Cloak/internal/multiplex/obfs.go

package multiplex

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"github.com/cbeuw/Cloak/internal/common"
	"golang.org/x/crypto/chacha20poly1305"
	"golang.org/x/crypto/salsa20"
)

type Obfser func(*Frame, []byte, int) (int, error)
type Deobfser func([]byte) (*Frame, error)

var u32 = binary.BigEndian.Uint32
var u64 = binary.BigEndian.Uint64
var putU32 = binary.BigEndian.PutUint32
var putU64 = binary.BigEndian.PutUint64

const HEADER_LEN = 14

const (
	E_METHOD_PLAIN = iota
	E_METHOD_AES_GCM
	E_METHOD_CHACHA20_POLY1305
)

// Obfuscator is responsible for the obfuscation and deobfuscation of frames
type Obfuscator struct {
	// Used in Stream.Write. Add multiplexing headers, encrypt and add TLS header
	Obfs Obfser
	// Remove TLS header, decrypt and unmarshall frames
	Deobfs      Deobfser
	SessionKey  [32]byte
	minOverhead int
}

func MakeObfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Obfser {
	obfs := func(f *Frame, buf []byte, payloadOffsetInBuf int) (int, error) {
		// we need the encrypted data to be at least 8 bytes to be used as nonce for salsa20 stream header encryption
		// this will be the case if the encryption method is an AEAD cipher, however for plain, it's well possible
		// that the frame payload is smaller than 8 bytes, so we need to add on the difference
		payloadLen := len(f.Payload)
		if payloadLen == 0 {
			return 0, errors.New("payload cannot be empty")
		}
		var extraLen int
		if payloadCipher == nil {
			if extraLen = 8 - payloadLen; extraLen < 0 {
				extraLen = 0
			}
		} else {
			extraLen = payloadCipher.Overhead()
			if extraLen < 8 {
				return 0, errors.New("AEAD's Overhead cannot be fewer than 8 bytes")
			}
		}

		usefulLen := HEADER_LEN + payloadLen + extraLen
		if len(buf) < usefulLen {
			return 0, errors.New("obfs buffer too small")
		}
		// we do as much in-place as possible to save allocation
		payload := buf[HEADER_LEN : HEADER_LEN+payloadLen]
		if payloadOffsetInBuf != HEADER_LEN {
			// if payload is not at the correct location in buffer
			copy(payload, f.Payload)
		}

		header := buf[:HEADER_LEN]
		putU32(header[0:4], f.StreamID)
		putU64(header[4:12], f.Seq)
		header[12] = f.Closing
		header[13] = byte(extraLen)

		if payloadCipher == nil {
			if extraLen != 0 { // read nonce
				extra := buf[usefulLen-extraLen : usefulLen]
				common.CryptoRandRead(extra)
			}
		} else {
			payloadCipher.Seal(payload[:0], header[:12], payload, nil)
		}

		nonce := buf[usefulLen-8 : usefulLen]
		salsa20.XORKeyStream(header, header, nonce, &salsaKey)

		return usefulLen, nil
	}
	return obfs
}

func MakeDeobfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Deobfser {
	// stream header length + minimum data size (i.e. nonce size of salsa20)
	const minInputLen = HEADER_LEN + 8
	deobfs := func(in []byte) (*Frame, error) {
		if len(in) < minInputLen {
			return nil, fmt.Errorf("input size %v, but it cannot be shorter than %v bytes", len(in), minInputLen)
		}

		header := in[:HEADER_LEN]
		pldWithOverHead := in[HEADER_LEN:] // payload + potential overhead

		nonce := in[len(in)-8:]
		salsa20.XORKeyStream(header, header, nonce, &salsaKey)

		streamID := u32(header[0:4])
		seq := u64(header[4:12])
		closing := header[12]
		extraLen := header[13]

		usefulPayloadLen := len(pldWithOverHead) - int(extraLen)
		if usefulPayloadLen < 0 || usefulPayloadLen > len(pldWithOverHead) {
			return nil, errors.New("extra length is negative or extra length is greater than total pldWithOverHead length")
		}

		var outputPayload []byte

		if payloadCipher == nil {
			if extraLen == 0 {
				outputPayload = pldWithOverHead
			} else {
				outputPayload = pldWithOverHead[:usefulPayloadLen]
			}
		} else {
			_, err := payloadCipher.Open(pldWithOverHead[:0], header[:12], pldWithOverHead, nil)
			if err != nil {
				return nil, err
			}
			outputPayload = pldWithOverHead[:usefulPayloadLen]
		}

