obfs4/common/drbg/hash_drbg.go

/*
 * Copyright (c) 2014, Yawning Angel <yawning at torproject dot org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 *  * Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *
 *  * Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

// Package drbg implements a minimalistic DRBG based off SipHash-2-4 in OFB
// mode.
package drbg

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"hash"

	"github.com/dchest/siphash"

	"git.torproject.org/pluggable-transports/obfs4.git/common/csrand"
)

// Size is the length of the HashDrbg output.
const Size = siphash.Size

// SeedLength is the length of the HashDrbg seed.
const SeedLength = 16 + Size

// Seed is the initial state for a HashDrbg.  It consists of a SipHash-2-4
// key, and 8 bytes of initial data.
type Seed [SeedLength]byte

// Bytes returns a pointer to the raw HashDrbg seed.
func (seed *Seed) Bytes() *[SeedLength]byte {
	return (*[SeedLength]byte)(seed)
}

// Base64 returns the Base64 representation of the seed.
func (seed *Seed) Base64() string {
	return base64.StdEncoding.EncodeToString(seed.Bytes()[:])
}

// NewSeed returns a Seed initialized with the runtime CSPRNG.
func NewSeed() (seed *Seed, err error) {
	seed = new(Seed)
	if err = csrand.Bytes(seed.Bytes()[:]); err != nil {
		return nil, err
	}

	return
}

// SeedFromBytes creates a Seed from the raw bytes, truncating to SeedLength as
// appropriate.
func SeedFromBytes(src []byte) (seed *Seed, err error) {
	if len(src) < SeedLength {
		return nil, InvalidSeedLengthError(len(src))
	}

	seed = new(Seed)
	copy(seed.Bytes()[:], src)

	return
}

// SeedFromBase64 creates a Seed from the Base64 representation, truncating to
// SeedLength as appropriate.
func SeedFromBase64(encoded string) (seed *Seed, err error) {
	var raw []byte
	if raw, err = base64.StdEncoding.DecodeString(encoded); err != nil {
		return nil, err
	}

	return SeedFromBytes(raw)
}

// InvalidSeedLengthError is the error returned when the seed provided to the
// DRBG is an invalid length.
type InvalidSeedLengthError int

func (e InvalidSeedLengthError) Error() string {
	return fmt.Sprintf("invalid seed length: %d", int(e))
}

// HashDrbg is a CSDRBG based off of SipHash-2-4 in OFB mode.
type HashDrbg struct {
	sip hash.Hash64
	ofb [Size]byte
}

// NewHashDrbg makes a HashDrbg instance based off an optional seed.  The seed
// is truncated to SeedLength.
func NewHashDrbg(seed *Seed) (*HashDrbg, error) {
	drbg := new(HashDrbg)
	if seed == nil {
		var err error
		if seed, err = NewSeed(); err != nil {
			return nil, err
		}
	}
	drbg.sip = siphash.New(seed.Bytes()[:16])
	copy(drbg.ofb[:], seed.Bytes()[16:])

	return drbg, nil
}

// Int63 returns a uniformly distributed random integer [0, 1 << 63).
func (drbg *HashDrbg) Int63() int64 {
	block := drbg.NextBlock()
	ret := binary.BigEndian.Uint64(block)
	ret &= (1<<63 - 1)

	return int64(ret)
}

// Seed does nothing, call NewHashDrbg if you want to reseed.
func (drbg *HashDrbg) Seed(seed int64) {
	// No-op.
}

