src/cypherpunks.ru/govpn/handshake.go

   1 /*
   2 GoVPN -- simple secure free software virtual private network daemon
   3 Copyright (C) 2014-2016 Sergey Matveev <stargrave@stargrave.org>
   4
   5 This program is free software: you can redistribute it and/or modify
   6 it under the terms of the GNU General Public License as published by
   7 the Free Software Foundation, either version 3 of the License, or
   8 (at your option) any later version.
   9
  10 This program is distributed in the hope that it will be useful,
  11 but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 GNU General Public License for more details.
  14
  15 You should have received a copy of the GNU General Public License
  16 along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 */
  18
  19 package govpn
  20
  21 import (
  22         "crypto/subtle"
  23         "encoding/binary"
  24         "io"
  25         "log"
  26         "time"
  27
  28         "github.com/agl/ed25519"
  29         "github.com/agl/ed25519/extra25519"
  30         "golang.org/x/crypto/blake2b"
  31         "golang.org/x/crypto/curve25519"
  32         "golang.org/x/crypto/salsa20"
  33 )
  34
  35 const (
  36         RSize = 8
  37         SSize = 32
  38 )
  39
  40 type Handshake struct {
  41         addr     string
  42         conn     io.Writer
  43         LastPing time.Time
  44         Conf     *PeerConf
  45         dsaPubH  *[ed25519.PublicKeySize]byte
  46         key      *[32]byte
  47         rNonce   *[RSize]byte
  48         dhPriv   *[32]byte    // own private DH key
  49         rServer  *[RSize]byte // random string for authentication
  50         rClient  *[RSize]byte
  51         sServer  *[SSize]byte // secret string for main key calculation
  52         sClient  *[SSize]byte
  53 }
  54
  55 func keyFromSecrets(server, client []byte) *[SSize]byte {
  56         k := new([SSize]byte)
  57         for i := 0; i < SSize; i++ {
  58                 k[i] = server[i] ^ client[i]
  59         }
  60         return k
  61 }
  62
  63 // Zero handshake's memory state
  64 func (h *Handshake) Zero() {
  65         if h.rNonce != nil {
  66                 SliceZero(h.rNonce[:])
  67         }
  68         if h.dhPriv != nil {
  69                 SliceZero(h.dhPriv[:])
  70         }
  71         if h.key != nil {
  72                 SliceZero(h.key[:])
  73         }
  74         if h.dsaPubH != nil {
  75                 SliceZero(h.dsaPubH[:])
  76         }
  77         if h.rServer != nil {
  78                 SliceZero(h.rServer[:])
  79         }
  80         if h.rClient != nil {
  81                 SliceZero(h.rClient[:])
  82         }
  83         if h.sServer != nil {
  84                 SliceZero(h.sServer[:])
  85         }
  86         if h.sClient != nil {
  87                 SliceZero(h.sClient[:])
  88         }
  89 }
  90
  91 func (h *Handshake) rNonceNext(count uint64) []byte {
  92         nonce := make([]byte, RSize)
  93         nonceCurrent, _ := binary.Uvarint(h.rNonce[:])
  94         binary.PutUvarint(nonce, nonceCurrent+count)
  95         return nonce
  96 }
  97
  98 func dhKeypairGen() (*[32]byte, *[32]byte) {
  99         priv := new([32]byte)
 100         pub := new([32]byte)
 101         repr := new([32]byte)
 102         reprFound := false
 103         for !reprFound {
 104                 if _, err := io.ReadFull(Rand, priv[:]); err != nil {
 105                         log.Fatalln("Error reading random for DH private key:", err)
 106                 }
 107                 reprFound = extra25519.ScalarBaseMult(pub, repr, priv)
 108         }
 109         return priv, repr
 110 }
 111
 112 func dhKeyGen(priv, pub *[32]byte) *[32]byte {
 113         key := new([32]byte)
 114         curve25519.ScalarMult(key, priv, pub)
 115         hashed := blake2b.Sum256(key[:])
 116         return &hashed
 117 }
 118
 119 // Create new handshake state.
 120 func NewHandshake(addr string, conn io.Writer, conf *PeerConf) *Handshake {
 121         state := Handshake{
 122                 addr:     addr,
 123                 conn:     conn,
 124                 LastPing: time.Now(),
 125                 Conf:     conf,
 126         }
 127         state.dsaPubH = new([ed25519.PublicKeySize]byte)
 128         copy(state.dsaPubH[:], state.Conf.Verifier.Pub[:])
 129         hashed := blake2b.Sum256(state.dsaPubH[:])
 130         state.dsaPubH = &hashed
 131         return &state
 132 }
 133
 134 // Generate ID tag from client identification and data.
