v0.9.11 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: May 2, 2024 License: MIT Imports: 36 Imported by: 0



Copyright (c) 2017-2020 Russell Magee Licensed under the terms of the MIT license (see LICENSE.mit in this distribution)

golang implementation by Russ Magee (rmagee_at_gmail.com)



View Source
const (
	KEX_HERRADURA256 = iota // this MUST be first for default if omitted in ctor
	KEX_NEWHOPE_SIMPLE // 'NewHopeLP-Simple' - https://eprint.iacr.org/2016/1157
	KEX_invalid = 255

KEX algorithm values

Specified (in string form) as the extensions parameter to xsnet.Dial() Alg is sent in a uint8 so there are up to 256 possible

View Source
const (
	CSENone            = 1024 + iota
	CSETruncCSO        // No CSOExitStatus in payload
	CSEStillOpen       // Channel closed unexpectedly
	CSEExecFail        // cmd.Start() (exec) failed
	CSEPtyExecFail     // pty.Start() (exec w/pty) failed
	CSEPtyGetNameFail  // failed to obtain pty name
	CSEKEXAlgDenied    // server rejected proposed KEX alg
	CSECipherAlgDenied // server rejected proposed Cipher alg
	CSEHMACAlgDenied   // server rejected proposed HMAC alg
	CSEConnDead        // connection keepalives expired

Extended exit status codes - indicate comm/pty issues rather than remote end normal UNIX exit codes

View Source
const (
	// Main connection/session control
	CSONone        = iota // No error, normal packet
	CSOHmacInvalid        // HMAC mismatch detected on remote end
	CSOTermSize           // set term size (rows:cols)
	CSOExitStatus         // Remote cmd exit status
	CSOChaff              // Dummy packet, do not pass beyond decryption

	// Tunnel setup/control/status
	CSOTunSetup     // client -> server tunnel setup request (dstport)
	CSOTunSetupAck  // server -> client tunnel setup ack
	CSOTunRefused   // server -> client: tunnel rport connection refused
	CSOTunData      // packet contains tunnel data [rport:data]
	CSOTunKeepAlive // client tunnel heartbeat
	CSOTunDisconn   // server -> client: tunnel rport disconnected
	CSOTunHangup    // client -> server: tunnel lport hung up
	CSOKeepAlive    // bidir keepalive packet to monitor main connection
	CSORekey        // TODO: rekey/re-select session cipher/hash algs

Channel Status/Op bytes - packet types

View Source
const (
	TunCtl_Client_Listen = 'a'

	TunCtl_Server_Dial = 'd' // server has dialled OK, client side can accept() conns


TunEndpoint.tunCtl control values - used to control workers for client or server tunnels depending on the code

View Source
const (
	CAlgAES256     = iota
	CAlgTwofish128 // golang.org/x/crypto/twofish
	CAlgBlowfish64 // golang.org/x/crypto/blowfish
	CAlgCryptMT1   //cryptmt using mtwist64

Session symmetric crypto algs

View Source
const (
	HmacSHA256 = iota

Session packet auth HMAC algs

View Source
const (
	CONone              = iota
	CORemodulateShields // if set, rekeying also reselects random cipher/hmac alg

Conn opts outside of basic kex/cipher/hmac connect config

View Source
const (
	REKEY_SECS_MIN       = 1
	REKEY_SECS_MAX       = 28800 // 8 hours
	CHAFF_FREQ_MSECS_MAX = 300000 // 5 minutes

Some bounds-checking consts

View Source
const (
	KCP_NONE = iota
View Source
const HMAC_CHK_SZ = 8 // leading bytes of HMAC to xmit for verification
View Source
const MAX_PAYLOAD_LEN = 2*1024*1024*1024 - 1

TODO: this should be small (max unfragmented packet size?)

View Source
const PAD_SZ = 32 // max size of padding applied to each packet


View Source
const XS_ID_AUTHTOKFILE = ".config/xs/.xs_id"


View Source
var (
	Log *logger.Writer // reg. syslog output (no -d)


func FrodoKEMAcceptSetup

func FrodoKEMAcceptSetup(c *net.Conn, hc *Conn) (err error)

func FrodoKEMDialSetup

func FrodoKEMDialSetup(c io.ReadWriter, hc *Conn) (err error)

func HKExAcceptSetup

func HKExAcceptSetup(c *net.Conn, hc *Conn) (err error)

func HKExDialSetup

func HKExDialSetup(c io.ReadWriter, hc *Conn) (err error)

func Init

func Init(d bool, c string, f logger.Priority)

func KyberAcceptSetup

func KyberAcceptSetup(c *net.Conn, hc *Conn) (err error)

func KyberDialSetup

func KyberDialSetup(c io.ReadWriter, hc *Conn) (err error)

func NewHopeAcceptSetup

func NewHopeAcceptSetup(c *net.Conn, hc *Conn) (err error)

