X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=handshake.go;h=d1516406d3dd4e92b99642dad7188eebb0ac8eba;hb=refs%2Fheads%2Fdevelop;hp=73cb4e2d35f39c3256e81d278328d30e38ff6c3b;hpb=7917cab90f07d111c20c754f5085fc86c9ab45a2;p=govpn.git diff --git a/handshake.go b/handshake.go index 73cb4e2..d151640 100644 --- a/handshake.go +++ b/handshake.go @@ -1,11 +1,10 @@ /* GoVPN -- simple secure free software virtual private network daemon -Copyright (C) 2014-2015 Sergey Matveev +Copyright (C) 2014-2020 Sergey Matveev This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -the Free Software Foundation, either version 3 of the License, or -(at your option) any later version. +the Free Software Foundation, version 3 of the License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -19,19 +18,18 @@ along with this program. If not, see . package govpn import ( - "crypto/rand" "crypto/subtle" "encoding/binary" + "io" "log" - "net" "time" + "go.cypherpunks.ru/govpn/v7/internal/chacha20" + "github.com/agl/ed25519" "github.com/agl/ed25519/extra25519" + "golang.org/x/crypto/blake2b" "golang.org/x/crypto/curve25519" - "golang.org/x/crypto/salsa20" - "golang.org/x/crypto/salsa20/salsa" - "golang.org/x/crypto/xtea" ) const ( @@ -40,12 +38,13 @@ const ( ) type Handshake struct { - addr *net.UDPAddr + addr string + conn io.Writer LastPing time.Time Conf *PeerConf dsaPubH *[ed25519.PublicKeySize]byte key *[32]byte - rNonce *[RSize]byte + rNonce *[16]byte dhPriv *[32]byte // own private DH key rServer *[RSize]byte // random string for authentication rClient *[RSize]byte @@ -61,43 +60,38 @@ func keyFromSecrets(server, client []byte) *[SSize]byte { return k } -// Apply HSalsa20 function for data. Used to hash public keys. -func HApply(data *[32]byte) { - salsa.HSalsa20(data, new([16]byte), data, &salsa.Sigma) -} - // Zero handshake's memory state func (h *Handshake) Zero() { if h.rNonce != nil { - sliceZero(h.rNonce[:]) + SliceZero(h.rNonce[:]) } if h.dhPriv != nil { - sliceZero(h.dhPriv[:]) + SliceZero(h.dhPriv[:]) } if h.key != nil { - sliceZero(h.key[:]) + SliceZero(h.key[:]) } if h.dsaPubH != nil { - sliceZero(h.dsaPubH[:]) + SliceZero(h.dsaPubH[:]) } if h.rServer != nil { - sliceZero(h.rServer[:]) + SliceZero(h.rServer[:]) } if h.rClient != nil { - sliceZero(h.rClient[:]) + SliceZero(h.rClient[:]) } if h.sServer != nil { - sliceZero(h.sServer[:]) + SliceZero(h.sServer[:]) } if h.sClient != nil { - sliceZero(h.sClient[:]) + SliceZero(h.sClient[:]) } } -func (h *Handshake) rNonceNext(count uint64) []byte { - nonce := make([]byte, RSize) - nonceCurrent, _ := binary.Uvarint(h.rNonce[:]) - binary.PutUvarint(nonce, nonceCurrent+count) +func (h *Handshake) rNonceNext(count uint64) *[16]byte { + nonce := new([16]byte) + nonceCurrent, _ := binary.Uvarint(h.rNonce[8:]) + binary.PutUvarint(nonce[8:], nonceCurrent+count) return nonce } @@ -107,8 +101,8 @@ func dhKeypairGen() (*[32]byte, *[32]byte) { repr := new([32]byte) reprFound := false for !reprFound { - if _, err := rand.Read(priv[:]); err != nil { - panic("Can not read random for DH private key") + if _, err := io.ReadFull(Rand, priv[:]); err != nil { + log.Fatalln("Error reading random for DH private key:", err) } reprFound = extra25519.ScalarBaseMult(pub, repr, priv) } @@ -118,141 +112,218 @@ func dhKeypairGen() (*[32]byte, *[32]byte) { func dhKeyGen(priv, pub *[32]byte) *[32]byte { key := new([32]byte) curve25519.ScalarMult(key, priv, pub) - HApply(key) - return key + hashed := blake2b.Sum256(key[:]) + return &hashed } // Create new handshake state. -func HandshakeNew(addr *net.UDPAddr, conf *PeerConf) *Handshake { +func NewHandshake(addr string, conn io.Writer, conf *PeerConf) *Handshake { state := Handshake{ addr: addr, + conn: conn, LastPing: time.Now(), Conf: conf, } state.dsaPubH = new([ed25519.PublicKeySize]byte) - copy(state.dsaPubH[:], state.Conf.DSAPub[:]) - HApply(state.dsaPubH) + copy(state.dsaPubH[:], state.Conf.Verifier.Pub[:]) + hashed := blake2b.Sum256(state.dsaPubH[:]) + state.dsaPubH = &hashed return &state } // Generate ID tag from client identification and data. -func idTag(id *PeerId, data []byte) []byte { - ciph, err := xtea.NewCipher(id[:]) +func idTag(id *PeerID, timeSync int, data []byte) []byte { + enc := make([]byte, 8) + copy(enc, data) + AddTimeSync(timeSync, enc) + mac, err := blake2b.New256(id[:]) if err != nil { panic(err) } - enc := make([]byte, xtea.BlockSize) - ciph.Encrypt(enc, data[:xtea.BlockSize]) - return enc + mac.Write(enc) + sum := mac.Sum(nil) + return sum[len(sum)-8:] } // Start handshake's procedure from the client. It is the entry point -// for starting the handshake procedure. You have to specify outgoing -// conn address, remote's addr address, our own peer configuration. +// for starting the handshake procedure. // First handshake packet will be sent immediately. -func HandshakeStart(conf *PeerConf, conn *net.UDPConn, addr *net.UDPAddr) *Handshake { - state := HandshakeNew(addr, conf) - +func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake { + state := NewHandshake(addr, conn, conf) var dhPubRepr *[32]byte state.dhPriv, dhPubRepr = dhKeypairGen() - state.rNonce = new([RSize]byte) - if _, err := rand.Read(state.rNonce[:]); err != nil { - panic("Can not read random for handshake nonce") + state.rNonce = new([16]byte) + if _, err := io.ReadFull(Rand, state.rNonce[8:]); err != nil { + log.Fatalln("Error reading random for nonce:", err) } - enc := make([]byte, 32) - salsa20.XORKeyStream(enc, dhPubRepr[:], state.rNonce[:], state.dsaPubH) - data := append(state.rNonce[:], enc...) - data = append(data, idTag(state.Conf.Id, state.rNonce[:])...) - if _, err := conn.WriteTo(data, addr); err != nil { - panic(err) + var enc []byte + if conf.Noise { + enc = make([]byte, conf.MTU-8-RSize) + } else { + enc = make([]byte, 32) } + copy(enc, dhPubRepr[:]) + if conf.Encless { + var err error + enc, err = EnclessEncode(state.dsaPubH, state.rNonce, enc) + if err != err { + panic(err) + } + } else { + chacha20.XORKeyStream(enc, enc, state.rNonce, state.dsaPubH) + } + data := append(state.rNonce[8:], enc...) + data = append(data, idTag(state.Conf.ID, state.Conf.TimeSync, state.rNonce[8:])...) + state.conn.Write(data) return state } // Process handshake message on the server side. // This function is intended to be called on server's side. -// Our outgoing conn connection and received data are required. // If this is the final handshake message, then new Peer object // will be created and used as a transport. If no mutually // authenticated Peer is ready, then return nil. -func (h *Handshake) Server(conn *net.UDPConn, data []byte) *Peer { +func (h *Handshake) Server(data []byte) *Peer { // R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag - if len(data) == 48 && h.rNonce == nil { + if h.rNonce == nil && ((!h.Conf.Encless && len(data) >= 48) || + (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) { + h.rNonce = new([16]byte) + copy(h.rNonce[8:], data[:RSize]) + + // Decrypt remote public key + cDHRepr := new([32]byte) + if h.Conf.Encless { + out, err := EnclessDecode( + h.dsaPubH, + h.rNonce, + data[RSize:len(data)-8], + ) + if err != nil { + log.Println("Unable to decode packet from", h.addr, err) + return nil + } + copy(cDHRepr[:], out) + } else { + chacha20.XORKeyStream(cDHRepr[:], data[RSize:RSize+32], h.rNonce, h.dsaPubH) + } + // Generate DH keypair var dhPubRepr *[32]byte h.dhPriv, dhPubRepr = dhKeypairGen() - h.rNonce = new([RSize]byte) - copy(h.rNonce[:], data[:RSize]) - - // Decrypt remote public key and compute shared key - cDHRepr := new([32]byte) - salsa20.XORKeyStream( - cDHRepr[:], - data[RSize:RSize+32], - h.rNonce[:], - h.dsaPubH, - ) + // Compute shared key cDH := new([32]byte) extra25519.RepresentativeToPublicKey(cDH, cDHRepr) h.key = dhKeyGen(h.dhPriv, cDH) - encPub := make([]byte, 32) - salsa20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH) + var encPub []byte + var err error + if h.Conf.Encless { + encPub = make([]byte, h.Conf.MTU) + copy(encPub, dhPubRepr[:]) + encPub, err = EnclessEncode(h.dsaPubH, h.rNonceNext(1), encPub) + if err != nil { + panic(err) + } + } else { + encPub = make([]byte, 32) + chacha20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH) + } // Generate R* and encrypt them h.rServer = new([RSize]byte) - if _, err := rand.Read(h.rServer[:]); err != nil { - panic("Can not read random for handshake random key") + if _, err = io.ReadFull(Rand, h.rServer[:]); err != nil { + log.Fatalln("Error reading random for R:", err) } h.sServer = new([SSize]byte) - if _, err := rand.Read(h.sServer[:]); err != nil { - panic("Can not read random for handshake shared key") + if _, err = io.ReadFull(Rand, h.sServer[:]); err != nil { + log.Fatalln("Error reading random for S:", err) + } + var encRs []byte + if h.Conf.Noise && !h.Conf.Encless { + encRs = make([]byte, h.Conf.MTU-len(encPub)-8) + } else if h.Conf.Encless { + encRs = make([]byte, h.Conf.MTU-8) + } else { + encRs = make([]byte, RSize+SSize) + } + copy(encRs, append(h.rServer[:], h.sServer[:]...)) + if h.Conf.Encless { + encRs, err = EnclessEncode(h.key, h.rNonce, encRs) + if err != nil { + panic(err) + } + } else { + chacha20.XORKeyStream(encRs, encRs, h.rNonce, h.key) } - encRs := make([]byte, RSize+SSize) - salsa20.XORKeyStream(encRs, append(h.rServer[:], h.sServer[:]...), h.rNonce[:], h.key) // Send that to client - if _, err := conn.WriteTo( - append(encPub, append(encRs, idTag(h.Conf.Id, encPub)...)...), h.addr); err != nil { - panic(err) - } + h.conn.Write(append(encPub, append( + encRs, idTag(h.Conf.ID, h.Conf.TimeSync, encPub)..., + )...)) h.LastPing = time.Now() } else // ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag - if len(data) == 120 && h.rClient == nil { - // Decrypted Rs compare rServer - dec := make([]byte, RSize+RSize+SSize+ed25519.SignatureSize) - salsa20.XORKeyStream( - dec, - data[:RSize+RSize+SSize+ed25519.SignatureSize], - h.rNonceNext(1), - h.key, - ) + if h.rClient == nil && ((!h.Conf.Encless && len(data) >= 120) || + (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) { + var dec []byte + var err error + if h.Conf.Encless { + dec, err = EnclessDecode( + h.key, + h.rNonceNext(1), + data[:len(data)-8], + ) + if