123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524 |
- /*
- * Copyright (c) 2015, Yawning Angel <yawning at schwanenlied dot me>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
- package scramblesuit
- import (
- "bytes"
- "crypto/aes"
- "crypto/cipher"
- "crypto/hmac"
- "crypto/sha256"
- "encoding/base32"
- "encoding/binary"
- "errors"
- "fmt"
- "hash"
- "io"
- "net"
- "time"
- "gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/goptlib"
- "gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/common/csrand"
- "gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/common/drbg"
- "gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/common/probdist"
- "gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/common/uniformdh"
- )
- const (
- passwordArg = "password"
- maxSegmentLength = 1448
- maxPayloadLength = 1427
- sharedSecretLength = 160 / 8 // k_B
- clientHandshakeTimeout = time.Duration(60) * time.Second
- minLenDistLength = 21
- maxLenDistLength = maxSegmentLength
- keyLength = 32 + 8 + 32
- pktPrngSeedLength = 32
- pktOverhead = macLength + pktHdrLength
- pktHdrLength = 2 + 2 + 1
- pktPayload = 1
- pktNewTicket = 1 << 1
- pktPrngSeed = 1 << 2
- )
- var (
- // ErrNotSupported is the error returned for a unsupported operation.
- ErrNotSupported = errors.New("scramblesuit: operation not supported")
- // ErrInvalidPacket is the error returned when a invalid packet is received.
- ErrInvalidPacket = errors.New("scramblesuit: invalid packet")
- zeroPadBytes [maxPayloadLength]byte
- )
- type ssSharedSecret [sharedSecretLength]byte
- type ssClientArgs struct {
- kB *ssSharedSecret
- sessionKey *uniformdh.PrivateKey
- }
- func newClientArgs(args *pt.Args) (ca *ssClientArgs, err error) {
- ca = &ssClientArgs{}
- if ca.kB, err = parsePasswordArg(args); err != nil {
- return nil, err
- }
- // Generate the client keypair before opening a connection since the time
- // taken is visible to an adversary. This key might not end up being used
- // if a session ticket is present, but this doesn't take that long.
- if ca.sessionKey, err = uniformdh.GenerateKey(csrand.Reader); err != nil {
- return nil, err
- }
- return
- }
- func parsePasswordArg(args *pt.Args) (*ssSharedSecret, error) {
- str, ok := args.Get(passwordArg)
- if !ok {
- return nil, fmt.Errorf("missing argument '%s'", passwordArg)
- }
- // To match the obfsproxy behavior, 'str' should contain a Base32 encoded
- // shared secret (k_B) used for handshaking.
- decoded, err := base32.StdEncoding.DecodeString(str)
- if err != nil {
- return nil, fmt.Errorf("failed to decode password: %s", err)
- }
- if len(decoded) != sharedSecretLength {
- return nil, fmt.Errorf("password length %d is invalid", len(decoded))
- }
- ss := new(ssSharedSecret)
- copy(ss[:], decoded)
- return ss, nil
- }
- type ssCryptoState struct {
- s cipher.Stream
- mac hash.Hash
- }
- func newCryptoState(aesKey []byte, ivPrefix []byte, macKey []byte) (*ssCryptoState, error) {
- // The ScrambleSuit CTR-AES256 link crypto uses an 8 byte prefix from the
- // KDF, and a 64 bit counter initialized to 1 as the IV. The initial value
- // of the counter isn't documented in the spec either.
- var initialCtr = []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}
- iv := make([]byte, 0, aes.BlockSize)
- iv = append(iv, ivPrefix...)
- iv = append(iv, initialCtr...)
- b, err := aes.NewCipher(aesKey)
- if err != nil {
- return nil, err
- }
- s := cipher.NewCTR(b, iv)
- mac := hmac.New(sha256.New, macKey)
- return &ssCryptoState{s: s, mac: mac}, nil
- }
- type ssConn struct {
- net.Conn
- isServer bool
- lenDist *probdist.WeightedDist
- receiveBuffer *bytes.Buffer
- receiveDecodedBuffer *bytes.Buffer
- receiveState ssRxState
- txCrypto *ssCryptoState
- rxCrypto *ssCryptoState
- ticketStore *ssTicketStore
- }
- type ssRxState struct {
- mac []byte
- hdr []byte
- totalLen int
- payloadLen int
- }
- func (conn *ssConn) Read(b []byte) (n int, err error) {
- // If the receive payload buffer is empty, consume data off the network.
