Start of proto kexsh tool client/server

This commit is contained in:
Russ Magee 2018-01-13 10:01:27 -08:00
parent 78edf1c130
commit 942b8865cf
5 changed files with 69 additions and 40 deletions

View file

@ -11,10 +11,16 @@ import (
// Demo of a simple client that dials up to a simple test server to // Demo of a simple client that dials up to a simple test server to
// send data. // send data.
// Note this code is identical to standard tcp client code, save for //
// declaring a 'hkex' rather than a 'net' Dialer Conn. The KEx and // While conforming to the basic net.Conn interface HKex.Conn has extra
// encrypt/decrypt is done within the type. // capabilities designed to allow apps to define connection options,
// Compare to 'clientp.go' in this directory to see the equivalence. // encryption/hmac settings and operations across the encrypted channel.
//
// Initial setup is the same as using plain net.Dial(), but one may
// specify extra extension tags (strings) to set the cipher and hmac
// setting desired; as well as the intended operation mode for the
// connection (app-specific, passed through to the server to use or
// ignore at its discretion).
func main() { func main() {
var cAlg string var cAlg string
var hAlg string var hAlg string
@ -30,6 +36,7 @@ func main() {
fmt.Println("Err!") fmt.Println("Err!")
panic(err) panic(err)
} }
fmt.Fprintf(conn,"e") // tell server just to echo
_, err = io.Copy(conn, os.Stdin) _, err = io.Copy(conn, os.Stdin)
if err != nil && err.Error() != "EOF" { if err != nil && err.Error() != "EOF" {
fmt.Println(err) fmt.Println(err)

View file

@ -16,16 +16,12 @@ import (
// encrypt/decrypt is done within the type. // encrypt/decrypt is done within the type.
// Compare to 'clientp.go' in this directory to see the equivalence. // Compare to 'clientp.go' in this directory to see the equivalence.
func main() { func main() {
var cAlg string
var hAlg string
var server string var server string
flag.StringVar(&cAlg, "c", "C_AES_256", "cipher [\"C_AES_256\" | \"C_TWOFISH_128\" | \"C_BLOWFISH_64\"]")
flag.StringVar(&hAlg, "h", "H_SHA256", "hmac [\"H_SHA256\"]")
flag.StringVar(&server, "s", "localhost:2000", "server hostname/address[:port]") flag.StringVar(&server, "s", "localhost:2000", "server hostname/address[:port]")
flag.Parse() flag.Parse()
conn, err := hkex.Dial("tcp", server, cAlg, hAlg) conn, err := hkex.Dial("tcp", server)
if err != nil { if err != nil {
fmt.Println("Err!") fmt.Println("Err!")
panic(err) panic(err)

View file

@ -45,6 +45,7 @@ func main() {
ch := make(chan []byte) ch := make(chan []byte)
chN := 0 chN := 0
eCh := make(chan error) eCh := make(chan error)
var connOp *byte = nil
// Start a goroutine to read from our net connection // Start a goroutine to read from our net connection
go func(ch chan []byte, eCh chan error) { go func(ch chan []byte, eCh chan error) {
@ -57,12 +58,23 @@ func main() {
eCh <- err eCh <- err
return return
} }
if connOp == nil {
// Initial xmit - get op byte
// (TODO: determine valid ops
// for now 'e' (echo), 'i' (interactive), 'x' (exec), ... ?)
connOp = new(byte)
*connOp = data[0]
data = data[1:]
chN -= 1
fmt.Printf("[* connOp '%c']\n", *connOp)
}
// send data if we read some. // send data if we read some.
ch <- data[0:chN] ch <- data[0:chN]
} }
}(ch, eCh) }(ch, eCh)
ticker := time.Tick(time.Second/100) ticker := time.Tick(time.Second / 100)
Term: Term:
// continuously read from the connection // continuously read from the connection
for { for {

View file

@ -1,25 +1,8 @@
/* Herradura - a Key exchange scheme in the style of Diffie-Hellman Key Exchange.
Copyright (C) 2017 Omar Alejandro Herrera Reyna
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
golang implementation by Russ Magee (rmagee_at_gmail.com) */
package herradurakex package herradurakex
/* Support functions to set up encryption once an HKEx Conn has been /* Support functions to set up encryption once an HKEx Conn has been
established with FA exchange */ established with FA exchange and support channel operations
(echo, file-copy, remote-cmd, ...) */
import ( import (
"crypto/aes" "crypto/aes"
@ -46,6 +29,16 @@ const (
HmacNoneDisallowed HmacNoneDisallowed
) )
type ChanOp uint8
const (
ChanOpNop = '.'
ChanOpEcho = 'e' // For testing - echo client data to stderr
//ChanOpFileWrite = "w"
//ChanOpFileRead = "r"
//ChanOpRemoteCmd = "x"
)
/*TODO: HMAC derived from HKEx FA.*/ /*TODO: HMAC derived from HKEx FA.*/
/* Support functionality to set up encryption after a channel has /* Support functionality to set up encryption after a channel has
been negotiated via hkexnet.go been negotiated via hkexnet.go