err != nil { + log.Println("Unable to decode packet from", h.addr, err) + return nil + } + dec = dec[:RSize+RSize+SSize+ed25519.SignatureSize] + } else { + dec = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize) + chacha20.XORKeyStream( + dec, + data[:RSize+RSize+SSize+ed25519.SignatureSize], + h.rNonceNext(1), + h.key, + ) + } if subtle.ConstantTimeCompare(dec[:RSize], h.rServer[:]) != 1 { log.Println("Invalid server's random number with", h.addr) return nil } sign := new([ed25519.SignatureSize]byte) copy(sign[:], dec[RSize+RSize+SSize:]) - if !ed25519.Verify(h.Conf.DSAPub, h.key[:], sign) { + if !ed25519.Verify(h.Conf.Verifier.Pub, h.key[:], sign) { log.Println("Invalid signature from", h.addr) return nil } // Send final answer to client - enc := make([]byte, RSize) - salsa20.XORKeyStream(enc, dec[RSize:RSize+RSize], h.rNonceNext(2), h.key) - if _, err := conn.WriteTo(append(enc, idTag(h.Conf.Id, enc)...), h.addr); err != nil { - panic(err) + var enc []byte + if h.Conf.Noise { + enc = make([]byte, h.Conf.MTU-8) + } else { + enc = make([]byte, RSize) + } + copy(enc, dec[RSize:RSize+RSize]) + if h.Conf.Encless { + enc, err = EnclessEncode(h.key, h.rNonceNext(2), enc) + if err != nil { + panic(err) + } + } else { + chacha20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key) } + h.conn.Write(append(enc, idTag(h.Conf.ID, h.Conf.TimeSync, enc)...)) // Switch peer peer := newPeer( + false, h.addr, + h.conn, h.Conf, - 0, keyFromSecrets(h.sServer[:], dec[RSize+RSize:RSize+RSize+SSize])) h.LastPing = time.Now() return peer @@ -264,76 +335,124 @@ func (h *Handshake) Server(conn *net.UDPConn, data []byte) *Peer { // Process handshake message on the client side. // This function is intended to be called on client's side. -// Our outgoing conn connection, authentication -// key and received data are required. // If this is the final handshake message, then new Peer object // will be created and used as a transport. If no mutually // authenticated Peer is ready, then return nil. -func (h *Handshake) Client(conn *net.UDPConn, data []byte) *Peer { - switch len(data) { - case 80: // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag - if h.key != nil { - log.Println("Invalid handshake stage from", h.addr) - return nil +func (h *Handshake) Client(data []byte) *Peer { + // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag + if h.rServer == nil && h.key == nil && + ((!h.Conf.Encless && len(data) >= 80) || + (h.Conf.Encless && len(data) == 2*(EnclessEnlargeSize+h.Conf.MTU))) { + // Decrypt remote public key + sDHRepr := new([32]byte) + var tmp []byte + var err error + if h.Conf.Encless { + tmp, err = EnclessDecode( + h.dsaPubH, + h.rNonceNext(1), + data[:len(data)/2], + ) + if err != nil { + log.Println("Unable to decode packet from", h.addr, err) + return nil + } + copy(sDHRepr[:], tmp[:32]) + } else { + chacha20.XORKeyStream(sDHRepr[:], data[:32], h.rNonceNext(1), h.dsaPubH) } - // Decrypt remote public key and compute shared key - sDHRepr := new([32]byte) - salsa20.XORKeyStream(sDHRepr[:], data[:32], h.rNonceNext(1), h.dsaPubH) + // Compute shared key sDH := new([32]byte) extra25519.RepresentativeToPublicKey(sDH, sDHRepr) h.key = dhKeyGen(h.dhPriv, sDH) // Decrypt Rs - decRs := make([]byte, RSize+SSize) - salsa20.XORKeyStream(decRs, data[SSize:32+RSize+SSize], h.rNonce[:], h.key) h.rServer = new([RSize]byte) - copy(h.rServer[:], decRs[:RSize]) h.sServer = new([SSize]byte) - copy(h.sServer[:], decRs[RSize:]) + if h.Conf.Encless { + tmp, err = EnclessDecode(h.key, h.rNonce, data[len(data)/2:len(data)-8]) + if err != nil { + log.Println("Unable to decode packet from", h.addr, err) + return nil + } + copy(h.rServer[:], tmp[:RSize]) + copy(h.sServer[:], tmp[RSize:RSize+SSize]) + } else { + decRs := make([]byte, RSize+SSize) + chacha20.XORKeyStream(decRs, data[SSize:SSize+RSize+SSize], h.rNonce, h.key) + copy(h.rServer[:], decRs[:RSize]) + copy(h.sServer[:], decRs[RSize:]) + } // Generate R* and signature and encrypt them h.rClient = new([RSize]byte) - if _, err := rand.Read(h.rClient[:]); err != nil { - panic("Can not read random for handshake random key") + if _, err = io.ReadFull(Rand, h.rClient[:]); err != nil { + log.Fatalln("Error reading random for R:", err) } h.sClient = new([SSize]byte) - if _, err := rand.Read(h.sClient[:]); err != nil { - panic("Can not read random for handshake shared key") + if _, err = io.ReadFull(Rand, h.sClient[:]); err != nil { + log.Fatalln("Error reading random for S:", err) } sign := ed25519.Sign(h.Conf.DSAPriv, h.key[:]) - enc := make([]byte, RSize+RSize+SSize+ed25519.SignatureSize) - salsa20.XORKeyStream(enc, - append(h.rServer[:], - append(h.rClient[:], - append(h.sClient[:], sign[:]...)...)...), h.rNonceNext(1), h.key) - - // Send that to server - if _, err := conn.WriteTo(append(enc, idTag(h.Conf.Id, enc)...), h.addr); err != nil { - panic(err) + var enc []byte + if h.Conf.Noise { + enc = make([]byte, h.Conf.MTU-8) + } else { + enc = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize) } - h.LastPing = time.Now() - case 16: // ENC(K, R+2, RC) + IDtag - if h.key == nil { - log.Println("Invalid handshake stage from", h.addr) - return nil + copy(enc, h.rServer[:]) + copy(enc[RSize:], h.rClient[:]) + copy(enc[RSize+RSize:], h.sClient[:]) + copy(enc[RSize+RSize+SSize:], sign[:]) + if h.Conf.Encless { + enc, err = EnclessEncode(h.key, h.rNonceNext(1), enc) + if err != nil { + panic(err) + } + } else { + chacha20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key) } + // Send that to server + h.conn.Write(append(enc, idTag(h.Conf.ID, h.Conf.TimeSync, enc)...)) + h.LastPing = time.Now() + } else + // ENC(K, R+2, RC) + IDtag + if h.key != nil && ((!h.Conf.Encless && len(data) >= 16) || + (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) { + var err error // Decrypt rClient - dec := make([]byte, RSize) - salsa20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key) + var dec []byte + if h.Conf.Encless { + dec, err = EnclessDecode(h.key, h.rNonceNext(2), data[:len(data)-8]) + if err != nil { + log.Println("Unable to decode packet from", h.addr, err) + return nil + } + dec = dec[:RSize] + } else { + dec = make([]byte, RSize) + chacha20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key) + } if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 { log.Println("Invalid client's random number with", h.addr) return nil } // Switch peer - peer := newPeer(h.addr, h.Conf, 1, keyFromSecrets(h.sServer[:], h.sClient[:])) + peer := newPeer( + true, + h.addr, + h.conn, + h.Conf, + keyFromSecrets(h.sServer[:], h.sClient[:]), + ) h.LastPing = time.Now() return peer - default: - log.Println("Invalid handshake message from", h.addr) + } else { + log.Println("Invalid handshake stage from", h.addr) } return nil }