func (sf *obfs4ServerFactory) WrapConn(conn net.Conn) (net.Conn, error) {
// Not much point in having a separate newObfs4ServerConn routine when
// wrapping requires using values from the factory instance.
// Generate the session keypair *before* consuming data from the peer, to
// attempt to mask the rejection sampling due to use of Elligator2. This
// might be futile, but the timing differential isn't very large on modern
// hardware, and there are far easier statistical attacks that can be
// mounted as a distinguisher.
sessionKey, err := ntor.NewKeypair(true)
if err != nil {
return nil, err
}
lenDist := probdist.New(sf.lenSeed, 0, framing.MaximumSegmentLength, biasedDist)
var iatDist *probdist.WeightedDist
if sf.iatSeed != nil {
iatDist = probdist.New(sf.iatSeed, 0, maxIATDelay, biasedDist)
}
c := &obfs4Conn{conn, true, lenDist, iatDist, sf.iatMode, bytes.NewBuffer(nil), bytes.NewBuffer(nil), nil, nil}
startTime := time.Now()
if err = c.serverHandshake(sf, sessionKey); err != nil {
c.closeAfterDelay(sf, startTime)
return nil, err
}
return c, nil
}
func newJSONServerState(stateDir string, js *jsonServerState) (err error) {
// Generate everything a server needs, using the cryptographic PRNG.
var st obfs4ServerState
rawID := make([]byte, ntor.NodeIDLength)
if err = csrand.Bytes(rawID); err != nil {
return
}
if st.nodeID, err = ntor.NewNodeID(rawID); err != nil {
return
}
if st.identityKey, err = ntor.NewKeypair(false); err != nil {
return
}
if st.drbgSeed, err = drbg.NewSeed(); err != nil {
return
}
st.iatMode = iatNone
// Encode it into JSON format and write the state file.
js.NodeID = st.nodeID.Hex()
js.PrivateKey = st.identityKey.Private().Hex()
js.PublicKey = st.identityKey.Public().Hex()
js.DrbgSeed = st.drbgSeed.Hex()
js.IATMode = st.iatMode
return writeJSONServerState(stateDir, js)
}
func (cf *obfs4ClientFactory) ParseArgs(args *pt.Args) (interface{}, error) {
var nodeID *ntor.NodeID
var publicKey *ntor.PublicKey
// The "new" (version >= 0.0.3) bridge lines use a unified "cert" argument
// for the Node ID and Public Key.
certStr, ok := args.Get(certArg)
if ok {
cert, err := serverCertFromString(certStr)
if err != nil {
return nil, err
}
nodeID, publicKey = cert.unpack()
} else {
// The "old" style (version <= 0.0.2) bridge lines use separate Node ID
// and Public Key arguments in Base16 encoding and are a UX disaster.
nodeIDStr, ok := args.Get(nodeIDArg)
if !ok {
return nil, fmt.Errorf("missing argument '%s'", nodeIDArg)
}
var err error
if nodeID, err = ntor.NodeIDFromHex(nodeIDStr); err != nil {
return nil, err
}
publicKeyStr, ok := args.Get(publicKeyArg)
if !ok {
return nil, fmt.Errorf("missing argument '%s'", publicKeyArg)
}
if publicKey, err = ntor.PublicKeyFromHex(publicKeyStr); err != nil {
return nil, err
}
}
// IAT config is common across the two bridge line formats.
iatStr, ok := args.Get(iatArg)
if !ok {
return nil, fmt.Errorf("missing argument '%s'", iatArg)
}
iatMode, err := strconv.Atoi(iatStr)
if err != nil || iatMode < iatNone || iatMode > iatParanoid {
return nil, fmt.Errorf("invalid iat-mode '%d'", iatMode)
}
// Generate the session key pair before connectiong to hide the Elligator2
// rejection sampling from network observers.
sessionKey, err := ntor.NewKeypair(true)
if err != nil {
return nil, err
}
return &obfs4ClientArgs{nodeID, publicKey, sessionKey, iatMode}, nil
}
func TestHandshakeNtorClient(t *testing.T) {
// Generate the server node id and id keypair, and ephemeral session keys.
