Kandy22
diff --git a/‎internal/multiplex/obfs.go‎
Lines changed: 78 additions & 99 deletions b/‎internal/multiplex/obfs.go‎
Lines changed: 78 additions & 99 deletions
diff --git a/‎internal/multiplex/obfs_test.go‎
Lines changed: 58 additions & 28 deletions b/‎internal/multiplex/obfs_test.go‎
Lines changed: 58 additions & 28 deletions
@@ -11,9 +11,6 @@ import (
 	"golang.org/x/crypto/salsa20"
 )
 
-type Obfser func(*Frame, []byte, int) (int, error)
-type Deobfser func(*Frame, []byte) error
-
 var u32 = binary.BigEndian.Uint32
 var u64 = binary.BigEndian.Uint64
 var putU32 = binary.BigEndian.PutUint32
@@ -30,21 +27,15 @@ const (
 
 // Obfuscator is responsible for serialisation, obfuscation, and optional encryption of data frames.
 type Obfuscator struct {
-	// Used in Stream.Write. Add multiplexing headers, encrypt and add TLS header
-	Obfs Obfser
-	// Remove TLS header, decrypt and unmarshall frames
-	Deobfs     Deobfser
+	payloadCipher cipher.AEAD
+
 	SessionKey [32]byte
 
 	maxOverhead int
 }
 
-// MakeObfs returns a function of type Obfser. An Obfser takes three arguments:
-// a *Frame with all the field set correctly, a []byte as buffer to put encrypted
-// message in, and an int called payloadOffsetInBuf to be used when *Frame.payload
-// is in the byte slice used as buffer (2nd argument). payloadOffsetInBuf specifies
-// the index at which data belonging to *Frame.Payload starts in the buffer.
-func MakeObfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Obfser {
+// obfuscate adds multiplexing headers, encrypt and add TLS header
+func (o *Obfuscator) obfuscate(f *Frame, buf []byte, payloadOffsetInBuf int) (int, error) {
 	// The method here is to use the first payloadCipher.NonceSize() bytes of the serialised frame header
 	// as iv/nonce for the AEAD cipher to encrypt the frame payload. Then we use
 	// the authentication tag produced appended to the end of the ciphertext (of size payloadCipher.Overhead())
@@ -76,109 +67,99 @@ func MakeObfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Obfser {
 	// We can't ensure its uniqueness ourselves, which is why plaintext mode must only be used when the user input
 	// is already random-like. For Cloak it would normally mean that the user is using a proxy protocol that sends
 	// encrypted data.
-	obfs := func(f *Frame, buf []byte, payloadOffsetInBuf int) (int, error) {
-		payloadLen := len(f.Payload)
-		if payloadLen == 0 {
-			return 0, errors.New("payload cannot be empty")
+	payloadLen := len(f.Payload)
+	if payloadLen == 0 {
+		return 0, errors.New("payload cannot be empty")
+	}
+	var extraLen int
+	if o.payloadCipher == nil {
+		extraLen = salsa20NonceSize - payloadLen
+		if extraLen < 0 {
+			// if our payload is already greater than 8 bytes
+			extraLen = 0
 		}
-		var extraLen int
-		if payloadCipher == nil {
-			extraLen = salsa20NonceSize - payloadLen
-			if extraLen < 0 {
-				// if our payload is already greater than 8 bytes
-				extraLen = 0
-			}
-		} else {
-			extraLen = payloadCipher.Overhead()
-			if extraLen < salsa20NonceSize {
-				return 0, errors.New("AEAD's Overhead cannot be fewer than 8 bytes")
-			}
+	} else {
+		extraLen = o.payloadCipher.Overhead()
+		if extraLen < salsa20NonceSize {
+			return 0, errors.New("AEAD's Overhead cannot be fewer than 8 bytes")
 		}
+	}
 
-		usefulLen := frameHeaderLength + payloadLen + extraLen
-		if len(buf) < usefulLen {
-			return 0, errors.New("obfs buffer too small")
-		}
-		// we do as much in-place as possible to save allocation
-		payload := buf[frameHeaderLength : frameHeaderLength+payloadLen]
-		if payloadOffsetInBuf != frameHeaderLength {
-			// if payload is not at the correct location in buffer
-			copy(payload, f.Payload)
-		}
+	usefulLen := frameHeaderLength + payloadLen + extraLen
+	if len(buf) < usefulLen {
+		return 0, errors.New("obfs buffer too small")
+	}
+	// we do as much in-place as possible to save allocation
+	payload := buf[frameHeaderLength : frameHeaderLength+payloadLen]
+	if payloadOffsetInBuf != frameHeaderLength {
+		// if payload is not at the correct location in buffer
+		copy(payload, f.Payload)
+	}
 
