src/cypherpunks.ru/govpn/handshake.go

   1 /*
   2 GoVPN -- simple secure free software virtual private network daemon
   3 Copyright (C) 2014-2016 Sergey Matveev <stargrave@stargrave.org>
   4
   5 This program is free software: you can redistribute it and/or modify
   6 it under the terms of the GNU General Public License as published by
   7 the Free Software Foundation, either version 3 of the License, or
   8 (at your option) any later version.
   9
  10 This program is distributed in the hope that it will be useful,
  11 but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 GNU General Public License for more details.
  14
  15 You should have received a copy of the GNU General Public License
  16 along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 */
  18
  19 package govpn
  20
  21 import (
  22         "crypto/subtle"
  23         "encoding/binary"
  24         "io"
  25         "log"
  26         "time"
  27
  28         "github.com/agl/ed25519"
  29         "github.com/agl/ed25519/extra25519"
  30         "github.com/dchest/blake2b"
  31         "golang.org/x/crypto/curve25519"
  32         "golang.org/x/crypto/salsa20"
  33         "golang.org/x/crypto/xtea"
  34 )
  35
  36 const (
  37         RSize = 8
  38         SSize = 32
  39 )
  40
  41 type Handshake struct {
  42         addr     string
  43         conn     io.Writer
  44         LastPing time.Time
  45         Conf     *PeerConf
  46         dsaPubH  *[ed25519.PublicKeySize]byte
  47         key      *[32]byte
  48         rNonce   *[RSize]byte
  49         dhPriv   *[32]byte    // own private DH key
  50         rServer  *[RSize]byte // random string for authentication
  51         rClient  *[RSize]byte
  52         sServer  *[SSize]byte // secret string for main key calculation
  53         sClient  *[SSize]byte
  54 }
  55
  56 func keyFromSecrets(server, client []byte) *[SSize]byte {
  57         k := new([SSize]byte)
  58         for i := 0; i < SSize; i++ {
  59                 k[i] = server[i] ^ client[i]
  60         }
  61         return k
  62 }
  63
  64 // Zero handshake's memory state
  65 func (h *Handshake) Zero() {
  66         if h.rNonce != nil {
  67                 SliceZero(h.rNonce[:])
  68         }
  69         if h.dhPriv != nil {
  70                 SliceZero(h.dhPriv[:])
  71         }
  72         if h.key != nil {
  73                 SliceZero(h.key[:])
  74         }
  75         if h.dsaPubH != nil {
  76                 SliceZero(h.dsaPubH[:])
  77         }
  78         if h.rServer != nil {
  79                 SliceZero(h.rServer[:])
  80         }
  81         if h.rClient != nil {
  82                 SliceZero(h.rClient[:])
  83         }
  84         if h.sServer != nil {
  85                 SliceZero(h.sServer[:])
  86         }
  87         if h.sClient != nil {
  88                 SliceZero(h.sClient[:])
  89         }
  90 }
  91
  92 func (h *Handshake) rNonceNext(count uint64) []byte {
  93         nonce := make([]byte, RSize)
  94         nonceCurrent, _ := binary.Uvarint(h.rNonce[:])
  95         binary.PutUvarint(nonce, nonceCurrent+count)
  96         return nonce
  97 }
  98
  99 func dhKeypairGen() (*[32]byte, *[32]byte) {
 100         priv := new([32]byte)
 101         pub := new([32]byte)
 102         repr := new([32]byte)
 103         reprFound := false
 104         for !reprFound {
 105                 if _, err := Rand.Read(priv[:]); err != nil {
 106                         log.Fatalln("Error reading random for DH private key:", err)
 107                 }
 108                 reprFound = extra25519.ScalarBaseMult(pub, repr, priv)
 109         }
 110         return priv, repr
 111 }
 112
 113 func dhKeyGen(priv, pub *[32]byte) *[32]byte {
 114         key := new([32]byte)
 115         curve25519.ScalarMult(key, priv, pub)
 116         hashed := blake2b.Sum256(key[:])
 117         return &hashed
 118 }
 119
 120 // Create new handshake state.
 121 func NewHandshake(addr string, conn io.Writer, conf *PeerConf) *Handshake {
 122         state := Handshake{
 123                 addr:     addr,
 124                 conn:     conn,
 125                 LastPing: time.Now(),
 126                 Conf:     conf,
 127         }
 128         state.dsaPubH = new([ed25519.PublicKeySize]byte)
 129         copy(state.dsaPubH[:], state.Conf.Verifier.Pub[:])
 130         hashed := blake2b.Sum256(state.dsaPubH[:])
 131         state.dsaPubH = &hashed
 132         return &state
 133 }
 134
 135 // Generate ID tag from client identification and data.