// NextBlock returns the next 8 byte DRBG block.
func (drbg *HashDrbg) NextBlock() []byte {
	drbg.sip.Write(drbg.ofb[:])
	copy(drbg.ofb[:], drbg.sip.Sum(nil))

	ret := make([]byte, Size)
	copy(ret, drbg.ofb[:])
	return ret
}
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00			`/*`
			`* Copyright (c) 2014, Yawning Angel <yawning at torproject dot org>`
			`* All rights reserved.`
			`*`
			`* Redistribution and use in source and binary forms, with or without`
			`* modification, are permitted provided that the following conditions are met:`
			`*`
			`* * Redistributions of source code must retain the above copyright notice,`
			`* this list of conditions and the following disclaimer.`
			`*`
			`* * Redistributions in binary form must reproduce the above copyright notice,`
			`* this list of conditions and the following disclaimer in the documentation`
			`* and/or other materials provided with the distribution.`
			`*`
			`* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"`
			`* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
			`* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE`
			`* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR`
			`* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF`
			`* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS`
			`* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN`
			`* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)`
			`* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE`
			`* POSSIBILITY OF SUCH DAMAGE.`
			`*/`

			`// Package drbg implements a minimalistic DRBG based off SipHash-2-4 in OFB`
			`// mode.`
			`package drbg`

			`import (`
			`"encoding/base64"`
			`"encoding/binary"`
			`"fmt"`
			`"hash"`

			`"github.com/dchest/siphash"`

Massive cleanup/code reorg. * Changed obfs4proxy to be more like obfsproxy in terms of design, including being an easy framework for developing new TCP/IP style pluggable transports. * Added support for also acting as an obfs2/obfs3 client or bridge as a transition measure (and because the code itself is trivial). * Massively cleaned up the obfs4 and related code to be easier to read, and more idiomatic Go-like in style. * To ease deployment, obfs4proxy will now autogenerate the node-id, curve25519 keypair, and drbg seed if none are specified, and save them to a JSON file in the pt_state directory (Fixes Tor bug #12605). 2014-08-17 17:11:03 +00:00			`"git.torproject.org/pluggable-transports/obfs4.git/common/csrand"`
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00			`)`

			`// Size is the length of the HashDrbg output.`
			`const Size = siphash.Size`

			`// SeedLength is the length of the HashDrbg seed.`
Change how the length obfsucation mask is derived. Instead of using the nonce for the secret box, just use SipHash-2-4 in OFB mode instead. The IV is generated as part of the KDF. This simplifies the code a decent amount and also is better on the off chance that SipHash-2-4 does not avalanche as well as it is currently assumed. While here, also decouple the fact that this implementation of obfs4 uses a PRNG with 24 bytes of internal state for protocol polymorphism instead of 32 bytes (that the spec requires). THIS CHANGE BREAKS WIRE PROTCOL COMPATIBILITY. 2014-06-02 17:50:01 +00:00			`const SeedLength = 16 + Size`
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00
			`// Seed is the initial state for a HashDrbg. It consists of a SipHash-2-4`
Change how the length obfsucation mask is derived. Instead of using the nonce for the secret box, just use SipHash-2-4 in OFB mode instead. The IV is generated as part of the KDF. This simplifies the code a decent amount and also is better on the off chance that SipHash-2-4 does not avalanche as well as it is currently assumed. While here, also decouple the fact that this implementation of obfs4 uses a PRNG with 24 bytes of internal state for protocol polymorphism instead of 32 bytes (that the spec requires). THIS CHANGE BREAKS WIRE PROTCOL COMPATIBILITY. 2014-06-02 17:50:01 +00:00			`// key, and 8 bytes of initial data.`
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00			`type Seed [SeedLength]byte`

			`// Bytes returns a pointer to the raw HashDrbg seed.`
			`func (seed Seed) Bytes() [SeedLength]byte {`
			`return (*[SeedLength]byte)(seed)`
			`}`

			`// Base64 returns the Base64 representation of the seed.`
			`func (seed *Seed) Base64() string {`
			`return base64.StdEncoding.EncodeToString(seed.Bytes()[:])`
			`}`

