/*
-govpn -- Simple secure virtual private network daemon
+GoVPN -- simple secure free software virtual private network daemon
Copyright (C) 2014-2015 Sergey Matveev <stargrave@stargrave.org>
This program is free software: you can redistribute it and/or modify
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-package main
+package govpn
import (
"crypto/rand"
"crypto/subtle"
"encoding/binary"
- "fmt"
+ "log"
"net"
+ "path"
"time"
"golang.org/x/crypto/curve25519"
- "golang.org/x/crypto/poly1305"
"golang.org/x/crypto/salsa20"
"golang.org/x/crypto/salsa20/salsa"
+ "golang.org/x/crypto/xtea"
)
type Handshake struct {
addr *net.UDPAddr
- lastPing time.Time
+ LastPing time.Time
+ Id PeerId
rNonce *[8]byte
- dhPriv *[32]byte // own private DH key
- key *[32]byte // handshake encryption key
- rServer *[8]byte // random string for authentication
+ dhPriv *[32]byte // own private DH key
+ key *[KeySize]byte // handshake encryption key
+ rServer *[8]byte // random string for authentication
rClient *[8]byte
sServer *[32]byte // secret string for main key calculation
sClient *[32]byte
}
-func KeyFromSecrets(server, client []byte) *[32]byte {
+func keyFromSecrets(server, client []byte) *[KeySize]byte {
k := new([32]byte)
for i := 0; i < 32; i++ {
k[i] = server[i] ^ client[i]
return k
}
-// Check if it is valid handshake-related message
-// Minimal size and last 16 zero bytes
-func isValidHandshakePkt(pkt []byte) bool {
- if len(pkt) < 24 {
- return false
+// Zero handshake's memory state
+func (h *Handshake) Zero() {
+ if h.rNonce != nil {
+ sliceZero(h.rNonce[:])
}
- for i := len(pkt) - poly1305.TagSize; i < len(pkt); i++ {
- if pkt[i] != '\x00' {
- return false
- }
+ if h.dhPriv != nil {
+ sliceZero(h.dhPriv[:])
+ }
+ if h.key != nil {
+ sliceZero(h.key[:])
+ }
+ if h.rServer != nil {
+ sliceZero(h.rServer[:])
+ }
+ if h.rClient != nil {
+ sliceZero(h.rClient[:])
+ }
+ if h.sServer != nil {
+ sliceZero(h.sServer[:])
+ }
+ if h.sClient != nil {
+ sliceZero(h.sClient[:])
}
- return true
}
func (h *Handshake) rNonceNext() []byte {
return key
}
-func HandshakeStart(conn *net.UDPConn, addr *net.UDPAddr, key *[32]byte) *Handshake {
- state := Handshake{}
- state.addr = addr
- state.lastPing = time.Now()
+// Create new handshake state.
+func HandshakeNew(addr *net.UDPAddr) *Handshake {
+ state := Handshake{
+ addr: addr,
+ LastPing: time.Now(),
+ }
+ return &state
+}
+
+// Generate ID tag from client identification and data.
+func idTag(id *PeerId, data []byte) []byte {
+ ciph, err := xtea.NewCipher(id[:])
+ if err != nil {
+ panic(err)
+ }
+ enc := make([]byte, xtea.BlockSize)
+ ciph.Encrypt(enc, data[:xtea.BlockSize])
+ return enc
+}
+
+// Start handshake's procedure from the client.
+// It is the entry point for starting the handshake procedure.
+// You have to specify outgoing conn address, remote's addr address,
+// our own identification and an encryption key. First handshake packet
+// will be sent immediately.
+func HandshakeStart(conn *net.UDPConn, addr *net.UDPAddr, id *PeerId, key *[32]byte) *Handshake {
+ state := HandshakeNew(addr)
state.dhPriv = dhPrivGen()
dhPub := new([32]byte)
}
enc := make([]byte, 32)
salsa20.XORKeyStream(enc, dhPub[:], state.rNonce[:], key)
-
- if _, err := conn.WriteTo(
- append(state.rNonce[:],
- append(enc, make([]byte, poly1305.TagSize)...)...), addr); err != nil {
+ data := append(state.rNonce[:], enc...)
+ data = append(data, idTag(id, state.rNonce[:])...)
+ if _, err := conn.WriteTo(data, addr); err != nil {
panic(err)
}
- return &state
+ return state
}
-func (h *Handshake) Server(noncediff uint64, conn *net.UDPConn, key *[32]byte, data []byte) *Peer {
- switch len(data) {
- case 56: // R + ENC(PSK, dh_client_pub) + NULLs
- fmt.Print("[HS1]")
- if h.rNonce != nil {
- fmt.Print("[S?]")
- return nil
- }
+// Process handshake message on the server side.
+// This function is intended to be called on server's side.
+// Client identity, our outgoing conn connection and
+// received data are required.
+// If this is the final handshake message, then new Peer object
+// will be created and used as a transport. If no mutually
+// authenticated Peer is ready, then return nil.
