client.go 5.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169
  1. // client.go - Transport client implementation.
  2. // Copyright (C) 2016 Yawning Angel.
  3. //
  4. // This program is free software: you can redistribute it and/or modify
  5. // it under the terms of the GNU Affero General Public License as
  6. // published by the Free Software Foundation, either version 3 of the
  7. // License, or (at your option) any later version.
  8. //
  9. // This program is distributed in the hope that it will be useful,
  10. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. // GNU Affero General Public License for more details.
  13. //
  14. // You should have received a copy of the GNU Affero General Public License
  15. // along with this program. If not, see <http://www.gnu.org/licenses/>.
  16. package basket2
  17. import (
  18. "net"
  19. "git.schwanenlied.me/yawning/basket2.git/crypto/identity"
  20. "git.schwanenlied.me/yawning/basket2.git/crypto/rand"
  21. "git.schwanenlied.me/yawning/basket2.git/handshake"
  22. )
  23. // ClientConfig is the client configuration parameters to use when
  24. // constructing a ClientConn.
  25. type ClientConfig struct {
  26. KEXMethod handshake.KEXMethod
  27. PaddingMethods []PaddingMethod
  28. ServerPublicKey *identity.PublicKey
  29. }
  30. // ClientConn is a client connection instance, that implements the net.Conn
  31. // interface.
  32. type ClientConn struct {
  33. commonConn
  34. config *ClientConfig
  35. handshakeState *handshake.ClientHandshake
  36. }
  37. // Handshake associates a ClientConn with an established net.Conn, and executes
  38. // the authenticated/encrypted/obfuscated key exchange, and optionally
  39. // authenticates the client with the server.
  40. func (c *ClientConn) Handshake(conn net.Conn) (err error) {
  41. // Pass or fail, obliterate the handshake state.
  42. defer c.handshakeState.Reset()
  43. defer func() {
  44. if err != nil {
  45. c.setState(stateError)
  46. }
  47. }()
  48. // Initalize the underlying conn structure, and transition to the
  49. // handshaking state.
  50. if err = c.initConn(conn); err != nil {
  51. return
  52. }
  53. // Build the request extData to negotiate padding algorithms.
  54. reqExtData := make([]byte, 0, 1+1+len(c.config.PaddingMethods))
  55. reqExtData = append(reqExtData, ProtocolVersion)
  56. reqExtData = append(reqExtData, byte(len(c.config.PaddingMethods)))
  57. for _, v := range c.config.PaddingMethods {
  58. reqExtData = append(reqExtData, byte(v))
  59. }
  60. // Determine the request padding length by adding padding required to
  61. // bring the request size up to the minimum target length, and then
  62. // adding a random amount of padding.
  63. //
  64. // All requests on the wire will be of length [min, max).
  65. padLen := handshake.MinHandshakeSize - (handshake.MessageSize + len(reqExtData))
  66. if padLen < 0 { // Should never happen.
  67. panic("basket2: handshake request exceeds payload capacity")
  68. }
  69. padLen += c.mRNG.Intn(handshake.MaxHandshakeSize - handshake.MinHandshakeSize)
  70. // Send the request, receive the response, and derive the session keys.
  71. var keys *handshake.SessionKeys
  72. var respExtData []byte
  73. if keys, respExtData, err = c.handshakeState.Handshake(c.rawConn, reqExtData, padLen); err != nil {
  74. return
  75. }
  76. defer keys.Reset()
  77. // Parse the response extData to see which padding algorithm to use,
  78. // and if authentication is possible/required.
  79. if len(respExtData) < minRespExtDataSize {
  80. return ErrInvalidExtData
  81. }
  82. if respExtData[0] != ProtocolVersion {
  83. return ErrInvalidExtData
  84. }
  85. authPolicy := AuthPolicy(respExtData[1])
  86. paddingMethod := PaddingMethod(respExtData[2])
  87. paddingParams := respExtData[minRespExtDataSize:]
  88. // Validate that the negotiated padding method is contained in our request.
  89. if !paddingOk(paddingMethod, c.config.PaddingMethods) {
  90. return ErrInvalidPadding
  91. }
  92. // Initialize the frame encoder/decoder with the session key material.
  93. if err = c.initFraming(keys.KDF); err != nil {
  94. return
  95. }
  96. // Bring the chosen padding algorithm online.
  97. if err = c.setPadding(paddingMethod, paddingParams); err != nil {
  98. return
  99. }
  100. // Authenticate if needed.
  101. if authPolicy == AuthMust {
  102. if err = c.authenticate(keys.TranscriptDigest); err != nil {
  103. return
  104. }
  105. }
  106. // The connection is now fully established.
  107. if err = c.setState(stateEstablished); err != nil {
  108. return
  109. }
  110. return nil
  111. }
  112. func (c *ClientConn) authenticate(transcriptDigest []byte) error {
  113. if err := c.setState(stateAuthenticate); err != nil {
  114. return err
  115. }
  116. // Sign TranscriptDigest, and send the authentication request.
  117. // Receive the authentication response.
  118. return ErrNotSupported
  119. }
  120. // NewClientConn initializes a ClientConn. This step should be done offline,
  121. // as timing variation due to the Elligator 2 rejection sampling may leak
  122. // information regarding the obfuscation method.
  123. func NewClientConn(config *ClientConfig) (*ClientConn, error) {
  124. var err error
  125. if len(config.PaddingMethods) == 0 {
  126. panic("basket2: no requested padding methods")
  127. }
  128. if len(config.PaddingMethods) > 255 {
  129. panic("basket2: too many padding methods")
  130. }
  131. if config.ServerPublicKey == nil {
  132. panic("basket2: no server public key")
  133. }
  134. c := new(ClientConn)
  135. c.config = config
  136. c.isClient = true
  137. if c.handshakeState, err = handshake.NewClientHandshake(rand.Reader, config.KEXMethod, config.ServerPublicKey); err != nil {
  138. return nil, err
  139. }
  140. return c, nil
  141. }
  142. var _ net.Conn = (*ClientConn)(nil)