View file

@ -36,7 +36,8 @@ type Conn struct {
c net.Conn // which also implements io.Reader, io.Writer, ... c net.Conn // which also implements io.Reader, io.Writer, ...
h *HerraduraKEx h *HerraduraKEx
cipheropts uint32 // post-KEx cipher/hmac options cipheropts uint32 // post-KEx cipher/hmac options
opts uint32 // post-KEx protocol options opts uint32 // post-KEx protocol options (caller-defined)
op uint8 // post-KEx 'op' (caller-defined)
r cipher.Stream r cipher.Stream
w cipher.Stream w cipher.Stream
} }
@ -78,6 +79,26 @@ func (c *Conn) SetOpts(opts uint32) {
c.opts = opts c.opts = opts
} }
// Op returns the 'op' value, which is sent to the peer
// but is not itself part of the KEx or connection (cipher/hmac) setup.
//
// Consumers of this lib may use this to indicate connection-specific
// operations not part of the KEx or encryption info used by the connection.
func (c *Conn) Op() uint8 {
return c.op
}
// SetOp sets the 'op' value, which is sent to the peer
// but is not itself part of the KEx or connection (cipher/hmac) setup.
//
// Consumers of this lib may use this to indicate connection-specific
// operations not part of the KEx or encryption info used by the connection.
//
// op - a uint8, caller-defined
func (c *Conn) SetOp(op uint8) {
c.op = op
}
func (c *Conn) applyConnExtensions(extensions ...string) { func (c *Conn) applyConnExtensions(extensions ...string) {
for _, s := range extensions { for _, s := range extensions {
switch s { switch s {
@ -120,20 +141,20 @@ func Dial(protocol string, ipport string, extensions ...string) (hc *Conn, err e
if err != nil { if err != nil {
return nil, err return nil, err
} }
hc = &Conn{c: c, h: New(0, 0), cipheropts: 0, opts: 0, r: nil, w: nil} hc = &Conn{c: c, h: New(0, 0), cipheropts: 0, opts: 0, op:0, r: nil, w: nil}
hc.applyConnExtensions(extensions...) hc.applyConnExtensions(extensions...)
fmt.Fprintf(c, "0x%s\n%08x:%08x\n", hc.h.d.Text(16), fmt.Fprintf(c, "0x%s\n%08x:%08x:%02x\n", hc.h.d.Text(16),
hc.cipheropts, hc.opts) hc.cipheropts, hc.opts, hc.op)
d := big.NewInt(0) d := big.NewInt(0)
_, err = fmt.Fscanln(c, d) _, err = fmt.Fscanln(c, d)
if err != nil { if err != nil {
return nil, err return nil, err
} }
_, err = fmt.Fscanf(c, "%08x:%08x\n", _, err = fmt.Fscanf(c, "%08x:%08x:%02x\n",
&hc.cipheropts, &hc.opts) &hc.cipheropts, &hc.opts, &hc.op)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -197,15 +218,15 @@ func (hl *HKExListener) Accept() (hc Conn, err error) {
} }
fmt.Println("[Accepted]") fmt.Println("[Accepted]")
hc = Conn{c: c, h: New(0, 0), cipheropts: 0, opts: 0, r: nil, w: nil} hc = Conn{c: c, h: New(0, 0), cipheropts: 0, opts: 0, op:0, r: nil, w: nil}
d := big.NewInt(0) d := big.NewInt(0)
_, err = fmt.Fscanln(c, d) _, err = fmt.Fscanln(c, d)
if err != nil { if err != nil {
return hc, err return hc, err
} }
_, err = fmt.Fscanf(c, "%08x:%08x\n", _, err = fmt.Fscanf(c, "%08x:%08x:%02x\n",
&hc.cipheropts, &hc.opts) &hc.cipheropts, &hc.opts, &hc.op)
if err != nil { if err != nil {
return hc, err return hc, err
} }
@ -215,8 +236,8 @@ func (hl *HKExListener) Accept() (hc Conn, err error) {
hc.h.FA() hc.h.FA()
fmt.Printf("**(s)** FA:%s\n", hc.h.fa) fmt.Printf("**(s)** FA:%s\n", hc.h.fa)
fmt.Fprintf(c, "0x%s\n%08x:%08x\n", hc.h.d.Text(16), fmt.Fprintf(c, "0x%s\n%08x:%08x:%02x\n", hc.h.d.Text(16),
hc.cipheropts, hc.opts) hc.cipheropts, hc.opts, hc.op)
hc.r = hc.getStream(hc.h.fa) hc.r = hc.getStream(hc.h.fa)
hc.w = hc.getStream(hc.h.fa) hc.w = hc.getStream(hc.h.fa)