mirror of https://gogs.blitter.com/RLabs/xs
572 lines
16 KiB
Go
572 lines
16 KiB
Go
// hkexnet.go - net.Conn compatible channel setup with encrypted/HMAC
|
|
// negotiation
|
|
|
|
// Copyright (c) 2017-2018 Russell Magee
|
|
// Licensed under the terms of the MIT license (see LICENSE.mit in this
|
|
// distribution)
|
|
//
|
|
// golang implementation by Russ Magee (rmagee_at_gmail.com)
|
|
|
|
package hkexsh
|
|
|
|
// Implementation of HKEx-wrapped versions of the golang standard
|
|
// net package interfaces, allowing clients and servers to simply replace
|
|
// 'net.Dial' and 'net.Listen' with 'hkex.Dial' and 'hkex.Listen'.
|
|
import (
|
|
"bytes"
|
|
"crypto/cipher"
|
|
"encoding/binary"
|
|
"encoding/hex"
|
|
"errors"
|
|
"fmt"
|
|
"hash"
|
|
"io"
|
|
"log"
|
|
"math/big"
|
|
"math/rand"
|
|
"net"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
)
|
|
|
|
const (
|
|
CSONone = iota // No error, normal packet
|
|
CSOHmacInvalid // HMAC mismatch detected on remote end
|
|
CSOTermSize // set term size (rows:cols)
|
|
CSOChaff // Dummy packet, do not pass beyond decryption
|
|
)
|
|
|
|
/*---------------------------------------------------------------------*/
|
|
|
|
type WinSize struct {
|
|
Rows uint16
|
|
Cols uint16
|
|
}
|
|
|
|
// Conn is a HKex connection - a drop-in replacement for net.Conn
|
|
type Conn struct {
|
|
c net.Conn // which also implements io.Reader, io.Writer, ...
|
|
h *HerraduraKEx
|
|
cipheropts uint32 // post-KEx cipher/hmac options
|
|
opts uint32 // post-KEx protocol options (caller-defined)
|
|
WinCh chan WinSize
|
|
Rows uint16
|
|
Cols uint16
|
|
|
|
Rwmut *sync.Mutex
|
|
chaff bool
|
|
chaffMsecsMin int //msecs min interval
|
|
chaffMsecsMax int //msecs max interval
|
|
|
|
r cipher.Stream //read cipherStream
|
|
rm hash.Hash
|
|
w cipher.Stream //write cipherStream
|
|
wm hash.Hash
|
|
dBuf *bytes.Buffer //decrypt buffer for Read()
|
|
}
|
|
|
|
// ConnOpts returns the cipher/hmac options value, which is sent to the
|
|
// peer but is not itself part of the KEx.
|
|
//
|
|
// (Used for protocol-level negotiations after KEx such as
|
|
// cipher/HMAC algorithm options etc.)
|
|
func (c Conn) ConnOpts() uint32 {
|
|
return c.cipheropts
|
|
}
|
|
|
|
// SetConnOpts sets the cipher/hmac options value, which is sent to the
|
|
// peer as part of KEx but not part of the KEx itself.
|
|
//
|
|
// opts - bitfields for cipher and hmac alg. to use after KEx
|
|
func (c *Conn) SetConnOpts(copts uint32) {
|
|
c.cipheropts = copts
|
|
}
|
|
|
|
// Opts returns the protocol options value, which is sent to the peer
|
|
// but is not itself part of the KEx or connection (cipher/hmac) setup.
|
|
//
|
|
// Consumers of this lib may use this for protocol-level options not part
|
|
// of the KEx or encryption info used by the connection.
|
|
func (c Conn) Opts() uint32 {
|
|
return c.opts
|
|
}
|
|
|
|
// SetOpts sets the protocol options value, which is sent to the peer
|
|
// but is not itself part of the KEx or connection (cipher/hmac) setup.
|
|
//
|
|
// Consumers of this lib may use this for protocol-level options not part
|
|
// of the KEx of encryption info used by the connection.
|
|
//
|
|
// opts - a uint32, caller-defined
|
|
func (c *Conn) SetOpts(opts uint32) {
|
|
c.opts = opts
|
|
}
|
|
|
|
func (c *Conn) applyConnExtensions(extensions ...string) {
|
|
for _, s := range extensions {
|
|
switch s {
|
|
case "C_AES_256":
|
|
log.Println("[extension arg = C_AES_256]")
|
|
c.cipheropts &= (0xFFFFFF00)
|
|
c.cipheropts |= CAlgAES256
|
|
break
|
|
case "C_TWOFISH_128":
|
|
log.Println("[extension arg = C_TWOFISH_128]")
|
|
c.cipheropts &= (0xFFFFFF00)
|
|
c.cipheropts |= CAlgTwofish128
|
|
break
|
|
case "C_BLOWFISH_64":
|
|
log.Println("[extension arg = C_BLOWFISH_64]")
|
|
c.cipheropts &= (0xFFFFFF00)
|
|
c.cipheropts |= CAlgBlowfish64
|
|
break
|
|
case "H_SHA256":
|
|
log.Println("[extension arg = H_SHA256]")
|
|
c.cipheropts &= (0xFFFF00FF)
|
|
c.cipheropts |= (HmacSHA256 << 8)
|
|
break
|
|
default:
|
|
log.Printf("[Dial ext \"%s\" ignored]\n", s)
|
|
break
|
|
}
|
|
}
|
|
}
|
|
|
|
// Dial as net.Dial(), but with implicit HKEx PeerD read on connect
|
|
// Can be called like net.Dial(), defaulting to C_AES_256/H_SHA256,
|
|
// or additional option arguments can be passed amongst the following:
|
|
//
|
|
// "C_AES_256" | "C_TWOFISH_128"
|
|
//
|
|
// "H_SHA256"
|
|
func Dial(protocol string, ipport string, extensions ...string) (hc *Conn, err error) {
|
|
// Open raw Conn c
|
|
c, err := net.Dial(protocol, ipport)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
// Init hkexnet.Conn hc over net.Conn c
|
|
hc = &Conn{c: c, h: New(0, 0), Rwmut: &sync.Mutex{}, dBuf: new(bytes.Buffer)}
|
|
hc.applyConnExtensions(extensions...)
|
|
|
|
// Send hkexnet.Conn parameters to remote side
|
|
// d is value for Herradura key exchange
|
|
fmt.Fprintf(c, "0x%s\n%08x:%08x\n", hc.h.d.Text(16),
|
|
hc.cipheropts, hc.opts)
|
|
|
|
d := big.NewInt(0)
|
|
_, err = fmt.Fscanln(c, d)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
_, err = fmt.Fscanf(c, "%08x:%08x\n",
|
|
&hc.cipheropts, &hc.opts)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
hc.h.PeerD = d
|
|
log.Printf("** D:%s\n", hc.h.d.Text(16))
|
|
log.Printf("**(c)** peerD:%s\n", hc.h.PeerD.Text(16))
|
|
hc.h.FA()
|
|
log.Printf("**(c)** FA:%s\n", hc.h.fa)
|
|
|
|
hc.r, hc.rm, err = hc.getStream(hc.h.fa)
|
|
hc.w, hc.wm, err = hc.getStream(hc.h.fa)
|
|
return
|
|
}
|
|
|
|
// Close a hkex.Conn
|
|
func (c Conn) Close() (err error) {
|
|
err = c.c.Close()
|
|
log.Println("[Conn Closing]")
|
|
return
|
|
}
|
|
|
|
// LocalAddr returns the local network address.
|
|
func (c Conn) LocalAddr() net.Addr {
|
|
return c.c.LocalAddr()
|
|
}
|
|
|
|
// RemoteAddr returns the remote network address.
|
|
func (c Conn) RemoteAddr() net.Addr {
|
|
return c.c.RemoteAddr()
|
|
}
|
|
|
|
// SetDeadline sets the read and write deadlines associated
|
|
// with the connection. It is equivalent to calling both
|
|
// SetReadDeadline and SetWriteDeadline.
