Cloak/internal/multiplex/obfs.go

package multiplex

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"golang.org/x/crypto/chacha20poly1305"
	"golang.org/x/crypto/salsa20"

	prand "math/rand"
)

type Obfser func(*Frame, []byte) (int, error)
type Deobfser func([]byte) (*Frame, error)

var u32 = binary.BigEndian.Uint32
var putU32 = binary.BigEndian.PutUint32

const HEADER_LEN = 12

const (
	E_METHOD_PLAIN = iota
	E_METHOD_AES_GCM
	E_METHOD_CHACHA20_POLY1305
)

func MakeObfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Obfser {
	obfs := func(f *Frame, buf []byte) (int, error) {
		var extraLen uint8
		if payloadCipher == nil {
			if len(f.Payload) < 8 {
				extraLen = uint8(8 - len(f.Payload))
			}
		} else {
			extraLen = uint8(payloadCipher.Overhead())
		}

		usefulLen := 5 + HEADER_LEN + len(f.Payload) + int(extraLen)
		if len(buf) < usefulLen {
			return 0, errors.New("buffer is too small")
		}
		useful := buf[:usefulLen] // tls header + payload + potential overhead
		recordLayer := useful[0:5]
		header := useful[5 : 5+HEADER_LEN]
		encryptedPayload := useful[5+HEADER_LEN:]

		// header: [StreamID 4 bytes][Seq 4 bytes][Closing 1 byte][extraLen 1 bytes][random 2 bytes]
		putU32(header[0:4], f.StreamID)
		putU32(header[4:8], f.Seq)
		header[8] = f.Closing
		header[9] = extraLen
		prand.Read(header[10:12])

		if payloadCipher == nil {
			copy(encryptedPayload, f.Payload)
			if extraLen != 0 {
				rand.Read(encryptedPayload[len(encryptedPayload)-int(extraLen):])
			}
		} else {
			ciphertext := payloadCipher.Seal(nil, header, f.Payload, nil)
			copy(encryptedPayload, ciphertext)
		}

		nonce := encryptedPayload[len(encryptedPayload)-8:]
		salsa20.XORKeyStream(header, header, nonce, &salsaKey)

		// Composing final obfsed message
		// We don't use util.AddRecordLayer here to avoid unnecessary malloc
		recordLayer[0] = 0x17
		recordLayer[1] = 0x03
		recordLayer[2] = 0x03
		binary.BigEndian.PutUint16(recordLayer[3:5], uint16(HEADER_LEN+len(encryptedPayload)))
		return usefulLen, nil
	}
	return obfs
}

func MakeDeobfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Deobfser {
	deobfs := func(in []byte) (*Frame, error) {
		if len(in) < 5+HEADER_LEN+8 {
			return nil, errors.New("Input cannot be shorter than 25 bytes")
		}

		peeled := make([]byte, len(in)-5)
		copy(peeled, in[5:])

		header := peeled[:12]
		pldWithOverHead := peeled[12:] // plaintext + potential overhead

		nonce := peeled[len(peeled)-8:]
		salsa20.XORKeyStream(header, header, nonce, &salsaKey)

		streamID := u32(header[0:4])
		seq := u32(header[4:8])
		closing := header[8]
		extraLen := header[9]

		usefulPayloadLen := len(pldWithOverHead) - int(extraLen)
		if usefulPayloadLen < 0 {
			return nil, errors.New("extra length is greater than total pldWithOverHead length")
		}

		var outputPayload []byte

		if payloadCipher == nil {
			if extraLen == 0 {
				outputPayload = pldWithOverHead
			} else {
				outputPayload = pldWithOverHead[:usefulPayloadLen]
			}
		} else {
			_, err := payloadCipher.Open(pldWithOverHead[:0], header, pldWithOverHead, nil)
			if err != nil {
				return nil, err
			}
			outputPayload = pldWithOverHead[:usefulPayloadLen]
		}

		ret := &Frame{
			StreamID: streamID,
			Seq:      seq,
			Closing:  closing,
			Payload:  outputPayload,
		}
		return ret, nil
	}
	return deobfs
}

func GenerateObfs(encryptionMethod byte, sessionKey []byte) (obfuscator *Obfuscator, err error) {
	if len(sessionKey) != 32 {
		err = errors.New("sessionKey size must be 32 bytes")
	}

	var salsaKey [32]byte
	copy(salsaKey[:], sessionKey)

