top of a keyingTransport
@@ -50,6 +61,10 @@ type handshakeTransport struct {
// connection.
hostKeys []Signer
+ // publicKeyAuthAlgorithms is non-empty if we are the server. In that case,
+ // it contains the supported client public key authentication algorithms.
+ publicKeyAuthAlgorithms []string
+
// hostKeyAlgorithms is non-empty if we are the client. In that case,
// we accept these key types from the server as host key.
hostKeyAlgorithms []string
@@ -95,6 +110,10 @@ type handshakeTransport struct {
// The session ID or nil if first kex did not complete yet.
sessionID []byte
+
+ // strictMode indicates if the other side of the handshake indicated
+ // that we should be following the strict KEX protocol restrictions.
+ strictMode bool
}
type pendingKex struct {
@@ -141,6 +160,7 @@ func newClientTransport(conn keyingTransport, clientVersion, serverVersion []byt
func newServerTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ServerConfig) *handshakeTransport {
t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
t.hostKeys = config.hostKeys
+ t.publicKeyAuthAlgorithms = config.PublicKeyAuthAlgorithms
go t.readLoop()
go t.kexLoop()
return t
@@ -203,7 +223,10 @@ func (t *handshakeTransport) readLoop() {
close(t.incoming)
break
}
- if p[0] == msgIgnore || p[0] == msgDebug {
+ // If this is the first kex, and strict KEX mode is enabled,
+ // we don't ignore any messages, as they may be used to manipulate
+ // the packet sequence numbers.
+ if !(t.sessionID == nil && t.strictMode) && (p[0] == msgIgnore || p[0] == msgDebug) {
continue
}
t.incoming <- p
@@ -435,6 +458,11 @@ func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) {
return successPacket, nil
}
+const (
+ kexStrictClient = "kex-strict-c-v00@openssh.com"
+ kexStrictServer = "kex-strict-s-v00@openssh.com"
+)
+
// sendKexInit sends a key change message.
func (t *handshakeTransport) sendKexInit() error {
t.mu.Lock()
@@ -448,7 +476,6 @@ func (t *handshakeTransport) sendKexInit() error {
}
msg := &kexInitMsg{
- KexAlgos: t.config.KeyExchanges,
CiphersClientServer: t.config.Ciphers,
CiphersServerClient: t.config.Ciphers,
MACsClientServer: t.config.MACs,
@@ -458,36 +485,55 @@ func (t *handshakeTransport) sendKexInit() error {
}
io.ReadFull(rand.Reader, msg.Cookie[:])
+ // We mutate the KexAlgos slice, in order to add the kex-strict extension algorithm,
+ // and possibly to add the ext-info extension algorithm. Since the slice may be the
+ // user owned KeyExchanges, we create our own slice in order to avoid using user
+ // owned memory by mistake.
+ msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+2) // room for kex-strict and ext-info
+ msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...)
+
isServer := len(t.hostKeys) > 0
if isServer {
for _, k := range t.hostKeys {
- // If k is an AlgorithmSigner, presume it supports all signature algorithms
- // associated with the key format. (Ideally AlgorithmSigner would have a
- // method to advertise supported algorithms, but it doesn't. This means that
- // adding support for a new algorithm is a breaking change, as we will
- // immediately negotiate it even if existing implementations don't support
- // it. If that ever happens, we'll have to figure something out.)
- // If k is not an AlgorithmSigner, we can only assume it only supports the
- // algorithms that matches the key format. (This means that Sign can't pick
- // a different default.)
+ // If k is a MultiAlgorithmSigner, we restrict the signature
+ // algorithms. If k is a AlgorithmSigner, presume it supports all
+ // signature algorithms associated with the key format. If k is not
+ // an AlgorithmSigner, we can only assume it only supports the
+ // algorithms that matches the key format. (This means that Sign
+ // can't pick a different default).
keyFormat := k.PublicKey().Type()
- if _, ok := k.(AlgorithmSigner); ok {
+
+ switch s := k.(type) {
+ case MultiAlgorithmSigner:
+ for _, algo := range algorithmsForKeyFormat(keyFormat) {
+ if contains(s.Algorithms(), underlyingAlgo(algo)) {
+ msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, algo)
+ }
+ }
+ case AlgorithmSigner:
msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, algorithmsForKeyFormat(keyFormat)...)
- } else {
+ default:
msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, keyFormat)
}
}
+
+ if t.sessionID == nil {
+ msg.KexAlgos = append(msg.KexAlgos, kexStrictServer)
+ }
} else {
msg.ServerHostKeyAlgos = t.hostKeyAlgorithms
// As a client we opt in to receiving SSH_MSG_EXT_INFO so we know what
// algorithms the server supports for public key authentication. See RFC
// 8308, Section 2.1.
+ //
+ // We also send the strict KEX mode extension algorithm, in order to opt
+ // into the strict KEX mode.
if firstKeyExchange := t.sessionID == nil; firstKeyExchange {
- msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+1)
- msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...)
msg.KexAlgos = append(msg.KexAlgos, "ext-info-c")
+ msg.KexAlgos = append(msg.KexAlgos, kexStrictClient)
}
+
}
packet := Marshal(msg)
@@ -593,6 +639,13 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
return err
}
+ if t.sessionID == nil && ((isClient && contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && contains(clientInit.KexAlgos, kexStrictClient))) {
+ t.strictMode = true
+ if err := t.conn.setStrictMode(); err != nil {
+ return err
+ }
+ }
+
// We don't send FirstKexFollows, but we handle receiving it.
//
// RFC 4253 section 7 defines the kex and the agreement method for
@@ -642,16 +695,21 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
// On the server side, after the first SSH_MSG_NEWKEYS, send a SSH_MSG_EXT_INFO
// message with the server-sig-algs extension if the client supports it. See
- // RFC 8308, Sections 2.4 and 3.1.
+ // RFC 8308, Sections 2.4 and 3.1, and [PROTOCOL], Section 1.9.
if !isClient && firstKeyExchange && contains(clientInit.KexAlgos, "ext-info-c") {
+ supportedPubKeyAuthAlgosList := strings.Join(t.publicKeyAuthAlgorithms, ",")
extInfo := &extInfoMsg{
- NumExtensions: 1,
- Payload: make([]byte, 0, 4+15+4+len(supportedPubKeyAuthAlgosList)),
+ NumExtensions: 2,
+ Payload: make([]byte, 0, 4+15+4+len(supportedPubKeyAuthAlgosList)+4+16+4+1),
}
extInfo.Payload = appendInt(extInfo.Payload, len("server-sig-algs"))
extInfo.Payload = append(extInfo.Payload, "server-sig-algs"...)
extInfo.Payload = appendInt(extInfo.Payload, len(supportedPubKeyAuthAlgosList))
extInfo.Payload = append(extInfo.Payload, supportedPubKeyAuthAlgosList...)
+ extInfo.Payload = appendInt(extInfo.Payload, len("ping@openssh.com"))
+ extInfo.Payload = append(extInfo.Payload, "ping@openssh.com"...)
+ extInfo.Payload = appendInt(extInfo.Payload, 1)
+ extInfo.Payload = append(extInfo.Payload, "0"...)
if err := t.conn.writePacket(Marshal(extInfo)); err != nil {
return err
}
@@ -663,6 +721,12 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
return unexpectedMessageError(msgNewKeys, packet[0])
}
+ if firstKeyExchange {
+ // Indicates to the transport that the first key exchange is completed
+ // after receiving SSH_MSG_NEWKEYS.
+ t.conn.setInitialKEXDone()
+ }
+
return nil
}
@@ -685,9 +749,16 @@ func (a algorithmSignerWrapper) SignWithAlgorithm(rand io.Reader, data []byte, a
func pickHostKey(hostKeys []Signer, algo string) AlgorithmSigner {
for _, k := range hostKeys {
+ if s, ok := k.(MultiAlgorithmSigner); ok {
+ if !contains(s.Algorithms(), underlyingAlgo(algo)) {
+ continue
+ }
+ }
+
if algo == k.PublicKey().Type() {
return algorithmSignerWrapper{k}
}
+
k, ok := k.(AlgorithmSigner)
if !ok {
continue
diff --git a/ssh/handshake_test.go b/ssh/handshake_test.go
index f190cbfa91..2bc607b649 100644
--- a/ssh/handshake_test.go
+++ b/ssh/handshake_test.go
@@ -148,6 +148,7 @@ func TestHandshakeBasic(t *testing.T) {
clientDone := make(chan int, 0)
gotHalf := make(chan int, 0)
const N = 20
+ errorCh := make(chan error, 1)
go func() {
defer close(clientDone)
@@ -158,7 +159,9 @@ func TestHandshakeBasic(t *testing.T) {
for i := 0; i < N; i++ {
p := []byte{msgRequestSuccess, byte(i)}
if err := trC.writePacket(p); err != nil {
- t.Fatalf("sendPacket: %v", err)
+ errorCh <- err
+ trC.Close()
+ return
}
if (i % 10) == 5 {
<-gotHalf
@@ -177,16 +180,15 @@ func TestHandshakeBasic(t *testing.T) {
checker.waitCall <- 1
}
}
+ errorCh <- nil
}()
// Server checks that client messages come in cleanly
i := 0
- err = nil
for ; i < N; i++ {
- var p []byte
- p, err = trS.readPacket()
- if err != nil {
- break
+ p, err := trS.readPacket()
+ if err != nil && err != io.EOF {
+ t.Fatalf("server error: %v", err)
}
if (i % 10) == 5 {
gotHalf <- 1
@@ -198,8 +200,8 @@ func TestHandshakeBasic(t *testing.T) {
}
}
<-clientDone
- if err != nil && err != io.EOF {
- t.Fatalf("server error: %v", err)
+ if err := <-errorCh; err != nil {
+ t.Fatalf("sendPacket: %v", err)
}
if i != N {
t.Errorf("received %d messages, want 10.", i)
@@ -345,16 +347,16 @@ func TestHandshakeAutoRekeyRead(t *testing.T) {
// While we read out the packet, a key change will be
// initiated.
- done := make(chan int, 1)
+ errorCh := make(chan error, 1)
go func() {
- defer close(done)
- if _, err := trC.readPacket(); err != nil {
- t.Fatalf("readPacket(client): %v", err)
- }
-
+ _, err := trC.readPacket()
+ errorCh <- err
}()
- <-done
+ if err := <-errorCh; err != nil {
+ t.Fatalf("readPacket(client): %v", err)
+ }
+
<-sync.called
}
@@ -393,6 +395,10 @@ func (n *errorKeyingTransport) readPacket() ([]byte, error) {
return n.packetConn.readPacket()
}
+func (n *errorKeyingTransport) setStrictMode() error { return nil }
+
+func (n *errorKeyingTransport) setInitialKEXDone() {}
+
func TestHandshakeErrorHandlingRead(t *testing.T) {
for i := 0; i < 20; i++ {
testHandshakeErrorHandlingN(t, i, -1, false)
@@ -618,3 +624,398 @@ func TestNoSHA2Support(t *testing.T) {
t.Fatal(err)
}
}
+
+func TestMultiAlgoSignerHandshake(t *testing.T) {
+ algorithmSigner, ok := testSigners["rsa"].(AlgorithmSigner)
+ if !ok {
+ t.Fatal("rsa test signer does not implement the AlgorithmSigner interface")
+ }
+ multiAlgoSigner, err := NewSignerWithAlgorithms(algorithmSigner, []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512})
+ if err != nil {
+ t.Fatalf("unable to create multi algorithm signer: %v", err)
+ }
+ c1, c2, err := netPipe()
+ if err != nil {
+ t.Fatalf("netPipe: %v", err)
+ }
+ defer c1.Close()
+ defer c2.Close()
+
+ serverConf := &ServerConfig{
+ PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
+ return &Permissions{}, nil
+ },
+ }
+ serverConf.AddHostKey(multiAlgoSigner)
+ go NewServerConn(c1, serverConf)
+
+ clientConf := &ClientConfig{
+ User: "test",
+ Auth: []AuthMethod{Password("testpw")},
+ HostKeyCallback: FixedHostKey(testSigners["rsa"].PublicKey()),
+ HostKeyAlgorithms: []string{KeyAlgoRSASHA512},
+ }
+
+ if _, _, _, err := NewClientConn(c2, "", clientConf); err != nil {
+ t.Fatal(err)
+ }
+}
+
+func TestMultiAlgoSignerNoCommonHostKeyAlgo(t *testing.T) {
+ algorithmSigner, ok := testSigners["rsa"].(AlgorithmSigner)
+ if !ok {
+ t.Fatal("rsa test signer does not implement the AlgorithmSigner interface")
+ }
+ multiAlgoSigner, err := NewSignerWithAlgorithms(algorithmSigner, []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512})
+ if err != nil {
+ t.Fatalf("unable to create multi algorithm signer: %v", err)
+ }
+ c1, c2, err := netPipe()
+ if err != nil {
+ t.Fatalf("netPipe: %v", err)
+ }
+ defer c1.Close()
+ defer c2.Close()
+
+ // ssh-rsa is disabled server side
+ serverConf := &ServerConfig{
+ PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
+ return &Permissions{}, nil
+ },
+ }
+ serverConf.AddHostKey(multiAlgoSigner)
+ go NewServerConn(c1, serverConf)
+
+ // the client only supports ssh-rsa
+ clientConf := &ClientConfig{
+ User: "test",
+ Auth: []AuthMethod{Password("testpw")},
+ HostKeyCallback: FixedHostKey(testSigners["rsa"].PublicKey()),
+ HostKeyAlgorithms: []string{KeyAlgoRSA},
+ }
+
+ _, _, _, err = NewClientConn(c2, "", clientConf)
+ if err == nil {
+ t.Fatal("succeeded connecting with no common hostkey algorithm")
+ }
+}
+
+func TestPickIncompatibleHostKeyAlgo(t *testing.T) {
+ algorithmSigner, ok := testSigners["rsa"].(AlgorithmSigner)
+ if !ok {
+ t.Fatal("rsa test signer does not implement the AlgorithmSigner interface")
+ }
+ multiAlgoSigner, err := NewSignerWithAlgorithms(algorithmSigner, []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512})
+ if err != nil {
+ t.Fatalf("unable to create multi algorithm signer: %v", err)
+ }
+ signer := pickHostKey([]Signer{multiAlgoSigner}, KeyAlgoRSA)
+ if signer != nil {
+ t.Fatal("incompatible signer returned")
+ }
+}
+
+func TestStrictKEXResetSeqFirstKEX(t *testing.T) {
+ if runtime.GOOS == "plan9" {
+ t.Skip("see golang.org/issue/7237")
+ }
+
+ checker := &syncChecker{
+ waitCall: make(chan int, 10),
+ called: make(chan int, 10),
+ }
+
+ checker.waitCall <- 1
+ trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: checker.Check}, "addr", false)
+ if err != nil {
+ t.Fatalf("handshakePair: %v", err)
+ }
+ <-checker.called
+
+ t.Cleanup(func() {
+ trC.Close()
+ trS.Close()
+ })
+
+ // Throw away the msgExtInfo packet sent during the handshake by the server
+ _, err = trC.readPacket()
+ if err != nil {
+ t.Fatalf("readPacket failed: %s", err)
+ }
+
+ // close the handshake transports before checking the sequence number to
+ // avoid races.
+ trC.Close()
+ trS.Close()
+
+ // check that the sequence number counters. We reset after msgNewKeys, but
+ // then the server immediately writes msgExtInfo, and we close the
+ // transports so we expect read 2, write 0 on the client and read 1, write 1
+ // on the server.
+ if trC.conn.(*transport).reader.seqNum != 2 || trC.conn.(*transport).writer.seqNum != 0 ||
+ trS.conn.(*transport).reader.seqNum != 1 || trS.conn.(*transport).writer.seqNum != 1 {
+ t.Errorf(
+ "unexpected sequence counters:\nclient: reader %d (expected 2), writer %d (expected 0)\nserver: reader %d (expected 1), writer %d (expected 1)",
+ trC.conn.(*transport).reader.seqNum,
+ trC.conn.(*transport).writer.seqNum,
+ trS.conn.(*transport).reader.seqNum,
+ trS.conn.(*transport).writer.seqNum,
+ )
+ }
+}
+
+func TestStrictKEXResetSeqSuccessiveKEX(t *testing.T) {
+ if runtime.GOOS == "plan9" {
+ t.Skip("see golang.org/issue/7237")
+ }
+
+ checker := &syncChecker{
+ waitCall: make(chan int, 10),
+ called: make(chan int, 10),
+ }
+
+ checker.waitCall <- 1
+ trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: checker.Check}, "addr", false)
+ if err != nil {
+ t.Fatalf("handshakePair: %v", err)
+ }
+ <-checker.called
+
+ t.Cleanup(func() {
+ trC.Close()
+ trS.Close()
+ })
+
+ // Throw away the msgExtInfo packet sent during the handshake by the server
+ _, err = trC.readPacket()
+ if err != nil {
+ t.Fatalf("readPacket failed: %s", err)
+ }
+
+ // write and read five packets on either side to bump the sequence numbers
+ for i := 0; i < 5; i++ {
+ if err := trC.writePacket([]byte{msgRequestSuccess}); err != nil {
+ t.Fatalf("writePacket failed: %s", err)
+ }
+ if _, err := trS.readPacket(); err != nil {
+ t.Fatalf("readPacket failed: %s", err)
+ }
+ if err := trS.writePacket([]byte{msgRequestSuccess}); err != nil {
+ t.Fatalf("writePacket failed: %s", err)
+ }
+ if _, err := trC.readPacket(); err != nil {
+ t.Fatalf("readPacket failed: %s", err)
+ }
+ }
+
+ // Request a key exchange, which should cause the sequence numbers to reset
+ checker.waitCall <- 1
+ trC.requestKeyExchange()
+ <-checker.called
+
+ // write a packet on the client, and then read it, to verify the key change has actually happened, since
+ // the HostKeyCallback is called _during_ the handshake, so isn't actually indicative of the handshake
+ // finishing.
+ dummyPacket := []byte{99}
+ if err := trS.writePacket(dummyPacket); err != nil {
+ t.Fatalf("writePacket failed: %s", err)
+ }
+ if p, err := trC.readPacket(); err != nil {
+ t.Fatalf("readPacket failed: %s", err)
+ } else if !bytes.Equal(p, dummyPacket) {
+ t.Fatalf("unexpected packet: got %x, want %x", p, dummyPacket)
+ }
+
+ // close the handshake transports before checking the sequence number to
+ // avoid races.
+ trC.Close()
+ trS.Close()
+
+ if trC.conn.(*transport).reader.seqNum != 2 || trC.conn.(*transport).writer.seqNum != 0 ||
+ trS.conn.(*transport).reader.seqNum != 1 || trS.conn.(*transport).writer.seqNum != 1 {
+ t.Errorf(
+ "unexpected sequence counters:\nclient: reader %d (expected 2), writer %d (expected 0)\nserver: reader %d (expected 1), writer %d (expected 1)",
+ trC.conn.(*transport).reader.seqNum,
+ trC.conn.(*transport).writer.seqNum,
+ trS.conn.(*transport).reader.seqNum,
+ trS.conn.(*transport).writer.seqNum,
+ )
+ }
+}
+
+func TestSeqNumIncrease(t *testing.T) {
+ if runtime.GOOS == "plan9" {
+ t.Skip("see golang.org/issue/7237")
+ }
+
+ checker := &syncChecker{
+ waitCall: make(chan int, 10),
+ called: make(chan int, 10),
+ }
+
+ checker.waitCall <- 1
+ trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: checker.Check}, "addr", false)
+ if err != nil {
+ t.Fatalf("handshakePair: %v", err)
+ }
+ <-checker.called
+
+ t.Cleanup(func() {
+ trC.Close()
+ trS.Close()
+ })
+
+ // Throw away the msgExtInfo packet sent during the handshake by the server
+ _, err = trC.readPacket()
+ if err != nil {
+ t.Fatalf("readPacket failed: %s", err)
+ }
+
+ // write and read five packets on either side to bump the sequence numbers
+ for i := 0; i < 5; i++ {
+ if err := trC.writePacket([]byte{msgRequestSuccess}); err != nil {
+ t.Fatalf("writePacket failed: %s", err)
+ }
+ if _, err := trS.readPacket(); err != nil {
+ t.Fatalf("readPacket failed: %s", err)
+ }
+ if err := trS.writePacket([]byte{msgRequestSuccess}); err != nil {
+ t.Fatalf("writePacket failed: %s", err)
+ }
+ if _, err := trC.readPacket(); err != nil {
+ t.Fatalf("readPacket failed: %s", err)
+ }
+ }
+
+ // close the handshake transports before checking the sequence number to
+ // avoid races.
+ trC.Close()
+ trS.Close()
+
+ if trC.conn.(*transport).reader.seqNum != 7 || trC.conn.(*transport).writer.seqNum != 5 ||
+ trS.conn.(*transport).reader.seqNum != 6 || trS.conn.(*transport).writer.seqNum != 6 {
+ t.Errorf(
+ "unexpected sequence counters:\nclient: reader %d (expected 7), writer %d (expected 5)\nserver: reader %d (expected 6), writer %d (expected 6)",
+ trC.conn.(*transport).reader.seqNum,
+ trC.conn.(*transport).writer.seqNum,
+ trS.conn.(*transport).reader.seqNum,
+ trS.conn.(*transport).writer.seqNum,
+ )
+ }
+}
+
+func TestStrictKEXUnexpectedMsg(t *testing.T) {
+ if runtime.GOOS == "plan9" {
+ t.Skip("see golang.org/issue/7237")
+ }
+
+ // Check that unexpected messages during the handshake cause failure
+ _, _, err := handshakePair(&ClientConfig{HostKeyCallback: func(hostname string, remote net.Addr, key PublicKey) error { return nil }}, "addr", true)
+ if err == nil {
+ t.Fatal("handshake should fail when there are unexpected messages during the handshake")
+ }
+
+ trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: func(hostname string, remote net.Addr, key PublicKey) error { return nil }}, "addr", false)
+ if err != nil {
+ t.Fatalf("handshake failed: %s", err)
+ }
+
+ // Check that ignore/debug pacekts are still ignored outside of the handshake
+ if err := trC.writePacket([]byte{msgIgnore}); err != nil {
+ t.Fatalf("writePacket failed: %s", err)
+ }
+ if err := trC.writePacket([]byte{msgDebug}); err != nil {
+ t.Fatalf("writePacket failed: %s", err)
+ }
+ dummyPacket := []byte{99}
+ if err := trC.writePacket(dummyPacket); err != nil {
+ t.Fatalf("writePacket failed: %s", err)
+ }
+
+ if p, err := trS.readPacket(); err != nil {
+ t.Fatalf("readPacket failed: %s", err)
+ } else if !bytes.Equal(p, dummyPacket) {
+ t.Fatalf("unexpected packet: got %x, want %x", p, dummyPacket)
+ }
+}
+
+func TestStrictKEXMixed(t *testing.T) {
+ // Test that we still support a mixed connection, where one side sends kex-strict but the other
+ // side doesn't.
