]> Cypherpunks.ru repositories - govpn.git/blob - src/cypherpunks.ru/govpn/handshake.go
projects / govpn.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Replace (X)Salsa20 with ChaCha20
[govpn.git] / src / cypherpunks.ru / govpn / handshake.go
1 /*
2 GoVPN -- simple secure free software virtual private network daemon
3 Copyright (C) 2014-2016 Sergey Matveev <stargrave@stargrave.org>
4
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
9
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 GNU General Public License for more details.
14
15 You should have received a copy of the GNU General Public License
16 along with this program.  If not, see <http://www.gnu.org/licenses/>.
17 */
18
19 package govpn
20
21 import (
22         "crypto/subtle"
23         "encoding/binary"
24         "io"
25         "log"
26         "time"
27
28         "chacha20"
29         "github.com/agl/ed25519"
30         "github.com/agl/ed25519/extra25519"
31         "golang.org/x/crypto/blake2b"
32         "golang.org/x/crypto/curve25519"
33 )
34
35 const (
36         RSize = 8
37         SSize = 32
38 )
39
40 type Handshake struct {
41         addr     string
42         conn     io.Writer
43         LastPing time.Time
44         Conf     *PeerConf
45         dsaPubH  *[ed25519.PublicKeySize]byte
46         key      *[32]byte
47         rNonce   *[16]byte
48         dhPriv   *[32]byte    // own private DH key
49         rServer  *[RSize]byte // random string for authentication
50         rClient  *[RSize]byte
51         sServer  *[SSize]byte // secret string for main key calculation
52         sClient  *[SSize]byte
53 }
54
55 func keyFromSecrets(server, client []byte) *[SSize]byte {
56         k := new([SSize]byte)
57         for i := 0; i < SSize; i++ {
58                 k[i] = server[i] ^ client[i]
59         }
60         return k
61 }
62
63 // Zero handshake's memory state
64 func (h *Handshake) Zero() {
65         if h.rNonce != nil {
66                 SliceZero(h.rNonce[:])
67         }
68         if h.dhPriv != nil {
69                 SliceZero(h.dhPriv[:])
70         }
71         if h.key != nil {
72                 SliceZero(h.key[:])
73         }
74         if h.dsaPubH != nil {
75                 SliceZero(h.dsaPubH[:])
76         }
77         if h.rServer != nil {
78                 SliceZero(h.rServer[:])
79         }
80         if h.rClient != nil {
81                 SliceZero(h.rClient[:])
82         }
83         if h.sServer != nil {
84                 SliceZero(h.sServer[:])
85         }
86         if h.sClient != nil {
87                 SliceZero(h.sClient[:])
88         }
89 }
90
91 func (h *Handshake) rNonceNext(count uint64) *[16]byte {
92         nonce := new([16]byte)
93         nonceCurrent, _ := binary.Uvarint(h.rNonce[8:])
94         binary.PutUvarint(nonce[8:], nonceCurrent+count)
95         return nonce
96 }
97
98 func dhKeypairGen() (*[32]byte, *[32]byte) {
99         priv := new([32]byte)
100         pub := new([32]byte)
101         repr := new([32]byte)
102         reprFound := false
103         for !reprFound {
104                 if _, err := io.ReadFull(Rand, priv[:]); err != nil {
105                         log.Fatalln("Error reading random for DH private key:", err)
106                 }
107                 reprFound = extra25519.ScalarBaseMult(pub, repr, priv)
108         }
109         return priv, repr
110 }
111
112 func dhKeyGen(priv, pub *[32]byte) *[32]byte {
113         key := new([32]byte)
114         curve25519.ScalarMult(key, priv, pub)
115         hashed := blake2b.Sum256(key[:])
116         return &hashed
117 }
118
119 // Create new handshake state.
120 func NewHandshake(addr string, conn io.Writer, conf *PeerConf) *Handshake {
121         state := Handshake{
122                 addr:     addr,
123                 conn:     conn,
124                 LastPing: time.Now(),
125                 Conf:     conf,
126         }
127         state.dsaPubH = new([ed25519.PublicKeySize]byte)
128         copy(state.dsaPubH[:], state.Conf.Verifier.Pub[:])
129         hashed := blake2b.Sum256(state.dsaPubH[:])
130         state.dsaPubH = &hashed
131         return &state
132 }
133
134 // Generate ID tag from client identification and data.
