xsnet

package
v0.9.12-2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 27, 2024 License: MIT Imports: 36 Imported by: 0

Documentation

Overview

Copyright (c) 2017-2020 Russell Magee Licensed under the terms of the MIT license (see LICENSE.mit in this distribution)

golang implementation by Russ Magee (rmagee_at_gmail.com)

Index

Constants

View Source 
const (
	KEX_HERRADURA256 = iota // this MUST be first for default if omitted in ctor
	KEX_HERRADURA512
	KEX_HERRADURA1024
	KEX_HERRADURA2048
	KEX_resvd4
	KEX_resvd5
	KEX_resvd6
	KEX_resvd7
	KEX_KYBER512
	KEX_KYBER768
	KEX_KYBER1024
	KEX_resvd11
	KEX_NEWHOPE
	KEX_NEWHOPE_SIMPLE // 'NewHopeLP-Simple' - https://eprint.iacr.org/2016/1157
	KEX_resvd14
	KEX_resvd15
	KEX_FRODOKEM_1344AES
	KEX_FRODOKEM_1344SHAKE
	KEX_FRODOKEM_976AES
	KEX_FRODOKEM_976SHAKE
	KEX_invalid = 255
)

KEX algorithm values

Specified (in string form) as the extensions parameter to xsnet.Dial() Alg is sent in a uint8 so there are up to 256 possible

View Source 
const (
	CSENone            = 1024 + iota
	CSETruncCSO        // No CSOExitStatus in payload
	CSEStillOpen       // Channel closed unexpectedly
	CSEExecFail        // cmd.Start() (exec) failed
	CSEPtyExecFail     // pty.Start() (exec w/pty) failed
	CSEPtyGetNameFail  // failed to obtain pty name
	CSEKEXAlgDenied    // server rejected proposed KEX alg
	CSECipherAlgDenied // server rejected proposed Cipher alg
	CSEHMACAlgDenied   // server rejected proposed HMAC alg
	CSEConnDead        // connection keepalives expired
	CSELoginTimeout
)

Extended exit status codes - indicate comm/pty issues rather than remote end normal UNIX exit codes

View Source 
const (
	// Main connection/session control
	CSONone        = iota // No error, normal packet
	CSOHmacInvalid        // HMAC mismatch detected on remote end
	CSOTermSize           // set term size (rows:cols)
	CSOExitStatus         // Remote cmd exit status
	CSOChaff              // Dummy packet, do not pass beyond decryption

	// Tunnel setup/control/status
	CSOTunSetup     // client -> server tunnel setup request (dstport)
	CSOTunSetupAck  // server -> client tunnel setup ack
	CSOTunRefused   // server -> client: tunnel rport connection refused
	CSOTunData      // packet contains tunnel data [rport:data]
	CSOTunKeepAlive // client tunnel heartbeat
	CSOTunDisconn   // server -> client: tunnel rport disconnected
	CSOTunHangup    // client -> server: tunnel lport hung up
	CSOKeepAlive    // bidir keepalive packet to monitor main connection
	CSORekey        // TODO: rekey/re-select session cipher/hash algs
)

Channel Status/Op bytes - packet types

View Source 
const (
	TunCtl_Client_Listen = 'a'

	TunCtl_Server_Dial = 'd' // server has dialled OK, client side can accept() conns

)

TunEndpoint.tunCtl control values - used to control workers for client or server tunnels depending on the code

View Source 
const (
	CAlgAES256     = iota
	CAlgTwofish128 // golang.org/x/crypto/twofish
	CAlgBlowfish64 // golang.org/x/crypto/blowfish
	CAlgCryptMT1   //cryptmt using mtwist64
	CAlgChaCha20_12
	CAlgHopscotch
	CAlgNoneDisallowed
)

Session symmetric crypto algs

View Source 
const (
	HmacSHA256 = iota
	HmacSHA512
	HmacWHIRLPOOL
	HmacNoneDisallowed
)

Session packet auth HMAC algs

View Source 
const (
	CONone              = iota
	CORemodulateShields // if set, rekeying also reselects random cipher/hmac alg
)