		ret := &Frame{
			StreamID: streamID,
			Seq:      seq,
			Closing:  closing,
			Payload:  outputPayload,
		}
		return ret, nil
	}
	return deobfs
}

func MakeObfuscator(encryptionMethod byte, sessionKey [32]byte) (obfuscator Obfuscator, err error) {
	obfuscator = Obfuscator{
		SessionKey: sessionKey,
	}
	var payloadCipher cipher.AEAD
	switch encryptionMethod {
	case E_METHOD_PLAIN:
		payloadCipher = nil
		obfuscator.minOverhead = 0
	case E_METHOD_AES_GCM:
		var c cipher.Block
		c, err = aes.NewCipher(sessionKey[:])
		if err != nil {
			return
		}
		payloadCipher, err = cipher.NewGCM(c)
		if err != nil {
			return
		}
		obfuscator.minOverhead = payloadCipher.Overhead()
	case E_METHOD_CHACHA20_POLY1305:
		payloadCipher, err = chacha20poly1305.New(sessionKey[:])
		if err != nil {
			return
		}
		obfuscator.minOverhead = payloadCipher.Overhead()
	default:
		return obfuscator, errors.New("Unknown encryption method")
	}

	obfuscator.Obfs = MakeObfs(sessionKey, payloadCipher)
	obfuscator.Deobfs = MakeDeobfs(sessionKey, payloadCipher)
	return
}
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`package multiplex`
Untested client 2018-10-07 17:09:45 +00:00
			`import (`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`"crypto/aes"`
Fix bad cryptography 2019-07-31 23:16:33 +00:00			`"crypto/cipher"`
Untested client 2018-10-07 17:09:45 +00:00			`"encoding/binary"`
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`"errors"`
Working direct WebSocket transport 2019-09-01 19:23:45 +00:00			`"fmt"`
Code cleanup and move stuff around 2020-04-14 00:53:28 +00:00			`"github.com/cbeuw/Cloak/internal/common"`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`"golang.org/x/crypto/chacha20poly1305"`
			`"golang.org/x/crypto/salsa20"`
Untested client 2018-10-07 17:09:45 +00:00			`)`

Explicitly allow buf overlap in obfs 2020-04-13 21:48:28 +00:00			`type Obfser func(*Frame, []byte, int) (int, error)`
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`type Deobfser func([]byte) (*Frame, error)`

Redo the header obfuscation. Fix hiccups caused by short packets 2019-01-06 01:40:27 +00:00			`var u32 = binary.BigEndian.Uint32`
Use 64bit frame Seq to prevent nonce reuse 2019-08-27 14:06:28 +00:00			`var u64 = binary.BigEndian.Uint64`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00			`var putU32 = binary.BigEndian.PutUint32`
Use 64bit frame Seq to prevent nonce reuse 2019-08-27 14:06:28 +00:00			`var putU64 = binary.BigEndian.PutUint64`
Redo the header obfuscation. Fix hiccups caused by short packets 2019-01-06 01:40:27 +00:00
Use 64bit frame Seq to prevent nonce reuse 2019-08-27 14:06:28 +00:00			`const HEADER_LEN = 14`
Change the stream header format and reduce overhead 2019-01-13 21:28:57 +00:00
Use ENUM constants for encryption methods 2019-08-16 22:44:40 +00:00			`const (`
			`E_METHOD_PLAIN = iota`
			`E_METHOD_AES_GCM`
			`E_METHOD_CHACHA20_POLY1305`
			`)`

Code cleanup 2020-04-08 11:18:20 +00:00			`// Obfuscator is responsible for the obfuscation and deobfuscation of frames`
			`type Obfuscator struct {`
			`// Used in Stream.Write. Add multiplexing headers, encrypt and add TLS header`
			`Obfs Obfser`
			`// Remove TLS header, decrypt and unmarshall frames`
Set frame size limit through multiplexer 2020-04-09 15:37:46 +00:00			`Deobfs Deobfser`
			`SessionKey [32]byte`
			`minOverhead int`
Code cleanup 2020-04-08 11:18:20 +00:00			`}`