135 func idTag(id *PeerId, timeSync int, data []byte) []byte {
136         enc := make([]byte, 8)
137         copy(enc, data)
138         AddTimeSync(timeSync, enc)
139         mac, err := blake2b.New256(id[:])
140         if err != nil {
141                 panic(err)
142         }
143         mac.Write(enc)
144         mac.Sum(enc[:0])
145         return enc
146 }
147
148 // Start handshake's procedure from the client. It is the entry point
149 // for starting the handshake procedure. // First handshake packet
150 // will be sent immediately.
151 func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake {
152         state := NewHandshake(addr, conn, conf)
153         var dhPubRepr *[32]byte
154         state.dhPriv, dhPubRepr = dhKeypairGen()
155
156         state.rNonce = new([16]byte)
157         if _, err := io.ReadFull(Rand, state.rNonce[8:]); err != nil {
158                 log.Fatalln("Error reading random for nonce:", err)
159         }
160         var enc []byte
161         if conf.Noise {
162                 enc = make([]byte, conf.MTU-8-RSize)
163         } else {
164                 enc = make([]byte, 32)
165         }
166         copy(enc, dhPubRepr[:])
167         if conf.Encless {
168                 var err error
169                 enc, err = EnclessEncode(state.dsaPubH, state.rNonce, enc)
170                 if err != err {
171                         panic(err)
172                 }
173         } else {
174                 chacha20.XORKeyStream(enc, enc, state.rNonce, state.dsaPubH)
175         }
176         data := append(state.rNonce[8:], enc...)
177         data = append(data, idTag(state.Conf.Id, state.Conf.TimeSync, state.rNonce[8:])...)
178         state.conn.Write(data)
179         return state
180 }
181
182 // Process handshake message on the server side.
183 // This function is intended to be called on server's side.
184 // If this is the final handshake message, then new Peer object
185 // will be created and used as a transport. If no mutually
186 // authenticated Peer is ready, then return nil.
187 func (h *Handshake) Server(data []byte) *Peer {
188         // R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag
189         if h.rNonce == nil && ((!h.Conf.Encless && len(data) >= 48) ||
190                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
191                 h.rNonce = new([16]byte)
192                 copy(h.rNonce[8:], data[:RSize])
193
194                 // Decrypt remote public key
195                 cDHRepr := new([32]byte)
196                 if h.Conf.Encless {
197                         out, err := EnclessDecode(
198                                 h.dsaPubH,
199                                 h.rNonce,
200                                 data[RSize:len(data)-8],
201                         )
202                         if err != nil {
203                                 log.Println("Unable to decode packet from", h.addr, err)
204                                 return nil
205                         }
206                         copy(cDHRepr[:], out)
207                 } else {
208                         chacha20.XORKeyStream(cDHRepr[:], data[RSize:RSize+32], h.rNonce, h.dsaPubH)
209                 }
210
211                 // Generate DH keypair
212                 var dhPubRepr *[32]byte
213                 h.dhPriv, dhPubRepr = dhKeypairGen()
214
215                 // Compute shared key
216                 cDH := new([32]byte)
217                 extra25519.RepresentativeToPublicKey(cDH, cDHRepr)
218                 h.key = dhKeyGen(h.dhPriv, cDH)
219
220                 var encPub []byte
221                 var err error
222                 if h.Conf.Encless {
223                         encPub = make([]byte, h.Conf.MTU)
224                         copy(encPub, dhPubRepr[:])
225                         encPub, err = EnclessEncode(h.dsaPubH, h.rNonceNext(1), encPub)
226                         if err != nil {
227                                 panic(err)
228                         }
229                 } else {
230                         encPub = make([]byte, 32)
231                         chacha20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH)
232                 }
233
234                 // Generate R* and encrypt them
235                 h.rServer = new([RSize]byte)
236                 if _, err = io.ReadFull(Rand, h.rServer[:]); err != nil {
237                         log.Fatalln("Error reading random for R:", err)
238                 }
239                 h.sServer = new([SSize]byte)
240                 if _, err = io.ReadFull(Rand, h.sServer[:]); err != nil {
241                         log.Fatalln("Error reading random for S:", err)
242                 }
243                 var encRs []byte
244                 if h.Conf.Noise && !h.Conf.Encless {
245                         encRs = make([]byte, h.Conf.MTU-len(encPub)-8)
246                 } else if h.Conf.Encless {
247                         encRs = make([]byte, h.Conf.MTU-8)
248                 } else {
249                         encRs = make([]byte, RSize+SSize)
250                 }
251                 copy(encRs, append(h.rServer[:], h.sServer[:]...))