+
+ a, b, err := netPipe()
+ if err != nil {
+ t.Fatalf("netPipe failed: %s", err)
+ }
+
+ var trC, trS keyingTransport
+
+ trC = newTransport(a, rand.Reader, true)
+ trS = newTransport(b, rand.Reader, false)
+ trS = addNoiseTransport(trS)
+
+ clientConf := &ClientConfig{HostKeyCallback: func(hostname string, remote net.Addr, key PublicKey) error { return nil }}
+ clientConf.SetDefaults()
+
+ v := []byte("version")
+ client := newClientTransport(trC, v, v, clientConf, "addr", a.RemoteAddr())
+
+ serverConf := &ServerConfig{}
+ serverConf.AddHostKey(testSigners["ecdsa"])
+ serverConf.AddHostKey(testSigners["rsa"])
+ serverConf.SetDefaults()
+
+ transport := newHandshakeTransport(trS, &serverConf.Config, []byte("version"), []byte("version"))
+ transport.hostKeys = serverConf.hostKeys
+ transport.publicKeyAuthAlgorithms = serverConf.PublicKeyAuthAlgorithms
+
+ readOneFailure := make(chan error, 1)
+ go func() {
+ if _, err := transport.readOnePacket(true); err != nil {
+ readOneFailure <- err
+ }
+ }()
+
+ // Basically sendKexInit, but without the kex-strict extension algorithm
+ msg := &kexInitMsg{
+ KexAlgos: transport.config.KeyExchanges,
+ CiphersClientServer: transport.config.Ciphers,
+ CiphersServerClient: transport.config.Ciphers,
+ MACsClientServer: transport.config.MACs,
+ MACsServerClient: transport.config.MACs,
+ CompressionClientServer: supportedCompressions,
+ CompressionServerClient: supportedCompressions,
+ ServerHostKeyAlgos: []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512, KeyAlgoRSA},
+ }
+ packet := Marshal(msg)
+ // writePacket destroys the contents, so save a copy.
+ packetCopy := make([]byte, len(packet))
+ copy(packetCopy, packet)
+ if err := transport.pushPacket(packetCopy); err != nil {
+ t.Fatalf("pushPacket: %s", err)
+ }
+ transport.sentInitMsg = msg
+ transport.sentInitPacket = packet
+
+ if err := transport.getWriteError(); err != nil {
+ t.Fatalf("getWriteError failed: %s", err)
+ }
+ var request *pendingKex
+ select {
+ case err = <-readOneFailure:
+ t.Fatalf("server readOnePacket failed: %s", err)
+ case request = <-transport.startKex:
+ break
+ }
+
+ // We expect the following calls to fail if the side which does not support
+ // kex-strict sends unexpected/ignored packets during the handshake, even if
+ // the other side does support kex-strict.
+
+ if err := transport.enterKeyExchange(request.otherInit); err != nil {
+ t.Fatalf("enterKeyExchange failed: %s", err)
+ }
+ if err := client.waitSession(); err != nil {
+ t.Fatalf("client.waitSession: %v", err)
+ }
+}
diff --git a/ssh/kex.go b/ssh/kex.go
index 927a90cd46..8a05f79902 100644
--- a/ssh/kex.go
+++ b/ssh/kex.go
@@ -23,6 +23,7 @@ const (
kexAlgoDH1SHA1 = "diffie-hellman-group1-sha1"
kexAlgoDH14SHA1 = "diffie-hellman-group14-sha1"
kexAlgoDH14SHA256 = "diffie-hellman-group14-sha256"
+ kexAlgoDH16SHA512 = "diffie-hellman-group16-sha512"
kexAlgoECDH256 = "ecdh-sha2-nistp256"
kexAlgoECDH384 = "ecdh-sha2-nistp384"
kexAlgoECDH521 = "ecdh-sha2-nistp521"
@@ -430,6 +431,17 @@ func init() {
hashFunc: crypto.SHA256,
}
+ // This is the group called diffie-hellman-group16-sha512 in RFC
+ // 8268 and Oakley Group 16 in RFC 3526.
+ p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF", 16)
+
+ kexAlgoMap[kexAlgoDH16SHA512] = &dhGroup{
+ g: new(big.Int).SetInt64(2),
+ p: p,
+ pMinus1: new(big.Int).Sub(p, bigOne),
+ hashFunc: crypto.SHA512,
+ }
+
kexAlgoMap[kexAlgoECDH521] = &ecdh{elliptic.P521()}
kexAlgoMap[kexAlgoECDH384] = &ecdh{elliptic.P384()}
kexAlgoMap[kexAlgoECDH256] = &ecdh{elliptic.P256()}
diff --git a/ssh/kex_test.go b/ssh/kex_test.go
index 327013b7d4..cb7f66a509 100644
--- a/ssh/kex_test.go
+++ b/ssh/kex_test.go
@@ -8,6 +8,7 @@ package ssh
import (
"crypto/rand"
+ "fmt"
"reflect"
"sync"
"testing"
@@ -63,3 +64,43 @@ func TestKexes(t *testing.T) {
})
}
}
+
+func BenchmarkKexes(b *testing.B) {
+ type kexResultErr struct {
+ result *kexResult
+ err error
+ }
+
+ for name, kex := range kexAlgoMap {
+ b.Run(name, func(b *testing.B) {
+ for i := 0; i < b.N; i++ {
+ t1, t2 := memPipe()
+
+ s := make(chan kexResultErr, 1)
+ c := make(chan kexResultErr, 1)
+ var magics handshakeMagics
+
+ go func() {
+ r, e := kex.Client(t1, rand.Reader, &magics)
+ t1.Close()
+ c <- kexResultErr{r, e}
+ }()
+ go func() {
+ r, e := kex.Server(t2, rand.Reader, &magics, testSigners["ecdsa"].(AlgorithmSigner), testSigners["ecdsa"].PublicKey().Type())
+ t2.Close()
+ s <- kexResultErr{r, e}
+ }()
+
+ clientRes := <-c
+ serverRes := <-s
+
+ if clientRes.err != nil {
+ panic(fmt.Sprintf("client: %v", clientRes.err))
+ }
+ if serverRes.err != nil {
+ panic(fmt.Sprintf("server: %v", serverRes.err))
+ }
+ }
+ })
+ }
+}
diff --git a/ssh/keys.go b/ssh/keys.go
index dac8ee7244..df4ebdada5 100644
--- a/ssh/keys.go
+++ b/ssh/keys.go
@@ -11,13 +11,16 @@ import (
"crypto/cipher"
"crypto/dsa"
"crypto/ecdsa"
+ "crypto/ed25519"
"crypto/elliptic"
"crypto/md5"
+ "crypto/rand"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"encoding/asn1"
"encoding/base64"
+ "encoding/binary"
"encoding/hex"
"encoding/pem"
"errors"
@@ -26,7 +29,6 @@ import (
"math/big"
"strings"
- "golang.org/x/crypto/ed25519"
"golang.org/x/crypto/ssh/internal/bcrypt_pbkdf"
)
@@ -295,6 +297,18 @@ func MarshalAuthorizedKey(key PublicKey) []byte {
return b.Bytes()
}
+// MarshalPrivateKey returns a PEM block with the private key serialized in the
+// OpenSSH format.
+func MarshalPrivateKey(key crypto.PrivateKey, comment string) (*pem.Block, error) {
+ return marshalOpenSSHPrivateKey(key, comment, unencryptedOpenSSHMarshaler)
+}
+
+// MarshalPrivateKeyWithPassphrase returns a PEM block holding the encrypted
+// private key serialized in the OpenSSH format.
+func MarshalPrivateKeyWithPassphrase(key crypto.PrivateKey, comment string, passphrase []byte) (*pem.Block, error) {
+ return marshalOpenSSHPrivateKey(key, comment, passphraseProtectedOpenSSHMarshaler(passphrase))
+}
+
// PublicKey represents a public key using an unspecified algorithm.
//
// Some PublicKeys provided by this package also implement CryptoPublicKey.
@@ -321,7 +335,7 @@ type CryptoPublicKey interface {
// A Signer can create signatures that verify against a public key.
//
-// Some Signers provided by this package also implement AlgorithmSigner.
+// Some Signers provided by this package also implement MultiAlgorithmSigner.
type Signer interface {
// PublicKey returns the associated PublicKey.
PublicKey() PublicKey
@@ -336,9 +350,9 @@ type Signer interface {
// An AlgorithmSigner is a Signer that also supports specifying an algorithm to
// use for signing.
//
-// An AlgorithmSigner can't advertise the algorithms it supports, so it should
-// be prepared to be invoked with every algorithm supported by the public key
-// format.
+// An AlgorithmSigner can't advertise the algorithms it supports, unless it also
+// implements MultiAlgorithmSigner, so it should be prepared to be invoked with
+// every algorithm supported by the public key format.
type AlgorithmSigner interface {
Signer
@@ -349,6 +363,75 @@ type AlgorithmSigner interface {
SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error)
}
+// MultiAlgorithmSigner is an AlgorithmSigner that also reports the algorithms
+// supported by that signer.
+type MultiAlgorithmSigner interface {
+ AlgorithmSigner
+
+ // Algorithms returns the available algorithms in preference order. The list
+ // must not be empty, and it must not include certificate types.
+ Algorithms() []string
+}
+
+// NewSignerWithAlgorithms returns a signer restricted to the specified
+// algorithms. The algorithms must be set in preference order. The list must not
+// be empty, and it must not include certificate types. An error is returned if
+// the specified algorithms are incompatible with the public key type.
+func NewSignerWithAlgorithms(signer AlgorithmSigner, algorithms []string) (MultiAlgorithmSigner, error) {
+ if len(algorithms) == 0 {
+ return nil, errors.New("ssh: please specify at least one valid signing algorithm")
+ }
+ var signerAlgos []string
+ supportedAlgos := algorithmsForKeyFormat(underlyingAlgo(signer.PublicKey().Type()))
+ if s, ok := signer.(*multiAlgorithmSigner); ok {
+ signerAlgos = s.Algorithms()
+ } else {
+ signerAlgos = supportedAlgos
+ }
+
+ for _, algo := range algorithms {
+ if !contains(supportedAlgos, algo) {
+ return nil, fmt.Errorf("ssh: algorithm %q is not supported for key type %q",
+ algo, signer.PublicKey().Type())
+ }
+ if !contains(signerAlgos, algo) {
+ return nil, fmt.Errorf("ssh: algorithm %q is restricted for the provided signer", algo)
+ }
+ }
+ return &multiAlgorithmSigner{
+ AlgorithmSigner: signer,
+ supportedAlgorithms: algorithms,
+ }, nil
+}
+
+type multiAlgorithmSigner struct {
+ AlgorithmSigner
+ supportedAlgorithms []string
+}
+
+func (s *multiAlgorithmSigner) Algorithms() []string {
+ return s.supportedAlgorithms
+}
+
+func (s *multiAlgorithmSigner) isAlgorithmSupported(algorithm string) bool {
+ if algorithm == "" {
+ algorithm = underlyingAlgo(s.PublicKey().Type())
+ }
+ for _, algo := range s.supportedAlgorithms {
+ if algorithm == algo {
+ return true
+ }
+ }
+ return false
+}
+
+func (s *multiAlgorithmSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) {
+ if !s.isAlgorithmSupported(algorithm) {
+ return nil, fmt.Errorf("ssh: algorithm %q is not supported: %v", algorithm, s.supportedAlgorithms)
+ }
+ return s.AlgorithmSigner.SignWithAlgorithm(rand, data, algorithm)
+}
+
type rsaPublicKey rsa.PublicKey
func (r *rsaPublicKey) Type() string {
@@ -512,6 +595,10 @@ func (k *dsaPrivateKey) Sign(rand io.Reader, data []byte) (*Signature, error) {
return k.SignWithAlgorithm(rand, data, k.PublicKey().Type())
}
+func (k *dsaPrivateKey) Algorithms() []string {
+ return []string{k.PublicKey().Type()}
+}
+
func (k *dsaPrivateKey) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) {
if algorithm != "" && algorithm != k.PublicKey().Type() {
return nil, fmt.Errorf("ssh: unsupported signature algorithm %s", algorithm)
@@ -961,13 +1048,16 @@ func (s *wrappedSigner) Sign(rand io.Reader, data []byte) (*Signature, error) {
return s.SignWithAlgorithm(rand, data, s.pubKey.Type())
}
+func (s *wrappedSigner) Algorithms() []string {
+ return algorithmsForKeyFormat(s.pubKey.Type())
+}
+
func (s *wrappedSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) {
if algorithm == "" {
algorithm = s.pubKey.Type()
}
- supportedAlgos := algorithmsForKeyFormat(s.pubKey.Type())
- if !contains(supportedAlgos, algorithm) {
+ if !contains(s.Algorithms(), algorithm) {
return nil, fmt.Errorf("ssh: unsupported signature algorithm %q for key format %q", algorithm, s.pubKey.Type())
}
@@ -1142,16 +1232,27 @@ func ParseRawPrivateKeyWithPassphrase(pemBytes, passphrase []byte) (interface{},
return nil, fmt.Errorf("ssh: cannot decode encrypted private keys: %v", err)
}
+ var result interface{}
+
switch block.Type {
case "RSA PRIVATE KEY":
- return x509.ParsePKCS1PrivateKey(buf)
+ result, err = x509.ParsePKCS1PrivateKey(buf)
case "EC PRIVATE KEY":
- return x509.ParseECPrivateKey(buf)
+ result, err = x509.ParseECPrivateKey(buf)
case "DSA PRIVATE KEY":
- return ParseDSAPrivateKey(buf)
+ result, err = ParseDSAPrivateKey(buf)
default:
- return nil, fmt.Errorf("ssh: unsupported key type %q", block.Type)
+ err = fmt.Errorf("ssh: unsupported key type %q", block.Type)
+ }
+ // Because of deficiencies in the format, DecryptPEMBlock does not always
+ // detect an incorrect password. In these cases decrypted DER bytes is
+ // random noise. If the parsing of the key returns an asn1.StructuralError
+ // we return x509.IncorrectPasswordError.
+ if _, ok := err.(asn1.StructuralError); ok {
+ return nil, x509.IncorrectPasswordError
}
+
+ return result, err
}
// ParseDSAPrivateKey returns a DSA private key from its ASN.1 DER encoding, as
@@ -1241,28 +1342,106 @@ func passphraseProtectedOpenSSHKey(passphrase []byte) openSSHDecryptFunc {
}
}
+func unencryptedOpenSSHMarshaler(privKeyBlock []byte) ([]byte, string, string, string, error) {
+ key := generateOpenSSHPadding(privKeyBlock, 8)
+ return key, "none", "none", "", nil
+}
+
+func passphraseProtectedOpenSSHMarshaler(passphrase []byte) openSSHEncryptFunc {
+ return func(privKeyBlock []byte) ([]byte, string, string, string, error) {
+ salt := make([]byte, 16)
+ if _, err := rand.Read(salt); err != nil {
+ return nil, "", "", "", err
+ }
+
+ opts := struct {
+ Salt []byte
+ Rounds uint32
+ }{salt, 16}
+
+ // Derive key to encrypt the private key block.
+ k, err := bcrypt_pbkdf.Key(passphrase, salt, int(opts.Rounds), 32+aes.BlockSize)
+ if err != nil {
+ return nil, "", "", "", err
+ }
+
+ // Add padding matching the block size of AES.
+ keyBlock := generateOpenSSHPadding(privKeyBlock, aes.BlockSize)
+
+ // Encrypt the private key using the derived secret.
+
+ dst := make([]byte, len(keyBlock))
+ key, iv := k[:32], k[32:]
+ block, err := aes.NewCipher(key)
+ if err != nil {
+ return nil, "", "", "", err
+ }
+
+ stream := cipher.NewCTR(block, iv)
+ stream.XORKeyStream(dst, keyBlock)
+
+ return dst, "aes256-ctr", "bcrypt", string(Marshal(opts)), nil
+ }
+}
+
+const privateKeyAuthMagic = "openssh-key-v1\x00"
+
type openSSHDecryptFunc func(CipherName, KdfName, KdfOpts string, PrivKeyBlock []byte) ([]byte, error)
+type openSSHEncryptFunc func(PrivKeyBlock []byte) (ProtectedKeyBlock []byte, cipherName, kdfName, kdfOptions string, err error)
+
+type openSSHEncryptedPrivateKey struct {
+ CipherName string
+ KdfName string
+ KdfOpts string
+ NumKeys uint32
+ PubKey []byte
+ PrivKeyBlock []byte
+}
+
+type openSSHPrivateKey struct {
+ Check1 uint32
+ Check2 uint32
+ Keytype string
+ Rest []byte `ssh:"rest"`
+}
+
+type openSSHRSAPrivateKey struct {
+ N *big.Int
+ E *big.Int
+ D *big.Int
+ Iqmp *big.Int
+ P *big.Int
+ Q *big.Int
+ Comment string
+ Pad []byte `ssh:"rest"`
+}
+
+type openSSHEd25519PrivateKey struct {
+ Pub []byte
+ Priv []byte
+ Comment string
+ Pad []byte `ssh:"rest"`
+}
+
+type openSSHECDSAPrivateKey struct {
+ Curve string
+ Pub []byte
+ D *big.Int
+ Comment string
+ Pad []byte `ssh:"rest"`
+}
// parseOpenSSHPrivateKey parses an OpenSSH private key, using the decrypt
// function to unwrap the encrypted portion. unencryptedOpenSSHKey can be used
// as the decrypt function to parse an unencrypted private key. See
// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key.
func parseOpenSSHPrivateKey(key []byte, decrypt openSSHDecryptFunc) (crypto.PrivateKey, error) {
- const magic = "openssh-key-v1\x00"
- if len(key) < len(magic) || string(key[:len(magic)]) != magic {
+ if len(key) < len(privateKeyAuthMagic) || string(key[:len(privateKeyAuthMagic)]) != privateKeyAuthMagic {
return nil, errors.New("ssh: invalid openssh private key format")
}
- remaining := key[len(magic):]
-
- var w struct {
- CipherName string
- KdfName string
- KdfOpts string
- NumKeys uint32
- PubKey []byte
- PrivKeyBlock []byte
- }
+ remaining := key[len(privateKeyAuthMagic):]
+ var w openSSHEncryptedPrivateKey
if err := Unmarshal(remaining, &w); err != nil {
return nil, err
}
@@ -1284,13 +1463,7 @@ func parseOpenSSHPrivateKey(key []byte, decrypt openSSHDecryptFunc) (crypto.Priv
return nil, err
}
- pk1 := struct {
- Check1 uint32
- Check2 uint32
- Keytype string
- Rest []byte `ssh:"rest"`
- }{}
-
+ var pk1 openSSHPrivateKey
if err := Unmarshal(privKeyBlock, &pk1); err != nil || pk1.Check1 != pk1.Check2 {
if w.CipherName != "none" {
return nil, x509.IncorrectPasswordError
@@ -1300,18 +1473,7 @@ func parseOpenSSHPrivateKey(key []byte, decrypt openSSHDecryptFunc) (crypto.Priv
switch pk1.Keytype {
case KeyAlgoRSA:
- // https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L2760-L2773
- key := struct {
- N *big.Int
- E *big.Int
- D *big.Int
- Iqmp *big.Int
- P *big.Int
- Q *big.Int
- Comment string
- Pad []byte `ssh:"rest"`
- }{}
-
+ var key openSSHRSAPrivateKey
if err := Unmarshal(pk1.Rest, &key); err != nil {
return nil, err
}
@@ -1337,13 +1499,7 @@ func parseOpenSSHPrivateKey(key []byte, decrypt openSSHDecryptFunc) (crypto.Priv
return pk, nil
case KeyAlgoED25519:
- key := struct {
- Pub []byte
- Priv []byte
- Comment string
- Pad []byte `ssh:"rest"`
- }{}
-
+ var key openSSHEd25519PrivateKey
if err := Unmarshal(pk1.Rest, &key); err != nil {
return nil, err
}
@@ -1360,14 +1516,7 @@ func parseOpenSSHPrivateKey(key []byte, decrypt openSSHDecryptFunc) (crypto.Priv
copy(pk, key.Priv)
return &pk, nil
case KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521:
- key := struct {
- Curve string
- Pub []byte
- D *big.Int
- Comment string
- Pad []byte `ssh:"rest"`
- }{}
-
+ var key openSSHECDSAPrivateKey
if err := Unmarshal(pk1.Rest, &key); err != nil {
return nil, err
}
@@ -1415,6 +1564,131 @@ func parseOpenSSHPrivateKey(key []byte, decrypt openSSHDecryptFunc) (crypto.Priv
}
}
+func marshalOpenSSHPrivateKey(key crypto.PrivateKey, comment string, encrypt openSSHEncryptFunc) (*pem.Block, error) {
+ var w openSSHEncryptedPrivateKey
+ var pk1 openSSHPrivateKey
+
+ // Random check bytes.
+ var check uint32
+ if err := binary.Read(rand.Reader, binary.BigEndian, &check); err != nil {
+ return nil, err
+ }
+
+ pk1.Check1 = check
+ pk1.Check2 = check
+ w.NumKeys = 1
+
+ // Use a []byte directly on ed25519 keys.
+ if k, ok := key.(*ed25519.PrivateKey); ok {
+ key = *k
+ }
+
+ switch k := key.(type) {
+ case *rsa.PrivateKey:
+ E := new(big.Int).SetInt64(int64(k.PublicKey.E))
+ // Marshal public key:
+ // E and N are in reversed order in the public and private key.
+ pubKey := struct {
+ KeyType string
+ E *big.Int
+ N *big.Int
+ }{
+ KeyAlgoRSA,
+ E, k.PublicKey.N,
+ }
+ w.PubKey = Marshal(pubKey)
+
+ // Marshal private key.
+ key := openSSHRSAPrivateKey{
+ N: k.PublicKey.N,
+ E: E,
+ D: k.D,
+ Iqmp: k.Precomputed.Qinv,
+ P: k.Primes[0],
+ Q: k.Primes[1],
+ Comment: comment,
+ }
+ pk1.Keytype = KeyAlgoRSA
+ pk1.Rest = Marshal(key)
+ case ed25519.PrivateKey:
+ pub := make([]byte, ed25519.PublicKeySize)
+ priv := make([]byte, ed25519.PrivateKeySize)
+ copy(pub, k[32:])
+ copy(priv, k)
+
+ // Marshal public key.
+ pubKey := struct {
+ KeyType string
+ Pub []byte
+ }{
+ KeyAlgoED25519, pub,
+ }
+ w.PubKey = Marshal(pubKey)
+
+ // Marshal private key.
+ key := openSSHEd25519PrivateKey{
+ Pub: pub,
+ Priv: priv,
+ Comment: comment,
+ }
+ pk1.Keytype = KeyAlgoED25519
+ pk1.Rest = Marshal(key)
+ case *ecdsa.PrivateKey:
+ var curve, keyType string
+ switch name := k.Curve.Params().Name; name {
+ case "P-256":
+ curve = "nistp256"
+ keyType = KeyAlgoECDSA256
+ case "P-384":
+ curve = "nistp384"
+ keyType = KeyAlgoECDSA384
+ case "P-521":
+ curve = "nistp521"
+ keyType = KeyAlgoECDSA521
+ default:
+ return nil, errors.New("ssh: unhandled elliptic curve " + name)
+ }
+
+ pub := elliptic.Marshal(k.Curve, k.PublicKey.X, k.PublicKey.Y)
+
+ // Marshal public key.
