From 4a81683e44a56b3a50dbd3537acb67ea17296012 Mon Sep 17 00:00:00 2001 From: Andy Wang Date: Tue, 14 Apr 2020 01:53:28 +0100 Subject: [PATCH] Code cleanup and move stuff around --- cmd/ck-server/keygen.go | 4 +-- internal/client/TLS.go | 3 +-- internal/client/auth.go | 4 +-- internal/client/chrome.go | 4 +-- internal/client/connector.go | 3 +-- internal/client/firefox.go | 4 +-- internal/client/websocket.go | 3 +-- internal/common/copy.go | 12 --------- internal/{util/util.go => common/crypto.go} | 29 +-------------------- internal/multiplex/obfs.go | 4 +-- internal/multiplex/session.go | 6 ++--- internal/server/TLS.go | 7 +++-- internal/server/TLSAux.go | 4 +-- internal/server/auth.go | 4 +-- internal/server/dispatcher.go | 3 +-- internal/server/websocket.go | 6 ++--- internal/util/util_test.go | 23 ---------------- 17 files changed, 28 insertions(+), 95 deletions(-) rename internal/{util/util.go => common/crypto.go} (71%) delete mode 100644 internal/util/util_test.go diff --git a/cmd/ck-server/keygen.go b/cmd/ck-server/keygen.go index 2835d86..78fffd5 100644 --- a/cmd/ck-server/keygen.go +++ b/cmd/ck-server/keygen.go @@ -3,13 +3,13 @@ package main import ( "crypto/rand" "encoding/base64" + "github.com/cbeuw/Cloak/internal/common" "github.com/cbeuw/Cloak/internal/ecdh" - "github.com/cbeuw/Cloak/internal/util" ) func generateUID() string { UID := make([]byte, 16) - util.CryptoRandRead(UID) + common.CryptoRandRead(UID) return base64.StdEncoding.EncodeToString(UID) } diff --git a/internal/client/TLS.go b/internal/client/TLS.go index 7962551..9693a6b 100644 --- a/internal/client/TLS.go +++ b/internal/client/TLS.go @@ -3,7 +3,6 @@ package client import ( "encoding/binary" "github.com/cbeuw/Cloak/internal/common" - "github.com/cbeuw/Cloak/internal/util" log "github.com/sirupsen/logrus" "net" ) @@ -84,7 +83,7 @@ func (tls *DirectTLS) Handshake(rawConn net.Conn, authInfo AuthInfo) (sessionKey encrypted := append(buf[6:38], buf[84:116]...) nonce := encrypted[0:12] ciphertextWithTag := encrypted[12:60] - sessionKeySlice, err := util.AESGCMDecrypt(nonce, sharedSecret[:], ciphertextWithTag) + sessionKeySlice, err := common.AESGCMDecrypt(nonce, sharedSecret[:], ciphertextWithTag) if err != nil { return } diff --git a/internal/client/auth.go b/internal/client/auth.go index 4b86887..1a2a343 100644 --- a/internal/client/auth.go +++ b/internal/client/auth.go @@ -2,8 +2,8 @@ package client import ( "encoding/binary" + "github.com/cbeuw/Cloak/internal/common" "github.com/cbeuw/Cloak/internal/ecdh" - "github.com/cbeuw/Cloak/internal/util" ) const ( @@ -41,7 +41,7 @@ func makeAuthenticationPayload(authInfo AuthInfo) (ret authenticationPayload, sh } copy(sharedSecret[:], ecdh.GenerateSharedSecret(ephPv, authInfo.ServerPubKey)) - ciphertextWithTag, _ := util.AESGCMEncrypt(ret.randPubKey[:12], sharedSecret[:], plaintext) + ciphertextWithTag, _ := common.AESGCMEncrypt(ret.randPubKey[:12], sharedSecret[:], plaintext) copy(ret.ciphertextWithTag[:], ciphertextWithTag[:]) return } diff --git a/internal/client/chrome.go b/internal/client/chrome.go index ac7ca79..b5cfa50 100644 --- a/internal/client/chrome.go +++ b/internal/client/chrome.go @@ -5,7 +5,7 @@ package client import ( "encoding/binary" "encoding/hex" - "github.com/cbeuw/Cloak/internal/util" + "github.com/cbeuw/Cloak/internal/common" ) type Chrome struct{} @@ -14,7 +14,7 @@ func makeGREASE() []byte { // see