// xsnet.go - net.Conn compatible channel setup with encrypted/HMAC // negotiation // Copyright (c) 2017-2020 Russell Magee // Licensed under the terms of the MIT license (see LICENSE.mit in this // distribution) // // golang implementation by Russ Magee (rmagee_at_gmail.com) package xsnet // Implementation of key-exchange-wrapped versions of the golang standard // net package interfaces, allowing clients and servers to simply replace // 'net.Dial' and 'net.Listen' with 'hkex.Dial' and 'hkex.Listen' // (though some extra methods are implemented and must be used // for things outside of the scope of plain sockets). // DESIGN PRINCIPLE: There shall be no protocol features which enable // downgrade attacks. The server shall have final authority to accept or // reject any and all proposed KEx and connection parameters proposed by // clients at setup. Action on denial shall be a simple server disconnect // with possibly a status code sent so client can determine why connection // was denied (compare to how failed auth is communicated to client). import ( "bytes" "crypto/cipher" crand "crypto/rand" "encoding/binary" "encoding/hex" "errors" "fmt" "hash" "io" "io/ioutil" "log" "math/big" "math/rand" "net" "strings" "sync" "time" hkex "blitter.com/go/herradurakex" "blitter.com/go/kyber" "blitter.com/go/newhope" "blitter.com/go/xs/logger" frodo "github.com/kuking/go-frodokem" ) /*---------------------------------------------------------------------*/ const PAD_SZ = 32 // max size of padding applied to each packet const HMAC_CHK_SZ = 8 // leading bytes of HMAC to xmit for verification type ( WinSize struct { Rows uint16 Cols uint16 } // chaffconfig captures attributes used to send chaff packets betwixt // client and server connections, to obscure true traffic timing and // patterns // see: https://en.wikipedia.org/wiki/chaff_(countermeasure) ChaffConfig struct { shutdown bool //set to inform chaffHelper to shut down msecsMin uint //msecs min interval msecsMax uint //msecs max interval szMax uint // max size in bytes } // Conn is a connection wrapping net.Conn with KEX & session state Conn struct { kex KEXAlg // KEX/KEM proposal (client -> server) m *sync.Mutex // (internal) c *net.Conn // which also implements io.Reader, io.Writer, ... logCipherText bool // somewhat expensive, for debugging logPlainText bool // INSECURE and somewhat expensive, for debugging logTunActivity bool cipheropts uint32 // post-KEx cipher/hmac options opts uint32 // post-KEx protocol options (caller-defined) WinCh chan WinSize Rows uint16 Cols uint16 keepalive uint // if this reaches zero, conn is considered dead rekey uint // if nonzero, rekeying interval in seconds Pproc int // proc ID of command run on this conn chaff ChaffConfig tuns *map[uint16](*TunEndpoint) closeStat *CSOType // close status (CSOExitStatus) r cipher.Stream //read cipherStream rm hash.Hash w cipher.Stream //write cipherStream wm hash.Hash dBuf *bytes.Buffer //decrypt buffer for Read() } ) var ( Log *logger.Writer // reg. syslog output (no -d) ) // Return string (suitable as map key) for a tunnel endpoint func (t *TunEndpoint) String() string { return fmt.Sprintf("[%d:%s:%d]", t.Lport, t.Peer, t.Rport) } func (k *KEXAlg) String() string { switch *k { case KEX_HERRADURA256: return "KEX_HERRADURA256" case KEX_HERRADURA512: return "KEX_HERRADURA512" case KEX_HERRADURA1024: return "KEX_HERRADURA1024" case KEX_HERRADURA2048: return "KEX_HERRADURA2048" case KEX_KYBER512: return "KEX_KYBER512" case KEX_KYBER768: return "KEX_KYBER768" case KEX_KYBER1024: return "KEX_KYBER1024" case KEX_NEWHOPE: return "KEX_NEWHOPE" case KEX_NEWHOPE_SIMPLE: return "KEX_NEWHOPE_SIMPLE" case KEX_FRODOKEM_1344AES: return "KEX_FRODOKEM_1344AES" case KEX_FRODOKEM_1344SHAKE: return "KEX_FRODOKEM_1344SHAKE" case KEX_FRODOKEM_976AES: return "KEX_FRODOKEM_976AES" case KEX_FRODOKEM_976SHAKE: return "KEX_FRODOKEM_976SHAKE" default: return "KEX_ERR_UNK" } } func (hc *Conn) CAlg() CSCipherAlg { return CSCipherAlg(hc.cipheropts & 0x0FF) } func (c *CSCipherAlg) String() string { switch *c & 0x0FF { case CAlgAES256: return "C_AES_256" case CAlgTwofish128: return "C_TWOFISH_128" case CAlgBlowfish64: return "C_BLOWFISH_64" case CAlgCryptMT1: return "C_CRYPTMT1" case CAlgHopscotch: return "C_HOPSCOTCH" case CAlgChaCha20_12: return "C_CHACHA20_12" default: return "C_ERR_UNK" } } func (hc *Conn) HAlg() CSHmacAlg { return CSHmacAlg((hc.cipheropts >> 8) & 0x0FF) } func (h *CSHmacAlg) String() string { switch *h & 0x0FF { case HmacSHA256: return "H_SHA256" case HmacSHA512: return "H_SHA512" case HmacWHIRLPOOL: return "H_WHIRLPOOL" default: return "H_ERR_UNK" } } func _initLogging(d bool, c string, f logger.Priority) { if Log == nil { Log, _ = logger.New(f, fmt.Sprintf("%s:xsnet", c)) } if d { log.SetFlags(0) // syslog will have date,time log.SetOutput(Log) } else { log.SetOutput(ioutil.Discard) } } func Init(d bool, c string, f logger.Priority) { _initLogging(d, c, f) } func (hc *Conn) Lock() { hc.m.Lock() } func (hc *Conn) Unlock() { hc.m.Unlock() } func (hc *Conn) KEX() KEXAlg { return hc.kex } func (hc *Conn) GetStatus() CSOType { return *hc.closeStat } func (hc *Conn) SetStatus(stat CSOType) { *hc.closeStat = stat log.Println("closeStat:", *hc.closeStat) } // ConnOpts returns the cipher/hmac options value, which is sent to the // peer but is not itself part of the KEx. // // (Used for protocol-level negotiations after KEx such as // cipher/HMAC algorithm options etc.) func (hc *Conn) ConnOpts() uint32 { return hc.cipheropts } // SetConnOpts sets the cipher/hmac options value, which is sent to the // peer as part of KEx but not part of the KEx itself. // // opts - bitfields for cipher and hmac alg. to use after KEx func (hc *Conn) SetConnOpts(copts uint32) { hc.cipheropts = copts } // Opts returns the protocol options value, which is sent to the peer // but is not itself part of the KEx or connection (cipher/hmac) setup. // // Consumers of this lib may use this for protocol-level options not part // of the KEx or encryption info used by the connection. func (hc *Conn) Opts() uint32 { return hc.opts } // SetOpts sets the protocol options value, which is sent to the peer // but is not itself part of the KEx or connection (cipher/hmac) setup. // // Consumers of this lib may use this for protocol-level options not part // of the KEx of encryption info used by the connection. // // opts - a uint32, caller-defined func (hc *Conn) SetOpts(opts uint32) { hc.opts = opts } // Return a new xsnet.Conn // // Note this is internal: use Dial() or Accept() func _new(kexAlg KEXAlg, conn *net.Conn) (hc *Conn, e error) { // Set up stuff common to all KEx/KEM types hc = &Conn{kex: kexAlg, m: &sync.Mutex{}, c: conn, closeStat: new(CSOType), WinCh: make(chan WinSize, 1), dBuf: new(bytes.Buffer)} tempMap := make(map[uint16]*TunEndpoint) hc.tuns = &tempMap // Set up KEx/KEM-specifics switch kexAlg { case KEX_HERRADURA256: fallthrough case KEX_HERRADURA512: fallthrough case KEX_HERRADURA1024: fallthrough case KEX_HERRADURA2048: fallthrough case KEX_KYBER512: fallthrough case KEX_KYBER768: fallthrough case KEX_KYBER1024: fallthrough case KEX_NEWHOPE: fallthrough case KEX_NEWHOPE_SIMPLE: fallthrough case KEX_FRODOKEM_1344AES: fallthrough case KEX_FRODOKEM_1344SHAKE: fallthrough case KEX_FRODOKEM_976AES: fallthrough case KEX_FRODOKEM_976SHAKE: //log.Printf("[KEx alg %d is valid]\n", kexAlg) default: // UNREACHABLE: _getkexalgnum() guarantees a valid KEX value hc.kex = KEX_HERRADURA512 log.Printf("[KEx alg %d ?? defaults to %d]\n", kexAlg, hc.kex) } //hc.logCipherText = true // !!! DEBUGGING ONLY !!! NEVER DEPLOY this uncommented !!! return } // applyConnExtensions processes optional Dial() negotiation // parameters. See also getkexalgnum(). // // # Currently defined extension values // // # KEx algs // // KEX_HERRADURA256 KEX_HERRADURA512 KEX_HERRADURA1024 KEX_HERRADURA2048 // // KEX_KYBER512 KEX_KYBER768 KEX_KYBER1024 // // KEX_NEWHOPE KEX_NEWHOPE_SIMPLE // // # Session (symmetric) crypto // // C_AES_256 C_TWOFISH_128 C_BLOWFISH_128 C_CRYPTMT1 C_CHACHA20_12 C_HOPSCOTCH // // # Session HMACs // // H_SHA256 H_SHA512 func (hc *Conn) applyConnExtensions(extensions ...string) { for _, s := range extensions { switch s { case "C_AES_256": log.Println("[extension arg = C_AES_256]") hc.cipheropts &= (0xFFFFFF00) hc.cipheropts |= CAlgAES256 case "C_TWOFISH_128": log.Println("[extension arg = C_TWOFISH_128]") hc.cipheropts &= (0xFFFFFF00) hc.cipheropts |= CAlgTwofish128 case "C_BLOWFISH_64": log.Println("[extension arg = C_BLOWFISH_64]") hc.cipheropts &= (0xFFFFFF00) hc.cipheropts |= CAlgBlowfish64 case "C_CRYPTMT1": log.Println("[extension arg = C_CRYPTMT1]") hc.cipheropts &= (0xFFFFFF00) hc.cipheropts |= CAlgCryptMT1 case "C_HOPSCOTCH": log.Println("[extension arg = C_HOPSCOTCH]") hc.cipheropts &= (0xFFFFFF00) hc.cipheropts |= CAlgHopscotch case "C_CHACHA20_12": log.Println("[extension arg = C_CHACHA20_12]") hc.cipheropts &= (0xFFFFFF00) hc.cipheropts |= CAlgChaCha20_12 case "H_SHA256": log.Println("[extension arg = H_SHA256]") hc.cipheropts &= (0xFFFF00FF) hc.cipheropts |= (HmacSHA256 << 8) case "H_SHA512": log.Println("[extension arg = H_SHA512]") hc.cipheropts &= (0xFFFF00FF) hc.cipheropts |= (HmacSHA512 << 8) case "H_WHIRLPOOL": log.Println("[extension arg = H_WHIRLPOOL]") hc.cipheropts &= (0xFFFF00FF) hc.cipheropts |= (HmacWHIRLPOOL << 8) case "OPT_REMOD": log.Println("[extension arg = OPT_REMOD]") hc.opts |= CORemodulateShields //default: // log.Printf("[Dial ext \"%s\" ignored]\n", s) } } } func getkexalgnum(extensions ...string) (k KEXAlg) { k = KEX_HERRADURA512 // default for _, s := range extensions { switch s { case "KEX_HERRADURA256": k = KEX_HERRADURA256 break //out of for case "KEX_HERRADURA512": k = KEX_HERRADURA512 break //out of for case "KEX_HERRADURA1024": k = KEX_HERRADURA1024 break //out of for case "KEX_HERRADURA2048": k = KEX_HERRADURA2048 break //out of for case "KEX_KYBER512": k = KEX_KYBER512 break //out of for case "KEX_KYBER768": k = KEX_KYBER768 break //out of for case "KEX_KYBER1024": k = KEX_KYBER1024 break //out of for case "KEX_NEWHOPE": k = KEX_NEWHOPE break //out of for case "KEX_NEWHOPE_SIMPLE": k = KEX_NEWHOPE_SIMPLE break //out of for case "KEX_FRODOKEM_1344AES": k = KEX_FRODOKEM_1344AES break //out of for case "KEX_FRODOKEM_1344SHAKE": k = KEX_FRODOKEM_1344SHAKE break //out of for case "KEX_FRODOKEM_976AES": k = KEX_FRODOKEM_976AES break //out of for case "KEX_FRODOKEM_976SHAKE": k = KEX_FRODOKEM_976SHAKE break //out of for } } return } func FrodoKEMDialSetup(c io.ReadWriter, hc *Conn) (err error) { // Send xsnet.Conn parameters to remote side // Alice, step 1: Generate a key pair. var kem frodo.FrodoKEM switch hc.kex { case KEX_FRODOKEM_1344AES: kem = frodo.Frodo1344AES() case KEX_FRODOKEM_1344SHAKE: kem = frodo.Frodo1344SHAKE() case KEX_FRODOKEM_976AES: kem = frodo.Frodo976AES() default: kem = frodo.Frodo976SHAKE() } pubA, secA := kem.Keygen() // pA // Alice, step 2: Send the public key (na,ea) to Bob n, err := fmt.Fprintf(c, "0x%x\n", pubA) if err != nil { panic(err) } if n < len(pubA) { panic(errors.New("incomplete Fprintf() of pubA")) } // (... and send cipher, connection opts) fmt.Fprintf(c, "0x%x:0x%x\n", hc.cipheropts, hc.opts) // [Bob does the same and sends use a public key (nb, eb) pubB_bigint := big.NewInt(0) _, err = fmt.Fscanf(c, "0x%x\n", pubB_bigint) pubB := pubB_bigint.Bytes() // (... and sends us cipher, connection opts) _, err = fmt.Fscanf(c, "0x%x:0x%x\n", &hc.cipheropts, &hc.opts) if err != nil { return err } // Alice, step 3: Create ctAtoB, shareA ctAtoB, shareA, err := kem.Encapsulate(pubB) if err != nil { return err } // Alice, step 4: Send ctAtoB to Bob fmt.Fprintf(c, "0x%x\n", ctAtoB) // Alice, step 5: Receive ctBtoA from Bob ctBtoA_bigint := big.NewInt(0) _, err = fmt.Fscanf(c, "0x%x\n", ctBtoA_bigint) ctBtoA := ctBtoA_bigint.Bytes() // Alice, step 6: compute Bob's share shareB, err := kem.Dencapsulate(secA, ctBtoA) sessionKey := append(shareA, shareB...) hc.r, hc.rm, err = hc.getStream(sessionKey) hc.w, hc.wm, err = hc.getStream(sessionKey) return } func NewHopeDialSetup(c io.ReadWriter, hc *Conn) (err error) { // Send xsnet.Conn parameters to remote side // Alice, step 1: Generate a key pair. privKeyAlice, pubKeyAlice, err := newhope.GenerateKeyPairAlice(crand.Reader) if err != nil { panic(err) } // Alice, step 2: Send the public key to Bob fmt.Fprintf(c, "0x%x\n0x%x:0x%x\n", pubKeyAlice.Send, hc.cipheropts, hc.opts) // [Bob does step 1-3], from which we read Bob's pubkey publicKeyBob := big.NewInt(0) fmt.Fscanf(c, "0x%x\n", publicKeyBob) var pubKeyBob newhope.PublicKeyBob for i := range pubKeyBob.Send { pubKeyBob.Send[i] = publicKeyBob.Bytes()[i] } //log.Printf("[Got server pubKey[]:%v]\n", pubKeyBob) // Read cipheropts, session opts _, err = fmt.Fscanf(c, "0x%x:0x%x\n", &hc.cipheropts, &hc.opts) if err != nil { return err } // Alice, step 3: Derive shared secret // (NOTE: actual over-wire exchange was already done above. This is // the math voodoo 'exchange' done after receiving data from Bob.) aliceSharedSecret, err := newhope.KeyExchangeAlice(&pubKeyBob, privKeyAlice) if err != nil { panic(err) } hc.r, hc.rm, err = hc.getStream(aliceSharedSecret) hc.w, hc.wm, err = hc.getStream(aliceSharedSecret) return } func NewHopeSimpleDialSetup(c io.ReadWriter, hc *Conn) (err error) { // Send xsnet.Conn parameters to remote side // Alice, step 1: Generate a key pair. privKeyAlice, pubKeyAlice, err := newhope.GenerateKeyPairSimpleAlice(crand.Reader) if err != nil { panic(err) } // Alice, step 2: Send the public key to Bob fmt.Fprintf(c, "0x%x\n0x%x:0x%x\n", pubKeyAlice.Send, hc.cipheropts, hc.opts) // [Bob does step 1-3], from which we read Bob's pubkey publicKeyBob := big.NewInt(0) fmt.Fscanf(c, "0x%x\n", publicKeyBob) var pubKeyBob newhope.PublicKeySimpleBob for i := range pubKeyBob.Send { pubKeyBob.Send[i] = publicKeyBob.Bytes()[i] } //log.Printf("[Got server pubKey[]:%v]\n", pubKeyBob) // Read cipheropts, session opts _, err = fmt.Fscanf(c, "0x%x:0x%x\n", &hc.cipheropts, &hc.opts) if err != nil { return err } // Alice, step 3: Derive shared secret // (NOTE: actual over-wire exchange was already done above. This is // the math voodoo 'exchange' done after receiving data from Bob.) aliceSharedSecret, err := newhope.KeyExchangeSimpleAlice(&pubKeyBob, privKeyAlice) if err != nil { panic(err) } hc.r, hc.rm, err = hc.getStream(aliceSharedSecret) hc.w, hc.wm, err = hc.getStream(aliceSharedSecret) return } func KyberDialSetup(c io.ReadWriter /*net.Conn*/, hc *Conn) (err error) { // Send xsnet.Conn parameters to remote side // Alice, step 1: Generate a key pair. var alicePublicKey *kyber.PublicKey var alicePrivateKey *kyber.PrivateKey switch hc.kex { case KEX_KYBER512: alicePublicKey, alicePrivateKey, err = kyber.Kyber512.GenerateKeyPair(crand.Reader) case KEX_KYBER768: alicePublicKey, alicePrivateKey, err = kyber.Kyber768.GenerateKeyPair(crand.Reader) case KEX_KYBER1024: alicePublicKey, alicePrivateKey, err = kyber.Kyber1024.GenerateKeyPair(crand.Reader) default: alicePublicKey, alicePrivateKey, err = kyber.Kyber768.GenerateKeyPair(crand.Reader) } if err != nil { panic(err) } // Alice, step 2: Send the public key to Bob fmt.Fprintf(c, "0x%x\n0x%x:0x%x\n", alicePublicKey.Bytes(), hc.cipheropts, hc.opts) // [Bob, step 1-3], from which we read cipher text pubKeyB := make([]byte, 4096) fmt.Fscanf(c, "0x%x\n", &pubKeyB) //if err != nil { // return err //} //log.Printf("[Got server pubKeyB[]:%v]\n", pubKeyB) // Read cipheropts, session opts _, err = fmt.Fscanf(c, "0x%x:0x%x\n", &hc.cipheropts, &hc.opts) if err != nil { return err } // Alice, step 3: Decrypt the KEM cipher text. aliceSharedSecret := alicePrivateKey.KEMDecrypt(pubKeyB) hc.r, hc.rm, err = hc.getStream(aliceSharedSecret) hc.w, hc.wm, err = hc.getStream(aliceSharedSecret) return } func HKExDialSetup(c io.ReadWriter /*net.Conn*/, hc *Conn) (err error) { var h *hkex.HerraduraKEx switch hc.kex { case KEX_HERRADURA256: h = hkex.New(256, 64) case KEX_HERRADURA512: h = hkex.New(512, 128) case KEX_HERRADURA1024: h = hkex.New(1024, 256) case KEX_HERRADURA2048: h = hkex.New(2048, 512) default: h = hkex.New(256, 64) } // Send xsnet.Conn parameters to remote side // d is value for Herradura key exchange fmt.Fprintf(c, "0x%s\n0x%x:0x%x\n", h.D().Text(16), hc.cipheropts, hc.opts) // Read peer D over net.Conn (c) d := big.NewInt(0) _, err = fmt.Fscanln(c, d) if err != nil { return err } _, err = fmt.Fscanf(c, "0x%x:0x%x\n", &hc.cipheropts, &hc.opts) if err != nil { return err } h.SetPeerD(d) log.Printf("** local D:%s\n", h.D().Text(16)) log.Printf("**(c)** peer D:%s\n", h.PeerD().Text(16)) h.ComputeFA() log.Printf("**(c)** FA:%s\n", h.FA()) hc.r, hc.rm, err = hc.getStream(h.FA().Bytes()) hc.w, hc.wm, err = hc.getStream(h.FA().Bytes()) return } func FrodoKEMAcceptSetup(c *net.Conn, hc *Conn) (err error) { // Bob, step 1: Generate a key pair. var kem frodo.FrodoKEM switch hc.kex { case KEX_FRODOKEM_1344AES: kem = frodo.Frodo1344AES() case KEX_FRODOKEM_1344SHAKE: kem = frodo.Frodo1344SHAKE() case KEX_FRODOKEM_976AES: kem = frodo.Frodo976AES() default: kem = frodo.Frodo976SHAKE() } pubB, secB := kem.Keygen() // [Alice sends use a public key (na, ea) pubA_bigint := big.NewInt(0) _, err = fmt.Fscanf(*c, "0x%x\n", pubA_bigint) pubA := pubA_bigint.Bytes() // (... and sends us cipher, connection opts) _, err = fmt.Fscanf(*c, "0x%x:0x%x\n", &hc.cipheropts, &hc.opts) if err != nil { return err } // Bob, step 2: Send the public key (nb,eb) to Alice n, err := fmt.Fprintf(*c, "0x%x\n", pubB) if err != nil { panic(err) } if n < len(pubB) { panic(errors.New("incomplete Fprintf() of pubB")) } // (... and send cipher, connection opts) fmt.Fprintf(*c, "0x%x:0x%x\n", hc.cipheropts, hc.opts) // Bob, step 3: Create ctBtoA, shareB ctBtoA, shareB, err := kem.Encapsulate(pubA) if err != nil { return err } // Bob, step 4: Send ctBtoA to Alice fmt.Fprintf(*c, "0x%x\n", ctBtoA) // Bob, step 5: Receive ctAtoB from Alice