]> Cypherpunks.ru repositories - govpn.git/blob - src/cypherpunks.ru/govpn/handshake.go
projects / govpn.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch 'develop'
[govpn.git] / src / cypherpunks.ru / govpn / handshake.go
1 /*
2 GoVPN -- simple secure free software virtual private network daemon
3 Copyright (C) 2014-2016 Sergey Matveev <stargrave@stargrave.org>
4
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
9
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 GNU General Public License for more details.
14
15 You should have received a copy of the GNU General Public License
16 along with this program.  If not, see <http://www.gnu.org/licenses/>.
17 */
18
19 package govpn
20
21 import (
22         "crypto/subtle"
23         "encoding/binary"
24         "io"
25         "log"
26         "time"
27
28         "github.com/agl/ed25519"
29         "github.com/agl/ed25519/extra25519"
30         "github.com/dchest/blake2b"
31         "golang.org/x/crypto/curve25519"
32         "golang.org/x/crypto/salsa20"
33         "golang.org/x/crypto/xtea"
34 )
35
36 const (
37         RSize = 8
38         SSize = 32
39 )
40
41 type Handshake struct {
42         addr     string
43         conn     io.Writer
44         LastPing time.Time
45         Conf     *PeerConf
46         dsaPubH  *[ed25519.PublicKeySize]byte
47         key      *[32]byte
48         rNonce   *[RSize]byte
49         dhPriv   *[32]byte    // own private DH key
50         rServer  *[RSize]byte // random string for authentication
51         rClient  *[RSize]byte
52         sServer  *[SSize]byte // secret string for main key calculation
53         sClient  *[SSize]byte
54 }
55
56 func keyFromSecrets(server, client []byte) *[SSize]byte {
57         k := new([SSize]byte)
58         for i := 0; i < SSize; i++ {
59                 k[i] = server[i] ^ client[i]
60         }
61         return k
62 }
63
64 // Zero handshake's memory state
65 func (h *Handshake) Zero() {
66         if h.rNonce != nil {
67                 SliceZero(h.rNonce[:])
68         }
69         if h.dhPriv != nil {
70                 SliceZero(h.dhPriv[:])
71         }
72         if h.key != nil {
73                 SliceZero(h.key[:])
74         }
75         if h.dsaPubH != nil {
76                 SliceZero(h.dsaPubH[:])
77         }
78         if h.rServer != nil {
79                 SliceZero(h.rServer[:])
80         }
81         if h.rClient != nil {
82                 SliceZero(h.rClient[:])
83         }
84         if h.sServer != nil {
85                 SliceZero(h.sServer[:])
86         }
87         if h.sClient != nil {
88                 SliceZero(h.sClient[:])
89         }
90 }
91
92 func (h *Handshake) rNonceNext(count uint64) []byte {
93         nonce := make([]byte, RSize)
94         nonceCurrent, _ := binary.Uvarint(h.rNonce[:])
95         binary.PutUvarint(nonce, nonceCurrent+count)
96         return nonce
97 }
98
99 func dhKeypairGen() (*[32]byte, *[32]byte) {
100         priv := new([32]byte)
101         pub := new([32]byte)
102         repr := new([32]byte)
103         reprFound := false
104         for !reprFound {
105                 if _, err := Rand.Read(priv[:]); err != nil {
106                         log.Fatalln("Error reading random for DH private key:", err)
107                 }
108                 reprFound = extra25519.ScalarBaseMult(pub, repr, priv)
109         }
110         return priv, repr
111 }
112
113 func dhKeyGen(priv, pub *[32]byte) *[32]byte {
114         key := new([32]byte)
115         curve25519.ScalarMult(key, priv, pub)
116         hashed := blake2b.Sum256(key[:])
117         return &hashed
118 }
119
120 // Create new handshake state.
121 func NewHandshake(addr string, conn io.Writer, conf *PeerConf) *Handshake {
122         state := Handshake{
123                 addr:     addr,
124                 conn:     conn,
125                 LastPing: time.Now(),
126                 Conf:     conf,
127         }
128         state.dsaPubH = new([ed25519.PublicKeySize]byte)
129         copy(state.dsaPubH[:], state.Conf.Verifier.Pub[:])
130         hashed := blake2b.Sum256(state.dsaPubH[:])
131         state.dsaPubH = &hashed
132         return &state
133 }
134
135 // Generate ID tag from client identification and data.