https://tools.ietf.org/html/draft-davidben-tls-grease-01 // This is exclusive to Chrome. var one [1]byte - util.CryptoRandRead(one[:]) + common.CryptoRandRead(one[:]) sixteenth := one[0] % 16 monoGREASE := sixteenth*16 + 0xA doubleGREASE := []byte{monoGREASE, monoGREASE} diff --git a/internal/client/connector.go b/internal/client/connector.go index 350d911..d7a6792 100644 --- a/internal/client/connector.go +++ b/internal/client/connector.go @@ -9,7 +9,6 @@ import ( "time" mux "github.com/cbeuw/Cloak/internal/multiplex" - "github.com/cbeuw/Cloak/internal/util" log "github.com/sirupsen/logrus" ) @@ -20,7 +19,7 @@ func MakeSession(connConfig RemoteConnConfig, authInfo AuthInfo, dialer common.D // sessionID is usergenerated. There shouldn't be a security concern because the scope of // sessionID is limited to its UID. quad := make([]byte, 4) - util.RandRead(authInfo.WorldState.Rand, quad) + common.RandRead(authInfo.WorldState.Rand, quad) authInfo.SessionId = binary.BigEndian.Uint32(quad) } else { authInfo.SessionId = 0 diff --git a/internal/client/firefox.go b/internal/client/firefox.go index 3e53db8..3d2950f 100644 --- a/internal/client/firefox.go +++ b/internal/client/firefox.go @@ -5,7 +5,7 @@ package client import ( "encoding/binary" "encoding/hex" - "github.com/cbeuw/Cloak/internal/util" + "github.com/cbeuw/Cloak/internal/common" ) type Firefox struct{} @@ -19,7 +19,7 @@ func (f *Firefox) composeExtensions(SNI []byte, keyShare []byte) []byte { copy(ret[6:38], hidden) ret[38], ret[39] = 0x00, 0x17 // group secp256r1 ret[40], ret[41] = 0x00, 0x41 // length 65 - util.CryptoRandRead(ret[42:107]) + common.CryptoRandRead(ret[42:107]) return ret } // extension length is always 399, and server name length is variable diff --git a/internal/client/websocket.go b/internal/client/websocket.go index 86a1698..3e4cf05 100644 --- a/internal/client/websocket.go +++ b/internal/client/websocket.go @@ -5,7 +5,6 @@ import ( "errors" "fmt" "github.com/cbeuw/Cloak/internal/common" - "github.com/cbeuw/Cloak/internal/util" "github.com/gorilla/websocket" utls "github.com/refraction-networking/utls" "net" @@ -55,7 +54,7 @@ func (ws *WSOverTLS) Handshake(rawConn net.Conn, authInfo AuthInfo) (sessionKey } reply := buf[:60] - sessionKeySlice, err := util.AESGCMDecrypt(reply[:12], sharedSecret[:], reply[12:]) + sessionKeySlice, err := common.AESGCMDecrypt(reply[:12], sharedSecret[:], reply[12:]) if err != nil { return } diff --git a/internal/common/copy.go b/internal/common/copy.go index bf5ffb7..e09e837 100644 --- a/internal/common/copy.go +++ b/internal/common/copy.go @@ -53,20 +53,8 @@ func Copy(dst net.Conn, src net.Conn, srcReadTimeout time.Duration) (written int return rt.ReadFrom(src) } - //if buf == nil { size := 32 * 1024 - /* - if l, ok := src.(*LimitedReader); ok && int64(size) > l.N { - if l.N < 1 { - size = 1 - } else { - size = int(l.N) - } - } - - */ buf := make([]byte, size) - //} for { if srcReadTimeout != 0 { // TODO: don't rely on setreaddeadline diff --git a/internal/util/util.go b/internal/common/crypto.go similarity index 71% rename from internal/util/util.go rename to internal/common/crypto.go index e8bd666..f5585c9 100644 --- a/internal/util/util.go +++ b/internal/common/crypto.go @@ -1,4 +1,4 @@ -package util +package common import ( "crypto/aes" @@ -60,30 +60,3 @@ func RandRead(randSource io.Reader, buf []byte) { } log.Fatal("Cannot get cryptographic random bytes after 10 retries") } - -/* -func Pipe(dst net.Conn, src net.Conn, srcReadTimeout time.Duration) { - // The maximum size of TLS message will be 16380+14+16. 