ctAtoB_bigint := big.NewInt(0) _, err = fmt.Fscanf(*c, "0x%x\n", ctAtoB_bigint) ctAtoB := ctAtoB_bigint.Bytes() // Alice, step 6: compute Bob's share shareA, err := kem.Dencapsulate(secB, ctAtoB) sessionKey := append(shareA, shareB...) hc.r, hc.rm, err = hc.getStream(sessionKey) hc.w, hc.wm, err = hc.getStream(sessionKey) return } func NewHopeAcceptSetup(c *net.Conn, hc *Conn) (err error) { // Bob, step 1: Deserialize Alice's public key from the binary encoding. alicePublicKey := big.NewInt(0) _, err = fmt.Fscanln(*c, alicePublicKey) //log.Printf("[Got client pubKey:0x%x\n]", alicePublicKey) if err != nil { return err } var pubKeyAlice newhope.PublicKeyAlice for i := range pubKeyAlice.Send { pubKeyAlice.Send[i] = alicePublicKey.Bytes()[i] } _, err = fmt.Fscanf(*c, "0x%x:0x%x\n", &hc.cipheropts, &hc.opts) log.Printf("[Got cipheropts, opts:%v, %v]", hc.cipheropts, hc.opts) if err != nil { return err } // Bob, step 2: Generate the KEM cipher text and shared secret. pubKeyBob, bobSharedSecret, err := newhope.KeyExchangeBob(crand.Reader, &pubKeyAlice) if err != nil { panic(err) } // Bob, step 3: Send the cipher text to Alice. fmt.Fprintf(*c, "0x%x\n0x%x:0x%x\n", pubKeyBob.Send, hc.cipheropts, hc.opts) hc.r, hc.rm, err = hc.getStream(bobSharedSecret) hc.w, hc.wm, err = hc.getStream(bobSharedSecret) return } func NewHopeSimpleAcceptSetup(c *net.Conn, hc *Conn) (err error) { // Bob, step 1: Deserialize Alice's public key from the binary encoding. alicePublicKey := big.NewInt(0) _, err = fmt.Fscanln(*c, alicePublicKey) //log.Printf("[Got client pubKey:0x%x\n]", alicePublicKey) if err != nil { return err } var pubKeyAlice newhope.PublicKeySimpleAlice for i := range pubKeyAlice.Send { pubKeyAlice.Send[i] = alicePublicKey.Bytes()[i] } _, err = fmt.Fscanf(*c, "0x%x:0x%x\n", &hc.cipheropts, &hc.opts) log.Printf("[Got cipheropts, opts:%v, %v]", hc.cipheropts, hc.opts) if err != nil { return err } // Bob, step 2: Generate the KEM cipher text and shared secret. pubKeyBob, bobSharedSecret, err := newhope.KeyExchangeSimpleBob(crand.Reader, &pubKeyAlice) if err != nil { panic(err) } // Bob, step 3: Send the cipher text to Alice. fmt.Fprintf(*c, "0x%x\n0x%x:0x%x\n", pubKeyBob.Send, hc.cipheropts, hc.opts) hc.r, hc.rm, err = hc.getStream(bobSharedSecret) hc.w, hc.wm, err = hc.getStream(bobSharedSecret) return } func KyberAcceptSetup(c *net.Conn, hc *Conn) (err error) { // Bob, step 1: Deserialize Alice's public key from the binary encoding. alicePublicKey := big.NewInt(0) _, err = fmt.Fscanln(*c, alicePublicKey) //log.Printf("[Got client pubKey:0x%x\n]", alicePublicKey) if err != nil { return err } _, err = fmt.Fscanf(*c, "0x%x:0x%x\n", &hc.cipheropts, &hc.opts) log.Printf("[Got cipheropts, opts:%v, %v]", hc.cipheropts, hc.opts) if err != nil { return err } var peerPublicKey *kyber.PublicKey switch hc.kex { case KEX_KYBER512: peerPublicKey, err = kyber.Kyber512.PublicKeyFromBytes(alicePublicKey.Bytes()) case KEX_KYBER768: peerPublicKey, err = kyber.Kyber768.PublicKeyFromBytes(alicePublicKey.Bytes()) case KEX_KYBER1024: peerPublicKey, err = kyber.Kyber1024.PublicKeyFromBytes(alicePublicKey.Bytes()) default: peerPublicKey, err = kyber.Kyber768.PublicKeyFromBytes(alicePublicKey.Bytes()) } if err != nil { panic(err) } // Bob, step 2: Generate the KEM cipher text and shared secret. cipherText, bobSharedSecret, err := peerPublicKey.KEMEncrypt(crand.Reader) if err != nil { panic(err) } // Bob, step 3: Send the cipher text to Alice. fmt.Fprintf(*c, "0x%x\n0x%x:0x%x\n", cipherText, hc.cipheropts, hc.opts) hc.r, hc.rm, err = hc.getStream(bobSharedSecret) hc.w, hc.wm, err = hc.getStream(bobSharedSecret) return } func HKExAcceptSetup(c *net.Conn, hc *Conn) (err error) { var h *hkex.HerraduraKEx switch hc.kex { case KEX_HERRADURA256: h = hkex.New(256, 64) case KEX_HERRADURA512: h = hkex.New(512, 128) case KEX_HERRADURA1024: h = hkex.New(1024, 256) case KEX_HERRADURA2048: h = hkex.New(2048, 512) default: h = hkex.New(256, 64) } // Read in xsnet.Conn parameters over raw Conn c // d is value for Herradura key exchange d := big.NewInt(0) _, err = fmt.Fscanln(*c, d) log.Printf("[Got d:%v]", d) if err != nil { return err } _, err = fmt.Fscanf(*c, "0x%x:0x%x\n", &hc.cipheropts, &hc.opts) log.Printf("[Got cipheropts, opts:%v, %v]", hc.cipheropts, hc.opts) if err != nil { return err } h.SetPeerD(d) log.Printf("** D:%s\n", h.D().Text(16)) log.Printf("**(s)** peerD:%s\n", h.PeerD().Text(16)) h.ComputeFA() log.Printf("**(s)** FA:%s\n", h.FA()) // Send D and cipheropts/conn_opts to peer fmt.Fprintf(*c, "0x%s\n0x%x:0x%x\n", h.D().Text(16), hc.cipheropts, hc.opts) hc.r, hc.rm, err = hc.getStream(h.FA().Bytes()) hc.w, hc.wm, err = hc.getStream(h.FA().Bytes()) return } // Dial as net.Dial(), but with implicit key exchange to set up secure // channel on connect // // Can be called like net.Dial(), defaulting to C_AES_256/H_SHA256, // or additional extensions can be passed amongst the following: // // "C_AES_256" | "C_TWOFISH_128" | ... // // "H_SHA256" | "H_SHA512" | ... // // See go doc -u xsnet.applyConnExtensions func Dial(protocol string, ipport string, extensions ...string) (hc Conn, err error) { if Log == nil { Init(false, "client", logger.LOG_DAEMON|logger.LOG_DEBUG) } var c net.Conn if protocol == "kcp" { c, err = kcpDial(ipport, extensions) if err != nil { return Conn{}, err } } else { // Open raw Conn c c, err = net.Dial(protocol, ipport) if err != nil { return Conn{}, err } } // Init xsnet.Conn hc over net.Conn c ret, err := _new(getkexalgnum(extensions...), &c) if err != nil { return Conn{}, err } hc = *ret // Client has full control over Conn extensions. It's the server's // responsibility to accept or reject the proposed parameters. hc.applyConnExtensions(extensions...) // Perform Key Exchange according to client-request algorithm fmt.Fprintf(c, "%02x\n", hc.kex) switch hc.kex { case KEX_HERRADURA256: fallthrough case KEX_HERRADURA512: fallthrough case KEX_HERRADURA1024: fallthrough case KEX_HERRADURA2048: log.Printf("[Setting