+ pubKey := struct {
+ KeyType string
+ Curve string
+ Pub []byte
+ }{
+ keyType, curve, pub,
+ }
+ w.PubKey = Marshal(pubKey)
+
+ // Marshal private key.
+ key := openSSHECDSAPrivateKey{
+ Curve: curve,
+ Pub: pub,
+ D: k.D,
+ Comment: comment,
+ }
+ pk1.Keytype = keyType
+ pk1.Rest = Marshal(key)
+ default:
+ return nil, fmt.Errorf("ssh: unsupported key type %T", k)
+ }
+
+ var err error
+ // Add padding and encrypt the key if necessary.
+ w.PrivKeyBlock, w.CipherName, w.KdfName, w.KdfOpts, err = encrypt(Marshal(pk1))
+ if err != nil {
+ return nil, err
+ }
+
+ b := Marshal(w)
+ block := &pem.Block{
+ Type: "OPENSSH PRIVATE KEY",
+ Bytes: append([]byte(privateKeyAuthMagic), b...),
+ }
+ return block, nil
+}
+
func checkOpenSSHKeyPadding(pad []byte) error {
for i, b := range pad {
if int(b) != i+1 {
@@ -1424,6 +1698,13 @@ func checkOpenSSHKeyPadding(pad []byte) error {
return nil
}
+func generateOpenSSHPadding(block []byte, blockSize int) []byte {
+ for i, l := 0, len(block); (l+i)%blockSize != 0; i++ {
+ block = append(block, byte(i+1))
+ }
+ return block
+}
+
// FingerprintLegacyMD5 returns the user presentation of the key's
// fingerprint as described by RFC 4716 section 4.
func FingerprintLegacyMD5(pubKey PublicKey) string {
diff --git a/ssh/keys_test.go b/ssh/keys_test.go
index 334ef74532..3e18488f34 100644
--- a/ssh/keys_test.go
+++ b/ssh/keys_test.go
@@ -8,6 +8,7 @@ import (
"bytes"
"crypto/dsa"
"crypto/ecdsa"
+ "crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
@@ -15,13 +16,13 @@ import (
"encoding/base64"
"encoding/hex"
"encoding/pem"
+ "errors"
"fmt"
"io"
"reflect"
"strings"
"testing"
- "golang.org/x/crypto/ed25519"
"golang.org/x/crypto/ssh/testdata"
)
@@ -111,9 +112,9 @@ func TestKeySignVerify(t *testing.T) {
}
func TestKeySignWithAlgorithmVerify(t *testing.T) {
- for _, priv := range testSigners {
- if algorithmSigner, ok := priv.(AlgorithmSigner); !ok {
- t.Errorf("Signers constructed by ssh package should always implement the AlgorithmSigner interface: %T", priv)
+ for k, priv := range testSigners {
+ if algorithmSigner, ok := priv.(MultiAlgorithmSigner); !ok {
+ t.Errorf("Signers %q constructed by ssh package should always implement the MultiAlgorithmSigner interface: %T", k, priv)
} else {
pub := priv.PublicKey()
data := []byte("sign me")
@@ -221,6 +222,16 @@ func TestParseEncryptedPrivateKeysWithPassphrase(t *testing.T) {
}
}
+func TestParseEncryptedPrivateKeysWithIncorrectPassphrase(t *testing.T) {
+ pem := testdata.PEMEncryptedKeys[0].PEMBytes
+ for i := 0; i < 4096; i++ {
+ _, err := ParseRawPrivateKeyWithPassphrase(pem, []byte(fmt.Sprintf("%d", i)))
+ if !errors.Is(err, x509.IncorrectPasswordError) {
+ t.Fatalf("expected error: %v, got: %v", x509.IncorrectPasswordError, err)
+ }
+ }
+}
+
func TestParseDSA(t *testing.T) {
// We actually exercise the ParsePrivateKey codepath here, as opposed to
// using the ParseRawPrivateKey+NewSignerFromKey path that testdata_test.go
@@ -281,6 +292,74 @@ func TestMarshalParsePublicKey(t *testing.T) {
}
}
+func TestMarshalPrivateKey(t *testing.T) {
+ tests := []struct {
+ name string
+ }{
+ {"rsa-openssh-format"},
+ {"ed25519"},
+ {"p256-openssh-format"},
+ {"p384-openssh-format"},
+ {"p521-openssh-format"},
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ expected, ok := testPrivateKeys[tt.name]
+ if !ok {
+ t.Fatalf("cannot find key %s", tt.name)
+ }
+
+ block, err := MarshalPrivateKey(expected, "test@golang.org")
+ if err != nil {
+ t.Fatalf("cannot marshal %s: %v", tt.name, err)
+ }
+
+ key, err := ParseRawPrivateKey(pem.EncodeToMemory(block))
+ if err != nil {
+ t.Fatalf("cannot parse %s: %v", tt.name, err)
+ }
+
+ if !reflect.DeepEqual(expected, key) {
+ t.Errorf("unexpected marshaled key %s", tt.name)
+ }
+ })
+ }
+}
+
+func TestMarshalPrivateKeyWithPassphrase(t *testing.T) {
+ tests := []struct {
+ name string
+ }{
+ {"rsa-openssh-format"},
+ {"ed25519"},
+ {"p256-openssh-format"},
+ {"p384-openssh-format"},
+ {"p521-openssh-format"},
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ expected, ok := testPrivateKeys[tt.name]
+ if !ok {
+ t.Fatalf("cannot find key %s", tt.name)
+ }
+
+ block, err := MarshalPrivateKeyWithPassphrase(expected, "test@golang.org", []byte("test-passphrase"))
+ if err != nil {
+ t.Fatalf("cannot marshal %s: %v", tt.name, err)
+ }
+
+ key, err := ParseRawPrivateKeyWithPassphrase(pem.EncodeToMemory(block), []byte("test-passphrase"))
+ if err != nil {
+ t.Fatalf("cannot parse %s: %v", tt.name, err)
+ }
+
+ if !reflect.DeepEqual(expected, key) {
+ t.Errorf("unexpected marshaled key %s", tt.name)
+ }
+ })
+ }
+}
+
type testAuthResult struct {
pubKey PublicKey
options []string
@@ -616,3 +695,34 @@ func TestSKKeys(t *testing.T) {
}
}
}
+
+func TestNewSignerWithAlgos(t *testing.T) {
+ algorithSigner, ok := testSigners["rsa"].(AlgorithmSigner)
+ if !ok {
+ t.Fatal("rsa test signer does not implement the AlgorithmSigner interface")
+ }
+ _, err := NewSignerWithAlgorithms(algorithSigner, nil)
+ if err == nil {
+ t.Error("signer with algos created with no algorithms")
+ }
+
+ _, err = NewSignerWithAlgorithms(algorithSigner, []string{KeyAlgoED25519})
+ if err == nil {
+ t.Error("signer with algos created with invalid algorithms")
+ }
+
+ _, err = NewSignerWithAlgorithms(algorithSigner, []string{CertAlgoRSASHA256v01})
+ if err == nil {
+ t.Error("signer with algos created with certificate algorithms")
+ }
+
+ mas, err := NewSignerWithAlgorithms(algorithSigner, []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512})
+ if err != nil {
+ t.Errorf("unable to create signer with valid algorithms: %v", err)
+ }
+
+ _, err = NewSignerWithAlgorithms(mas, []string{KeyAlgoRSA})
+ if err == nil {
+ t.Error("signer with algos created with restricted algorithms")
+ }
+}
diff --git a/ssh/mempipe_test.go b/ssh/mempipe_test.go
index 8697cd6140..f27339c51a 100644
--- a/ssh/mempipe_test.go
+++ b/ssh/mempipe_test.go
@@ -13,9 +13,10 @@ import (
// An in-memory packetConn. It is safe to call Close and writePacket
// from different goroutines.
type memTransport struct {
- eof bool
- pending [][]byte
- write *memTransport
+ eof bool
+ pending [][]byte
+ write *memTransport
+ writeCount uint64
sync.Mutex
*sync.Cond
}
@@ -63,9 +64,16 @@ func (t *memTransport) writePacket(p []byte) error {
copy(c, p)
t.write.pending = append(t.write.pending, c)
t.write.Cond.Signal()
+ t.writeCount++
return nil
}
+func (t *memTransport) getWriteCount() uint64 {
+ t.write.Lock()
+ defer t.write.Unlock()
+ return t.writeCount
+}
+
func memPipe() (a, b packetConn) {
t1 := memTransport{}
t2 := memTransport{}
@@ -81,6 +89,9 @@ func TestMemPipe(t *testing.T) {
if err := a.writePacket([]byte{42}); err != nil {
t.Fatalf("writePacket: %v", err)
}
+ if wc := a.(*memTransport).getWriteCount(); wc != 1 {
+ t.Fatalf("got %v, want 1", wc)
+ }
if err := a.Close(); err != nil {
t.Fatal("Close: ", err)
}
@@ -95,6 +106,9 @@ func TestMemPipe(t *testing.T) {
if err != io.EOF {
t.Fatalf("got %v, %v, want EOF", p, err)
}
+ if wc := b.(*memTransport).getWriteCount(); wc != 0 {
+ t.Fatalf("got %v, want 0", wc)
+ }
}
func TestDoubleClose(t *testing.T) {
diff --git a/ssh/messages.go b/ssh/messages.go
index 922032d952..b55f860564 100644
--- a/ssh/messages.go
+++ b/ssh/messages.go
@@ -349,6 +349,20 @@ type userAuthGSSAPIError struct {
LanguageTag string
}
+// Transport layer OpenSSH extension. See [PROTOCOL], section 1.9
+const msgPing = 192
+
+type pingMsg struct {
+ Data string `sshtype:"192"`
+}
+
+// Transport layer OpenSSH extension. See [PROTOCOL], section 1.9
+const msgPong = 193
+
+type pongMsg struct {
+ Data string `sshtype:"193"`
+}
+
// typeTags returns the possible type bytes for the given reflect.Type, which
// should be a struct. The possible values are separated by a '|' character.
func typeTags(structType reflect.Type) (tags []byte) {
diff --git a/ssh/mux.go b/ssh/mux.go
index 9654c01869..d2d24c635d 100644
--- a/ssh/mux.go
+++ b/ssh/mux.go
@@ -231,6 +231,12 @@ func (m *mux) onePacket() error {
return m.handleChannelOpen(packet)
case msgGlobalRequest, msgRequestSuccess, msgRequestFailure:
return m.handleGlobalPacket(packet)
+ case msgPing:
+ var msg pingMsg
+ if err := Unmarshal(packet, &msg); err != nil {
+ return fmt.Errorf("failed to unmarshal ping@openssh.com message: %w", err)
+ }
+ return m.sendMessage(pongMsg(msg))
}
// assume a channel packet.
diff --git a/ssh/mux_test.go b/ssh/mux_test.go
index 393017c08c..21f0ac3e32 100644
--- a/ssh/mux_test.go
+++ b/ssh/mux_test.go
@@ -5,10 +5,11 @@
package ssh
import (
+ "errors"
+ "fmt"
"io"
"sync"
"testing"
- "time"
)
func muxPair() (*mux, *mux) {
@@ -29,14 +30,21 @@ func channelPair(t *testing.T) (*channel, *channel, *mux) {
go func() {
newCh, ok := <-s.incomingChannels
if !ok {
- t.Fatalf("No incoming channel")
+ t.Error("no incoming channel")
+ close(res)
+ return
}
if newCh.ChannelType() != "chan" {
- t.Fatalf("got type %q want chan", newCh.ChannelType())
+ t.Errorf("got type %q want chan", newCh.ChannelType())
+ newCh.Reject(Prohibited, fmt.Sprintf("got type %q want chan", newCh.ChannelType()))
+ close(res)
+ return
}
ch, _, err := newCh.Accept()
if err != nil {
- t.Fatalf("Accept %v", err)
+ t.Errorf("accept: %v", err)
+ close(res)
+ return
}
res <- ch.(*channel)
}()
@@ -45,8 +53,12 @@ func channelPair(t *testing.T) (*channel, *channel, *mux) {
if err != nil {
t.Fatalf("OpenChannel: %v", err)
}
+ w := <-res
+ if w == nil {
+ t.Fatal("unable to get write channel")
+ }
- return <-res, ch, c
+ return w, ch, c
}
// Test that stderr and stdout can be addressed from different
@@ -74,14 +86,14 @@ func TestMuxChannelExtendedThreadSafety(t *testing.T) {
go func() {
c, err := io.ReadAll(reader)
if string(c) != magic {
- t.Fatalf("stdout read got %q, want %q (error %s)", c, magic, err)
+ t.Errorf("stdout read got %q, want %q (error %s)", c, magic, err)
}
rd.Done()
}()
go func() {
c, err := io.ReadAll(reader.Stderr())
if string(c) != magic {
- t.Fatalf("stderr read got %q, want %q (error %s)", c, magic, err)
+ t.Errorf("stderr read got %q, want %q (error %s)", c, magic, err)
}
rd.Done()
}()
@@ -99,14 +111,20 @@ func TestMuxReadWrite(t *testing.T) {
magic := "hello world"
magicExt := "hello stderr"
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
+ wg.Add(1)
go func() {
+ defer wg.Done()
_, err := s.Write([]byte(magic))
if err != nil {
- t.Fatalf("Write: %v", err)
+ t.Errorf("Write: %v", err)
+ return
}
_, err = s.Extended(1).Write([]byte(magicExt))
if err != nil {
- t.Fatalf("Write: %v", err)
+ t.Errorf("Write: %v", err)
+ return
}
}()
@@ -137,13 +155,15 @@ func TestMuxChannelOverflow(t *testing.T) {
defer writer.Close()
defer mux.Close()
- wDone := make(chan int, 1)
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
+ wg.Add(1)
go func() {
+ defer wg.Done()
if _, err := writer.Write(make([]byte, channelWindowSize)); err != nil {
t.Errorf("could not fill window: %v", err)
}
writer.Write(make([]byte, 1))
- wDone <- 1
}()
writer.remoteWin.waitWriterBlocked()
@@ -160,7 +180,40 @@ func TestMuxChannelOverflow(t *testing.T) {
if _, err := reader.SendRequest("hello", true, nil); err == nil {
t.Errorf("SendRequest succeeded.")
}
- <-wDone
+}
+
+func TestMuxChannelReadUnblock(t *testing.T) {
+ reader, writer, mux := channelPair(t)
+ defer reader.Close()
+ defer writer.Close()
+ defer mux.Close()
+
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
+ wg.Add(1)
+ go func() {
+ defer wg.Done()
+ if _, err := writer.Write(make([]byte, channelWindowSize)); err != nil {
+ t.Errorf("could not fill window: %v", err)
+ }
+ if _, err := writer.Write(make([]byte, 1)); err != nil {
+ t.Errorf("Write: %v", err)
+ }
+ writer.Close()
+ }()
+
+ writer.remoteWin.waitWriterBlocked()
+
+ buf := make([]byte, 32768)
+ for {
+ _, err := reader.Read(buf)
+ if err == io.EOF {
+ break
+ }
+ if err != nil {
+ t.Fatalf("Read: %v", err)
+ }
+ }
}
func TestMuxChannelCloseWriteUnblock(t *testing.T) {
@@ -169,20 +222,21 @@ func TestMuxChannelCloseWriteUnblock(t *testing.T) {
defer writer.Close()
defer mux.Close()
- wDone := make(chan int, 1)
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
+ wg.Add(1)
go func() {
+ defer wg.Done()
if _, err := writer.Write(make([]byte, channelWindowSize)); err != nil {
t.Errorf("could not fill window: %v", err)
}
if _, err := writer.Write(make([]byte, 1)); err != io.EOF {
t.Errorf("got %v, want EOF for unblock write", err)
}
- wDone <- 1
}()
writer.remoteWin.waitWriterBlocked()
reader.Close()
- <-wDone
}
func TestMuxConnectionCloseWriteUnblock(t *testing.T) {
@@ -191,20 +245,21 @@ func TestMuxConnectionCloseWriteUnblock(t *testing.T) {
defer writer.Close()
defer mux.Close()
- wDone := make(chan int, 1)
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
+ wg.Add(1)
go func() {
+ defer wg.Done()
if _, err := writer.Write(make([]byte, channelWindowSize)); err != nil {
t.Errorf("could not fill window: %v", err)
}
if _, err := writer.Write(make([]byte, 1)); err != io.EOF {
t.Errorf("got %v, want EOF for unblock write", err)
}
- wDone <- 1
}()
writer.remoteWin.waitWriterBlocked()
mux.Close()
- <-wDone
}
func TestMuxReject(t *testing.T) {
@@ -212,13 +267,21 @@ func TestMuxReject(t *testing.T) {
defer server.Close()
defer client.Close()
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
+ wg.Add(1)
go func() {
+ defer wg.Done()
+
ch, ok := <-server.incomingChannels
if !ok {
- t.Fatalf("Accept")
+ t.Error("cannot accept channel")
+ return
}
if ch.ChannelType() != "ch" || string(ch.ExtraData()) != "extra" {
- t.Fatalf("unexpected channel: %q, %q", ch.ChannelType(), ch.ExtraData())
+ t.Errorf("unexpected channel: %q, %q", ch.ChannelType(), ch.ExtraData())
+ ch.Reject(RejectionReason(UnknownChannelType), UnknownChannelType.String())
+ return
}
ch.Reject(RejectionReason(42), "message")
}()
@@ -249,6 +312,7 @@ func TestMuxChannelRequest(t *testing.T) {
var received int
var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
wg.Add(1)
go func() {
for r := range server.incomingRequests {
@@ -277,7 +341,6 @@ func TestMuxChannelRequest(t *testing.T) {
}
if ok {
t.Errorf("SendRequest(no): %v", ok)
-
}
client.Close()
@@ -294,7 +357,7 @@ func TestMuxUnknownChannelRequests(t *testing.T) {
defer serverPipe.Close()
defer client.Close()
- kDone := make(chan struct{})
+ kDone := make(chan error, 1)
go func() {
// Ignore unknown channel messages that don't want a reply.
err := serverPipe.writePacket(Marshal(channelRequestMsg{
@@ -304,7 +367,8 @@ func TestMuxUnknownChannelRequests(t *testing.T) {
RequestSpecificData: []byte{},
}))
if err != nil {
- t.Fatalf("send: %v", err)
+ kDone <- fmt.Errorf("send: %w", err)
+ return
}
// Send a keepalive, which should get a channel failure message
@@ -316,44 +380,53 @@ func TestMuxUnknownChannelRequests(t *testing.T) {
RequestSpecificData: []byte{},
}))
if err != nil {
- t.Fatalf("send: %v", err)
+ kDone <- fmt.Errorf("send: %w", err)
+ return
}
packet, err := serverPipe.readPacket()
if err != nil {
- t.Fatalf("read packet: %v", err)
+ kDone <- fmt.Errorf("read packet: %w", err)
+ return
}
decoded, err := decode(packet)
if err != nil {
- t.Fatalf("decode failed: %v", err)
+ kDone <- fmt.Errorf("decode failed: %w", err)
+ return
}
switch msg := decoded.(type) {
case *channelRequestFailureMsg:
if msg.PeersID != 2 {
- t.Fatalf("received response to wrong message: %v", msg)
+ kDone <- fmt.Errorf("received response to wrong message: %v", msg)
+ return
+
}
default:
- t.Fatalf("unexpected channel message: %v", msg)
+ kDone <- fmt.Errorf("unexpected channel message: %v", msg)
+ return
}
- kDone <- struct{}{}
+ kDone <- nil
// Receive and respond to the keepalive to confirm the mux is
// still processing requests.
packet, err = serverPipe.readPacket()
if err != nil {
- t.Fatalf("read packet: %v", err)
+ kDone <- fmt.Errorf("read packet: %w", err)
+ return
}
if packet[0] != msgGlobalRequest {
- t.Fatalf("expected global request")
+ kDone <- errors.New("expected global request")
+ return
}
err = serverPipe.writePacket(Marshal(globalRequestFailureMsg{
Data: []byte{},
}))
if err != nil {
- t.Fatalf("failed to send failure msg: %v", err)
+ kDone <- fmt.Errorf("failed to send failure msg: %w", err)
+ return
}
close(kDone)
@@ -361,10 +434,8 @@ func TestMuxUnknownChannelRequests(t *testing.T) {
// Wait for the server to send the keepalive message and receive back a
// response.
- select {
- case <-kDone:
- case <-time.After(10 * time.Second):
- t.Fatalf("server never received ack")
+ if err := <-kDone; err != nil {
+ t.Fatal(err)
}
// Confirm client hasn't closed.
@@ -372,10 +443,9 @@ func TestMuxUnknownChannelRequests(t *testing.T) {
t.Fatalf("failed to send keepalive: %v", err)
}
- select {
- case <-kDone:
- case <-time.After(10 * time.Second):
- t.Fatalf("server never shut down")
+ // Wait for the server to shut down.
+ if err := <-kDone; err != nil {
+ t.Fatal(err)
}
}
@@ -385,20 +455,23 @@ func TestMuxClosedChannel(t *testing.T) {
defer serverPipe.Close()
defer client.Close()
- kDone := make(chan struct{})
+ kDone := make(chan error, 1)
go func() {
// Open the channel.
packet, err := serverPipe.readPacket()
if err != nil {
- t.Fatalf("read packet: %v", err)
+ kDone <- fmt.Errorf("read packet: %w", err)
+ return
}
if packet[0] != msgChannelOpen {
- t.Fatalf("expected chan open")
+ kDone <- errors.New("expected chan open")
+ return
}
var openMsg channelOpenMsg
if err := Unmarshal(packet, &openMsg); err != nil {
- t.Fatalf("unmarshal: %v", err)
+ kDone <- fmt.Errorf("unmarshal: %w", err)
+ return
}
// Send back the opened channel confirmation.
@@ -409,7 +482,8 @@ func TestMuxClosedChannel(t *testing.T) {
MaxPacketSize: channelMaxPacket,
}))
if err != nil {
- t.Fatalf("send: %v", err)
+ kDone <- fmt.Errorf("send: %w", err)
+ return
}
// Close the channel.
@@ -417,7 +491,8 @@ func TestMuxClosedChannel(t *testing.T) {
PeersID: openMsg.PeersID,
}))
if err != nil {
- t.Fatalf("send: %v", err)
+ kDone <- fmt.Errorf("send: %w", err)
+ return
}
// Send a keepalive message on the channel we just closed.