- for conn.receiveDecodedBuffer.Len() == 0 {
- if err = conn.readPackets(); err != nil {
- break
- }
- }
- // Service the read request using buffered payload.
- if conn.receiveDecodedBuffer.Len() > 0 {
- n, _ = conn.receiveDecodedBuffer.Read(b)
- }
- return
- }
- func (conn *ssConn) Write(b []byte) (n int, err error) {
- var frameBuf bytes.Buffer
- p := b
- toSend := len(p)
- for toSend > 0 {
- // Send as much payload as will fit into each frame as possible.
- wrLen := len(p)
- if wrLen > maxPayloadLength {
- wrLen = maxPayloadLength
- }
- payload := p[:wrLen]
- if err = conn.makePacket(&frameBuf, pktPayload, payload, 0); err != nil {
- return 0, err
- }
- toSend -= wrLen
- p = p[wrLen:]
- n += wrLen
- }
- // Pad out the burst as appropriate.
- if err = conn.padBurst(&frameBuf, conn.lenDist.Sample()); err != nil {
- return 0, err
- }
- // Write and return.
- _, err = conn.Conn.Write(frameBuf.Bytes())
- return
- }
- func (conn *ssConn) SetDeadline(t time.Time) error {
- return ErrNotSupported
- }
- func (conn *ssConn) SetReadDeadline(t time.Time) error {
- return ErrNotSupported
- }
- func (conn *ssConn) SetWriteDeadline(t time.Time) error {
- return ErrNotSupported
- }
- func (conn *ssConn) makePacket(w io.Writer, pktType byte, data []byte, padLen int) error {
- payloadLen := len(data)
- totalLen := payloadLen + padLen
- if totalLen > maxPayloadLength {
- panic(fmt.Sprintf("BUG: makePacket() len(data) + padLen > maxPayloadLength: %d + %d > %d", len(data), padLen, maxPayloadLength))
- }
- // Build the packet header (total length, payload length, flags),
- // and append the payload and padding.
- pkt := make([]byte, pktHdrLength, pktHdrLength+payloadLen+padLen)
- binary.BigEndian.PutUint16(pkt[0:], uint16(totalLen))
- binary.BigEndian.PutUint16(pkt[2:], uint16(payloadLen))
- pkt[4] = pktType
- pkt = append(pkt, data...)
- pkt = append(pkt, zeroPadBytes[:padLen]...)
- // Encrypt the packet, and calculate the MAC.
- conn.txCrypto.s.XORKeyStream(pkt, pkt)
- conn.txCrypto.mac.Reset()
- _, _ = conn.txCrypto.mac.Write(pkt)
- mac := conn.txCrypto.mac.Sum(nil)[:macLength]
- // Write out MAC | Packet. Note that this does not go onto the network
- // yet, as w is a byte.Buffer (This is done so each call to conn.Write()
- // gets padding added).
- if _, err := w.Write(mac); err != nil {
- return err
- }
- _, err := w.Write(pkt)
- return err
- }
- func (conn *ssConn) readPackets() error {
- // Consume and buffer up to 1 MSS worth of data.
- var buf [maxSegmentLength]byte
- rdLen, rdErr := conn.Conn.Read(buf[:])
- conn.receiveBuffer.Write(buf[:rdLen])
- // Process incoming packets incrementally. conn.receiveState stores
- // the results of partial processing.
- for conn.receiveBuffer.Len() > 0 {
- if conn.receiveState.mac == nil {
- // Read and store the packet MAC.
- if conn.receiveBuffer.Len() < macLength {
- break
- }
- mac := make([]byte, macLength)
- _, _ = conn.receiveBuffer.Read(mac)
- conn.receiveState.mac = mac
- }
- if conn.receiveState.hdr == nil {
- // Read and store the packet header.
- if conn.receiveBuffer.Len() < pktHdrLength {
- break
- }
- hdr := make([]byte, pktHdrLength)
- _, _ = conn.receiveBuffer.Read(hdr)
- // Add the encrypted packet header to the HMAC instance, and then
- // decrypt it so that the length of the packet can be determined.
