diff --git a/README.md b/README.md index b9129f5..6eeccc4 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Bismuth Protocol [![Go Reference](https://pkg.go.dev/badge/git.greysoh.dev/imterah/bismuthd.svg)](https://pkg.go.dev/git.greysoh.dev/imterah/bismuthd) +# Bismuth Protocol The Bismuth protocol is a thin wrapper for any protocol that adds TLS-like features, without being TLS on its own. diff --git a/client/client.go b/client/client.go index bdb7cf6..7f49ba6 100644 --- a/client/client.go +++ b/client/client.go @@ -1,128 +1,67 @@ package client import ( + "crypto/cipher" + "crypto/rand" "fmt" "net" - "strings" core "git.greysoh.dev/imterah/bismuthd/commons" - "git.greysoh.dev/imterah/bismuthd/signingclient" "golang.org/x/crypto/chacha20poly1305" "github.com/ProtonMail/gopenpgp/v3/crypto" ) -func computeNodes(children []*BismuthSignResultData) (int, int) { - totalServerCount := 0 - passedServerCount := 0 +func (bismuth BismuthClient) encryptMessage(aead cipher.AEAD, msg []byte) ([]byte, error) { + nonce := make([]byte, aead.NonceSize(), aead.NonceSize()+len(msg)+aead.Overhead()) - for _, child := range children { - totalServerCount += 1 - - if child.IsTrusting { - passedServerCount += 1 - } - - if len(child.ChildNodes) != 0 { - recievedTotalCount, recievedPassedCount := computeNodes(child.ChildNodes) - - totalServerCount += recievedTotalCount - passedServerCount += recievedPassedCount - } + if _, err := rand.Read(nonce); err != nil { + return []byte{}, err } - return totalServerCount, passedServerCount + encryptedMsg := aead.Seal(nonce, nonce, msg, nil) + return encryptedMsg, nil } -// Initializes the client. Should be done automatically if you call New() -// -// If you don't call client.New(), you *MUST* call this function before running bismuth.Conn(). -func (bismuth *BismuthClient) InitializeClient() error { - if bismuth.pgp == nil { - bismuth.pgp = crypto.PGP() +func (bismuth BismuthClient) decryptMessage(aead cipher.AEAD, encMsg []byte) ([]byte, error) { + if len(encMsg) < aead.NonceSize() { + return []byte{}, fmt.Errorf("ciphertext too short") } - if bismuth.CertificateSignChecker == nil { - bismuth.CertificateSignChecker = func(host, certificateFingerprint string, isSelfSigned bool) bool { - fmt.Println("WARNING: Using stub CertificateSignChecker. Returing true and ignoring arguments") - return true - } + // Split nonce and ciphertext. + nonce, ciphertext := encMsg[:aead.NonceSize()], encMsg[aead.NonceSize():] + + // Decrypt the message and check it wasn't tampered with. + decryptedData, err := aead.Open(nil, nonce, ciphertext, nil) + + if err != nil { + return []byte{}, err } - if bismuth.AddCertificatesToSignCache == nil { - bismuth.AddCertificatesToSignCache = func(certificates []*BismuthCertificates) { - // do nothing - } - } - - if bismuth.ConnectToServer == nil { - bismuth.CheckIfCertificatesAreSigned = true - - bismuth.ConnectToServer = func(address string) (net.Conn, error) { - return net.Dial("tcp", address) - } - } - - bismuth.CheckIfCertificatesAreSigned = true - - return nil + return decryptedData, nil } -func (bismuth *BismuthClient) checkIfDomainIsTrusted(servers, advertisedDomains []string) ([]*BismuthSignResultData, error) { - signResultData := make([]*BismuthSignResultData, len(servers)) +// Bismuth Client +type BismuthClient struct { + // GOpenPGP public key + PublicKey *crypto.Key + // GOpenPGP private key + PrivateKey *crypto.Key - for index, server := range servers { - baseConn, err := bismuth.ConnectToServer(server) - - if err != nil { - return signResultData, err - } - - defer baseConn.Close() - - conn, signResultsForConn, err := bismuth.Conn(baseConn) - - if err != nil { - return signResultData, err - } - - isTrusted, err := signingclient.IsDomainTrusted(conn, signResultsForConn.ServerPublicKey.GetFingerprintBytes(), advertisedDomains) - - if signResultsForConn.OverallTrustScore < 50 { - isTrusted = false - } - - signResultData[index] = &BismuthSignResultData{ - IsTrusting: isTrusted, - ChildNodes: []*BismuthSignResultData{ - signResultsForConn.Node, - }, - } - } - - return signResultData, nil + pgp *crypto.PGPHandle } // Connects to a Bismuth server. This wraps an existing net.Conn interface. // The returned net.Conn is the server, but over bismuth. -func (bismuth *BismuthClient) Conn(conn net.Conn) (net.Conn, *BismuthSignResults, error) { +func (bismuth BismuthClient) Conn(conn net.Conn) (net.Conn, error) { // Yes, I'm aware defer exists. It won't work if I use it in this context. I'll shank anyone that complains // Exchange our public keys first - hostAndIP := conn.RemoteAddr().String() - hostAndIPColonIndex := strings.Index(hostAndIP, ":") - - if hostAndIPColonIndex == -1 { - return nil, nil, fmt.Errorf("failed to get colon in remote address") - } - - host := hostAndIP[:hostAndIPColonIndex] - ownKey, err := bismuth.PublicKey.GetPublicKey() if err != nil { conn.Close() - return nil, nil, err + return nil, err } pubKeyLengthBytes := make([]byte, 3) @@ -137,17 +76,17 @@ func (bismuth *BismuthClient) Conn(conn net.Conn) (net.Conn, *BismuthSignResults if _, err = conn.Read(messageMode); err != nil { conn.Close() - return nil, nil, err + return nil, err } if messageMode[0] != core.SendPublicKey { conn.Close() - return nil, nil, fmt.Errorf("server failed to return its public key") + return nil, fmt.Errorf("server failed to return its public key") } if _, err = conn.Read(pubKeyLengthBytes); err != nil { conn.Close() - return nil, nil, err + return nil, err } pubKeyLength = core.Int24ToInt32(pubKeyLengthBytes) @@ -155,14 +94,12 @@ func (bismuth *BismuthClient) Conn(conn net.Conn) (net.Conn, *BismuthSignResults if _, err = conn.Read(pubKeyBytes); err != nil { conn.Close() - return nil, nil, err + return nil, err } - serverPublicKey, err := crypto.NewKey(pubKeyBytes) - - if err != nil { + if _, err = crypto.NewKey(pubKeyBytes); err != nil { conn.Close() - return nil, nil, err + return nil, err } // Then exchange the symmetric key @@ -171,19 +108,19 @@ func (bismuth *BismuthClient) Conn(conn