			`// NewSeed returns a Seed initialized with the runtime CSPRNG.`
			`func NewSeed() (seed *Seed, err error) {`
			`seed = new(Seed)`
Massive cleanup/code reorg. * Changed obfs4proxy to be more like obfsproxy in terms of design, including being an easy framework for developing new TCP/IP style pluggable transports. * Added support for also acting as an obfs2/obfs3 client or bridge as a transition measure (and because the code itself is trivial). * Massively cleaned up the obfs4 and related code to be easier to read, and more idiomatic Go-like in style. * To ease deployment, obfs4proxy will now autogenerate the node-id, curve25519 keypair, and drbg seed if none are specified, and save them to a JSON file in the pt_state directory (Fixes Tor bug #12605). 2014-08-17 17:11:03 +00:00			`if err = csrand.Bytes(seed.Bytes()[:]); err != nil {`
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00			`return nil, err`
			`}`

			`return`
			`}`

Change how the length obfsucation mask is derived. Instead of using the nonce for the secret box, just use SipHash-2-4 in OFB mode instead. The IV is generated as part of the KDF. This simplifies the code a decent amount and also is better on the off chance that SipHash-2-4 does not avalanche as well as it is currently assumed. While here, also decouple the fact that this implementation of obfs4 uses a PRNG with 24 bytes of internal state for protocol polymorphism instead of 32 bytes (that the spec requires). THIS CHANGE BREAKS WIRE PROTCOL COMPATIBILITY. 2014-06-02 17:50:01 +00:00			`// SeedFromBytes creates a Seed from the raw bytes, truncating to SeedLength as`
			`// appropriate.`
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00			`func SeedFromBytes(src []byte) (seed *Seed, err error) {`
Change how the length obfsucation mask is derived. Instead of using the nonce for the secret box, just use SipHash-2-4 in OFB mode instead. The IV is generated as part of the KDF. This simplifies the code a decent amount and also is better on the off chance that SipHash-2-4 does not avalanche as well as it is currently assumed. While here, also decouple the fact that this implementation of obfs4 uses a PRNG with 24 bytes of internal state for protocol polymorphism instead of 32 bytes (that the spec requires). THIS CHANGE BREAKS WIRE PROTCOL COMPATIBILITY. 2014-06-02 17:50:01 +00:00			`if len(src) < SeedLength {`
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00			`return nil, InvalidSeedLengthError(len(src))`
			`}`

			`seed = new(Seed)`
			`copy(seed.Bytes()[:], src)`

			`return`
			`}`

Change how the length obfsucation mask is derived. Instead of using the nonce for the secret box, just use SipHash-2-4 in OFB mode instead. The IV is generated as part of the KDF. This simplifies the code a decent amount and also is better on the off chance that SipHash-2-4 does not avalanche as well as it is currently assumed. While here, also decouple the fact that this implementation of obfs4 uses a PRNG with 24 bytes of internal state for protocol polymorphism instead of 32 bytes (that the spec requires). THIS CHANGE BREAKS WIRE PROTCOL COMPATIBILITY. 2014-06-02 17:50:01 +00:00			`// SeedFromBase64 creates a Seed from the Base64 representation, truncating to`
			`// SeedLength as appropriate.`
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00			`func SeedFromBase64(encoded string) (seed *Seed, err error) {`
			`var raw []byte`
Massive cleanup/code reorg. * Changed obfs4proxy to be more like obfsproxy in terms of design, including being an easy framework for developing new TCP/IP style pluggable transports. * Added support for also acting as an obfs2/obfs3 client or bridge as a transition measure (and because the code itself is trivial). * Massively cleaned up the obfs4 and related code to be easier to read, and more idiomatic Go-like in style. * To ease deployment, obfs4proxy will now autogenerate the node-id, curve25519 keypair, and drbg seed if none are specified, and save them to a JSON file in the pt_state directory (Fixes Tor bug #12605). 2014-08-17 17:11:03 +00:00			`if raw, err = base64.StdEncoding.DecodeString(encoded); err != nil {`
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00			`return nil, err`
			`}`

