Cloak/internal/server/TLS.go

package server

import (
	"crypto"
	"errors"
	"fmt"
	"github.com/cbeuw/Cloak/internal/common"
	"github.com/cbeuw/Cloak/internal/ecdh"
	"io"
	"math/rand"
	"net"

	log "github.com/sirupsen/logrus"
)

const appDataMaxLength = 16401

type TLS struct{}

var ErrBadClientHello = errors.New("non (or malformed) ClientHello")

func (TLS) String() string { return "TLS" }

func (TLS) processFirstPacket(clientHello []byte, privateKey crypto.PrivateKey) (fragments authFragments, respond Responder, err error) {
	ch, err := parseClientHello(clientHello)
	if err != nil {
		log.Debug(err)
		err = ErrBadClientHello
		return
	}

	fragments, err = TLS{}.unmarshalClientHello(ch, privateKey)
	if err != nil {
		err = fmt.Errorf("failed to unmarshal ClientHello into authFragments: %v", err)
		return
	}

	respond = TLS{}.makeResponder(ch.sessionId, fragments.sharedSecret)

	return
}

func (TLS) makeResponder(clientHelloSessionId []byte, sharedSecret [32]byte) Responder {
	respond := func(originalConn net.Conn, sessionKey [32]byte, randSource io.Reader) (preparedConn net.Conn, err error) {
		// the cert length needs to be the same for all handshakes belonging to the same session
		// we can use sessionKey as a seed here to ensure consistency
		possibleCertLengths := []int{42, 27, 68, 59, 36, 44, 46}
		rand.Seed(int64(sessionKey[0]))
		cert := make([]byte, possibleCertLengths[rand.Intn(len(possibleCertLengths))])
		common.RandRead(randSource, cert)

		var nonce [12]byte
		common.RandRead(randSource, nonce[:])
		encryptedSessionKey, err := common.AESGCMEncrypt(nonce[:], sharedSecret[:], sessionKey[:])
		if err != nil {
			return
		}
		var encryptedSessionKeyArr [48]byte
		copy(encryptedSessionKeyArr[:], encryptedSessionKey)

		reply := composeReply(clientHelloSessionId, nonce, encryptedSessionKeyArr, cert)
		_, err = originalConn.Write(reply)
		if err != nil {
			err = fmt.Errorf("failed to write TLS reply: %v", err)
			originalConn.Close()
			return
		}
		preparedConn = common.NewTLSConn(originalConn)
		return
	}
	return respond
}

func (TLS) unmarshalClientHello(ch *ClientHello, staticPv crypto.PrivateKey) (fragments authFragments, err error) {
	copy(fragments.randPubKey[:], ch.random)
	ephPub, ok := ecdh.Unmarshal(fragments.randPubKey[:])
	if !ok {
		err = ErrInvalidPubKey
		return
	}

	var sharedSecret []byte
	sharedSecret, err = ecdh.GenerateSharedSecret(staticPv, ephPub)
	if err != nil {
		return
	}

	copy(fragments.sharedSecret[:], sharedSecret)
	var keyShare []byte
	keyShare, err = parseKeyShare(ch.extensions[[2]byte{0x00, 0x33}])
	if err != nil {
		return
	}

	ctxTag := append(ch.sessionId, keyShare...)
	if len(ctxTag) != 64 {
		err = fmt.Errorf("%v: %v", ErrCiphertextLength, len(ctxTag))
		return
	}
	copy(fragments.ciphertextWithTag[:], ctxTag)
	return
}
Untested server 2018-10-09 15:07:54 +00:00			`package server`

			`import (`
Refactor touchStone 2019-08-31 20:40:50 +00:00			`"crypto"`
Untested server 2018-10-09 15:07:54 +00:00			`"errors"`
TLS1.3 2019-08-02 00:01:19 +00:00			`"fmt"`
Move common types to its own package 2020-04-08 23:39:40 +00:00			`"github.com/cbeuw/Cloak/internal/common"`
Refactor touchStone 2019-08-31 20:40:50 +00:00			`"github.com/cbeuw/Cloak/internal/ecdh"`
Purge impurity 2020-04-09 21:11:12 +00:00			`"io"`
			`"math/rand"`
Refactor Transport and add tests 2020-01-22 18:37:01 +00:00			`"net"`
Untested server 2018-10-09 15:07:54 +00:00
Refactor Transport and add tests 2020-01-22 18:37:01 +00:00			`log "github.com/sirupsen/logrus"`
			`)`
TLS1.3 2019-08-02 00:01:19 +00:00
Set frame size limit through multiplexer 2020-04-09 15:37:46 +00:00			`const appDataMaxLength = 16401`

Refactor Transport and add tests 2020-01-22 18:37:01 +00:00			`type TLS struct{}`
Untested server 2018-10-09 15:07:54 +00:00
Refactor Transport and add tests 2020-01-22 18:37:01 +00:00			`var ErrBadClientHello = errors.New("non (or malformed) ClientHello")`
Fix redirection 2019-08-03 12:26:57 +00:00
Refactor server transport 2020-04-08 20:37:21 +00:00			`func (TLS) String() string { return "TLS" }`
Fail to parse ClientHello if the TLS record layer Content Type and versions are wrong 2019-08-16 23:35:28 +00:00
Refactor authentication pipeline 2020-04-06 14:24:18 +00:00			`func (TLS) processFirstPacket(clientHello []byte, privateKey crypto.PrivateKey) (fragments authFragments, respond Responder, err error) {`
			`ch, err := parseClientHello(clientHello)`
Refactor Transport and add tests 2020-01-22 18:37:01 +00:00			`if err != nil {`
			`log.Debug(err)`
			`err = ErrBadClientHello`
			`return`
Untested server 2018-10-09 15:07:54 +00:00			`}`
Use AEAD to encrypt session key in ServerHello to provide authentication of the identity of the server 2019-08-06 22:59:29 +00:00
Refactor authentication pipeline 2020-04-06 14:24:18 +00:00			`fragments, err = TLS{}.unmarshalClientHello(ch, privateKey)`
Use AEAD to encrypt session key in ServerHello to provide authentication of the identity of the server 2019-08-06 22:59:29 +00:00			`if err != nil {`
Rename a struct 2020-04-06 13:29:38 +00:00			`err = fmt.Errorf("failed to unmarshal ClientHello into authFragments: %v", err)`
Refactor Transport and add tests 2020-01-22 18:37:01 +00:00			`return`
Use AEAD to encrypt session key in ServerHello to provide authentication of the identity of the server 2019-08-06 22:59:29 +00:00			`}`