net.Conn) (net.Conn, *BismuthSignResults if _, err = conn.Read(messageMode); err != nil { conn.Close() - return nil, nil, err + return nil, err } if messageMode[0] != core.SwitchToSymmetricKey { conn.Close() - return nil, nil, fmt.Errorf("server failed to return symmetric key") + return nil, fmt.Errorf("server failed to return symmetric key") } encryptedSymmKeyLengthInBytes := make([]byte, 3) if _, err = conn.Read(encryptedSymmKeyLengthInBytes); err != nil { conn.Close() - return nil, nil, err + return nil, err } encryptedSymmKeyLength := core.Int24ToInt32(encryptedSymmKeyLengthInBytes) @@ -191,186 +128,31 @@ func (bismuth *BismuthClient) Conn(conn net.Conn) (net.Conn, *BismuthSignResults if _, err = conn.Read(encryptedSymmKey); err != nil { conn.Close() - return nil, nil, err + return nil, err } decHandleForSymmKey, err := bismuth.pgp.Decryption().DecryptionKey(bismuth.PrivateKey).New() if err != nil { - conn.Close() - return nil, nil, err + return nil, err } decryptedSymmKey, err := decHandleForSymmKey.Decrypt(encryptedSymmKey, crypto.Bytes) if err != nil { - conn.Close() - return nil, nil, err + return nil, err } symmKeyInfo := decryptedSymmKey.Bytes() if symmKeyInfo[0] != core.XChaCha20Poly1305 { conn.Close() - return nil, nil, fmt.Errorf("unsupported encryption method recieved") + return nil, fmt.Errorf("unsupported encryption method recieved") } symmKey := symmKeyInfo[1 : chacha20poly1305.KeySize+1] aead, err := chacha20poly1305.NewX(symmKey) - // Request trusted domains - - trustedDomainsRequest := make([]byte, 1) - trustedDomainsRequest[0] = core.GetTrustedDomains - - encryptedTrustedDomainRequest, err := bismuth.encryptMessage(aead, trustedDomainsRequest) - - if err != nil { - conn.Close() - return nil, nil, err - } - - trustedDomainLength := make([]byte, 3) - core.Int32ToInt24(trustedDomainLength, uint32(len(encryptedTrustedDomainRequest))) - - conn.Write(trustedDomainLength) - conn.Write(encryptedTrustedDomainRequest) - - if _, err = conn.Read(trustedDomainLength); err != nil { - conn.Close() - return nil, nil, err - } - - encryptedTrustedDomainResponse := make([]byte, core.Int24ToInt32(trustedDomainLength)) - - if _, err = conn.Read(encryptedTrustedDomainResponse); err != nil { - conn.Close() - return nil, nil, err - } - - trustedDomainResponse, err := bismuth.decryptMessage(aead, encryptedTrustedDomainResponse) - - if err != nil { - conn.Close() - return nil, nil, err - } - - if trustedDomainResponse[0] != core.GetTrustedDomains { - conn.Close() - return nil, nil, fmt.Errorf("server failed to return its signing servers") - } - - trustedDomains := strings.Split(string(trustedDomainResponse[1:]), "\n") - - // Request signing servers - - signingServerRequest := make([]byte, 1) - signingServerRequest[0] = core.GetSigningServers - - encryptedSigningServerRequest, err := bismuth.encryptMessage(aead, signingServerRequest) - - if err != nil { - conn.Close() - return nil, nil, err - } - - signingRequestLength := make([]byte, 3) - core.Int32ToInt24(signingRequestLength, uint32(len(encryptedSigningServerRequest))) - - conn.Write(signingRequestLength) - conn.Write(encryptedSigningServerRequest) - - if _, err = conn.Read(signingRequestLength); err != nil { - conn.Close() - return nil, nil, err - } - - encryptedSigningRequestResponse := make([]byte, core.Int24ToInt32(signingRequestLength)) - - if _, err = conn.Read(encryptedSigningRequestResponse); err != nil { - conn.Close() - return nil, nil, err - } - - signingServerResponse, err := bismuth.decryptMessage(aead, encryptedSigningRequestResponse) - - if err != nil { - conn.Close() - return nil, nil, err - } - - if signingServerResponse[0] != core.GetSigningServers { - conn.Close() - return nil, nil, fmt.Errorf("server failed to return its signing servers") - } - - // Check if the server is signed - - signingServers := strings.Split(string(signingServerResponse[1:]), "\n") - isServerSelfSigned := len(signingServers)-1 == 0 || len(trustedDomains)-1 == 0 - - rootNode := &BismuthSignResultData{ - ChildNodes: []*BismuthSignResultData{}, - IsTrusting: false, - } - - signResults := BismuthSignResults{ - OverallTrustScore: 0, - ServerPublicKey: serverPublicKey, - Node: rootNode, - } - - totalServerCount, passedServerCount := 0, 0 - - if bismuth.CheckIfCertificatesAreSigned { - serverKeyFingerprint := serverPublicKey.GetFingerprint() - isCertSigned := bismuth.CertificateSignChecker(host, serverKeyFingerprint, isServerSelfSigned) - - if !isServerSelfSigned || !isCertSigned { - domainTrustResults, err := bismuth.checkIfDomainIsTrusted(signingServers, trustedDomains) - - if err == nil { - rootNode.ChildNodes = domainTrustResults - totalServerCount, passedServerCount = computeNodes(rootNode.ChildNodes) - } else { - fmt.Printf("ERROR: failed to verify servers (%s).\n", err.Error()) - signResults.OverallTrustScore = 0 - } - } else if isCertSigned { - rootNode.IsTrusting = isCertSigned - - totalServerCount, passedServerCount = 1, 1 - rootNode.IsTrusting = true - } - } else { - totalServerCount, passedServerCount = 1, 1 - } - - if totalServerCount != 0 { - signResults.OverallTrustScore = int((float32(passedServerCount) / float32(totalServerCount)) * 100) - } - - // After that, we send what host we are connecting to (enables fronting/proxy services) - - hostInformation := make([]byte, 1+len(host)) - - hostInformation[0] = core.ClientSendHost - copy(hostInformation[1:], []byte(host)) - - encryptedHostInformationPacket, err := bismuth.encryptMessage(aead, hostInformation) - - if err != nil { - conn.Close() - return nil, nil, err - } - - hostInformationSize := make([]byte, 3) - - core.Int32ToInt24(hostInformationSize, uint32(len(encryptedHostInformationPacket))) - - conn.Write(hostInformationSize) - conn.Write(encryptedHostInformationPacket) - // Start proxying startForwardingPacket := []byte{ @@ -381,7 +163,7 @@ func (bismuth *BismuthClient) Conn(conn net.Conn) (net.Conn, *BismuthSignResults if err != nil { conn.Close() - return nil, nil, err + return nil, err } encryptedForwardPacketPacketSize := make([]byte, 3) @@ -403,5 +185,32 @@ func (bismuth *BismuthClient) Conn(conn net.Conn) (net.Conn, *BismuthSignResults return core.BismuthConnWrapped{ Bismuth: &bmConn, - }, &signResults, nil + }, nil +} + +// Creates a new BismuthClient. +// +// Both `pubKey` and `privKey` are armored PGP public and private keys respectively. +func New(pubKey string, privKey string) (*BismuthClient, error) { + publicKey, err := crypto.NewKeyFromArmored(pubKey) + + if err != nil { + return nil, err + } + + privateKey, err := crypto.NewKeyFromArmored(privKey) + + if err != nil { + return nil, err + } + + pgp := crypto.PGP() + + bismuth := BismuthClient{ + PublicKey: publicKey, + PrivateKey: privateKey, + pgp: pgp, + } + + return &bismuth, nil } diff --git a/client/typing.go b/client/typing.go deleted file mode 100644 index 873a94f..0000000 --- a/client/typing.go +++ /dev/null @@ -1,93 +0,0 @@ -package client - -import ( - "net" - - "github.com/ProtonMail/gopenpgp/v3/crypto" -) - -// Bismuth Client -type BismuthClient struct { - // GOpenPGP public key for the client - PublicKey *crypto.Key - // GOpenPGP private key for the client - PrivateKey *crypto.Key - - // Check if the certificates are signed if enabled. - // - // If true, "cross-verifies" the server to make sure the certificates are signed. - // - // If false, all certificates will be reported as being self signed because we can't - // really prove otherwise. - CheckIfCertificatesAreSigned bool - - // Checks to see if a certificate is trusted in the client cache. - // - // - `host`: The host of the server. - // - `certificateFingerprint`: A fingerprint of the servers key. - // - `isSelfSigned`: If true, the certificate is either actually self-signed, or - // verification is dsabled (CheckIfCertificatesAreSigned in BismuthClient is false) - // - // This function will only be called if client.CheckIfCertificatesAreSigned is true. - // - // Example usage inside the Bismuth client source: - // client.CertificateSignChecker("example.com:9090", "6c5eaff6f5c65e65e6f6ce6fc", false, true) - CertificateSignChecker func(host, certificateFingerprint string, isSelfSigned bool) bool - - // If any certificates are false in the certificate cache, and the client has determined that - // they may need to be added, this function will get called. - // - // All of the certificates that will be called by this function in arguments are ones that - // client.CertificateSignChecker has reported to be untrustworthy, but not all untrustworthy - // certificates will be reported, as they can be trusted by future nodes that you have already - // trusted. - // - // This function will only be called if client.CheckIfCertificatesAreSigned is true. - AddCertificatesToSignCache func(certificates []*BismuthCertificates) - - // Connects to a server. - // This function will only be called if client.CheckIfCertificatesAreSigned is true. - // - // Example usage in the client source: - // client.ConnectToServer("google.com:80") - ConnectToServer func(address string) (net.Conn, error) - - // GopenPGP instance - pgp *crypto.PGPHandle -} - -// Sign result data for the node -type BismuthSignResultData struct { - // Future node pointers in the tree - ChildNodes []*BismuthSignResultData - - // If true, the server is already trusting this node - IsTrusting bool -} - -type BismuthSignResults struct { - // Overall trust score calculated - OverallTrustScore int - // Parent node in tree for sign results - Node *BismuthSignResultData - - // GopenPGP public key - ServerPublicKey *crypto.Key -} - -type BismuthCertificates struct { - // The host of the server - Host string - // A fingerprint of the servers key - CertificateFingerprint string - // Certificate UserID - CertificateUsername string - CertificateMail string - - // If true, the certificate is self signed - IsSelfSigned bool - - // If true, the client should not prompt the user, and automatically - // add the certificate instead. - ShouldAutomaticallyAdd bool -} diff --git a/client/utils.go b/client/utils.go deleted file mode 100644 index dc236f5..0000000 --- a/client/utils.go +++ /dev/null @@ -1,68 +0,0 @@ -package client - -import ( - "crypto/cipher" - "crypto/rand" - "fmt" - - "github.com/ProtonMail/gopenpgp/v3/crypto" -) - -func (bismuth BismuthClient) encryptMessage(aead cipher.AEAD, msg []byte) ([]byte, error) { - nonce := make([]byte, aead.NonceSize(), aead.NonceSize()+len(msg)+aead.Overhead()) - - if _, err := rand.Read(nonce); err != nil { - return []byte{}, err - } - - encryptedMsg := aead.Seal(nonce, nonce, msg, nil) - return encryptedMsg, nil -} - -func (bismuth BismuthClient) decryptMessage(aead cipher.AEAD, encMsg []byte) ([]byte, error) { - if len(encMsg) < aead.NonceSize() { - return []byte{}, fmt.Errorf("ciphertext too short") - } - - // Split nonce and ciphertext. - nonce, ciphertext := encMsg[:aead.NonceSize()], encMsg[aead.NonceSize():] - - // Decrypt the message and check it wasn't tampered with. - decryptedData, err := aead.Open(nil, nonce, ciphertext, nil) - - if err != nil { - return []byte{}, err - } - - return decryptedData, nil -} - -// Creates a new BismuthClient. -// -// Both `pubKey` and `privKey` are armored PGP public and private keys respectively. -func New(pubKey string, privKey string) (*BismuthClient, error) { - publicKey, err := crypto.NewKeyFromArmored(pubKey) - - if err != nil { - return nil, err - } - - privateKey, err := crypto.NewKeyFromArmored(privKey) - - if err != nil { - return nil, err - } - - bismuth := BismuthClient{ - PublicKey: publicKey, - PrivateKey: privateKey, - } - - err = bismuth.InitializeClient() - - if err != nil { - return nil, err - } - - return &bismuth, nil -} diff --git a/commons/enum.go b/commons/enum.go index 3c7f4ff..be1848f 100644 --- a/commons/enum.go +++ b/commons/enum.go @@ -2,41 +2,32 @@ package commons -// Core Protocol Commands +// Commands const ( - // Sending public key back and forth + // SendPublicKey: Sending public key back and forth SendPublicKey = iota - // Sent by the client along with the symmetric key that is going to be used + // SwitchToSymmetricKey: Sent by the client along with the symmetric key that is going to be used SwitchToSymmetricKey + // ClientSendHost: Currently unimplemented. // Client sends what host they are connecting to. ClientSendHost + // GetSigningServers: Currently unimplemented. // Gets the signing servers trusting/signing the current server. GetSigningServers + // GetTrustedDomains: Currently unimplemented. // Gets the domains that are supported by this certificate (should be cross-checked) GetTrustedDomains - // Starts forwarding traffic over this protocol. + // InitiateForwarding: Starts forwarding traffic over this protocol. InitiateForwarding ) -// Validation API Commands -const ( - // Checks if the domains are valid for a specified key - AreDomainsValidForKey = iota - // Validate a server and keys - ValidateKey - // Status codes - Success - Failure - InternalError -) - -// Encryption Algorithms +// Encryption algorithms const ( // Default and only encryption algorithm XChaCha20Poly1305 = iota ) -// Unsigned Integer Limits +// Unsigned integer limits const ( BitLimit24 = 16_777_215 BitLimit16 = 65535 diff --git a/main.go b/main.go index 373320d..4ded7a1 100644 --- a/main.go +++ b/main.go @@ -3,7 +3,6 @@ package main import ( "context" _ "embed" - "encoding/hex" "fmt" "net" "os" @@ -12,8 +11,6 @@ import ( "git.greysoh.dev/imterah/bismuthd/client" core "git.greysoh.dev/imterah/bismuthd/commons" "git.greysoh.dev/imterah/bismuthd/server" - "git.greysoh.dev/imterah/bismuthd/signingclient" - "git.greysoh.dev/imterah/bismuthd/signingserver" "github.com/charmbracelet/log" "github.com/urfave/cli/v2" "tailscale.com/net/socks5" @@ -22,7 +19,7 @@ import ( //go:embed ascii.txt var asciiArt string -func clientEntrypoint(cCtx *cli.Context) error { +func bismuthClientEntrypoint(cCtx *cli.Context) error { pubKeyFile, err := os.ReadFile(cCtx.String("pubkey")) if err != nil { @@ -40,8 +37,6 @@ func clientEntrypoint(cCtx *cli.Context) error { bismuth, err := client.New(pubKey, privKey) - log.Debugf("My key fingerprint is: %s", bismuth.PublicKey.GetFingerprint()) - if err != nil { return err } @@ -87,15 +82,13 @@ func clientEntrypoint(cCtx *cli.Context) error { return nil, err } - conn, returnData, err := bismuth.Conn(conn) + conn, err = bismuth.Conn(conn) if err != nil && err.Error() != "EOF" { log.Errorf("failed to initialize bismuth connection to '%s:%s': '%s'", ip, port, err.Error()) return nil, err } - log.Debugf("Server key fingerprint for '%s' is: %s", addr, returnData.ServerPublicKey.GetFingerprint()) - return conn, err } else { conn, err := net.Dial(network, addr) @@ -117,17 +110,8 @@ func clientEntrypoint(cCtx *cli.Context) error { return nil } -func serverEntrypoint(cCtx *cli.Context) error { - var domainList []string - var signServers []string - - if cCtx.String("domain-names") != "" { - domainList = strings.Split(cCtx.String("domain-names"), ":") - } - - if cCtx.String("signing-servers") != "" { - signServers = strings.Split(cCtx.String("signing-servers"), ";") - } +func bismuthServerEntrypoint(cCtx *cli.Context) error { + relayServers := []string{} pubKeyFile, err := os.ReadFile(cCtx.String("pubkey")) @@ -146,8 +130,7 @@ func serverEntrypoint(cCtx *cli.Context) error { network := fmt.Sprintf("%s:%s", cCtx.String("source-ip"), cCtx.String("source-port")) - bismuth, err := server.New(pubKey, privKey, signServers, domainList, core.XChaCha20Poly1305) - bismuth.HandleConnection = func(connBismuth net.Conn, _ *server.ClientMetadata) error { + bismuth, err := server.NewBismuthServer(pubKey, privKey, relayServers, core.XChaCha20Poly1305, func(connBismuth net.Conn) error { connDialed, err := net.Dial("tcp", network) if err != nil { @@ -200,7 +183,7 @@ func serverEntrypoint(cCtx *cli.Context) error { }() return nil - } + }) if err != nil { return err @@ -218,206 +201,23 @@ func serverEntrypoint(cCtx *cli.Context) error { for { conn, err := listener.Accept() - - if err != nil { - log.Warnf("failed to accept connection: '%s'", err.Error()) - continue - } - log.Debugf("Recieved connection from '%s'", conn.RemoteAddr().String()) - go func() { - err := bismuth.HandleProxy(conn) - - if err != nil && err.Error() != "EOF" { - log.Warnf("connection crashed/dropped during proxy handling: '%s'", err.Error()) - } - }() - } -} - -func signingServerEntrypoint(cCtx *cli.Context) error { - log.Warn("Using the built-in bismuth signing server in production is a horrible idea as it has no validation!") - log.Warn("Consider writing using a custom solution that's based on the signing server code, rather than the default implementation.") - - var domainList []string - var signServers []string - - if cCtx.String("domain-names") != "" { - domainList = strings.Split(cCtx.String("domain-names"), ":") - } - - if cCtx.String("signing-servers") != "" { - signServers = strings.Split(cCtx.String("signing-servers"), ";") - } - - pubKeyFile, err := os.ReadFile(cCtx.String("pubkey")) - - if err != nil { - return err - } - - privKeyFile, err := os.ReadFile(cCtx.String("privkey")) - - if err != nil { - return err - } - - pubKey := string(pubKeyFile) - privKey := string(privKeyFile) - - listener, err := net.Listen("tcp", fmt.Sprintf("%s:%s", cCtx.String("ip"), cCtx.String("port"))) - - if err != nil { - return err - } - - bismuthServer, err := server.New(pubKey, privKey, signServers, domainList, core.XChaCha20Poly1305) - - if err != nil { - return nil - } - - // I'd like to use the SigningServer struct, but I can't really do that - _, err = signingserver.New(bismuthServer) - - if err != nil { - return nil - } - - defer listener.Close() - - log.Info("Bismuth signing server is listening...") - - for { - conn, err := listener.Accept() - if err != nil { log.Warn(err.Error()) continue } - log.Debugf("Recieved connection from '%s'", conn.RemoteAddr().String()) - go func() { - err = bismuthServer.HandleProxy(conn) + err := bismuth.HandleProxy(conn) if err != nil && err.Error() != "EOF" { - log.Warnf("connection crashed/dropped during proxy handling: '%s'", err.Error()) - return + log.Warnf("Connection