Conn opts outside of basic kex/cipher/hmac connect config

View Source 
const (
	REKEY_SECS_MIN       = 1
	REKEY_SECS_MAX       = 28800 // 8 hours
	CHAFF_FREQ_MSECS_MIN = 1
	CHAFF_FREQ_MSECS_MAX = 300000 // 5 minutes
)

Some bounds-checking consts

View Source 
const (
	KCP_NONE = iota
	KCP_AES
	KCP_BLOWFISH
	KCP_CAST5
	KCP_SM4
	KCP_SALSA20
	KCP_SIMPLEXOR
	KCP_TEA
	KCP_3DES
	KCP_TWOFISH
	KCP_XTEA
)
View Source 
const HMAC_CHK_SZ = 8 // leading bytes of HMAC to xmit for verification
View Source 
const MAX_PAYLOAD_LEN = 2*1024*1024*1024 - 1

TODO: this should be small (max unfragmented packet size?)

View Source 
const PAD_SZ = 32 // max size of padding applied to each packet

---------------------------------------------------------------------

View Source 
const XS_ID_AUTHTOKFILE = ".config/xs/.xs_id"

Variables

View Source 
var (
	Log *logger.Writer // reg. syslog output (no -d)
)

Functions

func FrodoKEMAcceptSetup 

func FrodoKEMAcceptSetup(c *net.Conn, hc *Conn) (err error)

func FrodoKEMDialSetup 

func FrodoKEMDialSetup(c io.ReadWriter, hc *Conn) (err error)

func HKExAcceptSetup 

func HKExAcceptSetup(c *net.Conn, hc *Conn) (err error)

func HKExDialSetup 

func HKExDialSetup(c io.ReadWriter, hc *Conn) (err error)

func Init 

func Init(d bool, c string, f logger.Priority)

func KyberAcceptSetup 

func KyberAcceptSetup(c *net.Conn, hc *Conn) (err error)

func KyberDialSetup 

func KyberDialSetup(c io.ReadWriter, hc *Conn) (err error)

func NewHopeAcceptSetup 

func NewHopeAcceptSetup(c *net.Conn, hc *Conn) (err error)

func NewHopeDialSetup 

func NewHopeDialSetup(c io.ReadWriter, hc *Conn) (err error)

func NewHopeSimpleAcceptSetup 

func NewHopeSimpleAcceptSetup(c *net.Conn, hc *Conn) (err error)

func NewHopeSimpleDialSetup 

func NewHopeSimpleDialSetup(c io.ReadWriter, hc *Conn) (err error)

func SetKCPKeyAndSalt 

func SetKCPKeyAndSalt(key []byte, salt []byte)

Types

type COValue 

type COValue uint32

type CSCipherAlg 

type CSCipherAlg uint32

Available ciphers for hkex.Conn

func (*CSCipherAlg) String 

func (c *CSCipherAlg) String() string

type CSExtendedCode 

type CSExtendedCode uint32

Extended (>255 UNIX exit status) codes This indicate channel-related or internal errors

type CSHmacAlg 

type CSHmacAlg uint32

Available HMACs for hkex.Conn

func (*CSHmacAlg) String 

func (h *CSHmacAlg) String() string

type CSOType 

type CSOType uint32

Channel status Op byte type (see CSONone, ... and CSENone, ...)

type ChaffConfig 

type ChaffConfig struct {
	// contains filtered or unexported fields
}

chaffconfig captures attributes used to send chaff packets betwixt client and server connections, to obscure true traffic timing and patterns see: https://en.wikipedia.org/wiki/chaff_(countermeasure)

type Conn 

type Conn struct {
	WinCh chan WinSize
	Rows  uint16
	Cols  uint16

	Pproc int // proc ID of command run on this conn
	// contains filtered or unexported fields
}

Conn is a connection wrapping net.Conn with KEX & session state

func Dial 

func Dial(protocol string, ipport string, extensions ...string) (hc Conn, err error)

Dial as net.Dial(), but with implicit key exchange to set up secure channel on connect 

Can be called like net.Dial(), defaulting to C_AES_256/H_SHA256,
or additional extensions can be passed amongst the following:

"C_AES_256" | "C_TWOFISH_128" | ...