 136 func idTag(id *PeerId, timeSync int, data []byte) []byte {
 137         ciph, err := xtea.NewCipher(id[:])
 138         if err != nil {
 139                 panic(err)
 140         }
 141         enc := make([]byte, xtea.BlockSize)
 142         copy(enc, data)
 143         AddTimeSync(timeSync, enc)
 144         ciph.Encrypt(enc, enc)
 145         return enc
 146 }
 147
 148 // Start handshake's procedure from the client. It is the entry point
 149 // for starting the handshake procedure. // First handshake packet
 150 // will be sent immediately.
 151 func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake {
 152         state := NewHandshake(addr, conn, conf)
 153         var dhPubRepr *[32]byte
 154         state.dhPriv, dhPubRepr = dhKeypairGen()
 155
 156         state.rNonce = new([RSize]byte)
 157         if _, err := Rand.Read(state.rNonce[:]); err != nil {
 158                 log.Fatalln("Error reading random for nonce:", err)
 159         }
 160         var enc []byte
 161         if conf.Noise {
 162                 enc = make([]byte, conf.MTU-xtea.BlockSize-RSize)
 163         } else {
 164                 enc = make([]byte, 32)
 165         }
 166         copy(enc, dhPubRepr[:])
 167         if conf.Encless {
 168                 var err error
 169                 enc, err = EnclessEncode(state.dsaPubH, state.rNonce[:], enc)
 170                 if err != err {
 171                         panic(err)
 172                 }
 173         } else {
 174                 salsa20.XORKeyStream(enc, enc, state.rNonce[:], state.dsaPubH)
 175         }
 176         data := append(state.rNonce[:], enc...)
 177         data = append(data, idTag(state.Conf.Id, state.Conf.TimeSync, state.rNonce[:])...)
 178         state.conn.Write(data)
 179         return state
 180 }
 181
 182 // Process handshake message on the server side.
 183 // This function is intended to be called on server's side.
 184 // If this is the final handshake message, then new Peer object
 185 // will be created and used as a transport. If no mutually
 186 // authenticated Peer is ready, then return nil.
 187 func (h *Handshake) Server(data []byte) *Peer {
 188         // R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag
 189         if h.rNonce == nil && ((!h.Conf.Encless && len(data) >= 48) ||
 190                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
 191                 h.rNonce = new([RSize]byte)
 192                 copy(h.rNonce[:], data[:RSize])
 193
 194                 // Decrypt remote public key
 195                 cDHRepr := new([32]byte)
 196                 if h.Conf.Encless {
 197                         out, err := EnclessDecode(
 198                                 h.dsaPubH,
 199                                 h.rNonce[:],
 200                                 data[RSize:len(data)-xtea.BlockSize],
 201                         )
 202                         if err != nil {
 203                                 log.Println("Unable to decode packet from", h.addr, err)
 204                                 return nil
 205                         }
 206                         copy(cDHRepr[:], out)
 207                 } else {
 208                         salsa20.XORKeyStream(
 209                                 cDHRepr[:],
 210                                 data[RSize:RSize+32],
 211                                 h.rNonce[:],
 212                                 h.dsaPubH,
 213                         )
 214                 }
 215
 216                 // Generate DH keypair
 217                 var dhPubRepr *[32]byte
 218                 h.dhPriv, dhPubRepr = dhKeypairGen()
 219
 220                 // Compute shared key
 221                 cDH := new([32]byte)
 222                 extra25519.RepresentativeToPublicKey(cDH, cDHRepr)
 223                 h.key = dhKeyGen(h.dhPriv, cDH)
 224
 225                 var encPub []byte
 226                 var err error
 227                 if h.Conf.Encless {
 228                         encPub = make([]byte, h.Conf.MTU)
 229                         copy(encPub, dhPubRepr[:])
 230                         encPub, err = EnclessEncode(h.dsaPubH, h.rNonceNext(1), encPub)
 231                         if err != nil {
 232                                 panic(err)
 233                         }
 234                 } else {
 235                         encPub = make([]byte, 32)
 236                         salsa20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH)
 237                 }
 238
 239                 // Generate R* and encrypt them
 240                 h.rServer = new([RSize]byte)
 241                 if _, err = Rand.Read(h.rServer[:]); err != nil {
 242                         log.Fatalln("Error reading random for R:", err)
 243                 }
 244                 h.sServer = new([SSize]byte)
 245                 if _, err = Rand.Read(h.sServer[:]); err != nil {
 246                         log.Fatalln("Error reading random for S:", err)
 247                 }
 248                 var encRs []byte
 249                 if h.Conf.Noise && !h.Conf.Encless {
 250                         encRs = make([]byte, h.Conf.MTU-len(encPub)-xtea.BlockSize)
 251                 } else if h.Conf.Encless {
 252                         encRs = make([]byte, h.Conf.MTU-xtea.BlockSize)
 253                 } else {
 254                         encRs = make([]byte, RSize+SSize)
 255                 }
 256                 copy(encRs, append(h.rServer[:], h.sServer[:]...))