crashed/dropped during proxy handling: '%s'", err.Error()) } }() } } -func verifyCert(cCtx *cli.Context) error { - domainList := strings.Split(cCtx.String("domain-names"), ":") - pubKeyFile, err := os.ReadFile(cCtx.String("pubkey")) - - if err != nil { - return err - } - - privKeyFile, err := os.ReadFile(cCtx.String("privkey")) - - if err != nil { - return err - } - - pubKey := string(pubKeyFile) - privKey := string(privKeyFile) - - bismuthClient, err := client.New(pubKey, privKey) - - if err != nil { - return err - } - - dialedConn, err := net.Dial("tcp", cCtx.String("signing-server")) - - if err != nil { - return err - } - - conn, certResults, err := bismuthClient.Conn(dialedConn) - - if err != nil { - return err - } - - if certResults.OverallTrustScore < 50 { - return fmt.Errorf("overall trust score is below 50 percent for certificate") - } - - fmt.Println("Sending signing request to sign server...") - - hasBeenTrusted, err := signingclient.RequestDomainToBeTrusted(conn, domainList, "") - - if hasBeenTrusted { - fmt.Println("Server has been successfully signed.") - } else { - fmt.Println("Server has not been successfully signed.") - os.Exit(1) - } - - return nil -} - -func signCert(cCtx *cli.Context) error { - domainList := strings.Split(cCtx.String("domain-names"), ":") - keyFingerprint, err := hex.DecodeString(cCtx.String("key-fingerprint")) - - if err != nil { - return err - } - - pubKeyFile, err := os.ReadFile(cCtx.String("pubkey")) - - if err != nil { - return err - } - - privKeyFile, err := os.ReadFile(cCtx.String("privkey")) - - if err != nil { - return err - } - - pubKey := string(pubKeyFile) - privKey := string(privKeyFile) - - bismuthClient, err := client.New(pubKey, privKey) - - if err != nil { - return err - } - - dialedConn, err := net.Dial("tcp", cCtx.String("signing-server")) - - if err != nil { - return err - } - - conn, certResults, err := bismuthClient.Conn(dialedConn) - - if err != nil { - return err - } - - if certResults.OverallTrustScore < 50 { - return fmt.Errorf("overall trust score is below 50 percent for certificate") - } - - isTrusted, err := signingclient.IsDomainTrusted(conn, keyFingerprint, domainList) - fmt.Printf("Certificate trust status: %t\n", isTrusted) - - if !isTrusted { - os.Exit(1) - } - - return nil -} - func main() { fmt.Println(asciiArt) fmt.Print("Implementation of the Bismuth protocol\n\n") @@ -482,7 +282,7 @@ func main() { }, }, Usage: "client for the Bismuth protocol", - Action: clientEntrypoint, + Action: bismuthClientEntrypoint, }, { Name: "server", @@ -508,14 +308,6 @@ func main() { Usage: "port to connect to", Required: true, }, - &cli.StringFlag{ - Name: "signing-servers", - Usage: "servers trusting/\"signing\" the public key. seperated using semicolons", - }, - &cli.StringFlag{ - Name: "domain-names", - Usage: "domain names the key is authorized to use. seperated using colons", - }, &cli.StringFlag{ Name: "dest-ip", Usage: "IP to listen on", @@ -528,109 +320,7 @@ func main() { }, }, Usage: "server for the Bismuth protocol", - Action: serverEntrypoint, - }, - { - Name: "test-sign-server", - Aliases: []string{"tss"}, - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "pubkey", - Usage: "path to PGP public key", - Required: true, - }, - &cli.StringFlag{ - Name: "privkey", - Usage: "path to PGP private key", - Required: true, - }, - &cli.StringFlag{ - Name: "ip", - Usage: "IP to listen on", - Value: "0.0.0.0", - }, - &cli.StringFlag{ - Name: "port", - Usage: "port to listen on", - Value: "9090", - }, - &cli.StringFlag{ - Name: "signing-servers", - Usage: "servers trusting/\"signing\" the public key. seperated using semicolons", - }, - &cli.StringFlag{ - Name: "domain-names", - Usage: "domain names the key is authorized to use. seperated using colons", - }, - }, - Usage: "test signing server for the Bismuth protocol", - Action: signingServerEntrypoint, - }, - { - Name: "sign-tool", - Aliases: []string{"st"}, - Subcommands: []*cli.Command{ - { - Name: "is-verified", - Aliases: []string{"i", "iv", "cv"}, - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "key-fingerprint", - Usage: "fingerprint of key", - Required: true, - }, - &cli.StringFlag{ - Name: "pubkey", - Usage: "path to PGP public key", - }, - &cli.StringFlag{ - Name: "privkey", - Usage: "path to PGP private key", - }, - &cli.StringFlag{ - Name: "domain-names", - Usage: "domain names the key is authorized to use. seperated using colons", - Required: true, - }, - &cli.StringFlag{ - Name: "signing-server", - Usage: "signing server to use", - Required: true, - }, - }, - Usage: "check if a certificate is verified for Bismuth", - Action: signCert, - }, - { - Name: "verify-cert", - Aliases: []string{"v", "vc"}, - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "pubkey", - Usage: "path to PGP public key", - Required: true, - }, - &cli.StringFlag{ - Name: "privkey", - Usage: "path to PGP private key", - Required: true, - }, - &cli.StringFlag{ - Name: "domain-names", - Usage: "domain names the key is authorized to use. seperated using colons", - Required: true, - }, - &cli.StringFlag{ - Name: "signing-server", - Usage: "signing server to use", - Required: true, - }, - }, - Usage: "verifies certificate for Bismuth", - Action: verifyCert, - }, - }, - Usage: "signing tool for Bismuth", + Action: bismuthServerEntrypoint, }, }, } diff --git a/server/server.go b/server/server.go index c6f6c7f..4e1c183 100644 --- a/server/server.go +++ b/server/server.go @@ -1,6 +1,7 @@ package server import ( + "fmt" "net" core "git.greysoh.dev/imterah/bismuthd/commons" @@ -12,6 +13,54 @@ import ( "golang.org/x/crypto/chacha20poly1305" ) +// Bismuth Server +type BismuthServer struct { + // Public key to use for transmission + PublicKey *crypto.Key + // Private key to use for transmission + PrivateKey *crypto.Key + + pgp *crypto.PGPHandle + + // Algorithm to use for encryption (currently XChaCha20Poly1305 is the only option) + SymmetricEncryptionAlgorithm int + // Servers that are signing this server. If none, this server becomes self-signed + // in the