- conn.rxCrypto.mac.Reset()
- _, _ = conn.rxCrypto.mac.Write(hdr)
- conn.rxCrypto.s.XORKeyStream(hdr, hdr)
- // Store the plaintext packet header, and host byte order length
- // values.
- totalLen := int(binary.BigEndian.Uint16(hdr[0:]))
- payloadLen := int(binary.BigEndian.Uint16(hdr[2:]))
- if payloadLen > totalLen || totalLen > maxPayloadLength {
- return ErrInvalidPacket
- }
- conn.receiveState.hdr = hdr
- conn.receiveState.totalLen = totalLen
- conn.receiveState.payloadLen = payloadLen
- }
- var data []byte
- if conn.receiveState.totalLen > 0 {
- // If the packet actually has payload (including padding), read,
- // digest and decrypt it.
- if conn.receiveBuffer.Len() < conn.receiveState.totalLen {
- break
- }
- data = make([]byte, conn.receiveState.totalLen)
- _, _ = conn.receiveBuffer.Read(data)
- _, _ = conn.rxCrypto.mac.Write(data)
- conn.rxCrypto.s.XORKeyStream(data, data)
- }
- // Authenticate the packet, by comparing the received MAC with the one
- // calculated over the ciphertext consumed off the network.
- cmpMAC := conn.rxCrypto.mac.Sum(nil)[:macLength]
- if !hmac.Equal(cmpMAC, conn.receiveState.mac[:]) {
- return ErrInvalidPacket
- }
- // Based on the packet flags, do something useful with the payload.
- data = data[:conn.receiveState.payloadLen]
- switch conn.receiveState.hdr[4] {
- case pktPayload:
- // User data, write it into the decoded payload buffer so that Read
- // calls can be serviced.
- conn.receiveDecodedBuffer.Write(data)
- case pktNewTicket:
- // New Session Ticket to be used for future handshakes, store it in
- // the Session Ticket store.
- if conn.isServer || len(data) != ticketKeyLength+ticketLength {
- return ErrInvalidPacket
- }
- conn.ticketStore.storeTicket(conn.RemoteAddr(), data)
- case pktPrngSeed:
- // New PRNG_SEED for the protocol polymorphism. Regenerate the
- // length obfuscation probability distribution.
- if conn.isServer || len(data) != pktPrngSeedLength {
- return ErrInvalidPacket
- }
- seed, err := drbg.SeedFromBytes(data)
- if err != nil {
- return ErrInvalidPacket
- }
- conn.lenDist.Reset(seed)
- default:
- return ErrInvalidPacket
- }
- // Done processing a packet, clear the partial state.
- conn.receiveState.mac = nil
- conn.receiveState.hdr = nil
- conn.receiveState.totalLen = 0
- conn.receiveState.payloadLen = 0
- }
- return rdErr
- }
- func (conn *ssConn) clientHandshake(kB *ssSharedSecret, sessionKey *uniformdh.PrivateKey) error {
- if conn.isServer {
- return fmt.Errorf("clientHandshake called on server connection")
- }
- // Query the Session Ticket store to see if there is a stored session
- // ticket.
- ticket, err := conn.ticketStore.getTicket(conn.RemoteAddr())
- if err != nil {
- return err
- } else if ticket != nil {
- // Ok, there is an existing ticket, so attempt to do a Session Ticket
- // handshake. Until we write to the network, failures are non-fatal as
- // we can transition gracefully into doing a UniformDH handshake.
- // Derive the keys from the prestored master key received with the
- // ticket. This is done before the actual handshake since the
- // handshake uses the outgoing HMAC-SHA256-128 key for authentication.
- if err = conn.initCrypto(ticket.key[:]); err != nil {
- goto handshakeUDH
- }
- // Generate and send the ticket handshake. There is no response, since
- // both sides have the keying material.
- hs := newTicketClientHandshake(conn.txCrypto.mac, ticket)
- blob, err := hs.generateHandshake()
- if err != nil {
- goto handshakeUDH
- }
- if _, err = conn.Conn.Write(blob); err != nil {
- return err
- }
- return nil
- }
- handshakeUDH:
- // No session ticket, so take the slow path and do a UniformDH based
- // handshake.