func NewHopeDialSetup

func NewHopeDialSetup(c io.ReadWriter, hc *Conn) (err error)

func NewHopeSimpleAcceptSetup

func NewHopeSimpleAcceptSetup(c *net.Conn, hc *Conn) (err error)

func NewHopeSimpleDialSetup

func NewHopeSimpleDialSetup(c io.ReadWriter, hc *Conn) (err error)

func SetKCPKeyAndSalt

func SetKCPKeyAndSalt(key []byte, salt []byte)


type COValue added in v0.9.7

type COValue uint32

type CSCipherAlg

type CSCipherAlg uint32

Available ciphers for hkex.Conn

func (*CSCipherAlg) String

func (c *CSCipherAlg) String() string

type CSExtendedCode

type CSExtendedCode uint32

Extended (>255 UNIX exit status) codes This indicate channel-related or internal errors

type CSHmacAlg

type CSHmacAlg uint32

Available HMACs for hkex.Conn

func (*CSHmacAlg) String

func (h *CSHmacAlg) String() string

type CSOType

type CSOType uint32

Channel status Op byte type (see CSONone, ... and CSENone, ...)

type ChaffConfig

type ChaffConfig struct {
	// contains filtered or unexported fields

chaffconfig captures attributes used to send chaff packets betwixt client and server connections, to obscure true traffic timing and patterns see: https://en.wikipedia.org/wiki/chaff_(countermeasure)

type Conn

type Conn struct {
	WinCh chan WinSize
	Rows  uint16
	Cols  uint16

	Pproc int // proc ID of command run on this conn
	// contains filtered or unexported fields

Conn is a connection wrapping net.Conn with KEX & session state

func Dial

func Dial(protocol string, ipport string, extensions ...string) (hc Conn, err error)

Dial as net.Dial(), but with implicit key exchange to set up secure channel on connect

Can be called like net.Dial(), defaulting to C_AES_256/H_SHA256,
or additional extensions can be passed amongst the following:

"C_AES_256" | "C_TWOFISH_128" | ...

"H_SHA256" | "H_SHA512" | ...

See go doc -u xsnet.applyConnExtensions

func (*Conn) AgeTunnel

func (hc *Conn) AgeTunnel(endp uint16) uint32

func (*Conn) CAlg

func (hc *Conn) CAlg() CSCipherAlg

func (*Conn) Close

func (hc *Conn) Close() (err error)

Close a hkex.Conn

func (*Conn) CollapseAllTunnels

func (hc *Conn) CollapseAllTunnels(client bool)

func (*Conn) ConnOpts

func (hc *Conn) ConnOpts() uint32

ConnOpts returns the cipher/hmac options value, which is sent to the peer but is not itself part of the KEx.

(Used for protocol-level negotiations after KEx such as cipher/HMAC algorithm options etc.)

func (*Conn) GetStatus

func (hc *Conn) GetStatus() CSOType

func (*Conn) HAlg

func (hc *Conn) HAlg() CSHmacAlg

func (*Conn) InitTunEndpoint

func (hc *Conn) InitTunEndpoint(lp uint16, p string, rp uint16)

func (*Conn) KEX

func (hc *Conn) KEX() KEXAlg

func (*Conn) LocalAddr

func (hc *Conn) LocalAddr() net.Addr

LocalAddr returns the local network address.

func (*Conn) Lock

func (hc *Conn) Lock()

func (*Conn) MarkTunDead

func (hc *Conn) MarkTunDead(endp uint16)

func (*Conn) Opts

func (hc *Conn) Opts() uint32

Opts returns the protocol options value, which is sent to the peer but is not itself part of the KEx or connection (cipher/hmac) setup.

Consumers of this lib may use this for protocol-level options not part of the KEx or encryption info used by the connection.

func (*Conn) Read

func (hc *Conn) Read(b []byte) (n int, err error)

Read into a byte slice

In addition to regular io.Reader behaviour this does demultiplexing of secured terminal comms and (if defined) tunnel traffic and session control packet processing.

See go doc io.Reader

func (*Conn) RekeyHelper added in v0.9.6

func (hc *Conn) RekeyHelper(intervalSecs uint)

func (*Conn) RemoteAddr

func (hc *Conn) RemoteAddr() net.Addr

RemoteAddr returns the remote network address.

func (*Conn) ResetKeepAlive added in v0.9.6

func (hc *Conn) ResetKeepAlive()

func (*Conn) ResetTunnelAge

func (hc *Conn) ResetTunnelAge(endp uint16)

func (*Conn) SetConnOpts

func (hc *Conn) SetConnOpts(copts uint32)

SetConnOpts sets the cipher/hmac options value, which is sent to the peer as part of KEx but not part of the KEx itself.

opts - bitfields for cipher and hmac alg. to use after KEx

func (*Conn) SetDeadline

func (hc *Conn) SetDeadline(t time.Time) error

SetDeadline sets the read and write deadlines associated with the connection. It is equivalent to calling both SetReadDeadline and SetWriteDeadline.

