kirillius
/
Cloak
mirror of https://github.com/cbeuw/Cloak
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use a sessional ephemeral key as the main key instead of UID for forward security

This commit is contained in:
Qian Wang 2019-06-16 00:20:55 +10:00
parent 4a4879ea37
commit d781c7b1be
5 changed files with 24 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
cmd/ck-client/ck-client.go
View File

@ -200,9 +200,10 @@ start:
} }
} }
obfs := mux.MakeObfs(sta.UID, crypto) sessionKey := make([]byte, 32)
deobfs := mux.MakeDeobfs(sta.UID, crypto) rand.Read(sessionKey)
sesh := mux.MakeSession(sessionID, valve, obfs, deobfs, util.ReadTLS) sta.SessionKey = sessionKey
sesh := mux.MakeSession(sessionID, valve, mux.MakeObfs(sta.SessionKey, crypto), mux.MakeDeobfs(sta.SessionKey, crypto), util.ReadTLS)
var wg sync.WaitGroup var wg sync.WaitGroup
for i := 0; i < sta.NumConn; i++ { for i := 0; i < sta.NumConn; i++ {

4
cmd/ck-server/ck-server.go
View File

@ -70,7 +70,7 @@ func dispatchConnection(conn net.Conn, sta *server.State) {
return return
} }
isCloak, UID, sessionID, proxyMethod, encryptionMethod := server.TouchStone(ch, sta) isCloak, UID, sessionID, proxyMethod, encryptionMethod, sessionKey := server.TouchStone(ch, sta)
if !isCloak { if !isCloak {
log.Printf("+1 non Cloak TLS traffic from %v\n", conn.RemoteAddr()) log.Printf("+1 non Cloak TLS traffic from %v\n", conn.RemoteAddr())
goWeb(data) goWeb(data)
@ -173,7 +173,7 @@ func dispatchConnection(conn net.Conn, sta *server.State) {
return return
} }
sesh, existing, err := user.GetSession(sessionID, mux.MakeObfs(UID, crypto), mux.MakeDeobfs(UID, crypto), util.ReadTLS) sesh, existing, err := user.GetSession(sessionID, mux.MakeObfs(sessionKey, crypto), mux.MakeDeobfs(sessionKey, crypto), util.ReadTLS)
if err != nil { if err != nil {
user.DelSession(sessionID) user.DelSession(sessionID)
log.Println(err) log.Println(err)

9
internal/client/auth.go
View File

@ -34,7 +34,7 @@ func MakeRandomField(sta *State) []byte {
} }
func MakeSessionTicket(sta *State) []byte { func MakeSessionTicket(sta *State) []byte {
// sessionTicket: [marshalled ephemeral pub key 32 bytes][encrypted UID+sessionID 36 bytes, proxy method 16 bytes, encryption method 1 byte][16 bytes authentication tag][padding 91 bytes] // sessionTicket: [marshalled ephemeral pub key 32 bytes][encrypted UID+sessionID 36 bytes, proxy method 16 bytes, encryption method 1 byte, sessionKey 32 bytes][16 bytes authentication tag][padding 59 bytes]
// The first 12 bytes of the marshalled ephemeral public key is used as the nonce // The first 12 bytes of the marshalled ephemeral public key is used as the nonce
// for encrypting the UID // for encrypting the UID
tthInterval := sta.Now().Unix() / int64(sta.TicketTimeHint) tthInterval := sta.Now().Unix() / int64(sta.TicketTimeHint)
@ -53,14 +53,15 @@ func MakeSessionTicket(sta *State) []byte {
copy(ticket[0:32], ecdh.Marshal(ephKP.PublicKey)) copy(ticket[0:32], ecdh.Marshal(ephKP.PublicKey))
key := ecdh.GenerateSharedSecret(ephKP.PrivateKey, sta.staticPub) key := ecdh.GenerateSharedSecret(ephKP.PrivateKey, sta.staticPub)
plain := make([]byte, 53) plain := make([]byte, 85)
copy(plain, sta.UID) copy(plain, sta.UID)
binary.BigEndian.PutUint32(plain[32:36], sta.sessionID) binary.BigEndian.PutUint32(plain[32:36], sta.sessionID)
copy(plain[36:52], []byte(sta.ProxyMethod)) copy(plain[36:52], []byte(sta.ProxyMethod))
plain[52] = sta.EncryptionMethod plain[52] = sta.EncryptionMethod
copy(plain[53:85], sta.SessionKey)
cipher, _ := util.AESGCMEncrypt(ticket[0:12], key, plain) cipher, _ := util.AESGCMEncrypt(ticket[0:12], key, plain)
copy(ticket[32:101], cipher) copy(ticket[32:133], cipher)
// The purpose of adding sessionID is that, the generated padding of sessionTicket needs to be unpredictable. // The purpose of adding sessionID is that, the generated padding of sessionTicket needs to be unpredictable.
// As shown in auth.go, the padding is generated by a psudo random generator. The seed // As shown in auth.go, the padding is generated by a psudo random generator. The seed
// needs to be the same for each TicketTimeHint interval. However the value of epoch/TicketTimeHint // needs to be the same for each TicketTimeHint interval. However the value of epoch/TicketTimeHint
@ -71,6 +72,6 @@ func MakeSessionTicket(sta *State) []byte {
// With the sessionID value generated at startup of ckclient and used as a part of the seed, the // With the sessionID value generated at startup of ckclient and used as a part of the seed, the
// sessionTicket is still identical for each TicketTimeHint interval, but others won't be able to know // sessionTicket is still identical for each TicketTimeHint interval, but others won't be able to know
// how it was generated. It will also be different for each client. // how it was generated. It will also be different for each client.
copy(ticket[101:192], util.PsudoRandBytes(91, tthInterval+int64(sta.sessionID))) copy(ticket[133:192], util.PsudoRandBytes(59, tthInterval+int64(sta.sessionID)))
return ticket return ticket
} }

