2 GoVPN -- simple secure free software virtual private network daemon
3 Copyright (C) 2014-2015 Sergey Matveev <stargrave@stargrave.org>
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
30 "golang.org/x/crypto/curve25519"
31 "golang.org/x/crypto/poly1305"
32 "golang.org/x/crypto/salsa20"
33 "golang.org/x/crypto/salsa20/salsa"
34 "golang.org/x/crypto/xtea"
37 type Handshake struct {
42 dhPriv *[32]byte // own private DH key
43 key *[KeySize]byte // handshake encryption key
44 rServer *[8]byte // random string for authentication
46 sServer *[32]byte // secret string for main key calculation
50 func keyFromSecrets(server, client []byte) *[KeySize]byte {
52 for i := 0; i < 32; i++ {
53 k[i] = server[i] ^ client[i]
58 // Check if it is valid handshake-related message.
59 // Minimal size and last 16 zero bytes.
60 func IsValidHandshakePkt(pkt []byte) bool {
64 for i := len(pkt) - poly1305.TagSize; i < len(pkt); i++ {
72 // Zero handshake's memory state
73 func (h *Handshake) Zero() {
74 sliceZero(h.rNonce[:])
75 sliceZero(h.dhPriv[:])
78 sliceZero(h.rServer[:])
81 sliceZero(h.rClient[:])
84 sliceZero(h.sServer[:])
87 sliceZero(h.sClient[:])
91 func (h *Handshake) rNonceNext() []byte {
92 nonce := make([]byte, 8)
93 nonceCurrent, _ := binary.Uvarint(h.rNonce[:])
94 binary.PutUvarint(nonce, nonceCurrent+1)
98 func dhPrivGen() *[32]byte {
100 if _, err := rand.Read(dh[:]); err != nil {
101 panic("Can not read random for DH private key")
106 func dhKeyGen(priv, pub *[32]byte) *[32]byte {
108 curve25519.ScalarMult(key, priv, pub)
109 salsa.HSalsa20(key, new([16]byte), key, &salsa.Sigma)
113 // Create new handshake state.
114 func HandshakeNew(addr *net.UDPAddr) *Handshake {
117 LastPing: time.Now(),
122 // Start handshake's procedure from the client.
123 // It is the entry point for starting the handshake procedure.
124 // You have to specify outgoing conn address, remote's addr address,
125 // our own identification and an encryption key. First handshake packet
126 // will be sent immediately.
127 func HandshakeStart(conn *net.UDPConn, addr *net.UDPAddr, id *PeerId, key *[32]byte) *Handshake {
128 state := HandshakeNew(addr)
130 state.dhPriv = dhPrivGen()
131 dhPub := new([32]byte)
132 curve25519.ScalarBaseMult(dhPub, state.dhPriv)
134 state.rNonce = new([8]byte)
135 if _, err := rand.Read(state.rNonce[:]); err != nil {
136 panic("Can not read random for handshake nonce")
138 enc := make([]byte, 32)
139 salsa20.XORKeyStream(enc, dhPub[:], state.rNonce[:], key)
141 ciph, err := xtea.NewCipher(id[:])
145 rEnc := make([]byte, xtea.BlockSize)
146 ciph.Encrypt(rEnc, state.rNonce[:])
148 data := append(state.rNonce[:], enc...)
149 data = append(data, rEnc...)
150 data = append(data, '\x00')
151 data = append(data, make([]byte, poly1305.TagSize)...)
153 if _, err := conn.WriteTo(data, addr); err != nil {
159 // Process handshake message on the server side.
160 // This function is intended to be called on server's side.
161 // Our outgoing conn connection and received data are required.
162 // If this is the final handshake message, then new Peer object
163 // will be created and used as a transport. If no mutually
164 // authenticated Peer is ready, then return nil.