Refactor client side transport (breaks server) 2020-04-08 19:53:09 +00:00			`func MakeObfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Obfser {`
Explicitly allow buf overlap in obfs 2020-04-13 21:48:28 +00:00			`obfs := func(f *Frame, buf []byte, payloadOffsetInBuf int) (int, error) {`
More comments 2019-08-20 21:43:04 +00:00			`// we need the encrypted data to be at least 8 bytes to be used as nonce for salsa20 stream header encryption`
			`// this will be the case if the encryption method is an AEAD cipher, however for plain, it's well possible`
			`// that the frame payload is smaller than 8 bytes, so we need to add on the difference`
Explicitly allow buf overlap in obfs 2020-04-13 21:48:28 +00:00			`payloadLen := len(f.Payload)`
			`if payloadLen == 0 {`
			`return 0, errors.New("payload cannot be empty")`
			`}`
Eliminate some bounds check 2020-04-12 15:10:48 +00:00			`var extraLen int`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`if payloadCipher == nil {`
Explicitly allow buf overlap in obfs 2020-04-13 21:48:28 +00:00			`if extraLen = 8 - payloadLen; extraLen < 0 {`
Eliminate some bounds check 2020-04-12 15:10:48 +00:00			`extraLen = 0`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`}`
			`} else {`
Eliminate some bounds check 2020-04-12 15:10:48 +00:00			`extraLen = payloadCipher.Overhead()`
			`if extraLen < 8 {`
			`return 0, errors.New("AEAD's Overhead cannot be fewer than 8 bytes")`
			`}`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`}`
Explicitly allow buf overlap in obfs 2020-04-13 21:48:28 +00:00
			`usefulLen := HEADER_LEN + payloadLen + extraLen`
			`if len(buf) < usefulLen {`
			`return 0, errors.New("obfs buffer too small")`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`}`
More comments 2019-08-20 21:43:04 +00:00			`// we do as much in-place as possible to save allocation`
Explicitly allow buf overlap in obfs 2020-04-13 21:48:28 +00:00			`payload := buf[HEADER_LEN : HEADER_LEN+payloadLen]`
			`if payloadOffsetInBuf != HEADER_LEN {`
			`// if payload is not at the correct location in buffer`
			`copy(payload, f.Payload)`
			`}`
More comments 2019-08-20 21:43:04 +00:00
Explicitly allow buf overlap in obfs 2020-04-13 21:48:28 +00:00			`header := buf[:HEADER_LEN]`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00			`putU32(header[0:4], f.StreamID)`
Use 64bit frame Seq to prevent nonce reuse 2019-08-27 14:06:28 +00:00			`putU64(header[4:12], f.Seq)`
			`header[12] = f.Closing`
Eliminate some bounds check 2020-04-12 15:10:48 +00:00			`header[13] = byte(extraLen)`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`if payloadCipher == nil {`
Eliminate some bounds check 2020-04-12 15:10:48 +00:00			`if extraLen != 0 { // read nonce`
Explicitly allow buf overlap in obfs 2020-04-13 21:48:28 +00:00			`extra := buf[usefulLen-extraLen : usefulLen]`
Code cleanup and move stuff around 2020-04-14 00:53:28 +00:00			`common.CryptoRandRead(extra)`
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`}`
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`} else {`
Explicitly allow buf overlap in obfs 2020-04-13 21:48:28 +00:00			`payloadCipher.Seal(payload[:0], header[:12], payload, nil)`
Use AES-GCM instead of CTR 2019-06-09 14:03:28 +00:00			`}`
Add optional encryption 2019-06-09 11:05:41 +00:00
Explicitly allow buf overlap in obfs 2020-04-13 21:48:28 +00:00			`nonce := buf[usefulLen-8 : usefulLen]`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`salsa20.XORKeyStream(header, header, nonce, &salsaKey)`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
Buffer reuse in obfs 2019-08-04 09:38:49 +00:00			`return usefulLen, nil`
Untested client 2018-10-07 17:09:45 +00:00			`}`
			`return obfs`
			`}`

