2 GoVPN -- simple secure free software virtual private network daemon
3 Copyright (C) 2014-2015 Sergey Matveev <stargrave@stargrave.org>
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
30 "golang.org/x/crypto/curve25519"
31 "golang.org/x/crypto/salsa20"
32 "golang.org/x/crypto/salsa20/salsa"
33 "golang.org/x/crypto/xtea"
36 type Handshake struct {
41 dhPriv *[32]byte // own private DH key
42 key *[KeySize]byte // handshake encryption key
43 rServer *[8]byte // random string for authentication
45 sServer *[32]byte // secret string for main key calculation
49 func keyFromSecrets(server, client []byte) *[KeySize]byte {
51 for i := 0; i < 32; i++ {
52 k[i] = server[i] ^ client[i]
57 // Zero handshake's memory state
58 func (h *Handshake) Zero() {
60 sliceZero(h.rNonce[:])
63 sliceZero(h.dhPriv[:])
69 sliceZero(h.rServer[:])
72 sliceZero(h.rClient[:])
75 sliceZero(h.sServer[:])
78 sliceZero(h.sClient[:])
82 func (h *Handshake) rNonceNext() []byte {
83 nonce := make([]byte, 8)
84 nonceCurrent, _ := binary.Uvarint(h.rNonce[:])
85 binary.PutUvarint(nonce, nonceCurrent+1)
89 func dhPrivGen() *[32]byte {
91 if _, err := rand.Read(dh[:]); err != nil {
92 panic("Can not read random for DH private key")
97 func dhKeyGen(priv, pub *[32]byte) *[32]byte {
99 curve25519.ScalarMult(key, priv, pub)
100 salsa.HSalsa20(key, new([16]byte), key, &salsa.Sigma)
104 // Create new handshake state.
105 func HandshakeNew(addr *net.UDPAddr) *Handshake {
108 LastPing: time.Now(),
113 // Generate ID tag from client identification and data.
114 func idTag(id *PeerId, data []byte) []byte {
115 ciph, err := xtea.NewCipher(id[:])
119 enc := make([]byte, xtea.BlockSize)
120 ciph.Encrypt(enc, data[:xtea.BlockSize])
124 // Start handshake's procedure from the client.
125 // It is the entry point for starting the handshake procedure.
126 // You have to specify outgoing conn address, remote's addr address,
127 // our own identification and an encryption key. First handshake packet
128 // will be sent immediately.
129 func HandshakeStart(conn *net.UDPConn, addr *net.UDPAddr, id *PeerId, key *[32]byte) *Handshake {
130 state := HandshakeNew(addr)
132 state.dhPriv = dhPrivGen()
133 dhPub := new([32]byte)
134 curve25519.ScalarBaseMult(dhPub, state.dhPriv)
136 state.rNonce = new([8]byte)
137 if _, err := rand.Read(state.rNonce[:]); err != nil {
138 panic("Can not read random for handshake nonce")
140 enc := make([]byte, 32)
141 salsa20.XORKeyStream(enc, dhPub[:], state.rNonce[:], key)
142 data := append(state.rNonce[:], enc...)
143 data = append(data, idTag(id, state.rNonce[:])...)
144 if _, err := conn.WriteTo(data, addr); err != nil {
150 // Process handshake message on the server side.
151 // This function is intended to be called on server's side.
152 // Client identity, our outgoing conn connection and
153 // received data are required.
154 // If this is the final handshake message, then new Peer object
155 // will be created and used as a transport. If no mutually
156 // authenticated Peer is ready, then return nil.