-		header := buf[:frameHeaderLength]
-		putU32(header[0:4], f.StreamID)
-		putU64(header[4:12], f.Seq)
-		header[12] = f.Closing
-		header[13] = byte(extraLen)
-
-		if payloadCipher == nil {
-			if extraLen != 0 { // read nonce
-				extra := buf[usefulLen-extraLen : usefulLen]
-				common.CryptoRandRead(extra)
-			}
-		} else {
-			payloadCipher.Seal(payload[:0], header[:payloadCipher.NonceSize()], payload, nil)
+	header := buf[:frameHeaderLength]
+	putU32(header[0:4], f.StreamID)
+	putU64(header[4:12], f.Seq)
+	header[12] = f.Closing
+	header[13] = byte(extraLen)
+
+	if o.payloadCipher == nil {
+		if extraLen != 0 { // read nonce
+			extra := buf[usefulLen-extraLen : usefulLen]
+			common.CryptoRandRead(extra)
 		}
+	} else {
+		o.payloadCipher.Seal(payload[:0], header[:o.payloadCipher.NonceSize()], payload, nil)
+	}
 
-		nonce := buf[usefulLen-salsa20NonceSize : usefulLen]
-		salsa20.XORKeyStream(header, header, nonce, &salsaKey)
+	nonce := buf[usefulLen-salsa20NonceSize : usefulLen]
+	salsa20.XORKeyStream(header, header, nonce, &o.SessionKey)
 
-		return usefulLen, nil
-	}
-	return obfs
+	return usefulLen, nil
 }
 
-// MakeDeobfs returns a function Deobfser. A Deobfser takes in a single byte slice,
-// containing the message to be decrypted, and returns a *Frame containing the frame
-// information and plaintext
-func MakeDeobfs(salsaKey [32]byte, payloadCipher cipher.AEAD) Deobfser {
-	// frame header length + minimum data size (i.e. nonce size of salsa20)
-	const minInputLen = frameHeaderLength + salsa20NonceSize
-	deobfs := func(f *Frame, in []byte) error {
-		if len(in) < minInputLen {
-			return fmt.Errorf("input size %v, but it cannot be shorter than %v bytes", len(in), minInputLen)
-		}
+// deobfuscate removes TLS header, decrypt and unmarshall frames
+func (o *Obfuscator) deobfuscate(f *Frame, in []byte) error {
+	if len(in) < frameHeaderLength+salsa20NonceSize {
+		return fmt.Errorf("input size %v, but it cannot be shorter than %v bytes", len(in), frameHeaderLength+salsa20NonceSize)
+	}
 
-		header := in[:frameHeaderLength]
-		pldWithOverHead := in[frameHeaderLength:] // payload + potential overhead
+	header := in[:frameHeaderLength]
+	pldWithOverHead := in[frameHeaderLength:] // payload + potential overhead
 
-		nonce := in[len(in)-salsa20NonceSize:]
-		salsa20.XORKeyStream(header, header, nonce, &salsaKey)
+	nonce := in[len(in)-salsa20NonceSize:]
+	salsa20.XORKeyStream(header, header, nonce, &o.SessionKey)
 
-		streamID := u32(header[0:4])
-		seq := u64(header[4:12])
-		closing := header[12]
-		extraLen := header[13]
+	streamID := u32(header[0:4])
+	seq := u64(header[4:12])
+	closing := header[12]
+	extraLen := header[13]
 
-		usefulPayloadLen := len(pldWithOverHead) - int(extraLen)
-		if usefulPayloadLen < 0 || usefulPayloadLen > len(pldWithOverHead) {
-			return errors.New("extra length is negative or extra length is greater than total pldWithOverHead length")
-		}
+	usefulPayloadLen := len(pldWithOverHead) - int(extraLen)
+	if usefulPayloadLen < 0 || usefulPayloadLen > len(pldWithOverHead) {
+		return errors.New("extra length is negative or extra length is greater than total pldWithOverHead length")
+	}
 
