2 GoVPN -- simple secure free software virtual private network daemon
3 Copyright (C) 2014-2017 Sergey Matveev <stargrave@stargrave.org>
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 "github.com/Sirupsen/logrus"
29 "github.com/agl/ed25519"
30 "github.com/agl/ed25519/extra25519"
31 "github.com/pkg/errors"
32 "golang.org/x/crypto/blake2b"
33 "golang.org/x/crypto/curve25519"
37 // RSize is size in bytes of channel binding random value
39 // SSize is size in bytes of shared secret half
42 wrapIDTag = "idTag id:%q timeSync:%d"
45 // Handshake is state of a handshake/negotiation between client and server
46 type Handshake struct {
51 dsaPubH *[ed25519.PublicKeySize]byte
54 dhPriv *[32]byte // own private DH key
55 rServer *[RSize]byte // random string for authentication
57 sServer *[SSize]byte // secret string for main key calculation
61 // LogFields return a logrus compatible logging context
62 func (h *Handshake) LogFields() logrus.Fields {
65 prefix + "remote": h.addr,
66 prefix + "last_ping": h.LastPing.String(),
67 prefix + "id": h.Conf.ID.String(),
71 func keyFromSecrets(server, client []byte) *[SSize]byte {
73 for i := 0; i < SSize; i++ {
74 k[i] = server[i] ^ client[i]
79 // Zero handshake's memory state
80 func (h *Handshake) Zero() {
82 SliceZero(h.rNonce[:])
85 SliceZero(h.dhPriv[:])
91 SliceZero(h.dsaPubH[:])
94 SliceZero(h.rServer[:])
97 SliceZero(h.rClient[:])
100 SliceZero(h.sServer[:])
102 if h.sClient != nil {
103 SliceZero(h.sClient[:])
107 func (h *Handshake) rNonceNext(count uint64) *[16]byte {
108 nonce := new([16]byte)
109 nonceCurrent, _ := binary.Uvarint(h.rNonce[8:])
110 binary.PutUvarint(nonce[8:], nonceCurrent+count)
114 func dhKeypairGen() (*[32]byte, *[32]byte, error) {
115 priv := new([32]byte)
117 repr := new([32]byte)
120 if _, err := io.ReadFull(Rand, priv[:]); err != nil {
121 return nil, nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
123 reprFound = extra25519.ScalarBaseMult(pub, repr, priv)
125 return priv, repr, nil
128 func dhKeyGen(priv, pub *[32]byte) *[32]byte {
130 curve25519.ScalarMult(key, priv, pub)
131 hashed := blake2b.Sum256(key[:])
135 // NewHandshake creates new handshake state.
136 func NewHandshake(addr string, conn io.Writer, conf *PeerConf) *Handshake {
140 LastPing: time.Now(),
143 state.dsaPubH = new([ed25519.PublicKeySize]byte)
144 copy(state.dsaPubH[:], state.Conf.Verifier.Pub[:])
145 hashed := blake2b.Sum256(state.dsaPubH[:])
146 state.dsaPubH = &hashed
150 // Generate ID tag from client identification and data.
151 func idTag(id *PeerID, timeSync int, data []byte) ([]byte, error) {
152 enc := make([]byte, 8)
154 AddTimeSync(timeSync, enc)
155 mac, err := blake2b.New256(id[:])
157 return nil, errors.Wrap(err, wrapBlake2bNew256)
159 if _, err = mac.Write(enc); err != nil {
160 return nil, errors.Wrap(err, "mac.Write")
163 return sum[len(sum)-8:], nil
166 // HandshakeStarts starts handshake's procedure from the client.
167 // It is the entry point for starting the handshake procedure.
168 // First handshake packet will be sent immediately.
169 func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) (*Handshake, error) {
170 state := NewHandshake(addr, conn, conf)
171 var dhPubRepr *[32]byte
173 if state.dhPriv, dhPubRepr, err = dhKeypairGen(); err != nil {
174 return nil, errors.Wrap(err, "dhKeypairGen")
177 state.rNonce = new([16]byte)
178 if _, err := io.ReadFull(Rand, state.rNonce[8:]); err != nil {
179 return nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
183 enc = make([]byte, conf.MTU-8-RSize)
185 enc = make([]byte, 32)
187 copy(enc, dhPubRepr[:])
189 enc, err = EnclessEncode(state.dsaPubH, state.rNonce, enc)
191 return nil, errors.Wrap(err, wrapEnclessDecode)
194 chacha20.XORKeyStream(enc, enc, state.rNonce, state.dsaPubH)
196 tag, err := idTag(state.Conf.ID, state.Conf.TimeSync, state.rNonce[8:])
198 return nil, errors.Wrapf(err, wrapIDTag, state.Conf.ID.String(), state.Conf.TimeSync)
200 data := append(state.rNonce[8:], enc...)