@@ -428,43 +503,51 @@ func TestMuxClosedChannel(t *testing.T) {
RequestSpecificData: []byte{},
}))
if err != nil {
- t.Fatalf("send: %v", err)
+ kDone <- fmt.Errorf("send: %w", err)
+ return
}
// Receive the channel closed response.
packet, err = serverPipe.readPacket()
if err != nil {
- t.Fatalf("read packet: %v", err)
+ kDone <- fmt.Errorf("read packet: %w", err)
+ return
}
if packet[0] != msgChannelClose {
- t.Fatalf("expected channel close")
+ kDone <- errors.New("expected channel close")
+ return
}
// Receive the keepalive response failure.
packet, err = serverPipe.readPacket()
if err != nil {
- t.Fatalf("read packet: %v", err)
+ kDone <- fmt.Errorf("read packet: %w", err)
+ return
}
if packet[0] != msgChannelFailure {
- t.Fatalf("expected channel close")
+ kDone <- errors.New("expected channel failure")
+ return
}
- kDone <- struct{}{}
+ kDone <- nil
// Receive and respond to the keepalive to confirm the mux is
// still processing requests.
packet, err = serverPipe.readPacket()
if err != nil {
- t.Fatalf("read packet: %v", err)
+ kDone <- fmt.Errorf("read packet: %w", err)
+ return
}
if packet[0] != msgGlobalRequest {
- t.Fatalf("expected global request")
+ kDone <- errors.New("expected global request")
+ return
}
err = serverPipe.writePacket(Marshal(globalRequestFailureMsg{
Data: []byte{},
}))
if err != nil {
- t.Fatalf("failed to send failure msg: %v", err)
+ kDone <- fmt.Errorf("failed to send failure msg: %w", err)
+ return
}
close(kDone)
@@ -478,11 +561,7 @@ func TestMuxClosedChannel(t *testing.T) {
defer ch.Close()
// Wait for the server to close the channel and send the keepalive.
- select {
- case <-kDone:
- case <-time.After(10 * time.Second):
- t.Fatalf("server never received ack")
- }
+ <-kDone
// Make sure the channel closed.
if _, ok := <-ch.incomingRequests; ok {
@@ -494,22 +573,29 @@ func TestMuxClosedChannel(t *testing.T) {
t.Fatalf("failed to send keepalive: %v", err)
}
- select {
- case <-kDone:
- case <-time.After(10 * time.Second):
- t.Fatalf("server never shut down")
- }
+ // Wait for the server to shut down.
+ <-kDone
}
func TestMuxGlobalRequest(t *testing.T) {
+ var sawPeek bool
+ var wg sync.WaitGroup
+ defer func() {
+ wg.Wait()
+ if !sawPeek {
+ t.Errorf("never saw 'peek' request")
+ }
+ }()
+
clientMux, serverMux := muxPair()
defer serverMux.Close()
defer clientMux.Close()
- var seen bool
+ wg.Add(1)
go func() {
+ defer wg.Done()
for r := range serverMux.incomingRequests {
- seen = seen || r.Type == "peek"
+ sawPeek = sawPeek || r.Type == "peek"
if r.WantReply {
err := r.Reply(r.Type == "yes",
append([]byte(r.Type), r.Payload...))
@@ -539,10 +625,6 @@ func TestMuxGlobalRequest(t *testing.T) {
t.Errorf("SendRequest(\"no\", true, \"a\"): %v %v %v",
ok, data, err)
}
-
- if !seen {
- t.Errorf("never saw 'peek' request")
- }
}
func TestMuxGlobalRequestUnblock(t *testing.T) {
@@ -692,7 +774,13 @@ func TestMuxMaxPacketSize(t *testing.T) {
t.Errorf("could not send packet")
}
- go a.SendRequest("hello", false, nil)
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
+ wg.Add(1)
+ go func() {
+ a.SendRequest("hello", false, nil)
+ wg.Done()
+ }()
_, ok := <-b.incomingRequests
if ok {
@@ -700,6 +788,43 @@ func TestMuxMaxPacketSize(t *testing.T) {
}
}
+func TestMuxChannelWindowDeferredUpdates(t *testing.T) {
+ s, c, mux := channelPair(t)
+ cTransport := mux.conn.(*memTransport)
+ defer s.Close()
+ defer c.Close()
+ defer mux.Close()
+
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
+
+ data := make([]byte, 1024)
+
+ wg.Add(1)
+ go func() {
+ defer wg.Done()
+ _, err := s.Write(data)
+ if err != nil {
+ t.Errorf("Write: %v", err)
+ return
+ }
+ }()
+ cWritesInit := cTransport.getWriteCount()
+ buf := make([]byte, 1)
+ for i := 0; i < len(data); i++ {
+ n, err := c.Read(buf)
+ if n != len(buf) || err != nil {
+ t.Fatalf("Read: %v, %v", n, err)
+ }
+ }
+ cWrites := cTransport.getWriteCount() - cWritesInit
+ // reading 1 KiB should not cause any window updates to be sent, but allow
+ // for some unexpected writes
+ if cWrites > 30 {
+ t.Fatalf("reading 1 KiB from channel caused %v writes", cWrites)
+ }
+}
+
// Don't ship code with debug=true.
func TestDebug(t *testing.T) {
if debugMux {
diff --git a/ssh/server.go b/ssh/server.go
index 9e3870292f..c2dfe3268c 100644
--- a/ssh/server.go
+++ b/ssh/server.go
@@ -64,6 +64,13 @@ type ServerConfig struct {
// Config contains configuration shared between client and server.
Config
+ // PublicKeyAuthAlgorithms specifies the supported client public key
+ // authentication algorithms. Note that this should not include certificate
+ // types since those use the underlying algorithm. This list is sent to the
+ // client if it supports the server-sig-algs extension. Order is irrelevant.
+ // If unspecified then a default set of algorithms is used.
+ PublicKeyAuthAlgorithms []string
+
hostKeys []Signer
// NoClientAuth is true if clients are allowed to connect without
@@ -201,9 +208,20 @@ func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewCha
if fullConf.MaxAuthTries == 0 {
fullConf.MaxAuthTries = 6
}
+ if len(fullConf.PublicKeyAuthAlgorithms) == 0 {
+ fullConf.PublicKeyAuthAlgorithms = supportedPubKeyAuthAlgos
+ } else {
+ for _, algo := range fullConf.PublicKeyAuthAlgorithms {
+ if !contains(supportedPubKeyAuthAlgos, algo) {
+ c.Close()
+ return nil, nil, nil, fmt.Errorf("ssh: unsupported public key authentication algorithm %s", algo)
+ }
+ }
+ }
// Check if the config contains any unsupported key exchanges
for _, kex := range fullConf.KeyExchanges {
if _, ok := serverForbiddenKexAlgos[kex]; ok {
+ c.Close()
return nil, nil, nil, fmt.Errorf("ssh: unsupported key exchange %s for server", kex)
}
}
@@ -321,7 +339,7 @@ func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
}
-func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, firstToken []byte, s *connection,
+func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, token []byte, s *connection,
sessionID []byte, userAuthReq userAuthRequestMsg) (authErr error, perms *Permissions, err error) {
gssAPIServer := gssapiConfig.Server
defer gssAPIServer.DeleteSecContext()
@@ -331,7 +349,7 @@ func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, firstToken []byte, s *c
outToken []byte
needContinue bool
)
- outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(firstToken)
+ outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(token)
if err != nil {
return err, nil, nil
}
@@ -353,6 +371,7 @@ func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, firstToken []byte, s *c
if err := Unmarshal(packet, userAuthGSSAPITokenReq); err != nil {
return nil, nil, err
}
+ token = userAuthGSSAPITokenReq.Token
}
packet, err := s.transport.readPacket()
if err != nil {
@@ -370,6 +389,25 @@ func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, firstToken []byte, s *c
return authErr, perms, nil
}
+// isAlgoCompatible checks if the signature format is compatible with the
+// selected algorithm taking into account edge cases that occur with old
+// clients.
+func isAlgoCompatible(algo, sigFormat string) bool {
+ // Compatibility for old clients.
+ //
+ // For certificate authentication with OpenSSH 7.2-7.7 signature format can
+ // be rsa-sha2-256 or rsa-sha2-512 for the algorithm
+ // ssh-rsa-cert-v01@openssh.com.
+ //
+ // With gpg-agent < 2.2.6 the algorithm can be rsa-sha2-256 or rsa-sha2-512
+ // for signature format ssh-rsa.
+ if isRSA(algo) && isRSA(sigFormat) {
+ return true
+ }
+ // Standard case: the underlying algorithm must match the signature format.
+ return underlyingAlgo(algo) == sigFormat
+}
+
// ServerAuthError represents server authentication errors and is
// sometimes returned by NewServerConn. It appends any authentication
// errors that may occur, and is returned if all of the authentication
@@ -505,7 +543,7 @@ userAuthLoop:
return nil, parseError(msgUserAuthRequest)
}
algo := string(algoBytes)
- if !contains(supportedPubKeyAuthAlgos, underlyingAlgo(algo)) {
+ if !contains(config.PublicKeyAuthAlgorithms, underlyingAlgo(algo)) {
authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
break
}
@@ -557,17 +595,26 @@ userAuthLoop:
if !ok || len(payload) > 0 {
return nil, parseError(msgUserAuthRequest)
}
-
+ // Ensure the declared public key algo is compatible with the
+ // decoded one. This check will ensure we don't accept e.g.
+ // ssh-rsa-cert-v01@openssh.com algorithm with ssh-rsa public
+ // key type. The algorithm and public key type must be
+ // consistent: both must be certificate algorithms, or neither.
+ if !contains(algorithmsForKeyFormat(pubKey.Type()), algo) {
+ authErr = fmt.Errorf("ssh: public key type %q not compatible with selected algorithm %q",
+ pubKey.Type(), algo)
+ break
+ }
// Ensure the public key algo and signature algo
// are supported. Compare the private key
// algorithm name that corresponds to algo with
// sig.Format. This is usually the same, but
// for certs, the names differ.
- if !contains(supportedPubKeyAuthAlgos, sig.Format) {
+ if !contains(config.PublicKeyAuthAlgorithms, sig.Format) {
authErr = fmt.Errorf("ssh: algorithm %q not accepted", sig.Format)
break
}
- if underlyingAlgo(algo) != sig.Format {
+ if !isAlgoCompatible(algo, sig.Format) {
authErr = fmt.Errorf("ssh: signature %q not compatible with selected algorithm %q", sig.Format, algo)
break
}
diff --git a/ssh/server_test.go b/ssh/server_test.go
new file mode 100644
index 0000000000..a9b2bce0c1
--- /dev/null
+++ b/ssh/server_test.go
@@ -0,0 +1,140 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ssh
+
+import (
+ "io"
+ "net"
+ "sync/atomic"
+ "testing"
+ "time"
+)
+
+func TestClientAuthRestrictedPublicKeyAlgos(t *testing.T) {
+ for _, tt := range []struct {
+ name string
+ key Signer
+ wantError bool
+ }{
+ {"rsa", testSigners["rsa"], false},
+ {"dsa", testSigners["dsa"], true},
+ {"ed25519", testSigners["ed25519"], true},
+ } {
+ c1, c2, err := netPipe()
+ if err != nil {
+ t.Fatalf("netPipe: %v", err)
+ }
+ defer c1.Close()
+ defer c2.Close()
+ serverConf := &ServerConfig{
+ PublicKeyAuthAlgorithms: []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512},
+ PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
+ return nil, nil
+ },
+ }
+ serverConf.AddHostKey(testSigners["ecdsap256"])
+
+ done := make(chan struct{})
+ go func() {
+ defer close(done)
+ NewServerConn(c1, serverConf)
+ }()
+
+ clientConf := ClientConfig{
+ User: "user",
+ Auth: []AuthMethod{
+ PublicKeys(tt.key),
+ },
+ HostKeyCallback: InsecureIgnoreHostKey(),
+ }
+
+ _, _, _, err = NewClientConn(c2, "", &clientConf)
+ if err != nil {
+ if !tt.wantError {
+ t.Errorf("%s: got unexpected error %q", tt.name, err.Error())
+ }
+ } else if tt.wantError {
+ t.Errorf("%s: succeeded, but want error", tt.name)
+ }
+ <-done
+ }
+}
+
+func TestNewServerConnValidationErrors(t *testing.T) {
+ serverConf := &ServerConfig{
+ PublicKeyAuthAlgorithms: []string{CertAlgoRSAv01},
+ }
+ c := &markerConn{}
+ _, _, _, err := NewServerConn(c, serverConf)
+ if err == nil {
+ t.Fatal("NewServerConn with invalid public key auth algorithms succeeded")
+ }
+ if !c.isClosed() {
+ t.Fatal("NewServerConn with invalid public key auth algorithms left connection open")
+ }
+ if c.isUsed() {
+ t.Fatal("NewServerConn with invalid public key auth algorithms used connection")
+ }
+
+ serverConf = &ServerConfig{
+ Config: Config{
+ KeyExchanges: []string{kexAlgoDHGEXSHA256},
+ },
+ }
+ c = &markerConn{}
+ _, _, _, err = NewServerConn(c, serverConf)
+ if err == nil {
+ t.Fatal("NewServerConn with unsupported key exchange succeeded")
+ }
+ if !c.isClosed() {
+ t.Fatal("NewServerConn with unsupported key exchange left connection open")
+ }
+ if c.isUsed() {
+ t.Fatal("NewServerConn with unsupported key exchange used connection")
+ }
+}
+
+type markerConn struct {
+ closed uint32
+ used uint32
+}
+
+func (c *markerConn) isClosed() bool {
+ return atomic.LoadUint32(&c.closed) != 0
+}
+
+func (c *markerConn) isUsed() bool {
+ return atomic.LoadUint32(&c.used) != 0
+}
+
+func (c *markerConn) Close() error {
+ atomic.StoreUint32(&c.closed, 1)
+ return nil
+}
+
+func (c *markerConn) Read(b []byte) (n int, err error) {
+ atomic.StoreUint32(&c.used, 1)
+ if atomic.LoadUint32(&c.closed) != 0 {
+ return 0, net.ErrClosed
+ } else {
+ return 0, io.EOF
+ }
+}
+
+func (c *markerConn) Write(b []byte) (n int, err error) {
+ atomic.StoreUint32(&c.used, 1)
+ if atomic.LoadUint32(&c.closed) != 0 {
+ return 0, net.ErrClosed
+ } else {
+ return 0, io.ErrClosedPipe
+ }
+}
+
+func (*markerConn) LocalAddr() net.Addr { return nil }
+func (*markerConn) RemoteAddr() net.Addr { return nil }
+
+func (*markerConn) SetDeadline(t time.Time) error { return nil }
+func (*markerConn) SetReadDeadline(t time.Time) error { return nil }
+func (*markerConn) SetWriteDeadline(t time.Time) error { return nil }
diff --git a/ssh/session_test.go b/ssh/session_test.go
index c4b9f0ea5b..807a913e5a 100644
--- a/ssh/session_test.go
+++ b/ssh/session_test.go
@@ -13,6 +13,7 @@ import (
"io"
"math/rand"
"net"
+ "sync"
"testing"
"golang.org/x/crypto/ssh/terminal"
@@ -27,8 +28,14 @@ func dial(handler serverType, t *testing.T) *Client {
t.Fatalf("netPipe: %v", err)
}
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
+ wg.Add(1)
go func() {
- defer c1.Close()
+ defer func() {
+ c1.Close()
+ wg.Done()
+ }()
conf := ServerConfig{
NoClientAuth: true,
}
@@ -36,9 +43,14 @@ func dial(handler serverType, t *testing.T) *Client {
conn, chans, reqs, err := NewServerConn(c1, &conf)
if err != nil {
- t.Fatalf("Unable to handshake: %v", err)
+ t.Errorf("Unable to handshake: %v", err)
+ return
}
- go DiscardRequests(reqs)
+ wg.Add(1)
+ go func() {
+ DiscardRequests(reqs)
+ wg.Done()
+ }()
for newCh := range chans {
if newCh.ChannelType() != "session" {
@@ -51,8 +63,10 @@ func dial(handler serverType, t *testing.T) *Client {
t.Errorf("Accept: %v", err)
continue
}
+ wg.Add(1)
go func() {
handler(ch, inReqs, t)
+ wg.Done()
}()
}
if err := conn.Wait(); err != io.EOF {
@@ -337,8 +351,13 @@ func TestServerWindow(t *testing.T) {
t.Fatal(err)
}
defer session.Close()
- result := make(chan []byte)
+ serverStdin, err := session.StdinPipe()
+ if err != nil {
+ t.Fatalf("StdinPipe failed: %v", err)
+ }
+
+ result := make(chan []byte)
go func() {
defer close(result)
echoedBuf := bytes.NewBuffer(make([]byte, 0, windowTestBytes))
@@ -354,10 +373,6 @@ func TestServerWindow(t *testing.T) {
result <- echoedBuf.Bytes()
}()
- serverStdin, err := session.StdinPipe()
- if err != nil {
- t.Fatalf("StdinPipe failed: %v", err)
- }
written, err := copyNRandomly("stdin", serverStdin, origBuf, windowTestBytes)
if err != nil {
t.Errorf("failed to copy origBuf to serverStdin: %v", err)
@@ -647,30 +662,57 @@ func TestSessionID(t *testing.T) {
User: "user",
}
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
+
+ srvErrCh := make(chan error, 1)
+ wg.Add(1)
go func() {
+ defer wg.Done()
conn, chans, reqs, err := NewServerConn(c1, serverConf)
+ srvErrCh <- err
if err != nil {
- t.Fatalf("server handshake: %v", err)
+ return
}
serverID <- conn.SessionID()
- go DiscardRequests(reqs)
+ wg.Add(1)
+ go func() {
+ DiscardRequests(reqs)
+ wg.Done()
+ }()
for ch := range chans {
ch.Reject(Prohibited, "")
}
}()
+ cliErrCh := make(chan error, 1)
+ wg.Add(1)
go func() {
+ defer wg.Done()
conn, chans, reqs, err := NewClientConn(c2, "", clientConf)
+ cliErrCh <- err
if err != nil {
- t.Fatalf("client handshake: %v", err)
+ return
}
clientID <- conn.SessionID()
- go DiscardRequests(reqs)
+ wg.Add(1)
+ go func() {
+ DiscardRequests(reqs)
+ wg.Done()
+ }()
for ch := range chans {
ch.Reject(Prohibited, "")
}
}()
+ if err := <-srvErrCh; err != nil {
+ t.Fatalf("server handshake: %v", err)
+ }
+
+ if err := <-cliErrCh; err != nil {
+ t.Fatalf("client handshake: %v", err)
+ }
+
s := <-serverID
c := <-clientID
if bytes.Compare(s, c) != 0 {
@@ -725,6 +767,8 @@ func TestHostKeyAlgorithms(t *testing.T) {
serverConf.AddHostKey(testSigners["rsa"])
serverConf.AddHostKey(testSigners["ecdsa"])
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
connect := func(clientConf *ClientConfig, want string) {
var alg string
clientConf.HostKeyCallback = func(h string, a net.Addr, key PublicKey) error {
@@ -738,7 +782,11 @@ func TestHostKeyAlgorithms(t *testing.T) {
defer c1.Close()
defer c2.Close()
- go NewServerConn(c1, serverConf)
+ wg.Add(1)
+ go func() {
+ NewServerConn(c1, serverConf)
+ wg.Done()
+ }()
_, _, _, err = NewClientConn(c2, "", clientConf)
if err != nil {
t.Fatalf("NewClientConn: %v", err)
@@ -772,7 +820,11 @@ func TestHostKeyAlgorithms(t *testing.T) {
defer c1.Close()
defer c2.Close()
- go NewServerConn(c1, serverConf)
+ wg.Add(1)
+ go func() {
+ NewServerConn(c1, serverConf)
+ wg.Done()
+ }()
clientConf.HostKeyAlgorithms = []string{"nonexistent-hostkey-algo"}
_, _, _, err = NewClientConn(c2, "", clientConf)
if err == nil {
@@ -805,14 +857,22 @@ func TestServerClientAuthCallback(t *testing.T) {
User: someUsername,
}
+ var wg sync.WaitGroup
+ t.Cleanup(wg.Wait)
+ wg.Add(1)
go func() {
+ defer wg.Done()
_, chans, reqs, err := NewServerConn(c1, serverConf)
if err != nil {
t.Errorf("server handshake: %v", err)
userCh <- "error"
return
}
- go DiscardRequests(reqs)
+ wg.Add(1)
+ go func() {
+ DiscardRequests(reqs)
+ wg.Done()
+ }()
for ch := range chans {
ch.Reject(Prohibited, "")
}
diff --git a/ssh/tcpip.go b/ssh/tcpip.go
index 80d35f5ec1..ef5059a11d 100644
--- a/ssh/tcpip.go
+++ b/ssh/tcpip.go
@@ -5,6 +5,7 @@
package ssh
import (
+ "context"
"errors"
"fmt"
"io"
@@ -332,6 +333,40 @@ func (l *tcpListener) Addr() net.Addr {
return l.laddr
}
+// DialContext initiates a connection to the addr from the remote host.
+//
+// The provided Context must be non-nil. If the context expires before the
+// connection is complete, an error is returned. Once successfully connected,
+// any expiration of the context will not affect the connection.
+//
+// See func Dial for additional information.
+func (c *Client) DialContext(ctx context.Context, n, addr string) (net.Conn, error) {
+ if err := ctx.Err(); err != nil {
+ return nil, err
+ }
+ type connErr struct {
+ conn net.Conn
+ err error
+ }
+ ch := make(chan connErr)
+ go func() {
+ conn, err := c.Dial(n, addr)
+ select {
+ case ch <- connErr{conn, err}:
+ case <-ctx.Done():
+ if conn != nil {
+ conn.Close()
+ }
+ }
+ }()
+ select {
+ case res := <-ch:
+ return res.conn, res.err
+ case <-ctx.Done():
+ return nil, ctx.Err()
+ }
+}
+
// Dial initiates a connection to the addr from the remote host.
// The resulting connection has a zero LocalAddr() and RemoteAddr().
func (c *Client) Dial(n, addr string) (net.Conn, error) {
diff --git a/ssh/tcpip_test.go b/ssh/tcpip_test.go
index f1265cb496..4d85114727 100644
--- a/ssh/tcpip_test.go
+++ b/ssh/tcpip_test.go
@@ -5,7 +5,10 @@
package ssh
import (
+ "context"
+ "net"
"testing"
+ "time"
)
func TestAutoPortListenBroken(t *testing.T) {
@@ -18,3 +21,33 @@ func TestAutoPortListenBroken(t *testing.T) {
t.Errorf("version %q marked as broken", works)
}
}
+
+func TestClientImplementsDialContext(t *testing.T) {
+ type ContextDialer interface {
+ DialContext(context.Context, string, string) (net.Conn, error)
+ }
+ // Belt and suspenders assertion, since package net does not
+ // declare a ContextDialer type.
