Marshall/transport interface (#178)

* min transport: add Connect() functionality

* obfs4 transport: add Connect() and Prepare()

* pkg/core: add core.go for ConjureHMAC function

* transport (obfs4): generate shared keys in station

* transport client: add keys to ClientTransport

* transports (obfs4): move ClientTransport functions to client.go

* transports (obfs4): remove ClientTransport functions

* reg transport test: use relative path instead of gopath

* transports test (min): use relative path instead of gopath

* transports internal test: use relative path

* min client: check conn.Write for err

* min/obfs4 transports: rename dd -> cj, rename Connect

* transport interface: change Prepare() -> PrepareKeys()

* transport interface: move obfs4 key generation

* transport interface: obfs4 key generation

* minor fix

---------

Co-authored-by: jmwample <[email protected]>

Author: marshallstone

application/registration_with_transport_test.go

@@ -36,7 +36,8 @@ func mockReceiveFromDetector() (*pb.ClientToStation, cj.ConjureSharedKeys) {
 }
 
 func TestManagerFunctionality(t *testing.T) {
-	testSubnetPath := os.Getenv("GOPATH") + "/src/github.com/refraction-networking/conjure/application/lib/test/phantom_subnets.toml"
+	cwd, _ := os.Getwd()
+	testSubnetPath := cwd + "/lib/test/phantom_subnets.toml"
 	os.Setenv("PHANTOM_SUBNET_LOCATION", testSubnetPath)
 
 	rm := cj.NewRegistrationManager(&cj.RegConfig{})

application/transports/wrapping/internal/tests/tests.go

@@ -21,7 +21,8 @@ var SharedSecret = []byte(`6a328b8ec2024dd92dd64332164cc0425ddbde40cb7b81e055bf7
 // SetupPhantomConnections registers one session with the provided transport and
 // registration manager using a pre-determined kay and phantom subnet file.
 func SetupPhantomConnections(manager *dd.RegistrationManager, transport pb.TransportType) (clientToPhantom net.Conn, serverFromPhantom net.Conn, reg *dd.DecoyRegistration) {
-	testSubnetPath := os.Getenv("GOPATH") + "/src/github.com/refraction-networking/conjure/application/lib/test/phantom_subnets.toml"
+	cwd, _ := os.Getwd()
+	testSubnetPath := cwd + "/../internal/tests/phantom_subnets.toml"
 	return SetupPhantomConnectionsSecret(manager, transport, SharedSecret, testSubnetPath)
 }
 

application/transports/wrapping/min/client.go

@@ -2,8 +2,11 @@ package min
 
 import (
 	"fmt"
+	"io"
+	"net"
 
 	"github.com/refraction-networking/conjure/application/transports"
+	core "github.com/refraction-networking/conjure/pkg/core"
 	pb "github.com/refraction-networking/gotapdance/protobuf"
 	"google.golang.org/protobuf/proto"
 )
@@ -14,7 +17,7 @@ import (
 type ClientTransport struct {
 	// Parameters are fields that will be shared with the station in the registration
 	Parameters *pb.GenericTransportParams
-
+	connectTag []byte
 	// // state tracks fields internal to the registrar that survive for the lifetime
 	// // of the transport session without being shared - i.e. local derived keys.
 	// state any
@@ -63,17 +66,18 @@ func (t *ClientTransport) GetDstPort(seed []byte, params any) (uint16, error) {
 	return transports.PortSelectorRange(portRangeMin, portRangeMax, seed)
 }
 
-// // Connect creates the connection to the phantom address negotiated in the registration phase of
-// // Conjure connection establishment.
-// func (t *ClientTransport) Connect(ctx context.Context, reg *cj.ConjureReg) (net.Conn, error) {
-// 	// conn, err := reg.getFirstConnection(ctx, reg.TcpDialer, phantoms)
-// 	// if err != nil {
-// 	// 	return nil, err
-// 	// }
+// WrapConn creates the connection to the phantom address negotiated in the registration phase of
+// Conjure connection establishment.
+func (t *ClientTransport) WrapConn(conn net.Conn) (net.Conn, error) {
+	// Send hmac(seed, str) bytes to indicate to station (min transport) generated during Prepare(...)
+	_, err := conn.Write(t.connectTag)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
 
-// 	// // Send hmac(seed, str) bytes to indicate to station (min transport)
-// 	// connectTag := conjureHMAC(reg.keys.SharedSecret, "MinTrasportHMACString")
-// 	// conn.Write(connectTag)
-// 	// return conn, nil
-// 	return nil, nil
-// }
+func (t *ClientTransport) PrepareKeys(pubkey [32]byte, sharedSecret []byte, dRand io.Reader) error {
+	t.connectTag = core.ConjureHMAC(sharedSecret, "MinTransportHMACString")
+	return nil
+}

application/transports/wrapping/min/min.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"net"
 