up for KEX_HERRADURA %d]\n", hc.kex) if HKExDialSetup(c, &hc) != nil { return Conn{}, nil } case KEX_KYBER512: fallthrough case KEX_KYBER768: fallthrough case KEX_KYBER1024: log.Printf("[Setting up for KEX_KYBER %d]\n", hc.kex) if KyberDialSetup(c, &hc) != nil { return Conn{}, nil } case KEX_NEWHOPE: log.Printf("[Setting up for KEX_NEWHOPE %d]\n", hc.kex) if NewHopeDialSetup(c, &hc) != nil { return Conn{}, nil } case KEX_NEWHOPE_SIMPLE: log.Printf("[Setting up for KEX_NEWHOPE_SIMPLE %d]\n", hc.kex) if NewHopeSimpleDialSetup(c, &hc) != nil { return Conn{}, nil } case KEX_FRODOKEM_1344AES: fallthrough case KEX_FRODOKEM_1344SHAKE: fallthrough case KEX_FRODOKEM_976AES: fallthrough case KEX_FRODOKEM_976SHAKE: log.Printf("[Setting up for KEX_FRODOKEM %d]\n", hc.kex) if FrodoKEMDialSetup(c, &hc) != nil { return Conn{}, nil } default: return Conn{}, err } return } // Close a hkex.Conn func (hc *Conn) Close() (err error) { hc.ShutdownChaff() s := make([]byte, 4) binary.BigEndian.PutUint32(s, uint32(*hc.closeStat)) log.Printf("** Writing closeStat %d at Close()\n", *hc.closeStat) //(*hc.c).SetWriteDeadline(time.Now().Add(500 * time.Millisecond)) hc.WritePacket(s, CSOExitStatus) // HACK: Bug #22,#33: Need to wait for rcvr to get final data // TODO: Find a way to explicitly check if any outgoing data is pending //Ensure socket has sent all data to client prior to closing //NOTE: This is not ideal, as it would be better to somehow //determine if there is any pending outgoing (write) data to the //underlying socket (TCP/KCP) prior to closing; however Go's net pkg //completely hides lower-level stuff. net.Conn.Close() according to //docs sends written data in the background, so how best to determine //all data has been sent? -rlm 2022-10-04 time.Sleep(10 * time.Millisecond) //nolint:gomnd err = (*hc.c).Close() logger.LogDebug(fmt.Sprintln("[Conn Closing]")) return } // LocalAddr returns the local network address. func (hc *Conn) LocalAddr() net.Addr { return (*hc.c).LocalAddr() } // RemoteAddr returns the remote network address. func (hc *Conn) RemoteAddr() net.Addr { return (*hc.c).RemoteAddr() } // SetDeadline sets the read and write deadlines associated // with the connection. It is equivalent to calling both // SetReadDeadline and SetWriteDeadline. // // A deadline is an absolute time after which I/O operations // fail with a timeout (see type Error) instead of // blocking. The deadline applies to all future and pending // I/O, not just the immediately following call to Read or // Write. After a deadline has been exceeded, the connection // can be refreshed by setting a deadline in the future. // // An idle timeout can be implemented by repeatedly extending // the deadline after successful Read or Write calls. // // A zero value for t means I/O operations will not time out. func (hc *Conn) SetDeadline(t time.Time) error { return (*hc.c).SetDeadline(t) } // SetWriteDeadline sets the deadline for future Write calls // and any currently-blocked Write call. // Even if write times out, it may return n > 0, indicating that // some of the data was successfully written. // A zero value for t means Write will not time out. func (hc *Conn) SetWriteDeadline(t time.Time) error { return (*hc.c).SetWriteDeadline(t) } // SetReadDeadline sets the deadline for future Read calls // and any currently-blocked Read call. // A zero value for t means Read will not time out. func (hc *Conn) SetReadDeadline(t time.Time) error { return (*hc.c).SetReadDeadline(t) } /*---------------------------------------------------------------------*/ // HKExListener is a Listener conforming to net.Listener // // See go doc net.Listener type HKExListener struct { l net.Listener proto string } // Listen for a connection // // See go doc net.Listen func Listen(proto string, ipport string, extensions ...string) (hl HKExListener, e error) { if Log == nil { Init(false, "server", logger.LOG_DAEMON|logger.LOG_DEBUG) } var lErr error var l net.Listener if proto == "kcp" { l, lErr = kcpListen(ipport, extensions) } else { l, lErr = net.Listen(proto, ipport) } if lErr != nil { return HKExListener{nil, proto}, lErr } logger.LogDebug(fmt.Sprintf("[Listening (proto '%s') on %s]\n", proto, ipport)) hl.l = l hl.proto = proto return } // Close a hkex Listener - closes the Listener. // Any blocked Accept operations will be unblocked and return errors. // // See go doc net.Listener.Close func (hl HKExListener) Close() error { logger.LogDebug(fmt.Sprintln("[Listener Closed]")) return hl.l.Close() } // Addr returns the listener's network address. // // See go doc net.Listener.Addr func (hl HKExListener) Addr() net.Addr { return hl.l.Addr() } // Accept a client connection, conforming to net.Listener.Accept() // // See go doc net.Listener.Accept func (hl *HKExListener) Accept() (hc Conn, err error) { var c net.Conn if hl.proto == "kcp" { c, err = hl.AcceptKCP() if err != nil { return Conn{}, err } logger.LogDebug(fmt.Sprintln("[kcp.Listener Accepted]")) } else { // Open raw Conn c c, err = hl.l.Accept() if err != nil { return Conn{}, err } logger.LogDebug(fmt.Sprintf("[net.Listener Accepted %v]\n", c.RemoteAddr())) } // Read KEx alg proposed by client var kexAlg KEXAlg //! NB. Was using fmt.FScanln() here, but integers with a leading zero // were being mis-scanned? (is it an octal thing? Investigate.) _, err = fmt.Fscanf(c, "%02x\n", &kexAlg) if err != nil { return Conn{}, err } log.Printf("[Client proposed KEx alg: %v]\n", kexAlg) // -- ret, err := _new(kexAlg, &c) if err != nil { return Conn{}, err } hc = *ret switch hc.kex { case KEX_HERRADURA256: fallthrough case KEX_HERRADURA512: fallthrough case KEX_HERRADURA1024: fallthrough case KEX_HERRADURA2048: log.Printf("[Setting up for KEX_HERRADURA %d]\n", hc.kex) if HKExAcceptSetup(&c, &hc) != nil { return Conn{}, err } case KEX_KYBER512: fallthrough case KEX_KYBER768: fallthrough case KEX_KYBER1024: log.Printf("[Setting up for KEX_KYBER %d]\n", hc.kex) if KyberAcceptSetup(&c, &hc) != nil { return