mirror of
https://gitlab.com/yawning/obfs4.git
synced 2024-11-17 09:25:36 +00:00
184 lines
5.8 KiB
Go
184 lines
5.8 KiB
Go
|
/*
|
||
|
* Copyright (c) 2014, Yawning Angel <yawning at torproject dot org>
|
||
|
* All rights reserved.
|
||
|
*
|
||
|
* Redistribution and use in source and binary forms, with or without
|
||
|
* modification, are permitted provided that the following conditions are met:
|
||
|
*
|
||
|
* * Redistributions of source code must retain the above copyright notice,
|
||
|
* this list of conditions and the following disclaimer.
|
||
|
*
|
||
|
* * Redistributions in binary form must reproduce the above copyright notice,
|
||
|
* this list of conditions and the following disclaimer in the documentation
|
||
|
* and/or other materials provided with the distribution.
|
||
|
*
|
||
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||
|
* POSSIBILITY OF SUCH DAMAGE.
|
||
|
*/
|
||
|
|
||
|
// Package uniformdh implements the Tor Project's UniformDH key exchange
|
||
|
// mechanism as defined in the obfs3 protocol specification. This
|
||
|
// implementation is suitable for obfuscation but MUST NOT BE USED when strong
|
||
|
// security is required as it is not constant time.
|
||
|
package uniformdh
|
||
|
|
||
|
import (
|
||
|
"fmt"
|
||
|
"io"
|
||
|
"math/big"
|
||
|
)
|
||
|
|
||
|
const (
|
||
|
// Size is the size of a UniformDH key or shared secret in bytes.
|
||
|
Size = 1536 / 8
|
||
|
|
||
|
// modpStr is the RFC3526 1536-bit MODP Group (Group 5).
|
||
|
modpStr = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
|
||
|
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
|
||
|
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
|
||
|
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
|
||
|
"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" +
|
||
|
"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" +
|
||
|
"83655D23DCA3AD961C62F356208552BB9ED529077096966D" +
|
||
|
"670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
|
||
|
|
||
|
g = 2
|
||
|
)
|
||
|
|
||
|
var modpGroup *big.Int
|
||
|
var gen *big.Int
|
||
|
|
||
|
// A PrivateKey represents a UniformDH private key.
|
||
|
type PrivateKey struct {
|
||
|
PublicKey
|
||
|
privateKey *big.Int
|
||
|
}
|
||
|
|
||
|
// A PublicKey represents a UniformDH public key.
|
||
|
type PublicKey struct {
|
||
|
bytes []byte
|
||
|
publicKey *big.Int
|
||
|
}
|
||
|
|
||
|
// Bytes returns the byte representation of a PublicKey.
|
||
|
func (pub *PublicKey) Bytes() (pubBytes []byte, err error) {
|
||
|
if len(pub.bytes) != Size || pub.bytes == nil {
|
||
|
return nil, fmt.Errorf("public key is not initialized")
|
||
|
}
|
||
|
pubBytes = make([]byte, Size)
|
||
|
copy(pubBytes, pub.bytes)
|
||
|
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// SetBytes sets the PublicKey from a byte slice.
|
||
|
func (pub *PublicKey) SetBytes(pubBytes []byte) error {
|
||
|
if len(pubBytes) != Size {
|
||
|
return fmt.Errorf("public key length %d is not %d", len(pubBytes), Size)
|
||
|
}
|
||
|
pub.bytes = make([]byte, Size)
|
||
|
copy(pub.bytes, pubBytes)
|
||
|
pub.publicKey = new(big.Int).SetBytes(pub.bytes)
|
||
|
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
// GenerateKey generates a UniformDH keypair using the random source random.
|
||
|
func GenerateKey(random io.Reader) (priv *PrivateKey, err error) {
|
||
|
privBytes := make([]byte, Size)
|
||
|
if _, err = io.ReadFull(random, privBytes); err != nil {
|
||
|
return
|
||
|
}
|
||
|
priv, err = generateKey(privBytes)
|
||
|
|
||
|
return
|
||
|
}
|
||
|
|
||
|
func generateKey(privBytes []byte) (priv *PrivateKey, err error) {
|
||
|
// This function does all of the actual heavy lifting of creating a public
|
||
|
// key from a raw 192 byte private key. It is split so that the KAT tests
|
||
|
// can be written easily, and not exposed since non-ephemeral keys are a
|
||
|
// terrible idea.
|
||
|
|
||
|
if len(privBytes) != Size {
|
||
|
return nil, fmt.Errorf("invalid private key size %d", len(privBytes))
|
||
|
}
|
||
|
|
||
|
// To pick a private UniformDH key, we pick a random 1536-bit number,
|
||
|
// and make it even by setting its low bit to 0
|
||
|
privBn := new(big.Int).SetBytes(privBytes)
|
||
|
wasEven := privBn.Bit(0) == 0
|
||
|
privBn = privBn.SetBit(privBn, 0, 0)
|
||
|
|
||
|
// Let x be that private key, and X = g^x (mod p).
|
||
|
pubBn := new(big.Int).Exp(gen, privBn, modpGroup)
|
||
|
pubAlt := new(big.Int).Sub(modpGroup, pubBn)
|
||
|
|
||
|
// When someone sends her public key to the other party, she randomly
|
||
|
// decides whether to send X or p-X. Use the lowest most bit of the
|
||
|
// private key here as the random coin flip since it is masked out and not
|
||
|
// used.
|
||
|
//
|
||
|
// Note: The spec doesn't explicitly specify it, but here we prepend zeros
|
||
|
// to the key so that it is always exactly Size bytes.
|
||
|
pubBytes := make([]byte, Size)
|
||
|
if wasEven {
|
||
|
err = prependZeroBytes(pubBytes, pubBn.Bytes())
|
||
|
} else {
|
||
|
err = prependZeroBytes(pubBytes, pubAlt.Bytes())
|
||
|
}
|
||
|
if err != nil {
|
||
|
return
|
||
|
}
|
||
|
|
||
|
priv = new(PrivateKey)
|
||
|
priv.PublicKey.bytes = pubBytes
|
||
|
priv.PublicKey.publicKey = pubBn
|
||
|
priv.privateKey = privBn
|
||
|
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// Handshake generates a shared secret given a PrivateKey and PublicKey.
|
||
|
func Handshake(privateKey *PrivateKey, publicKey *PublicKey) (sharedSecret []byte, err error) {
|
||
|
// When a party wants to calculate the shared secret, she raises the
|
||
|
// foreign public key to her private key.
|
||
|
secretBn := new(big.Int).Exp(publicKey.publicKey, privateKey.privateKey, modpGroup)
|
||
|
sharedSecret = make([]byte, Size)
|
||
|
err = prependZeroBytes(sharedSecret, secretBn.Bytes())
|
||
|
|
||
|
return
|
||
|
}
|
||
|
|
||
|
func prependZeroBytes(dst, src []byte) error {
|
||
|
zeros := len(dst) - len(src)
|
||
|
if zeros < 0 {
|
||
|
return fmt.Errorf("src length is greater than destination: %d", zeros)
|
||
|
}
|
||
|
for i := 0; i < zeros; i++ {
|
||
|
dst[i] = 0
|
||
|
}
|
||
|
copy(dst[zeros:], src)
|
||
|
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
func init() {
|
||
|
// Load the MODP group and the generator.
|
||
|
var ok bool
|
||
|
modpGroup, ok = new(big.Int).SetString(modpStr, 16)
|
||
|
if !ok {
|
||
|
panic("Failed to load the RFC3526 MODP Group")
|
||
|
}
|
||
|
gen = big.NewInt(g)
|
||
|
}
|