|
|
//
|
|
// A deadline is an absolute time after which I/O operations
|
|
// fail with a timeout (see type Error) instead of
|
|
// blocking. The deadline applies to all future and pending
|
|
// I/O, not just the immediately following call to Read or
|
|
// Write. After a deadline has been exceeded, the connection
|
|
// can be refreshed by setting a deadline in the future.
|
|
//
|
|
// An idle timeout can be implemented by repeatedly extending
|
|
// the deadline after successful Read or Write calls.
|
|
//
|
|
// A zero value for t means I/O operations will not time out.
|
|
func (c Conn) SetDeadline(t time.Time) error {
|
|
return c.SetDeadline(t)
|
|
}
|
|
|
|
// SetWriteDeadline sets the deadline for future Write calls
|
|
// and any currently-blocked Write call.
|
|
// Even if write times out, it may return n > 0, indicating that
|
|
// some of the data was successfully written.
|
|
// A zero value for t means Write will not time out.
|
|
func (c Conn) SetWriteDeadline(t time.Time) error {
|
|
return c.SetWriteDeadline(t)
|
|
}
|
|
|
|
// SetReadDeadline sets the deadline for future Read calls
|
|
// and any currently-blocked Read call.
|
|
// A zero value for t means Read will not time out.
|
|
func (c Conn) SetReadDeadline(t time.Time) error {
|
|
return c.SetReadDeadline(t)
|
|
}
|
|
|
|
/*---------------------------------------------------------------------*/
|
|
|
|
// HKExListener is a Listener conforming to net.Listener
|
|
//
|
|
// See go doc net.Listener
|
|
type HKExListener struct {
|
|
l net.Listener
|
|
}
|
|
|
|
// Listen for a connection
|
|
//
|
|
// See go doc net.Listen
|
|
func Listen(protocol string, ipport string) (hl HKExListener, e error) {
|
|
l, err := net.Listen(protocol, ipport)
|
|
if err != nil {
|
|
return HKExListener{nil}, err
|
|
}
|
|
log.Println("[Listening]")
|
|
hl.l = l
|
|
return
|
|
}
|
|
|
|
// Close a hkex Listener - closes the Listener.
|
|
// Any blocked Accept operations will be unblocked and return errors.
|
|
//
|
|
// See go doc net.Listener.Close
|
|
func (hl HKExListener) Close() error {
|
|
log.Println("[Listener Closed]")
|
|
return hl.l.Close()
|
|
}
|
|
|
|
// Addr returns a the listener's network address.
|
|
//
|
|
// See go doc net.Listener.Addr
|
|
func (hl HKExListener) Addr() net.Addr {
|
|
return hl.l.Addr()
|
|
}
|
|
|
|
// Accept a client connection, conforming to net.Listener.Accept()
|
|
//
|
|
// See go doc net.Listener.Accept
|
|
func (hl HKExListener) Accept() (hc Conn, err error) {
|
|
// Open raw Conn c
|
|
c, err := hl.l.Accept()
|
|
if err != nil {
|
|
hc := Conn{c: nil, h: nil, cipheropts: 0, opts: 0, Rwmut: &sync.Mutex{},
|
|
r: nil, w: nil}
|
|
return hc, err
|
|
}
|
|
log.Println("[Accepted]")
|
|
|
|
hc = Conn{c: c, h: New(0, 0), WinCh: make(chan WinSize, 1),
|
|
Rwmut: &sync.Mutex{},
|
|
dBuf: new(bytes.Buffer)}
|
|
|
|
// Read in hkexnet.Conn parameters over raw Conn c
|
