Cloak/internal/client/TLS.go

package client

import (
	"encoding/binary"
	"github.com/cbeuw/Cloak/internal/common"
	log "github.com/sirupsen/logrus"
	"net"
)

const appDataMaxLength = 16401

type clientHelloFields struct {
	random         []byte
	sessionId      []byte
	x25519KeyShare []byte
	sni            []byte
}

type browser interface {
	composeClientHello(clientHelloFields) []byte
}

func makeServerName(serverName string) []byte {
	serverNameListLength := make([]byte, 2)
	binary.BigEndian.PutUint16(serverNameListLength, uint16(len(serverName)+3))
	serverNameType := []byte{0x00} // host_name
	serverNameLength := make([]byte, 2)
	binary.BigEndian.PutUint16(serverNameLength, uint16(len(serverName)))
	ret := make([]byte, 2+1+2+len(serverName))
	copy(ret[0:2], serverNameListLength)
	copy(ret[2:3], serverNameType)
	copy(ret[3:5], serverNameLength)
	copy(ret[5:], serverName)
	return ret
}

// addExtensionRecord, add type, length to extension data
func addExtRec(typ []byte, data []byte) []byte {
	length := make([]byte, 2)
	binary.BigEndian.PutUint16(length, uint16(len(data)))
	ret := make([]byte, 2+2+len(data))
	copy(ret[0:2], typ)
	copy(ret[2:4], length)
	copy(ret[4:], data)
	return ret
}

func genStegClientHello(ai authenticationPayload, serverName string) (ret clientHelloFields) {
	// random is marshalled ephemeral pub key 32 bytes
	// The authentication ciphertext and its tag are then distributed among SessionId and X25519KeyShare
	ret.random = ai.randPubKey[:]
	ret.sessionId = ai.ciphertextWithTag[0:32]
	ret.x25519KeyShare = ai.ciphertextWithTag[32:64]
	ret.sni = makeServerName(serverName)
	return
}

type DirectTLS struct {
	*common.TLSConn
	browser browser
}

// NewClientTransport handles the TLS handshake for a given conn and returns the sessionKey
// if the server proceed with Cloak authentication
func (tls *DirectTLS) Handshake(rawConn net.Conn, authInfo AuthInfo) (sessionKey [32]byte, err error) {
	payload, sharedSecret := makeAuthenticationPayload(authInfo)
	chOnly := tls.browser.composeClientHello(genStegClientHello(payload, authInfo.MockDomain))
	chWithRecordLayer := common.AddRecordLayer(chOnly, common.Handshake, common.VersionTLS11)
	_, err = rawConn.Write(chWithRecordLayer)
	if err != nil {
		return
	}
	log.Trace("client hello sent successfully")
	tls.TLSConn = &common.TLSConn{Conn: rawConn}

	buf := make([]byte, 1024)
	log.Trace("waiting for ServerHello")
	_, err = tls.Read(buf)
	if err != nil {
		return
	}

	encrypted := append(buf[6:38], buf[84:116]...)
	nonce := encrypted[0:12]
	ciphertextWithTag := encrypted[12:60]
	sessionKeySlice, err := common.AESGCMDecrypt(nonce, sharedSecret[:], ciphertextWithTag)
	if err != nil {
		return
	}
	copy(sessionKey[:], sessionKeySlice)

	for i := 0; i < 2; i++ {
		// ChangeCipherSpec and EncryptedCert (in the format of application data)
		_, err = tls.Read(buf)
		if err != nil {
			return
		}
	}
	return sessionKey, nil

}
Refactor client TLS 2019-08-02 15:02:25 +00:00			`package client`
Untested client 2018-10-07 17:09:45 +00:00
			`import (`
			`"encoding/binary"`
Move common types to its own package 2020-04-08 23:39:40 +00:00			`"github.com/cbeuw/Cloak/internal/common"`
Refactor TLS handshake 2019-08-06 14:50:33 +00:00			`log "github.com/sirupsen/logrus"`
Purge impurity 2020-04-09 21:11:12 +00:00			`"net"`
Untested client 2018-10-07 17:09:45 +00:00			`)`

Set frame size limit through multiplexer 2020-04-09 15:37:46 +00:00			`const appDataMaxLength = 16401`

Refactor authentication data representations 2020-01-24 16:44:29 +00:00			`type clientHelloFields struct {`
			`random []byte`
			`sessionId []byte`
			`x25519KeyShare []byte`
			`sni []byte`
			`}`

Unexport some client.State fields 2019-08-16 23:18:19 +00:00			`type browser interface {`
Refactor authentication data representations 2020-01-24 16:44:29 +00:00			`composeClientHello(clientHelloFields) []byte`
Untested client 2018-10-07 17:09:45 +00:00			`}`

TLS1.3 2019-08-02 00:01:19 +00:00			`func makeServerName(serverName string) []byte {`
Untested client 2018-10-07 17:09:45 +00:00			`serverNameListLength := make([]byte, 2)`
			`binary.BigEndian.PutUint16(serverNameListLength, uint16(len(serverName)+3))`
			`serverNameType := []byte{0x00} // host_name`
			`serverNameLength := make([]byte, 2)`
			`binary.BigEndian.PutUint16(serverNameLength, uint16(len(serverName)))`
			`ret := make([]byte, 2+1+2+len(serverName))`
			`copy(ret[0:2], serverNameListLength)`
			`copy(ret[2:3], serverNameType)`
			`copy(ret[3:5], serverNameLength)`
			`copy(ret[5:], serverName)`
			`return ret`
			`}`