clients eyes + SigningServers []string + + // Called after a successful handshake & connection. + HandleConnection func(conn net.Conn) error +} + +func (bismuth BismuthServer) encryptMessage(aead cipher.AEAD, msg []byte) ([]byte, error) { + nonce := make([]byte, aead.NonceSize(), aead.NonceSize()+len(msg)+aead.Overhead()) + + if _, err := rand.Read(nonce); err != nil { + return []byte{}, err + } + + encryptedMsg := aead.Seal(nonce, nonce, msg, nil) + return encryptedMsg, nil +} + +func (bismuth BismuthServer) decryptMessage(aead cipher.AEAD, encMsg []byte) ([]byte, error) { + if len(encMsg) < aead.NonceSize() { + return []byte{}, fmt.Errorf("ciphertext too short") + } + + // Split nonce and ciphertext. + nonce, ciphertext := encMsg[:aead.NonceSize()], encMsg[aead.NonceSize():] + + // Decrypt the message and check it wasn't tampered with. + decryptedData, err := aead.Open(nil, nonce, ciphertext, nil) + + if err != nil { + return []byte{}, err + } + + return decryptedData, nil +} + // Called to handle a connnection for Bismuth. The conn argument is the client you'd like to handle func (bismuth BismuthServer) HandleProxy(conn net.Conn) error { serverState := "keyHandshake" @@ -162,54 +211,7 @@ func (bismuth BismuthServer) HandleProxy(conn net.Conn) error { return err } - switch packet[0] { - case core.GetSigningServers: - totalPacketContents := make([]byte, 1) - totalPacketContents[0] = core.GetSigningServers - - for index, signServer := range bismuth.SigningServers { - totalPacketContents = append(totalPacketContents, []byte(signServer)...) - - if index+1 != len(bismuth.SigningServers) { - totalPacketContents = append(totalPacketContents, '\n') - } - } - - encryptedPacket, err := bismuth.encryptMessage(aead, totalPacketContents) - - if err != nil { - return err - } - - encryptedPacketLength := make([]byte, 3) - core.Int32ToInt24(encryptedPacketLength, uint32(len(encryptedPacket))) - - conn.Write(encryptedPacketLength) - conn.Write(encryptedPacket) - case core.GetTrustedDomains: - totalPacketContents := make([]byte, 1) - totalPacketContents[0] = core.GetTrustedDomains - - for index, trustedDomain := range bismuth.TrustedDomains { - totalPacketContents = append(totalPacketContents, []byte(trustedDomain)...) - - if index+1 != len(bismuth.TrustedDomains) { - totalPacketContents = append(totalPacketContents, '\n') - } - } - - encryptedPacket, err := bismuth.encryptMessage(aead, totalPacketContents) - - if err != nil { - return err - } - - encryptedPacketLength := make([]byte, 3) - core.Int32ToInt24(encryptedPacketLength, uint32(len(encryptedPacket))) - - conn.Write(encryptedPacketLength) - conn.Write(encryptedPacket) - case core.InitiateForwarding: + if packet[0] == core.InitiateForwarding { bmConn := core.BismuthConn{ Aead: aead, PassedConn: conn, @@ -218,16 +220,42 @@ func (bismuth BismuthServer) HandleProxy(conn net.Conn) error { bmConn.DoInitSteps() - metadata := ClientMetadata{ - ClientPublicKey: clientPublicKey, - } - err := bismuth.HandleConnection(core.BismuthConnWrapped{ Bismuth: &bmConn, - }, &metadata) + }) return err } } } } + +// Initializes a Bismuth server. +// +// Both `pubKey` and `privKey` are armored PGP public and private keys respectively. +func NewBismuthServer(pubKey string, privKey string, signServers []string, encryptionAlgo int, connHandler func(conn net.Conn) error) (*BismuthServer, error) { + publicKey, err := crypto.NewKeyFromArmored(pubKey) + + if err != nil { + return nil, err + } + + privateKey, err := crypto.NewKeyFromArmored(privKey) + + if err != nil { + return nil, err + } + + pgp := crypto.PGP() + + bismuth := BismuthServer{ + PublicKey: publicKey, + PrivateKey: privateKey, + HandleConnection: connHandler, + SigningServers: signServers, + SymmetricEncryptionAlgorithm: encryptionAlgo, + pgp: pgp, + } + + return &bismuth, nil +} diff --git a/server/typing.go b/server/typing.go deleted file mode 100644 index bab25c4..0000000 --- a/server/typing.go +++ /dev/null @@ -1,36 +0,0 @@ -package server - -import ( - "net" - - "github.com/ProtonMail/gopenpgp/v3/crypto" -) - -// Bismuth Server -type BismuthServer struct { - // Public key to use for transmission - PublicKey *crypto.Key - // Private key to use for transmission - PrivateKey *crypto.Key - - // GopenPGP instance - pgp *crypto.PGPHandle - - // Algorithm to use for encryption (currently XChaCha20Poly1305 is the only option) - SymmetricEncryptionAlgorithm int - // Servers that are signing this server. If none, this server becomes self-signed - // in the clients eyes. - SigningServers []string - // Domains that the certificate is authorized to use. This will be checked by the - // signing servers. - TrustedDomains []string - - // Called after a successful handshake & connection. - HandleConnection func(conn net.Conn, metadata *ClientMetadata) error -} - -// Metadata from the client that may be helpful for the server to have. -type ClientMetadata struct { - // Client's public key - ClientPublicKey *crypto.Key -} diff --git a/server/utils.go b/server/utils.go deleted file mode 100644 index aff3186..0000000 --- a/server/utils.go +++ /dev/null @@ -1,68 +0,0 @@ -package server - -import ( - "crypto/cipher" - "crypto/rand" - "fmt" - - "github.com/ProtonMail/gopenpgp/v3/crypto" -) - -func (bismuth BismuthServer) encryptMessage(aead cipher.AEAD, msg []byte) ([]byte, error) { - nonce := make([]byte, aead.NonceSize(), aead.NonceSize()+len(msg)+aead.Overhead()) - - if _, err := rand.Read(nonce); err != nil { - return []byte{}, err - } - - encryptedMsg := aead.Seal(nonce, nonce, msg, nil) - return encryptedMsg, nil -} - -func (bismuth BismuthServer) decryptMessage(aead cipher.AEAD, encMsg []byte) ([]byte, error) { - if len(encMsg) < aead.NonceSize() { - return []byte{}, fmt.Errorf("ciphertext too short") - } - - // Split nonce and ciphertext. - nonce, ciphertext := encMsg[:aead.NonceSize()], encMsg[aead.NonceSize():] - - // Decrypt the message and check it wasn't tampered with. - decryptedData, err := aead.Open(nil, nonce, ciphertext, nil) - - if err != nil { - return []byte{}, err - } - - return decryptedData, nil -} - -// Initializes a Bismuth server. -// -// Both `pubKey` and `privKey` are armored PGP public and private keys respectively. -func New(pubKey string, privKey string, signServers []string, trustedDomains []string, encryptionAlgo int) (*BismuthServer, error) { - publicKey, err := crypto.NewKeyFromArmored(pubKey) - - if err != nil { - return nil, err - } - - privateKey, err := crypto.NewKeyFromArmored(privKey) - - if err != nil { - return nil, err - } - - pgp := crypto.PGP() - - bismuth := BismuthServer{ - PublicKey: publicKey, - PrivateKey: privateKey, - SigningServers: signServers, - TrustedDomains: trustedDomains, - SymmetricEncryptionAlgorithm: encryptionAlgo, - pgp: pgp, - } - - return &bismuth, nil -} diff --git a/signingclient/signingclient.go b/signingclient/signingclient.go deleted file mode 100644 index 0fe3ebb..0000000 --- a/signingclient/signingclient.go +++ /dev/null @@ -1,69 +0,0 @@ -package signingclient - -import ( - "encoding/binary" - "net" - "strings" - - core "git.greysoh.dev/imterah/bismuthd/commons" -) - -func IsDomainTrusted(conn net.Conn, keyFingerprint []byte, domainList []string) (bool, error) { - domainListAsString := strings.Join(domainList, "\n") - - keyFingerprintSize := len(keyFingerprint) - domainListSize := len(domainListAsString) - - domainTrustedCommand := make([]byte, 1+2+2+keyFingerprintSize+domainListSize) - - domainTrustedCommand[0] = core.AreDomainsValidForKey - currentOffset := 1 - - binary.BigEndian.PutUint16(domainTrustedCommand[currentOffset:currentOffset+2], uint16(keyFingerprintSize)) - copy(domainTrustedCommand[2+currentOffset:2+currentOffset+keyFingerprintSize], keyFingerprint) - - currentOffset += 2 + keyFingerprintSize - - binary.BigEndian.PutUint16(domainTrustedCommand[currentOffset:currentOffset+2], uint16(domainListSize)) - copy(domainTrustedCommand[2+currentOffset:2+currentOffset+domainListSize], []byte(domainListAsString)) - - conn.Write(domainTrustedCommand) - - requestResponse := make([]byte, 1) - - if _, err := conn.Read(requestResponse); err != nil { - return false, err - } - - return requestResponse[0] == core.Success, nil -} - -func RequestDomainToBeTrusted(conn net.Conn, domainList []string, additionalInformation string) (bool, error) { - domainListAsString := strings.Join(domainList, "\n") - - domainListSize := len(domainListAsString) - additionalInfoSize := len(additionalInformation) - - requestDomainTrust := make([]byte, 1+2+2+domainListSize+additionalInfoSize) - - requestDomainTrust[0] = core.ValidateKey - currentOffset := 1 - - binary.BigEndian.PutUint16(requestDomainTrust[currentOffset:currentOffset+2], uint16(domainListSize)) - copy(requestDomainTrust[2+currentOffset:2+currentOffset+domainListSize], []byte(domainListAsString)) - - currentOffset += 2 + domainListSize - - binary.BigEndian.PutUint16(requestDomainTrust[currentOffset:currentOffset+2], uint16(additionalInfoSize)) - copy(requestDomainTrust[2:currentOffset:2+currentOffset+additionalInfoSize], []byte(additionalInformation)) - - conn.Write(requestDomainTrust) - - requestResponse := make([]byte, 1) - - if _, err := conn.Read(requestResponse); err != nil { - return false, err - } - - return requestResponse[0] == core.Success, nil -} diff --git a/signingserver/signingserver.go b/signingserver/signingserver.go deleted file mode 100644 index 0ff29e7..0000000 --- a/signingserver/signingserver.go +++ /dev/null @@ -1,198 +0,0 @@ -package signingserver - -import ( - "crypto/sha256" - "encoding/binary" - "encoding/hex" - "fmt" - "net" - "strings" - - core "git.greysoh.dev/imterah/bismuthd/commons" - "git.greysoh.dev/imterah/bismuthd/server" -) - -func (signServer *BismuthSigningServer) InitializeServer() error { - if signServer.AddVerifyHandler == nil { - fmt.Println("WARN: You are using the default AddVerifyHandler in SignServer! This is a bad idea. Please write your own implementation!") - - signServer.AddVerifyHandler = func(serverAddr string, serverKeyFingerprint string, serverDomainList []string, additionalClientProvidedInfo string) (bool, error) { - domainListHash := sha256.Sum256([]byte(strings.Join(serverDomainList, ":"))) - - signServer.builtInVerifyMapStore[serverAddr+".fingerprint"] = serverKeyFingerprint - signServer.builtInVerifyMapStore[serverAddr+".domainListHash"] = hex.EncodeToString(domainListHash[:]) - - return true, nil - } - } - - if signServer.VerifyServerHandler == nil { - fmt.Println("WARN: You are using the default VerifyServerHandler in SignServer! This is a bad idea. Please write your own implementation!") - - signServer.VerifyServerHandler = func(serverAddr string, serverKeyFingerprint string, serverDomainList []string) (bool, error) { - domainListHash := sha256.Sum256([]byte(strings.Join(serverDomainList, ":"))) - domainListHashHex := hex.EncodeToString(domainListHash[:]) - - if storedKeyFingerprint, ok := signServer.builtInVerifyMapStore[serverAddr+".fingerprint"]; ok { - if storedKeyFingerprint != serverKeyFingerprint { - return false, nil - } - } else { - return false, nil - } - - if storedDomainListHashHex, ok := signServer.builtInVerifyMapStore[serverAddr+".domainListHash"]; ok { - if storedDomainListHashHex != domainListHashHex { - return false, nil - } - } else { - return false, nil - } - - return true, nil - } - } - - if signServer.builtInVerifyMapStore == nil { - signServer.builtInVerifyMapStore = map[string]string{} - } - - signServer.BismuthServer.HandleConnection = signServer.connHandler - return nil -} - -func (signServer *BismuthSigningServer) connHandler(conn net.Conn, metadata *server.ClientMetadata) error { - defer conn.Close() - requestType := make([]byte, 1) - - hostAndIP := conn.RemoteAddr().String() - hostAndIPColonIndex := strings.Index(hostAndIP, ":") - - if hostAndIPColonIndex == -1 { - return fmt.Errorf("failed to get colon in remote address") - } - - host := hostAndIP[:hostAndIPColonIndex] - clientKeyFingerprint := metadata.ClientPublicKey.GetFingerprint() - - for { - if _, err := conn.Read(requestType); err != nil { - return err - } - - if requestType[0] == core.AreDomainsValidForKey { - // This is probably a bit too big, but I'd like to air on the side of caution here... - keyFingerprintLength := make([]byte, 2) - - if _, err := conn.Read(keyFingerprintLength); err != nil { - return err - } - - keyFingerprintBytes := make([]byte, binary.BigEndian.Uint16(keyFingerprintLength)) - - if _, err := conn.Read(keyFingerprintBytes); err != nil { - return err - } - - keyFingerprint := hex.EncodeToString(keyFingerprintBytes) - serverDomainListLength := make([]byte, 2) - - if _, err := conn.Read(serverDomainListLength); err != nil { - return err - } - - serverDomainListBytes := make([]byte, binary.BigEndian.Uint16(serverDomainListLength)) - - if _, err := conn.Read(serverDomainListBytes); err != nil { - return err - } - - serverDomainList := strings.Split(string(serverDomainListBytes), "\n") - - // We can't trust anything if they aren't advertising any domains/IPs - if len(serverDomainList) == 0 { - requestResponse := make([]byte, 1) - requestResponse[0] = core.Failure - - conn.Write(requestResponse) - continue - } - - isVerified, err := signServer.VerifyServerHandler(host, keyFingerprint, serverDomainList) - - if err != nil { - requestResponse := make([]byte, 1) - requestResponse[0] = core.InternalError - - conn.Write(requestResponse) - - return err - } - - if isVerified { - requestResponse := make([]byte, 1) - requestResponse[0] = core.Success - - conn.Write(requestResponse) - } else { - requestResponse := make([]byte, 1) - requestResponse[0] = core.Failure - - conn.Write(requestResponse) - } - } else if requestType[0] == core.ValidateKey { - // This is probably a bit too big, but I'd like to air on the side of caution here... - serverDomainListLength := make([]byte, 2) - - if _, err := conn.Read(serverDomainListLength); err != nil { - return err - } - - serverDomainListBytes := make([]byte, binary.BigEndian.Uint16(serverDomainListLength)) - - if _, err := conn.Read(serverDomainListBytes); err != nil { - return err - } - - serverDomainList := strings.Split(string(serverDomainListBytes), "\n") - - additionalArgumentsLength := make([]byte, 2) - var additionalArgumentsSize uint16 - - if _, err := conn.Read(additionalArgumentsLength); err != nil { - return err - } - - additionalArgumentsSize = binary.BigEndian.Uint16(additionalArgumentsLength) - additionalArguments := "" - - if additionalArgumentsSize != 0 { - additionalArgumentsBytes := make([]byte, additionalArgumentsSize) - - if _, err := conn.Read(additionalArgumentsBytes); err != nil { - return err - } - - additionalArguments = string(additionalArgumentsBytes) - } - - isAddedToTrust, err := signServer.AddVerifyHandler(host, clientKeyFingerprint, serverDomainList, additionalArguments) - - if err != nil { - return err - } - - if isAddedToTrust { - requestResponse := make([]byte, 1) - requestResponse[0] = core.Success - - conn.Write(requestResponse) - } else { - requestResponse := make([]byte, 1) - requestResponse[0] = core.Failure - - conn.Write(requestResponse) - } - } - } -} diff --git a/signingserver/typing.go b/signingserver/typing.go deleted file mode 100644 index e15f7cd..0000000 --- a/signingserver/typing.go +++ /dev/null @@ -1,14 +0,0 @@ -package signingserver - -import "git.greysoh.dev/imterah/bismuthd/server" - -type AddVerifyHandlerCallback func(serverAddr string, serverKeyFingerprint string, serverAdvertisedTrustList []string, additionalClientProvidedInfo string) (bool, error) -type VerifyServerHandlerCallback func(serverAddr string, serverKeyFingerprint string, serverDomainList []string) (bool, error) - -type BismuthSigningServer struct { - BismuthServer *server.BismuthServer - - AddVerifyHandler AddVerifyHandlerCallback - VerifyServerHandler VerifyServerHandlerCallback - builtInVerifyMapStore map[string]string -} diff --git a/signingserver/utils.go b/signingserver/utils.go deleted file mode 100644 index 955524a..0000000 --- a/signingserver/utils.go +++ /dev/null @@ -1,15 +0,0 @@ -package signingserver - -import "git.greysoh.dev/imterah/bismuthd/server" - -func New(bismuthServer *server.BismuthServer) (*BismuthSigningServer, error) { - signServer := BismuthSigningServer{ - BismuthServer: bismuthServer, - } - - if err := signServer.InitializeServer(); err != nil { - return nil, err - } - - return &signServer, nil -} diff --git a/tests/integration_test.go b/tests/integration_test.go index bc2e9da..9e56be7 100644 --- a/tests/integration_test.go +++ b/tests/integration_test.go @@ -19,7 +19,6 @@ var testProtocolTxRxBufCount = 32 // Tests protocol transmitting and receiving // This is designed to be a nightmare scenario for the protocol to push the limits on what would be possible. func TestProtocolTxRx(t *testing.T) { - t.Log("running tests") pubKeyCli, privKeyCli, err := CreateKeyring("alice", "alice@contoso.com") if err != nil { @@ -53,9 +52,7 @@ func TestProtocolTxRx(t *testing.T) { t.Fatalf("failed to listen on TCP for localhost (%s)", err.Error()) } - bismuth, err := server.New(pubKeyServ, privKeyServ, []string{}, []string{}, commons.XChaCha20Poly1305) - - bismuth.HandleConnection = func(conn net.Conn, _ *server.ClientMetadata) error { + bismuth, err := server.NewBismuthServer(pubKeyServ, privKeyServ, []string{}, commons.XChaCha20Poly1305, func(conn net.Conn) error { for entryCount, randomDataSlice := range randomDataSlices { _, err = conn.Write(randomDataSlice) @@ -65,7 +62,7 @@ func TestProtocolTxRx(t *testing.T) { } return nil - } + }) // TODO: fix these warnings? go func() { @@ -89,15 +86,13 @@ func TestProtocolTxRx(t *testing.T) { t.Fatalf("failed to initialize bismuthClient (%s)", err.Error()) } - bismuthClient.CheckIfCertificatesAreSigned = false - originalConn, err := net.Dial("tcp", "127.0.0.1:"+strconv.Itoa(port)) if err != nil { t.Fatalf("failed to connect to bismuth server (%s)", err.Error()) } - conn, _, err := bismuthClient.Conn(originalConn) + conn, err := bismuthClient.Conn(originalConn) if err != nil { t.Fatalf("bismuth client failed to handshake when connecting to server (%s)", err.Error())