+func (h *Handshake) Server(id *PeerId, conn *net.UDPConn, data []byte) *Peer {
+ // R + ENC(PSK, dh_client_pub) + IDtag
+ if len(data) == 48 && h.rNonce == nil {
+ key := KeyRead(path.Join(PeersPath, id.String(), "key"))
+ h.Id = *id
// Generate private DH key
h.dhPriv = dhPrivGen()
// Send that to client
if _, err := conn.WriteTo(
- append(encPub,
- append(encRs, make([]byte, poly1305.TagSize)...)...), h.addr); err != nil {
+ append(encPub, append(encRs, idTag(id, encPub)...)...), h.addr); err != nil {
panic(err)
}
- fmt.Print("[OK]")
- case 64: // ENC(K, RS + RC + SC) + NULLs
- fmt.Print("[HS3]")
- if (h.rNonce == nil) || (h.rClient != nil) {
- fmt.Print("[S?]")
- return nil
- }
-
- // Decrypt Rs compare rServer
+ h.LastPing = time.Now()
+ } else
+ // ENC(K, RS + RC + SC) + IDtag
+ if len(data) == 56 && h.rClient == nil {
+ // Decrypted Rs compare rServer
decRs := make([]byte, 8+8+32)
salsa20.XORKeyStream(decRs, data[:8+8+32], h.rNonceNext(), h.key)
- if res := subtle.ConstantTimeCompare(decRs[:8], h.rServer[:]); res != 1 {
- fmt.Print("[rS?]")
+ if subtle.ConstantTimeCompare(decRs[:8], h.rServer[:]) != 1 {
+ log.Println("Invalid server's random number with", h.addr)
return nil
}
// Send final answer to client
enc := make([]byte, 8)
salsa20.XORKeyStream(enc, decRs[8:8+8], make([]byte, 8), h.key)
- if _, err := conn.WriteTo(append(enc, make([]byte, poly1305.TagSize)...), h.addr); err != nil {
+ if _, err := conn.WriteTo(append(enc, idTag(id, enc)...), h.addr); err != nil {
panic(err)
}
// Switch peer
- peer := Peer{
- addr: h.addr,
- nonceOur: noncediff + 0,
- nonceRecv: noncediff + 0,
- }
- peer.key = KeyFromSecrets(h.sServer[:], decRs[8+8:])
- fmt.Print("[OK]")
- return &peer
- default:
- fmt.Print("[HS?]")
+ peer := newPeer(h.addr, h.Id, 0, keyFromSecrets(h.sServer[:], decRs[8+8:]))
+ h.LastPing = time.Now()
+ return peer
+ } else {
+ log.Println("Invalid handshake message from", h.addr)
}
return nil
}
-func (h *Handshake) Client(noncediff uint64, conn *net.UDPConn, key *[32]byte, data []byte) *Peer {
+// Process handshake message on the client side.
+// This function is intended to be called on client's side.
+// Our outgoing conn connection, authentication
+// key and received data are required.
+// If this is the final handshake message, then new Peer object
+// will be created and used as a transport. If no mutually
+// authenticated Peer is ready, then return nil.
+func (h *Handshake) Client(id *PeerId, conn *net.UDPConn, key *[KeySize]byte, data []byte) *Peer {
switch len(data) {
- case 88: // ENC(PSK, dh_server_pub) + ENC(K, RS + SS) + NULLs
- fmt.Print("[HS2]")
+ case 80: // ENC(PSK, dh_server_pub) + ENC(K, RS + SS) + IDtag
if h.key != nil {
- fmt.Print("[S?]")
+ log.Println("Invalid handshake stage from", h.addr)
return nil
}
append(h.rClient[:], h.sClient[:]...)...), h.rNonceNext(), h.key)
// Send that to server
- if _, err := conn.WriteTo(append(encRs, make([]byte, poly1305.TagSize)...), h.addr); err != nil {
+ if _, err := conn.WriteTo(append(encRs, idTag(id, encRs)...), h.addr); err != nil {
panic(err)
}
- fmt.Print("[OK]")
- case 24: // ENC(K, RC) + NULLs
- fmt.Print("[HS4]")
+ h.LastPing = time.Now()
+ case 16: // ENC(K, RC) + IDtag
if h.key == nil {
- fmt.Print("[S?]")
+ log.Println("Invalid handshake stage from", h.addr)
return nil
}
// Decrypt rClient
dec := make([]byte, 8)
salsa20.XORKeyStream(dec, data[:8], make([]byte, 8), h.key)
- if res := subtle.ConstantTimeCompare(dec, h.rClient[:]); res != 1 {
- fmt.Print("[rC?]")
+ if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
+ log.Println("Invalid client's random number with", h.addr)
return nil
}
// Switch peer
- peer := Peer{
- addr: h.addr,
- nonceOur: noncediff + 1,
- nonceRecv: noncediff + 0,
- }
- peer.key = KeyFromSecrets(h.sServer[:], h.sClient[:])
- fmt.Print("[OK]")
- return &peer
+ peer := newPeer(h.addr, h.Id, 1, keyFromSecrets(h.sServer[:], h.sClient[:]))
+ h.LastPing = time.Now()
+ return peer
default:
- fmt.Print("[HS?]")
+ log.Println("Invalid handshake message from", h.addr)
}
return nil
}