func newJSONServerState(stateDir string, js *jsonServerState) (err error) {
// Generate everything a server needs, using the cryptographic PRNG.
var st obfs4ServerState
rawID := make([]byte, ntor.NodeIDLength)
if err = csrand.Bytes(rawID); err != nil {
return
}
if st.nodeID, err = ntor.NewNodeID(rawID); err != nil {
return
}
if st.identityKey, err = ntor.NewKeypair(false); err != nil {
return
}
if st.drbgSeed, err = drbg.NewSeed(); err != nil {
return
}
st.iatMode = iatNone
// Encode it into JSON format and write the state file.
js.NodeID = st.nodeID.Hex()
js.PrivateKey = st.identityKey.Private().Hex()
js.PublicKey = st.identityKey.Public().Hex()
js.DrbgSeed = st.drbgSeed.Hex()
js.IATMode = st.iatMode
return writeJSONServerState(stateDir, js)
}
func (cert *obfs4ServerCert) unpack() (*ntor.NodeID, *ntor.PublicKey) {
if len(cert.raw) != certLength {
panic(fmt.Sprintf("cert length %d is invalid", len(cert.raw)))
}
nodeID, _ := ntor.NewNodeID(cert.raw[:ntor.NodeIDLength])
pubKey, _ := ntor.NewPublicKey(cert.raw[ntor.NodeIDLength:])
return nodeID, pubKey
}
func TestHandshakeNtorClient(t *testing.T) {
// Generate the server node id and id keypair, and ephemeral session keys.
nodeID, _ := ntor.NewNodeID([]byte("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13"))
idKeypair, _ := ntor.NewKeypair(false)
serverFilter, _ := replayfilter.New(replayTTL)
clientKeypair, err := ntor.NewKeypair(true)
if err != nil {
t.Fatalf("client: ntor.NewKeypair failed: %s", err)
}
serverKeypair, err := ntor.NewKeypair(true)
if err != nil {
t.Fatalf("server: ntor.NewKeypair failed: %s", err)
}
// Test client handshake padding.
for l := clientMinPadLength; l <= clientMaxPadLength; l++ {
// Generate the client state and override the pad length.
clientHs := newClientHandshake(nodeID, idKeypair.Public(), clientKeypair)
clientHs.padLen = l
// Generate what the client will send to the server.
clientBlob, err := clientHs.generateHandshake()
if err != nil {
t.Fatalf("[%d:0] clientHandshake.generateHandshake() failed: %s", l, err)
}
if len(clientBlob) > maxHandshakeLength {
t.Fatalf("[%d:0] Generated client body is oversized: %d", l, len(clientBlob))
}
if len(clientBlob) < clientMinHandshakeLength {
t.Fatalf("[%d:0] Generated client body is undersized: %d", l, len(clientBlob))
}
if len(clientBlob) != clientMinHandshakeLength+l {
t.Fatalf("[%d:0] Generated client body incorrect size: %d", l, len(clientBlob))
}
// Generate the server state and override the pad length.
serverHs := newServerHandshake(nodeID, idKeypair, serverKeypair)
serverHs.padLen = serverMinPadLength
// Parse the client handshake message.
serverSeed, err := serverHs.parseClientHandshake(serverFilter, clientBlob)
if err != nil {
t.Fatalf("[%d:0] serverHandshake.parseClientHandshake() failed: %s", l, err)
}
// Genrate what the server will send to the client.
serverBlob, err := serverHs.generateHandshake()
if err != nil {
t.Fatalf("[%d:0]: serverHandshake.generateHandshake() failed: %s", l, err)
}
// Parse the server handshake message.
clientHs.serverRepresentative = nil
n, clientSeed, err := clientHs.parseServerHandshake(serverBlob)
if err != nil {
t.Fatalf("[%d:0] clientHandshake.parseServerHandshake() failed: %s", l, err)
}
if n != len(serverBlob) {
t.Fatalf("[%d:0] clientHandshake.parseServerHandshake() has bytes remaining: %d", l, n)
}
// Ensure the derived shared secret is the same.
if 0 != bytes.Compare(clientSeed, serverSeed) {
t.Fatalf("[%d:0] client/server seed mismatch", l)
}
}
// Test oversized client padding.
clientHs := newClientHandshake(nodeID, idKeypair.Public(), clientKeypair)
if err != nil {
t.Fatalf("newClientHandshake failed: %s", err)
}
clientHs.padLen = clientMaxPadLength + 1
clientBlob, err := clientHs.generateHandshake()
if err != nil {
t.Fatalf("clientHandshake.generateHandshake() (forced oversize) failed: %s", err)
}
serverHs := newServerHandshake(nodeID, idKeypair, serverKeypair)
_, err = serverHs.parseClientHandshake(serverFilter, clientBlob)
if err == nil {
t.Fatalf("serverHandshake.parseClientHandshake() succeded (oversized)")
}
// Test undersized client padding.