 135 func idTag(id *PeerId, timeSync int, data []byte) []byte {
 136         enc := make([]byte, 8)
 137         copy(enc, data)
 138         AddTimeSync(timeSync, enc)
 139         mac, err := blake2b.New256(id[:])
 140         if err != nil {
 141                 panic(err)
 142         }
 143         mac.Write(enc)
 144         mac.Sum(enc[:0])
 145         return enc
 146 }
 147
 148 // Start handshake's procedure from the client. It is the entry point
 149 // for starting the handshake procedure. // First handshake packet
 150 // will be sent immediately.
 151 func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake {
 152         state := NewHandshake(addr, conn, conf)
 153         var dhPubRepr *[32]byte
 154         state.dhPriv, dhPubRepr = dhKeypairGen()
 155
 156         state.rNonce = new([RSize]byte)
 157         if _, err := io.ReadFull(Rand, state.rNonce[:]); err != nil {
 158                 log.Fatalln("Error reading random for nonce:", err)
 159         }
 160         var enc []byte
 161         if conf.Noise {
 162                 enc = make([]byte, conf.MTU-8-RSize)
 163         } else {
 164                 enc = make([]byte, 32)
 165         }
 166         copy(enc, dhPubRepr[:])
 167         if conf.Encless {
 168                 var err error
 169                 enc, err = EnclessEncode(state.dsaPubH, state.rNonce[:], enc)
 170                 if err != err {
 171                         panic(err)
 172                 }
 173         } else {
 174                 salsa20.XORKeyStream(enc, enc, state.rNonce[:], state.dsaPubH)
 175         }
 176         data := append(state.rNonce[:], enc...)
 177         data = append(data, idTag(state.Conf.Id, state.Conf.TimeSync, state.rNonce[:])...)
 178         state.conn.Write(data)
 179         return state
 180 }
 181
 182 // Process handshake message on the server side.
 183 // This function is intended to be called on server's side.
 184 // If this is the final handshake message, then new Peer object
 185 // will be created and used as a transport. If no mutually
 186 // authenticated Peer is ready, then return nil.
 187 func (h *Handshake) Server(data []byte) *Peer {
 188         // R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag
 189         if h.rNonce == nil && ((!h.Conf.Encless && len(data) >= 48) ||
 190                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
 191                 h.rNonce = new([RSize]byte)
 192                 copy(h.rNonce[:], data[:RSize])
 193
 194                 // Decrypt remote public key
 195                 cDHRepr := new([32]byte)
 196                 if h.Conf.Encless {
 197                         out, err := EnclessDecode(
 198                                 h.dsaPubH,
 199                                 h.rNonce[:],
 200                                 data[RSize:len(data)-8],
 201                         )
 202                         if err != nil {
 203                                 log.Println("Unable to decode packet from", h.addr, err)
 204                                 return nil
 205                         }
 206                         copy(cDHRepr[:], out)
 207                 } else {
 208                         salsa20.XORKeyStream(cDHRepr[:], data[RSize:RSize+32], h.rNonce[:], h.dsaPubH)
 209                 }
 210
 211                 // Generate DH keypair
 212                 var dhPubRepr *[32]byte
 213                 h.dhPriv, dhPubRepr = dhKeypairGen()
 214
 215                 // Compute shared key
 216                 cDH := new([32]byte)
 217                 extra25519.RepresentativeToPublicKey(cDH, cDHRepr)
 218                 h.key = dhKeyGen(h.dhPriv, cDH)
 219
 220                 var encPub []byte
 221                 var err error
 222                 if h.Conf.Encless {
 223                         encPub = make([]byte, h.Conf.MTU)
 224                         copy(encPub, dhPubRepr[:])
 225                         encPub, err = EnclessEncode(h.dsaPubH, h.rNonceNext(1), encPub)
 226                         if err != nil {
 227                                 panic(err)
 228                         }
 229                 } else {
 230                         encPub = make([]byte, 32)
 231                         salsa20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH)
 232                 }
 233
 234                 // Generate R* and encrypt them
 235                 h.rServer = new([RSize]byte)
 236                 if _, err = io.ReadFull(Rand, h.rServer[:]); err != nil {
 237                         log.Fatalln("Error reading random for R:", err)
 238                 }
 239                 h.sServer = new([SSize]byte)
 240                 if _, err = io.ReadFull(Rand, h.sServer[:]); err != nil {
 241                         log.Fatalln("Error reading random for S:", err)
 242                 }
 243                 var encRs []byte
 244                 if h.Conf.Noise && !h.Conf.Encless {
 245                         encRs = make([]byte, h.Conf.MTU-len(encPub)-8)
 246                 } else if h.Conf.Encless {
 247                         encRs = make([]byte, h.Conf.MTU-8)
 248                 } else {
 249                         encRs = make([]byte, RSize+SSize)
 250                 }
 251                 copy(encRs, append(h.rServer[:], h.sServer[:]...))
