2019-10-30 03:34:09 +00:00
|
|
|
package xsnet
|
2018-01-09 04:23:19 +00:00
|
|
|
|
2019-10-30 03:34:09 +00:00
|
|
|
// Copyright (c) 2017-2019 Russell Magee
|
2018-04-07 20:04:10 +00:00
|
|
|
// Licensed under the terms of the MIT license (see LICENSE.mit in this
|
|
|
|
// distribution)
|
|
|
|
//
|
|
|
|
// golang implementation by Russ Magee (rmagee_at_gmail.com)
|
|
|
|
|
2018-01-09 07:08:58 +00:00
|
|
|
/* Support functions to set up encryption once an HKEx Conn has been
|
2018-01-13 18:01:27 +00:00
|
|
|
established with FA exchange and support channel operations
|
|
|
|
(echo, file-copy, remote-cmd, ...) */
|
2018-01-09 07:08:58 +00:00
|
|
|
|
2018-01-09 04:23:19 +00:00
|
|
|
import (
|
2018-02-17 02:43:37 +00:00
|
|
|
"crypto"
|
2018-01-09 04:23:19 +00:00
|
|
|
"crypto/aes"
|
|
|
|
"crypto/cipher"
|
2018-02-17 02:46:29 +00:00
|
|
|
"encoding/hex"
|
2018-04-28 23:05:33 +00:00
|
|
|
"errors"
|
2018-01-09 04:23:19 +00:00
|
|
|
"fmt"
|
2018-02-17 02:43:37 +00:00
|
|
|
"hash"
|
2018-01-21 04:37:27 +00:00
|
|
|
"log"
|
2018-01-12 03:42:42 +00:00
|
|
|
|
2019-09-27 16:44:57 +00:00
|
|
|
"blitter.com/go/cryptmt"
|
2020-02-22 01:21:19 +00:00
|
|
|
"github.com/aead/chacha20/chacha"
|
2018-01-12 07:01:39 +00:00
|
|
|
"golang.org/x/crypto/blowfish"
|
2018-01-12 03:42:42 +00:00
|
|
|
"golang.org/x/crypto/twofish"
|
2019-09-27 16:44:57 +00:00
|
|
|
|
2018-02-17 02:43:37 +00:00
|
|
|
// hash algos must be manually imported thusly:
|
|
|
|
// (Would be nice if the golang pkg docs were more clear
|
|
|
|
// on this...)
|
|
|
|
_ "crypto/sha256"
|
2018-09-30 07:19:25 +00:00
|
|
|
_ "crypto/sha512"
|
2018-01-09 04:23:19 +00:00
|
|
|
)
|
|
|
|
|
2018-10-19 20:51:57 +00:00
|
|
|
// Expand keymat, if necessary, to a minimum of 2x(blocksize).
|
|
|
|
// Keymat is used for initial key and the IV, hence the 2x.
|
|
|
|
// This is occasionally necessary for smaller modes of KEX algorithms
|
|
|
|
// (eg., KEX_HERRADURA256); perhaps an indication these should be
|
|
|
|
// avoided in favour of larger modes.
|
2018-10-24 07:15:33 +00:00
|
|
|
//
|
|
|
|
// This is used for block ciphers; stream ciphers should do their
|
|
|
|
// own key expansion.
|
2018-10-19 20:51:57 +00:00
|
|
|
func expandKeyMat(keymat []byte, blocksize int) []byte {
|
|
|
|
if len(keymat) < 2*blocksize {
|
|
|
|
halg := crypto.SHA256
|
|
|
|
mc := halg.New()
|
|
|
|
if !halg.Available() {
|
|
|
|
log.Fatal("hash not available!")
|
|
|
|
}
|
|
|
|
_, _ = mc.Write(keymat)
|
|
|
|
var xpand []byte
|
|
|
|
xpand = mc.Sum(xpand)
|
|
|
|
keymat = append(keymat, xpand...)