-	dd "github.com/refraction-networking/conjure/application/lib"
+	cj "github.com/refraction-networking/conjure/application/lib"
 	"github.com/refraction-networking/conjure/application/transports"
 	pb "github.com/refraction-networking/gotapdance/protobuf"
 	"google.golang.org/protobuf/types/known/anypb"
@@ -37,7 +37,7 @@ func (Transport) LogPrefix() string { return "MIN" }
 // GetIdentifier takes in a registration and returns an identifier for it. This
 // identifier should be unique for each registration on a given phantom;
 // registrations on different phantoms can have the same identifier.
-func (Transport) GetIdentifier(d *dd.DecoyRegistration) string {
+func (Transport) GetIdentifier(d *cj.DecoyRegistration) string {
 	return string(d.Keys.ConjureHMAC("MinTrasportHMACString"))
 }
 
@@ -75,7 +75,7 @@ func (Transport) ParseParams(libVersion uint, data *anypb.Any) (any, error) {
 //
 // If the returned error is nil or non-nil and non-{ transports.ErrTryAgain,
 // transports.ErrNotTransport }, the caller may no longer use data or conn.
-func (Transport) WrapConnection(data *bytes.Buffer, c net.Conn, originalDst net.IP, regManager *dd.RegistrationManager) (*dd.DecoyRegistration, net.Conn, error) {
+func (Transport) WrapConnection(data *bytes.Buffer, c net.Conn, originalDst net.IP, regManager *cj.RegistrationManager) (*cj.DecoyRegistration, net.Conn, error) {
 	if data.Len() < minTagLength {
 		return nil, nil, transports.ErrTryAgain
 	}

application/transports/wrapping/min/min_test.go

@@ -17,7 +17,8 @@ import (
 )
 
 func TestSuccessfulWrap(t *testing.T) {
-	testSubnetPath := os.Getenv("GOPATH") + "/src/github.com/refraction-networking/conjure/application/lib/test/phantom_subnets.toml"
+	cwd, _ := os.Getwd()
+	testSubnetPath := cwd + "/../../../lib/test/phantom_subnets.toml"
 	os.Setenv("PHANTOM_SUBNET_LOCATION", testSubnetPath)
 
 	var transport Transport
@@ -108,7 +109,7 @@ func TestTryParamsToDstPort(t *testing.T) {
 	clv := randomizeDstPortMinVersion
 	seed, _ := hex.DecodeString("0000000000000000000000000000000000")
 
-	cases := []struct{
+	cases := []struct {
 		r bool
 		p uint16
 	}{{true, 58047}, {false, 443}}

application/transports/wrapping/obfs4/client.go

@@ -2,9 +2,13 @@ package obfs4
 
 import (
 	"fmt"
+	"io"
+	"net"
 
+	pt "git.torproject.org/pluggable-transports/goptlib.git"
 	"github.com/refraction-networking/conjure/application/transports"
 	pb "github.com/refraction-networking/gotapdance/protobuf"
+	"gitlab.com/yawning/obfs4.git/transports/obfs4"
 
 	"google.golang.org/protobuf/proto"
 )
@@ -14,6 +18,7 @@ import (
 // the station side Transport struct has one instance to be re-used for all sessions.
 type ClientTransport struct {
 	Parameters *pb.GenericTransportParams
+	keys       Obfs4Keys
 }
 
 // Name returns a string identifier for the Transport for logging
@@ -59,8 +64,39 @@ func (t *ClientTransport) GetDstPort(seed []byte, params any) (uint16, error) {
 	return transports.PortSelectorRange(portRangeMin, portRangeMax, seed)
 }
 
-// // Connect creates the connection to the phantom address negotiated in the registration phase of
-// // Conjure connection establishment.
-// func (*ClientTransport) Connect(ctx context.Context, reg *cj.ConjureReg) (net.Conn, error) {
-// 	return nil, nil
-// }
+// WrapConn creates the connection to the phantom address negotiated in the registration phase of
+// Conjure connection establishment.
+func (t ClientTransport) WrapConn(conn net.Conn) (net.Conn, error) {
+	obfsTransport := obfs4.Transport{}
+	args := pt.Args{}
+
+	args.Add("node-id", t.keys.NodeID.Hex())
+	args.Add("public-key", t.keys.PublicKey.Hex())
+	args.Add("iat-mode", "1")
+
+	c, err := obfsTransport.ClientFactory("")
+	if err != nil {
+		return nil, fmt.Errorf("failed to create client factory")
+	}
+
+	parsedArgs, err := c.ParseArgs(&args)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse obfs4 args")
+	}
+
+	d := func(network, address string) (net.Conn, error) {
+		return conn, nil
+	}
+
+	return c.Dial("tcp", "", d, parsedArgs)
+}
+
+func (t *ClientTransport) PrepareKeys(pubkey [32]byte, sharedSecret []byte, dRand io.Reader) error {
+	// Generate shared keys
+	var err error
+	t.keys, err = generateObfs4Keys(dRand)
+	if err != nil {
+		return err
+	}
+	return nil
+}

