chan.go 5.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161
  1. package xsnet
  2. // Copyright (c) 2017-2020 Russell Magee
  3. // Licensed under the terms of the MIT license (see LICENSE.mit in this
  4. // distribution)
  5. //
  6. // golang implementation by Russ Magee (rmagee_at_gmail.com)
  7. /* Support functions to set up encryption once an HKEx Conn has been
  8. established with FA exchange and support channel operations
  9. (echo, file-copy, remote-cmd, ...) */
  10. import (
  11. "crypto"
  12. "crypto/aes"
  13. "crypto/cipher"
  14. "encoding/hex"
  15. "errors"
  16. "fmt"
  17. "hash"
  18. "log"
  19. "blitter.com/go/cryptmt"
  20. "github.com/aead/chacha20/chacha"
  21. "golang.org/x/crypto/blowfish"
  22. "golang.org/x/crypto/twofish"
  23. // hash algos must be manually imported thusly:
  24. // (Would be nice if the golang pkg docs were more clear
  25. // on this...)
  26. _ "crypto/sha256"
  27. _ "crypto/sha512"
  28. )
  29. // Expand keymat, if necessary, to a minimum of 2x(blocksize).
  30. // Keymat is used for initial key and the IV, hence the 2x.
  31. // This is occasionally necessary for smaller modes of KEX algorithms
  32. // (eg., KEX_HERRADURA256); perhaps an indication these should be
  33. // avoided in favour of larger modes.
  34. //
  35. // This is used for block ciphers; stream ciphers should do their
  36. // own key expansion.
  37. func expandKeyMat(keymat []byte, blocksize int) []byte {
  38. if len(keymat) < 2*blocksize {
  39. halg := crypto.SHA256
  40. mc := halg.New()
  41. if !halg.Available() {
  42. log.Fatal("hash not available!")
  43. }
  44. _, _ = mc.Write(keymat)
  45. var xpand []byte
  46. xpand = mc.Sum(xpand)
  47. keymat = append(keymat, xpand...)
  48. log.Println("[NOTE: keymat short - applying key expansion using SHA256]")
  49. }
  50. return keymat
  51. }
  52. /* Support functionality to set up encryption after a channel has
  53. been negotiated via xsnet.go
  54. */
  55. func (hc *Conn) getStream(keymat []byte) (rc cipher.Stream, mc hash.Hash, err error) {
  56. var key []byte
  57. var block cipher.Block
  58. var iv []byte
  59. var ivlen int
  60. copts := hc.cipheropts & 0xFF
  61. // TODO: each cipher alg case should ensure len(keymat.Bytes())
  62. // is >= 2*cipher.BlockSize (enough for both key and iv)
  63. switch copts {
  64. case CAlgAES256:
  65. keymat = expandKeyMat(keymat, aes.BlockSize)
  66. key = keymat[0:aes.BlockSize]
  67. block, err = aes.NewCipher(key)
  68. ivlen = aes.BlockSize
  69. iv = keymat[aes.BlockSize : aes.BlockSize+ivlen]
  70. rc = cipher.NewOFB(block, iv)
  71. log.Printf("[cipher AES_256 (%d)]\n", copts)
  72. case CAlgTwofish128:
  73. keymat = expandKeyMat(keymat, twofish.BlockSize)
  74. key = keymat[0:twofish.BlockSize]
  75. block, err = twofish.NewCipher(key)
  76. ivlen = twofish.BlockSize
  77. iv = keymat[twofish.BlockSize : twofish.BlockSize+ivlen]
  78. rc = cipher.NewOFB(block, iv)
  79. log.Printf("[cipher TWOFISH_128 (%d)]\n", copts)
  80. case CAlgBlowfish64:
  81. keymat = expandKeyMat(keymat, blowfish.BlockSize)
  82. key = keymat[0:blowfish.BlockSize]
  83. block, err = blowfish.NewCipher(key)
  84. ivlen = blowfish.BlockSize
  85. // N.b. Bounds enforcement of differing cipher algorithms
  86. // ------------------------------------------------------
  87. // cipher/aes and x/cipher/twofish appear to allow one to
  88. // pass an iv larger than the blockSize harmlessly to
  89. // cipher.NewOFB(); x/cipher/blowfish implementation will
  90. // segfault here if len(iv) is not exactly blowfish.BlockSize.
  91. //
  92. // I assume the other two check bounds and only
  93. // copy what's needed whereas blowfish does no such check.
  94. iv = keymat[blowfish.BlockSize : blowfish.BlockSize+ivlen]
  95. rc = cipher.NewOFB(block, iv)
  96. log.Printf("[cipher BLOWFISH_64 (%d)]\n", copts)
  97. case CAlgCryptMT1:
  98. rc = cryptmt.New(nil, nil, keymat)
  99. log.Printf("[cipher CRYPTMT1 (%d)]\n", copts)
  100. case CAlgChaCha20_12:
  101. keymat = expandKeyMat(keymat, chacha.KeySize)
  102. key = keymat[0:chacha.KeySize]
  103. ivlen = chacha.INonceSize
  104. iv = keymat[chacha.KeySize : chacha.KeySize+ivlen]
  105. rc, err = chacha.NewCipher(iv, key, chacha.INonceSize)
  106. if err != nil {
  107. log.Printf("[ChaCha20 config error]\n")
  108. fmt.Printf("[ChaCha20 config error]\n")
  109. }
  110. // TODO: SetCounter() to something derived from key or nonce or extra keymat?
  111. log.Printf("[cipher CHACHA20_12 (%d)]\n", copts)
  112. default:
  113. log.Printf("[invalid cipher (%d)]\n", copts)
  114. fmt.Printf("DOOFUS SET A VALID CIPHER ALG (%d)\n", copts)
  115. err = errors.New("hkexchan: INVALID CIPHER ALG")
  116. //os.Exit(1)
  117. }
  118. hopts := (hc.cipheropts >> 8) & 0xFF
  119. switch hopts {
  120. case HmacSHA256:
  121. log.Printf("[hash HmacSHA256 (%d)]\n", hopts)
  122. halg := crypto.SHA256
  123. mc = halg.New()
  124. if !halg.Available() {
  125. log.Fatal("hash not available!")
  126. }
  127. case HmacSHA512:
  128. log.Printf("[hash HmacSHA512 (%d)]\n", hopts)
  129. halg := crypto.SHA512
  130. mc = halg.New()
  131. if !halg.Available() {
  132. log.Fatal("hash not available!")
  133. }
  134. default:
  135. log.Printf("[invalid hmac (%d)]\n", hopts)
  136. fmt.Printf("DOOFUS SET A VALID HMAC ALG (%d)\n", hopts)
  137. err = errors.New("hkexchan: INVALID HMAC ALG")
  138. return
  139. //os.Exit(1)
  140. }
  141. if err != nil {
  142. // Feed the IV into the hmac: all traffic in the connection must
  143. // feed its data into the hmac afterwards, so both ends can xor
  144. // that with the stream to detect corruption.
  145. _, _ = mc.Write(iv)
  146. var currentHash []byte
  147. currentHash = mc.Sum(currentHash)
  148. log.Printf("Channel init hmac(iv):%s\n", hex.EncodeToString(currentHash))
  149. }
  150. return
  151. }