|
|
|
|
log.Println("[NOTE: keymat short - applying key expansion using SHA256]")
|
|
|
|
}
|
|
|
|
return keymat
|
|
|
|
}
|
|
|
|
|
2018-01-09 07:08:58 +00:00
|
|
|
/* Support functionality to set up encryption after a channel has
|
2019-10-30 03:34:09 +00:00
|
|
|
been negotiated via xsnet.go
|
2018-01-09 04:23:19 +00:00
|
|
|
*/
|
2020-07-22 04:52:58 +00:00
|
|
|
func (hc *Conn) getStream(keymat []byte) (rc cipher.Stream, mc hash.Hash, err error) {
|
2018-01-09 04:23:19 +00:00
|
|
|
var key []byte
|
|
|
|
var block cipher.Block
|
2018-02-17 02:46:29 +00:00
|
|
|
var iv []byte
|
2018-01-12 07:01:39 +00:00
|
|
|
var ivlen int
|
2018-01-09 04:23:19 +00:00
|
|
|
|
2018-01-12 03:42:42 +00:00
|
|
|
copts := hc.cipheropts & 0xFF
|
2018-01-12 07:01:39 +00:00
|
|
|
// TODO: each cipher alg case should ensure len(keymat.Bytes())
|
|
|
|
// is >= 2*cipher.BlockSize (enough for both key and iv)
|
2018-01-12 03:42:42 +00:00
|
|
|
switch copts {
|
2018-01-13 06:13:01 +00:00
|
|
|
case CAlgAES256:
|
2018-10-19 20:51:57 +00:00
|
|
|
keymat = expandKeyMat(keymat, aes.BlockSize)
|
2018-10-11 04:12:38 +00:00
|
|
|
key = keymat[0:aes.BlockSize]
|
2018-01-09 07:08:58 +00:00
|
|
|
block, err = aes.NewCipher(key)
|
2018-01-12 07:01:39 +00:00
|
|
|
ivlen = aes.BlockSize
|
2018-10-11 04:12:38 +00:00
|
|
|
iv = keymat[aes.BlockSize : aes.BlockSize+ivlen]
|
2018-02-17 02:43:37 +00:00
|
|
|
rc = cipher.NewOFB(block, iv)
|
2018-01-21 04:37:27 +00:00
|
|
|
log.Printf("[cipher AES_256 (%d)]\n", copts)
|
2018-01-13 06:13:01 +00:00
|
|
|
case CAlgTwofish128:
|
2018-10-19 20:51:57 +00:00
|
|
|
keymat = expandKeyMat(keymat, twofish.BlockSize)
|
2018-10-11 04:12:38 +00:00
|
|
|
key = keymat[0:twofish.BlockSize]
|
2018-01-12 03:42:42 +00:00
|
|
|
block, err = twofish.NewCipher(key)
|
2018-01-12 07:01:39 +00:00
|
|
|
ivlen = twofish.BlockSize
|
2018-10-11 04:12:38 +00:00
|
|
|
iv = keymat[twofish.BlockSize : twofish.BlockSize+ivlen]
|
2018-02-17 02:43:37 +00:00
|
|
|
rc = cipher.NewOFB(block, iv)
|
2018-01-21 04:37:27 +00:00
|
|
|
log.Printf("[cipher TWOFISH_128 (%d)]\n", copts)
|
2018-01-13 06:13:01 +00:00
|
|
|
case CAlgBlowfish64:
|
2018-10-19 20:51:57 +00:00
|
|
|
keymat = expandKeyMat(keymat, blowfish.BlockSize)
|
2018-10-11 04:12:38 +00:00
|
|
|
key = keymat[0:blowfish.BlockSize]
|
2018-01-12 07:01:39 +00:00
|
|
|
block, err = blowfish.NewCipher(key)
|
|
|
|
ivlen = blowfish.BlockSize
|
|
|
|
// N.b. Bounds enforcement of differing cipher algorithms
|
|
|
|
// ------------------------------------------------------
|
|
|
|
// cipher/aes and x/cipher/twofish appear to allow one to
|
|
|
|
// pass an iv larger than the blockSize harmlessly to
|
|
|
|
// cipher.NewOFB(); x/cipher/blowfish implementation will
|
|
|
|
// segfault here if len(iv) is not exactly blowfish.BlockSize.
|
|
|
|
//
|
|
|
|
// I assume the other two check bounds and only
|
|
|
|
// copy what's needed whereas blowfish does no such check.
