Security start

2020-11-29 22:06:38 +00:00 · 2020-11-29 22:06:38 +00:00 · 5066f8a823
commit 5066f8a823
parent 179025ad2b
8 changed files with 111 additions and 47 deletions
--- a/config/builder.go
+++ b/config/builder.go
@ -1,7 +1,10 @@
 package config

 import (
+	"encoding/base64"
 	"fmt"
+	"mpbl3p/crypto"
+	"mpbl3p/crypto/sharedkey"
 	"mpbl3p/proxy"
 	"mpbl3p/tcp"
 	"mpbl3p/tun"
@ -10,24 +13,33 @@ import (
 	"time"
 )

-// TODO: Delete this code as soon as an alternative is available
-type UselessMac struct{}
-
-func (UselessMac) CodeLength() int {
-	return 0
-}
-
-func (UselessMac) Generate([]byte) []byte {
-	return nil
-}
-
-func (u UselessMac) Verify([]byte, []byte) error {
-	return nil
-}
-
 func (c Configuration) Build() (*proxy.Proxy, error) {
 	p := proxy.NewProxy(0)
-	p.Generator = UselessMac{}
+
+	var g func() proxy.MacGenerator
+	var v func() proxy.MacVerifier
+
+	switch c.Host.Crypto {
+	case "None":
+		g = func() proxy.MacGenerator { return crypto.None{} }
+		v = func() proxy.MacVerifier { return crypto.None{} }
+	case "Blake2s":
+		key, err := base64.StdEncoding.DecodeString(c.Host.SharedKey)
+		if err != nil {
+			return nil, err
+		}
+		if _, err := sharedkey.NewBlake2s(key); err != nil {
+			return nil, err
+		}
+		g = func() proxy.MacGenerator {
+			g, _ := sharedkey.NewBlake2s(key)
+			return g
+		}
+		v = func() proxy.MacVerifier {
+			v, _ := sharedkey.NewBlake2s(key)
+			return v
+		}
+	}

 	if c.Host.InterfaceName == "" {
 		c.Host.InterfaceName = "nc%d"
@ -44,12 +56,12 @@ func (c Configuration) Build() (*proxy.Proxy, error) {
 	for _, peer := range c.Peers {
 		switch peer.Method {
 		case "TCP":
-			err := buildTcp(p, peer)
+			err := buildTcp(p, peer, g, v)
 			if err != nil {
 				return nil, err
 			}
 		case "UDP":
-			err := buildUdp(p, peer)
+			err := buildUdp(p, peer, g, v)
 			if err != nil {
 				return nil, err
 			}
@ -59,7 +71,7 @@ func (c Configuration) Build() (*proxy.Proxy, error) {
 	return p, nil
 }

-func buildTcp(p *proxy.Proxy, peer Peer) error {
+func buildTcp(p *proxy.Proxy, peer Peer, v func() proxy.MacGenerator, g func() proxy.MacVerifier) error {
 	if peer.RemoteHost != "" {
 		f, err := tcp.InitiateFlow(
 			fmt.Sprintf("%s:", peer.LocalHost),
@ -70,13 +82,13 @@ func buildTcp(p *proxy.Proxy, peer Peer) error {
 			return err
 		}

-		p.AddConsumer(f)
-		p.AddProducer(f, UselessMac{})
+		p.AddConsumer(f, v())
+		p.AddProducer(f, g())

 		return nil
 	}

-	err := tcp.NewListener(p, fmt.Sprintf("%s:%d", peer.LocalHost, peer.LocalPort), UselessMac{})
+	err := tcp.NewListener(p, fmt.Sprintf("%s:%d", peer.LocalHost, peer.LocalPort), g, v)
 	if err != nil {
 		return err
 	}
@ -84,23 +96,23 @@ func buildTcp(p *proxy.Proxy, peer Peer) error {
 	return nil
 }

-func buildUdp(p *proxy.Proxy, peer Peer) error {
+func buildUdp(p *proxy.Proxy, peer Peer, v func() proxy.MacGenerator, g func() proxy.MacVerifier) error {
 	var c func() udp.Congestion
 	switch peer.Congestion {
 	case "None":
-		c = func() udp.Congestion {return congestion.NewNone()}
+		c = func() udp.Congestion { return congestion.NewNone() }
 	default:
 		fallthrough
 	case "NewReno":
-		c = func() udp.Congestion {return congestion.NewNewReno()}
+		c = func() udp.Congestion { return congestion.NewNewReno() }
 	}

 	if peer.RemoteHost != "" {
 		f, err := udp.InitiateFlow(
 			fmt.Sprintf("%s:", peer.LocalHost),
 			fmt.Sprintf("%s:%d", peer.RemoteHost, peer.RemotePort),
-			UselessMac{},
-			UselessMac{},
+			crypto.None{},
+			crypto.None{},
 			c(),
 			time.Duration(peer.KeepAlive)*time.Second,
 		)
@ -109,19 +121,13 @@ func buildUdp(p *proxy.Proxy, peer Peer) error {
 			return err
 		}