1
internal/client/state.go
View File

@ -33,6 +33,7 @@ type State struct {
Now func() time.Time Now func() time.Time
sessionID uint32 sessionID uint32
SessionKey []byte
UID []byte UID []byte
staticPub crypto.PublicKey staticPub crypto.PublicKey
keyPairsM sync.RWMutex keyPairsM sync.RWMutex

12
internal/server/auth.go
View File

@ -12,15 +12,15 @@ import (
) )
// input ticket, return UID // input ticket, return UID
func decryptSessionTicket(staticPv crypto.PrivateKey, ticket []byte) ([]byte, uint32, string, byte) { func decryptSessionTicket(staticPv crypto.PrivateKey, ticket []byte) ([]byte, uint32, string, byte, []byte) {
ephPub, _ := ecdh.Unmarshal(ticket[0:32]) ephPub, _ := ecdh.Unmarshal(ticket[0:32])
key := ecdh.GenerateSharedSecret(staticPv, ephPub) key := ecdh.GenerateSharedSecret(staticPv, ephPub)
plain, err := util.AESGCMDecrypt(ticket[0:12], key, ticket[32:101]) plain, err := util.AESGCMDecrypt(ticket[0:12], key, ticket[32:133])
if err != nil { if err != nil {
return nil, 0, "", 0x00 return nil, 0, "", 0x00, nil
} }
sessionID := binary.BigEndian.Uint32(plain[32:36]) sessionID := binary.BigEndian.Uint32(plain[32:36])
return plain[0:32], sessionID, string(bytes.Trim(plain[36:52], "\x00")), plain[52] return plain[0:32], sessionID, string(bytes.Trim(plain[36:52], "\x00")), plain[52], plain[53:85]
} }
func validateRandom(random []byte, UID []byte, time int64) bool { func validateRandom(random []byte, UID []byte, time int64) bool {
@ -35,7 +35,7 @@ func validateRandom(random []byte, UID []byte, time int64) bool {
h.Write(preHash) h.Write(preHash)
return bytes.Equal(h.Sum(nil)[0:16], random[16:32]) return bytes.Equal(h.Sum(nil)[0:16], random[16:32])
} }
func TouchStone(ch *ClientHello, sta *State) (isCK bool, UID []byte, sessionID uint32, proxyMethod string, encryptionMethod byte) { func TouchStone(ch *ClientHello, sta *State) (isCK bool, UID []byte, sessionID uint32, proxyMethod string, encryptionMethod byte, sessionKey []byte) {
var random [32]byte var random [32]byte
copy(random[:], ch.random) copy(random[:], ch.random)
@ -53,7 +53,7 @@ func TouchStone(ch *ClientHello, sta *State) (isCK bool, UID []byte, sessionID u
if len(ticket) < 68 { if len(ticket) < 68 {
return return
} }
UID, sessionID, proxyMethod, encryptionMethod = decryptSessionTicket(sta.staticPv, ticket) UID, sessionID, proxyMethod, encryptionMethod, sessionKey = decryptSessionTicket(sta.staticPv, ticket)
if len(UID) < 32 { if len(UID) < 32 {
return return
} }