|
2018-10-11 04:12:38 +00:00
|
|
|
iv = keymat[blowfish.BlockSize : blowfish.BlockSize+ivlen]
|
2018-02-17 02:43:37 +00:00
|
|
|
rc = cipher.NewOFB(block, iv)
|
2018-01-21 04:37:27 +00:00
|
|
|
log.Printf("[cipher BLOWFISH_64 (%d)]\n", copts)
|
2018-10-24 07:15:33 +00:00
|
|
|
case CAlgCryptMT1:
|
2020-02-07 02:56:36 +00:00
|
|
|
rc = cryptmt.New(nil, nil, keymat)
|
2018-10-24 07:15:33 +00:00
|
|
|
log.Printf("[cipher CRYPTMT1 (%d)]\n", copts)
|
2020-02-22 01:21:19 +00:00
|
|
|
case CAlgChaCha20_12:
|
|
|
|
keymat = expandKeyMat(keymat, chacha.KeySize)
|
|
|
|
key = keymat[0:chacha.KeySize]
|
|
|
|
ivlen = chacha.INonceSize
|
|
|
|
iv = keymat[chacha.KeySize : chacha.KeySize+ivlen]
|
|
|
|
rc, err = chacha.NewCipher(iv, key, 20)
|
|
|
|
if err != nil {
|
|
|
|
log.Printf("[ChaCha20 config error]\n")
|
|
|
|
fmt.Printf("[ChaCha20 config error]\n")
|
|
|
|
}
|
|
|
|
// TODO: SetCounter() to something derived from key or nonce or extra keymat?
|
|
|
|
log.Printf("[cipher CHACHA20_12 (%d)]\n", copts)
|
2018-01-09 04:23:19 +00:00
|
|
|
default:
|
2018-01-21 04:37:27 +00:00
|
|
|
log.Printf("[invalid cipher (%d)]\n", copts)
|
2018-01-12 03:42:42 +00:00
|
|
|
fmt.Printf("DOOFUS SET A VALID CIPHER ALG (%d)\n", copts)
|
2018-04-28 23:05:33 +00:00
|
|
|
err = errors.New("hkexchan: INVALID CIPHER ALG")
|
|
|
|
//os.Exit(1)
|
2018-01-09 07:08:58 +00:00
|
|
|
}
|
|
|
|
|
2018-01-12 03:42:42 +00:00
|
|
|
hopts := (hc.cipheropts >> 8) & 0xFF
|
|
|
|
switch hopts {
|
2018-01-13 06:13:01 +00:00
|
|
|
case HmacSHA256:
|
2018-02-17 02:43:37 +00:00
|
|
|
log.Printf("[hash HmacSHA256 (%d)]\n", hopts)
|
|
|
|
halg := crypto.SHA256
|
|
|
|
mc = halg.New()
|
|
|
|
if !halg.Available() {
|
|
|
|
log.Fatal("hash not available!")
|
|
|
|
}
|
2018-09-30 07:19:25 +00:00
|
|
|
case HmacSHA512:
|
|
|
|
log.Printf("[hash HmacSHA512 (%d)]\n", hopts)
|
|
|
|
halg := crypto.SHA512
|
|
|
|
mc = halg.New()
|
|
|
|
if !halg.Available() {
|
|
|
|
log.Fatal("hash not available!")
|
|
|
|
}
|
2018-01-12 03:42:42 +00:00
|
|
|
default:
|
2018-01-21 04:37:27 +00:00
|
|
|
log.Printf("[invalid hmac (%d)]\n", hopts)
|
2018-01-12 03:42:42 +00:00
|
|
|
fmt.Printf("DOOFUS SET A VALID HMAC ALG (%d)\n", hopts)
|
2018-04-28 23:05:33 +00:00
|
|
|
err = errors.New("hkexchan: INVALID HMAC ALG")
|
|
|
|
return
|
|
|
|
//os.Exit(1)
|
2018-01-12 03:42:42 +00:00
|
|
|
}
|
|
|
|
|
2018-01-09 07:08:58 +00:00
|
|
|
if err != nil {
|
2018-04-28 23:05:33 +00:00
|
|
|
// Feed the IV into the hmac: all traffic in the connection must
|
|
|
|
// feed its data into the hmac afterwards, so both ends can xor
|
|
|
|
// that with the stream to detect corruption.
|
|
|
|
_, _ = mc.Write(iv)
|
|
|
|
var currentHash []byte
|
|
|
|
currentHash = mc.Sum(currentHash)
|
|
|
|
log.Printf("Channel init hmac(iv):%s\n", hex.EncodeToString(currentHash))
|
2018-01-09 04:23:19 +00:00
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|