mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 66 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4610 Commits
19 Branches
Tree: 23c7218bf1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '23c7218bf1'
${ noResults }
oragono/irc/cloaks/cloaks.go

cloaks.go 2.6KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495 
  1. // Copyright (c) 2019 Shivaram Lingamneni

  2. 

  3. package cloaks

  4. 

  5. import (

  6. 	"fmt"

  7. 	"net"

  8. 

  9. 	"golang.org/x/crypto/sha3"

  10. 

  11. 	"github.com/ergochat/ergo/irc/utils"

  12. )

  13. 

  14. type CloakConfig struct {

  15. 	Enabled            bool

  16. 	EnabledForAlwaysOn bool `yaml:"enabled-for-always-on"`

  17. 	Netname            string

  18. 	CidrLenIPv4        int    `yaml:"cidr-len-ipv4"`

  19. 	CidrLenIPv6        int    `yaml:"cidr-len-ipv6"`

  20. 	NumBits            int    `yaml:"num-bits"`

  21. 	LegacySecretValue  string `yaml:"secret"`

  22. 

  23. 	secret   string

  24. 	numBytes int

  25. 	ipv4Mask net.IPMask

  26. 	ipv6Mask net.IPMask

  27. }

  28. 

  29. func (cloakConfig *CloakConfig) Initialize() {

  30. 	// sanity checks:

  31. 	numBits := cloakConfig.NumBits

  32. 	if 0 == numBits {

  33. 		numBits = 64

  34. 	} else if 256 < numBits {

  35. 		numBits = 256

  36. 	}

  37. 

  38. 	// derived values:

  39. 	cloakConfig.numBytes = numBits / 8

  40. 	// round up to the nearest byte

  41. 	if numBits%8 != 0 {

  42. 		cloakConfig.numBytes += 1

  43. 	}

  44. 	cloakConfig.ipv4Mask = net.CIDRMask(cloakConfig.CidrLenIPv4, 32)

  45. 	cloakConfig.ipv6Mask = net.CIDRMask(cloakConfig.CidrLenIPv6, 128)

  46. }

  47. 

  48. func (cloakConfig *CloakConfig) SetSecret(secret string) {

  49. 	cloakConfig.secret = secret

  50. }

  51. 

  52. // simple cloaking algorithm: normalize the IP to its CIDR,

  53. // then hash the resulting bytes with a secret key,

  54. // then truncate to the desired length, b32encode, and append the fake TLD.

  55. func (config *CloakConfig) ComputeCloak(ip net.IP) string {

  56. 	if !config.Enabled {

  57. 		return ""

  58. 	} else if config.NumBits == 0 || config.secret == "" {

  59. 		return config.Netname

  60. 	}

  61. 

  62. 	var masked net.IP

  63. 	v4ip := ip.To4()

  64. 	if v4ip != nil {

  65. 		masked = v4ip.Mask(config.ipv4Mask)

  66. 	} else {

  67. 		masked = ip.Mask(config.ipv6Mask)

  68. 	}

  69. 	return config.macAndCompose(masked)

  70. }

  71. 

  72. func (config *CloakConfig) macAndCompose(b []byte) string {

  73. 	// SHA3(K || M):

  74. 	// https://crypto.stackexchange.com/questions/17735/is-hmac-needed-for-a-sha-3-based-mac

  75. 	input := make([]byte, len(config.secret)+len(b))

  76. 	copy(input, config.secret[:])

  77. 	copy(input[len(config.secret):], b)

  78. 	digest := sha3.Sum512(input)

  79. 	b32digest := utils.B32Encoder.EncodeToString(digest[:config.numBytes])

  80. 	return fmt.Sprintf("%s.%s", b32digest, config.Netname)

  81. }

  82. 

  83. func (config *CloakConfig) ComputeAccountCloak(accountName string) string {

  84. 	// XXX don't bother checking EnabledForAlwaysOn, since if it's disabled,

  85. 	// we need to use the server name which we don't have

  86. 	if config.NumBits == 0 || config.secret == "" {

  87. 		return config.Netname

  88. 	}

  89. 

  90. 	// pad with 16 initial bytes of zeroes, avoiding any possibility of collision

  91. 	// with a masked IP that could be an input to ComputeCloak:

  92. 	paddedAccountName := make([]byte, 16+len(accountName))

  93. 	copy(paddedAccountName[16:], accountName[:])

  94. 	return config.macAndCompose(paddedAccountName)

  95. }