-		var outputPayload []byte
+	var outputPayload []byte
 
-		if payloadCipher == nil {
-			if extraLen == 0 {
-				outputPayload = pldWithOverHead
-			} else {
-				outputPayload = pldWithOverHead[:usefulPayloadLen]
-			}
+	if o.payloadCipher == nil {
+		if extraLen == 0 {
+			outputPayload = pldWithOverHead
 		} else {
-			_, err := payloadCipher.Open(pldWithOverHead[:0], header[:payloadCipher.NonceSize()], pldWithOverHead, nil)
-			if err != nil {
-				return err
-			}
 			outputPayload = pldWithOverHead[:usefulPayloadLen]
 		}
-
-		f.StreamID = streamID
-		f.Seq = seq
-		f.Closing = closing
-		f.Payload = outputPayload
-		return nil
+	} else {
+		_, err := o.payloadCipher.Open(pldWithOverHead[:0], header[:o.payloadCipher.NonceSize()], pldWithOverHead, nil)
+		if err != nil {
+			return err
+		}
+		outputPayload = pldWithOverHead[:usefulPayloadLen]
 	}
-	return deobfs
+
+	f.StreamID = streamID
+	f.Seq = seq
+	f.Closing = closing
+	f.Payload = outputPayload
+	return nil
 }
 
 func MakeObfuscator(encryptionMethod byte, sessionKey [32]byte) (obfuscator Obfuscator, err error) {
@@ -217,7 +198,5 @@ func MakeObfuscator(encryptionMethod byte, sessionKey [32]byte) (obfuscator Obfu
 		}
 	}
 
-	obfuscator.Obfs = MakeObfs(sessionKey, payloadCipher)
-	obfuscator.Deobfs = MakeDeobfs(sessionKey, payloadCipher)
 	return
 }
@@ -19,14 +19,14 @@ func TestGenerateObfs(t *testing.T) {
 		obfsBuf := make([]byte, 512)
 		_testFrame, _ := quick.Value(reflect.TypeOf(&Frame{}), rand.New(rand.NewSource(42)))
 		testFrame := _testFrame.Interface().(*Frame)
-		i, err := obfuscator.Obfs(testFrame, obfsBuf, 0)
+		i, err := obfuscator.obfuscate(testFrame, obfsBuf, 0)
 		if err != nil {
 			ct.Error("failed to obfs ", err)
 			return
 		}
 
 		var resultFrame Frame
-		err = obfuscator.Deobfs(&resultFrame, obfsBuf[:i])
+		err = obfuscator.deobfuscate(&resultFrame, obfsBuf[:i])
 		if err != nil {
 			ct.Error("failed to deobfs ", err)
 			return
@@ -88,40 +88,57 @@ func BenchmarkObfs(b *testing.B) {
 		c, _ := aes.NewCipher(key[:])
 		payloadCipher, _ := cipher.NewGCM(c)
 
-		obfs := MakeObfs(key, payloadCipher)
+		obfuscator := Obfuscator{
+			payloadCipher: payloadCipher,
+			SessionKey:    key,
+			maxOverhead:   payloadCipher.Overhead(),
+		}
+
 		b.SetBytes(int64(len(testFrame.Payload)))
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
-			obfs(testFrame, obfsBuf, 0)
+			obfuscator.obfuscate(testFrame, obfsBuf, 0)
 		}
 	})
 	b.Run("AES128GCM", func(b *testing.B) {
 		c, _ := aes.NewCipher(key[:16])
 		payloadCipher, _ := cipher.NewGCM(c)
 
-		obfs := MakeObfs(key, payloadCipher)
+		obfuscator := Obfuscator{
+			payloadCipher: payloadCipher,
+			SessionKey:    key,
+			maxOverhead:   payloadCipher.Overhead(),
+		}
 		b.SetBytes(int64(len(testFrame.Payload)))
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
-			obfs(testFrame, obfsBuf, 0)
+			obfuscator.obfuscate(testFrame, obfsBuf, 0)
 		}
 	})
 	b.Run("plain", func(b *testing.B) {
-		obfs := MakeObfs(key, nil)
+		obfuscator := Obfuscator{
+			payloadCipher: nil,
+			SessionKey:    key,
+			maxOverhead:   salsa20NonceSize,
+		}
 		b.SetBytes(int64(len(testFrame.Payload)))
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
-			obfs(testFrame, obfsBuf, 0)
+			obfuscator.obfuscate(testFrame, obfsBuf, 0)
 		}
 	})
 	b.Run("chacha20Poly1305", func(b *testing.B) {
-		payloadCipher, _ := chacha20poly1305.New(key[:16])
+		payloadCipher, _ := chacha20poly1305.New(key[:])
 