|
// d is value for Herradura key exchange
|
|
d := big.NewInt(0)
|
|
_, err = fmt.Fscanln(c, d)
|
|
log.Printf("[Got d:%v]", d)
|
|
if err != nil {
|
|
return hc, err
|
|
}
|
|
_, err = fmt.Fscanf(c, "%08x:%08x\n",
|
|
&hc.cipheropts, &hc.opts)
|
|
log.Printf("[Got cipheropts, opts:%v, %v]", hc.cipheropts, hc.opts)
|
|
if err != nil {
|
|
return hc, err
|
|
}
|
|
hc.h.PeerD = d
|
|
log.Printf("** D:%s\n", hc.h.d.Text(16))
|
|
log.Printf("**(s)** peerD:%s\n", hc.h.PeerD.Text(16))
|
|
hc.h.FA()
|
|
log.Printf("**(s)** FA:%s\n", hc.h.fa)
|
|
|
|
fmt.Fprintf(c, "0x%s\n%08x:%08x\n", hc.h.d.Text(16),
|
|
hc.cipheropts, hc.opts)
|
|
|
|
hc.r, hc.rm, err = hc.getStream(hc.h.fa)
|
|
hc.w, hc.wm, err = hc.getStream(hc.h.fa)
|
|
return
|
|
}
|
|
|
|
/*---------------------------------------------------------------------*/
|
|
|
|
// Read into a byte slice
|
|
//
|
|
// See go doc io.Reader
|
|
func (c Conn) Read(b []byte) (n int, err error) {
|
|
//log.Printf("[Decrypting...]\r\n")
|
|
for {
|
|
//log.Printf("c.dBuf.Len(): %d\n", c.dBuf.Len())
|
|
if c.dBuf.Len() > 0 /* len(b) */ {
|
|
break
|
|
}
|
|
|
|
var ctrlStatOp uint8
|
|
var hmacIn [4]uint8
|
|
var payloadLen uint32
|
|
|
|
// Read ctrl/status opcode (CSOHmacInvalid on hmac mismatch)
|
|
err = binary.Read(c.c, binary.BigEndian, &ctrlStatOp)
|
|
log.Printf("[ctrlStatOp: %v]\n", ctrlStatOp)
|
|
if ctrlStatOp == CSOHmacInvalid {
|
|
// Other side indicated channel tampering, close channel
|
|
c.Close()
|
|
return 1, errors.New("** ALERT - remote end detected HMAC mismatch - possible channel tampering **")
|
|
}
|
|
|
|
// Read the hmac and payload len first
|
|
err = binary.Read(c.c, binary.BigEndian, &hmacIn)
|
|
// Normal client 'exit' from interactive session will cause
|
|
// (on server side) err.Error() == "<iface/addr info ...>: use of closed network connection"
|
|
if err != nil {
|
|
if !strings.HasSuffix(err.Error(), "use of closed network connection") {
|
|
log.Println("unexpected Read() err:", err)
|
|
} else {
|
|
log.Println("[Client hung up]")
|
|
}
|
|
return 0, err
|
|
}
|
|
|
|
err = binary.Read(c.c, binary.BigEndian, &payloadLen)
|
|
if err != nil {
|
|
if err.Error() != "EOF" {
|
|
panic(err)
|
|
// Cannot just return 0, err here - client won't hang up properly
|
|
// when 'exit' from shell. TODO: try server sending ctrlStatOp to
|
|
// indicate to Reader? -rlm 20180428
|
|
}
|
|
}
|
|
|
|
if payloadLen > 16384 {
|
|
log.Printf("[Insane payloadLen:%v]\n", payloadLen)
|
|
c.Close()
|
|
return 1, errors.New("Insane payloadLen")
|
|
}
|
|
//log.Println("payloadLen:", payloadLen)
|
|
|
|
var payloadBytes = make([]byte, payloadLen)
|
|
n, err = io.ReadFull(c.c, payloadBytes)
|
|
//log.Print(" << Read ", n, " payloadBytes")
|
|
|
|
// Normal client 'exit' from interactive session will cause
|
|
// (on server side) err.Error() == "<iface/addr info ...>: use of closed network connection"
|
|