+ var _ ContextDialer = &net.Dialer{}
+ var _ ContextDialer = &Client{}
+}
+
+func TestClientDialContextWithCancel(t *testing.T) {
+ c := &Client{}
+ ctx, cancel := context.WithCancel(context.Background())
+ cancel()
+ _, err := c.DialContext(ctx, "tcp", "localhost:1000")
+ if err != context.Canceled {
+ t.Errorf("DialContext: got nil error, expected %v", context.Canceled)
+ }
+}
+
+func TestClientDialContextWithDeadline(t *testing.T) {
+ c := &Client{}
+ ctx, cancel := context.WithDeadline(context.Background(), time.Now())
+ defer cancel()
+ _, err := c.DialContext(ctx, "tcp", "localhost:1000")
+ if err != context.DeadlineExceeded {
+ t.Errorf("DialContext: got nil error, expected %v", context.DeadlineExceeded)
+ }
+}
diff --git a/ssh/test/agent_unix_test.go b/ssh/test/agent_unix_test.go
index 43fbdb22eb..a9c4893f7d 100644
--- a/ssh/test/agent_unix_test.go
+++ b/ssh/test/agent_unix_test.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
-// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
package test
@@ -35,6 +34,7 @@ func TestAgentForward(t *testing.T) {
sess, err := conn.NewSession()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("NewSession: %v", err)
}
if err := agent.RequestAgentForwarding(sess); err != nil {
diff --git a/ssh/test/banner_test.go b/ssh/test/banner_test.go
index 3bfdd4b059..dd17db5a87 100644
--- a/ssh/test/banner_test.go
+++ b/ssh/test/banner_test.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
-// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
package test
diff --git a/ssh/test/cert_test.go b/ssh/test/cert_test.go
index 83dd534c5c..15c44fb58e 100644
--- a/ssh/test/cert_test.go
+++ b/ssh/test/cert_test.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
-// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
package test
diff --git a/ssh/test/dial_unix_test.go b/ssh/test/dial_unix_test.go
index 4a7ec31737..7d6fb2877f 100644
--- a/ssh/test/dial_unix_test.go
+++ b/ssh/test/dial_unix_test.go
@@ -3,13 +3,13 @@
// license that can be found in the LICENSE file.
//go:build !windows && !js && !wasip1
-// +build !windows,!js,!wasip1
package test
// direct-tcpip and direct-streamlocal functional tests
import (
+ "context"
"fmt"
"io"
"net"
@@ -47,8 +47,13 @@ func testDial(t *testing.T, n, listenAddr string, x dialTester) {
}
}()
- conn, err := sshConn.Dial(n, l.Addr().String())
+ ctx, cancel := context.WithCancel(context.Background())
+ conn, err := sshConn.DialContext(ctx, n, l.Addr().String())
+ // Canceling the context after dial should have no effect
+ // on the opened connection.
+ cancel()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("Dial: %v", err)
}
x.TestClientConn(t, conn)
diff --git a/ssh/test/forward_unix_test.go b/ssh/test/forward_unix_test.go
index 1171bc3a14..e32d732e9f 100644
--- a/ssh/test/forward_unix_test.go
+++ b/ssh/test/forward_unix_test.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
-// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
package test
@@ -13,6 +12,7 @@ import (
"io"
"math/rand"
"net"
+ "runtime"
"testing"
"time"
)
@@ -28,6 +28,9 @@ func testPortForward(t *testing.T, n, listenAddr string) {
sshListener, err := conn.Listen(n, listenAddr)
if err != nil {
+ if runtime.GOOS == "darwin" && err == io.EOF {
+ t.Skipf("skipping test broken on some versions of macOS; see https://go.dev/issue/64959")
+ }
t.Fatal(err)
}
@@ -123,6 +126,9 @@ func testAcceptClose(t *testing.T, n, listenAddr string) {
sshListener, err := conn.Listen(n, listenAddr)
if err != nil {
+ if runtime.GOOS == "darwin" && err == io.EOF {
+ t.Skipf("skipping test broken on some versions of macOS; see https://go.dev/issue/64959")
+ }
t.Fatal(err)
}
@@ -164,6 +170,9 @@ func testPortForwardConnectionClose(t *testing.T, n, listenAddr string) {
sshListener, err := client.Listen(n, listenAddr)
if err != nil {
+ if runtime.GOOS == "darwin" && err == io.EOF {
+ t.Skipf("skipping test broken on some versions of macOS; see https://go.dev/issue/64959")
+ }
t.Fatal(err)
}
diff --git a/ssh/test/multi_auth_test.go b/ssh/test/multi_auth_test.go
index 6c253a7547..14cf1cce12 100644
--- a/ssh/test/multi_auth_test.go
+++ b/ssh/test/multi_auth_test.go
@@ -15,7 +15,6 @@
// (for linux) in file ./sshd_test_pw.c.
//go:build linux
-// +build linux
package test
@@ -77,27 +76,27 @@ func (ctx *multiAuthTestCtx) kbdIntCb(user, instruction string, questions []stri
func TestMultiAuth(t *testing.T) {
testCases := []multiAuthTestCase{
// Test password,publickey authentication, assert that password callback is called 1 time
- multiAuthTestCase{
+ {
authMethods: []string{"password", "publickey"},
expectedPasswordCbs: 1,
},
// Test keyboard-interactive,publickey authentication, assert that keyboard-interactive callback is called 1 time
- multiAuthTestCase{
+ {
authMethods: []string{"keyboard-interactive", "publickey"},
expectedKbdIntCbs: 1,
},
// Test publickey,password authentication, assert that password callback is called 1 time
- multiAuthTestCase{
+ {
authMethods: []string{"publickey", "password"},
expectedPasswordCbs: 1,
},
// Test publickey,keyboard-interactive authentication, assert that keyboard-interactive callback is called 1 time
- multiAuthTestCase{
+ {
authMethods: []string{"publickey", "keyboard-interactive"},
expectedKbdIntCbs: 1,
},
// Test password,password authentication, assert that password callback is called 2 times
- multiAuthTestCase{
+ {
authMethods: []string{"password", "password"},
expectedPasswordCbs: 2,
},
diff --git a/ssh/test/server_test.go b/ssh/test/server_test.go
new file mode 100644
index 0000000000..e70241bc6e
--- /dev/null
+++ b/ssh/test/server_test.go
@@ -0,0 +1,98 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package test
+
+import (
+ "net"
+
+ "golang.org/x/crypto/ssh"
+)
+
+type exitStatusMsg struct {
+ Status uint32
+}
+
+// goServer is a test Go SSH server that accepts public key and certificate
+// authentication and replies with a 0 exit status to any exec request without
+// running any commands.
+type goTestServer struct {
+ listener net.Listener
+ config *ssh.ServerConfig
+ done <-chan struct{}
+}
+
+func newTestServer(config *ssh.ServerConfig) (*goTestServer, error) {
+ server := &goTestServer{
+ config: config,
+ }
+ listener, err := net.Listen("tcp", "127.0.0.1:")
+ if err != nil {
+ return nil, err
+ }
+ server.listener = listener
+ done := make(chan struct{}, 1)
+ server.done = done
+ go server.acceptConnections(done)
+
+ return server, nil
+}
+
+func (s *goTestServer) port() (string, error) {
+ _, port, err := net.SplitHostPort(s.listener.Addr().String())
+ return port, err
+}
+
+func (s *goTestServer) acceptConnections(done chan<- struct{}) {
+ defer close(done)
+
+ for {
+ c, err := s.listener.Accept()
+ if err != nil {
+ return
+ }
+ _, chans, reqs, err := ssh.NewServerConn(c, s.config)
+ if err != nil {
+ return
+ }
+ go ssh.DiscardRequests(reqs)
+ defer c.Close()
+
+ for newChannel := range chans {
+ if newChannel.ChannelType() != "session" {
+ newChannel.Reject(ssh.UnknownChannelType, "unknown channel type")
+ continue
+ }
+
+ channel, requests, err := newChannel.Accept()
+ if err != nil {
+ continue
+ }
+
+ go func(in <-chan *ssh.Request) {
+ for req := range in {
+ ok := false
+ switch req.Type {
+ case "exec":
+ ok = true
+ go func() {
+ channel.SendRequest("exit-status", false, ssh.Marshal(&exitStatusMsg{Status: 0}))
+ channel.Close()
+ }()
+ }
+ if req.WantReply {
+ req.Reply(ok, nil)
+ }
+ }
+ }(requests)
+ }
+ }
+}
+
+func (s *goTestServer) Close() error {
+ err := s.listener.Close()
+ // wait for the accept loop to exit
+ <-s.done
+ return err
+}
diff --git a/ssh/test/session_test.go b/ssh/test/session_test.go
index e98b7865e5..c128b2ae51 100644
--- a/ssh/test/session_test.go
+++ b/ssh/test/session_test.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build !windows && !js && !wasip1
-// +build !windows,!js,!wasip1
package test
@@ -23,6 +22,13 @@ import (
"golang.org/x/crypto/ssh"
)
+func skipIfIssue64959(t *testing.T, err error) {
+ if err != nil && runtime.GOOS == "darwin" && strings.Contains(err.Error(), "ssh: unexpected packet in response to channel open: <nil>") {
+ t.Helper()
+ t.Skipf("skipping test broken on some versions of macOS; see https://go.dev/issue/64959")
+ }
+}
+
func TestRunCommandSuccess(t *testing.T) {
server := newServer(t)
conn := server.Dial(clientConfig())
@@ -30,6 +36,7 @@ func TestRunCommandSuccess(t *testing.T) {
session, err := conn.NewSession()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("session failed: %v", err)
}
defer session.Close()
@@ -67,6 +74,7 @@ func TestRunCommandStdin(t *testing.T) {
session, err := conn.NewSession()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("session failed: %v", err)
}
defer session.Close()
@@ -89,6 +97,7 @@ func TestRunCommandStdinError(t *testing.T) {
session, err := conn.NewSession()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("session failed: %v", err)
}
defer session.Close()
@@ -112,6 +121,7 @@ func TestRunCommandFailed(t *testing.T) {
session, err := conn.NewSession()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("session failed: %v", err)
}
defer session.Close()
@@ -128,6 +138,7 @@ func TestRunCommandWeClosed(t *testing.T) {
session, err := conn.NewSession()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("session failed: %v", err)
}
err = session.Shell()
@@ -147,6 +158,7 @@ func TestFuncLargeRead(t *testing.T) {
session, err := conn.NewSession()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("unable to create new session: %s", err)
}
@@ -183,6 +195,7 @@ func TestKeyChange(t *testing.T) {
for i := 0; i < 4; i++ {
session, err := conn.NewSession()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("unable to create new session: %s", err)
}
@@ -224,6 +237,7 @@ func TestValidTerminalMode(t *testing.T) {
session, err := conn.NewSession()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("session failed: %v", err)
}
defer session.Close()
@@ -248,7 +262,7 @@ func TestValidTerminalMode(t *testing.T) {
t.Fatalf("session failed: %s", err)
}
- if _, err := io.WriteString(stdin, "echo SHELL $SHELL && stty -a && exit\n"); err != nil {
+ if _, err := io.WriteString(stdin, "echo && echo SHELL $SHELL && stty -a && exit\n"); err != nil {
t.Fatal(err)
}
@@ -258,7 +272,7 @@ func TestValidTerminalMode(t *testing.T) {
}
if testing.Verbose() {
- t.Logf("echo SHELL $SHELL && stty -a && exit:\n%s", buf)
+ t.Logf("echo && echo SHELL $SHELL && stty -a && exit:\n%s", buf)
}
shellLine := regexp.MustCompile("(?m)^SHELL (.*)$").FindStringSubmatch(buf.String())
@@ -288,6 +302,7 @@ func TestWindowChange(t *testing.T) {
session, err := conn.NewSession()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("session failed: %v", err)
}
defer session.Close()
@@ -350,6 +365,7 @@ func testOneCipher(t *testing.T, cipher string, cipherOrder []string) {
// Exercise receiving data from the server
session, err := conn.NewSession()
if err != nil {
+ skipIfIssue64959(t, err)
t.Fatalf("NewSession: %v", err)
}
@@ -410,6 +426,9 @@ func TestKeyExchanges(t *testing.T) {
// are not included in the default list of supported kex so we have to add them
// here manually.
kexOrder = append(kexOrder, "diffie-hellman-group-exchange-sha1", "diffie-hellman-group-exchange-sha256")
+ // The key exchange algorithms diffie-hellman-group16-sha512 is disabled by
+ // default so we add it here manually.
+ kexOrder = append(kexOrder, "diffie-hellman-group16-sha512")
for _, kex := range kexOrder {
t.Run(kex, func(t *testing.T) {
server := newServer(t)
diff --git a/ssh/test/sshcli_test.go b/ssh/test/sshcli_test.go
new file mode 100644
index 0000000000..ac2f7c10a9
--- /dev/null
+++ b/ssh/test/sshcli_test.go
@@ -0,0 +1,100 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package test
+
+import (
+ "bytes"
+ "fmt"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "runtime"
+ "testing"
+
+ "golang.org/x/crypto/internal/testenv"
+ "golang.org/x/crypto/ssh"
+ "golang.org/x/crypto/ssh/testdata"
+)
+
+func sshClient(t *testing.T) string {
+ if testing.Short() {
+ t.Skip("Skipping test that executes OpenSSH in -short mode")
+ }
+ sshCLI := os.Getenv("SSH_CLI_PATH")
+ if sshCLI == "" {
+ sshCLI = "ssh"
+ }
+ var err error
+ sshCLI, err = exec.LookPath(sshCLI)
+ if err != nil {
+ t.Skipf("Can't find an ssh(1) client to test against: %v", err)
+ }
+ return sshCLI
+}
+
+func TestSSHCLIAuth(t *testing.T) {
+ if runtime.GOOS == "windows" {
+ t.Skipf("always fails on Windows, see #64403")
+ }
+ sshCLI := sshClient(t)
+ dir := t.TempDir()
+ keyPrivPath := filepath.Join(dir, "rsa")
+
+ for fn, content := range map[string][]byte{
+ keyPrivPath: testdata.PEMBytes["rsa"],
+ keyPrivPath + ".pub": ssh.MarshalAuthorizedKey(testPublicKeys["rsa"]),
+ filepath.Join(dir, "rsa-cert.pub"): testdata.SSHCertificates["rsa-user-testcertificate"],
+ } {
+ if err := os.WriteFile(fn, content, 0600); err != nil {
+ t.Fatalf("WriteFile(%q): %v", fn, err)
+ }
+ }
+
+ certChecker := ssh.CertChecker{
+ IsUserAuthority: func(k ssh.PublicKey) bool {
+ return bytes.Equal(k.Marshal(), testPublicKeys["ca"].Marshal())
+ },
+ UserKeyFallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+ if conn.User() == "testpubkey" && bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
+ return nil, nil
+ }
+
+ return nil, fmt.Errorf("pubkey for %q not acceptable", conn.User())
+ },
+ }
+
+ config := &ssh.ServerConfig{
+ PublicKeyCallback: certChecker.Authenticate,
+ }
+ config.AddHostKey(testSigners["rsa"])
+
+ server, err := newTestServer(config)
+ if err != nil {
+ t.Fatalf("unable to start test server: %v", err)
+ }
+ defer server.Close()
+
+ port, err := server.port()
+ if err != nil {
+ t.Fatalf("unable to get server port: %v", err)
+ }
+
+ // test public key authentication.
+ cmd := testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no",
+ "-p", port, "testpubkey@127.0.0.1", "true")
+ out, err := cmd.CombinedOutput()
+ if err != nil {
+ t.Fatalf("public key authentication failed, error: %v, command output %q", err, string(out))
+ }
+ // Test SSH user certificate authentication.
+ // The username must match one of the principals included in the certificate.
+ // The certificate "rsa-user-testcertificate" has "testcertificate" as principal.
+ cmd = testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no",
+ "-p", port, "testcertificate@127.0.0.1", "true")
+ out, err = cmd.CombinedOutput()
+ if err != nil {
+ t.Fatalf("user certificate authentication failed, error: %v, command output %q", err, string(out))
+ }
+}
diff --git a/ssh/test/sshd_test_pw.c b/ssh/test/sshd_test_pw.c
index 2794a563a4..1e48619994 100644
--- a/ssh/test/sshd_test_pw.c
+++ b/ssh/test/sshd_test_pw.c
@@ -20,7 +20,7 @@
// Run sshd:
// LD_PRELOAD="sshd_test_pw.so" TEST_USER="..." TEST_PASSWD="..." sshd ...
-// +build ignore
+//go:build ignore
#define _GNU_SOURCE
#include <string.h>
diff --git a/ssh/test/test_unix_test.go b/ssh/test/test_unix_test.go
index f3f55db128..9695de7319 100644
--- a/ssh/test/test_unix_test.go
+++ b/ssh/test/test_unix_test.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || plan9 || solaris
-// +build aix darwin dragonfly freebsd linux netbsd openbsd plan9 solaris
package test
@@ -179,7 +178,7 @@ func (s *server) TryDial(config *ssh.ClientConfig) (*ssh.Client, error) {
// addr is the user specified host:port. While we don't actually dial it,
// we need to know this for host key matching
-func (s *server) TryDialWithAddr(config *ssh.ClientConfig, addr string) (*ssh.Client, error) {
+func (s *server) TryDialWithAddr(config *ssh.ClientConfig, addr string) (client *ssh.Client, err error) {
sshd, err := exec.LookPath("sshd")
if err != nil {
s.t.Skipf("skipping test: %v", err)
@@ -189,13 +188,26 @@ func (s *server) TryDialWithAddr(config *ssh.ClientConfig, addr string) (*ssh.Cl
if err != nil {
s.t.Fatalf("unixConnection: %v", err)
}
+ defer func() {
+ // Close c2 after we've started the sshd command so that it won't prevent c1
+ // from returning EOF when the sshd command exits.
+ c2.Close()
+
+ // Leave c1 open if we're returning a client that wraps it.
+ // (The client is responsible for closing it.)
+ // Otherwise, close it to free up the socket.
+ if client == nil {
+ c1.Close()
+ }
+ }()
- cmd := testenv.Command(s.t, sshd, "-f", s.configfile, "-i", "-e")
f, err := c2.File()
if err != nil {
s.t.Fatalf("UnixConn.File: %v", err)
}
defer f.Close()
+
+ cmd := testenv.Command(s.t, sshd, "-f", s.configfile, "-i", "-e")
cmd.Stdin = f
cmd.Stdout = f
cmd.Stderr = new(bytes.Buffer)
@@ -224,7 +236,7 @@ func (s *server) TryDialWithAddr(config *ssh.ClientConfig, addr string) (*ssh.Cl
// processes are killed too.
cmd.Process.Signal(os.Interrupt)
cmd.Wait()
- if s.t.Failed() {
+ if s.t.Failed() || testing.Verbose() {
// log any output from sshd process
s.t.Logf("sshd:\n%s", cmd.Stderr)
}
diff --git a/ssh/testdata/keys.go b/ssh/testdata/keys.go
index ad95a81929..69f9eef4de 100644
--- a/ssh/testdata/keys.go
+++ b/ssh/testdata/keys.go
@@ -195,6 +195,12 @@ var SSHCertificates = map[string][]byte{
"rsa-sha2-256": []byte(`ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgOyK28gunJkM60qp4EbsYAjgbUsyjS8u742OLjipIgc0AAAADAQABAAAAgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2a6ySEJQb3IYquw7HlJgu6fg3WIWhOmHCjfpG0PrL4CRwbqQ2LaPPXhJErWYejcD8Di00cF3677+G10KMZk9RXbmHtuBFZT98wxg8j+ZsBMqGM1+7yrWUvynswQAAAAAAAAAAAAAAAgAAABRob3N0LmV4YW1wbGUuY29tLWtleQAAABQAAAAQaG9zdC5leGFtcGxlLmNvbQAAAABeSMJ4AAAAAHBPBLwAAAAAAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC+D11D0hEbn2Vglv4YRJ8pZNyHjIGmvth3DWOQrq++2vH2MujmGQDxfr4SVE9GpMBlKU3lwGbpgIBxAg6yZcNSfo6PWVU9ACg6NMFO+yMzc2MaG+/naQdNjSewywF5j2rkNO2XOaViRVSrZroe2B/aY2LTV0jDl8nu5NOjwRs1/s7SLe5z1rw/X0dpmXk0qJY3gQhmR8HZZ1dhEkJUGwaBCPd0T8asSYf1Ag2rUD4aQ28r3q69mbwfWOOa6rMemVZruUV5dzHwVNVNtVv+ImtnYtz8m8g+K0plaGptHn3KsaOnASkh3tujhaE7kvc4HR9Igli9+76jhZie3h/dTN5zAAABFAAAAAxyc2Etc2hhMi0yNTYAAAEAbG4De/+QiqopPS3O1H7ySeEUCY56qmdgr02sFErnihdXPDaWXUXxacvJHaEtLrSTSaPL/3v3iKvjLWDOHaQ5c+cN9J7Tqzso7RQCXZD2nK9bwCUyBoiDyBCRe8w4DQEtfL5okpVzQsSAiojQ8hBohMOpy3gFfXrdm4PVC1ZKqlZh4fAc7ajieRq/Tpq2xOLdHwxkcgPNR83WVHva6K9/xjev/5n227/gkHo0qbGs8YYDOFXIEhENi+B23IzxdNVieWdyQpYpe0C2i95Jhyo0wJmaFY2ArruTS+D1jGQQpMPvAQRy26/A5hI83GLhpwyhrN/M8wCxzAhyPL6Ieuh5tQ== host.example.com
`),
"rsa-sha2-512": []byte(`ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgFGv4IpXfs4L/Y0b3rmUdPFhWoUrVnXuPxXr6aHGs7wgAAAADAQABAAAAgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2a6ySEJQb3IYquw7HlJgu6fg3WIWhOmHCjfpG0PrL4CRwbqQ2LaPPXhJErWYejcD8Di00cF3677+G10KMZk9RXbmHtuBFZT98wxg8j+ZsBMqGM1+7yrWUvynswQAAAAAAAAAAAAAAAgAAABRob3N0LmV4YW1wbGUuY29tLWtleQAAABQAAAAQaG9zdC5leGFtcGxlLmNvbQAAAABeSMRYAAAAAHBPBp4AAAAAAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC+D11D0hEbn2Vglv4YRJ8pZNyHjIGmvth3DWOQrq++2vH2MujmGQDxfr4SVE9GpMBlKU3lwGbpgIBxAg6yZcNSfo6PWVU9ACg6NMFO+yMzc2MaG+/naQdNjSewywF5j2rkNO2XOaViRVSrZroe2B/aY2LTV0jDl8nu5NOjwRs1/s7SLe5z1rw/X0dpmXk0qJY3gQhmR8HZZ1dhEkJUGwaBCPd0T8asSYf1Ag2rUD4aQ28r3q69mbwfWOOa6rMemVZruUV5dzHwVNVNtVv+ImtnYtz8m8g+K0plaGptHn3KsaOnASkh3tujhaE7kvc4HR9Igli9+76jhZie3h/dTN5zAAABFAAAAAxyc2Etc2hhMi01MTIAAAEAnF4fVj6mm+UFeNCIf9AKJCv9WzymjjPvzzmaMWWkPWqoV0P0m5SiYfvbY9SbA73Blpv8SOr0DmpublF183kodREia4KyVuC8hLhSCV2Y16hy9MBegOZMepn80w+apj7Rn9QCz5OfEakDdztp6OWTBtqxnZFcTQ4XrgFkNWeWRElGdEvAVNn2WHwHi4EIdz0mdv48Imv5SPlOuW862ZdFG4Do1dUfDIiGsBofLlgcyIYlf+eNHul6sBeUkuwFxisMpI5DQzNp8PX1g/QJA2wzwT674PTqDXNttKjyh50Fdr4sXxm9Gz1+jVLoESvFNa55ERdSyAqNu4wTy11MZsWwSA== host.example.com
+`),
+ // Assumes "ca" key above in file named "ca", sign a user cert for "rsa.pub"
+ // using "testcertificate" as principal:
+ //
+ // ssh-keygen -s ca -I username -n testcertificate rsa.pub
+ "rsa-user-testcertificate": []byte(`ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgr0MnhSf+KkQWEQmweJOGsJfOrUt80pQZDaI9YiwSfDUAAAADAQABAAAAgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2a6ySEJQb3IYquw7HlJgu6fg3WIWhOmHCjfpG0PrL4CRwbqQ2LaPPXhJErWYejcD8Di00cF3677+G10KMZk9RXbmHtuBFZT98wxg8j+ZsBMqGM1+7yrWUvynswQAAAAAAAAAAAAAAAQAAAAh1c2VybmFtZQAAABMAAAAPdGVzdGNlcnRpZmljYXRlAAAAAAAAAAD//////////wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC+D11D0hEbn2Vglv4YRJ8pZNyHjIGmvth3DWOQrq++2vH2MujmGQDxfr4SVE9GpMBlKU3lwGbpgIBxAg6yZcNSfo6PWVU9ACg6NMFO+yMzc2MaG+/naQdNjSewywF5j2rkNO2XOaViRVSrZroe2B/aY2LTV0jDl8nu5NOjwRs1/s7SLe5z1rw/X0dpmXk0qJY3gQhmR8HZZ1dhEkJUGwaBCPd0T8asSYf1Ag2rUD4aQ28r3q69mbwfWOOa6rMemVZruUV5dzHwVNVNtVv+ImtnYtz8m8g+K0plaGptHn3KsaOnASkh3tujhaE7kvc4HR9Igli9+76jhZie3h/dTN5zAAABFAAAAAxyc2Etc2hhMi01MTIAAAEAFuA+67KvnlmcodIp0Lv4mR9UW/CHghAaN1csBJTkI8mx3wXKyIPTsS2uXboEhWD0a7S9gps2SEwC5m6E3kV2Rzg7aH1S03GZqMvVlK2VHe7fzuoW2yOKk6yEPjeTF0pKCFbUQ6mce8pRpD/zdvjG0Z287XM3c3Axlrn7qq7TS0MDTjEZ/dsUNFHxep3co/HuAsWVWPVDItr/FPnvZ6WVH1yc8N/AJn0gLHobkGgug22vI9rNIge1wrnXxU9BUSouzkau/PQsrCQapnn+I1H7HaQt0wdk45nxMP+ags+HRI9qpX/p8WDn6+zpqYqN/nfw2aoytyaJqhsV32Teuqtrgg== rsa.pub
`),
}
diff --git a/ssh/transport.go b/ssh/transport.go
index da015801ea..0424d2d37c 100644
--- a/ssh/transport.go
+++ b/ssh/transport.go
@@ -49,6 +49,9 @@ type transport struct {
rand io.Reader
isClient bool
io.Closer
+
+ strictMode bool
+ initialKEXDone bool
}
// packetCipher represents a combination of SSH encryption/MAC
@@ -74,6 +77,18 @@ type connectionState struct {
pendingKeyChange chan packetCipher
}
+func (t *transport) setStrictMode() error {
+ if t.reader.seqNum != 1 {
+ return errors.New("ssh: sequence number != 1 when strict KEX mode requested")
+ }
+ t.strictMode = true
+ return nil
+}
+
+func (t *transport) setInitialKEXDone() {
+ t.initialKEXDone = true
+}
+
// prepareKeyChange sets up key material for a keychange. The key changes in
// both directions are triggered by reading and writing a msgNewKey packet
// respectively.