-		obfs := MakeObfs(key, payloadCipher)
+		obfuscator := Obfuscator{
+			payloadCipher: payloadCipher,
+			SessionKey:    key,
+			maxOverhead:   payloadCipher.Overhead(),
+		}
 		b.SetBytes(int64(len(testFrame.Payload)))
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
-			obfs(testFrame, obfsBuf, 0)
+			obfuscator.obfuscate(testFrame, obfsBuf, 0)
 		}
 	})
 }
@@ -143,57 +160,70 @@ func BenchmarkDeobfs(b *testing.B) {
 	b.Run("AES256GCM", func(b *testing.B) {
 		c, _ := aes.NewCipher(key[:])
 		payloadCipher, _ := cipher.NewGCM(c)
+		obfuscator := Obfuscator{
+			payloadCipher: payloadCipher,
+			SessionKey:    key,
+			maxOverhead:   payloadCipher.Overhead(),
+		}
 
-		obfs := MakeObfs(key, payloadCipher)
-		n, _ := obfs(testFrame, obfsBuf, 0)
-		deobfs := MakeDeobfs(key, payloadCipher)
+		n, _ := obfuscator.obfuscate(testFrame, obfsBuf, 0)
 
 		frame := new(Frame)
 		b.SetBytes(int64(n))
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
-			deobfs(frame, obfsBuf[:n])
+			obfuscator.deobfuscate(frame, obfsBuf[:n])
 		}
 	})
 	b.Run("AES128GCM", func(b *testing.B) {
 		c, _ := aes.NewCipher(key[:16])
 		payloadCipher, _ := cipher.NewGCM(c)
 
-		obfs := MakeObfs(key, payloadCipher)
-		n, _ := obfs(testFrame, obfsBuf, 0)
-		deobfs := MakeDeobfs(key, payloadCipher)
+		obfuscator := Obfuscator{
+			payloadCipher: payloadCipher,
+			SessionKey:    key,
+			maxOverhead:   payloadCipher.Overhead(),
+		}
+		n, _ := obfuscator.obfuscate(testFrame, obfsBuf, 0)
 
 		frame := new(Frame)
 		b.ResetTimer()
 		b.SetBytes(int64(n))
 		for i := 0; i < b.N; i++ {
-			deobfs(frame, obfsBuf[:n])
+			obfuscator.deobfuscate(frame, obfsBuf[:n])
 		}
 	})
 	b.Run("plain", func(b *testing.B) {
-		obfs := MakeObfs(key, nil)
-		n, _ := obfs(testFrame, obfsBuf, 0)
-		deobfs := MakeDeobfs(key, nil)
+		obfuscator := Obfuscator{
+			payloadCipher: nil,
+			SessionKey:    key,
+			maxOverhead:   salsa20NonceSize,
+		}
+		n, _ := obfuscator.obfuscate(testFrame, obfsBuf, 0)
 
 		frame := new(Frame)
 		b.ResetTimer()
 		b.SetBytes(int64(n))
 		for i := 0; i < b.N; i++ {
-			deobfs(frame, obfsBuf[:n])
+			obfuscator.deobfuscate(frame, obfsBuf[:n])
 		}
 	})
 	b.Run("chacha20Poly1305", func(b *testing.B) {
-		payloadCipher, _ := chacha20poly1305.New(key[:16])
+		payloadCipher, _ := chacha20poly1305.New(key[:])
+
+		obfuscator := Obfuscator{
+			payloadCipher: nil,
+			SessionKey:    key,
+			maxOverhead:   payloadCipher.Overhead(),
+		}
 
-		obfs := MakeObfs(key, payloadCipher)
-		n, _ := obfs(testFrame, obfsBuf, 0)
-		deobfs := MakeDeobfs(key, payloadCipher)
+		n, _ := obfuscator.obfuscate(testFrame, obfsBuf, 0)
 
 		frame := new(Frame)
 		b.ResetTimer()
 		b.SetBytes(int64(n))
 		for i := 0; i < b.N; i++ {
-			deobfs(frame, obfsBuf[:n])
+			obfuscator.deobfuscate(frame, obfsBuf[:n])
 		}
 	})
 }