nodeID, _ := ntor.NewNodeID([]byte("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13"))
idKeypair, _ := ntor.NewKeypair(false)
serverFilter, _ := replayfilter.New(replayTTL)
clientKeypair, err := ntor.NewKeypair(true)
if err != nil {
t.Fatalf("client: ntor.NewKeypair failed: %s", err)
}
serverKeypair, err := ntor.NewKeypair(true)
if err != nil {
t.Fatalf("server: ntor.NewKeypair failed: %s", err)
}
// Test client handshake padding.
for l := clientMinPadLength; l <= clientMaxPadLength; l++ {
// Generate the client state and override the pad length.
clientHs := newClientHandshake(nodeID, idKeypair.Public(), clientKeypair)
clientHs.padLen = l
// Generate what the client will send to the server.
clientBlob, err := clientHs.generateHandshake()
if err != nil {
t.Fatalf("[%d:0] clientHandshake.generateHandshake() failed: %s", l, err)
}
if len(clientBlob) > maxHandshakeLength {
t.Fatalf("[%d:0] Generated client body is oversized: %d", l, len(clientBlob))
}
if len(clientBlob) < clientMinHandshakeLength {
t.Fatalf("[%d:0] Generated client body is undersized: %d", l, len(clientBlob))
}
if len(clientBlob) != clientMinHandshakeLength+l {
t.Fatalf("[%d:0] Generated client body incorrect size: %d", l, len(clientBlob))
}
// Generate the server state and override the pad length.
serverHs := newServerHandshake(nodeID, idKeypair, serverKeypair)
serverHs.padLen = serverMinPadLength
// Parse the client handshake message.
serverSeed, err := serverHs.parseClientHandshake(serverFilter, clientBlob)
if err != nil {
t.Fatalf("[%d:0] serverHandshake.parseClientHandshake() failed: %s", l, err)
}
// Genrate what the server will send to the client.
serverBlob, err := serverHs.generateHandshake()
if err != nil {
t.Fatalf("[%d:0]: serverHandshake.generateHandshake() failed: %s", l, err)
}
// Parse the server handshake message.
clientHs.serverRepresentative = nil
n, clientSeed, err := clientHs.parseServerHandshake(serverBlob)
if err != nil {
t.Fatalf("[%d:0] clientHandshake.parseServerHandshake() failed: %s", l, err)
}
if n != len(serverBlob) {
t.Fatalf("[%d:0] clientHandshake.parseServerHandshake() has bytes remaining: %d", l, n)
}
// Ensure the derived shared secret is the same.
if 0 != bytes.Compare(clientSeed, serverSeed) {
t.Fatalf("[%d:0] client/server seed mismatch", l)
}
}
// Test oversized client padding.
clientHs := newClientHandshake(nodeID, idKeypair.Public(), clientKeypair)
if err != nil {
t.Fatalf("newClientHandshake failed: %s", err)
}
clientHs.padLen = clientMaxPadLength + 1
clientBlob, err := clientHs.generateHandshake()
if err != nil {
t.Fatalf("clientHandshake.generateHandshake() (forced oversize) failed: %s", err)
}
serverHs := newServerHandshake(nodeID, idKeypair, serverKeypair)
_, err = serverHs.parseClientHandshake(serverFilter, clientBlob)
if err == nil {
t.Fatalf("serverHandshake.parseClientHandshake() succeded (oversized)")
}
// Test undersized client padding.
clientHs.padLen = clientMinPadLength - 1
clientBlob, err = clientHs.generateHandshake()
if err != nil {
t.Fatalf("clientHandshake.generateHandshake() (forced undersize) failed: %s", err)
}
serverHs = newServerHandshake(nodeID, idKeypair, serverKeypair)
_, err = serverHs.parseClientHandshake(serverFilter, clientBlob)
if err == nil {
t.Fatalf("serverHandshake.parseClientHandshake() succeded (undersized)")
}
}
func TestHandshakeNtorServer(t *testing.T) {
// Generate the server node id and id keypair, and ephemeral session keys.
nodeID, _ := ntor.NewNodeID([]byte("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13"))
idKeypair, _ := ntor.NewKeypair(false)
serverFilter, _ := replayfilter.New(replayTTL)
clientKeypair, err := ntor.NewKeypair(true)
if err != nil {
t.Fatalf("client: ntor.NewKeypair failed: %s", err)
}
serverKeypair, err := ntor.NewKeypair(true)
if err != nil {
t.Fatalf("server: ntor.NewKeypair failed: %s", err)
}
// Test server handshake padding.
