cloak: Start cloaking, add IPv4 IP cloaking

2024-11-24 21:09:30 +01:00 · 2017-06-23 07:21:45 +10:00 · 2017-06-23 07:21:45 +10:00 · bb56ad81cd
commit bb56ad81cd
parent 34964a9920
3 changed files with 150 additions and 1 deletions
--- a/irc/cloaking/cloak.go
+++ b/irc/cloaking/cloak.go
@ -0,0 +1,117 @@
+// Copyright (c) 2017 Daniel Oaks <daniel@danieloaks.net>
+// released under the MIT license
+
+// Package cloak implements IP address cloaking for IRC.
+package cloak
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+
+	"crypto/sha512"
+	"encoding/base64"
+)
+
+const (
+	// MinKeyLength determines how many characters our cloak keys should be, minimum.
+	// This MUST NOT be higher in future releases, or else it will break existing,
+	// working cloaking for everyone using key lengths this long.
+	MinKeyLength = 50
+)
+
+var (
+	errNotIPv4             = errors.New("The given address is not an IPv4 address")
+	errConfigDisabled      = errors.New("Config has disabled IP cloaking")
+	errKeysTooShort        = fmt.Errorf("Cloaking keys too short (min: %d)", MinKeyLength)
+	errKeysNotRandomEnough = errors.New("Cloaking keys aren't random enough")
+)
+
+// Config controls whether we cloak, and if we do what values are used to do so.
+type Config struct {
+	// Enabled controls whether cloaking is performed.
+	Enabled bool
+	// IPv4KeyA is used to cloak the `a` part of the IP address.
+	IPv4KeyA string `yaml:"ipv4-key-a"`
+	// IPv4KeyB is used to cloak the `b` part of the IP address.
+	IPv4KeyB string `yaml:"ipv4-key-b"`
+	// IPv4KeyC is used to cloak the `c` part of the IP address.
+	IPv4KeyC string `yaml:"ipv4-key-c"`
+	// IPv4KeyD is used to cloak the `d` part of the IP address.
+	IPv4KeyD string `yaml:"ipv4-key-d"`
+}
+
+// IsRandomEnough makes sure people are using keys that are random enough.
+func IsRandomEnough(key string) bool {
+	return true
+}
+
+// toByteSlice is used for converting sha512 output from [64]byte to []byte.
+func toByteSlice(orig [64]byte) []byte {
+	var new []byte
+	for _, val := range orig {
+		new = append(new, val)
+	}
+	return new
+}
+
+// IPv4 returns a cloaked IPv4 address
+//
+// IPv4 addresses can be represented as a.b.c.d, where `a` is the least unique
+// part of the address and `d` is the most unique part.
+//
+// `a` is unique for a given a.*.*.*, and `d` is unique for a given, specific
+// a.b.c.d address. That is, if you have 1.2.3.4 and 2.3.4.4, the `d` part of
+// both addresses should differ to prevent discoverability. In the same way,
+// if you have 4.5.6.7 and 4.3.2.1 then the `a` part of those addresses will
+// be the same value. This ensures chanops can properly ban dodgy people as
+// they need to do so.
+func IPv4(address net.IP, config Config, netName string) (string, error) {
+	if !config.Enabled {
+		return "", errConfigDisabled
+	}
+
+	// make sure the IP address is an IPv4 address.
+	// from this point on we can assume `address` is a 4-byte slice
+	if address.To4() == nil {
+		return "", errNotIPv4
+	}
+
+	// check randomness of cloak keys
+	if len(config.IPv4KeyA) < MinKeyLength || len(config.IPv4KeyB) < MinKeyLength || len(config.IPv4KeyC) < MinKeyLength || len(config.IPv4KeyD) < MinKeyLength {
+		return "", errKeysTooShort
+	}
+	if !IsRandomEnough(config.IPv4KeyA) || !IsRandomEnough(config.IPv4KeyB) || !IsRandomEnough(config.IPv4KeyC) || !IsRandomEnough(config.IPv4KeyD) {
+		return "", errKeysNotRandomEnough
+	}
+
+	// get IP parts
+	address = address.To4()
+	partA := address[0]
+	partB := address[1]
+	partC := address[2]
+	partD := address[3]
+
+	// cloak `a` part of IP address.
+	fullKey := fmt.Sprintf("%d%s", partA, config.IPv4KeyA)
+	cryptoHashedKey := toByteSlice(sha512.Sum512([]byte(fullKey)))
+	partAHashed := strings.Trim(strings.Replace(base64.URLEncoding.EncodeToString(cryptoHashedKey), "_", "-", -1)[:16], "-")
+
+	// cloak `b` part of IP address.
+	fullKey = fmt.Sprintf("%d%d%s", partB, partA, config.IPv4KeyB)
+	cryptoHashedKey = toByteSlice(sha512.Sum512([]byte(fullKey)))
+	partBHashed := strings.Trim(strings.Replace(base64.URLEncoding.EncodeToString(cryptoHashedKey), "_", "-", -1)[:16], "-")
+
+	// cloak `c` part of IP address.
+	fullKey = fmt.Sprintf("%d%d%d%s", partC, partB, partA, config.IPv4KeyC)
+	cryptoHashedKey = toByteSlice(sha512.Sum512([]byte(fullKey)))
+	partCHashed := strings.Trim(strings.Replace(base64.URLEncoding.EncodeToString(cryptoHashedKey), "_", "-", -1)[:16], "-")
+
+	// cloak `d` part of IP address.
+	fullKey = fmt.Sprintf("%d%d%d%d%s", partD, partC, partB, partA, config.IPv4KeyD)
+	cryptoHashedKey = toByteSlice(sha512.Sum512([]byte(fullKey)))
+	partDHashed := strings.Trim(strings.Replace(base64.URLEncoding.EncodeToString(cryptoHashedKey), "_", "-", -1)[:16], "-")
+
+	return fmt.Sprintf("%s.%s.%s.%s.cloaked-%s", partAHashed, partBHashed, partCHashed, partDHashed, netName), nil
+}
--- a/irc/config.go
+++ b/irc/config.go
@ -11,9 +11,11 @@ import (
 	"fmt"
 	"io/ioutil"
 	"log"
+	"net"
 	"strings"
 	"time"