Conn{}, err } case KEX_NEWHOPE: log.Printf("[Setting up for KEX_NEWHOPE %d]\n", hc.kex) if NewHopeAcceptSetup(&c, &hc) != nil { return Conn{}, err } case KEX_NEWHOPE_SIMPLE: log.Printf("[Setting up for KEX_NEWHOPE_SIMPLE %d]\n", hc.kex) if NewHopeSimpleAcceptSetup(&c, &hc) != nil { return Conn{}, err } case KEX_FRODOKEM_1344AES: log.Printf("[Setting up for KEX_FRODOKEM_1344AES %d]\n", hc.kex) if FrodoKEMAcceptSetup(&c, &hc) != nil { return Conn{}, err } case KEX_FRODOKEM_1344SHAKE: log.Printf("[Setting up for KEX_FRODOKEM_1344SHAKE %d]\n", hc.kex) if FrodoKEMAcceptSetup(&c, &hc) != nil { return Conn{}, err } case KEX_FRODOKEM_976AES: log.Printf("[Setting up for KEX_FRODOKEM_976AES %d]\n", hc.kex) if FrodoKEMAcceptSetup(&c, &hc) != nil { return Conn{}, err } case KEX_FRODOKEM_976SHAKE: log.Printf("[Setting up for KEX_FRODOKEM_976SHAKE %d]\n", hc.kex) if FrodoKEMAcceptSetup(&c, &hc) != nil { return Conn{}, err } default: return Conn{}, err } log.Println("[hc.Accept successful]") return hc, err } /*---------------------------------------------------------------------*/ // Read into a byte slice // // In addition to regular io.Reader behaviour this does demultiplexing of // secured terminal comms and (if defined) tunnel traffic and session control // packet processing. // // See go doc io.Reader func (hc *Conn) Read(b []byte) (n int, err error) { for { if hc.dBuf.Len() > 0 { break } var ctrlStatOp uint8 var hmacIn [HMAC_CHK_SZ]uint8 var payloadLen uint32 //------------- Read ctrl/status opcode -------------------- // Read ctrl/status opcode (CSOHmacInvalid on hmac mismatch) err = binary.Read(*hc.c, binary.BigEndian, &ctrlStatOp) if err != nil { if err.Error() == "EOF" { return 0, io.EOF } if strings.HasSuffix(err.Error(), "use of closed network connection") { logger.LogDebug(fmt.Sprintln("[Client hung up(1)]")) //!rlm hc.SetStatus(CSENone) //FIXME: re-examine this (exit 9 w/o it - 2023-11-05) return 0, io.EOF } etxt := fmt.Sprintf("** Failed read:%s (%s) **", "ctrlStatOp", err) logger.LogDebug(etxt) return 0, errors.New(etxt) } log.Printf("[ctrlStatOp: %v]\n", ctrlStatOp) if ctrlStatOp == CSOHmacInvalid { // Other side indicated channel tampering, close channel hc.Close() return 0, errors.New("** ALERT - remote end detected HMAC mismatch - possible channel tampering **") } //---------------------------------------------------------- //------------------ Read HMAC len ------------------------ // Read the hmac and payload len first err = binary.Read(*hc.c, binary.BigEndian, &hmacIn) if err != nil { if err.Error() == "EOF" { return 0, io.EOF } if strings.HasSuffix(err.Error(), "use of closed network connection") { logger.LogDebug(fmt.Sprintln("[Client hung up(2)]")) return 0, io.EOF } etxt := fmt.Sprintf("** Failed read:%s (%s) **", "HMAC", err) logger.LogDebug(etxt) return 0, errors.New(etxt) } //---------------------------------------------------------- //------------------ Read Payload len --------------------- err = binary.Read(*hc.c, binary.BigEndian, &payloadLen) if err != nil { if err.Error() == "EOF" { return 0, io.EOF } if strings.HasSuffix(err.Error(), "use of closed network connection") { logger.LogDebug(fmt.Sprintln("[Client hung up(3)]")) return 0, io.EOF } etxt := fmt.Sprintf("** Failed read:%s (%s) **", "payloadLen", err) logger.LogDebug(etxt) return 0, errors.New(etxt) } //---------------------------------------------------------- if payloadLen > MAX_PAYLOAD_LEN { logger.LogDebug(fmt.Sprintf("[Insane payloadLen:%v]\n", payloadLen)) hc.Close() return 1, errors.New("Insane payloadLen") } //-------------------- Read Payload ------------------------ var payloadBytes = make([]byte, payloadLen) n, err = io.ReadFull(*hc.c, payloadBytes) if err != nil { if err.Error() == "EOF" { return 0, io.EOF } if strings.HasSuffix(err.Error(), "use of closed network connection") { logger.LogDebug(fmt.Sprintln("[Client hung up(4)]")) return 0, io.EOF } etxt := fmt.Sprintf("** Failed read:%s (%s) **", "payloadBytes", err) logger.LogDebug(etxt) return 0, errors.New(etxt) } //---------------------------------------------------------- if hc.logCipherText { log.Printf(" <:ctext:\r\n%s\r\n", hex.Dump(payloadBytes[:n])) } //fmt.Printf(" <:ctext:\r\n%s\r\n", hex.Dump(payloadBytes[:n])) //---------------- Verify Payload via HMAC ----------------- hc.rm.Write(payloadBytes) // Calc hmac on received data hTmp := hc.rm.Sum(nil)[0:HMAC_CHK_SZ] //log.Printf("<%04x) HMAC:(i)%s (c)%02x\r\n", decryptN, hex.EncodeToString([]byte(hmacIn[0:])), hTmp) // Log alert if hmac didn't match, corrupted channel if !bytes.Equal(hTmp, []byte(hmacIn[0:])) /*|| hmacIn[0] > 0xf8*/ { logger.LogDebug(fmt.Sprintln("** ALERT - detected HMAC mismatch, possible channel tampering **")) _, _ = (*hc.c).Write([]byte{CSOHmacInvalid}) } //---------------------------------------------------------- //------------------- Decrypt Payload ---------------------- db := bytes.NewBuffer(payloadBytes[:n]) //copying payloadBytes to db // The StreamReader acts like a pipe, decrypting // whatever is available and forwarding the result // to the parameter of Read() as a normal io.Reader rs := &cipher.StreamReader{S: hc.r, R: db} // The caller isn't necessarily reading the full payload so we need // to decrypt to an intermediate buffer, draining it on demand of caller decryptN, err := rs.Read(payloadBytes) //---------------------------------------------------------- if hc.logPlainText { log.Printf(" <:ptext:\r\n%s\r\n", hex.Dump(payloadBytes[:n])) } if err != nil { log.Println("xsnet.Read():", err) //panic(err) } else { //------------ Discard Padding --------------------- // Padding: Read padSide, padLen, (padding | d) or (d | padding) padSide := payloadBytes[0] padLen := payloadBytes[1] payloadBytes = payloadBytes[2:] if padSide == 0 { payloadBytes = payloadBytes[padLen:] } else { payloadBytes = payloadBytes[0 : len(payloadBytes)-int(padLen)] } //-------------------------------------------------- switch ctrlStatOp { case CSOChaff: // Throw away pkt if it's chaff (ie., caller to Read() won't see this data) log.Printf("[Chaff pkt, discarded (len %d)]\n", decryptN) case CSOKeepAlive: //logger.LogDebug(fmt.Sprintf("[got keepAlive pkt, discarded (len %d)]\n", decryptN)) // payload of keepalive (2 bytes) is not currently used (0x55aa fixed) _ = binary.BigEndian.Uint16(payloadBytes[0:2]) hc.ResetKeepAlive() case CSORekey: // rekey //logger.LogDebug(fmt.Sprintf("[Got rekey [%02x %02x %02x ...]