252                 if h.Conf.Encless {
253                         encRs, err = EnclessEncode(h.key, h.rNonce, encRs)
254                         if err != nil {
255                                 panic(err)
256                         }
257                 } else {
258                         chacha20.XORKeyStream(encRs, encRs, h.rNonce, h.key)
259                 }
260
261                 // Send that to client
262                 h.conn.Write(append(encPub, append(
263                         encRs, idTag(h.Conf.Id, h.Conf.TimeSync, encPub)...,
264                 )...))
265                 h.LastPing = time.Now()
266         } else
267         // ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag
268         if h.rClient == nil && ((!h.Conf.Encless && len(data) >= 120) ||
269                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
270                 var dec []byte
271                 var err error
272                 if h.Conf.Encless {
273                         dec, err = EnclessDecode(
274                                 h.key,
275                                 h.rNonceNext(1),
276                                 data[:len(data)-8],
277                         )
278                         if err != nil {
279                                 log.Println("Unable to decode packet from", h.addr, err)
280                                 return nil
281                         }
282                         dec = dec[:RSize+RSize+SSize+ed25519.SignatureSize]
283                 } else {
284                         dec = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
285                         chacha20.XORKeyStream(
286                                 dec,
287                                 data[:RSize+RSize+SSize+ed25519.SignatureSize],
288                                 h.rNonceNext(1),
289                                 h.key,
290                         )
291                 }
292                 if subtle.ConstantTimeCompare(dec[:RSize], h.rServer[:]) != 1 {
293                         log.Println("Invalid server's random number with", h.addr)
294                         return nil
295                 }
296                 sign := new([ed25519.SignatureSize]byte)
297                 copy(sign[:], dec[RSize+RSize+SSize:])
298                 if !ed25519.Verify(h.Conf.Verifier.Pub, h.key[:], sign) {
299                         log.Println("Invalid signature from", h.addr)
300                         return nil
301                 }
302
303                 // Send final answer to client
304                 var enc []byte
305                 if h.Conf.Noise {
306                         enc = make([]byte, h.Conf.MTU-8)
307                 } else {
308                         enc = make([]byte, RSize)
309                 }
310                 copy(enc, dec[RSize:RSize+RSize])
311                 if h.Conf.Encless {
312                         enc, err = EnclessEncode(h.key, h.rNonceNext(2), enc)
313                         if err != nil {
314                                 panic(err)
315                         }
316                 } else {
317                         chacha20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key)
318                 }
319                 h.conn.Write(append(enc, idTag(h.Conf.Id, h.Conf.TimeSync, enc)...))
320
321                 // Switch peer
322                 peer := newPeer(
323                         false,
324                         h.addr,
325                         h.conn,
326                         h.Conf,
327                         keyFromSecrets(h.sServer[:], dec[RSize+RSize:RSize+RSize+SSize]))
328                 h.LastPing = time.Now()
329                 return peer
330         } else {
331                 log.Println("Invalid handshake message from", h.addr)
332         }
333         return nil
334 }
335
336 // Process handshake message on the client side.
337 // This function is intended to be called on client's side.
338 // If this is the final handshake message, then new Peer object
339 // will be created and used as a transport. If no mutually
340 // authenticated Peer is ready, then return nil.