if err != nil && err.Error() != "EOF" {
|
|
if !strings.HasSuffix(err.Error(), "use of closed network connection") {
|
|
log.Println("unexpected Read() err:", err)
|
|
} else {
|
|
log.Println("[Client hung up]")
|
|
}
|
|
}
|
|
|
|
log.Printf(" <:ctext:\r\n%s\r\n", hex.Dump(payloadBytes[:n]))
|
|
|
|
db := bytes.NewBuffer(payloadBytes[:n]) //copying payloadBytes to db
|
|
// The StreamReader acts like a pipe, decrypting
|
|
// whatever is available and forwarding the result
|
|
// to the parameter of Read() as a normal io.Reader
|
|
rs := &cipher.StreamReader{S: c.r, R: db}
|
|
// The caller isn't necessarily reading the full payload so we need
|
|
// to decrypt ot an intermediate buffer, draining it on demand of caller
|
|
decryptN, err := rs.Read(payloadBytes)
|
|
log.Printf(" <-ptext:\r\n%s\r\n", hex.Dump(payloadBytes[:n]))
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
// Throw away pkt if it's chaff (ie., caller to Read() won't see this data)
|
|
if ctrlStatOp == CSOChaff {
|
|
log.Printf("[Chaff pkt, discarded (len %d)]\n", decryptN)
|
|
} else if ctrlStatOp == CSOTermSize {
|
|
fmt.Sscanf(string(payloadBytes), "%d %d", &c.Rows, &c.Cols)
|
|
log.Printf("[TermSize pkt: rows %v cols %v]\n", c.Rows, c.Cols)
|
|
c.WinCh <- WinSize{c.Rows, c.Cols}
|
|
} else {
|
|
c.dBuf.Write(payloadBytes)
|
|
//log.Printf("c.dBuf: %s\n", hex.Dump(c.dBuf.Bytes()))
|
|
}
|
|
|
|
// Re-calculate hmac, compare with received value
|
|
c.rm.Write(payloadBytes)
|
|
hTmp := c.rm.Sum(nil)[0:4]
|
|
log.Printf("<%04x) HMAC:(i)%s (c)%02x\r\n", decryptN, hex.EncodeToString([]byte(hmacIn[0:])), hTmp)
|
|
|
|
// Log alert if hmac didn't match, corrupted channel
|
|
if !bytes.Equal(hTmp, []byte(hmacIn[0:])) /*|| hmacIn[0] > 0xf8*/ {
|
|
fmt.Println("** ALERT - detected HMAC mismatch, possible channel tampering **")
|
|
_, _ = c.c.Write([]byte{CSOHmacInvalid})
|
|
}
|
|
}
|
|
|
|
retN := c.dBuf.Len()
|
|
if retN > len(b) {
|
|
retN = len(b)
|
|
}
|
|
|
|
log.Printf("Read() got %d bytes\n", retN)
|
|
copy(b, c.dBuf.Next(retN))
|
|
//log.Printf("As Read() returns, c.dBuf is %d long: %s\n", c.dBuf.Len(), hex.Dump(c.dBuf.Bytes()))
|
|
return retN, nil
|
|
}
|
|
|
|
// Write a byte slice
|
|
//
|
|
// See go doc io.Writer
|
|
func (c Conn) Write(b []byte) (n int, err error) {
|
|
n, err = c.WritePacket(b, CSONone)
|
|
return n, err
|
|
}
|
|
|
|
// Write a byte slice with specified ctrlStatusOp byte
|
|
func (c Conn) WritePacket(b []byte, op byte) (n int, err error) {
|
|
//log.Printf("[Encrypting...]\r\n")
|
|
var hmacOut []uint8
|
|
var payloadLen uint32
|
|
|
|
// N.B. Originally this Lock() surrounded only the
|
|
// calls to binary.Write(c.c ..) however there appears
|
|
// to be some other unshareable state in the Conn
|
|
// struct that must be protected to serialize main and
|
|
// chaff data written to it.
|
|
//
|
|
// Would be nice to determine if the mutex scope
|
|
// could be tightened.