@@ -112,11 +127,12 @@ func (t *transport) printPacket(p []byte, write bool) {
// Read and decrypt next packet.
func (t *transport) readPacket() (p []byte, err error) {
for {
- p, err = t.reader.readPacket(t.bufReader)
+ p, err = t.reader.readPacket(t.bufReader, t.strictMode)
if err != nil {
break
}
- if len(p) == 0 || (p[0] != msgIgnore && p[0] != msgDebug) {
+ // in strict mode we pass through DEBUG and IGNORE packets only during the initial KEX
+ if len(p) == 0 || (t.strictMode && !t.initialKEXDone) || (p[0] != msgIgnore && p[0] != msgDebug) {
break
}
}
@@ -127,7 +143,7 @@ func (t *transport) readPacket() (p []byte, err error) {
return p, err
}
-func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
+func (s *connectionState) readPacket(r *bufio.Reader, strictMode bool) ([]byte, error) {
packet, err := s.packetCipher.readCipherPacket(s.seqNum, r)
s.seqNum++
if err == nil && len(packet) == 0 {
@@ -140,6 +156,9 @@ func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
select {
case cipher := <-s.pendingKeyChange:
s.packetCipher = cipher
+ if strictMode {
+ s.seqNum = 0
+ }
default:
return nil, errors.New("ssh: got bogus newkeys message")
}
@@ -170,10 +189,10 @@ func (t *transport) writePacket(packet []byte) error {
if debugTransport {
t.printPacket(packet, true)
}
- return t.writer.writePacket(t.bufWriter, t.rand, packet)
+ return t.writer.writePacket(t.bufWriter, t.rand, packet, t.strictMode)
}
-func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte) error {
+func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte, strictMode bool) error {
changeKeys := len(packet) > 0 && packet[0] == msgNewKeys
err := s.packetCipher.writeCipherPacket(s.seqNum, w, rand, packet)
@@ -188,6 +207,9 @@ func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []
select {
case cipher := <-s.pendingKeyChange:
s.packetCipher = cipher
+ if strictMode {
+ s.seqNum = 0
+ }
default:
panic("ssh: no key material for msgNewKeys")
}
diff --git a/x509roots/fallback/bundle.go b/x509roots/fallback/bundle.go
index bcde653c7f..a666f5f742 100644
--- a/x509roots/fallback/bundle.go
+++ b/x509roots/fallback/bundle.go
@@ -360,6 +360,55 @@ maHFCN795trV1lpFDMS3wrUU77QR/w4VtfX128a961qn8FYiqTxlVMYVqL2Gns2D
lmh6cYGJ4Qvh6hEbaAjMaZ7snkGeRDImeuKHCnE96+RapNLbxc3G3mB/ufNPRJLv
KrcYPqcZ2Qt9sTdBQrC6YB3y/gkRsPCHe6ed
-----END CERTIFICATE-----
+# CN=Atos TrustedRoot Root CA ECC TLS 2021,O=Atos,C=DE
+# b2fae53e14ccd7ab9212064701ae279c1d8988facb775fa8a008914e663988a8
+-----BEGIN CERTIFICATE-----
+MIICFTCCAZugAwIBAgIQPZg7pmY9kGP3fiZXOATvADAKBggqhkjOPQQDAzBMMS4w
+LAYDVQQDDCVBdG9zIFRydXN0ZWRSb290IFJvb3QgQ0EgRUNDIFRMUyAyMDIxMQ0w
+CwYDVQQKDARBdG9zMQswCQYDVQQGEwJERTAeFw0yMTA0MjIwOTI2MjNaFw00MTA0
+MTcwOTI2MjJaMEwxLjAsBgNVBAMMJUF0b3MgVHJ1c3RlZFJvb3QgUm9vdCBDQSBF
+Q0MgVExTIDIwMjExDTALBgNVBAoMBEF0b3MxCzAJBgNVBAYTAkRFMHYwEAYHKoZI
+zj0CAQYFK4EEACIDYgAEloZYKDcKZ9Cg3iQZGeHkBQcfl+3oZIK59sRxUM6KDP/X
+tXa7oWyTbIOiaG6l2b4siJVBzV3dscqDY4PMwL502eCdpO5KTlbgmClBk1IQ1SQ4
+AjJn8ZQSb+/Xxd4u/RmAo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR2
+KCXWfeBmmnoJsmo7jjPXNtNPojAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwMD
+aAAwZQIwW5kp85wxtolrbNa9d+F851F+uDrNozZffPc8dz7kUK2o59JZDCaOMDtu
+CCrCp1rIAjEAmeMM56PDr9NJLkaCI2ZdyQAUEv049OGYa3cpetskz2VAv9LcjBHo
+9H1/IISpQuQo
+-----END CERTIFICATE-----
+# CN=Atos TrustedRoot Root CA RSA TLS 2021,O=Atos,C=DE
+# 81a9088ea59fb364c548a6f85559099b6f0405efbf18e5324ec9f457ba00112f
+-----BEGIN CERTIFICATE-----
+MIIFZDCCA0ygAwIBAgIQU9XP5hmTC/srBRLYwiqipDANBgkqhkiG9w0BAQwFADBM
+MS4wLAYDVQQDDCVBdG9zIFRydXN0ZWRSb290IFJvb3QgQ0EgUlNBIFRMUyAyMDIx
+MQ0wCwYDVQQKDARBdG9zMQswCQYDVQQGEwJERTAeFw0yMTA0MjIwOTIxMTBaFw00
+MTA0MTcwOTIxMDlaMEwxLjAsBgNVBAMMJUF0b3MgVHJ1c3RlZFJvb3QgUm9vdCBD
+QSBSU0EgVExTIDIwMjExDTALBgNVBAoMBEF0b3MxCzAJBgNVBAYTAkRFMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtoAOxHm9BYx9sKOdTSJNy/BBl01Z
+4NH+VoyX8te9j2y3I49f1cTYQcvyAh5x5en2XssIKl4w8i1mx4QbZFc4nXUtVsYv
+Ye+W/CBGvevUez8/fEc4BKkbqlLfEzfTFRVOvV98r61jx3ncCHvVoOX3W3WsgFWZ
+kmGbzSoXfduP9LVq6hdKZChmFSlsAvFr1bqjM9xaZ6cF4r9lthawEO3NUDPJcFDs
+GY6wx/J0W2tExn2WuZgIWWbeKQGb9Cpt0xU6kGpn8bRrZtkh68rZYnxGEFzedUln
+nkL5/nWpo63/dgpnQOPF943HhZpZnmKaau1Fh5hnstVKPNe0OwANwI8f4UDErmwh
+3El+fsqyjW22v5MvoVw+j8rtgI5Y4dtXz4U2OLJxpAmMkokIiEjxQGMYsluMWuPD
+0xeqqxmjLBvk1cbiZnrXghmmOxYsL3GHX0WelXOTwkKBIROW1527k2gV+p2kHYzy
+geBYBr3JtuP2iV2J+axEoctr+hbxx1A9JNr3w+SH1VbxT5Aw+kUJWdo0zuATHAR8
+ANSbhqRAvNncTFd+rrcztl524WWLZt+NyteYr842mIycg5kDcPOvdO3GDjbnvezB
+c6eUWsuSZIKmAMFwoW4sKeFYV+xafJlrJaSQOoD0IJ2azsct+bJLKZWD6TWNp0lI
+pw9MGZHQ9b8Q4HECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
+dEmZ0f+0emhFdcN+tNzMzjkz2ggwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
+DAUAA4ICAQAjQ1MkYlxt/T7Cz1UAbMVWiLkO3TriJQ2VSpfKgInuKs1l+NsW4AmS
+4BjHeJi78+xCUvuppILXTdiK/ORO/auQxDh1MoSf/7OwKwIzNsAQkG8dnK/haZPs
+o0UvFJ/1TCplQ3IM98P4lYsU84UgYt1UU90s3BiVaU+DR3BAM1h3Egyi61IxHkzJ
+qM7F78PRreBrAwA0JrRUITWXAdxfG/F851X6LWh3e9NpzNMOa7pNdkTWwhWaJuyw
+xfW70Xp0wmzNxbVe9kzmWy2B27O3Opee7c9GslA9hGCZcbUztVdF5kJHdWoOsAgM
+rr3e97sPWD2PAzHoPYJQyi9eDF20l74gNAf0xBLh7tew2VktafcxBPTy+av5EzH4
+AXcOPUIjJsyacmdRIXrMPIWo6iFqO9taPKU0nprALN+AnCng33eU0aKAQv9qTFsR
+0PXNor6uzFFcw9VUewyu1rkGd4Di7wcaaMxZUa1+XGdrudviB0JbuAEFWDlN5LuY
+o7Ey7Nmj1m+UI/87tyll5gfp77YZ6ufCOB0yiJA8EytuzO+rdwY0d4RPcuSBhPm5
+dDTedk+SKlOxJTnbPP/lPqYO5Wue/9vsL3SD3460s6neFE3/MaNFcyT6lSnMEpcE
+oji2jbDwN/zIIX8/syQbPYtuzE2wFg2WHYMfRsCbvUOZ58SWLs5fyQ==
+-----END CERTIFICATE-----
# CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
# 57de0583efd2b26e0361da99da9df4648def7ee8441c3b728afa9bcde0f9b26a
-----BEGIN CERTIFICATE-----
@@ -397,43 +446,6 @@ f9DEMnDAGf/JOC0ULGb0QkTmVXYbgBVX/8Cnp6o5qtjTcNAuuuuUavpfNIbnYrX9
ivAwhZTJryQCL2/W3Wf+47BVTwSYT6RBVuKT0Gro1vP7ZeDOdcQxWQzugsgMYDNK
GbqEZycPvEJdvSRUDewdcAZfpLz6IHxV
-----END CERTIFICATE-----
-# CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
-# 04048028bf1f2864d48f9ad4d83294366a828856553f3b14303f90147f5d40ef
------BEGIN CERTIFICATE-----
-MIIGFDCCA/ygAwIBAgIIU+w77vuySF8wDQYJKoZIhvcNAQEFBQAwUTELMAkGA1UE
-BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1h
-cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0wOTA1MjAwODM4MTVaFw0zMDEy
-MzEwODM4MTVaMFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUg
-Q2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjgwggIi
-MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDDUtd9
-thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQM
-cas9UX4PB99jBVzpv5RvwSmCwLTaUbDBPLutN0pcyvFLNg4kq7/DhHf9qFD0sefG
-L9ItWY16Ck6WaVICqjaY7Pz6FIMMNx/Jkjd/14Et5cS54D40/mf0PmbR0/RAz15i
-NA9wBj4gGFrO93IbJWyTdBSTo3OxDqqHECNZXyAFGUftaI6SEspd/NYrspI8IM/h
-X68gvqB2f3bl7BqGYTM+53u0P6APjqK5am+5hyZvQWyIplD9amML9ZMWGxmPsu2b
-m8mQ9QEM3xk9Dz44I8kvjwzRAv4bVdZO0I08r0+k8/6vKtMFnXkIoctXMbScyJCy
-Z/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirja
-EbsXLZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/T
-KI8xWVvTyQKmtFLKbpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF
-6NkBiDkal4ZkQdU7hwxu+g/GvUgUvzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVh
-OSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYD
-VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRlzeurNR4APn7VdMActHNHDhpkLzCBpgYD
-VR0gBIGeMIGbMIGYBgRVHSAAMIGPMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LmZp
-cm1hcHJvZmVzaW9uYWwuY29tL2NwczBcBggrBgEFBQcCAjBQHk4AUABhAHMAZQBv
-ACAAZABlACAAbABhACAAQgBvAG4AYQBuAG8AdgBhACAANAA3ACAAQgBhAHIAYwBl
-AGwAbwBuAGEAIAAwADgAMAAxADcwDQYJKoZIhvcNAQEFBQADggIBABd9oPm03cXF
-661LJLWhAqvdpYhKsg9VSytXjDvlMd3+xDLx51tkljYyGOylMnfX40S2wBEqgLk9
-am58m9Ot/MPWo+ZkKXzR4Tgegiv/J2Wv+xYVxC5xhOW1//qkR71kMrv2JYSiJ0L1
-ILDCExARzRAVukKQKtJE4ZYm6zFIEv0q2skGz3QeqUvVhyj5eTSSPi5E6PaPT481
-PyWzOdxjKpBrIF/EUhJOlywqrJ2X3kjyo2bbwtKDlaZmp54lD+kLM5FlClrD2VQS
-3a/DTg4fJl4N3LON7NWBcN7STyQF82xO9UxJZo3R/9ILJUFI/lGExkKvgATP0H5k
-SeTy36LssUzAKh3ntLFlosS88Zj0qnAHY7S42jtM+kAiMFsRpvAFDsYCA0irhpuF
-3dvd6qJ2gHN99ZwExEWN57kci57q13XRcrHedUTnQn3iV2t93Jm8PYMo6oCTjcVM
-ZcFwgbg4/EMxsvYDNEeyrPsiBsse3RdHHF9mudMaotoRsaS8I8nkvof/uZS2+F0g
-StRf571oe2XyFR7SOqkt6dhrJKyXWERHrVkY8SFlcN7ONGCoQPHzPKTDKCOM/icz
-Q0CgFzzr6juwcqajuUpLXhZI9LK8yIySxZ2frHI2vDSANGupi5LAuBft7HZT9SQB
-jLMi6Et8Vcad+qMUu2WFbm5PEn4KPJ2V
------END CERTIFICATE-----
# CN=BJCA Global Root CA1,O=BEIJING CERTIFICATE AUTHORITY,C=CN
# f3896f88fe7c0a882766a7fa6ad2749fb57a7f3e98fb769c1fa7b09c2c44d5ae
-----BEGIN CERTIFICATE-----
@@ -943,6 +955,104 @@ qJZ9ZPskWkoDbGs4xugDQ5r3V7mzKWmTOPQD8rv7gmsHINFSH5pkAnuYZttcTVoP
0ISVoDwUQwbKytu4QTbaakRnh6+v40URFWkIsr4WOZckbxJF0WddCajJFdr60qZf
E2Efv4WstK2tBZQIgx51F9NxO5NQI1mg7TyRVJ12AMXDuDjb
-----END CERTIFICATE-----
+# CN=CommScope Public Trust ECC Root-01,O=CommScope,C=US
+# 11437cda7bb45e41365f45b39a38986b0de00def348e0c7bb0873633800bc38b
+-----BEGIN CERTIFICATE-----
+MIICHTCCAaOgAwIBAgIUQ3CCd89NXTTxyq4yLzf39H91oJ4wCgYIKoZIzj0EAwMw
+TjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwiQ29t
+bVNjb3BlIFB1YmxpYyBUcnVzdCBFQ0MgUm9vdC0wMTAeFw0yMTA0MjgxNzM1NDNa
+Fw00NjA0MjgxNzM1NDJaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21tU2Nv
+cGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgRUNDIFJvb3QtMDEw
+djAQBgcqhkjOPQIBBgUrgQQAIgNiAARLNumuV16ocNfQj3Rid8NeeqrltqLxeP0C
+flfdkXmcbLlSiFS8LwS+uM32ENEp7LXQoMPwiXAZu1FlxUOcw5tjnSCDPgYLpkJE
+hRGnSjot6dZoL0hOUysHP029uax3OVejQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYD
+VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSOB2LAUN3GGQYARnQE9/OufXVNMDAKBggq
+hkjOPQQDAwNoADBlAjEAnDPfQeMjqEI2Jpc1XHvr20v4qotzVRVcrHgpD7oh2MSg
+2NED3W3ROT3Ek2DS43KyAjB8xX6I01D1HiXo+k515liWpDVfG2XqYZpwI7UNo5uS
+Um9poIyNStDuiw7LR47QjRE=
+-----END CERTIFICATE-----
+# CN=CommScope Public Trust ECC Root-02,O=CommScope,C=US
+# 2ffb7f813bbbb3c89ab4e8162d0f16d71509a830cc9d73c262e5140875d1ad4a
+-----BEGIN CERTIFICATE-----
+MIICHDCCAaOgAwIBAgIUKP2ZYEFHpgE6yhR7H+/5aAiDXX0wCgYIKoZIzj0EAwMw
+TjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwiQ29t
+bVNjb3BlIFB1YmxpYyBUcnVzdCBFQ0MgUm9vdC0wMjAeFw0yMTA0MjgxNzQ0NTRa
+Fw00NjA0MjgxNzQ0NTNaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21tU2Nv
+cGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgRUNDIFJvb3QtMDIw
+djAQBgcqhkjOPQIBBgUrgQQAIgNiAAR4MIHoYx7l63FRD/cHB8o5mXxO1Q/MMDAL
+j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
+v4RDsNuESgMjGWdqb8FuvAY5N9GIIvejQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYD
+VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTmGHX/72DehKT1RsfeSlXjMjZ59TAKBggq
+hkjOPQQDAwNnADBkAjAmc0l6tqvmSfR9Uj/UQQSugEODZXW5hYA4O9Zv5JOGq4/n
+ich/m35rChJVYaoR4HkCMHfoMXGsPHED1oQmHhS48zs73u1Z/GtMMH9ZzkXpc2AV
+mkzw5l4lIhVtwodZ0LKOag==
+-----END CERTIFICATE-----
+# CN=CommScope Public Trust RSA Root-01,O=CommScope,C=US
+# 02bdf96e2a45dd9bf18fc7e1dbdf21a0379ba3c9c2610344cfd8d606fec1ed81
+-----BEGIN CERTIFICATE-----
+MIIFbDCCA1SgAwIBAgIUPgNJgXUWdDGOTKvVxZAplsU5EN0wDQYJKoZIhvcNAQEL
+BQAwTjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwi
+Q29tbVNjb3BlIFB1YmxpYyBUcnVzdCBSU0EgUm9vdC0wMTAeFw0yMTA0MjgxNjQ1
+NTRaFw00NjA0MjgxNjQ1NTNaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21t
+U2NvcGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgUlNBIFJvb3Qt
+MDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwSGWjDR1C45FtnYSk
+YZYSwu3D2iM0GXb26v1VWvZVAVMP8syMl0+5UMuzAURWlv2bKOx7dAvnQmtVzslh
+suitQDy6uUEKBU8bJoWPQ7VAtYXR1HHcg0Hz9kXHgKKEUJdGzqAMxGBWBB0HW0al
+DrJLpA6lfO741GIDuZNqihS4cPgugkY4Iw50x2tBt9Apo52AsH53k2NC+zSDO3Oj
+WiE260f6GBfZumbCk6SP/F2krfxQapWsvCQz0b2If4b19bJzKo98rwjyGpg/qYFl
+P8GMicWWMJoKz/TUyDTtnS+8jTiGU+6Xn6myY5QXjQ/cZip8UlF1y5mO6D1cv547
+KI2DAg+pn3LiLCuz3GaXAEDQpFSOm117RTYm1nJD68/A6g3czhLmfTifBSeolz7p
+UcZsBSjBAg/pGG3svZwG1KdJ9FQFa2ww8esD1eo9anbCyxooSU1/ZOD6K9pzg4H/
+kQO9lLvkuI6cMmPNn7togbGEW682v3fuHX/3SZtS7NJ3Wn2RnU3COS3kuoL4b/JO
+Hg9O5j9ZpSPcPYeoKFgo0fEbNttPxP/hjFtyjMcmAyejOQoBqsCyMWCDIqFPEgkB
+Ea801M/XrmLTBQe0MXXgDW1XT2mH+VepuhX2yFJtocucH+X8eKg1mp9BFM6ltM6U
+CBwJrVbl2rZJmkrqYxhTnCwuwwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G
+A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUN12mmnQywsL5x6YVEFm45P3luG0wDQYJ
+KoZIhvcNAQELBQADggIBAK+nz97/4L1CjU3lIpbfaOp9TSp90K09FlxD533Ahuh6
+NWPxzIHIxgvoLlI1pKZJkGNRrDSsBTtXAOnTYtPZKdVUvhwQkZyybf5Z/Xn36lbQ
+nmhUQo8mUuJM3y+Xpi/SB5io82BdS5pYV4jvguX6r2yBS5KPQJqTRlnLX3gWsWc+
+QgvfKNmwrZggvkN80V4aCRckjXtdlemrwWCrWxhkgPut4AZ9HcpZuPN4KWfGVh2v
+trV0KnahP/t1MJ+UXjulYPPLXAziDslg+MkfFoom3ecnf+slpoq9uC02EJqxWE2a
+aE9gVOX2RhOOiKy8IUISrcZKiX2bwdgt6ZYD9KJ0DLwAHb/WNyVntHKLr4W96ioD
+j8z7PEQkguIBpQtZtjSNMgsSDesnwv1B10A8ckYpwIzqug/xBpMu95yo9GA+o/E4
+Xo4TwbM6l4c/ksp4qRyv0LAbJh6+cOx69TOY6lz/KwsETkPdY34Op054A5U+1C0w
+lREQKC6/oAI+/15Z0wUOlV9TRe9rh9VIzRamloPh37MG88EU26fsHItdkJANclHn
+YfkUyq+Dj7+vsQpZXdxc1+SWrVtgHdqul7I52Qb1dgAT+GhMIbA1xNxVssnBQVoc
+icCMb3SgazNNtQEo/a2tiRc7ppqEvOuM6sRxJKi6KfkIsidWNTJf6jn7MZrVGczw
+-----END CERTIFICATE-----
+# CN=CommScope Public Trust RSA Root-02,O=CommScope,C=US
+# ffe943d793424b4f7c440c1c3d648d5363f34b82dc87aa7a9f118fc5dee101f1
+-----BEGIN CERTIFICATE-----
+MIIFbDCCA1SgAwIBAgIUVBa/O345lXGN0aoApYYNK496BU4wDQYJKoZIhvcNAQEL
+BQAwTjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwi
+Q29tbVNjb3BlIFB1YmxpYyBUcnVzdCBSU0EgUm9vdC0wMjAeFw0yMTA0MjgxNzE2
+NDNaFw00NjA0MjgxNzE2NDJaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21t
+U2NvcGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgUlNBIFJvb3Qt
+MDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDh+g77aAASyE3VrCLE
+NQE7xVTlWXZjpX/rwcRqmL0yjReA61260WI9JSMZNRTpf4mnG2I81lDnNJUDMrG0