	var payloadCipher cipher.AEAD
	switch encryptionMethod {
	case E_METHOD_PLAIN:
		payloadCipher = nil
	case E_METHOD_AES_GCM:
		var c cipher.Block
		c, err = aes.NewCipher(sessionKey)
		if err != nil {
			return
		}
		payloadCipher, err = cipher.NewGCM(c)
		if err != nil {
			return
		}
	case E_METHOD_CHACHA20_POLY1305:
		payloadCipher, err = chacha20poly1305.New(sessionKey)
		if err != nil {
			return
		}
	default:
		return nil, errors.New("Unknown encryption method")
	}

	obfuscator = &Obfuscator{
		MakeObfs(salsaKey, payloadCipher),
		MakeDeobfs(salsaKey, payloadCipher),
		sessionKey,
	}
	return
}
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`package multiplex`
Untested client 2018-10-07 17:09:45 +00:00
			`import (`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`"crypto/aes"`
Fix bad cryptography 2019-07-31 23:16:33 +00:00			`"crypto/cipher"`
Redo the header obfuscation. Fix hiccups caused by short packets 2019-01-06 01:40:27 +00:00			`"crypto/rand"`
Untested client 2018-10-07 17:09:45 +00:00			`"encoding/binary"`
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`"errors"`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`"golang.org/x/crypto/chacha20poly1305"`
			`"golang.org/x/crypto/salsa20"`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00
			`prand "math/rand"`
Untested client 2018-10-07 17:09:45 +00:00			`)`

Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`type Obfser func(*Frame, []byte) (int, error)`
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`type Deobfser func([]byte) (*Frame, error)`

Redo the header obfuscation. Fix hiccups caused by short packets 2019-01-06 01:40:27 +00:00			`var u32 = binary.BigEndian.Uint32`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00			`var putU32 = binary.BigEndian.PutUint32`
Redo the header obfuscation. Fix hiccups caused by short packets 2019-01-06 01:40:27 +00:00
Memory optimisation 2019-07-27 23:15:27 +00:00			`const HEADER_LEN = 12`
Change the stream header format and reduce overhead 2019-01-13 21:28:57 +00:00
Use ENUM constants for encryption methods 2019-08-16 22:44:40 +00:00			`const (`
			`E_METHOD_PLAIN = iota`
			`E_METHOD_AES_GCM`
			`E_METHOD_CHACHA20_POLY1305`
			`)`

Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`func MakeObfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Obfser {`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`obfs := func(f *Frame, buf []byte) (int, error) {`
			`var extraLen uint8`
			`if payloadCipher == nil {`
			`if len(f.Payload) < 8 {`
			`extraLen = uint8(8 - len(f.Payload))`
			`}`
			`} else {`
			`extraLen = uint8(payloadCipher.Overhead())`
			`}`

			`usefulLen := 5 + HEADER_LEN + len(f.Payload) + int(extraLen)`
			`if len(buf) < usefulLen {`
			`return 0, errors.New("buffer is too small")`
			`}`
Rename a variable and modify a test 2019-08-07 18:08:37 +00:00			`useful := buf[:usefulLen] // tls header + payload + potential overhead`
			`recordLayer := useful[0:5]`
			`header := useful[5 : 5+HEADER_LEN]`
			`encryptedPayload := useful[5+HEADER_LEN:]`
Memory optimisation 2019-07-27 23:15:27 +00:00
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`// header: [StreamID 4 bytes][Seq 4 bytes][Closing 1 byte][extraLen 1 bytes][random 2 bytes]`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00			`putU32(header[0:4], f.StreamID)`
			`putU32(header[4:8], f.Seq)`
			`header[8] = f.Closing`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`header[9] = extraLen`
			`prand.Read(header[10:12])`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`if payloadCipher == nil {`
			`copy(encryptedPayload, f.Payload)`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`if extraLen != 0 {`
			`rand.Read(encryptedPayload[len(encryptedPayload)-int(extraLen):])`
			`}`
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`} else {`
			`ciphertext := payloadCipher.Seal(nil, header, f.Payload, nil)`
			`copy(encryptedPayload, ciphertext)`
Use AES-GCM instead of CTR 2019-06-09 14:03:28 +00:00			`}`
Add optional encryption 2019-06-09 11:05:41 +00:00
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`nonce := encryptedPayload[len(encryptedPayload)-8:]`
			`salsa20.XORKeyStream(header, header, nonce, &salsaKey)`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
optimisations 2018-10-20 16:03:39 +00:00			`// Composing final obfsed message`
			`// We don't use util.AddRecordLayer here to avoid unnecessary malloc`
Memory optimisation 2019-07-27 23:15:27 +00:00			`recordLayer[0] = 0x17`
			`recordLayer[1] = 0x03`
			`recordLayer[2] = 0x03`
			`binary.BigEndian.PutUint16(recordLayer[3:5], uint16(HEADER_LEN+len(encryptedPayload)))`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`return usefulLen, nil`
Untested client 2018-10-07 17:09:45 +00:00			`}`
			`return obfs`
			`}`

Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`func MakeDeobfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Deobfser {`
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`deobfs := func(in []byte) (*Frame, error) {`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`if len(in) < 5+HEADER_LEN+8 {`
Optimise deobfs 2019-08-07 16:53:34 +00:00			`return nil, errors.New("Input cannot be shorter than 25 bytes")`
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`}`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
Optimise deobfs 2019-08-07 16:53:34 +00:00			`peeled := make([]byte, len(in)-5)`
			`copy(peeled, in[5:])`

			`header := peeled[:12]`
			`pldWithOverHead := peeled[12:] // plaintext + potential overhead`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`nonce := peeled[len(peeled)-8:]`
			`salsa20.XORKeyStream(header, header, nonce, &salsaKey)`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
			`streamID := u32(header[0:4])`
			`seq := u32(header[4:8])`
			`closing := header[8]`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`extraLen := header[9]`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
Optimise deobfs 2019-08-07 16:53:34 +00:00			`usefulPayloadLen := len(pldWithOverHead) - int(extraLen)`
			`if usefulPayloadLen < 0 {`
			`return nil, errors.New("extra length is greater than total pldWithOverHead length")`
Fix a potential make len<0 2019-08-07 16:22:40 +00:00			`}`
Optimise deobfs 2019-08-07 16:53:34 +00:00
			`var outputPayload []byte`
Add optional encryption 2019-06-09 11:05:41 +00:00
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`if payloadCipher == nil {`
Optimise deobfs 2019-08-07 16:53:34 +00:00			`if extraLen == 0 {`
			`outputPayload = pldWithOverHead`
			`} else {`
			`outputPayload = pldWithOverHead[:usefulPayloadLen]`
			`}`
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`} else {`
Optimise deobfs 2019-08-07 16:53:34 +00:00			`_, err := payloadCipher.Open(pldWithOverHead[:0], header, pldWithOverHead, nil)`
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Optimise deobfs 2019-08-07 16:53:34 +00:00			`outputPayload = pldWithOverHead[:usefulPayloadLen]`
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`}`
I just did a joint and I need to commit before things go wrong 2019-06-14 12:28:14 +00:00
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`ret := &Frame{`
Stream closing is now ordered 2018-10-27 22:35:46 +00:00			`StreamID: streamID,`
			`Seq: seq,`
			`Closing: closing,`
I just did a joint and I need to commit before things go wrong 2019-06-14 12:28:14 +00:00			`Payload: outputPayload,`
Untested client 2018-10-07 17:09:45 +00:00			`}`
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`return ret, nil`
Untested client 2018-10-07 17:09:45 +00:00			`}`
			`return deobfs`
			`}`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00
			`func GenerateObfs(encryptionMethod byte, sessionKey []byte) (obfuscator *Obfuscator, err error) {`
			`if len(sessionKey) != 32 {`
			`err = errors.New("sessionKey size must be 32 bytes")`
			`}`

			`var salsaKey [32]byte`
			`copy(salsaKey[:], sessionKey)`

			`var payloadCipher cipher.AEAD`
			`switch encryptionMethod {`
Use ENUM constants for encryption methods 2019-08-16 22:44:40 +00:00			`case E_METHOD_PLAIN:`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`payloadCipher = nil`
Use ENUM constants for encryption methods 2019-08-16 22:44:40 +00:00			`case E_METHOD_AES_GCM:`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`var c cipher.Block`
Force aead key sizes as 32 bytes due to chacha20-poly1305 2019-08-06 23:15:55 +00:00			`c, err = aes.NewCipher(sessionKey)`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`if err != nil {`
			`return`
			`}`
			`payloadCipher, err = cipher.NewGCM(c)`
			`if err != nil {`
			`return`
			`}`
Use ENUM constants for encryption methods 2019-08-16 22:44:40 +00:00			`case E_METHOD_CHACHA20_POLY1305:`
Force aead key sizes as 32 bytes due to chacha20-poly1305 2019-08-06 23:15:55 +00:00			`payloadCipher, err = chacha20poly1305.New(sessionKey)`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`if err != nil {`
			`return`
			`}`
			`default:`
			`return nil, errors.New("Unknown encryption method")`
			`}`

			`obfuscator = &Obfuscator{`
			`MakeObfs(salsaKey, payloadCipher),`
			`MakeDeobfs(salsaKey, payloadCipher),`
			`sessionKey,`
			`}`
			`return`
			`}`