165 func (h *Handshake) Server(conn *net.UDPConn, data []byte) *Peer {
167 case 65: // R + ENC(PSK, dh_client_pub) + xtea(ID, R) + NULL + NULLs
169 log.Println("Invalid handshake stage from", h.addr)
173 // Try to determine client's ID
174 id := IDsCache.Find(data[:8], data[8+32:8+32+8])
176 log.Println("Unknown identity from", h.addr)
179 key := KeyRead(path.Join(PeersPath, id.String(), "key"))
182 // Generate private DH key
183 h.dhPriv = dhPrivGen()
184 dhPub := new([32]byte)
185 curve25519.ScalarBaseMult(dhPub, h.dhPriv)
187 // Decrypt remote public key and compute shared key
189 salsa20.XORKeyStream(dec[:], data[8:8+32], data[:8], key)
190 h.key = dhKeyGen(h.dhPriv, dec)
192 // Compute nonce and encrypt our public key
193 h.rNonce = new([8]byte)
194 copy(h.rNonce[:], data[:8])
196 encPub := make([]byte, 32)
197 salsa20.XORKeyStream(encPub, dhPub[:], h.rNonceNext(), key)
199 // Generate R* and encrypt them
200 h.rServer = new([8]byte)
201 if _, err := rand.Read(h.rServer[:]); err != nil {
202 panic("Can not read random for handshake random key")
204 h.sServer = new([32]byte)
205 if _, err := rand.Read(h.sServer[:]); err != nil {
206 panic("Can not read random for handshake shared key")
208 encRs := make([]byte, 8+32)
209 salsa20.XORKeyStream(encRs, append(h.rServer[:], h.sServer[:]...), h.rNonce[:], h.key)
211 // Send that to client
212 if _, err := conn.WriteTo(
214 append(encRs, make([]byte, poly1305.TagSize)...)...), h.addr); err != nil {
217 h.LastPing = time.Now()
218 case 64: // ENC(K, RS + RC + SC) + NULLs
219 if (h.rNonce == nil) || (h.rClient != nil) {
220 log.Println("Invalid handshake stage from", h.addr)
224 // Decrypted Rs compare rServer
225 decRs := make([]byte, 8+8+32)
226 salsa20.XORKeyStream(decRs, data[:8+8+32], h.rNonceNext(), h.key)
227 if subtle.ConstantTimeCompare(decRs[:8], h.rServer[:]) != 1 {
228 log.Println("Invalid server's random number with", h.addr)
232 // Send final answer to client
233 enc := make([]byte, 8)
234 salsa20.XORKeyStream(enc, decRs[8:8+8], make([]byte, 8), h.key)
235 if _, err := conn.WriteTo(append(enc, make([]byte, poly1305.TagSize)...), h.addr); err != nil {
240 peer := newPeer(h.addr, h.Id, 0, keyFromSecrets(h.sServer[:], decRs[8+8:]))
241 h.LastPing = time.Now()
244 log.Println("Invalid handshake message from", h.addr)
249 // Process handshake message on the client side.
250 // This function is intended to be called on client's side.
251 // Our outgoing conn connection, authentication key and received data
252 // are required. Client does not work with identities, as he is the
253 // only one, so key is a requirement.
254 // If this is the final handshake message, then new Peer object
255 // will be created and used as a transport. If no mutually
256 // authenticated Peer is ready, then return nil.
257 func (h *Handshake) Client(conn *net.UDPConn, key *[KeySize]byte, data []byte) *Peer {
259 case 88: // ENC(PSK, dh_server_pub) + ENC(K, RS + SS) + NULLs
261 log.Println("Invalid handshake stage from", h.addr)
265 // Decrypt remote public key and compute shared key
267 salsa20.XORKeyStream(dec[:], data[:32], h.rNonceNext(), key)
268 h.key = dhKeyGen(h.dhPriv, dec)
271 decRs := make([]byte, 8+32)
272 salsa20.XORKeyStream(decRs, data[32:32+8+32], h.rNonce[:], h.key)
273 h.rServer = new([8]byte)
274 copy(h.rServer[:], decRs[:8])
275 h.sServer = new([32]byte)
276 copy(h.sServer[:], decRs[8:])
278 // Generate R* and encrypt them
279 h.rClient = new([8]byte)
280 if _, err := rand.Read(h.rClient[:]); err != nil {
281 panic("Can not read random for handshake random key")
283 h.sClient = new([32]byte)
284 if _, err := rand.Read(h.sClient[:]); err != nil {
285 panic("Can not read random for handshake shared key")
287 encRs := make([]byte, 8+8+32)
288 salsa20.XORKeyStream(encRs,
290 append(h.rClient[:], h.sClient[:]...)...), h.rNonceNext(), h.key)
292 // Send that to server
293 if _, err := conn.WriteTo(append(encRs, make([]byte, poly1305.TagSize)...), h.addr); err != nil {
296 h.LastPing = time.Now()
297 case 24: // ENC(K, RC) + NULLs
299 log.Println("Invalid handshake stage from", h.addr)
304 dec := make([]byte, 8)
305 salsa20.XORKeyStream(dec, data[:8], make([]byte, 8), h.key)
306 if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
307 log.Println("Invalid client's random number with", h.addr)
312 peer := newPeer(h.addr, h.Id, 1, keyFromSecrets(h.sServer[:], h.sClient[:]))
313 h.LastPing = time.Now()
316 log.Println("Invalid handshake message from", h.addr)