136 func idTag(id *PeerId, data []byte) []byte {
137         ciph, err := xtea.NewCipher(id[:])
138         if err != nil {
139                 panic(err)
140         }
141         enc := make([]byte, xtea.BlockSize)
142         ciph.Encrypt(enc, data[:xtea.BlockSize])
143         return enc
144 }
145
146 // Start handshake's procedure from the client. It is the entry point
147 // for starting the handshake procedure. // First handshake packet
148 // will be sent immediately.
149 func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake {
150         state := NewHandshake(addr, conn, conf)
151         var dhPubRepr *[32]byte
152         state.dhPriv, dhPubRepr = dhKeypairGen()
153
154         state.rNonce = new([RSize]byte)
155         if _, err := Rand.Read(state.rNonce[:]); err != nil {
156                 log.Fatalln("Error reading random for nonce:", err)
157         }
158         var enc []byte
159         if conf.Noise {
160                 enc = make([]byte, conf.MTU-xtea.BlockSize-RSize)
161         } else {
162                 enc = make([]byte, 32)
163         }
164         copy(enc, dhPubRepr[:])
165         if conf.Encless {
166                 var err error
167                 enc, err = EnclessEncode(state.dsaPubH, state.rNonce[:], enc)
168                 if err != err {
169                         panic(err)
170                 }
171         } else {
172                 salsa20.XORKeyStream(enc, enc, state.rNonce[:], state.dsaPubH)
173         }
174         data := append(state.rNonce[:], enc...)
175         data = append(data, idTag(state.Conf.Id, state.rNonce[:])...)
176         state.conn.Write(data)
177         return state
178 }
179
180 // Process handshake message on the server side.
181 // This function is intended to be called on server's side.
182 // If this is the final handshake message, then new Peer object
183 // will be created and used as a transport. If no mutually
184 // authenticated Peer is ready, then return nil.
185 func (h *Handshake) Server(data []byte) *Peer {
186         // R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag
187         if h.rNonce == nil && ((!h.Conf.Encless && len(data) >= 48) ||
188                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
189                 h.rNonce = new([RSize]byte)
190                 copy(h.rNonce[:], data[:RSize])
191
192                 // Decrypt remote public key
193                 cDHRepr := new([32]byte)
194                 if h.Conf.Encless {
195                         out, err := EnclessDecode(
196                                 h.dsaPubH,
197                                 h.rNonce[:],
198                                 data[RSize:len(data)-xtea.BlockSize],
199                         )
200                         if err != nil {
201                                 log.Println("Unable to decode packet from", h.addr, err)
202                                 return nil
203                         }
204                         copy(cDHRepr[:], out)
205                 } else {
206                         salsa20.XORKeyStream(
207                                 cDHRepr[:],
208                                 data[RSize:RSize+32],
209                                 h.rNonce[:],
210                                 h.dsaPubH,
211                         )
212                 }
213
214                 // Generate DH keypair
215                 var dhPubRepr *[32]byte
216                 h.dhPriv, dhPubRepr = dhKeypairGen()
217
218                 // Compute shared key
219                 cDH := new([32]byte)
220                 extra25519.RepresentativeToPublicKey(cDH, cDHRepr)
221                 h.key = dhKeyGen(h.dhPriv, cDH)
222
223                 var encPub []byte
224                 var err error
225                 if h.Conf.Encless {
226                         encPub = make([]byte, h.Conf.MTU)
227                         copy(encPub, dhPubRepr[:])
228                         encPub, err = EnclessEncode(h.dsaPubH, h.rNonceNext(1), encPub)
229                         if err != nil {
230                                 panic(err)
231                         }
232                 } else {
233                         encPub = make([]byte, 32)
234                         salsa20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH)
235                 }
236
237                 // Generate R* and encrypt them
238                 h.rServer = new([RSize]byte)
239                 if _, err = Rand.Read(h.rServer[:]); err != nil {
240                         log.Fatalln("Error reading random for R:", err)
241                 }
242                 h.sServer = new([SSize]byte)
243                 if _, err = Rand.Read(h.sServer[:]); err != nil {
244                         log.Fatalln("Error reading random for S:", err)
245                 }
246                 var encRs []byte
247                 if h.Conf.Noise && !h.Conf.Encless {
248                         encRs = make([]byte, h.Conf.MTU-len(encPub)-xtea.BlockSize)
249                 } else if h.Conf.Encless {
250                         encRs = make([]byte, h.Conf.MTU-xtea.BlockSize)
251                 } else {
252                         encRs = make([]byte, RSize+SSize)
253                 }
254                 copy(encRs, append(h.rServer[:], h.sServer[:]...))
