/*
GoVPN -- simple secure free software virtual private network daemon
-Copyright (C) 2014-2015 Sergey Matveev <stargrave@stargrave.org>
+Copyright (C) 2014-2016 Sergey Matveev <stargrave@stargrave.org>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
package govpn
import (
- "crypto/rand"
"crypto/subtle"
"encoding/binary"
+ "io"
"log"
- "net"
"time"
"github.com/agl/ed25519"
)
type Handshake struct {
- addr *net.UDPAddr
+ addr string
+ conn io.Writer
LastPing time.Time
Conf *PeerConf
dsaPubH *[ed25519.PublicKeySize]byte
// Zero handshake's memory state
func (h *Handshake) Zero() {
if h.rNonce != nil {
- sliceZero(h.rNonce[:])
+ SliceZero(h.rNonce[:])
}
if h.dhPriv != nil {
- sliceZero(h.dhPriv[:])
+ SliceZero(h.dhPriv[:])
}
if h.key != nil {
- sliceZero(h.key[:])
+ SliceZero(h.key[:])
}
if h.dsaPubH != nil {
- sliceZero(h.dsaPubH[:])
+ SliceZero(h.dsaPubH[:])
}
if h.rServer != nil {
- sliceZero(h.rServer[:])
+ SliceZero(h.rServer[:])
}
if h.rClient != nil {
- sliceZero(h.rClient[:])
+ SliceZero(h.rClient[:])
}
if h.sServer != nil {
- sliceZero(h.sServer[:])
+ SliceZero(h.sServer[:])
}
if h.sClient != nil {
- sliceZero(h.sClient[:])
+ SliceZero(h.sClient[:])
}
}
repr := new([32]byte)
reprFound := false
for !reprFound {
- if _, err := rand.Read(priv[:]); err != nil {
- panic("Can not read random for DH private key")
+ if _, err := Rand.Read(priv[:]); err != nil {
+ log.Fatalln("Error reading random for DH private key:", err)
}
reprFound = extra25519.ScalarBaseMult(pub, repr, priv)
}
}
// Create new handshake state.
-func HandshakeNew(addr *net.UDPAddr, conf *PeerConf) *Handshake {
+func NewHandshake(addr string, conn io.Writer, conf *PeerConf) *Handshake {
state := Handshake{
addr: addr,
+ conn: conn,
LastPing: time.Now(),
Conf: conf,
}
state.dsaPubH = new([ed25519.PublicKeySize]byte)
- copy(state.dsaPubH[:], state.Conf.DSAPub[:])
+ copy(state.dsaPubH[:], state.Conf.Verifier.Pub[:])
HApply(state.dsaPubH)
return &state
}
}
// Start handshake's procedure from the client. It is the entry point
-// for starting the handshake procedure. You have to specify outgoing
-// conn address, remote's addr address, our own peer configuration.
-// First handshake packet will be sent immediately.
-func HandshakeStart(conf *PeerConf, conn *net.UDPConn, addr *net.UDPAddr) *Handshake {
- state := HandshakeNew(addr, conf)
-
+// for starting the handshake procedure. // First handshake packet
+// will be sent immediately.
+func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake {
+ state := NewHandshake(addr, conn, conf)
var dhPubRepr *[32]byte
state.dhPriv, dhPubRepr = dhKeypairGen()
state.rNonce = new([RSize]byte)
- if _, err := rand.Read(state.rNonce[:]); err != nil {
- panic("Can not read random for handshake nonce")
+ if _, err := Rand.Read(state.rNonce[:]); err != nil {
+ log.Fatalln("Error reading random for nonce:", err)
+ }
+ var enc []byte
+ if conf.Noise {
+ enc = make([]byte, MTU-xtea.BlockSize-RSize)
+ } else {
+ enc = make([]byte, 32)
}
- enc := make([]byte, 32)
- salsa20.XORKeyStream(enc, dhPubRepr[:], state.rNonce[:], state.dsaPubH)
+ copy(enc, dhPubRepr[:])
+ salsa20.XORKeyStream(enc, enc, state.rNonce[:], state.dsaPubH)
data := append(state.rNonce[:], enc...)
data = append(data, idTag(state.Conf.Id, state.rNonce[:])...)
- if _, err := conn.WriteTo(data, addr); err != nil {
- panic(err)
- }
+ state.conn.Write(data)
return state
}
// Process handshake message on the server side.
// This function is intended to be called on server's side.
-// Our outgoing conn connection and received data are required.
// If this is the final handshake message, then new Peer object
// will be created and used as a transport. If no mutually
// authenticated Peer is ready, then return nil.
-func (h *Handshake) Server(conn *net.UDPConn, data []byte) *Peer {
+func (h *Handshake) Server(data []byte) *Peer {
// R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag
- if len(data) == 48 && h.rNonce == nil {
+ if h.rNonce == nil && len(data) >= 48 {
// Generate DH keypair
var dhPubRepr *[32]byte
h.dhPriv, dhPubRepr = dhKeypairGen()
// Generate R* and encrypt them
h.rServer = new([RSize]byte)
- if _, err := rand.Read(h.rServer[:]); err != nil {
- panic("Can not read random for handshake random key")
+ var err error
+ if _, err = Rand.Read(h.rServer[:]); err != nil {
+ log.Fatalln("Error reading random for R:", err)
}
h.sServer = new([SSize]byte)
- if _, err := rand.Read(h.sServer[:]); err != nil {
- panic("Can not read random for handshake shared key")
+ if _, err = Rand.Read(h.sServer[:]); err != nil {
+ log.Fatalln("Error reading random for S:", err)
+ }
+ var encRs []byte
+ if h.Conf.Noise {
+ encRs = make([]byte, MTU-len(encPub)-xtea.BlockSize)
+ } else {
+ encRs = make([]byte, RSize+SSize)
}
- encRs := make([]byte, RSize+SSize)
- salsa20.XORKeyStream(encRs, append(h.rServer[:], h.sServer[:]...), h.rNonce[:], h.key)
+ copy(encRs, append(h.rServer[:], h.sServer[:]...))
