A client authenticator + test for path reflection

Author: willscott

authenticator/pathreflection.go

@@ -0,0 +1,196 @@
+package authenticator
+
+import (
+	"encoding/json"
+	"errors"
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+	"github.com/willscott/sp3"
+	"golang.org/x/net/proxy"
+
+	"log"
+	"math/rand"
+	"net"
+	"net/http"
+
+	"strings"
+)
+
+type PathReflectionAuth struct {
+	Dialer   proxy.Dialer
+	servers  map[string]string
+	clientIP net.IP
+	conn     net.Conn
+	done     chan<- string
+}
+
+//This should be kept in-sync with server/lib/pathreflection
+type pathReflectionState struct {
+	ServerIP       net.IP
+	ServerPort     uint16
+	ClientIP       net.IP
+	ClientPort     uint16
+	SequenceNumber uint32
+	AcknowledgementNumber uint32
+}
+
+// The default local port range for debian jessie
+const IP_LOCAL_PORT_LOW = 32768
+const IP_LOCAL_PORT_HIGH = 60999
+
+func CreatePathReflectionAuthFromURL(sp3Url string, clientIP net.IP) (*PathReflectionAuth, error) {
+	resp, err := http.Get(sp3Url)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	servers := map[string]interface{}{}
+	err = json.NewDecoder(resp.Body).Decode(&servers)
+	if err != nil {
+		return nil, err
+	}
+	typedServers := make(map[string]string)
+	for k := range servers {
+		typedServers[k] = k
+	}
+	return CreatePathReflectionAuth(typedServers, clientIP), nil
+}
+
+func CreatePathReflectionAuth(servers map[string]string, clientIP net.IP) *PathReflectionAuth {
+	pra := new(PathReflectionAuth)
+	pra.clientIP = clientIP
+	pra.servers = servers
+	return pra
+}
+
+func (p *PathReflectionAuth) Authenticate(done chan<- string) (sp3.AuthenticationMethod, []byte, error) {
+	p.done = done
+
+	// Choose an allowed host/ip
+	var addr string
+	var err error
+	if len(p.servers) == 0 {
+		return sp3.PATHREFLECTION, nil, errors.New("No servers configured for reflection.")
+	} else {
+		pos := rand.Int() % len(p.servers)
+		for k := range p.servers {
+			if pos == 0 {
+				addr = k
+				break
+			}
+			pos -= 1
+		}
+	}
+	log.Printf("Connection will be to %s", addr)
+	// Connect
+	if p.Dialer == nil {
+		p.Dialer = &net.Dialer{}
+	}
+	p.conn, err = p.Dialer.Dial("ip4:tcp", addr)
+	if err != nil {
+		return sp3.PATHREFLECTION, nil, err
+	}
+
+	// TCP Handshake
+	state := pathReflectionState{
+		p.clientIP,
+		uint16(IP_LOCAL_PORT_LOW + rand.Int()%(IP_LOCAL_PORT_HIGH-IP_LOCAL_PORT_LOW)),
+		net.ParseIP(addr),
+		uint16(80),
+		uint32(rand.Int()),
+		0,
+	}
+
+	iplayer := &layers.IPv4{
+		Version:  4,
+		IHL:      5,
+		TTL:      64,
+		Protocol: 6,
+		SrcIP:    state.ClientIP,
+		DstIP:    state.ServerIP,
+	}
+
+	tcplayer := &layers.TCP{
+		SrcPort: layers.TCPPort(state.ClientPort),
+		DstPort: layers.TCPPort(state.ServerPort),
+		Window:  4380,
+		Seq:     state.SequenceNumber,
+		SYN:     true,
+	}
+
+	buf := gopacket.NewSerializeBuffer()
+	tcplayer.SetNetworkLayerForChecksum(iplayer)
+	err = gopacket.SerializeLayers(buf, gopacket.SerializeOptions{
+		ComputeChecksums: true,
+		FixLengths:       true,
+	}, tcplayer)
+	if err != nil {
+		return sp3.PATHREFLECTION, nil, err
+	}
+	log.Printf("About to write SYN")
+	if _, err = p.conn.Write(buf.Bytes()); err != nil {
+		return sp3.PATHREFLECTION, nil, err
+	}
+
+	// Wait for a syn-ack to learn server's squence number.
+	log.Printf("Waiting for SYN-ACK")
+	synackbytes := make([]byte, 2048)
+	respn, err := p.conn.Read(synackbytes)
+	if err != nil {
+		return sp3.PATHREFLECTION, nil, err
+	}
+	rpkt := gopacket.NewPacket(synackbytes[0:respn], layers.LayerTypeTCP, gopacket.Lazy)
+	if tcpLayer := rpkt.Layer(layers.LayerTypeTCP); tcpLayer != nil {
+		tcp, _ := tcpLayer.(*layers.TCP)
+		state.AcknowledgementNumber = tcp.Seq + 1
+	} else {
+		return sp3.PATHREFLECTION, nil, errors.New("SYNACK not understood.")
+	}
+
+	// Set up the listener for server response to injected query.
+  go p.listen()
+
+	// Leak State
+	data, err := json.Marshal(state)
+	if err != nil {
+		return sp3.PATHREFLECTION, nil, err
+	}
+	return sp3.PATHREFLECTION, data, nil
+}
+
+func (p *PathReflectionAuth) listen() {
+	bufbytes := make([]byte, 2048)
+	respn, err := p.conn.Read(bufbytes)
+	log.Printf("Path Reflection got an incoming packet.")
+	if err != nil {
+		log.Printf("Couldn't read path reflection packet: %v", err)
+		p.done <- ""
+		return
+	}
+	rpkt := gopacket.NewPacket(bufbytes[0:respn], layers.LayerTypeTCP, gopacket.Default)
+	if payload := rpkt.ApplicationLayer(); payload != nil {
+		strpayload := string(payload.Payload())
+		idx := strings.Index(strpayload, "sp3.")
+		if idx == -1 {
+			p.done <- ""
+			return
+		}
+		idx += 4
+		end := strings.IndexFunc(strpayload[idx:], isbase64)
+		if end == -1 {
+			p.done <- ""
+			return
+		}
+		p.done <- strpayload[idx:idx + end]
+	} else {
+		err := rpkt.ErrorLayer()
+		log.Printf("Couldn't parse packet!", err)
+		p.done <- ""
+	}
+}
+
+func isbase64(c rune) bool {
+	val := (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
+	return !val
+}

