mirror of
https://gogs.blitter.com/RLabs/xs
synced 2024-08-14 10:26:42 +00:00
hmac tampering indication implemented -- local and remote-side
This commit is contained in:
parent
b45784e07b
commit
c56d4d9ad9
1 changed files with 18 additions and 4 deletions
22
hkexnet.go
22
hkexnet.go
|
@ -17,6 +17,7 @@ import (
|
||||||
"crypto/cipher"
|
"crypto/cipher"
|
||||||
"encoding/binary"
|
"encoding/binary"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"hash"
|
"hash"
|
||||||
"io"
|
"io"
|
||||||
|
@ -298,9 +299,18 @@ func (c Conn) Read(b []byte) (n int, err error) {
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var ctrlStatOp uint8
|
||||||
var hmacIn [4]uint8
|
var hmacIn [4]uint8
|
||||||
var payloadLen uint32
|
var payloadLen uint32
|
||||||
|
|
||||||
|
// Read ctrl/status opcode (for now, set nonzero on hmac mismatch)
|
||||||
|
err = binary.Read(c.c, binary.BigEndian, &ctrlStatOp)
|
||||||
|
if ctrlStatOp != 0 {
|
||||||
|
// Other side indicated channel tampering, close channel
|
||||||
|
c.Close()
|
||||||
|
return 1, errors.New("** ALERT - remote end detected HMAC mismatch - possible channel tampering **")
|
||||||
|
}
|
||||||
|
|
||||||
// Read the hmac and payload len first
|
// Read the hmac and payload len first
|
||||||
err = binary.Read(c.c, binary.BigEndian, &hmacIn)
|
err = binary.Read(c.c, binary.BigEndian, &hmacIn)
|
||||||
// Normal client 'exit' from interactive session will cause
|
// Normal client 'exit' from interactive session will cause
|
||||||
|
@ -362,10 +372,10 @@ func (c Conn) Read(b []byte) (n int, err error) {
|
||||||
hTmp := c.rm.Sum(nil)[0:4]
|
hTmp := c.rm.Sum(nil)[0:4]
|
||||||
log.Printf("<%04x) HMAC:(i)%s (c)%02x\r\n", decryptN, hex.EncodeToString([]byte(hmacIn[0:])), hTmp)
|
log.Printf("<%04x) HMAC:(i)%s (c)%02x\r\n", decryptN, hex.EncodeToString([]byte(hmacIn[0:])), hTmp)
|
||||||
|
|
||||||
// Puke if hmac didn't match, corrupted channel
|
// Log alert if hmac didn't match, corrupted channel
|
||||||
if !bytes.Equal(hTmp, []byte(hmacIn[0:])) || hmacIn[0] > 0xf8 {
|
if !bytes.Equal(hTmp, []byte(hmacIn[0:])) /*|| hmacIn[0] > 0xf8*/ {
|
||||||
fmt.Println("** ALERT - hmac mismatch, possible channel tampering **")
|
fmt.Println("** ALERT - hmac mismatch, possible channel tampering **")
|
||||||
c.Close()
|
_, _ = c.c.Write([]byte{0x1})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
retN := c.dBuf.Len()
|
retN := c.dBuf.Len()
|
||||||
|
@ -406,7 +416,11 @@ func (c Conn) Write(b []byte) (n int, err error) {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
log.Printf(" ->ctext:\r\n%s\r\n", hex.Dump(wb.Bytes()))
|
log.Printf(" ->ctext:\r\n%s\r\n", hex.Dump(wb.Bytes()))
|
||||||
|
|
||||||
|
var ctrlStatOp byte
|
||||||
|
ctrlStatOp = 0x00
|
||||||
|
_ = binary.Write(c.c, binary.BigEndian, &ctrlStatOp)
|
||||||
|
|
||||||
// Write hmac LSB, payloadLen followed by payload
|
// Write hmac LSB, payloadLen followed by payload
|
||||||
_ = binary.Write(c.c, binary.BigEndian, hmacOut)
|
_ = binary.Write(c.c, binary.BigEndian, hmacOut)
|
||||||
_ = binary.Write(c.c, binary.BigEndian, payloadLen)
|
_ = binary.Write(c.c, binary.BigEndian, payloadLen)
|
||||||
|
|
Loading…
Reference in a new issue