			`// addExtensionRecord, add type, length to extension data`
			`func addExtRec(typ []byte, data []byte) []byte {`
			`length := make([]byte, 2)`
			`binary.BigEndian.PutUint16(length, uint16(len(data)))`
			`ret := make([]byte, 2+2+len(data))`
			`copy(ret[0:2], typ)`
			`copy(ret[2:4], length)`
			`copy(ret[4:], data)`
			`return ret`
			`}`

Refactor client config 2020-04-06 12:07:16 +00:00			`func genStegClientHello(ai authenticationPayload, serverName string) (ret clientHelloFields) {`
Refactor makeAuthenticationPayload to allow easier tests 2020-01-25 10:19:45 +00:00			`// random is marshalled ephemeral pub key 32 bytes`
			`// The authentication ciphertext and its tag are then distributed among SessionId and X25519KeyShare`
Refactor authentication data representations 2020-01-24 16:44:29 +00:00			`ret.random = ai.randPubKey[:]`
			`ret.sessionId = ai.ciphertextWithTag[0:32]`
			`ret.x25519KeyShare = ai.ciphertextWithTag[32:64]`
			`ret.sni = makeServerName(serverName)`
			`return`
			`}`

websocket over TLS 2019-09-02 13:03:10 +00:00			`type DirectTLS struct {`
Move common types to its own package 2020-04-08 23:39:40 +00:00			`*common.TLSConn`
Refactor client side transport (breaks server) 2020-04-08 19:53:09 +00:00			`browser browser`
Client side plain websocket 2019-08-31 17:01:39 +00:00			`}`

Refactor client side transport (breaks server) 2020-04-08 19:53:09 +00:00			`// NewClientTransport handles the TLS handshake for a given conn and returns the sessionKey`
More comments 2019-08-20 21:43:04 +00:00			`// if the server proceed with Cloak authentication`
Export fields for testing 2020-04-10 13:09:48 +00:00			`func (tls *DirectTLS) Handshake(rawConn net.Conn, authInfo AuthInfo) (sessionKey [32]byte, err error) {`
Purge impurity 2020-04-09 21:11:12 +00:00			`payload, sharedSecret := makeAuthenticationPayload(authInfo)`
Refactor client config 2020-04-06 12:07:16 +00:00			`chOnly := tls.browser.composeClientHello(genStegClientHello(payload, authInfo.MockDomain))`
Move common types to its own package 2020-04-08 23:39:40 +00:00			`chWithRecordLayer := common.AddRecordLayer(chOnly, common.Handshake, common.VersionTLS11)`
Refactor client side transport (breaks server) 2020-04-08 19:53:09 +00:00			`_, err = rawConn.Write(chWithRecordLayer)`
Refactor TLS handshake 2019-08-06 14:50:33 +00:00			`if err != nil {`
			`return`
			`}`
			`log.Trace("client hello sent successfully")`
Move common types to its own package 2020-04-08 23:39:40 +00:00			`tls.TLSConn = &common.TLSConn{Conn: rawConn}`
Refactor TLS handshake 2019-08-06 14:50:33 +00:00
			`buf := make([]byte, 1024)`
			`log.Trace("waiting for ServerHello")`
Refactor client side transport (breaks server) 2020-04-08 19:53:09 +00:00			`_, err = tls.Read(buf)`
Refactor TLS handshake 2019-08-06 14:50:33 +00:00			`if err != nil {`
			`return`
			`}`
Use AEAD to encrypt session key in ServerHello to provide authentication of the identity of the server 2019-08-06 22:59:29 +00:00
Refactor client side transport (breaks server) 2020-04-08 19:53:09 +00:00			`encrypted := append(buf[6:38], buf[84:116]...)`
Use AEAD to encrypt session key in ServerHello to provide authentication of the identity of the server 2019-08-06 22:59:29 +00:00			`nonce := encrypted[0:12]`
More comments 2019-08-20 21:43:04 +00:00			`ciphertextWithTag := encrypted[12:60]`
Code cleanup and move stuff around 2020-04-14 00:53:28 +00:00			`sessionKeySlice, err := common.AESGCMDecrypt(nonce, sharedSecret[:], ciphertextWithTag)`
Use AEAD to encrypt session key in ServerHello to provide authentication of the identity of the server 2019-08-06 22:59:29 +00:00			`if err != nil {`
			`return`
			`}`
Make key lengths explicit 2020-04-07 20:15:28 +00:00			`copy(sessionKey[:], sessionKeySlice)`
Use AEAD to encrypt session key in ServerHello to provide authentication of the identity of the server 2019-08-06 22:59:29 +00:00
Let the server send a mock encrypted certificate after ChangeCipherSuite to imitate real behaviour more closely 2019-08-06 23:28:08 +00:00			`for i := 0; i < 2; i++ {`
			`// ChangeCipherSpec and EncryptedCert (in the format of application data)`
Refactor client side transport (breaks server) 2020-04-08 19:53:09 +00:00			`_, err = tls.Read(buf)`
Let the server send a mock encrypted certificate after ChangeCipherSuite to imitate real behaviour more closely 2019-08-06 23:28:08 +00:00			`if err != nil {`
			`return`
			`}`
Refactor TLS handshake 2019-08-06 14:50:33 +00:00			`}`
Refactor client side transport (breaks server) 2020-04-08 19:53:09 +00:00			`return sessionKey, nil`
Refactor TLS handshake 2019-08-06 14:50:33 +00:00
			`}`