"H_SHA256" | "H_SHA512" | ...

See go doc -u xsnet.applyConnExtensions

func (*Conn) AgeTunnel 

func (hc *Conn) AgeTunnel(endp uint16) uint32

func (*Conn) CAlg 

func (hc *Conn) CAlg() CSCipherAlg

func (*Conn) Close 

func (hc *Conn) Close() (err error)

Close a hkex.Conn

func (*Conn) CollapseAllTunnels 

func (hc *Conn) CollapseAllTunnels(client bool)

func (*Conn) ConnOpts 

func (hc *Conn) ConnOpts() uint32

ConnOpts returns the cipher/hmac options value, which is sent to the peer but is not itself part of the KEx.

(Used for protocol-level negotiations after KEx such as cipher/HMAC algorithm options etc.)

func (*Conn) GetStatus 

func (hc *Conn) GetStatus() CSOType

func (*Conn) HAlg 

func (hc *Conn) HAlg() CSHmacAlg

func (*Conn) InitTunEndpoint 

func (hc *Conn) InitTunEndpoint(lp uint16, p string, rp uint16)

func (*Conn) KEX 

func (hc *Conn) KEX() KEXAlg

func (*Conn) LocalAddr 

func (hc *Conn) LocalAddr() net.Addr

LocalAddr returns the local network address.

func (*Conn) Lock 

func (hc *Conn) Lock()

func (*Conn) MarkTunDead 

func (hc *Conn) MarkTunDead(endp uint16)

func (*Conn) Opts 

func (hc *Conn) Opts() uint32

Opts returns the protocol options value, which is sent to the peer but is not itself part of the KEx or connection (cipher/hmac) setup.

Consumers of this lib may use this for protocol-level options not part of the KEx or encryption info used by the connection.

func (*Conn) Read 

func (hc *Conn) Read(b []byte) (n int, err error)

Read into a byte slice

In addition to regular io.Reader behaviour this does demultiplexing of secured terminal comms and (if defined) tunnel traffic and session control packet processing.

See go doc io.Reader

func (*Conn) RekeyHelper 

func (hc *Conn) RekeyHelper(intervalSecs uint)

func (*Conn) RemoteAddr 

func (hc *Conn) RemoteAddr() net.Addr

RemoteAddr returns the remote network address.

func (*Conn) ResetKeepAlive 

func (hc *Conn) ResetKeepAlive()

func (*Conn) ResetTunnelAge 

func (hc *Conn) ResetTunnelAge(endp uint16)

func (*Conn) SetConnOpts 

func (hc *Conn) SetConnOpts(copts uint32)

SetConnOpts sets the cipher/hmac options value, which is sent to the peer as part of KEx but not part of the KEx itself.

opts - bitfields for cipher and hmac alg. to use after KEx

func (*Conn) SetDeadline 

func (hc *Conn) SetDeadline(t time.Time) error

SetDeadline sets the read and write deadlines associated with the connection. It is equivalent to calling both SetReadDeadline and SetWriteDeadline.

A deadline is an absolute time after which I/O operations fail with a timeout (see type Error) instead of blocking. The deadline applies to all future and pending I/O, not just the immediately following call to Read or Write. After a deadline has been exceeded, the connection can be refreshed by setting a deadline in the future.

An idle timeout can be implemented by repeatedly extending the deadline after successful Read or Write calls.

A zero value for t means I/O operations will not time out.

func (*Conn) SetOpts 

func (hc *Conn) SetOpts(opts uint32)

SetOpts sets the protocol options value, which is sent to the peer but is not itself part of the KEx or connection (cipher/hmac) setup.

Consumers of this lib may use this for protocol-level options not part of the KEx of encryption info used by the connection.

opts - a uint32, caller-defined

func (*Conn) SetReadDeadline 

func (hc *Conn) SetReadDeadline(t time.Time) error

SetReadDeadline sets the deadline for future Read calls and any currently-blocked Read call. A zero value for t means Read will not time out.

func (*Conn) SetStatus 

func (hc *Conn) SetStatus(stat CSOType)

func (*Conn) SetWriteDeadline 

func (hc *Conn) SetWriteDeadline(t time.Time) error

SetWriteDeadline sets the deadline for future Write calls and any currently-blocked Write call. Even if write times out, it may return n > 0, indicating that some of the data was successfully written. A zero value for t means Write will not time out.

func (*Conn) SetupChaff 

func (hc *Conn) SetupChaff(msecsMin uint, msecsMax uint, szMax uint)

func (*Conn) ShutdownChaff 

func (hc *Conn) ShutdownChaff()

func (*Conn) ShutdownKeepAlive 

func (hc *Conn) ShutdownKeepAlive()

func (*Conn) ShutdownRekey 

func (hc *Conn) ShutdownRekey()

func (*Conn) ShutdownTun 

func (hc *Conn) ShutdownTun(endp uint16)

func (*Conn) StartClientTunnel 

func (hc *Conn) StartClientTunnel(lport, rport uint16)

func (*Conn) StartServerTunnel 

func (hc *Conn) StartServerTunnel(lport, rport uint16)

func (*Conn) StartupChaff 

func (hc *Conn) StartupChaff()

func (*Conn) StartupKeepAlive 

func (hc *Conn) StartupKeepAlive()

func (*Conn) TunIsAlive 

func (hc *Conn) TunIsAlive(endp uint16) bool

func (*Conn) TunIsNil 

func (hc *Conn) TunIsNil(endp uint16) bool

func (*Conn) Unlock 

func (hc *Conn) Unlock()

func (*Conn) Write 

func (hc *Conn) Write(b []byte) (n int, err error)

Write a byte slice

See go doc io.Writer

func (*Conn) WritePacket 

func (hc *Conn) WritePacket(b []byte, ctrlStatOp byte) (n int, err error)

Write a byte slice with specified ctrlStatOp byte

type HKExListener 

type HKExListener struct {
	// contains filtered or unexported fields
}

HKExListener is a Listener conforming to net.Listener

See go doc net.Listener

func Listen 

func Listen(proto string, ipport string, extensions ...string) (hl HKExListener, e error)

Listen for a connection

See go doc net.Listen

func (*HKExListener) Accept 

func (hl *HKExListener) Accept() (hc Conn, err error)

Accept a client connection, conforming to net.Listener.Accept()

See go doc net.Listener.Accept

func (*HKExListener) AcceptKCP 

func (hl *HKExListener) AcceptKCP() (c net.Conn, e error)

func (HKExListener) Addr 

func (hl HKExListener) Addr() net.Addr

Addr returns the listener's network address.

See go doc net.Listener.Addr

func (HKExListener) Close 

func (hl HKExListener) Close() error

Close a hkex Listener - closes the Listener. Any blocked Accept operations will be unblocked and return errors.

See go doc net.Listener.Close

type KCPAlg 

type KCPAlg uint8

for github.com/xtaci/kcp-go BlockCrypt alg selection

type KEXAlg 

type KEXAlg uint8

Sent from client to server in order to specify which algo shall be used (see xsnet.KEX_HERRADURA256, ...)

func (*KEXAlg) String 

func (k *KEXAlg) String() string

type TunEndpoint 

type TunEndpoint struct {
	Rport     uint16    // Names are from client's perspective
	Lport     uint16    // ... ie., RPort is on server, LPort is on client
	Peer      string    //net.Addr
	Died      bool      // set by client upon receipt of a CSOTunDisconn
	KeepAlive uint32    // must be reset by client to keep server dial() alive
	Ctl       chan rune //See TunCtl_* consts
	Data      chan []byte
}

TunEndpoint [securePort:peer:dataPort]

func (*TunEndpoint) String 

func (t *TunEndpoint) String() string

Return string (suitable as map key) for a tunnel endpoint

type WinSize 

type WinSize struct {
	Rows uint16
	Cols uint16
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.