xsd: Added -aK,-aC,-aH to control accepted client proposals

2024-08-14 10:26:42 +00:00 · 2019-12-15 11:38:04 -08:00 · 2019-12-15 11:38:04 -08:00 · d4f50bfdc0
commit d4f50bfdc0
parent 9b90c0558e
4 changed files with 199 additions and 20 deletions
--- a/xsnet/consts.go
+++ b/xsnet/consts.go
@ -29,6 +29,7 @@ const (
 	KEX_NEWHOPE_SIMPLE // 'NewHopeLP-Simple' - https://eprint.iacr.org/2016/1157
 	KEX_resvd14
 	KEX_resvd15
+	KEX_invalid = 255
 )

 // Sent from client to server in order to specify which
@ -38,12 +39,15 @@ type KEXAlg uint8
 // Extended exit status codes - indicate comm/pty issues
 // rather than remote end normal UNIX exit codes
 const (
-	CSENone           = 1024 + iota
-	CSETruncCSO       // No CSOExitStatus in payload
-	CSEStillOpen      // Channel closed unexpectedly
-	CSEExecFail       // cmd.Start() (exec) failed
-	CSEPtyExecFail    // pty.Start() (exec w/pty) failed
-	CSEPtyGetNameFail // failed to obtain pty name
+	CSENone            = 1024 + iota
+	CSETruncCSO        // No CSOExitStatus in payload
+	CSEStillOpen       // Channel closed unexpectedly
+	CSEExecFail        // cmd.Start() (exec) failed
+	CSEPtyExecFail     // pty.Start() (exec w/pty) failed
+	CSEPtyGetNameFail  // failed to obtain pty name
+	CSEKEXAlgDenied    // server rejected proposed KEX alg
+	CSECipherAlgDenied // server rejected proposed Cipher alg
+	CSEHMACAlgDenied   // server rejected proposed HMAC alg
 )

 // Extended (>255 UNIX exit status) codes
--- a/xsnet/net.go
+++ b/xsnet/net.go
@ -70,9 +70,10 @@ type (

 	// Conn is a connection wrapping net.Conn with KEX & session state
 	Conn struct {
-		kex KEXAlg      // KEX/KEM proposal (client -> server)
-		m   *sync.Mutex // (internal)
-		c   *net.Conn   // which also implements io.Reader, io.Writer, ...
+		kex KEXAlg // KEX/KEM proposal (client -> server)
+
+		m *sync.Mutex // (internal)
+		c *net.Conn   // which also implements io.Reader, io.Writer, ...

 		logCipherText  bool // somewhat expensive, for debugging
 		logPlainText   bool // INSECURE and somewhat expensive, for debugging
@ -105,6 +106,67 @@ func (t *TunEndpoint) String() string {
 	return fmt.Sprintf("[%d:%s:%d]", t.Lport, t.Peer, t.Rport)
 }

+func (k *KEXAlg) String() string {
+	switch *k {
+	case KEX_HERRADURA256:
+		return "KEX_HERRADURA256"
+	case KEX_HERRADURA512:
+		return "KEX_HERRADURA512"
+	case KEX_HERRADURA1024:
+		return "KEX_HERRADURA1024"
+	case KEX_HERRADURA2048:
+		return "KEX_HERRADURA2048"
+	case KEX_KYBER512:
+		return "KEX_KYBER512"
+	case KEX_KYBER768:
+		return "KEX_KYBER768"
+	case KEX_KYBER1024:
+		return "KEX_KYBER1024"
+	case KEX_NEWHOPE:
+		return "KEX_NEWHOPE"
+	case KEX_NEWHOPE_SIMPLE:
+		return "KEX_NEWHOPE_SIMPLE"
+	default:
+		return "KEX_ERR_UNK"
+	}
+}
+
+func (hc *Conn) CAlg() CSCipherAlg {
+	return CSCipherAlg(hc.cipheropts & 0x0FF)
+}
+
+func (c *CSCipherAlg) String() string {
+	switch *c & 0x0FF {
+	case CAlgAES256:
+		return "C_AES_256"
+	case CAlgTwofish128:
+		return "C_TWOFISH_128"
+	case CAlgBlowfish64:
+		return "C_BLOWFISH_64"
+	case CAlgCryptMT1:
+		return "C_CRYPTMT1"
+	case CAlgWanderer:
+		return "C_WANDERER"
+	default:
+		return "C_ERR_UNK"
+	}
+}
+
+func (hc *Conn) HAlg() CSHmacAlg {
+	return CSHmacAlg((hc.cipheropts >> 8) & 0x0FF)
+}
+
+func (h *CSHmacAlg) String() string {
+	switch (*h >> 8) & 0x0FF {
+	case HmacSHA256:
+		return "H_SHA256"
+	case HmacSHA512:
+		return "C_SHA512"
+	default:
+		return "H_ERR_UNK"
+	}
+}
+
 func _initLogging(d bool, c string, f logger.Priority) {
 	if Log == nil {
 		Log, _ = logger.New(f, fmt.Sprintf("%s:xsnet", c))
@ -129,6 +191,10 @@ func (hc *Conn) Unlock() {
 	hc.m.Unlock()
 }

+func (hc Conn) KEX() KEXAlg {
+	return hc.kex
+}
+
 func (hc Conn) GetStatus() CSOType {
 	return *hc.closeStat
 }
@ -935,6 +1001,9 @@ func (hl *HKExListener) Accept() (hc Conn, err error) {
 	default:
 		return Conn{}, err
 	}
+
+	// Finally, ensure alg proposed by client is allowed by server config
+	//if hc.kex.String() {
 	log.Println("[hc.Accept successful]")
 	return
 }