+ salsa20.XORKeyStream(encRs, encRs, h.rNonce[:], h.key)
// Send that to client
- if _, err := conn.WriteTo(
- append(encPub, append(encRs, idTag(h.Conf.Id, encPub)...)...), h.addr); err != nil {
- panic(err)
- }
+ h.conn.Write(append(encPub, append(encRs, idTag(h.Conf.Id, encPub)...)...))
h.LastPing = time.Now()
} else
// ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag
- if len(data) == 120 && h.rClient == nil {
+ if h.rClient == nil && len(data) >= 120 {
// Decrypted Rs compare rServer
dec := make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
salsa20.XORKeyStream(
}
sign := new([ed25519.SignatureSize]byte)
copy(sign[:], dec[RSize+RSize+SSize:])
- if !ed25519.Verify(h.Conf.DSAPub, h.key[:], sign) {
+ if !ed25519.Verify(h.Conf.Verifier.Pub, h.key[:], sign) {
log.Println("Invalid signature from", h.addr)
return nil
}
// Send final answer to client
- enc := make([]byte, RSize)
- salsa20.XORKeyStream(enc, dec[RSize:RSize+RSize], h.rNonceNext(2), h.key)
- if _, err := conn.WriteTo(append(enc, idTag(h.Conf.Id, enc)...), h.addr); err != nil {
- panic(err)
+ var enc []byte
+ if h.Conf.Noise {
+ enc = make([]byte, MTU-xtea.BlockSize)
+ } else {
+ enc = make([]byte, RSize)
}
+ copy(enc, dec[RSize:RSize+RSize])
+ salsa20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key)
+ h.conn.Write(append(enc, idTag(h.Conf.Id, enc)...))
// Switch peer
peer := newPeer(
+ false,
h.addr,
+ h.conn,
h.Conf,
- 0,
keyFromSecrets(h.sServer[:], dec[RSize+RSize:RSize+RSize+SSize]))
h.LastPing = time.Now()
return peer
// Process handshake message on the client side.
// This function is intended to be called on client's side.
-// Our outgoing conn connection, authentication
-// key and received data are required.
// If this is the final handshake message, then new Peer object
// will be created and used as a transport. If no mutually
// authenticated Peer is ready, then return nil.
-func (h *Handshake) Client(conn *net.UDPConn, data []byte) *Peer {
- switch len(data) {
- case 80: // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag
- if h.key != nil {
- log.Println("Invalid handshake stage from", h.addr)
- return nil
- }
-
+func (h *Handshake) Client(data []byte) *Peer {
+ // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag
+ if h.rServer == nil && h.key == nil && len(data) >= 80 {
// Decrypt remote public key and compute shared key
sDHRepr := new([32]byte)
salsa20.XORKeyStream(sDHRepr[:], data[:32], h.rNonceNext(1), h.dsaPubH)
// Generate R* and signature and encrypt them
h.rClient = new([RSize]byte)
- if _, err := rand.Read(h.rClient[:]); err != nil {
- panic("Can not read random for handshake random key")
+ var err error
+ if _, err = Rand.Read(h.rClient[:]); err != nil {
+ log.Fatalln("Error reading random for R:", err)
}
h.sClient = new([SSize]byte)
- if _, err := rand.Read(h.sClient[:]); err != nil {
- panic("Can not read random for handshake shared key")
+ if _, err = Rand.Read(h.sClient[:]); err != nil {
+ log.Fatalln("Error reading random for S:", err)
}
sign := ed25519.Sign(h.Conf.DSAPriv, h.key[:])
- enc := make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
- salsa20.XORKeyStream(enc,
+ var enc []byte
+ if h.Conf.Noise {
+ enc = make([]byte, MTU-xtea.BlockSize)
+ } else {
+ enc = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
+ }
+ copy(enc,
append(h.rServer[:],
append(h.rClient[:],
- append(h.sClient[:], sign[:]...)...)...), h.rNonceNext(1), h.key)
+ append(h.sClient[:], sign[:]...)...)...))
+ salsa20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key)
// Send that to server
- if _, err := conn.WriteTo(append(enc, idTag(h.Conf.Id, enc)...), h.addr); err != nil {
- panic(err)
- }
+ h.conn.Write(append(enc, idTag(h.Conf.Id, enc)...))
h.LastPing = time.Now()
- case 16: // ENC(K, R+2, RC) + IDtag
- if h.key == nil {
- log.Println("Invalid handshake stage from", h.addr)
- return nil
- }
-
+ } else
+ // ENC(K, R+2, RC) + IDtag
+ if h.key != nil && len(data) >= 16 {
// Decrypt rClient
dec := make([]byte, RSize)
salsa20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
}
// Switch peer
- peer := newPeer(h.addr, h.Conf, 1, keyFromSecrets(h.sServer[:], h.sClient[:]))
+ peer := newPeer(
+ true,
+ h.addr,
+ h.conn,
+ h.Conf,
+ keyFromSecrets(h.sServer[:], h.sClient[:]),
+ )
h.LastPing = time.Now()
return peer
- default:
- log.Println("Invalid handshake message from", h.addr)
+ } else {
+ log.Println("Invalid handshake stage from", h.addr)
}
return nil
}