+kyI9p+Kx7eZ7Ti6Hmw0zdQreqjXnfuU2mKKuJZ6VszKWpCtYHu8//mI0SFHRtI1C
+rWDaSWqVcN3SAOLMV2MCe5bdSZdbkk6V0/nLKR8YSvgBKtJjCW4k6YnS5cciTNxz
+hkcAqg2Ijq6FfUrpuzNPDlJwnZXjfG2WWy09X6GDRl224yW4fKcZgBzqZUPckXk2
+LHR88mcGyYnJ27/aaL8j7dxrrSiDeS/sOKUNNwFnJ5rpM9kzXzehxfCrPfp4sOcs
+n/Y+n2Dg70jpkEUeBVF4GiwSLFworA2iI540jwXmojPOEXcT1A6kHkIfhs1w/tku
+FT0du7jyU1fbzMZ0KZwYszZ1OC4PVKH4kh+Jlk+71O6d6Ts2QrUKOyrUZHk2EOH5
+kQMreyBUzQ0ZGshBMjTRsJnhkB4BQDa1t/qp5Xd1pCKBXbCL5CcSD1SIxtuFdOa3
+wNemKfrb3vOTlycEVS8KbzfFPROvCgCpLIscgSjX74Yxqa7ybrjKaixUR9gqiC6v
+wQcQeKwRoi9C8DfF8rhW3Q5iLc4tVn5V8qdE9isy9COoR+jUKgF4z2rDN6ieZdIs
+5fq6M8EGRPbmz6UNp2YINIos8wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G
+A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUR9DnsSL/nSz12Vdgs7GxcJXvYXowDQYJ
+KoZIhvcNAQELBQADggIBAIZpsU0v6Z9PIpNojuQhmaPORVMbc0RTAIFhzTHjCLqB
+KCh6krm2qMhDnscTJk3C2OVVnJJdUNjCK9v+5qiXz1I6JMNlZFxHMaNlNRPDk7n3
++VGXu6TwYofF1gbTl4MgqX67tiHCpQ2EAOHyJxCDut0DgdXdaMNmEMjRdrSzbyme
+APnCKfWxkxlSaRosTKCL4BWaMS/TiJVZbuXEs1DIFAhKm4sTg7GkcrI7djNB3Nyq
+pgdvHSQSn8h2vS/ZjvQs7rfSOBAkNlEv41xdgSGn2rtO/+YHqP65DSdsu3BaVXoT
+6fEqSWnHX4dXTEN5bTpl6TBcQe7rd6VzEojov32u5cSoHw2OHG1QAk8mGEPej1WF
+sQs3BWDJVTkSBKEqz3EWnzZRSb9wO55nnPt7eck5HHisd5FUmrh1CoFSl+NmYWvt
+PjgelmFV4ZFUjO2MJB+ByRCac5krFk5yAD9UG/iNuovnFNa2RU9g7Jauwy8CTl2d
+lklyALKrdVwPaFsdZcJfMw8eD/A7hvWwTruc9+olBdytoptLFwG+Qt81IR2tq670
+v64fG9PiO/yzcnMcmyiQiRM9HcEARwmWmjgb3bHPDcK0RPOWlc4yOo80nOAXx17O
+rg3bhzjlP1v9mxnhMUF6cKojawHhRUzNlM47ni3niAIi9G7oyOzWPPO5std3eqx7
+-----END CERTIFICATE-----
# CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE
# e59aaa816009c22bff5b25bad37df306f049797c1f81d85ab089e657bd8f0044
-----BEGIN CERTIFICATE-----
@@ -1275,99 +1385,6 @@ r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
/YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm
gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
-----END CERTIFICATE-----
-# CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.,L=Ankara,C=TR
-# b0bfd52bb0d7d9bd92bf5d4dc13da255c02c542f378365ea893911f55e55f23c
------BEGIN CERTIFICATE-----
-MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV
-BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC
-aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV
-BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1
-Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz
-MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+
-BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp
-em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN
-ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY
-B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH
-D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF
-Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo
-q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D
-k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH
-fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut
-dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM
-ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8
-zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn
-rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX
-U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6
-Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5
-XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF
-Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR
-HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY
-GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c
-77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3
-+GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK
-vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6
-FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl
-yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P
-AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD
-y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d
-NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA==
------END CERTIFICATE-----
-# CN=E-Tugra Global Root CA ECC v3,OU=E-Tugra Trust Center,O=E-Tugra EBG A.S.,L=Ankara,C=TR
-# 873f4685fa7f563625252e6d36bcd7f16fc24951f264e47e1b954f4908cdca13
------BEGIN CERTIFICATE-----
-MIICpTCCAiqgAwIBAgIUJkYZdzHhT28oNt45UYbm1JeIIsEwCgYIKoZIzj0EAwMw
-gYAxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHEwZBbmthcmExGTAXBgNVBAoTEEUtVHVn
-cmEgRUJHIEEuUy4xHTAbBgNVBAsTFEUtVHVncmEgVHJ1c3QgQ2VudGVyMSYwJAYD
-VQQDEx1FLVR1Z3JhIEdsb2JhbCBSb290IENBIEVDQyB2MzAeFw0yMDAzMTgwOTQ2
-NThaFw00NTAzMTIwOTQ2NThaMIGAMQswCQYDVQQGEwJUUjEPMA0GA1UEBxMGQW5r
-YXJhMRkwFwYDVQQKExBFLVR1Z3JhIEVCRyBBLlMuMR0wGwYDVQQLExRFLVR1Z3Jh
-IFRydXN0IENlbnRlcjEmMCQGA1UEAxMdRS1UdWdyYSBHbG9iYWwgUm9vdCBDQSBF
-Q0MgdjMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASOmCm/xxAeJ9urA8woLNheSBkQ
-KczLWYHMjLiSF4mDKpL2w6QdTGLVn9agRtwcvHbB40fQWxPa56WzZkjnIZpKT4YK
-fWzqTTKACrJ6CZtpS5iB4i7sAnCWH/31Rs7K3IKjYzBhMA8GA1UdEwEB/wQFMAMB
-Af8wHwYDVR0jBBgwFoAU/4Ixcj75xGZsrTie0bBRiKWQzPUwHQYDVR0OBBYEFP+C
-MXI++cRmbK04ntGwUYilkMz1MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNp
-ADBmAjEA5gVYaWHlLcoNy/EZCL3W/VGSGn5jVASQkZo1kTmZ+gepZpO6yGjUij/6
-7W4WAie3AjEA3VoXK3YdZUKWpqxdinlW2Iob35reX8dQj7FbcQwm32pAAOwzkSFx
-vmjkI6TZraE3
------END CERTIFICATE-----
-# CN=E-Tugra Global Root CA RSA v3,OU=E-Tugra Trust Center,O=E-Tugra EBG A.S.,L=Ankara,C=TR
-# ef66b0b10a3cdb9f2e3648c76bd2af18ead2bfe6f117655e28c4060da1a3f4c2
------BEGIN CERTIFICATE-----
-MIIF8zCCA9ugAwIBAgIUDU3FzRYilZYIfrgLfxUGNPt5EDQwDQYJKoZIhvcNAQEL
-BQAwgYAxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHEwZBbmthcmExGTAXBgNVBAoTEEUt
-VHVncmEgRUJHIEEuUy4xHTAbBgNVBAsTFEUtVHVncmEgVHJ1c3QgQ2VudGVyMSYw
-JAYDVQQDEx1FLVR1Z3JhIEdsb2JhbCBSb290IENBIFJTQSB2MzAeFw0yMDAzMTgw
-OTA3MTdaFw00NTAzMTIwOTA3MTdaMIGAMQswCQYDVQQGEwJUUjEPMA0GA1UEBxMG
-QW5rYXJhMRkwFwYDVQQKExBFLVR1Z3JhIEVCRyBBLlMuMR0wGwYDVQQLExRFLVR1
-Z3JhIFRydXN0IENlbnRlcjEmMCQGA1UEAxMdRS1UdWdyYSBHbG9iYWwgUm9vdCBD
-QSBSU0EgdjMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCiZvCJt3J7
-7gnJY9LTQ91ew6aEOErxjYG7FL1H6EAX8z3DeEVypi6Q3po61CBxyryfHUuXCscx
-uj7X/iWpKo429NEvx7epXTPcMHD4QGxLsqYxYdE0PD0xesevxKenhOGXpOhL9hd8
-7jwH7eKKV9y2+/hDJVDqJ4GohryPUkqWOmAalrv9c/SF/YP9f4RtNGx/ardLAQO/
-rWm31zLZ9Vdq6YaCPqVmMbMWPcLzJmAy01IesGykNz709a/r4d+ABs8qQedmCeFL
-l+d3vSFtKbZnwy1+7dZ5ZdHPOrbRsV5WYVB6Ws5OUDGAA5hH5+QYfERaxqSzO8bG
-wzrwbMOLyKSRBfP12baqBqG3q+Sx6iEUXIOk/P+2UNOMEiaZdnDpwA+mdPy70Bt4
-znKS4iicvObpCdg604nmvi533wEKb5b25Y08TVJ2Glbhc34XrD2tbKNSEhhw5oBO
-M/J+JjKsBY04pOZ2PJ8QaQ5tndLBeSBrW88zjdGUdjXnXVXHt6woq0bM5zshtQoK
-5EpZ3IE1S0SVEgpnpaH/WwAH0sDM+T/8nzPyAPiMbIedBi3x7+PmBvrFZhNb/FAH
-nnGGstpvdDDPk1Po3CLW3iAfYY2jLqN4MpBs3KwytQXk9TwzDdbgh3cXTJ2w2Amo
-DVf3RIXwyAS+XF1a4xeOVGNpf0l0ZAWMowIDAQABo2MwYTAPBgNVHRMBAf8EBTAD
-AQH/MB8GA1UdIwQYMBaAFLK0ruYt9ybVqnUtdkvAG1Mh0EjvMB0GA1UdDgQWBBSy
-tK7mLfcm1ap1LXZLwBtTIdBI7zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEL
-BQADggIBAImocn+M684uGMQQgC0QDP/7FM0E4BQ8Tpr7nym/Ip5XuYJzEmMmtcyQ
-6dIqKe6cLcwsmb5FJ+Sxce3kOJUxQfJ9emN438o2Fi+CiJ+8EUdPdk3ILY7r3y18
-Tjvarvbj2l0Upq7ohUSdBm6O++96SmotKygY/r+QLHUWnw/qln0F7psTpURs+APQ
-3SPh/QMSEgj0GDSz4DcLdxEBSL9htLX4GdnLTeqjjO/98Aa1bZL0SmFQhO3sSdPk
-vmjmLuMxC1QLGpLWgti2omU8ZgT5Vdps+9u1FGZNlIM7zR6mK7L+d0CGq+ffCsn9
-9t2HVhjYsCxVYJb6CH5SkPVLpi6HfMsg2wY+oF0Dd32iPBMbKaITVaA9FCKvb7jQ
-mhty3QUBjYZgv6Rn7rWlDdF/5horYmbDB7rnoEgcOMPpRfunf/ztAmgayncSd6YA
-VSgU7NbHEqIbZULpkejLPoeJVF3Zr52XnGnnCv8PWniLYypMfUeUP95L6VPQMPHF
-9p5J3zugkaOj/s1YzOrfr28oO6Bpm4/srK4rVJ2bBLFHIK+WEj5jlB0E5y67hscM
-moi/dkfv97ALl2bSRM9gUgfh1SxKOidhd8rXj+eHDjD/DLsE4mHDosiXYY60MGo8
-bcIHX0pzLz/5FooBZu+6kcpSV3uu1OYP3Qt6f4ueJiDPO++BcYNZ
------END CERTIFICATE-----
# CN=Entrust Root Certification Authority - EC1,OU=See www.entrust.net/legal-terms+OU=(c) 2012 Entrust\, Inc. - for authorized use only,O=Entrust\, Inc.,C=US
# 02ed0eb28c14da45165c566791700d6451d7fb56f0b2ab1d3b8eb070e56edff5
-----BEGIN CERTIFICATE-----
@@ -1997,28 +2014,6 @@ kkVbbiVghUbN0aqwdmaTd5a+g744tiROJgvM7XpWGuDpWsZkrUx6AEhEL7lAuxM+
vhV4nYWBSipX3tUZQ9rbyltHhoMLP7YNdnhzeSJesYAfz77RP1YQmCuVh6EfnWQU
YDksswBVLuT1sw5XxJFBAJw/6KXf6vb/yPCtbVKoF6ubYfwSUTXkJf2vqmqGOQ==
-----END CERTIFICATE-----
-# CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
-# f9e67d336c51002ac054c632022d66dda2e7e3fff10ad061ed31d8bbb410cfb2
------BEGIN CERTIFICATE-----
-MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsx
-FjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg
-Um9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkG
-A1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr
-b25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQ
-jVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEn
-PzlTCeqrauh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjh
-ZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9
-nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3v/evt3a5pQuEF10Q6m/h
-q5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgED
-MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9legYsC
-mEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI3
-7piol7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clB
-oiMBdDhViw+5LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJs
-EhTkYY2sEJCehFC78JZvRZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpO
-fMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbi
-AmvZWg==
------END CERTIFICATE-----
# CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
# 5a2fc03f0c83b090bbfa40604b0988446c7636183df9846e17101a447fb8efd6
-----BEGIN CERTIFICATE-----
@@ -2668,6 +2663,56 @@ nLwsoFvVagCvXzfh1foQC5ichucmj87w7G6KVwuA406ywKBjYZC6VWg3dGq2ktuf
oYYitmUnDuy2n0Jg5GfCtdpBC8TTi2EbvPofkSvXRAdeuims2cXp71NIWuuA8ShY
Ic2wBlX7Jz9TkHCpBB5XJ7k=
-----END CERTIFICATE-----
+# CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US
+# c32ffd9f46f936d16c3673990959434b9ad60aafbb9e7cf33654f144cc1ba143
+-----BEGIN CERTIFICATE-----
+MIICOjCCAcCgAwIBAgIQFAP1q/s3ixdAW+JDsqXRxDAKBggqhkjOPQQDAzBOMQsw
+CQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSUwIwYDVQQDDBxT
+U0wuY29tIFRMUyBFQ0MgUm9vdCBDQSAyMDIyMB4XDTIyMDgyNTE2MzM0OFoXDTQ2
+MDgxOTE2MzM0N1owTjELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD1NTTCBDb3Jwb3Jh
+dGlvbjElMCMGA1UEAwwcU1NMLmNvbSBUTFMgRUNDIFJvb3QgQ0EgMjAyMjB2MBAG
+ByqGSM49AgEGBSuBBAAiA2IABEUpNXP6wrgjzhR9qLFNoFs27iosU8NgCTWyJGYm
+acCzldZdkkAZDsalE3D07xJRKF3nzL35PIXBz5SQySvOkkJYWWf9lCcQZIxPBLFN
+SeR7T5v15wj4A4j3p8OSSxlUgaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME
+GDAWgBSJjy+j6CugFFR781a4Jl9nOAuc0DAdBgNVHQ4EFgQUiY8vo+groBRUe/NW
+uCZfZzgLnNAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2gAMGUCMFXjIlbp
+15IkWE8elDIPDAI2wv2sdDJO4fscgIijzPvX6yv/N33w7deedWo1dlJF4AIxAMeN
+b0Igj762TVntd00pxCAgRWSGOlDGxK0tk/UYfXLtqc/ErFc2KAhl3zx5Zn6g6g==
+-----END CERTIFICATE-----
+# CN=SSL.com TLS RSA Root CA 2022,O=SSL Corporation,C=US
+# 8faf7d2e2cb4709bb8e0b33666bf75a5dd45b5de480f8ea8d4bfe6bebc17f2ed
+-----BEGIN CERTIFICATE-----
+MIIFiTCCA3GgAwIBAgIQb77arXO9CEDii02+1PdbkTANBgkqhkiG9w0BAQsFADBO
+MQswCQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSUwIwYDVQQD
+DBxTU0wuY29tIFRMUyBSU0EgUm9vdCBDQSAyMDIyMB4XDTIyMDgyNTE2MzQyMloX
+DTQ2MDgxOTE2MzQyMVowTjELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD1NTTCBDb3Jw
+b3JhdGlvbjElMCMGA1UEAwwcU1NMLmNvbSBUTFMgUlNBIFJvb3QgQ0EgMjAyMjCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANCkCXJPQIgSYT41I57u9nTP
+L3tYPc48DRAokC+X94xI2KDYJbFMsBFMF3NQ0CJKY7uB0ylu1bUJPiYYf7ISf5OY
+t6/wNr/y7hienDtSxUcZXXTzZGbVXcdotL8bHAajvI9AI7YexoS9UcQbOcGV0ins
+S657Lb85/bRi3pZ7QcacoOAGcvvwB5cJOYF0r/c0WRFXCsJbwST0MXMwgsadugL3
+PnxEX4MN8/HdIGkWCVDi1FW24IBydm5MR7d1VVm0U3TZlMZBrViKMWYPHqIbKUBO
+L9975hYsLfy/7PO0+r4Y9ptJ1O4Fbtk085zx7AGL0SDGD6C1vBdOSHtRwvzpXGk3
+R2azaPgVKPC506QVzFpPulJwoxJF3ca6TvvC0PeoUidtbnm1jPx7jMEWTO6Af77w
+dr5BUxIzrlo4QqvXDz5BjXYHMtWrifZOZ9mxQnUjbvPNQrL8VfVThxc7wDNY8VLS
++YCk8OjwO4s4zKTGkH8PnP2L0aPP2oOnaclQNtVcBdIKQXTbYxE3waWglksejBYS
+d66UNHsef8JmAOSqg+qKkK3ONkRN0VHpvB/zagX9wHQfJRlAUW7qglFA35u5CCoG
+AtUjHBPW6dvbxrB6y3snm/vg1UYk7RBLY0ulBY+6uB0rpvqR4pJSvezrZ5dtmi2f
+gTIFZzL7SAg/2SW4BCUvAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0j
+BBgwFoAU+y437uOEeicuzRk1sTN8/9REQrkwHQYDVR0OBBYEFPsuN+7jhHonLs0Z
+NbEzfP/UREK5MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAjYlt
+hEUY8U+zoO9opMAdrDC8Z2awms22qyIZZtM7QbUQnRC6cm4pJCAcAZli05bg4vsM
+QtfhWsSWTVTNj8pDU/0quOr4ZcoBwq1gaAafORpR2eCNJvkLTqVTJXojpBzOCBvf
+R4iyrT7gJ4eLSYwfqUdYe5byiB0YrrPRpgqU+tvT5TgKa3kSM/tKWTcWQA673vWJ
+DPFs0/dRa1419dvAJuoSc06pkZCmF8NsLzjUo3KUQyxi4U5cMj29TH0ZR6LDSeeW
+P4+a0zvkEdiLA9z2tmBVGKaBUfPhqBVq6+AL8BQx1rmMRTqoENjwuSfr98t67wVy
+lrXEj5ZzxOhWc5y8aVFjvO9nHEMaX3cZHxj4HCUp+UmZKbaSPaKDN7EgkaibMOlq
+bLQjk2UEqxHzDh1TJElTHaE/nUiSEeJ9DU/1172iWD54nR4fK/4huxoTtrEoZP2w
+AgDHbICivRZQIA9ygV/MlP+7mea6kMvq+cYMwq7FGc4zoWtcu358NFcXrfA/rs3q
+r5nsLFR+jM4uElZI7xc7P0peYNLcdDa8pUNjyw9bowJWCZ4kLOGGgYz+qxcs+sji
+Mho6/4UIyYOf8kpIEFR3N+2ivEC+5BB09+Rbu7nzifmPQdjH5FCQNYA+HLhNkNPU
+98OwoX6EyneSMSy4kLGCenROmxMmtNVQZlR4rmA=
+-----END CERTIFICATE-----
# CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
# a1339d33281a0b56e557d3d32b1ce7f9367eb094bd5fa72a7e5004c8ded7cafe
-----BEGIN CERTIFICATE-----
@@ -2691,6 +2736,56 @@ oky4rc/hkA/NrgrHXXu3UNLUYfrVFdvXn4dRVOul4+vJhaAlIDf7js4MNIThPIGy
d05DpYhfhmehPea0XGG2Ptv+tyjFogeutcrKjSoS75ftwjCkySp6+/NNIxuZMzSg
LvWpCz/UXeHPhJ/iGcJfitYgHuNztw==
-----END CERTIFICATE-----
+# CN=Sectigo Public Server Authentication Root E46,O=Sectigo Limited,C=GB
+# c90f26f0fb1b4018b22227519b5ca2b53e2ca5b3be5cf18efe1bef47380c5383
+-----BEGIN CERTIFICATE-----