 257                 if h.Conf.Encless {
 258                         encRs, err = EnclessEncode(h.key, h.rNonce[:], encRs)
 259                         if err != nil {
 260                                 panic(err)
 261                         }
 262                 } else {
 263                         salsa20.XORKeyStream(encRs, encRs, h.rNonce[:], h.key)
 264                 }
 265
 266                 // Send that to client
 267                 h.conn.Write(append(encPub, append(
 268                         encRs, idTag(h.Conf.Id, h.Conf.TimeSync, encPub)...,
 269                 )...))
 270                 h.LastPing = time.Now()
 271         } else
 272         // ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag
 273         if h.rClient == nil && ((!h.Conf.Encless && len(data) >= 120) ||
 274                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
 275                 var dec []byte
 276                 var err error
 277                 if h.Conf.Encless {
 278                         dec, err = EnclessDecode(
 279                                 h.key,
 280                                 h.rNonceNext(1),
 281                                 data[:len(data)-xtea.BlockSize],
 282                         )
 283                         if err != nil {
 284                                 log.Println("Unable to decode packet from", h.addr, err)
 285                                 return nil
 286                         }
 287                         dec = dec[:RSize+RSize+SSize+ed25519.SignatureSize]
 288                 } else {
 289                         dec = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
 290                         salsa20.XORKeyStream(
 291                                 dec,
 292                                 data[:RSize+RSize+SSize+ed25519.SignatureSize],
 293                                 h.rNonceNext(1),
 294                                 h.key,
 295                         )
 296                 }
 297                 if subtle.ConstantTimeCompare(dec[:RSize], h.rServer[:]) != 1 {
 298                         log.Println("Invalid server's random number with", h.addr)
 299                         return nil
 300                 }
 301                 sign := new([ed25519.SignatureSize]byte)
 302                 copy(sign[:], dec[RSize+RSize+SSize:])
 303                 if !ed25519.Verify(h.Conf.Verifier.Pub, h.key[:], sign) {
 304                         log.Println("Invalid signature from", h.addr)
 305                         return nil
 306                 }
 307
 308                 // Send final answer to client
 309                 var enc []byte
 310                 if h.Conf.Noise {
 311                         enc = make([]byte, h.Conf.MTU-xtea.BlockSize)
 312                 } else {
 313                         enc = make([]byte, RSize)
 314                 }
 315                 copy(enc, dec[RSize:RSize+RSize])
 316                 if h.Conf.Encless {
 317                         enc, err = EnclessEncode(h.key, h.rNonceNext(2), enc)
 318                         if err != nil {
 319                                 panic(err)
 320                         }
 321                 } else {
 322                         salsa20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key)
 323                 }
 324                 h.conn.Write(append(enc, idTag(h.Conf.Id, h.Conf.TimeSync, enc)...))
 325
 326                 // Switch peer
 327                 peer := newPeer(
 328                         false,
 329                         h.addr,
 330                         h.conn,
 331                         h.Conf,
 332                         keyFromSecrets(h.sServer[:], dec[RSize+RSize:RSize+RSize+SSize]))
 333                 h.LastPing = time.Now()
 334                 return peer
 335         } else {
 336                 log.Println("Invalid handshake message from", h.addr)
 337         }
 338         return nil
 339 }
 340
 341 // Process handshake message on the client side.
 342 // This function is intended to be called on client's side.
 343 // If this is the final handshake message, then new Peer object
 344 // will be created and used as a transport. If no mutually
 345 // authenticated Peer is ready, then return nil.