157 func (h *Handshake) Server(id *PeerId, conn *net.UDPConn, data []byte) *Peer {
158 // R + ENC(PSK, dh_client_pub) + IDtag
159 if len(data) == 48 && h.rNonce == nil {
160 key := KeyRead(path.Join(PeersPath, id.String(), "key"))
163 // Generate private DH key
164 h.dhPriv = dhPrivGen()
165 dhPub := new([32]byte)
166 curve25519.ScalarBaseMult(dhPub, h.dhPriv)
168 // Decrypt remote public key and compute shared key
170 salsa20.XORKeyStream(dec[:], data[8:8+32], data[:8], key)
171 h.key = dhKeyGen(h.dhPriv, dec)
173 // Compute nonce and encrypt our public key
174 h.rNonce = new([8]byte)
175 copy(h.rNonce[:], data[:8])
177 encPub := make([]byte, 32)
178 salsa20.XORKeyStream(encPub, dhPub[:], h.rNonceNext(), key)
180 // Generate R* and encrypt them
181 h.rServer = new([8]byte)
182 if _, err := rand.Read(h.rServer[:]); err != nil {
183 panic("Can not read random for handshake random key")
185 h.sServer = new([32]byte)
186 if _, err := rand.Read(h.sServer[:]); err != nil {
187 panic("Can not read random for handshake shared key")
189 encRs := make([]byte, 8+32)
190 salsa20.XORKeyStream(encRs, append(h.rServer[:], h.sServer[:]...), h.rNonce[:], h.key)
192 // Send that to client
193 if _, err := conn.WriteTo(
194 append(encPub, append(encRs, idTag(id, encPub)...)...), h.addr); err != nil {
197 h.LastPing = time.Now()
199 // ENC(K, RS + RC + SC) + IDtag
200 if len(data) == 56 && h.rClient == nil {
201 // Decrypted Rs compare rServer
202 decRs := make([]byte, 8+8+32)
203 salsa20.XORKeyStream(decRs, data[:8+8+32], h.rNonceNext(), h.key)
204 if subtle.ConstantTimeCompare(decRs[:8], h.rServer[:]) != 1 {
205 log.Println("Invalid server's random number with", h.addr)
209 // Send final answer to client
210 enc := make([]byte, 8)
211 salsa20.XORKeyStream(enc, decRs[8:8+8], make([]byte, 8), h.key)
212 if _, err := conn.WriteTo(append(enc, idTag(id, enc)...), h.addr); err != nil {
217 peer := newPeer(h.addr, h.Id, 0, keyFromSecrets(h.sServer[:], decRs[8+8:]))
218 h.LastPing = time.Now()
221 log.Println("Invalid handshake message from", h.addr)
226 // Process handshake message on the client side.
227 // This function is intended to be called on client's side.
228 // Our outgoing conn connection, authentication
229 // key and received data are required.
230 // If this is the final handshake message, then new Peer object
231 // will be created and used as a transport. If no mutually
232 // authenticated Peer is ready, then return nil.
233 func (h *Handshake) Client(id *PeerId, conn *net.UDPConn, key *[KeySize]byte, data []byte) *Peer {
235 case 80: // ENC(PSK, dh_server_pub) + ENC(K, RS + SS) + IDtag
237 log.Println("Invalid handshake stage from", h.addr)
241 // Decrypt remote public key and compute shared key
243 salsa20.XORKeyStream(dec[:], data[:32], h.rNonceNext(), key)
244 h.key = dhKeyGen(h.dhPriv, dec)
247 decRs := make([]byte, 8+32)
248 salsa20.XORKeyStream(decRs, data[32:32+8+32], h.rNonce[:], h.key)
249 h.rServer = new([8]byte)
250 copy(h.rServer[:], decRs[:8])
251 h.sServer = new([32]byte)
252 copy(h.sServer[:], decRs[8:])
254 // Generate R* and encrypt them
255 h.rClient = new([8]byte)
256 if _, err := rand.Read(h.rClient[:]); err != nil {
257 panic("Can not read random for handshake random key")
259 h.sClient = new([32]byte)
260 if _, err := rand.Read(h.sClient[:]); err != nil {
261 panic("Can not read random for handshake shared key")
263 encRs := make([]byte, 8+8+32)
264 salsa20.XORKeyStream(encRs,
266 append(h.rClient[:], h.sClient[:]...)...), h.rNonceNext(), h.key)
268 // Send that to server
269 if _, err := conn.WriteTo(append(encRs, idTag(id, encRs)...), h.addr); err != nil {
272 h.LastPing = time.Now()
273 case 16: // ENC(K, RC) + IDtag
275 log.Println("Invalid handshake stage from", h.addr)
280 dec := make([]byte, 8)
281 salsa20.XORKeyStream(dec, data[:8], make([]byte, 8), h.key)
282 if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
283 log.Println("Invalid client's random number with", h.addr)
288 peer := newPeer(h.addr, h.Id, 1, keyFromSecrets(h.sServer[:], h.sClient[:]))
289 h.LastPing = time.Now()
292 log.Println("Invalid handshake message from", h.addr)