201 data = append(data, tag...)
202 if _, err = state.conn.Write(data); err != nil {
203 return nil, errors.Wrap(err, "state.conn.Write")
208 // Server processes handshake message on the server side.
209 // This function is intended to be called on server's side.
210 // If this is the final handshake message, then new Peer object
211 // will be created and used as a transport.
212 func (h *Handshake) Server(data []byte) (*Peer, error) {
213 // R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag
214 if h.rNonce == nil && ((!h.Conf.Encless && len(data) >= 48) ||
215 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
216 h.rNonce = new([16]byte)
217 copy(h.rNonce[8:], data[:RSize])
219 // Decrypt remote public key
220 cDHRepr := new([32]byte)
222 out, err := EnclessDecode(
225 data[RSize:len(data)-8],
228 return nil, errors.Wrap(err, wrapEnclessDecode)
230 copy(cDHRepr[:], out)
232 chacha20.XORKeyStream(cDHRepr[:], data[RSize:RSize+32], h.rNonce, h.dsaPubH)
235 // Generate DH keypair
236 var dhPubRepr *[32]byte
238 if h.dhPriv, dhPubRepr, err = dhKeypairGen(); err != nil {
239 return nil, errors.Wrap(err, "dhKeypairGen")
242 // Compute shared key
244 extra25519.RepresentativeToPublicKey(cDH, cDHRepr)
245 h.key = dhKeyGen(h.dhPriv, cDH)
249 encPub = make([]byte, h.Conf.MTU)
250 copy(encPub, dhPubRepr[:])
251 encPub, err = EnclessEncode(h.dsaPubH, h.rNonceNext(1), encPub)
253 return nil, errors.Wrap(err, wrapEnclessEncode)
256 encPub = make([]byte, 32)
257 chacha20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH)
260 // Generate R* and encrypt them
261 h.rServer = new([RSize]byte)
262 if _, err = io.ReadFull(Rand, h.rServer[:]); err != nil {
263 return nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
265 h.sServer = new([SSize]byte)
266 if _, err = io.ReadFull(Rand, h.sServer[:]); err != nil {
267 return nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
270 if h.Conf.Noise && !h.Conf.Encless {
271 encRs = make([]byte, h.Conf.MTU-len(encPub)-8)
272 } else if h.Conf.Encless {
273 encRs = make([]byte, h.Conf.MTU-8)
275 encRs = make([]byte, RSize+SSize)
277 copy(encRs, append(h.rServer[:], h.sServer[:]...))
279 encRs, err = EnclessEncode(h.key, h.rNonce, encRs)
281 return nil, errors.Wrap(err, wrapEnclessEncode)
284 chacha20.XORKeyStream(encRs, encRs, h.rNonce, h.key)
287 tag, err := idTag(h.Conf.ID, h.Conf.TimeSync, encPub)
289 return nil, errors.Wrapf(err, wrapIDTag, h.Conf.ID.String(), h.Conf.TimeSync)
292 // Send that to client
293 _, err = h.conn.Write(append(encPub, append(
297 return nil, errors.Wrap(err, "conn.Write")
299 h.LastPing = time.Now()
301 // ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag
302 if h.rClient == nil && ((!h.Conf.Encless && len(data) >= 120) ||
303 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
307 dec, err = EnclessDecode(
313 return nil, errors.Wrap(err, wrapEnclessDecode)
315 dec = dec[:RSize+RSize+SSize+ed25519.SignatureSize]
317 dec = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
318 chacha20.XORKeyStream(
320 data[:RSize+RSize+SSize+ed25519.SignatureSize],
325 if subtle.ConstantTimeCompare(dec[:RSize], h.rServer[:]) != 1 {
326 return nil, errors.New("Invalid server's random number")
328 sign := new([ed25519.SignatureSize]byte)
329 copy(sign[:], dec[RSize+RSize+SSize:])
330 if !ed25519.Verify(h.Conf.Verifier.Pub, h.key[:], sign) {
331 return nil, errors.New("Invalid signature")
334 // Send final answer to client
337 enc = make([]byte, h.Conf.MTU-8)
339 enc = make([]byte, RSize)
341 copy(enc, dec[RSize:RSize+RSize])
343 enc, err = EnclessEncode(h.key, h.rNonceNext(2), enc)
345 return nil, errors.Wrap(err, wrapEnclessEncode)
348 chacha20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key)
350 tag, err := idTag(h.Conf.ID, h.Conf.TimeSync, enc)
352 return nil, errors.Wrapf(err, wrapIDTag, h.Conf.ID.String(), h.Conf.TimeSync)
354 if _, err = h.conn.Write(append(enc, tag...)); err != nil {
355 return nil, errors.Wrap(err, "conn.Write")
359 peer, err := newPeer(
364 keyFromSecrets(h.sServer[:], dec[RSize+RSize:RSize+RSize+SSize]))
366 return nil, errors.Wrap(err, "newPeer")
368 h.LastPing = time.Now()
374 // Client processes handshake message on the client side.