Make key lengths explicit 2020-04-07 20:15:28 +00:00			`respond = TLS{}.makeResponder(ch.sessionId, fragments.sharedSecret)`
Refactor authentication pipeline 2020-04-06 14:24:18 +00:00
			`return`
			`}`

Make key lengths explicit 2020-04-07 20:15:28 +00:00			`func (TLS) makeResponder(clientHelloSessionId []byte, sharedSecret [32]byte) Responder {`
Purge impurity 2020-04-09 21:11:12 +00:00			`respond := func(originalConn net.Conn, sessionKey [32]byte, randSource io.Reader) (preparedConn net.Conn, err error) {`
			`// the cert length needs to be the same for all handshakes belonging to the same session`
			`// we can use sessionKey as a seed here to ensure consistency`
			`possibleCertLengths := []int{42, 27, 68, 59, 36, 44, 46}`
			`rand.Seed(int64(sessionKey[0]))`
			`cert := make([]byte, possibleCertLengths[rand.Intn(len(possibleCertLengths))])`
Code cleanup and move stuff around 2020-04-14 00:53:28 +00:00			`common.RandRead(randSource, cert)`
Purge impurity 2020-04-09 21:11:12 +00:00
			`var nonce [12]byte`
Code cleanup and move stuff around 2020-04-14 00:53:28 +00:00			`common.RandRead(randSource, nonce[:])`
			`encryptedSessionKey, err := common.AESGCMEncrypt(nonce[:], sharedSecret[:], sessionKey[:])`
Purge impurity 2020-04-09 21:11:12 +00:00			`if err != nil {`
			`return`
			`}`
			`var encryptedSessionKeyArr [48]byte`
			`copy(encryptedSessionKeyArr[:], encryptedSessionKey)`

Remove impossible error 2020-04-10 13:11:01 +00:00			`reply := composeReply(clientHelloSessionId, nonce, encryptedSessionKeyArr, cert)`
Refactor server transport 2020-04-08 20:37:21 +00:00			`_, err = originalConn.Write(reply)`
Refactor Transport and add tests 2020-01-22 18:37:01 +00:00			`if err != nil {`
			`err = fmt.Errorf("failed to write TLS reply: %v", err)`
Reduce the amount of goroutines in tests 2020-04-11 22:09:51 +00:00			`originalConn.Close()`
Refactor Transport and add tests 2020-01-22 18:37:01 +00:00			`return`
			`}`
Use a pre-made buffer for TLSConn.Write 2020-10-17 12:46:22 +00:00			`preparedConn = common.NewTLSConn(originalConn)`
Refactor Transport and add tests 2020-01-22 18:37:01 +00:00			`return`
Untested server 2018-10-09 15:07:54 +00:00			`}`
Refactor authentication pipeline 2020-04-06 14:24:18 +00:00			`return respond`
Untested server 2018-10-09 15:07:54 +00:00			`}`
Refactor TLS handshake 2019-08-06 14:50:33 +00:00
Refactor authentication pipeline 2020-04-06 14:24:18 +00:00			`func (TLS) unmarshalClientHello(ch *ClientHello, staticPv crypto.PrivateKey) (fragments authFragments, err error) {`
Rename a struct 2020-04-06 13:29:38 +00:00			`copy(fragments.randPubKey[:], ch.random)`
			`ephPub, ok := ecdh.Unmarshal(fragments.randPubKey[:])`
Refactor touchStone 2019-08-31 20:40:50 +00:00			`if !ok {`
			`err = ErrInvalidPubKey`
			`return`
			`}`

Update deprecated curve25519 functions and defend against low-order point attacks 2020-12-21 16:37:33 +00:00			`var sharedSecret []byte`
			`sharedSecret, err = ecdh.GenerateSharedSecret(staticPv, ephPub)`
			`if err != nil {`
			`return`
			`}`

			`copy(fragments.sharedSecret[:], sharedSecret)`
Refactor touchStone 2019-08-31 20:40:50 +00:00			`var keyShare []byte`
			`keyShare, err = parseKeyShare(ch.extensions[[2]byte{0x00, 0x33}])`
			`if err != nil {`
			`return`
			`}`

Make authentication info arrays 2020-01-24 15:13:26 +00:00			`ctxTag := append(ch.sessionId, keyShare...)`
			`if len(ctxTag) != 64 {`
			`err = fmt.Errorf("%v: %v", ErrCiphertextLength, len(ctxTag))`
Refactor touchStone 2019-08-31 20:40:50 +00:00			`return`
			`}`
Rename a struct 2020-04-06 13:29:38 +00:00			`copy(fragments.ciphertextWithTag[:], ctxTag)`
Refactor touchStone 2019-08-31 20:40:50 +00:00			`return`
			`}`