+MIICOjCCAcGgAwIBAgIQQvLM2htpN0RfFf51KBC49DAKBggqhkjOPQQDAzBfMQsw
+CQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1T
+ZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBFNDYwHhcN
+MjEwMzIyMDAwMDAwWhcNNDYwMzIxMjM1OTU5WjBfMQswCQYDVQQGEwJHQjEYMBYG
+A1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1TZWN0aWdvIFB1YmxpYyBT
+ZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBFNDYwdjAQBgcqhkjOPQIBBgUrgQQA
+IgNiAAR2+pmpbiDt+dd34wc7qNs9Xzjoq1WmVk/WSOrsfy2qw7LFeeyZYX8QeccC
+WvkEN/U0NSt3zn8gj1KjAIns1aeibVvjS5KToID1AZTc8GgHHs3u/iVStSBDHBv+
+6xnOQ6OjQjBAMB0GA1UdDgQWBBTRItpMWfFLXyY4qp3W7usNw/upYTAOBgNVHQ8B
+Af8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNnADBkAjAn7qRa
+qCG76UeXlImldCBteU/IvZNeWBj7LRoAasm4PdCkT0RHlAFWovgzJQxC36oCMB3q
+4S6ILuH5px0CMk7yn2xVdOOurvulGu7t0vzCAxHrRVxgED1cf5kDW21USAGKcw==
+-----END CERTIFICATE-----
+# CN=Sectigo Public Server Authentication Root R46,O=Sectigo Limited,C=GB
+# 7bb647a62aeeac88bf257aa522d01ffea395e0ab45c73f93f65654ec38f25a06
+-----BEGIN CERTIFICATE-----
+MIIFijCCA3KgAwIBAgIQdY39i658BwD6qSWn4cetFDANBgkqhkiG9w0BAQwFADBf
+MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQD
+Ey1TZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBSNDYw
+HhcNMjEwMzIyMDAwMDAwWhcNNDYwMzIxMjM1OTU5WjBfMQswCQYDVQQGEwJHQjEY
+MBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1TZWN0aWdvIFB1Ymxp
+YyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBSNDYwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCTvtU2UnXYASOgHEdCSe5jtrch/cSV1UgrJnwUUxDa
+ef0rty2k1Cz66jLdScK5vQ9IPXtamFSvnl0xdE8H/FAh3aTPaE8bEmNtJZlMKpnz
+SDBh+oF8HqcIStw+KxwfGExxqjWMrfhu6DtK2eWUAtaJhBOqbchPM8xQljeSM9xf
+iOefVNlI8JhD1mb9nxc4Q8UBUQvX4yMPFF1bFOdLvt30yNoDN9HWOaEhUTCDsG3X
+ME6WW5HwcCSrv0WBZEMNvSE6Lzzpng3LILVCJ8zab5vuZDCQOc2TZYEhMbUjUDM3
+IuM47fgxMMxF/mL50V0yeUKH32rMVhlATc6qu/m1dkmU8Sf4kaWD5QazYw6A3OAS
+VYCmO2a0OYctyPDQ0RTp5A1NDvZdV3LFOxxHVp3i1fuBYYzMTYCQNFu31xR13NgE
+SJ/AwSiItOkcyqex8Va3e0lMWeUgFaiEAin6OJRpmkkGj80feRQXEgyDet4fsZfu
++Zd4KKTIRJLpfSYFplhym3kT2BFfrsU4YjRosoYwjviQYZ4ybPUHNs2iTG7sijbt
+8uaZFURww3y8nDnAtOFr94MlI1fZEoDlSfB1D++N6xybVCi0ITz8fAr/73trdf+L
+HaAZBav6+CuBQug4urv7qv094PPK306Xlynt8xhW6aWWrL3DkJiy4Pmi1KZHQ3xt
+zwIDAQABo0IwQDAdBgNVHQ4EFgQUVnNYZJX5khqwEioEYnmhQBWIIUkwDgYDVR0P
+AQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAC9c
+mTz8Bl6MlC5w6tIyMY208FHVvArzZJ8HXtXBc2hkeqK5Duj5XYUtqDdFqij0lgVQ
+YKlJfp/imTYpE0RHap1VIDzYm/EDMrraQKFz6oOht0SmDpkBm+S8f74TlH7Kph52
+gDY9hAaLMyZlbcp+nv4fjFg4exqDsQ+8FxG75gbMY/qB8oFM2gsQa6H61SilzwZA
+Fv97fRheORKkU55+MkIQpiGRqRxOF3yEvJ+M0ejf5lG5Nkc/kLnHvALcWxxPDkjB
+JYOcCj+esQMzEhonrPcibCTRAUH4WAP+JWgiH5paPHxsnnVI84HxZmduTILA7rpX
+DhjvLpr3Etiga+kFpaHpaPi8TD8SHkXoUsCjvxInebnMMTzD9joiFgOgyY9mpFui
+TdaBJQbpdqQACj7LzTWb4OE4y2BThihCQRxEV+ioratF4yUQvNs+ZUH7G6aXD+u5
+dHn5HrwdVw1Hr8Mvn4dGp+smWg9WY7ViYG4A++MnESLn/pmPNPW56MORcr3Ywx65
+LvKRRFHQV80MNNVIIb/bE/FmJUNS0nAiNs2fxBx1IK1jcmMGDw4nztJqDby1ORrp
+0XZ60Vzk50lJLVU3aPAaOpg+VBeHVOmmJ1CJeyAvP/+/oYtKR5j/K3tJPsMpRmAY
+QqszKbrAKbkTidOIijlBO8n9pu0f9GBj39ItVQGL
+-----END CERTIFICATE-----
# CN=Secure Global CA,O=SecureTrust Corporation,C=US
# 4200f5043ac8590ebb527d209ed1503029fbcbd41ca1b506ec27f15ade7dac69
-----BEGIN CERTIFICATE-----
@@ -3067,6 +3162,58 @@ lhh9DrUUOYTxKOkto557HnpyWoOzeW/vtPzQCqVYT0bf+215WfKEIlKuD8z7fDvn
aspHYcN6+NOSBB+4IIThNlQWx0DeO4pz3N/GCUzf7Nr/1FNCocnyYh0igzyXxfkZ
YiesZSLX0zzG5Y6yU8xJzrww/nsOM5D77dIUkR8Hrw==
-----END CERTIFICATE-----
+# CN=Telekom Security TLS ECC Root 2020,O=Deutsche Telekom Security GmbH,C=DE
+# 578af4ded0853f4e5998db4aeaf9cbea8d945f60b620a38d1a3c13b2bc7ba8e1
+-----BEGIN CERTIFICATE-----
+MIICQjCCAcmgAwIBAgIQNjqWjMlcsljN0AFdxeVXADAKBggqhkjOPQQDAzBjMQsw
+CQYDVQQGEwJERTEnMCUGA1UECgweRGV1dHNjaGUgVGVsZWtvbSBTZWN1cml0eSBH
+bWJIMSswKQYDVQQDDCJUZWxla29tIFNlY3VyaXR5IFRMUyBFQ0MgUm9vdCAyMDIw
+MB4XDTIwMDgyNTA3NDgyMFoXDTQ1MDgyNTIzNTk1OVowYzELMAkGA1UEBhMCREUx
+JzAlBgNVBAoMHkRldXRzY2hlIFRlbGVrb20gU2VjdXJpdHkgR21iSDErMCkGA1UE
+AwwiVGVsZWtvbSBTZWN1cml0eSBUTFMgRUNDIFJvb3QgMjAyMDB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABM6//leov9Wq9xCazbzREaK9Z0LMkOsVGJDZos0MKiXrPk/O
+tdKPD/M12kOLAoC+b1EkHQ9rK8qfwm9QMuU3ILYg/4gND21Ju9sGpIeQkpT0CdDP
+f8iAC8GXs7s1J8nCG6NCMEAwHQYDVR0OBBYEFONyzG6VmUex5rNhTNHLq+O6zd6f
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2cA
+MGQCMHVSi7ekEE+uShCLsoRbQuHmKjYC2qBuGT8lv9pZMo7k+5Dck2TOrbRBR2Di
+z6fLHgIwN0GMZt9Ba9aDAEH9L1r3ULRn0SyocddDypwnJJGDSA3PzfdUga/sf+Rn
+27iQ7t0l
+-----END CERTIFICATE-----
+# CN=Telekom Security TLS RSA Root 2023,O=Deutsche Telekom Security GmbH,C=DE
+# efc65cadbb59adb6efe84da22311b35624b71b3b1ea0da8b6655174ec8978646
+-----BEGIN CERTIFICATE-----
+MIIFszCCA5ugAwIBAgIQIZxULej27HF3+k7ow3BXlzANBgkqhkiG9w0BAQwFADBj
+MQswCQYDVQQGEwJERTEnMCUGA1UECgweRGV1dHNjaGUgVGVsZWtvbSBTZWN1cml0
+eSBHbWJIMSswKQYDVQQDDCJUZWxla29tIFNlY3VyaXR5IFRMUyBSU0EgUm9vdCAy
+MDIzMB4XDTIzMDMyODEyMTY0NVoXDTQ4MDMyNzIzNTk1OVowYzELMAkGA1UEBhMC
+REUxJzAlBgNVBAoMHkRldXRzY2hlIFRlbGVrb20gU2VjdXJpdHkgR21iSDErMCkG
+A1UEAwwiVGVsZWtvbSBTZWN1cml0eSBUTFMgUlNBIFJvb3QgMjAyMzCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAO01oYGA88tKaVvC+1GDrib94W7zgRJ9
+cUD/h3VCKSHtgVIs3xLBGYSJwb3FKNXVS2xE1kzbB5ZKVXrKNoIENqil/Cf2SfHV
+cp6R+SPWcHu79ZvB7JPPGeplfohwoHP89v+1VmLhc2o0mD6CuKyVU/QBoCcHcqMA
+U6DksquDOFczJZSfvkgdmOGjup5czQRxUX11eKvzWarE4GC+j4NSuHUaQTXtvPM6
+Y+mpFEXX5lLRbtLevOP1Czvm4MS9Q2QTps70mDdsipWol8hHD/BeEIvnHRz+sTug
+BTNoBUGCwQMrAcjnj02r6LX2zWtEtefdi+zqJbQAIldNsLGyMcEWzv/9FIS3R/qy
+8XDe24tsNlikfLMR0cN3f1+2JeANxdKz+bi4d9s3cXFH42AYTyS2dTd4uaNir73J
+co4vzLuu2+QVUhkHM/tqty1LkCiCc/4YizWN26cEar7qwU02OxY2kTLvtkCJkUPg
+8qKrBC7m8kwOFjQgrIfBLX7JZkcXFBGk8/ehJImr2BrIoVyxo/eMbcgByU/J7MT8
+rFEz0ciD0cmfHdRHNCk+y7AO+oMLKFjlKdw/fKifybYKu6boRhYPluV75Gp6SG12
+mAWl3G0eQh5C2hrgUve1g8Aae3g1LDj1H/1Joy7SWWO/gLCMk3PLNaaZlSJhZQNg
++y+TS/qanIA7AgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUtqeX
+gj10hZv3PJ+TmpV5dVKMbUcwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBS2
+p5eCPXSFm/c8n5OalXl1UoxtRzANBgkqhkiG9w0BAQwFAAOCAgEAqMxhpr51nhVQ
+pGv7qHBFfLp+sVr8WyP6Cnf4mHGCDG3gXkaqk/QeoMPhk9tLrbKmXauw1GLLXrtm
+9S3ul0A8Yute1hTWjOKWi0FpkzXmuZlrYrShF2Y0pmtjxrlO8iLpWA1WQdH6DErw
+M807u20hOq6OcrXDSvvpfeWxm4bu4uB9tPcy/SKE8YXJN3nptT+/XOR0so8RYgDd
+GGah2XsjX/GO1WfoVNpbOms2b/mBsTNHM3dA+VKq3dSDz4V4mZqTuXNnQkYRIer+
+CqkbGmVps4+uFrb2S1ayLfmlyOw7YqPta9BO1UAJpB+Y1zqlklkg5LB9zVtzaL1t
+xKITDmcZuI1CfmwMmm6gJC3VRRvcxAIU/oVbZZfKTpBQCHpCNfnqwmbU+AGuHrS+
+w6jv/naaoqYfRvaE7fzbzsQCzndILIyy7MMAo+wsVRjBfhnu4S/yrYObnqsZ38aK
+L4x35bcF7DvB7L6Gs4a8wPfc5+pbrrLMtTWGS9DiP7bY+A4A7l3j941Y/8+LN+lj
+X273CXE2whJdV/LItM3z7gLfEdxquVeEHVlNjM7IDiPCtyaaEBRx/pOyiriA8A4Q
+ntOoUAw3gi/q4Iqd4Sw5/7W0cwDk90imc6y/st53BIe0o82bNSQ3+pCTE4FCxpgm
+dTdmQRCsu/WU48IxK63nI1bMNSWSs1A=
+-----END CERTIFICATE-----
# CN=Telia Root CA v2,O=Telia Finland Oyj,C=FI
# 242b69742fcb1e5b2abf98898b94572187544e5b4d9911786573621f6a74b82c
-----BEGIN CERTIFICATE-----
@@ -3133,6 +3280,58 @@ t88NkvuOGKmYSdGe/mBEciG5Ge3C9THxOUiIkCR1VBatzvT4aRRkOfujuLpwQMcn
HL/EVlP6Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVx
SK236thZiNSQvxaz2emsWWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY=
-----END CERTIFICATE-----
+# CN=TrustAsia Global Root CA G3,O=TrustAsia Technologies\, Inc.,C=CN
+# e0d3226aeb1163c2e48ff9be3b50b4c6431be7bb1eacc5c36b5d5ec509039a08
+-----BEGIN CERTIFICATE-----
+MIIFpTCCA42gAwIBAgIUZPYOZXdhaqs7tOqFhLuxibhxkw8wDQYJKoZIhvcNAQEM
+BQAwWjELMAkGA1UEBhMCQ04xJTAjBgNVBAoMHFRydXN0QXNpYSBUZWNobm9sb2dp
+ZXMsIEluYy4xJDAiBgNVBAMMG1RydXN0QXNpYSBHbG9iYWwgUm9vdCBDQSBHMzAe
+Fw0yMTA1MjAwMjEwMTlaFw00NjA1MTkwMjEwMTlaMFoxCzAJBgNVBAYTAkNOMSUw
+IwYDVQQKDBxUcnVzdEFzaWEgVGVjaG5vbG9naWVzLCBJbmMuMSQwIgYDVQQDDBtU
+cnVzdEFzaWEgR2xvYmFsIFJvb3QgQ0EgRzMwggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQDAMYJhkuSUGwoqZdC+BqmHO1ES6nBBruL7dOoKjbmzTNyPtxNS
+T1QY4SxzlZHFZjtqz6xjbYdT8PfxObegQ2OwxANdV6nnRM7EoYNl9lA+sX4WuDqK
+AtCWHwDNBSHvBm3dIZwZQ0WhxeiAysKtQGIXBsaqvPPW5vxQfmZCHzyLpnl5hkA1
+nyDvP+uLRx+PjsXUjrYsyUQE49RDdT/VP68czH5GX6zfZBCK70bwkPAPLfSIC7Ep
+qq+FqklYqL9joDiR5rPmd2jE+SoZhLsO4fWvieylL1AgdB4SQXMeJNnKziyhWTXA
+yB1GJ2Faj/lN03J5Zh6fFZAhLf3ti1ZwA0pJPn9pMRJpxx5cynoTi+jm9WAPzJMs
+hH/x/Gr8m0ed262IPfN2dTPXS6TIi/n1Q1hPy8gDVI+lhXgEGvNz8teHHUGf59gX
+zhqcD0r83ERoVGjiQTz+LISGNzzNPy+i2+f3VANfWdP3kXjHi3dqFuVJhZBFcnAv
+kV34PmVACxmZySYgWmjBNb9Pp1Hx2BErW+Canig7CjoKH8GB5S7wprlppYiU5msT
+f9FkPz2ccEblooV7WIQn3MSAPmeamseaMQ4w7OYXQJXZRe0Blqq/DPNL0WP3E1jA
+uPP6Z92bfW1K/zJMtSU7/xxnD4UiWQWRkUF3gdCFTIcQcf+eQxuulXUtgQIDAQAB
+o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFEDk5PIj7zjKsK5Xf/Ih
+MBY027ySMB0GA1UdDgQWBBRA5OTyI+84yrCuV3/yITAWNNu8kjAOBgNVHQ8BAf8E
+BAMCAQYwDQYJKoZIhvcNAQEMBQADggIBACY7UeFNOPMyGLS0XuFlXsSUT9SnYaP4
+wM8zAQLpw6o1D/GUE3d3NZ4tVlFEbuHGLige/9rsR82XRBf34EzC4Xx8MnpmyFq2
+XFNFV1pF1AWZLy4jVe5jaN/TG3inEpQGAHUNcoTpLrxaatXeL1nHo+zSh2bbt1S1
+JKv0Q3jbSwTEb93mPmY+KfJLaHEih6D4sTNjduMNhXJEIlU/HHzp/LgV6FL6qj6j
+ITk1dImmasI5+njPtqzn59ZW/yOSLlALqbUHM/Q4X6RJpstlcHboCoWASzY9M/eV
+VHUl2qzEc4Jl6VL1XP04lQJqaTDFHApXB64ipCz5xUG3uOyfT0gA+QEEVcys+TIx
+xHWVBqB/0Y0n3bOppHKH/lmLmnp0Ft0WpWIp6zqW3IunaFnT63eROfjXy9mPX1on
+AX1daBli2MjN9LdyR75bl87yraKZk62Uy5P2EgmVtqvXO9A/EcswFi55gORngS1d
+7XB4tmBZrOFdRWOPyN9yaFvqHbgB8X7754qz41SgOAngPN5C8sLtLpvzHzW2Ntjj
+gKGLzZlkD8Kqq7HK9W+eQ42EVJmzbsASZthwEPEGNTNDqJwuuhQxzhB/HIbjj9LV
++Hfsm6vxL2PZQl/gZ4FkkfGXL/xuJvYz+NO1+MRiqzFRJQJ6+N1rZdVtTTDIZbpo
+FGWsJwt0ivKH
+-----END CERTIFICATE-----
+# CN=TrustAsia Global Root CA G4,O=TrustAsia Technologies\, Inc.,C=CN
+# be4b56cb5056c0136a526df444508daa36a0b54f42e4ac38f72af470e479654c
+-----BEGIN CERTIFICATE-----
+MIICVTCCAdygAwIBAgIUTyNkuI6XY57GU4HBdk7LKnQV1tcwCgYIKoZIzj0EAwMw
+WjELMAkGA1UEBhMCQ04xJTAjBgNVBAoMHFRydXN0QXNpYSBUZWNobm9sb2dpZXMs
+IEluYy4xJDAiBgNVBAMMG1RydXN0QXNpYSBHbG9iYWwgUm9vdCBDQSBHNDAeFw0y
+MTA1MjAwMjEwMjJaFw00NjA1MTkwMjEwMjJaMFoxCzAJBgNVBAYTAkNOMSUwIwYD
+VQQKDBxUcnVzdEFzaWEgVGVjaG5vbG9naWVzLCBJbmMuMSQwIgYDVQQDDBtUcnVz
+dEFzaWEgR2xvYmFsIFJvb3QgQ0EgRzQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATx
+s8045CVD5d4ZCbuBeaIVXxVjAd7Cq92zphtnS4CDr5nLrBfbK5bKfFJV4hrhPVbw
+LxYI+hW8m7tH5j/uqOFMjPXTNvk4XatwmkcN4oFBButJ+bAp3TPsUKV/eSm4IJij
+YzBhMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUpbtKl86zK3+kMd6Xg1mD
+pm9xy94wHQYDVR0OBBYEFKW7SpfOsyt/pDHel4NZg6ZvccveMA4GA1UdDwEB/wQE
+AwIBBjAKBggqhkjOPQQDAwNnADBkAjBe8usGzEkxn0AAbbd+NvBNEU/zy4k6LHiR
+UKNbwMp1JvK/kF0LgoxgKJ/GcJpo5PECMFxYDlZ2z1jD1xCMuo6u47xkdUfFVZDj
+/bpV6wfEU6s3qe4hsiFbYI89MvHVI5TWWA==
+-----END CERTIFICATE-----
# CN=Trustwave Global Certification Authority,O=Trustwave Holdings\, Inc.,L=Chicago,ST=Illinois,C=US
# 97552015f5ddfc3c8788c006944555408894450084f100867086bc1a2bb58dc8
-----BEGIN CERTIFICATE-----
@@ -3593,28 +3792,6 @@ HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
ReYNnyicsbkqWletNw+vHX/bvZ8=
-----END CERTIFICATE-----
-# OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
-# e75e72ed9f560eec6eb4800073a43fc3ad19195a392282017895974a99026b6c
------BEGIN CERTIFICATE-----
-MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY
-MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t
-dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5
-WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD
-VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8
-9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ
-DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9
-Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N
-QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ
-xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G
-A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T
-AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG
-kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr
-Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5
-Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU
-JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot
-RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw==
------END CERTIFICATE-----
# OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP
# 513b2cecb810d4cde5dd85391adfc6c2dd60d87bb736d2b521484aa47a0ebef6
-----BEGIN CERTIFICATE-----
diff --git a/x509roots/gen_fallback_bundle.go b/x509roots/gen_fallback_bundle.go
index c22d1b0c38..ffea49b1e8 100644
--- a/x509roots/gen_fallback_bundle.go
+++ b/x509roots/gen_fallback_bundle.go
@@ -3,7 +3,6 @@
// license that can be found in the LICENSE file.
//go:build generate
-// +build generate
//go:generate go run gen_fallback_bundle.go
@@ -18,6 +17,7 @@ import (
"go/format"
"io"
"log"
+ "mime"
"net/http"
"os"
"sort"
@@ -87,6 +87,16 @@ func main() {
log.Fatalf("failed to request %q: %s", *certDataURL, err)
}
defer resp.Body.Close()
+ if resp.StatusCode != http.StatusOK {
+ body, _ := io.ReadAll(io.LimitReader(resp.Body, 4<<10))
+ log.Fatalf("got non-200 OK status code: %v body: %q", resp.Status, body)
+ } else if ct, want := resp.Header.Get("Content-Type"), `text/plain; charset="UTF-8"`; ct != want {
+ if mediaType, _, err := mime.ParseMediaType(ct); err != nil {
+ log.Fatalf("bad Content-Type header %q: %v", ct, err)
+ } else if mediaType != "text/plain" {
+ log.Fatalf("got media type %q, want %q", mediaType, "text/plain")
+ }
+ }
certdata = resp.Body
}
@@ -95,6 +105,10 @@ func main() {
log.Fatalf("failed to parse %q: %s", *certDataPath, err)
}
+ if len(certs) == 0 {
+ log.Fatal("certdata.txt appears to contain zero roots")
+ }
+
sort.Slice(certs, func(i, j int) bool {
// Sort based on the stringified subject (which may not be unique), and
// break any ties by just sorting on the raw DER (which will be unique,