255                 if h.Conf.Encless {
256                         encRs, err = EnclessEncode(h.key, h.rNonce[:], encRs)
257                         if err != nil {
258                                 panic(err)
259                         }
260                 } else {
261                         salsa20.XORKeyStream(encRs, encRs, h.rNonce[:], h.key)
262                 }
263
264                 // Send that to client
265                 h.conn.Write(append(encPub, append(encRs, idTag(h.Conf.Id, encPub)...)...))
266                 h.LastPing = time.Now()
267         } else
268         // ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag
269         if h.rClient == nil && ((!h.Conf.Encless && len(data) >= 120) ||
270                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
271                 var dec []byte
272                 var err error
273                 if h.Conf.Encless {
274                         dec, err = EnclessDecode(
275                                 h.key,
276                                 h.rNonceNext(1),
277                                 data[:len(data)-xtea.BlockSize],
278                         )
279                         if err != nil {
280                                 log.Println("Unable to decode packet from", h.addr, err)
281                                 return nil
282                         }
283                         dec = dec[:RSize+RSize+SSize+ed25519.SignatureSize]
284                 } else {
285                         dec = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
286                         salsa20.XORKeyStream(
287                                 dec,
288                                 data[:RSize+RSize+SSize+ed25519.SignatureSize],
289                                 h.rNonceNext(1),
290                                 h.key,
291                         )
292                 }
293                 if subtle.ConstantTimeCompare(dec[:RSize], h.rServer[:]) != 1 {
294                         log.Println("Invalid server's random number with", h.addr)
295                         return nil
296                 }
297                 sign := new([ed25519.SignatureSize]byte)
298                 copy(sign[:], dec[RSize+RSize+SSize:])
299                 if !ed25519.Verify(h.Conf.Verifier.Pub, h.key[:], sign) {
300                         log.Println("Invalid signature from", h.addr)
301                         return nil
302                 }
303
304                 // Send final answer to client
305                 var enc []byte
306                 if h.Conf.Noise {
307                         enc = make([]byte, h.Conf.MTU-xtea.BlockSize)
308                 } else {
309                         enc = make([]byte, RSize)
310                 }
311                 copy(enc, dec[RSize:RSize+RSize])
312                 if h.Conf.Encless {
313                         enc, err = EnclessEncode(h.key, h.rNonceNext(2), enc)
314                         if err != nil {
315                                 panic(err)
316                         }
317                 } else {
318                         salsa20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key)
319                 }
320                 h.conn.Write(append(enc, idTag(h.Conf.Id, enc)...))
321
322                 // Switch peer
323                 peer := newPeer(
324                         false,
325                         h.addr,
326                         h.conn,
327                         h.Conf,
328                         keyFromSecrets(h.sServer[:], dec[RSize+RSize:RSize+RSize+SSize]))
329                 h.LastPing = time.Now()
330                 return peer
331         } else {
332                 log.Println("Invalid handshake message from", h.addr)
333         }
334         return nil
335 }
336
337 // Process handshake message on the client side.
338 // This function is intended to be called on client's side.
339 // If this is the final handshake message, then new Peer object
340 // will be created and used as a transport. If no mutually
341 // authenticated Peer is ready, then return nil.