14 because of the stream header and 16 - // because of the salt/mac - // 16408 is the max TLS message size on Firefox - buf := make([]byte, 16378) - for { - if srcReadTimeout != 0 { - src.SetReadDeadline(time.Now().Add(srcReadTimeout)) - } - i, err := io.ReadAtLeast(src, buf, 1) - if err != nil { - dst.Close() - src.Close() - return - } - _, err = dst.Write(buf[:i]) - if err != nil { - dst.Close() - src.Close() - return - } - } -} - -*/ diff --git a/internal/multiplex/obfs.go b/internal/multiplex/obfs.go index 457a4a2..18b1499 100644 --- a/internal/multiplex/obfs.go +++ b/internal/multiplex/obfs.go @@ -6,7 +6,7 @@ import ( "encoding/binary" "errors" "fmt" - "github.com/cbeuw/Cloak/internal/util" + "github.com/cbeuw/Cloak/internal/common" "golang.org/x/crypto/chacha20poly1305" "golang.org/x/crypto/salsa20" ) @@ -78,7 +78,7 @@ func MakeObfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Obfser { if payloadCipher == nil { if extraLen != 0 { // read nonce extra := buf[usefulLen-extraLen : usefulLen] - util.CryptoRandRead(extra) + common.CryptoRandRead(extra) } } else { payloadCipher.Seal(payload[:0], header[:12], payload, nil) diff --git a/internal/multiplex/session.go b/internal/multiplex/session.go index e05fcf4..62c2517 100644 --- a/internal/multiplex/session.go +++ b/internal/multiplex/session.go @@ -3,7 +3,7 @@ package multiplex import ( "errors" "fmt" - "github.com/cbeuw/Cloak/internal/util" + "github.com/cbeuw/Cloak/internal/common" "net" "sync" "sync/atomic" @@ -252,9 +252,9 @@ func (sesh *Session) passiveClose() error { func genRandomPadding() []byte { lenB := make([]byte, 1) - util.CryptoRandRead(lenB) + common.CryptoRandRead(lenB) pad := make([]byte, lenB[0]) - util.CryptoRandRead(pad) + common.CryptoRandRead(pad) return pad } diff --git a/internal/server/TLS.go b/internal/server/TLS.go index ea53ca1..49463fa 100644 --- a/internal/server/TLS.go +++ b/internal/server/TLS.go @@ -6,7 +6,6 @@ import ( "fmt" "github.com/cbeuw/Cloak/internal/common" "github.com/cbeuw/Cloak/internal/ecdh" - "github.com/cbeuw/Cloak/internal/util" "io" "math/rand" "net" @@ -48,11 +47,11 @@ func (TLS) makeResponder(clientHelloSessionId []byte, sharedSecret [32]byte) Res possibleCertLengths := []int{42, 27, 68, 59, 36, 44, 46} rand.Seed(int64(sessionKey[0])) cert := make([]byte, possibleCertLengths[rand.Intn(len(possibleCertLengths))]) - util.RandRead(randSource, cert) + common.RandRead(randSource, cert) var nonce [12]byte - util.RandRead(randSource, nonce[:]) - encryptedSessionKey, err := util.AESGCMEncrypt(nonce[:], sharedSecret[:], sessionKey[:]) + common.RandRead(randSource, nonce[:]) + encryptedSessionKey, err := common.AESGCMEncrypt(nonce[:], sharedSecret[:], sessionKey[:]) if err != nil { return } diff --git a/internal/server/TLSAux.go b/internal/server/TLSAux.go index 7ffa8f1..ca759ed 100644 --- a/internal/server/TLSAux.go +++ b/internal/server/TLSAux.go @@ -6,7 +6,7 @@ import ( "encoding/hex" "errors" "fmt" - "github.com/cbeuw/Cloak/internal/util" + "github.com/cbeuw/Cloak/internal/common" ) // ClientHello contains every field in a ClientHello message @@ -176,7 +176,7 @@ func composeServerHello(sessionId []byte, nonce [12]byte, encryptedSessionKeyWit keyShare, _ := hex.DecodeString("00330024001d0020") keyExchange := make([]byte, 32) copy(keyExchange, encryptedSessionKeyWithTag[20:48]) - util.CryptoRandRead(keyExchange[28:32]) + common.CryptoRandRead(keyExchange[28:32]) serverHello[9] = append(keyShare, keyExchange...) serverHello[10], _ = hex.DecodeString("002b00020304") diff --git a/internal/server/auth.go b/internal/server/auth.go index d6fd6bd..c0c97c5 100644 --- a/internal/server/auth.go +++ b/internal/server/auth.go @@ -5,7 +5,7 @@ import ( "encoding/binary" "errors" "fmt" - "github.com/cbeuw/Cloak/internal/util" + "github.com/cbeuw/Cloak/internal/common" "time" log "github.com/sirupsen/logrus" @@ -36,7 +36,7 @@ var ErrUnreconisedProtocol = errors.New("unreconised protocol") // decryptClientInfo checks if a the authFragments are valid. It doesn't check if the UID is authorised func decryptClientInfo(fragments authFragments, serverTime time.Time) (info ClientInfo, err error) { var plaintext []byte - plaintext, err = util.AESGCMDecrypt(fragments.randPubKey[0:12], fragments.sharedSecret[:], fragments.ciphertextWithTag[:]) + plaintext, err = common.AESGCMDecrypt(fragments.randPubKey[0:12], fragments.sharedSecret[:], fragments.ciphertextWithTag[:]) if err != nil { return } diff --git a/internal/server/dispatcher.go b/internal/server/dispatcher.go index 4b6fdcd..4f17039 100644 --- a/internal/server/dispatcher.go +++ b/internal/server/dispatcher.go @@ -4,7 +4,6 @@ import ( "bytes" "encoding/base64" "github.com/cbeuw/Cloak/internal/common" - "github.com/cbeuw/Cloak/internal/util" "io" "net" "net/http" @@ -77,7 +76,7 @@ func dispatchConnection(conn net.Conn, sta *State) { } var sessionKey [32]byte - util.RandRead(sta.WorldState.Rand, sessionKey[:]) + common.RandRead(sta.WorldState.Rand, sessionKey[:]) obfuscator, err := mux.MakeObfuscator(ci.EncryptionMethod, sessionKey) if err != nil { log.Error(err) diff --git a/internal/server/websocket.go b/internal/server/websocket.go index e70617f..2b192b9 100644 --- a/internal/server/websocket.go +++ b/internal/server/websocket.go @@ -7,8 +7,8 @@ import ( "encoding/base64" "errors" "fmt" + "github.com/cbeuw/Cloak/internal/common" "github.com/cbeuw/Cloak/internal/ecdh" - "github.com/cbeuw/Cloak/internal/util" "io" "net" "net/http" @@ -49,10 +49,10 @@ func (WebSocket) makeResponder(reqPacket []byte, sharedSecret [32]byte) Responde <-handler.finished preparedConn = handler.conn nonce := make([]byte, 12) - util.RandRead(randSource, nonce) + common.RandRead(randSource, nonce) // reply: [12 bytes nonce][32 bytes encrypted session key][16 bytes authentication tag] - encryptedKey, err := util.AESGCMEncrypt(nonce, sharedSecret[:], sessionKey[:]) // 32 + 16 = 48 bytes + encryptedKey, err := common.AESGCMEncrypt(nonce, sharedSecret[:], sessionKey[:]) // 32 + 16 = 48 bytes if err != nil { err = fmt.Errorf("failed to encrypt reply: %v", err) return diff --git a/internal/util/util_test.go b/internal/util/util_test.go deleted file mode 100644 index f340281..0000000 --- a/internal/util/util_test.go +++ /dev/null @@ -1,23 +0,0 @@ -package util - -/* -func BenchmarkPipe(b *testing.B) { - reader := rand.New(rand.NewSource(42)) - buf := make([]byte, 16380) - for i := 0; i < b.N; i++ { - n, err := io.ReadAtLeast(reader, buf, 1) - if err != nil { - b.Error(err) - return - } - n, err = ioutil.Discard.Write(buf[:n]) - if err != nil { - b.Error(err) - return - } - b.SetBytes(int64(n)) - } -} - - -*/