			`return SeedFromBytes(raw)`
			`}`

			`// InvalidSeedLengthError is the error returned when the seed provided to the`
			`// DRBG is an invalid length.`
			`type InvalidSeedLengthError int`

			`func (e InvalidSeedLengthError) Error() string {`
			`return fmt.Sprintf("invalid seed length: %d", int(e))`
			`}`

			`// HashDrbg is a CSDRBG based off of SipHash-2-4 in OFB mode.`
			`type HashDrbg struct {`
			`sip hash.Hash64`
			`ofb [Size]byte`
			`}`

			`// NewHashDrbg makes a HashDrbg instance based off an optional seed. The seed`
			`// is truncated to SeedLength.`
Massive cleanup/code reorg. * Changed obfs4proxy to be more like obfsproxy in terms of design, including being an easy framework for developing new TCP/IP style pluggable transports. * Added support for also acting as an obfs2/obfs3 client or bridge as a transition measure (and because the code itself is trivial). * Massively cleaned up the obfs4 and related code to be easier to read, and more idiomatic Go-like in style. * To ease deployment, obfs4proxy will now autogenerate the node-id, curve25519 keypair, and drbg seed if none are specified, and save them to a JSON file in the pt_state directory (Fixes Tor bug #12605). 2014-08-17 17:11:03 +00:00			`func NewHashDrbg(seed Seed) (HashDrbg, error) {`
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00			`drbg := new(HashDrbg)`
Massive cleanup/code reorg. * Changed obfs4proxy to be more like obfsproxy in terms of design, including being an easy framework for developing new TCP/IP style pluggable transports. * Added support for also acting as an obfs2/obfs3 client or bridge as a transition measure (and because the code itself is trivial). * Massively cleaned up the obfs4 and related code to be easier to read, and more idiomatic Go-like in style. * To ease deployment, obfs4proxy will now autogenerate the node-id, curve25519 keypair, and drbg seed if none are specified, and save them to a JSON file in the pt_state directory (Fixes Tor bug #12605). 2014-08-17 17:11:03 +00:00			`if seed == nil {`
			`var err error`
			`if seed, err = NewSeed(); err != nil {`
			`return nil, err`
			`}`
			`}`
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00			`drbg.sip = siphash.New(seed.Bytes()[:16])`
			`copy(drbg.ofb[:], seed.Bytes()[16:])`

Massive cleanup/code reorg. * Changed obfs4proxy to be more like obfsproxy in terms of design, including being an easy framework for developing new TCP/IP style pluggable transports. * Added support for also acting as an obfs2/obfs3 client or bridge as a transition measure (and because the code itself is trivial). * Massively cleaned up the obfs4 and related code to be easier to read, and more idiomatic Go-like in style. * To ease deployment, obfs4proxy will now autogenerate the node-id, curve25519 keypair, and drbg seed if none are specified, and save them to a JSON file in the pt_state directory (Fixes Tor bug #12605). 2014-08-17 17:11:03 +00:00			`return drbg, nil`
Move the SipHash DRBG off into it's own package. 2014-06-02 16:47:30 +00:00			`}`

			`// Int63 returns a uniformly distributed random integer [0, 1 << 63).`
			`func (drbg *HashDrbg) Int63() int64 {`
			`block := drbg.NextBlock()`
			`ret := binary.BigEndian.Uint64(block)`
			`ret &= (1<<63 - 1)`

			`return int64(ret)`
			`}`

			`// Seed does nothing, call NewHashDrbg if you want to reseed.`
			`func (drbg *HashDrbg) Seed(seed int64) {`
			`// No-op.`
			`}`

			`// NextBlock returns the next 8 byte DRBG block.`
			`func (drbg *HashDrbg) NextBlock() []byte {`
			`drbg.sip.Write(drbg.ofb[:])`
			`copy(drbg.ofb[:], drbg.sip.Sum(nil))`

			`ret := make([]byte, Size)`
			`copy(ret, drbg.ofb[:])`
			`return ret`
			`}`