Port Randomization (#156)

* update station-to-detector for port randomization

* merge master for removal of time package

* add a test for Session lookup. Hashmap up to 10m seems to work fine

* intermediate pust

* process udp and tcp pacets in detetor - tests failing

* passing existing tests for proto and dst dependent map keys

* better test, cargo format

* tracking udp vs tcp and adding transport params to transports

* update transports to implement port selection interfaces

* tests passing, but no new tests confirming behavior yet

* add tests for simple port selection using mock

* add tests for reg ingest corner cases

* use selected phantom port for liveness tests

* detector always matches on dst port update tests and formatiing checks

* add randomization for bidirectional registration processor, add client transport types, simplify transport interface(s)

* no need to fix typo in this PR

* update name in protobuf

* revisit station -> detecor pipeline on the station side

* lints and protobuf changes

* update github actions to minumum 1.18 golang version

* prelim fixes from unidirectional tests on dev box

* clean up cj-reg logging so I can find real reg errors

* forgot to parse transport params in bidirectional regprocessor

* github action fixes and tun interface iptables rules for udp

* fmt fixes anf github action error

Author: jmwample

.github/workflows/build.yml

@@ -36,8 +36,8 @@ jobs:
           sudo apt-get install protobuf-compiler gcc curl git wget software-properties-common -y -q
           sudo apt-get install libzmq3-dev libssl-dev pkg-config libgmp3-dev -y -q
           sudo add-apt-repository universe
-          wget https://packages.ntop.org/apt-stable/20.04/all/apt-ntop-stable.deb
-          sudo apt install ./apt-ntop-stable.deb
+          wget https://packages.ntop.org/apt/20.04/all/apt-ntop.deb
+          sudo apt install ./apt-ntop.deb
           sudo apt-get update
           sudo apt-get install pfring
           echo "Apt dependencies installed"

.github/workflows/golang.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.16.x, 1.17.x, 1.18.x, stable]
+        go-version: [1.18.x, 1.19.x, stable]
 
     runs-on: ubuntu-latest
     steps:

Cargo.toml

@@ -25,7 +25,7 @@ chrono = "0.4.23"
 pnet = "0.31.0"
 arrayref = "0.3.2"
 log = "0.3.6"
-rand = "0.4.2"
+rand = "0.8.5"
 errno = "0.2.3"
 tuntap = { git = "https://github.com/ewust/tuntap.rs" }
 ipnetwork = "^0.14.0"

application/lib/conjure.go

@@ -45,21 +45,21 @@ func generateObfs4Keys(rand io.Reader) (Obfs4Keys, error) {
 }
 
 type ConjureSharedKeys struct {
-	SharedSecret                                              []byte
-	FspKey, FspIv, VspKey, VspIv, MasterSecret, DarkDecoySeed []byte
-	Obfs4Keys                                                 Obfs4Keys
+	SharedSecret                                            []byte
+	FspKey, FspIv, VspKey, VspIv, MasterSecret, ConjureSeed []byte
+	Obfs4Keys                                               Obfs4Keys
 }
 
 func GenSharedKeys(sharedSecret []byte, tt pb.TransportType) (ConjureSharedKeys, error) {
 	tdHkdf := hkdf.New(sha256.New, sharedSecret, []byte("conjureconjureconjureconjure"), nil)
 	keys := ConjureSharedKeys{
-		SharedSecret:  sharedSecret,
-		FspKey:        make([]byte, 16),
-		FspIv:         make([]byte, 12),
-		VspKey:        make([]byte, 16),
-		VspIv:         make([]byte, 12),
-		MasterSecret:  make([]byte, 48),
-		DarkDecoySeed: make([]byte, 16),
+		SharedSecret: sharedSecret,
+		FspKey:       make([]byte, 16),
+		FspIv:        make([]byte, 12),
+		VspKey:       make([]byte, 16),
+		VspIv:        make([]byte, 12),
+		MasterSecret: make([]byte, 48),
+		ConjureSeed:  make([]byte, 16),
 	}
 
 	if _, err := tdHkdf.Read(keys.FspKey); err != nil {
@@ -77,7 +77,7 @@ func GenSharedKeys(sharedSecret []byte, tt pb.TransportType) (ConjureSharedKeys,
 	if _, err := tdHkdf.Read(keys.MasterSecret); err != nil {
 		return keys, err
 	}
-	if _, err := tdHkdf.Read(keys.DarkDecoySeed); err != nil {
+	if _, err := tdHkdf.Read(keys.ConjureSeed); err != nil {
 		return keys, err
 	}
 

application/lib/phantom_selector.go

@@ -20,6 +20,15 @@ const (
 	phantomHkdfMinVersion         uint = 2
 )
 
+var (
+	// ErrLegacyAddrSelectBug indicates that we have hit a corner case in a legacy address selection
+	// algorithm that causes phantom address selection to fail.
+	ErrLegacyAddrSelectBug = errors.New("no valid addresses specified")
+	// ErrMissingAddrs indicates that no subnets were provided with addresses to select from. This
+	// is only valid for phantomHkdfMinVersion and newer.
+	ErrMissingAddrs = errors.New("no valid addresses specified to select")
+)
+
 // getSubnetsVarint - return EITHER all subnet strings as one composite array if
 // we are selecting unweighted, or return the array associated with the (seed)
 // selected array of subnet strings based on the associated weights
@@ -276,7 +285,7 @@ func selectPhantomImplVarint(seed []byte, subnets []*net.IPNet) (net.IP, error)
 
 	// If the total number of addresses is 0 something has gone wrong
 	if addressTotal.Cmp(big.NewInt(0)) <= 0 {
-		return nil, fmt.Errorf("no valid addresses specified")
+		return nil, ErrLegacyAddrSelectBug
 	}
 
 	// Pick a value using the seed in the range of between 0 and the total
@@ -345,7 +354,7 @@ func selectPhantomImplV0(seed []byte, subnets []*net.IPNet) (net.IP, error) {
 	}
 
 	if addressTotal.Cmp(big.NewInt(0)) <= 0 {
-		return nil, fmt.Errorf("no valid addresses specified")
+		return nil, ErrLegacyAddrSelectBug
 	}
 
 	id := &big.Int{}
@@ -365,7 +374,7 @@ func selectPhantomImplV0(seed []byte, subnets []*net.IPNet) (net.IP, error) {
 		}
 	}
 	if result == nil {
-		return nil, errors.New("let's rewrite the phantom address selector")
+		return nil, ErrLegacyAddrSelectBug
 	}
 	return result, nil
 }
@@ -479,7 +488,7 @@ func selectPhantomImplHkdf(seed []byte, subnets []*net.IPNet) (net.IP, error) {
 
 	// If the total number of addresses is 0 something has gone wrong
 	if addressTotal.Cmp(big.NewInt(0)) <= 0 {
-		return nil, fmt.Errorf("no valid addresses specified")
+		return nil, ErrMissingAddrs
 	}
 
 	// Pick a value using the seed in the range of between 0 and the total