kirillius
/
Cloak
mirror of https://github.com/cbeuw/Cloak
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improve the security of header obfuscation

This commit is contained in:
Qian Wang 2019-06-14 19:48:59 +10:00
parent f525643518
commit 078a382963
2 changed files with 49 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
internal/multiplex/crypto.go
View File

@ -7,17 +7,19 @@ import (
) )
type Crypto interface { type Crypto interface {
encrypt([]byte) ([]byte, error) encrypt([]byte, []byte) ([]byte, error)
decrypt([]byte) ([]byte, error) decrypt([]byte, []byte) ([]byte, error)
} }
type Plain struct{} type Plain struct{}
func (p *Plain) encrypt(plaintext []byte) ([]byte, error) { func (p *Plain) encrypt(plaintext []byte, nonce []byte) ([]byte, error) {
return plaintext, nil salt := make([]byte, 16)
rand.Read(salt)
return append(plaintext, salt...), nil
} }
func (p *Plain) decrypt(buf []byte) ([]byte, error) { func (p *Plain) decrypt(buf []byte, nonce []byte) ([]byte, error) {
return buf, nil return buf, nil
} }
@ -36,26 +38,23 @@ func MakeAESCipher(key []byte) (*AES, error) {
return &ret, nil return &ret, nil
} }
func (a *AES) encrypt(plaintext []byte) ([]byte, error) { func (a *AES) encrypt(plaintext []byte, nonce []byte) ([]byte, error) {
nonce := make([]byte, 12)
rand.Read(nonce)
aesgcm, err := cipher.NewGCM(a.cipher) aesgcm, err := cipher.NewGCM(a.cipher)
if err != nil { if err != nil {
return nil, err return nil, err
} }
ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil) ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
ret := make([]byte, 12+len(plaintext)+16) ret := make([]byte, len(plaintext)+16)
copy(ret[:12], nonce) copy(ret, ciphertext)
copy(ret[12:], ciphertext)
return ret, nil return ret, nil
} }
func (a *AES) decrypt(buf []byte) ([]byte, error) { func (a *AES) decrypt(ciphertext []byte, nonce []byte) ([]byte, error) {
aesgcm, err := cipher.NewGCM(a.cipher) aesgcm, err := cipher.NewGCM(a.cipher)
if err != nil { if err != nil {
return nil, err return nil, err
} }
plain, err := aesgcm.Open(nil, buf[:12], buf[12:], nil) plain, err := aesgcm.Open(nil, nonce, ciphertext, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }

60
internal/multiplex/obfs.go
View File

@ -5,37 +5,46 @@ import (
"crypto/sha1" "crypto/sha1"
"encoding/binary" "encoding/binary"
"errors" "errors"
"io"
) )
type Obfser func(*Frame) ([]byte, error) type Obfser func(*Frame) ([]byte, error)
type Deobfser func([]byte) (*Frame, error) type Deobfser func([]byte) (*Frame, error)
var u32 = binary.BigEndian.Uint32 var u32 = binary.BigEndian.Uint32
var putU32 = binary.BigEndian.PutUint32
const headerLen = 12 const headerLen = 12
func genXorKeys(key, nonce []byte) (i uint32, ii uint32, iii uint8) { func genXorKey(key, salt []byte) []byte {
h := sha1.New() h := sha1.New()
hashed := h.Sum(append(key, nonce...)) h.Write(append(key, salt...))
return u32(hashed[0:4]), u32(hashed[4:8]), hashed[8] return h.Sum(nil)[:12]
}
func xor(a []byte, b []byte) {
for i := range a {
a[i] ^= b[i]
}
} }
func MakeObfs(key []byte, algo Crypto) Obfser { func MakeObfs(key []byte, algo Crypto) Obfser {
obfs := func(f *Frame) ([]byte, error) { obfs := func(f *Frame) ([]byte, error) {
obfsedHeader := make([]byte, headerLen) // header: [StreamID 4 bytes][Seq 4 bytes][Closing 1 byte][random 3 bytes]
// header: [StreamID 4 bytes][Seq 4 bytes][Closing 1 byte][Nonce 3 bytes] header := make([]byte, headerLen)
io.ReadFull(rand.Reader, obfsedHeader[9:12]) putU32(header[0:4], f.StreamID)
i, ii, iii := genXorKeys(key, obfsedHeader[9:12]) putU32(header[4:8], f.Seq)
binary.BigEndian.PutUint32(obfsedHeader[0:4], f.StreamID^i) header[8] = f.Closing
binary.BigEndian.PutUint32(obfsedHeader[4:8], f.Seq^ii) rand.Read(header[9:12])
obfsedHeader[8] = f.Closing ^ iii
encryptedPayload, err := algo.encrypt(f.Payload) encryptedPayload, err := algo.encrypt(f.Payload, header)
if err != nil { if err != nil {
return nil, err return nil, err
} }
salt := encryptedPayload[len(encryptedPayload)-16:]
xorKey := genXorKey(key, salt)
xor(header, xorKey)
// Composing final obfsed message // Composing final obfsed message
// We don't use util.AddRecordLayer here to avoid unnecessary malloc // We don't use util.AddRecordLayer here to avoid unnecessary malloc
obfsed := make([]byte, 5+headerLen+len(encryptedPayload)) obfsed := make([]byte, 5+headerLen+len(encryptedPayload))
@ -43,9 +52,9 @@ func MakeObfs(key []byte, algo Crypto) Obfser {
obfsed[1] = 0x03 obfsed[1] = 0x03
obfsed[2] = 0x03 obfsed[2] = 0x03
binary.BigEndian.PutUint16(obfsed[3:5], uint16(headerLen+len(encryptedPayload))) binary.BigEndian.PutUint16(obfsed[3:5], uint16(headerLen+len(encryptedPayload)))
copy(obfsed[5:5+headerLen], obfsedHeader) copy(obfsed[5:5+headerLen], header)
copy(obfsed[5+headerLen:], encryptedPayload) copy(obfsed[5+headerLen:], encryptedPayload)
// obfsed: [record layer 5 bytes][cipherheader 12 bytes][payload] // obfsed: [record layer 5 bytes][obfsedheader 12 bytes][payload]
return obfsed, nil return obfsed, nil
} }
return obfs return obfs
@ -53,18 +62,23 @@ func MakeObfs(key []byte, algo Crypto) Obfser {
func MakeDeobfs(key []byte, algo Crypto) Deobfser { func MakeDeobfs(key []byte, algo Crypto) Deobfser {
deobfs := func(in []byte) (*Frame, error) { deobfs := func(in []byte) (*Frame, error) {
if len(in) < 5+headerLen { if len(in) < 5+headerLen+16 {
return nil, errors.New("Input cannot be shorter than 17 bytes") return nil, errors.New("Input cannot be shorter than 33 bytes")
} }
peeled := in[5:] peeled := in[5:]
i, ii, iii := genXorKeys(key, peeled[9:12])
streamID := u32(peeled[0:4]) ^ i
seq := u32(peeled[4:8]) ^ ii
closing := peeled[8] ^ iii
rawPayload := make([]byte, len(peeled)-headerLen) header := peeled[0:12]
copy(rawPayload, peeled[headerLen:]) payload := peeled[12:]
decryptedPayload, err := algo.decrypt(rawPayload) salt := peeled[len(peeled)-16:]
xorKey := genXorKey(key, salt)
xor(header, xorKey)
streamID := u32(header[0:4])
seq := u32(header[4:8])
closing := header[8]
decryptedPayload, err := algo.decrypt(payload, header)
if err != nil { if err != nil {
return nil, err return nil, err
} }