 252                 if h.Conf.Encless {
 253                         encRs, err = EnclessEncode(h.key, h.rNonce[:], encRs)
 254                         if err != nil {
 255                                 panic(err)
 256                         }
 257                 } else {
 258                         salsa20.XORKeyStream(encRs, encRs, h.rNonce[:], h.key)
 259                 }
 260
 261                 // Send that to client
 262                 h.conn.Write(append(encPub, append(
 263                         encRs, idTag(h.Conf.Id, h.Conf.TimeSync, encPub)...,
 264                 )...))
 265                 h.LastPing = time.Now()
 266         } else
 267         // ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag
 268         if h.rClient == nil && ((!h.Conf.Encless && len(data) >= 120) ||
 269                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
 270                 var dec []byte
 271                 var err error
 272                 if h.Conf.Encless {
 273                         dec, err = EnclessDecode(
 274                                 h.key,
 275                                 h.rNonceNext(1),
 276                                 data[:len(data)-8],
 277                         )
 278                         if err != nil {
 279                                 log.Println("Unable to decode packet from", h.addr, err)
 280                                 return nil
 281                         }
 282                         dec = dec[:RSize+RSize+SSize+ed25519.SignatureSize]
 283                 } else {
 284                         dec = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
 285                         salsa20.XORKeyStream(
 286                                 dec,
 287                                 data[:RSize+RSize+SSize+ed25519.SignatureSize],
 288                                 h.rNonceNext(1),
 289                                 h.key,
 290                         )
 291                 }
 292                 if subtle.ConstantTimeCompare(dec[:RSize], h.rServer[:]) != 1 {
 293                         log.Println("Invalid server's random number with", h.addr)
 294                         return nil
 295                 }
 296                 sign := new([ed25519.SignatureSize]byte)
 297                 copy(sign[:], dec[RSize+RSize+SSize:])
 298                 if !ed25519.Verify(h.Conf.Verifier.Pub, h.key[:], sign) {
 299                         log.Println("Invalid signature from", h.addr)
 300                         return nil
 301                 }
 302
 303                 // Send final answer to client
 304                 var enc []byte
 305                 if h.Conf.Noise {
 306                         enc = make([]byte, h.Conf.MTU-8)
 307                 } else {
 308                         enc = make([]byte, RSize)
 309                 }
 310                 copy(enc, dec[RSize:RSize+RSize])
 311                 if h.Conf.Encless {
 312                         enc, err = EnclessEncode(h.key, h.rNonceNext(2), enc)
 313                         if err != nil {
 314                                 panic(err)
 315                         }
 316                 } else {
 317                         salsa20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key)
 318                 }
 319                 h.conn.Write(append(enc, idTag(h.Conf.Id, h.Conf.TimeSync, enc)...))
 320
 321                 // Switch peer
 322                 peer := newPeer(
 323                         false,
 324                         h.addr,
 325                         h.conn,
 326                         h.Conf,
 327                         keyFromSecrets(h.sServer[:], dec[RSize+RSize:RSize+RSize+SSize]))
 328                 h.LastPing = time.Now()
 329                 return peer
 330         } else {
 331                 log.Println("Invalid handshake message from", h.addr)
 332         }
 333         return nil
 334 }
 335
 336 // Process handshake message on the client side.
 337 // This function is intended to be called on client's side.
 338 // If this is the final handshake message, then new Peer object
 339 // will be created and used as a transport. If no mutually
 340 // authenticated Peer is ready, then return nil.