375 // This function is intended to be called on client's side.
376 // If this is the final handshake message, then new Peer object
377 // will be created and used as a transport. If no mutually
378 // authenticated Peer is ready, then return nil.
379 func (h *Handshake) Client(data []byte) (*Peer, error) {
380 // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag
381 if h.rServer == nil && h.key == nil &&
382 ((!h.Conf.Encless && len(data) >= 80) ||
383 (h.Conf.Encless && len(data) == 2*(EnclessEnlargeSize+h.Conf.MTU))) {
384 // Decrypt remote public key
385 sDHRepr := new([32]byte)
389 tmp, err = EnclessDecode(
395 return nil, errors.Wrap(err, wrapEnclessDecode)
397 copy(sDHRepr[:], tmp[:32])
399 chacha20.XORKeyStream(sDHRepr[:], data[:32], h.rNonceNext(1), h.dsaPubH)
402 // Compute shared key
404 extra25519.RepresentativeToPublicKey(sDH, sDHRepr)
405 h.key = dhKeyGen(h.dhPriv, sDH)
408 h.rServer = new([RSize]byte)
409 h.sServer = new([SSize]byte)
411 tmp, err = EnclessDecode(h.key, h.rNonce, data[len(data)/2:len(data)-8])
413 return nil, errors.Wrap(err, wrapEnclessDecode)
415 copy(h.rServer[:], tmp[:RSize])
416 copy(h.sServer[:], tmp[RSize:RSize+SSize])
418 decRs := make([]byte, RSize+SSize)
419 chacha20.XORKeyStream(decRs, data[SSize:SSize+RSize+SSize], h.rNonce, h.key)
420 copy(h.rServer[:], decRs[:RSize])
421 copy(h.sServer[:], decRs[RSize:])
424 // Generate R* and signature and encrypt them
425 h.rClient = new([RSize]byte)
426 if _, err = io.ReadFull(Rand, h.rClient[:]); err != nil {
427 return nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
429 h.sClient = new([SSize]byte)
430 if _, err = io.ReadFull(Rand, h.sClient[:]); err != nil {
431 return nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
433 sign := ed25519.Sign(h.Conf.DSAPriv, h.key[:])
437 enc = make([]byte, h.Conf.MTU-8)
439 enc = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
441 copy(enc, h.rServer[:])
442 copy(enc[RSize:], h.rClient[:])
443 copy(enc[RSize+RSize:], h.sClient[:])
444 copy(enc[RSize+RSize+SSize:], sign[:])
446 enc, err = EnclessEncode(h.key, h.rNonceNext(1), enc)
448 return nil, errors.Wrap(err, wrapEnclessEncode)
451 chacha20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key)
454 tag, err := idTag(h.Conf.ID, h.Conf.TimeSync, enc)
456 return nil, errors.Wrapf(err, wrapIDTag, h.Conf.ID.String(), h.Conf.TimeSync)
459 // Send that to server
460 if _, err = h.conn.Write(append(enc, tag...)); err != nil {
461 return nil, errors.Wrap(err, "conn.Write")
463 h.LastPing = time.Now()
465 // ENC(K, R+2, RC) + IDtag
466 if h.key != nil && ((!h.Conf.Encless && len(data) >= 16) ||
467 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
472 dec, err = EnclessDecode(h.key, h.rNonceNext(2), data[:len(data)-8])
474 return nil, errors.Wrap(err, wrapEnclessDecode)
478 dec = make([]byte, RSize)
479 chacha20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
481 if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
482 return nil, errors.New("Invalid client's random number")
486 peer, err := newPeer(
491 keyFromSecrets(h.sServer[:], h.sClient[:]),
494 return nil, errors.Wrap(err, "newPeer")
496 h.LastPing = time.Now()
500 // no peer yet, no error