342 func (h *Handshake) Client(data []byte) *Peer {
343         // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag
344         if h.rServer == nil && h.key == nil &&
345                 ((!h.Conf.Encless && len(data) >= 80) ||
346                         (h.Conf.Encless && len(data) == 2*(EnclessEnlargeSize+h.Conf.MTU))) {
347                 // Decrypt remote public key
348                 sDHRepr := new([32]byte)
349                 var tmp []byte
350                 var err error
351                 if h.Conf.Encless {
352                         tmp, err = EnclessDecode(
353                                 h.dsaPubH,
354                                 h.rNonceNext(1),
355                                 data[:len(data)/2],
356                         )
357                         if err != nil {
358                                 log.Println("Unable to decode packet from", h.addr, err)
359                                 return nil
360                         }
361                         copy(sDHRepr[:], tmp[:32])
362                 } else {
363                         salsa20.XORKeyStream(
364                                 sDHRepr[:],
365                                 data[:32],
366                                 h.rNonceNext(1),
367                                 h.dsaPubH,
368                         )
369                 }
370
371                 // Compute shared key
372                 sDH := new([32]byte)
373                 extra25519.RepresentativeToPublicKey(sDH, sDHRepr)
374                 h.key = dhKeyGen(h.dhPriv, sDH)
375
376                 // Decrypt Rs
377                 h.rServer = new([RSize]byte)
378                 h.sServer = new([SSize]byte)
379                 if h.Conf.Encless {
380                         tmp, err = EnclessDecode(
381                                 h.key,
382                                 h.rNonce[:],
383                                 data[len(data)/2:len(data)-xtea.BlockSize],
384                         )
385                         if err != nil {
386                                 log.Println("Unable to decode packet from", h.addr, err)
387                                 return nil
388                         }
389                         copy(h.rServer[:], tmp[:RSize])
390                         copy(h.sServer[:], tmp[RSize:RSize+SSize])
391                 } else {
392                         decRs := make([]byte, RSize+SSize)
393                         salsa20.XORKeyStream(
394                                 decRs,
395                                 data[SSize:SSize+RSize+SSize],
396                                 h.rNonce[:],
397                                 h.key,
398                         )
399                         copy(h.rServer[:], decRs[:RSize])
400                         copy(h.sServer[:], decRs[RSize:])
401                 }
402
403                 // Generate R* and signature and encrypt them
404                 h.rClient = new([RSize]byte)
405                 if _, err = Rand.Read(h.rClient[:]); err != nil {
406                         log.Fatalln("Error reading random for R:", err)
407                 }
408                 h.sClient = new([SSize]byte)
409                 if _, err = Rand.Read(h.sClient[:]); err != nil {
410                         log.Fatalln("Error reading random for S:", err)
411                 }
412                 sign := ed25519.Sign(h.Conf.DSAPriv, h.key[:])
413
414                 var enc []byte
415                 if h.Conf.Noise {
416                         enc = make([]byte, h.Conf.MTU-xtea.BlockSize)
417                 } else {
418                         enc = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
419                 }
420                 copy(enc, h.rServer[:])
421                 copy(enc[RSize:], h.rClient[:])
422                 copy(enc[RSize+RSize:], h.sClient[:])
423                 copy(enc[RSize+RSize+SSize:], sign[:])
424                 if h.Conf.Encless {
425                         enc, err = EnclessEncode(h.key, h.rNonceNext(1), enc)
426                         if err != nil {
427                                 panic(err)
428                         }
429                 } else {
430                         salsa20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key)
431                 }
432
433                 // Send that to server
434                 h.conn.Write(append(enc, idTag(h.Conf.Id, enc)...))
435                 h.LastPing = time.Now()
436         } else
437         // ENC(K, R+2, RC) + IDtag
438         if h.key != nil && ((!h.Conf.Encless && len(data) >= 16) ||
439                 (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
440                 var err error
441                 // Decrypt rClient
442                 var dec []byte
443                 if h.Conf.Encless {
444                         dec, err = EnclessDecode(
445                                 h.key,
446                                 h.rNonceNext(2),
447                                 data[:len(data)-xtea.BlockSize],
448                         )
449                         if err != nil {
450                                 log.Println("Unable to decode packet from", h.addr, err)
451                                 return nil
452                         }
453                         dec = dec[:RSize]
454                 } else {
455                         dec = make([]byte, RSize)
456                         salsa20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
457                 }
458                 if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
459                         log.Println("Invalid client's random number with", h.addr)
460                         return nil
461                 }
462
463                 // Switch peer
464                 peer := newPeer(
465                         true,
466                         h.addr,
467                         h.conn,
468                         h.Conf,
469                         keyFromSecrets(h.sServer[:], h.sClient[:]),
470                 )
471                 h.LastPing = time.Now()
472                 return peer
473         } else {
474                 log.Println("Invalid handshake stage from", h.addr)
475         }
476         return nil
477 }
Simple secure free software VPN daemon