341 func (h *Handshake) Client(data []byte) *Peer {
342         // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag
343         if h.rServer == nil && h.key == nil &&
344                 ((!h.Conf.Encless && len(data) >= 80) ||
345                         (h.Conf.Encless && len(data) == 2*(EnclessEnlargeSize+h.Conf.MTU))) {
346                 // Decrypt remote public key
347                 sDHRepr := new([32]byte)
348                 var tmp []byte
349                 var err error
350                 if h.Conf.Encless {
351                         tmp, err = EnclessDecode(
352                                 h.dsaPubH,
353                                 h.rNonceNext(1),
354                                 data[:len(data)/2],
355                         )
356                         if err != nil {
357                                 log.Println("Unable to decode packet from", h.addr, err)
358                                 return nil
359                         }
360                         copy(sDHRepr[:], tmp[:32])
361                 } else {
362                         chacha20.XORKeyStream(sDHRepr[:], data[:32], h.rNonceNext(1), h.dsaPubH)
363                 }
364
365                 // Compute shared key
366                 sDH := new([32]byte)
367                 extra25519.RepresentativeToPublicKey(sDH, sDHRepr)
368                 h.key = dhKeyGen(h.dhPriv, sDH)
369
370                 // Decrypt Rs
371                 h.rServer = new([RSize]byte)
372                 h.sServer = new([SSize]byte)
373                 if h.Conf.Encless {
374                         tmp, err = EnclessDecode(h.key, h.rNonce, data[len(data)/2:len(data)-8])
375                         if err != nil {
376                                 log.Println("Unable to decode packet from", h.addr, err)
377                                 return nil
378                         }
379                         copy(h.rServer[:], tmp[:RSize])
380                         copy(h.sServer[:], tmp[RSize:RSize+SSize])
381                 } else {
382                         decRs := make([]byte, RSize+SSize)
383                         chacha20.XORKeyStream(decRs, data[SSize:SSize+RSize+SSize], h.rNonce, h.key)
384                         copy(h.rServer[:], decRs[:RSize])
385                         copy(h.sServer[:], decRs[RSize:])
386                 }
387
388                 // Generate R* and signature and encrypt them
389                 h.rClient = new([RSize]byte)
390                 if _, err = io.ReadFull(Rand, h.rClient[:]); err != nil {
391                         log.Fatalln("Error reading random for R:", err)
392                 }
393                 h.sClient = new([SSize]byte)
394                 if _, err = io.ReadFull(Rand, h.sClient[:]); err != nil {
395                         log.Fatalln("Error reading random for S:", err)
396                 }
397                 sign := ed25519.Sign(h.Conf.DSAPriv, h.key[:])
398
399                 var enc []byte
400                 if h.Conf.Noise {
401                         enc = make([]byte, h.Conf.MTU-8)
402                 } else {
403                         enc = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
404                 }
405                 copy(enc, h.rServer[:])
406                 copy(enc[RSize:], h.rClient[:])
407                 copy(enc[RSize+RSize:], h.sClient[:])
408                 copy(enc[RSize+RSize+SSize:], sign[:])
409                 if h.Conf.Encless {
410                         enc, err = EnclessEncode(h.key, h.rNonceNext(1), enc)
411                         if err != nil {
412                                 panic(err)
413                         }
414                 } else {
415                         chacha20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key)
416                 }
417
418                 // Send that to server
419                 h.conn.Write(append(enc, idTag(h.Conf.Id, h.Conf.TimeSync, enc)...))
420                 h.LastPing = time.Now()
421         } else
422         // ENC(K, R+2, RC) + IDtag
423         if h.key != nil && ((!h.Conf.Encless && len(data) >= 16) ||
424                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
425                 var err error
426                 // Decrypt rClient
427                 var dec []byte
428                 if h.Conf.Encless {
429                         dec, err = EnclessDecode(h.key, h.rNonceNext(2), data[:len(data)-8])
430                         if err != nil {
431                                 log.Println("Unable to decode packet from", h.addr, err)
432                                 return nil
433                         }
434                         dec = dec[:RSize]
435                 } else {
436                         dec = make([]byte, RSize)
437                         chacha20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
438                 }
439                 if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
440                         log.Println("Invalid client's random number with", h.addr)
441                         return nil
442                 }
443
444                 // Switch peer
445                 peer := newPeer(
446                         true,
447                         h.addr,
448                         h.conn,
449                         h.Conf,
450                         keyFromSecrets(h.sServer[:], h.sClient[:]),
451                 )
452                 h.LastPing = time.Now()
453                 return peer
454         } else {
455                 log.Println("Invalid handshake stage from", h.addr)
456         }
457         return nil
458 }
Simple secure free software VPN daemon