server.go 5.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196
  1. // server.go - Transport server implementation.
  2. // Copyright (C) 2016 Yawning Angel.
  3. //
  4. // This program is free software: you can redistribute it and/or modify
  5. // it under the terms of the GNU Affero General Public License as
  6. // published by the Free Software Foundation, either version 3 of the
  7. // License, or (at your option) any later version.
  8. //
  9. // This program is distributed in the hope that it will be useful,
  10. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. // GNU Affero General Public License for more details.
  13. //
  14. // You should have received a copy of the GNU Affero General Public License
  15. // along with this program. If not, see <http://www.gnu.org/licenses/>.
  16. package basket2
  17. import (
  18. "net"
  19. "git.schwanenlied.me/yawning/basket2.git/crypto/identity"
  20. "git.schwanenlied.me/yawning/basket2.git/crypto/rand"
  21. "git.schwanenlied.me/yawning/basket2.git/handshake"
  22. )
  23. // ServerConfig is the server configuration parameters to use when
  24. // constructing a ServerConn.
  25. type ServerConfig struct {
  26. ServerPrivateKey *identity.PrivateKey
  27. KEXMethods []handshake.KEXMethod
  28. PaddingMethods []PaddingMethod
  29. AuthPolicy AuthPolicy
  30. ReplayFilter handshake.ReplayFilter
  31. // PaddingParamFn is the function called at handshake time to obtain the
  32. // per-connection padding parameters used to instantiate the server side
  33. // padding algorithm (that will also be propagated back to the client).
  34. PaddingParamFn func(PaddingMethod) ([]byte, error)
  35. }
  36. // ServerConn is a server side client connection instance, that implements the
  37. // net.Conn interface.
  38. type ServerConn struct {
  39. commonConn
  40. config *ServerConfig
  41. handshakeState *handshake.ServerHandshake
  42. }
  43. // Handshake associates a ServerConn with an established net.Conn, and executes
  44. // the authenticated/encrypted/obfuscated key exchange, and optionally
  45. // authenticates the client.
  46. func (s *ServerConn) Handshake(conn net.Conn) (err error) {
  47. // Pass or fail, obliterate the handshake state.
  48. defer s.handshakeState.Reset()
  49. defer func() {
  50. if err != nil {
  51. s.setState(stateError)
  52. }
  53. }()
  54. // Initalize the underlying conn structure, and transition to the
  55. // handshaking state.
  56. if err = s.initConn(conn); err != nil {
  57. return
  58. }
  59. // Receive the client's handshake request.
  60. var reqExtData []byte
  61. if reqExtData, err = s.handshakeState.RecvHandshakeReq(s.rawConn); err != nil {
  62. return
  63. }
  64. // Parse the request extData to see which padding algorithm(s) the
  65. // peer wants us to select from.
  66. if len(reqExtData) < minReqExtDataSize {
  67. return ErrInvalidExtData
  68. }
  69. if reqExtData[0] != ProtocolVersion {
  70. return ErrInvalidExtData
  71. }
  72. if int(reqExtData[1]) != len(reqExtData)-2 {
  73. return ErrInvalidExtData
  74. }
  75. paddingMethod := PaddingInvalid
  76. for _, v := range reqExtData[2:] {
  77. if paddingOk(PaddingMethod(v), s.config.PaddingMethods) {
  78. paddingMethod = PaddingMethod(v)
  79. break
  80. }
  81. }
  82. if paddingMethod == PaddingInvalid {
  83. return ErrInvalidPadding
  84. }
  85. var paddingParams []byte
  86. if paddingParams, err = s.config.PaddingParamFn(paddingMethod); err != nil {
  87. return
  88. }
  89. // Build the response extData.
  90. respExtData := make([]byte, 0, minRespExtDataSize+len(paddingParams))
  91. respExtData = append(respExtData, ProtocolVersion)
  92. respExtData = append(respExtData, byte(s.config.AuthPolicy))
  93. respExtData = append(respExtData, byte(paddingMethod))
  94. respExtData = append(respExtData, paddingParams...)
  95. // Determine the response padding length by adding padding required to
  96. // bring the response size up to the minimum target length, and then
  97. // adding a random amount of padding.
  98. padLen := handshake.MinHandshakeSize - (handshake.MessageSize + len(respExtData))
  99. if padLen < 0 { // Should never happen.
  100. panic("basket2: handshake response exceeds payload capacity")
  101. }
  102. padLen += s.mRNG.Intn(handshake.MaxHandshakeSize - handshake.MinHandshakeSize)
  103. // Send the handshake response and derive the session keys.
  104. var keys *handshake.SessionKeys
  105. if keys, err = s.handshakeState.SendHandshakeResp(s.rawConn, respExtData, padLen); err != nil {
  106. return
  107. }
  108. defer keys.Reset()
  109. // Initialize the frame decoder/encoder with the session key material.
  110. if err = s.initFraming(keys.KDF); err != nil {
  111. return
  112. }
  113. // Bring the chosen padding algorithm online.
  114. if err = s.setPadding(paddingMethod, paddingParams); err != nil {
  115. return
  116. }
  117. // Authenticate the client if needed.
  118. if s.config.AuthPolicy == AuthMust {
  119. if err = s.authenticate(keys.TranscriptDigest); err != nil {
  120. return
  121. }
  122. }
  123. // The connection is now fully established.
  124. if err = s.setState(stateEstablished); err != nil {
  125. return
  126. }
  127. return nil
  128. }
  129. func (s *ServerConn) authenticate(transcriptDigest []byte) error {
  130. if err := s.setState(stateAuthenticate); err != nil {
  131. return err
  132. }
  133. // Receive the peer's authenticate frame.
  134. // Verify that the peer has signed keys.TranscriptDigest.
  135. // Send an authetication response.
  136. return ErrNotSupported
  137. }
  138. // NewServerConn initializes a ServerConn. Unlike NewClientConn this step may
  139. // and should be done right before Handshake is ready to be called.
  140. func NewServerConn(config *ServerConfig) (*ServerConn, error) {
  141. var err error
  142. if len(config.KEXMethods) == 0 {
  143. panic("basket2: no KEXMethods")
  144. }
  145. if len(config.PaddingMethods) == 0 {
  146. panic("basket2: no PaddingMethods")
  147. }
  148. if config.ReplayFilter == nil {
  149. panic("basket2: no replay filter")
  150. }
  151. if config.ServerPrivateKey == nil {
  152. panic("basket2: no server private key")
  153. }
  154. if config.PaddingParamFn == nil {
  155. config.PaddingParamFn = DefaultPaddingParams
  156. }
  157. s := new(ServerConn)
  158. s.config = config
  159. s.isClient = false
  160. if s.handshakeState, err = handshake.NewServerHandshake(rand.Reader, config.KEXMethods, config.ReplayFilter, config.ServerPrivateKey); err != nil {
  161. return nil, err
  162. }
  163. return s, nil
  164. }
  165. var _ net.Conn = (*ServerConn)(nil)