Cloak/internal/server/TLS.go
2020-04-09 22:11:12 +01:00

102 lines
2.8 KiB
Go

package server
import (
"crypto"
"errors"
"fmt"
"github.com/cbeuw/Cloak/internal/common"
"github.com/cbeuw/Cloak/internal/ecdh"
"github.com/cbeuw/Cloak/internal/util"
"io"
"math/rand"
"net"
log "github.com/sirupsen/logrus"
)
const appDataMaxLength = 16401
type TLS struct{}
var ErrBadClientHello = errors.New("non (or malformed) ClientHello")
func (TLS) String() string { return "TLS" }
func (TLS) processFirstPacket(clientHello []byte, privateKey crypto.PrivateKey) (fragments authFragments, respond Responder, err error) {
ch, err := parseClientHello(clientHello)
if err != nil {
log.Debug(err)
err = ErrBadClientHello
return
}
fragments, err = TLS{}.unmarshalClientHello(ch, privateKey)
if err != nil {
err = fmt.Errorf("failed to unmarshal ClientHello into authFragments: %v", err)
return
}
respond = TLS{}.makeResponder(ch.sessionId, fragments.sharedSecret)
return
}
func (TLS) makeResponder(clientHelloSessionId []byte, sharedSecret [32]byte) Responder {
respond := func(originalConn net.Conn, sessionKey [32]byte, randSource io.Reader) (preparedConn net.Conn, err error) {
// the cert length needs to be the same for all handshakes belonging to the same session
// we can use sessionKey as a seed here to ensure consistency
possibleCertLengths := []int{42, 27, 68, 59, 36, 44, 46}
rand.Seed(int64(sessionKey[0]))
cert := make([]byte, possibleCertLengths[rand.Intn(len(possibleCertLengths))])
util.RandRead(randSource, cert)
var nonce [12]byte
util.RandRead(randSource, nonce[:])
encryptedSessionKey, err := util.AESGCMEncrypt(nonce[:], sharedSecret[:], sessionKey[:])
if err != nil {
return
}
var encryptedSessionKeyArr [48]byte
copy(encryptedSessionKeyArr[:], encryptedSessionKey)
reply, err := composeReply(clientHelloSessionId, nonce, encryptedSessionKeyArr, cert)
if err != nil {
err = fmt.Errorf("failed to compose TLS reply: %v", err)
return
}
_, err = originalConn.Write(reply)
if err != nil {
err = fmt.Errorf("failed to write TLS reply: %v", err)
go originalConn.Close()
return
}
preparedConn = &common.TLSConn{Conn: originalConn}
return
}
return respond
}
func (TLS) unmarshalClientHello(ch *ClientHello, staticPv crypto.PrivateKey) (fragments authFragments, err error) {
copy(fragments.randPubKey[:], ch.random)
ephPub, ok := ecdh.Unmarshal(fragments.randPubKey[:])
if !ok {
err = ErrInvalidPubKey
return
}
copy(fragments.sharedSecret[:], ecdh.GenerateSharedSecret(staticPv, ephPub))
var keyShare []byte
keyShare, err = parseKeyShare(ch.extensions[[2]byte{0x00, 0x33}])
if err != nil {
return
}
ctxTag := append(ch.sessionId, keyShare...)
if len(ctxTag) != 64 {
err = fmt.Errorf("%v: %v", ErrCiphertextLength, len(ctxTag))
return
}
copy(fragments.ciphertextWithTag[:], ctxTag)
return
}