\n", // payloadBytes[0], payloadBytes[1], payloadBytes[2])) rekeyData := payloadBytes if (hc.opts & CORemodulateShields) != 0 { hc.Lock() hc.cipheropts = getNewStreamAlgs(rekeyData[0], rekeyData[1]) hc.Unlock() } hc.r, hc.rm, err = hc.getStream(rekeyData) case CSOTermSize: fmt.Sscanf(string(payloadBytes), "%d %d", &hc.Rows, &hc.Cols) log.Printf("[TermSize pkt: rows %v cols %v]\n", hc.Rows, hc.Cols) hc.WinCh <- WinSize{hc.Rows, hc.Cols} case CSOExitStatus: if len(payloadBytes) > 0 { hc.SetStatus(CSOType(binary.BigEndian.Uint32(payloadBytes))) } else { logger.LogDebug(fmt.Sprintln("[truncated payload, cannot determine CSOExitStatus]")) hc.SetStatus(CSETruncCSO) } hc.Close() case CSOTunSetup: // server side tunnel setup in response to client lport := binary.BigEndian.Uint16(payloadBytes[0:2]) rport := binary.BigEndian.Uint16(payloadBytes[2:4]) if _, ok := (*hc.tuns)[rport]; !ok { // tunnel first-time open logger.LogDebug(fmt.Sprintf("[Server] Got Initial CSOTunSetup [%d:%d]", lport, rport)) hc.StartServerTunnel(lport, rport) } else { logger.LogDebug(fmt.Sprintf("[Server] Got CSOTunSetup [%d:%d]", lport, rport)) } (*hc.tuns)[rport].Ctl <- 'd' // Dial() rport case CSOTunSetupAck: lport := binary.BigEndian.Uint16(payloadBytes[0:2]) rport := binary.BigEndian.Uint16(payloadBytes[2:4]) if _, ok := (*hc.tuns)[rport]; !ok { // tunnel first-time open logger.LogDebug(fmt.Sprintf("[Client] Got Initial CSOTunSetupAck [%d:%d]", lport, rport)) hc.StartClientTunnel(lport, rport) } else { logger.LogDebug(fmt.Sprintf("[Client] Got CSOTunSetupAck [%d:%d]", lport, rport)) } (*hc.tuns)[rport].Ctl <- 'a' // Listen() for lport connection case CSOTunRefused: // client side receiving CSOTunRefused means the remote side // could not dial() rport. So we cannot yet listen() // for client-side on lport. lport := binary.BigEndian.Uint16(payloadBytes[0:2]) rport := binary.BigEndian.Uint16(payloadBytes[2:4]) logger.LogDebug(fmt.Sprintf("[Client] Got CSOTunRefused [%d:%d]", lport, rport)) if _, ok := (*hc.tuns)[rport]; ok { hc.MarkTunDead(rport) } else { logger.LogDebug(fmt.Sprintf("[Client] CSOTunRefused on already-closed tun [%d:%d]", lport, rport)) } case CSOTunDisconn: // server side's rport has disconnected (server lost) lport := binary.BigEndian.Uint16(payloadBytes[0:2]) rport := binary.BigEndian.Uint16(payloadBytes[2:4]) logger.LogDebug(fmt.Sprintf("[Client] Got CSOTunDisconn [%d:%d]", lport, rport)) if _, ok := (*hc.tuns)[rport]; ok { hc.MarkTunDead(rport) } else { logger.LogDebug(fmt.Sprintf("[Client] CSOTunDisconn on already-closed tun [%d:%d]", lport, rport)) } case CSOTunHangup: // client side's lport has hung up lport := binary.BigEndian.Uint16(payloadBytes[0:2]) rport := binary.BigEndian.Uint16(payloadBytes[2:4]) logger.LogDebug(fmt.Sprintf("[Server] Got CSOTunHangup [%d:%d]", lport, rport)) if _, ok := (*hc.tuns)[rport]; ok { hc.MarkTunDead(rport) } else { logger.LogDebug(fmt.Sprintf("[Server] CSOTunHangup to already-closed tun [%d:%d]", lport, rport)) } case CSOTunData: lport := binary.BigEndian.Uint16(payloadBytes[0:2]) rport := binary.BigEndian.Uint16(payloadBytes[2:4]) //fmt.Printf("[Got CSOTunData: [lport %d:rport %d] data:%v\n", lport, rport, payloadBytes[4:]) if _, ok := (*hc.tuns)[rport]; ok { if hc.logTunActivity { logger.LogDebug(fmt.Sprintf("[Writing data to rport [%d:%d]", lport, rport)) } (*hc.tuns)[rport].Data <- payloadBytes[4:] hc.ResetTunnelAge(rport) } else { logger.LogDebug(fmt.Sprintf("[Attempt to write data to closed tun [%d:%d]", lport, rport)) } case CSOTunKeepAlive: // client side has sent keepalive for tunnels -- if client // dies or exits unexpectedly the absence of this will // let the server know to hang up on Dial()ed server rports. _ = binary.BigEndian.Uint16(payloadBytes[0:2]) //logger.LogDebug(fmt.Sprintf("[Server] Got CSOTunKeepAlive")) // though CSOTunKeepAlive sends an endp (uint16), we don't use it, // preferring to refresh *all* tunnels on the message. // (?rlm 2023-11-04 -- TODO: verify this, it's been a while.) for _, t := range *hc.tuns { hc.Lock() t.KeepAlive = 0 hc.Unlock() } case CSONone: hc.dBuf.Write(payloadBytes) default: logger.LogDebug(fmt.Sprintf("[Unknown CSOType:%d]", ctrlStatOp)) } } } retN := hc.dBuf.Len() if retN > len(b) { retN = len(b) } log.Printf("Read() got %d bytes\n", retN) copy(b, hc.dBuf.Next(retN)) return retN, nil } // Write a byte slice // // See go doc io.Writer func (hc *Conn) Write(b []byte) (n int, err error) { //logger.LogDebug("[+Write]") n, err = hc.WritePacket(b, CSONone) //logger.LogDebug("[-Write]") return n, err } // Write a byte slice with specified ctrlStatOp byte func (hc *Conn) WritePacket(b []byte, ctrlStatOp byte) (n int, err error) { hc.Lock() defer hc.Unlock() //log.Printf("[Encrypting...]\r\n") var hmacOut []uint8 var payloadLen uint32 if hc.m == nil || hc.wm == nil { return 0, errors.New("Secure chan not ready for writing") } //Padding prior to encryption padSz := rand.Intn(PAD_SZ-1) + 1 /*(rand.Intn(PAD_SZ) / 2) + (PAD_SZ / 2)*/ padLen := padSz - ((len(b) + padSz) % padSz) if padLen == padSz { // No padding required padLen = 0 } padBytes := make([]byte, padLen) rand.Read(padBytes) // For a little more confusion let's support padding either before // or after the payload. padSide := rand.Intn(2) if padSide == 0 { b = append([]byte{byte(padSide)}, append([]byte{byte(padLen)}, append(padBytes, b...)...)...) } else { b = append([]byte{byte(padSide)}, append([]byte{byte(padLen)}, append(b, padBytes...)...)