+	cloak "github.com/oragono/oragono/irc/cloaking"
 	"github.com/oragono/oragono/irc/custime"
 	"github.com/oragono/oragono/irc/logger"

@ -187,7 +189,8 @@ type StackImpactConfig struct {
 // Config defines the overall configuration.
 type Config struct {
 	Network struct {
-		Name string
+		Name       string
+		IPCloaking cloak.Config `yaml:"ip-cloaking"`
 	}

 	Server struct {
@ -418,6 +421,12 @@ func LoadConfig(filename string) (config *Config, err error) {
 			return nil, fmt.Errorf("STS port is incorrect, should be 0 if disabled: %d", config.Server.STS.Port)
 		}
 	}
+	if config.Network.IPCloaking.Enabled {
+		_, err := cloak.IPv4(net.ParseIP("8.8.8.8"), config.Network.IPCloaking, "Config")
+		if err != nil {
+			return nil, fmt.Errorf("IPv4 cloaking config is incorrect: %s", err.Error())
+		}
+	}
 	if config.Server.ConnectionThrottle.Enabled {
 		config.Server.ConnectionThrottle.Duration, err = time.ParseDuration(config.Server.ConnectionThrottle.DurationString)
 		if err != nil {
--- a/oragono.go
+++ b/oragono.go
@ -13,8 +13,11 @@ import (
 	"syscall"
 	"time"

+	"net"
+
 	"github.com/docopt/docopt-go"
 	"github.com/oragono/oragono/irc"
+	cloak "github.com/oragono/oragono/irc/cloaking"
 	"github.com/oragono/oragono/irc/logger"
 	"github.com/oragono/oragono/mkcerts"
 	stackimpact "github.com/stackimpact/stackimpact-go"
@ -38,6 +41,26 @@ Options:
 	-h --help          Show this screen.
 	--version          Show version.`

+	conf := cloak.Config{
+		Enabled:  true,
+		IPv4KeyA: "n6by5q4wn5ebw534g4e6rtnr6y5t^Nbnrt35NHrghn3rhrhrnr",
+		IPv4KeyB: "n6by5q4wn5ebw534g4e6rtnr6y5t^Nbnrt35NHrghn3rhrhrnr",
+		IPv4KeyC: "n6by5q4wn5ebw534g4e6rtnr6y5t^Nbnrt35NHrghn3rhrhrnr",
+		IPv4KeyD: "n6by5q4wn5ebw534g4e6rtnr6y5t^Nbnrt35NHrghn3rhrhrnr",
+	}
+	ip := net.ParseIP("8.8.8.8")
+	key, err := cloak.IPv4(ip, conf, "Tst")
+	fmt.Println(ip, key, err)
+	ip = net.ParseIP("9.4.8.8")
+	key, err = cloak.IPv4(ip, conf, "Tst")
+	fmt.Println(ip, key, err)
+	ip = net.ParseIP("8.4.2.8")
+	key, err = cloak.IPv4(ip, conf, "Tst")
+	fmt.Println(ip, key, err)
+	ip = net.ParseIP("8.4.2.1")
+	key, err = cloak.IPv4(ip, conf, "Tst")
+	fmt.Println(ip, key, err)
+
 	arguments, _ := docopt.Parse(usage, nil, true, version, false)

 	configfile := arguments["--conf"].(string)