 341 func (h *Handshake) Client(data []byte) *Peer {
 342         // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag
 343         if h.rServer == nil && h.key == nil &&
 344                 ((!h.Conf.Encless && len(data) >= 80) ||
 345                         (h.Conf.Encless && len(data) == 2*(EnclessEnlargeSize+h.Conf.MTU))) {
 346                 // Decrypt remote public key
 347                 sDHRepr := new([32]byte)
 348                 var tmp []byte
 349                 var err error
 350                 if h.Conf.Encless {
 351                         tmp, err = EnclessDecode(
 352                                 h.dsaPubH,
 353                                 h.rNonceNext(1),
 354                                 data[:len(data)/2],
 355                         )
 356                         if err != nil {
 357                                 log.Println("Unable to decode packet from", h.addr, err)
 358                                 return nil
 359                         }
 360                         copy(sDHRepr[:], tmp[:32])
 361                 } else {
 362                         salsa20.XORKeyStream(sDHRepr[:], data[:32], h.rNonceNext(1), h.dsaPubH)
 363                 }
 364
 365                 // Compute shared key
 366                 sDH := new([32]byte)
 367                 extra25519.RepresentativeToPublicKey(sDH, sDHRepr)
 368                 h.key = dhKeyGen(h.dhPriv, sDH)
 369
 370                 // Decrypt Rs
 371                 h.rServer = new([RSize]byte)
 372                 h.sServer = new([SSize]byte)
 373                 if h.Conf.Encless {
 374                         tmp, err = EnclessDecode(
 375                                 h.key,
 376                                 h.rNonce[:],
 377                                 data[len(data)/2:len(data)-8],
 378                         )
 379                         if err != nil {
 380                                 log.Println("Unable to decode packet from", h.addr, err)
 381                                 return nil
 382                         }
 383                         copy(h.rServer[:], tmp[:RSize])
 384                         copy(h.sServer[:], tmp[RSize:RSize+SSize])
 385                 } else {
 386                         decRs := make([]byte, RSize+SSize)
 387                         salsa20.XORKeyStream(decRs, data[SSize:SSize+RSize+SSize], h.rNonce[:], h.key)
 388                         copy(h.rServer[:], decRs[:RSize])
 389                         copy(h.sServer[:], decRs[RSize:])
 390                 }
 391
 392                 // Generate R* and signature and encrypt them
 393                 h.rClient = new([RSize]byte)
 394                 if _, err = io.ReadFull(Rand, h.rClient[:]); err != nil {
 395                         log.Fatalln("Error reading random for R:", err)
 396                 }
 397                 h.sClient = new([SSize]byte)
 398                 if _, err = io.ReadFull(Rand, h.sClient[:]); err != nil {
 399                         log.Fatalln("Error reading random for S:", err)
 400                 }
 401                 sign := ed25519.Sign(h.Conf.DSAPriv, h.key[:])
 402
 403                 var enc []byte
 404                 if h.Conf.Noise {
 405                         enc = make([]byte, h.Conf.MTU-8)
 406                 } else {
 407                         enc = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
 408                 }
 409                 copy(enc, h.rServer[:])
 410                 copy(enc[RSize:], h.rClient[:])
 411                 copy(enc[RSize+RSize:], h.sClient[:])
 412                 copy(enc[RSize+RSize+SSize:], sign[:])
 413                 if h.Conf.Encless {
 414                         enc, err = EnclessEncode(h.key, h.rNonceNext(1), enc)
 415                         if err != nil {
 416                                 panic(err)
 417                         }
 418                 } else {
 419                         salsa20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key)
 420                 }
 421
 422                 // Send that to server
 423                 h.conn.Write(append(enc, idTag(h.Conf.Id, h.Conf.TimeSync, enc)...))
 424                 h.LastPing = time.Now()
 425         } else
 426         // ENC(K, R+2, RC) + IDtag
 427         if h.key != nil && ((!h.Conf.Encless && len(data) >= 16) ||
 428                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
 429                 var err error
 430                 // Decrypt rClient
 431                 var dec []byte
 432                 if h.Conf.Encless {
 433                         dec, err = EnclessDecode(h.key, h.rNonceNext(2), data[:len(data)-8])
 434                         if err != nil {
 435                                 log.Println("Unable to decode packet from", h.addr, err)
 436                                 return nil
 437                         }
 438                         dec = dec[:RSize]
 439                 } else {
 440                         dec = make([]byte, RSize)
 441                         salsa20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
 442                 }
 443                 if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
 444                         log.Println("Invalid client's random number with", h.addr)
 445                         return nil
 446                 }
 447
 448                 // Switch peer
 449                 peer := newPeer(
 450                         true,
 451                         h.addr,
 452                         h.conn,
 453                         h.Conf,
 454                         keyFromSecrets(h.sServer[:], h.sClient[:]),
 455                 )
 456                 h.LastPing = time.Now()
 457                 return peer
 458         } else {
 459                 log.Println("Invalid handshake stage from", h.addr)
 460         }
 461         return nil
 462 }