 346 func (h *Handshake) Client(data []byte) *Peer {
 347         // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag
 348         if h.rServer == nil && h.key == nil &&
 349                 ((!h.Conf.Encless && len(data) >= 80) ||
 350                         (h.Conf.Encless && len(data) == 2*(EnclessEnlargeSize+h.Conf.MTU))) {
 351                 // Decrypt remote public key
 352                 sDHRepr := new([32]byte)
 353                 var tmp []byte
 354                 var err error
 355                 if h.Conf.Encless {
 356                         tmp, err = EnclessDecode(
 357                                 h.dsaPubH,
 358                                 h.rNonceNext(1),
 359                                 data[:len(data)/2],
 360                         )
 361                         if err != nil {
 362                                 log.Println("Unable to decode packet from", h.addr, err)
 363                                 return nil
 364                         }
 365                         copy(sDHRepr[:], tmp[:32])
 366                 } else {
 367                         salsa20.XORKeyStream(
 368                                 sDHRepr[:],
 369                                 data[:32],
 370                                 h.rNonceNext(1),
 371                                 h.dsaPubH,
 372                         )
 373                 }
 374
 375                 // Compute shared key
 376                 sDH := new([32]byte)
 377                 extra25519.RepresentativeToPublicKey(sDH, sDHRepr)
 378                 h.key = dhKeyGen(h.dhPriv, sDH)
 379
 380                 // Decrypt Rs
 381                 h.rServer = new([RSize]byte)
 382                 h.sServer = new([SSize]byte)
 383                 if h.Conf.Encless {
 384                         tmp, err = EnclessDecode(
 385                                 h.key,
 386                                 h.rNonce[:],
 387                                 data[len(data)/2:len(data)-xtea.BlockSize],
 388                         )
 389                         if err != nil {
 390                                 log.Println("Unable to decode packet from", h.addr, err)
 391                                 return nil
 392                         }
 393                         copy(h.rServer[:], tmp[:RSize])
 394                         copy(h.sServer[:], tmp[RSize:RSize+SSize])
 395                 } else {
 396                         decRs := make([]byte, RSize+SSize)
 397                         salsa20.XORKeyStream(
 398                                 decRs,
 399                                 data[SSize:SSize+RSize+SSize],
 400                                 h.rNonce[:],
 401                                 h.key,
 402                         )
 403                         copy(h.rServer[:], decRs[:RSize])
 404                         copy(h.sServer[:], decRs[RSize:])
 405                 }
 406
 407                 // Generate R* and signature and encrypt them
 408                 h.rClient = new([RSize]byte)
 409                 if _, err = Rand.Read(h.rClient[:]); err != nil {
 410                         log.Fatalln("Error reading random for R:", err)
 411                 }
 412                 h.sClient = new([SSize]byte)
 413                 if _, err = Rand.Read(h.sClient[:]); err != nil {
 414                         log.Fatalln("Error reading random for S:", err)
 415                 }
 416                 sign := ed25519.Sign(h.Conf.DSAPriv, h.key[:])
 417
 418                 var enc []byte
 419                 if h.Conf.Noise {
 420                         enc = make([]byte, h.Conf.MTU-xtea.BlockSize)
 421                 } else {
 422                         enc = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
 423                 }
 424                 copy(enc, h.rServer[:])
 425                 copy(enc[RSize:], h.rClient[:])
 426                 copy(enc[RSize+RSize:], h.sClient[:])
 427                 copy(enc[RSize+RSize+SSize:], sign[:])
 428                 if h.Conf.Encless {
 429                         enc, err = EnclessEncode(h.key, h.rNonceNext(1), enc)
 430                         if err != nil {
 431                                 panic(err)
 432                         }
 433                 } else {
 434                         salsa20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key)
 435                 }
 436
 437                 // Send that to server
 438                 h.conn.Write(append(enc, idTag(h.Conf.Id, h.Conf.TimeSync, enc)...))
 439                 h.LastPing = time.Now()
 440         } else
 441         // ENC(K, R+2, RC) + IDtag
 442         if h.key != nil && ((!h.Conf.Encless && len(data) >= 16) ||
 443                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
 444                 var err error
 445                 // Decrypt rClient
 446                 var dec []byte
 447                 if h.Conf.Encless {
 448                         dec, err = EnclessDecode(
 449                                 h.key,
 450                                 h.rNonceNext(2),
 451                                 data[:len(data)-xtea.BlockSize],
 452                         )
 453                         if err != nil {
 454                                 log.Println("Unable to decode packet from", h.addr, err)
 455                                 return nil
 456                         }
 457                         dec = dec[:RSize]
 458                 } else {
 459                         dec = make([]byte, RSize)
 460                         salsa20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
 461                 }
 462                 if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
 463                         log.Println("Invalid client's random number with", h.addr)
 464                         return nil
 465                 }
 466
 467                 // Switch peer
 468                 peer := newPeer(
 469                         true,
 470                         h.addr,
 471                         h.conn,
 472                         h.Conf,
 473                         keyFromSecrets(h.sServer[:], h.sClient[:]),
 474                 )
 475                 h.LastPing = time.Now()
 476                 return peer
 477         } else {
 478                 log.Println("Invalid handshake stage from", h.addr)
 479         }
 480         return nil
 481 }