- // Generate and send the client handshake.
- hs := newDHClientHandshake(kB, sessionKey)
- blob, err := hs.generateHandshake()
- if err != nil {
- return err
- }
- if _, err = conn.Conn.Write(blob); err != nil {
- return err
- }
- // Consume the server handshake. Since we don't actually know the length
- // of the respose, we need to consume data off the network till we either
- // find the tail marker + MAC digest indicating that a handshake response
- // has been received, or the maximum handshake size passes without a valid
- // response.
- var hsBuf [maxHandshakeLength]byte
- for {
- var n int
- if n, err = conn.Conn.Read(hsBuf[:]); err != nil {
- return err
- }
- conn.receiveBuffer.Write(hsBuf[:n])
- // Attempt to process all the data seen so far as a response.
- var seed []byte
- n, seed, err = hs.parseServerHandshake(conn.receiveBuffer.Bytes())
- if err == errMarkNotFoundYet {
- // No response found yet, keep trying.
- continue
- } else if err != nil {
- return err
- }
- // Ok, done processing the handshake, discard the response, and do the
- // key derivation based off the calculated shared secret.
- _ = conn.receiveBuffer.Next(n)
- err = conn.initCrypto(seed)
- return err
- }
- }
- func (conn *ssConn) initCrypto(seed []byte) error {
- // Use HKDF-SHA256 (Expand only, no Extract) to generate session keys from
- // initial keying material.
- okm := hkdfExpand(sha256.New, seed, nil, kdfSecretLength)
- var err error
- conn.txCrypto, err = newCryptoState(okm[0:32], okm[32:40], okm[80:112])
- if err != nil {
- return err
- }
- conn.rxCrypto, err = newCryptoState(okm[40:72], okm[72:80], okm[112:144])
- if err != nil {
- return err
- }
- return nil
- }
- func (conn *ssConn) padBurst(burst *bytes.Buffer, sampleLen int) error {
- // Burst contains the fully encrypted+MACed outgoing payload that will be
- // written to the network. Pad it out so that the last segment (based on
- // the ScrambleSuit MTU) is sampleLen bytes.
- dataLen := burst.Len() % maxSegmentLength
- padLen := 0
- if sampleLen >= dataLen {
- padLen = sampleLen - dataLen
- } else {
- padLen = (maxSegmentLength - dataLen) + sampleLen
- }
- if padLen < pktOverhead {
- // The padLen is less than the MAC + packet header in length, so
- // two packets are required.
- padLen += maxSegmentLength
- }
- if padLen == 0 {
- return nil
- }
- if padLen > maxSegmentLength {
- // Note: packetmorpher.py: getPadding is slightly wrong and only
- // accounts for one of the two packet headers.
- if err := conn.makePacket(burst, pktPayload, nil, 700-pktOverhead); err != nil {
- return err
- }
- return conn.makePacket(burst, pktPayload, nil, padLen-(700+2*pktOverhead))
- }
- return conn.makePacket(burst, pktPayload, nil, padLen-pktOverhead)
- }
- func newScrambleSuitClientConn(conn net.Conn, tStore *ssTicketStore, ca *ssClientArgs) (net.Conn, error) {
- // At this point we have kB and our session key, so we can directly
- // start handshaking and seeing what happens.
- // Seed the initial polymorphism distribution.
- seed, err := drbg.NewSeed()
- if err != nil {
- return nil, err
- }
- dist := probdist.New(seed, minLenDistLength, maxLenDistLength, true)
- // Allocate the client structure.
- c := &ssConn{conn, false, dist, bytes.NewBuffer(nil), bytes.NewBuffer(nil), ssRxState{}, nil, nil, tStore}
- // Start the handshake timeout.
- deadline := time.Now().Add(clientHandshakeTimeout)
- if err := conn.SetDeadline(deadline); err != nil {
- return nil, err
- }
- // Attempt to handshake.
- if err := c.clientHandshake(ca.kB, ca.sessionKey); err != nil {
- return nil, err
- }
- // Stop the handshake timeout.
- if err := conn.SetDeadline(time.Time{}); err != nil {
- return nil, err
- }
- return c, nil
- }
|