authenticator/pathreflection_test.go

@@ -0,0 +1,76 @@
+package authenticator
+
+import (
+	"encoding/json"
+	"github.com/willscott/sp3"
+	"github.com/willscott/sp3/server/lib"
+	"net"
+	"testing"
+)
+
+type MockDialer struct {
+	net.Conn
+}
+
+func (m *MockDialer) Dial(network, address string) (net.Conn, error) {
+	return m.Conn, nil
+}
+
+func TestAuthenticate(t *testing.T) {
+	servconf := server.Config{8888, "eth0", "0", "0", "../server/pathreflection.json"}
+	serv := server.NewServer(servconf)
+	if serv == nil {
+		t.Fatal("Could not start server.")
+	}
+	go serv.Serve()
+
+	// Create path reflection authenticator.
+	auth, err := CreatePathReflectionAuthFromURL("http://localhost:8888/pathreflection.json", net.IP{0, 0, 0, 0})
+	if err != nil {
+		t.Fatal("Could not create reflection auth from local server.", err)
+	}
+
+	// Make a dummy dialer.
+	authClientConn, authConnServer := net.Pipe()
+	auth.Dialer = &MockDialer{authClientConn}
+
+	// Receive initial syn which authenticator should send out.
+	connBuf := make([]byte, 2048)
+	go func() {
+		n, err := authConnServer.Read(connBuf)
+		if err != nil {
+			t.Fatal("Authenticator failed to establish connection.")
+		}
+		connBuf = connBuf[0:n]
+		// Send the syn-ack.
+		authConnServer.Write(connBuf)
+	}()
+
+	// Authenticate
+	done := make(chan string, 1)
+	mode, opts, err := auth.Authenticate(done)
+	if err != nil || mode != sp3.PATHREFLECTION || opts == nil || len(connBuf) == 0 {
+		t.Fatal("Could not begin auth process", err)
+	}
+
+	// Send the injected packet.
+	server.TestSpoofChannel = make(chan []byte, 1)
+	decodeopts := &server.PathReflectionState{}
+	if err = json.Unmarshal(opts, decodeopts); err != nil {
+		t.Fatal("Could not understand auth opts", err)
+	}
+	challenge, err := server.SendPathReflectionChallenge(servconf, decodeopts)
+	if err != nil {
+		t.Fatal("Could not generate auth pkg", err)
+	}
+
+	// Strip off the ip header.
+	injectPkt := <- server.TestSpoofChannel
+	authConnServer.Write(injectPkt[20:])
+
+	// auth hsould now be done
+	token := <-done
+	if token != challenge {
+		t.Fatal("Authentication extracted wrong token from response.")
+	}
+}

client.go

@@ -47,7 +47,7 @@ func Dial(sp3server url.URL, destination net.IP, auth Authenticator, dialer *web
 	go conn.readLoop()
 