application/transports/wrapping/obfs4/keys.go

@@ -0,0 +1,40 @@
+package obfs4
+
+import (
+	"io"
+
+	"gitlab.com/yawning/obfs4.git/common/ntor"
+	"golang.org/x/crypto/curve25519"
+)
+
+type Obfs4Keys struct {
+	PrivateKey *ntor.PrivateKey
+	PublicKey  *ntor.PublicKey
+	NodeID     *ntor.NodeID
+}
+
+func generateObfs4Keys(rand io.Reader) (Obfs4Keys, error) {
+	keys := Obfs4Keys{
+		PrivateKey: new(ntor.PrivateKey),
+		PublicKey:  new(ntor.PublicKey),
+		NodeID:     new(ntor.NodeID),
+	}
+
+	_, err := rand.Read(keys.PrivateKey[:])
+	if err != nil {
+		return keys, err
+	}
+
+	keys.PrivateKey[0] &= 248
+	keys.PrivateKey[31] &= 127
+	keys.PrivateKey[31] |= 64
+
+	pub, err := curve25519.X25519(keys.PrivateKey[:], curve25519.Basepoint)
+	if err != nil {
+		return keys, err
+	}
+	copy(keys.PublicKey[:], pub)
+
+	_, err = rand.Read(keys.NodeID[:])
+	return keys, err
+}

application/transports/wrapping/obfs4/obfs4.go

@@ -6,7 +6,7 @@ import (
 	"net"
 
 	pt "git.torproject.org/pluggable-transports/goptlib.git"
-	dd "github.com/refraction-networking/conjure/application/lib"
+	cj "github.com/refraction-networking/conjure/application/lib"
 	"github.com/refraction-networking/conjure/application/transports"
 	pb "github.com/refraction-networking/gotapdance/protobuf"
 	"gitlab.com/yawning/obfs4.git/common/drbg"
@@ -34,7 +34,7 @@ func (Transport) Name() string { return "obfs4" }
 func (Transport) LogPrefix() string { return "OBFS4" }
 
 // GetIdentifier implements the station Transport interface
-func (Transport) GetIdentifier(r *dd.DecoyRegistration) string {
+func (Transport) GetIdentifier(r *cj.DecoyRegistration) string {
 	return string(r.Keys.Obfs4Keys.PublicKey.Bytes()[:]) + string(r.Keys.Obfs4Keys.NodeID.Bytes()[:])
 }
 
@@ -66,7 +66,7 @@ func (Transport) ParseParams(libVersion uint, data *anypb.Any) (any, error) {
 }
 
 // WrapConnection implements the station Transport interface
-func (Transport) WrapConnection(data *bytes.Buffer, c net.Conn, phantom net.IP, regManager *dd.RegistrationManager) (*dd.DecoyRegistration, net.Conn, error) {
+func (Transport) WrapConnection(data *bytes.Buffer, c net.Conn, phantom net.IP, regManager *cj.RegistrationManager) (*cj.DecoyRegistration, net.Conn, error) {
 	if data.Len() < ClientMinHandshakeLength {
 		return nil, nil, transports.ErrTryAgain
 	}
@@ -119,8 +119,8 @@ func (Transport) WrapConnection(data *bytes.Buffer, c net.Conn, phantom net.IP,
 // This function makes the assumption that any identifier with length 52 is an obfs4 registration.
 // This may not be strictly true, but any other identifier will simply fail to form a connection and
 // should be harmless.
-func getObfs4Registrations(regManager *dd.RegistrationManager, darkDecoyAddr net.IP) []*dd.DecoyRegistration {
-	var regs []*dd.DecoyRegistration
+func getObfs4Registrations(regManager *cj.RegistrationManager, darkDecoyAddr net.IP) []*cj.DecoyRegistration {
+	var regs []*cj.DecoyRegistration
 
 	for identifier, r := range regManager.GetRegistrations(darkDecoyAddr) {
 		if len(identifier) == ntor.PublicKeyLength+ntor.NodeIDLength {

pkg/core/core.go

@@ -0,0 +1,13 @@
+package core
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+)
+
+// ConjureHMAC implements the hmak that can then be used for further hkdf key generation
+func ConjureHMAC(key []byte, str string) []byte {
+	hash := hmac.New(sha256.New, key)
+	hash.Write([]byte(str))
+	return hash.Sum(nil)
+}