Refactor client side transport (breaks server) 2020-04-08 19:53:09 +00:00			`func MakeDeobfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Deobfser {`
			`// stream header length + minimum data size (i.e. nonce size of salsa20)`
Eliminate some bounds check 2020-04-12 15:10:48 +00:00			`const minInputLen = HEADER_LEN + 8`
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`deobfs := func(in []byte) (*Frame, error) {`
Fix test, improve err message and fix nil interface casting 2020-04-08 14:58:46 +00:00			`if len(in) < minInputLen {`
			`return nil, fmt.Errorf("input size %v, but it cannot be shorter than %v bytes", len(in), minInputLen)`
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`}`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
Refactor client side transport (breaks server) 2020-04-08 19:53:09 +00:00			`header := in[:HEADER_LEN]`
			`pldWithOverHead := in[HEADER_LEN:] // payload + potential overhead`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
Refactor client side transport (breaks server) 2020-04-08 19:53:09 +00:00			`nonce := in[len(in)-8:]`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`salsa20.XORKeyStream(header, header, nonce, &salsaKey)`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
			`streamID := u32(header[0:4])`
Use 64bit frame Seq to prevent nonce reuse 2019-08-27 14:06:28 +00:00			`seq := u64(header[4:12])`
			`closing := header[12]`
			`extraLen := header[13]`
Improve the security of header obfuscation 2019-06-14 09:48:59 +00:00
Optimise deobfs 2019-08-07 16:53:34 +00:00			`usefulPayloadLen := len(pldWithOverHead) - int(extraLen)`
Eliminate some bounds check 2020-04-12 15:10:48 +00:00			`if usefulPayloadLen < 0 \|\| usefulPayloadLen > len(pldWithOverHead) {`
			`return nil, errors.New("extra length is negative or extra length is greater than total pldWithOverHead length")`
Fix a potential make len<0 2019-08-07 16:22:40 +00:00			`}`
Optimise deobfs 2019-08-07 16:53:34 +00:00
			`var outputPayload []byte`
Add optional encryption 2019-06-09 11:05:41 +00:00
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`if payloadCipher == nil {`
Optimise deobfs 2019-08-07 16:53:34 +00:00			`if extraLen == 0 {`
			`outputPayload = pldWithOverHead`
			`} else {`
			`outputPayload = pldWithOverHead[:usefulPayloadLen]`
			`}`
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`} else {`
Use 64bit frame Seq to prevent nonce reuse 2019-08-27 14:06:28 +00:00			`_, err := payloadCipher.Open(pldWithOverHead[:0], header[:12], pldWithOverHead, nil)`
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Optimise deobfs 2019-08-07 16:53:34 +00:00			`outputPayload = pldWithOverHead[:usefulPayloadLen]`
Refactor payload cipher 2019-07-31 23:43:33 +00:00			`}`
I just did a joint and I need to commit before things go wrong 2019-06-14 12:28:14 +00:00
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`ret := &Frame{`
Stream closing is now ordered 2018-10-27 22:35:46 +00:00			`StreamID: streamID,`
			`Seq: seq,`
			`Closing: closing,`
I just did a joint and I need to commit before things go wrong 2019-06-14 12:28:14 +00:00			`Payload: outputPayload,`
Untested client 2018-10-07 17:09:45 +00:00			`}`
Refactor MakeObfs and MakeDeobfs 2018-12-09 23:45:06 +00:00			`return ret, nil`
Untested client 2018-10-07 17:09:45 +00:00			`}`
			`return deobfs`
			`}`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00
Avoid unnecessary pass by pointer 2020-04-10 15:09:05 +00:00			`func MakeObfuscator(encryptionMethod byte, sessionKey [32]byte) (obfuscator Obfuscator, err error) {`
			`obfuscator = Obfuscator{`
Set frame size limit through multiplexer 2020-04-09 15:37:46 +00:00			`SessionKey: sessionKey,`
			`}`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`var payloadCipher cipher.AEAD`
			`switch encryptionMethod {`
Use ENUM constants for encryption methods 2019-08-16 22:44:40 +00:00			`case E_METHOD_PLAIN:`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`payloadCipher = nil`
Set frame size limit through multiplexer 2020-04-09 15:37:46 +00:00			`obfuscator.minOverhead = 0`
Use ENUM constants for encryption methods 2019-08-16 22:44:40 +00:00			`case E_METHOD_AES_GCM:`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`var c cipher.Block`
Make key lengths explicit 2020-04-07 20:15:28 +00:00			`c, err = aes.NewCipher(sessionKey[:])`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`if err != nil {`
			`return`
			`}`
			`payloadCipher, err = cipher.NewGCM(c)`
			`if err != nil {`
			`return`
			`}`
Set frame size limit through multiplexer 2020-04-09 15:37:46 +00:00			`obfuscator.minOverhead = payloadCipher.Overhead()`
Use ENUM constants for encryption methods 2019-08-16 22:44:40 +00:00			`case E_METHOD_CHACHA20_POLY1305:`
Make key lengths explicit 2020-04-07 20:15:28 +00:00			`payloadCipher, err = chacha20poly1305.New(sessionKey[:])`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`if err != nil {`
			`return`
			`}`
Set frame size limit through multiplexer 2020-04-09 15:37:46 +00:00			`obfuscator.minOverhead = payloadCipher.Overhead()`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`default:`
Avoid unnecessary pass by pointer 2020-04-10 15:09:05 +00:00			`return obfuscator, errors.New("Unknown encryption method")`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`}`

Set frame size limit through multiplexer 2020-04-09 15:37:46 +00:00			`obfuscator.Obfs = MakeObfs(sessionKey, payloadCipher)`
			`obfuscator.Deobfs = MakeDeobfs(sessionKey, payloadCipher)`
Use exclusively salsa20 for header encryption 2019-08-03 21:05:06 +00:00			`return`
			`}`