 	// Wait for Authenticator to finish challenge.
-	AuthLoop:
+AuthLoop:
 	for {
 		select {
 		case challenge := <-finished:
@@ -149,7 +149,7 @@ func (s *Sp3Conn) ReadFrom(b []byte) (n int, addr net.Addr, err error) {
 	return 0, nil, errors.New("SP3 Connections do not receive data.")
 }
 
-func extractHost(addr net.Addr) (string) {
+func extractHost(addr net.Addr) string {
 	host, _, err := net.SplitHostPort(addr.String())
 	if err != nil || len(host) == 0 {
 		return addr.String()

server/lib/pathreflection.go

@@ -20,15 +20,16 @@ import (
 )
 
 type PathReflectionState struct {
-	serverIP       net.IP
-	serverPort     uint16
-	clientIP       net.IP
-	clientPort     uint16
-	sequenceNumber uint32
+	ServerIP       net.IP
+	ServerPort     uint16
+	ClientIP       net.IP
+	ClientPort     uint16
+	SequenceNumber uint32
+	AcknowledgementNumber uint32
 }
 
-func getPathReflectionServers() map[string]string {
-	data, err := ioutil.ReadFile("pathreflection.json")
+func getPathReflectionServers(path string) map[string]string {
+	data, err := ioutil.ReadFile(path)
 	if err != nil {
 		log.Fatalf("Couldn't read path reflection config: %s", err)
 		return nil
@@ -49,15 +50,23 @@ func genToken() (string, error) {
 		return "", err
 	}
 	encoded := base64.StdEncoding.EncodeToString(b)
-	return encoded, nil
+	// remove non alphanumeric characters
+	output := ""
+	for _, code := range encoded {
+		if code == '+' || code == '/' || code == '=' {
+			continue
+		}
+		output = output + string(code)
+	}
+	return output, nil
 }
 
-func PathReflectionServerTrusted(state *PathReflectionState) bool {
-	_, ok := getPathReflectionServers()[state.serverIP.String()]
+func PathReflectionServerTrusted(conf Config, state *PathReflectionState) bool {
+	_, ok := getPathReflectionServers(conf.PathReflectionFile)[state.ServerIP.String()]
 	return ok
 }
 
-func SendPathReflectionChallenge(state *PathReflectionState) (string, error) {
+func SendPathReflectionChallenge(conf Config, state *PathReflectionState) (string, error) {
 	token, err := genToken()
 	if err != nil {
 		return "", err
@@ -71,17 +80,20 @@ func SendPathReflectionChallenge(state *PathReflectionState) (string, error) {
 		IHL:      5,
 		TTL:      64,
 		Protocol: 6,
-		SrcIP:    state.clientIP,
-		DstIP:    state.serverIP,
+		SrcIP:    state.ClientIP,
+		DstIP:    state.ServerIP,
 	}
 	tcp := &layers.TCP{
-		SrcPort: layers.TCPPort(state.clientPort),
-		DstPort: layers.TCPPort(state.serverPort),
+		SrcPort: layers.TCPPort(state.ClientPort),
+		DstPort: layers.TCPPort(state.ServerPort),
 		Window:  4380,
-		Seq:     state.sequenceNumber,
+		Seq:     state.SequenceNumber,
+		Ack:     state.AcknowledgementNumber,
+		ACK:     true,
+		DataOffset: 5,
 	}
 	tcp.SetNetworkLayerForChecksum(ip)
-	host := getPathReflectionServers()[state.serverIP.String()]
+	host := getPathReflectionServers(conf.PathReflectionFile)[state.ServerIP.String()]
 	request := "GET /sp3." + token + "/ HTTP/1.0\r\nHost: " + host + "\r\n\r\n"
 	ip.Length = 20 + 20 + uint16(len(request))
 	payload := gopacket.Payload([]byte(request))
@@ -90,7 +102,7 @@ func SendPathReflectionChallenge(state *PathReflectionState) (string, error) {
 	}
 
 	//send.
-	if err = SpoofIPv4Message(buf.Bytes(), state.clientIP, state.serverIP); err != nil {
+	if err = SpoofIPv4Message(buf.Bytes(), state.ClientIP, state.ServerIP); err != nil {
 		return "", err
 	}
 

server/lib/pathreflection_test.go

@@ -15,8 +15,10 @@ func TestGenPacket(t *testing.T) {
 		net.IP{127, 0, 0, 1},
 		uint16(8081),
 		0,
+		0,
 	}
-	challenge, err := SendPathReflectionChallenge(state)
+	conf := Config{0, "", "", "", "../pathreflection.json"}
+	challenge, err := SendPathReflectionChallenge(conf, state)
 	if err != nil {
 		t.Fatal("Error sending challenge", err)
 	}