-		p.AddConsumer(f)
-		p.AddProducer(f, UselessMac{})
+		p.AddConsumer(f, v())
+		p.AddProducer(f, g())

 		return nil
 	}

-	err := udp.NewListener(
-		p,
-		fmt.Sprintf("%s:%d", peer.LocalHost, peer.LocalPort),
-		UselessMac{},
-		UselessMac{},
-		c,
-	)
+	err := udp.NewListener(p, fmt.Sprintf("%s:%d", peer.LocalHost, peer.LocalPort), g, v, c)
 	if err != nil {
 		return err
 	}
--- a/config/config.go
+++ b/config/config.go
@ -10,12 +10,13 @@ type Configuration struct {
 }

 type Host struct {
-	PrivateKey    string `validate:"required"`
 	InterfaceName string
+
+	Crypto string `validate:"required,oneof=None Blake2s"`
+	SharedKey string `validate:"required_if=Crypto Blake2s"`
 }

 type Peer struct {
-	PublicKey string `validate:"required"`
 	Method    string `validate:"oneof=TCP UDP"`

 	LocalHost string `validate:"omitempty,ip"`
--- a/crypto/none.go
+++ b/crypto/none.go
@ -0,0 +1,15 @@
+package crypto
+
+type None struct{}
+
+func (None) CodeLength() int {
+	return 0
+}
+
+func (None) Generate([]byte) []byte {
+	return nil
+}
+
+func (None) Verify([]byte, []byte) error {
+	return nil
+}
--- a/crypto/sharedkey/blake2s.go
+++ b/crypto/sharedkey/blake2s.go
@ -0,0 +1,40 @@
+package sharedkey
+
+import (
+	"bytes"
+	"golang.org/x/crypto/blake2s"
+	"mpbl3p/shared"
+)
+
+type Blake2s struct {
+	key []byte
+}
+
+func NewBlake2s(key []byte) (*Blake2s, error) {
+	_, err := blake2s.New128(key)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Blake2s{key: key}, nil
+}
+
+func (b Blake2s) CodeLength() int {
+	return blake2s.Size128
+}
+
+func (b Blake2s) Generate(d []byte) []byte {
+	h, _ := blake2s.New128(b.key)
+	h.Write(d)
+	return h.Sum([]byte{})
+}
+
+func (b Blake2s) Verify(d []byte, s []byte) error {
+	h, _ := blake2s.New128(b.key)
+	h.Write(d)
+	sum := h.Sum([]byte{})
+	if !bytes.Equal(sum, s) {
+		return shared.ErrBadChecksum
+	}
+	return nil
+}
--- a/go.mod
+++ b/go.mod
@ -7,5 +7,6 @@ require (
 	github.com/pkg/taptun v0.0.0-20160424131934-bbbd335672ab
 	github.com/smartystreets/goconvey v1.6.4 // indirect
 	github.com/stretchr/testify v1.4.0
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
 	gopkg.in/ini.v1 v1.62.0
 )
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@ -31,8 +31,6 @@ type Proxy struct {
 	Source Source
 	Sink   Sink

-	Generator MacGenerator
-
 	proxyChan chan Packet
 	sinkChan  chan Packet
 }
@ -67,7 +65,7 @@ func (p Proxy) Start() {
 	}()
 }

-func (p Proxy) AddConsumer(c Consumer) {
+func (p Proxy) AddConsumer(c Consumer, g MacGenerator) {
 	go func() {
 		_, reconnectable := c.(Reconnectable)

@ -85,7 +83,7 @@ func (p Proxy) AddConsumer(c Consumer) {
 			}

 			for c.IsAlive() {
-				if err := c.Consume(<-p.proxyChan, p.Generator); err != nil {
+				if err := c.Consume(<-p.proxyChan, g); err != nil {
 					log.Println(err)
 					break
 				}
--- a/tcp/listener.go
+++ b/tcp/listener.go
@ -6,7 +6,7 @@ import (
 	"net"
 )

-func NewListener(p *proxy.Proxy, local string, v proxy.MacVerifier) error {
+func NewListener(p *proxy.Proxy, local string, v func() proxy.MacVerifier, g func() proxy.MacGenerator) error {
 	laddr, err := net.ResolveTCPAddr("tcp", local)
 	if err != nil {
 		return err
@ -33,8 +33,8 @@ func NewListener(p *proxy.Proxy, local string, v proxy.MacVerifier) error {

 			log.Printf("received new tcp connection: %v\n", f)

-			p.AddConsumer(&f)
-			p.AddProducer(&f, v)
+			p.AddConsumer(&f, g())
+			p.AddProducer(&f, v())
 		}
 	}()

--- a/udp/listener.go
+++ b/udp/listener.go
@ -25,7 +25,7 @@ func fromUdpAddress(address net.UDPAddr) ComparableUdpAddress {
 	}
 }

-func NewListener(p *proxy.Proxy, local string, v proxy.MacVerifier, g proxy.MacGenerator, c func() Congestion) error {
+func NewListener(p *proxy.Proxy, local string, v func() proxy.MacVerifier, g func() proxy.MacGenerator, c func() Congestion) error {
 	laddr, err := net.ResolveUDPAddr("udp", local)
 	if err != nil {
 		return err
@ -63,6 +63,9 @@ func NewListener(p *proxy.Proxy, local string, v proxy.MacVerifier, g proxy.MacG
 				continue
 			}

+			v := v()
+			g := g()
+
 			f := newFlow(c(), v)

 			f.writer = pconn
@ -75,7 +78,7 @@ func NewListener(p *proxy.Proxy, local string, v proxy.MacVerifier, g proxy.MacG

 			receivedConnections[raddr] = &f

-			p.AddConsumer(&f)
+			p.AddConsumer(&f, g)
 			p.AddProducer(&f, v)

 			log.Println("handling...")