clientHs.padLen = clientMinPadLength - 1
clientBlob, err = clientHs.generateHandshake()
if err != nil {
t.Fatalf("clientHandshake.generateHandshake() (forced undersize) failed: %s", err)
}
serverHs = newServerHandshake(nodeID, idKeypair, serverKeypair)
_, err = serverHs.parseClientHandshake(serverFilter, clientBlob)
if err == nil {
t.Fatalf("serverHandshake.parseClientHandshake() succeded (undersized)")
}
}
func TestHandshakeNtorServer(t *testing.T) {
// Generate the server node id and id keypair, and ephemeral session keys.
nodeID, _ := ntor.NewNodeID([]byte("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13"))
idKeypair, _ := ntor.NewKeypair(false)
serverFilter, _ := replayfilter.New(replayTTL)
clientKeypair, err := ntor.NewKeypair(true)
if err != nil {
t.Fatalf("client: ntor.NewKeypair failed: %s", err)
}
serverKeypair, err := ntor.NewKeypair(true)
if err != nil {
t.Fatalf("server: ntor.NewKeypair failed: %s", err)
}
// Test server handshake padding.
for l := serverMinPadLength; l <= serverMaxPadLength+inlineSeedFrameLength; l++ {
// Generate the client state and override the pad length.
clientHs := newClientHandshake(nodeID, idKeypair.Public(), clientKeypair)
clientHs.padLen = clientMinPadLength
// Generate what the client will send to the server.
clientBlob, err := clientHs.generateHandshake()
if err != nil {
t.Fatalf("[%d:1] clientHandshake.generateHandshake() failed: %s", l, err)
}
if len(clientBlob) > maxHandshakeLength {
t.Fatalf("[%d:1] Generated client body is oversized: %d", l, len(clientBlob))
}
// Generate the server state and override the pad length.
serverHs := newServerHandshake(nodeID, idKeypair, serverKeypair)
serverHs.padLen = l
// Parse the client handshake message.
serverSeed, err := serverHs.parseClientHandshake(serverFilter, clientBlob)
if err != nil {
t.Fatalf("[%d:1] serverHandshake.parseClientHandshake() failed: %s", l, err)
}
// Genrate what the server will send to the client.
serverBlob, err := serverHs.generateHandshake()
if err != nil {
t.Fatalf("[%d:1]: serverHandshake.generateHandshake() failed: %s", l, err)
}
// Parse the server handshake message.
n, clientSeed, err := clientHs.parseServerHandshake(serverBlob)
if err != nil {
t.Fatalf("[%d:1] clientHandshake.parseServerHandshake() failed: %s", l, err)
}
if n != len(serverBlob) {
t.Fatalf("[%d:1] clientHandshake.parseServerHandshake() has bytes remaining: %d", l, n)
}
// Ensure the derived shared secret is the same.
if 0 != bytes.Compare(clientSeed, serverSeed) {
t.Fatalf("[%d:1] client/server seed mismatch", l)
}
}
// Test oversized client padding.
clientHs := newClientHandshake(nodeID, idKeypair.Public(), clientKeypair)
if err != nil {
t.Fatalf("newClientHandshake failed: %s", err)
}
clientHs.padLen = clientMaxPadLength + 1
clientBlob, err := clientHs.generateHandshake()
if err != nil {
t.Fatalf("clientHandshake.generateHandshake() (forced oversize) failed: %s", err)
}
serverHs := newServerHandshake(nodeID, idKeypair, serverKeypair)
_, err = serverHs.parseClientHandshake(serverFilter, clientBlob)
if err == nil {
t.Fatalf("serverHandshake.parseClientHandshake() succeded (oversized)")
}
// Test undersized client padding.
clientHs.padLen = clientMinPadLength - 1
clientBlob, err = clientHs.generateHandshake()
if err != nil {
t.Fatalf("clientHandshake.generateHandshake() (forced undersize) failed: %s", err)
}
serverHs = newServerHandshake(nodeID, idKeypair, serverKeypair)
_, err = serverHs.parseClientHandshake(serverFilter, clientBlob)
if err == nil {
t.Fatalf("serverHandshake.parseClientHandshake() succeded (undersized)")
}
// Test oversized server padding.
//
// NB: serverMaxPadLength isn't the real maxPadLength that triggers client
// rejection, because the implementation is written with the asusmption
// that the PRNG_SEED is also inlined with the response. Thus the client
// actually accepts longer padding. The server handshake test and this
// test adjust around that.
clientHs.padLen = clientMinPadLength
clientBlob, err = clientHs.generateHandshake()
if err != nil {
t.Fatalf("clientHandshake.generateHandshake() failed: %s", err)
}
serverHs = newServerHandshake(nodeID, idKeypair, serverKeypair)
serverHs.padLen = serverMaxPadLength + inlineSeedFrameLength + 1
_, err = serverHs.parseClientHandshake(serverFilter, clientBlob)
if err != nil {
t.Fatalf("serverHandshake.parseClientHandshake() failed: %s", err)
}
serverBlob, err := serverHs.generateHandshake()
if err != nil {
t.Fatalf("serverHandshake.generateHandshake() (forced oversize) failed: %s", err)
}
_, _, err = clientHs.parseServerHandshake(serverBlob)
if err == nil {
t.Fatalf("clientHandshake.parseServerHandshake() succeded (oversized)")
}
}