...) } payloadLen = uint32(len(b)) if hc.logPlainText { log.Printf(" >:ptext:\r\n%s\r\n", hex.Dump(b[0:payloadLen])) } // NOTE releases prior to v0.9 used Authenticate-then-Encrypt, // which in block modes is insecure; however // 1) we use exclusively XOR-stream modes with random padding, // 2) are padding randomly either before or after the real payload, and // 3) the padding side indicator value itself is part of the ciphertext // ... thus are not subject to oracle attacks of the type used on SSL // (described in (Krawczyk 2001/2014, // https://link.springer.com/content/pdf/10.1007%2F3-540-44647-8_19.pdf) // // Nevertheless, to address any future concerns v0.9 onwards switches to // Encrypt-then-Auth and breaks interop with earlier versions. // -rlm 2020-12-15 var wb bytes.Buffer // The StreamWriter acts like a pipe, forwarding whatever is // written to it through the cipher, encrypting as it goes ws := &cipher.StreamWriter{S: hc.w, W: &wb} wN, err := ws.Write(b[0:payloadLen]) if err != nil { panic(err) } if wN < int(payloadLen) { panic("truncated Write to cipher *****") } if hc.logCipherText { log.Printf(" >:ctext:\r\n%s\r\n", hex.Dump(wb.Bytes())) } //fmt.Printf(" >:ctext:\r\n%s\r\n", hex.Dump(wb.Bytes())) // Calculate hmac on cipher payload hc.wm.Write(wb.Bytes()) hmacOut = hc.wm.Sum(nil)[0:HMAC_CHK_SZ] //finalize //log.Printf(" (%08x> HMAC(o):%s\r\n", payloadLen, hex.EncodeToString(hmacOut)) err = binary.Write(*hc.c, binary.BigEndian, &ctrlStatOp) if err == nil { // Write hmac LSB, payloadLen followed by payload err = binary.Write(*hc.c, binary.BigEndian, hmacOut) if err == nil { err = binary.Write(*hc.c, binary.BigEndian, payloadLen) if err == nil { n, err = (*hc.c).Write(wb.Bytes()) } else { //fmt.Println("[c]WriteError!") } } else { //fmt.Println("[b]WriteError!") } } else { //fmt.Println("[a]WriteError!") } if err != nil { log.Println(err) } // We must 'lie' to caller indicating the length of THEIR // data written (ie., not including the padding and padding headers) retN := n - 2 - int(padLen) if retN <= 0 { retN = 0 } return retN, err } func (hc *Conn) StartupChaff() { hc.chaff.shutdown = false log.Println("Chaffing ENABLED") hc.chaffHelper() } func (hc *Conn) ShutdownChaff() { hc.Lock() hc.chaff.shutdown = true hc.Unlock() log.Println("Chaffing SHUTDOWN") } func (hc *Conn) SetupChaff(msecsMin uint, msecsMax uint, szMax uint) { // Enforce bounds on chaff frequency and pkt size hc.Lock() if hc.chaff.msecsMin < CHAFF_FREQ_MSECS_MIN { hc.chaff.msecsMin = CHAFF_FREQ_MSECS_MIN } if hc.chaff.msecsMax > CHAFF_FREQ_MSECS_MAX { hc.chaff.msecsMax = CHAFF_FREQ_MSECS_MAX } hc.Unlock() hc.chaff.msecsMin = msecsMin //move these to params of chaffHelper() ? hc.chaff.msecsMax = msecsMax hc.chaff.szMax = szMax } func (hc *Conn) ShutdownRekey() { hc.Lock() hc.rekey = 0 hc.Unlock() } func (hc *Conn) RekeyHelper(intervalSecs uint) { if intervalSecs < REKEY_SECS_MIN { intervalSecs = REKEY_SECS_MIN } if intervalSecs > REKEY_SECS_MAX { intervalSecs = REKEY_SECS_MAX } go func() { hc.Lock() hc.rekey = intervalSecs hc.Unlock() for { hc.Lock() rekey := hc.rekey hc.Unlock() if rekey != 0 { jitter := rand.Intn(int(rekey)) / 4 rekey = rekey - uint(jitter) if rekey < 1 { rekey = 1 } //logger.LogDebug(fmt.Sprintf("[rekeyHelper Loop]\n")) time.Sleep(time.Duration(rekey) * time.Second) // Send rekey to other end rekeyData := make([]byte, 64) _, err := crand.Read(rekeyData) //logger.LogDebug(fmt.Sprintf("[rekey [%02x %02x %02x ...]\n", // rekeyData[0], rekeyData[1], rekeyData[2])) //logger.LogDebug("[+rekeyHelper]") _, err = hc.WritePacket(rekeyData, CSORekey) hc.Lock() if (hc.opts & CORemodulateShields) != 0 { hc.cipheropts = getNewStreamAlgs(rekeyData[0], rekeyData[1]) } hc.w, hc.wm, err = hc.getStream(rekeyData) //logger.LogDebug("[-rekeyHelper]") hc.Unlock() if err != nil { log.Printf("[rekey WritePacket err! (%v) rekey dying ...]\n", err) return } } else { return } } }() } // Helper routine to spawn a chaffing goroutine for each Conn func (hc *Conn) chaffHelper() { go func() { var nextDuration int for { //logger.LogDebug(fmt.Sprintf("[chaffHelper Loop]\n")) hc.Lock() shutdown := hc.chaff.shutdown hc.Unlock() if !shutdown { var bufTmp []byte bufTmp = make([]byte, rand.Intn(int(hc.chaff.szMax))) min := int(hc.chaff.msecsMin) nextDuration = rand.Intn(int(hc.chaff.msecsMax)-min) + min _, _ = rand.Read(bufTmp) //logger.LogDebug("[+chaffHelper]") _, err := hc.WritePacket(bufTmp, CSOChaff) //logger.LogDebug("[-chaffHelper]") if err != nil { log.Println("[ *** error - chaffHelper shutting down *** ]") hc.Lock() hc.chaff.shutdown = true hc.Unlock() break } } else { log.Println("[ *** chaffHelper shutting down *** ]") break } time.Sleep(time.Duration(nextDuration) * time.Millisecond) } }() } func (hc *Conn) StartupKeepAlive() { hc.ResetKeepAlive() log.Println("KeepAlive ENABLED") hc.keepaliveHelper() } func (hc *Conn) ShutdownKeepAlive() { log.Println("Conn SHUTDOWN") hc.Close() } func (hc *Conn) ResetKeepAlive() { hc.Lock() hc.keepalive = 3 hc.Unlock() log.Println("KeepAlive RESET") } // Helper routine to spawn a keepalive goroutine for each Conn func (hc *Conn) keepaliveHelper() { go func() { for { nextDuration := 10000 bufTmp := []byte{0x55, 0xaa} //logger.LogDebug("[+keepaliveHelper]") _, err := hc.WritePacket(bufTmp, CSOKeepAlive) //logger.LogDebug("[-keepaliveHelper]") //logger.LogDebug(fmt.Sprintf("[keepalive]\n")) if err != nil { logger.LogDebug(fmt.Sprintf("[ *** error - keepaliveHelper quitting *** ]\n")) break } time.Sleep(time.Duration(nextDuration) * time.Millisecond) hc.Lock() hc.keepalive -= 1 hc.Unlock() //logger.LogDebug(fmt.Sprintf("[keepAlive is now %d]\n", hc.keepalive)) //if rand.Intn(8) == 0 { // hc.keepalive = 0 //} if hc.keepalive == 0 { logger.LogDebug(fmt.Sprintf("*** keepaliveHelper shutting down\n")) hc.SetStatus(CSEConnDead) hc.ShutdownKeepAlive() if hc.Pproc != 0 { //fmt.Printf("[pid %d needs to be killed]\n", hc.Pproc) //syscall.Kill(hc.Pproc, syscall.SIGABRT) //nolint:errcheck //exec.Command("taskkill", "/f", "/pid", strconv.Itoa(hc.Pproc)).Run() hc.kill() } break } } }() }