for l := serverMinPadLength; l <= serverMaxPadLength+inlineSeedFrameLength; l++ {
// Generate the client state and override the pad length.
clientHs := newClientHandshake(nodeID, idKeypair.Public(), clientKeypair)
clientHs.padLen = clientMinPadLength
// Generate what the client will send to the server.
clientBlob, err := clientHs.generateHandshake()
if err != nil {
t.Fatalf("[%d:1] clientHandshake.generateHandshake() failed: %s", l, err)
}
if len(clientBlob) > maxHandshakeLength {
t.Fatalf("[%d:1] Generated client body is oversized: %d", l, len(clientBlob))
}
// Generate the server state and override the pad length.
serverHs := newServerHandshake(nodeID, idKeypair, serverKeypair)
serverHs.padLen = l
// Parse the client handshake message.
serverSeed, err := serverHs.parseClientHandshake(serverFilter, clientBlob)
if err != nil {
t.Fatalf("[%d:1] serverHandshake.parseClientHandshake() failed: %s", l, err)
}
// Genrate what the server will send to the client.
serverBlob, err := serverHs.generateHandshake()
if err != nil {
t.Fatalf("[%d:1]: serverHandshake.generateHandshake() failed: %s", l, err)
}
// Parse the server handshake message.
n, clientSeed, err := clientHs.parseServerHandshake(serverBlob)
if err != nil {
t.Fatalf("[%d:1] clientHandshake.parseServerHandshake() failed: %s", l, err)
}
if n != len(serverBlob) {
t.Fatalf("[%d:1] clientHandshake.parseServerHandshake() has bytes remaining: %d", l, n)
}
// Ensure the derived shared secret is the same.
if 0 != bytes.Compare(clientSeed, serverSeed) {
t.Fatalf("[%d:1] client/server seed mismatch", l)
}
}
// Test oversized client padding.
clientHs := newClientHandshake(nodeID, idKeypair.Public(), clientKeypair)
if err != nil {
t.Fatalf("newClientHandshake failed: %s", err)
}
clientHs.padLen = clientMaxPadLength + 1
clientBlob, err := clientHs.generateHandshake()
if err != nil {
t.Fatalf("clientHandshake.generateHandshake() (forced oversize) failed: %s", err)
}
serverHs := newServerHandshake(nodeID, idKeypair, serverKeypair)
_, err = serverHs.parseClientHandshake(serverFilter, clientBlob)
if err == nil {
t.Fatalf("serverHandshake.parseClientHandshake() succeded (oversized)")
}
// Test undersized client padding.
clientHs.padLen = clientMinPadLength - 1
clientBlob, err = clientHs.generateHandshake()
if err != nil {
t.Fatalf("clientHandshake.generateHandshake() (forced undersize) failed: %s", err)
}
serverHs = newServerHandshake(nodeID, idKeypair, serverKeypair)
_, err = serverHs.parseClientHandshake(serverFilter, clientBlob)
if err == nil {
t.Fatalf("serverHandshake.parseClientHandshake() succeded (undersized)")
}
// Test oversized server padding.
//
// NB: serverMaxPadLength isn't the real maxPadLength that triggers client
// rejection, because the implementation is written with the asusmption
// that the PRNG_SEED is also inlined with the response. Thus the client
// actually accepts longer padding. The server handshake test and this
// test adjust around that.
clientHs.padLen = clientMinPadLength
clientBlob, err = clientHs.generateHandshake()
if err != nil {
t.Fatalf("clientHandshake.generateHandshake() failed: %s", err)
}
serverHs = newServerHandshake(nodeID, idKeypair, serverKeypair)
serverHs.padLen = serverMaxPadLength + inlineSeedFrameLength + 1
_, err = serverHs.parseClientHandshake(serverFilter, clientBlob)
if err != nil {
t.Fatalf("serverHandshake.parseClientHandshake() failed: %s", err)
}
serverBlob, err := serverHs.generateHandshake()
if err != nil {
t.Fatalf("serverHandshake.generateHandshake() (forced oversize) failed: %s", err)
}
_, _, err = clientHs.parseServerHandshake(serverBlob)
if err == nil {
t.Fatalf("clientHandshake.parseServerHandshake() succeded (oversized)")
}
}