mirror of
https://gogs.blitter.com/RLabs/xs
synced 2024-08-14 10:26:42 +00:00
Compare commits
No commits in common. "0184e342845d267fde88b3cceb41922cc975f60f" and "232ee0e2ded89ff8810ff3055438f2c04ecb2c8e" have entirely different histories.
0184e34284
...
232ee0e2de
2 changed files with 227 additions and 250 deletions
46
xsd/xsd.go
46
xsd/xsd.go
|
|
@ -439,9 +439,9 @@ var (
|
||||||
aHMACAlgs allowedHMACAlgs
|
aHMACAlgs allowedHMACAlgs
|
||||||
)
|
)
|
||||||
|
|
||||||
type allowedKEXAlgs []string
|
type allowedKEXAlgs []string // TODO
|
||||||
type allowedCipherAlgs []string
|
type allowedCipherAlgs []string // TODO
|
||||||
type allowedHMACAlgs []string
|
type allowedHMACAlgs []string // TODO
|
||||||
|
|
||||||
func (a allowedKEXAlgs) allowed(k xsnet.KEXAlg) bool {
|
func (a allowedKEXAlgs) allowed(k xsnet.KEXAlg) bool {
|
||||||
for i := 0; i < len(a); i++ {
|
for i := 0; i < len(a); i++ {
|
||||||
|
|
@ -527,33 +527,9 @@ func main() {
|
||||||
flag.BoolVar(&useSystemPasswd, "s", true, "use system shadow passwds")
|
flag.BoolVar(&useSystemPasswd, "s", true, "use system shadow passwds")
|
||||||
flag.BoolVar(&dbg, "d", false, "debug logging")
|
flag.BoolVar(&dbg, "d", false, "debug logging")
|
||||||
|
|
||||||
flag.Var(&aKEXAlgs, "aK", `Allowed KEX algs (eg. '-aK KEXAlgA -aK KEXAlgB ...') (default: none)
|
flag.Var(&aKEXAlgs, "aK", `List of allowed KEX algs (eg. 'KEXAlgA KEXAlgB ... KEXAlgN') (default allow all)`)
|
||||||
KEX_all
|
flag.Var(&aCipherAlgs, "aC", `List of allowed ciphers (eg. 'CipherAlgA CipherAlgB ... CipherAlgN') (default allow all)`)
|
||||||
KEX_HERRADURA256
|
flag.Var(&aHMACAlgs, "aH", `List of allowed HMACs (eg. 'HMACAlgA HMACAlgB ... HMACAlgN') (default allow all)`)
|
||||||
KEX_HERRADURA512
|
|
||||||
KEX_HERRADURA1024
|
|
||||||
KEX_HERRADURA2048
|
|
||||||
KEX_KYBER512
|
|
||||||
KEX_KYBER768
|
|
||||||
KEX_KYBER1024
|
|
||||||
KEX_NEWHOPE
|
|
||||||
KEX_NEWHOPE_SIMPLE
|
|
||||||
KEX_FRODOKEM_1344AES
|
|
||||||
KEX_FRODOKEM_1344SHAKE
|
|
||||||
KEX_FRODOKEM_976AES
|
|
||||||
KEX_FRODOKEM_976SHAKE`)
|
|
||||||
flag.Var(&aCipherAlgs, "aC", `Allowed ciphers (eg. '-aC CAlgA -aC CAlgB ...') (default: none)
|
|
||||||
C_all
|
|
||||||
C_AES_256
|
|
||||||
C_TWOFISH_128
|
|
||||||
C_BLOWFISH_64
|
|
||||||
C_CRYPTMT1
|
|
||||||
C_HOPSCOTCH
|
|
||||||
C_CHACHA20_12`)
|
|
||||||
flag.Var(&aHMACAlgs, "aH", `Allowed HMACs (eg. '-aH HMACAlgA -aH HMACAlgB ...') (default: none)
|
|
||||||
H_all
|
|
||||||
H_SHA256
|
|
||||||
H_SHA512`)
|
|
||||||
|
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
|
|
@ -590,17 +566,17 @@ func main() {
|
||||||
|
|
||||||
// Set up allowed algs, if specified (default allow all)
|
// Set up allowed algs, if specified (default allow all)
|
||||||
if len(aKEXAlgs) == 0 {
|
if len(aKEXAlgs) == 0 {
|
||||||
aKEXAlgs = []string{"none"}
|
aKEXAlgs = []string{"KEX_all"}
|
||||||
}
|
}
|
||||||
logger.LogNotice(fmt.Sprintf("Allowed KEXAlgs: %v\n", aKEXAlgs)) // nolint: gosec,errcheck
|
logger.LogNotice(fmt.Sprintf("Allowed KEXAlgs: %v\n", aKEXAlgs)) // nolint: gosec,errcheck
|
||||||
|
|
||||||
if len(aCipherAlgs) == 0 {
|
if len(aCipherAlgs) == 0 {
|
||||||
aCipherAlgs = []string{"none"}
|
aCipherAlgs = []string{"C_all"}
|
||||||
}
|
}
|
||||||
logger.LogNotice(fmt.Sprintf("Allowed CipherAlgs: %v\n", aCipherAlgs)) // nolint: gosec,errcheck
|
logger.LogNotice(fmt.Sprintf("Allowed CipherAlgs: %v\n", aCipherAlgs)) // nolint: gosec,errcheck
|
||||||
|
|
||||||
if len(aHMACAlgs) == 0 {
|
if len(aHMACAlgs) == 0 {
|
||||||
aHMACAlgs = []string{"none"}
|
aHMACAlgs = []string{"H_all"}
|
||||||
}
|
}
|
||||||
logger.LogNotice(fmt.Sprintf("Allowed HMACAlgs: %v\n", aHMACAlgs)) // nolint: gosec,errcheck
|
logger.LogNotice(fmt.Sprintf("Allowed HMACAlgs: %v\n", aHMACAlgs)) // nolint: gosec,errcheck
|
||||||
|
|
||||||
|
|
@ -644,8 +620,7 @@ func main() {
|
||||||
conn, err := l.Accept()
|
conn, err := l.Accept()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("Accept() got error(%v), hanging up.\n", err)
|
log.Printf("Accept() got error(%v), hanging up.\n", err)
|
||||||
} else {
|
} else if !aKEXAlgs.allowed(conn.KEX()) {
|
||||||
if !aKEXAlgs.allowed(conn.KEX()) {
|
|
||||||
log.Printf("Accept() rejected for banned KEX alg %d, hanging up.\n", conn.KEX())
|
log.Printf("Accept() rejected for banned KEX alg %d, hanging up.\n", conn.KEX())
|
||||||
conn.SetStatus(xsnet.CSEKEXAlgDenied)
|
conn.SetStatus(xsnet.CSEKEXAlgDenied)
|
||||||
conn.Close()
|
conn.Close()
|
||||||
|
|
@ -872,7 +847,6 @@ func main() {
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}(&conn) // nolint: errcheck
|
}(&conn) // nolint: errcheck
|
||||||
} // algs valid and not blacklisted
|
|
||||||
} // Accept() success
|
} // Accept() success
|
||||||
} //endfor
|
} //endfor
|
||||||
//logger.LogNotice(fmt.Sprintln("[Exiting]")) // nolint: gosec,errcheck
|
//logger.LogNotice(fmt.Sprintln("[Exiting]")) // nolint: gosec,errcheck
|
||||||
|
|
|
||||||
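Review bot: In the hunk at `@ -590,17 +566,17 @`, an empty allow-list now falls back to `KEX_all`, `C_all` and `H_all`, so a server started without `-aK`/`-aC`/`-aH` is permissive by default rather than restrictive. This assumes `allowed()` treats the `*_all` entries as wildcards; its body is only partly visible here. Such a server would then negotiate whatever the client proposes, including the weaker entries, and the new one-line help strings no longer list the accepted names, so an operator cannot tell from `-h` what to restrict to. I would either default to an explicit list of vetted algorithms or at least document the behaviour at the fallback, e.g. `// empty list => allow ALL algs; pass -aK/-aC/-aH to restrict`, and keep the valid names in the flag help. The accept-path hunk at `@ -644,8 +620,7 @` shows only the KEX check, and `main` continues outside these hunks, so whether the cipher and HMAC lists are enforced elsewhere needs confirming.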
13
xsnet/net.go
13
xsnet/net.go
|
|
@ -25,7 +25,6 @@ package xsnet
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/cipher"
|
"crypto/cipher"
|
||||||
crand "crypto/rand"
|
|
||||||
"encoding/binary"
|
"encoding/binary"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"errors"
|
"errors"
|
||||||
|
|
@ -40,6 +39,7 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
crand "crypto/rand"
|
||||||
|
|
||||||
hkex "blitter.com/go/herradurakex"
|
hkex "blitter.com/go/herradurakex"
|
||||||
"blitter.com/go/kyber"
|
"blitter.com/go/kyber"
|
||||||
|
|
@ -169,11 +169,11 @@ func (hc *Conn) HAlg() CSHmacAlg {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *CSHmacAlg) String() string {
|
func (h *CSHmacAlg) String() string {
|
||||||
switch *h & 0x0FF {
|
switch (*h >> 8) & 0x0FF {
|
||||||
case HmacSHA256:
|
case HmacSHA256:
|
||||||
return "H_SHA256"
|
return "H_SHA256"
|
||||||
case HmacSHA512:
|
case HmacSHA512:
|
||||||
return "H_SHA512"
|
return "C_SHA512"
|
||||||
default:
|
default:
|
||||||
return "H_ERR_UNK"
|
return "H_ERR_UNK"
|
||||||
}
|
}
|
||||||
|
|
@ -296,7 +296,7 @@ func _new(kexAlg KEXAlg, conn *net.Conn) (hc *Conn, e error) {
|
||||||
case KEX_FRODOKEM_976AES:
|
case KEX_FRODOKEM_976AES:
|
||||||
fallthrough
|
fallthrough
|
||||||
case KEX_FRODOKEM_976SHAKE:
|
case KEX_FRODOKEM_976SHAKE:
|
||||||
//log.Printf("[KEx alg %d is valid]\n", kexAlg)
|
log.Printf("[KEx alg %d accepted]\n", kexAlg)
|
||||||
default:
|
default:
|
||||||
// UNREACHABLE: _getkexalgnum() guarantees a valid KEX value
|
// UNREACHABLE: _getkexalgnum() guarantees a valid KEX value
|
||||||
hc.kex = KEX_HERRADURA512
|
hc.kex = KEX_HERRADURA512
|
||||||
|
|
@ -672,6 +672,7 @@ func FrodoKEMAcceptSetup(c *net.Conn, hc *Conn) (err error) {
|
||||||
}
|
}
|
||||||
pubB, secB := kem.Keygen()
|
pubB, secB := kem.Keygen()
|
||||||
|
|
||||||
|
|
||||||
// [Alice sends use a public key (na, ea)
|
// [Alice sends use a public key (na, ea)
|
||||||
pubA_bigint := big.NewInt(0)
|
pubA_bigint := big.NewInt(0)
|
||||||
_, err = fmt.Fscanf(*c, "0x%x\n", pubA_bigint)
|
_, err = fmt.Fscanf(*c, "0x%x\n", pubA_bigint)
|
||||||
|
|
@ -1172,8 +1173,10 @@ func (hl *HKExListener) Accept() (hc Conn, err error) {
|
||||||
return Conn{}, err
|
return Conn{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Finally, ensure alg proposed by client is allowed by server config
|
||||||
|
//if hc.kex.String() {
|
||||||
log.Println("[hc.Accept successful]")
|
log.Println("[hc.Accept successful]")
|
||||||
return hc, err
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
/*---------------------------------------------------------------------*/
|
/*---------------------------------------------------------------------*/
|
||||||
|
|
|
||||||
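Review bot: In `CSHmacAlg.String()` the `HmacSHA512` case now returns `"C_SHA512"`, which carries the cipher prefix and does not match the `H_` naming of the sibling `"H_SHA256"` and `"H_ERR_UNK"` returns. Any log line or allow-list comparison keyed on that string (the server's `-aH` option takes HMAC names) would misreport or fail to match SHA-512, so it should read `return "H_SHA512"`. The same function now switches on `(*h >> 8) & 0x0FF`; if `HAlg()`, whose body is outside the hunk, already extracts the HMAC byte, this second shift would send every value to the default case, so the shift belongs in only one of the two places.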