|
|
c.Rwmut.Lock()
|
|
{
|
|
log.Printf(" :>ptext:\r\n%s\r\n", hex.Dump(b))
|
|
|
|
payloadLen = uint32(len(b))
|
|
|
|
// Calculate hmac on payload
|
|
c.wm.Write(b)
|
|
hmacOut = c.wm.Sum(nil)[0:4]
|
|
|
|
log.Printf(" (%04x> HMAC(o):%s\r\n", payloadLen, hex.EncodeToString(hmacOut))
|
|
|
|
var wb bytes.Buffer
|
|
// The StreamWriter acts like a pipe, forwarding whatever is
|
|
// written to it through the cipher, encrypting as it goes
|
|
ws := &cipher.StreamWriter{S: c.w, W: &wb}
|
|
_, err = ws.Write(b)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
log.Printf(" ->ctext:\r\n%s\r\n", hex.Dump(wb.Bytes()))
|
|
|
|
ctrlStatOp := op
|
|
|
|
err = binary.Write(c.c, binary.BigEndian, &ctrlStatOp)
|
|
if err == nil {
|
|
// Write hmac LSB, payloadLen followed by payload
|
|
err = binary.Write(c.c, binary.BigEndian, hmacOut)
|
|
if err == nil {
|
|
err = binary.Write(c.c, binary.BigEndian, payloadLen)
|
|
if err == nil {
|
|
n, err = c.c.Write(wb.Bytes())
|
|
}
|
|
}
|
|
}
|
|
}
|
|
c.Rwmut.Unlock()
|
|
|
|
if err != nil {
|
|
//panic(err)
|
|
log.Println(err)
|
|
}
|
|
return
|
|
}
|
|
|
|
func (c *Conn) Chaff(enable bool, msecsMin int, msecsMax int, szMax int) {
|
|
c.chaff = enable
|
|
c.chaffMsecsMin = msecsMin //move these to params of chaffHelper() ?
|
|
c.chaffMsecsMax = msecsMax
|
|
|
|
if enable {
|
|
log.Println("Chaffing ENABLED")
|
|
c.chaffHelper(szMax)
|
|
}
|
|
}
|
|
|
|
// Helper routine to spawn a chaffing goroutine for each Conn
|
|
func (c *Conn) chaffHelper(szMax int) {
|
|
go func() {
|
|
for {
|
|
var nextDuration int
|
|
if c.chaff {
|
|
chaff := make([]byte, rand.Intn(szMax))
|
|
min := c.chaffMsecsMin
|
|
nextDuration = rand.Intn(c.chaffMsecsMax-min) + min
|
|
_, _ = rand.Read(chaff)
|
|
_, err := c.WritePacket(chaff, CSOChaff)
|
|
if err != nil {
|
|
log.Println("[ *** error - chaffHelper quitting *** ]")
|
|
break
|
|
}
|
|
}
|
|
time.Sleep(time.Duration(nextDuration) * time.Millisecond)
|
|
}
|
|
}()
|
|
}
|
|
|
|
// hkexsh.Copy() is a modified version of io.Copy()
|
|
func Copy(dst io.Writer, src io.Reader) (written int64, err error) {
|
|
// If the reader has a WriteTo method, use it to do the copy.
|
|
// Avoids an allocation and a copy.
|
|
if wt, ok := src.(io.WriterTo); ok {
|
|
return wt.WriteTo(dst)
|
|
}
|
|
// Similarly, if the writer has a ReadFrom method, use it to do the copy.
|
|
if rt, ok := dst.(io.ReaderFrom); ok {
|
|
return rt.ReadFrom(src)
|
|
}
|
|
|
|
buf := make([]byte, 32*1024)
|
|
for {
|
|
nr, er := src.Read(buf)
|
|
if nr > 0 {
|
|
nw, ew := dst.Write(buf[0:nr])
|
|
if nw > 0 {
|
|
written += int64(nw)
|
|
}
|
|
if ew != nil {
|
|
err = ew
|
|
break
|
|
}
|
|
if nr != nw {
|
|
err = io.ErrShortWrite
|
|
break
|
|
}
|
|
}
|
|
if er != nil {
|
|
if er != io.EOF {
|
|
err = er
|
|
}
|
|
break
|
|
}
|
|
}
|
|
return written, err
|
|
}
|