A deadline is an absolute time after which I/O operations fail with a timeout (see type Error) instead of blocking. The deadline applies to all future and pending I/O, not just the immediately following call to Read or Write. After a deadline has been exceeded, the connection can be refreshed by setting a deadline in the future.

An idle timeout can be implemented by repeatedly extending the deadline after successful Read or Write calls.

A zero value for t means I/O operations will not time out.

func (*Conn) SetOpts

func (hc *Conn) SetOpts(opts uint32)

SetOpts sets the protocol options value, which is sent to the peer but is not itself part of the KEx or connection (cipher/hmac) setup.

Consumers of this lib may use this for protocol-level options not part of the KEx of encryption info used by the connection.

opts - a uint32, caller-defined

func (*Conn) SetReadDeadline

func (hc *Conn) SetReadDeadline(t time.Time) error

SetReadDeadline sets the deadline for future Read calls and any currently-blocked Read call. A zero value for t means Read will not time out.

func (*Conn) SetStatus

func (hc *Conn) SetStatus(stat CSOType)

func (*Conn) SetWriteDeadline

func (hc *Conn) SetWriteDeadline(t time.Time) error

SetWriteDeadline sets the deadline for future Write calls and any currently-blocked Write call. Even if write times out, it may return n > 0, indicating that some of the data was successfully written. A zero value for t means Write will not time out.

func (*Conn) SetupChaff

func (hc *Conn) SetupChaff(msecsMin uint, msecsMax uint, szMax uint)

func (*Conn) ShutdownChaff

func (hc *Conn) ShutdownChaff()

func (*Conn) ShutdownKeepAlive added in v0.9.6

func (hc *Conn) ShutdownKeepAlive()

func (*Conn) ShutdownRekey added in v0.9.6

func (hc *Conn) ShutdownRekey()

func (*Conn) ShutdownTun

func (hc *Conn) ShutdownTun(endp uint16)

func (*Conn) StartClientTunnel

func (hc *Conn) StartClientTunnel(lport, rport uint16)

func (*Conn) StartServerTunnel

func (hc *Conn) StartServerTunnel(lport, rport uint16)

func (*Conn) StartupChaff added in v0.9.6

func (hc *Conn) StartupChaff()

func (*Conn) StartupKeepAlive added in v0.9.6

func (hc *Conn) StartupKeepAlive()

func (*Conn) TunIsAlive

func (hc *Conn) TunIsAlive(endp uint16) bool

func (*Conn) TunIsNil

func (hc *Conn) TunIsNil(endp uint16) bool

func (*Conn) Unlock

func (hc *Conn) Unlock()

func (*Conn) Write

func (hc *Conn) Write(b []byte) (n int, err error)

Write a byte slice

See go doc io.Writer

func (*Conn) WritePacket

func (hc *Conn) WritePacket(b []byte, ctrlStatOp byte) (n int, err error)

Write a byte slice with specified ctrlStatOp byte

type HKExListener

type HKExListener struct {
	// contains filtered or unexported fields

HKExListener is a Listener conforming to net.Listener

See go doc net.Listener

func Listen

func Listen(proto string, ipport string, extensions ...string) (hl HKExListener, e error)

Listen for a connection

See go doc net.Listen

func (*HKExListener) Accept

func (hl *HKExListener) Accept() (hc Conn, err error)

Accept a client connection, conforming to net.Listener.Accept()

See go doc net.Listener.Accept

func (*HKExListener) AcceptKCP

func (hl *HKExListener) AcceptKCP() (c net.Conn, e error)

func (HKExListener) Addr

func (hl HKExListener) Addr() net.Addr

Addr returns the listener's network address.

See go doc net.Listener.Addr

func (HKExListener) Close

func (hl HKExListener) Close() error

Close a hkex Listener - closes the Listener. Any blocked Accept operations will be unblocked and return errors.

See go doc net.Listener.Close

type KCPAlg

type KCPAlg uint8

for github.com/xtaci/kcp-go BlockCrypt alg selection

type KEXAlg

type KEXAlg uint8

Sent from client to server in order to specify which algo shall be used (see xsnet.KEX_HERRADURA256, ...)

func (*KEXAlg) String

func (k *KEXAlg) String() string

type TunEndpoint

type TunEndpoint struct {
	Rport     uint16    // Names are from client's perspective
	Lport     uint16    // ... ie., RPort is on server, LPort is on client
	Peer      string    //net.Addr
	Died      bool      // set by client upon receipt of a CSOTunDisconn
	KeepAlive uint32    // must be reset by client to keep server dial() alive
	Ctl       chan rune //See TunCtl_* consts
	Data      chan []byte

TunEndpoint [securePort:peer:dataPort]

func (*TunEndpoint) String

func (t *TunEndpoint) String() string

Return string (suitable as map key) for a tunnel endpoint

type WinSize

type WinSize struct {
	Rows uint16
	Cols uint16

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL