Add optional cipher/hmac algo remodulate on rekey

2024-08-14 10:26:42 +00:00 · 2023-12-02 01:58:30 -08:00 · 2023-12-02 01:58:30 -08:00 · 32b669192b
commit 32b669192b
parent e82d968381
6 changed files with 103 additions and 11 deletions
--- a/xsd/xsd.go
+++ b/xsd/xsd.go
@ -530,12 +530,14 @@ func main() { //nolint:funlen,gocyclo
 	var dbg bool
 	var laddr string
 	var rekeySecs uint
+	var remodSupported bool // true: when rekeying, switch to random cipher/hmac alg

 	var useSystemPasswd bool

 	flag.BoolVar(&vopt, "v", false, "show version")
 	flag.UintVar(&rekeySecs, "r", 300, "rekey interval in `secs`")
-	flag.StringVar(&laddr, "l", ":2000", "interface[:port] to listen") //nolint:gomnd,lll
+	flag.BoolVar(&remodSupported, "R", false, "Borg Countermeasures (remodulate cipher/hmac alg on each rekey)")
+	flag.StringVar(&laddr, "l", ":2000", "interface[:port] to listen")                                                                                                                                                                                                         //nolint:gomnd,lll
 	flag.StringVar(&kcpMode, "K", "unused", `set to one of ["KCP_NONE","KCP_AES", "KCP_BLOWFISH", "KCP_CAST5", "KCP_SM4", "KCP_SALSA20", "KCP_SIMPLEXOR", "KCP_TEA", "KCP_3DES", "KCP_TWOFISH", "KCP_XTEA"] to use KCP (github.com/xtaci/kcp-go) reliable UDP instead of TCP`) //nolint:lll
 	flag.BoolVar(&useSysLogin, "L", false, "use system login")
 	flag.BoolVar(&chaffEnabled, "e", true, "enable chaff pkts")
@ -702,6 +704,22 @@ func main() { //nolint:funlen,gocyclo
 			} else {
 				log.Println("Accepted client")

+				// Only enable cipher alg changes on re-key if we were told
+				// to support it (launching xsd with -R), *and* the client
+				// proposes to use it.
+				if !remodSupported {
+					if (conn.Opts() & xsnet.CORemodulateShields) != 0 {
+						logger.LogDebug("[client proposed cipher/hmac remod, but we don't support it.]")
+						conn.Close()
+						continue
+					}
+				} else {
+					if conn.Opts()&xsnet.CORemodulateShields != 0 {
+						logger.LogDebug("[cipher/hmac remodulation active]")
+					} else {
+						logger.LogDebug("[cipher/hmac remodulation inactive]")
+					}
+				}
 				conn.RekeyHelper(rekeySecs)

 				// Set up chaffing to client