"crypto/subtle"
"encoding/binary"
"io"
- "log"
"time"
"chacha20"
+ "github.com/Sirupsen/logrus"
"github.com/agl/ed25519"
"github.com/agl/ed25519/extra25519"
+ "github.com/pkg/errors"
"golang.org/x/crypto/blake2b"
"golang.org/x/crypto/curve25519"
)
RSize = 8
// SSize is size in bytes of shared secret half
SSize = 32
+
+ wrapIDTag = "idTag id:%q timeSync:%d"
)
// Handshake is state of a handshake/negotiation between client and server
sClient *[SSize]byte
}
+// LogFields return a logrus compatible logging context
+func (h *Handshake) LogFields() logrus.Fields {
+ const prefix = "hs_"
+ return logrus.Fields{
+ prefix + "remote": h.addr,
+ prefix + "last_ping": h.LastPing.String(),
+ prefix + "id": h.Conf.ID.String(),
+ }
+}
+
func keyFromSecrets(server, client []byte) *[SSize]byte {
k := new([SSize]byte)
for i := 0; i < SSize; i++ {
return nonce
}
-func dhKeypairGen() (*[32]byte, *[32]byte) {
+func dhKeypairGen() (*[32]byte, *[32]byte, error) {
priv := new([32]byte)
pub := new([32]byte)
repr := new([32]byte)
reprFound := false
for !reprFound {
if _, err := io.ReadFull(Rand, priv[:]); err != nil {
- log.Fatalln("Error reading random for DH private key:", err)
+ return nil, nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
}
reprFound = extra25519.ScalarBaseMult(pub, repr, priv)
}
- return priv, repr
+ return priv, repr, nil
}
func dhKeyGen(priv, pub *[32]byte) *[32]byte {
}
// Generate ID tag from client identification and data.
-func idTag(id *PeerID, timeSync int, data []byte) []byte {
+func idTag(id *PeerID, timeSync int, data []byte) ([]byte, error) {
enc := make([]byte, 8)
copy(enc, data)
AddTimeSync(timeSync, enc)
mac, err := blake2b.New256(id[:])
if err != nil {
- panic(err)
+ return nil, errors.Wrap(err, wrapBlake2bNew256)
+ }
+ if _, err = mac.Write(enc); err != nil {
+ return nil, errors.Wrap(err, "mac.Write")
}
- mac.Write(enc)
sum := mac.Sum(nil)
- return sum[len(sum)-8:]
+ return sum[len(sum)-8:], nil
}
// HandshakeStarts start handshake's procedure from the client.
// It is the entry point for starting the handshake procedure.
// First handshake packet will be sent immediately.
-func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake {
+func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) (*Handshake, error) {
state := NewHandshake(addr, conn, conf)
- var dhPubRepr *[32]byte
- state.dhPriv, dhPubRepr = dhKeypairGen()
+ var (
+ dhPubRepr *[32]byte
+ err error
+ )
+ if state.dhPriv, dhPubRepr, err = dhKeypairGen(); err != nil {
+ return nil, errors.Wrap(err, "dhKeypairGen")
+ }
state.rNonce = new([16]byte)
if _, err := io.ReadFull(Rand, state.rNonce[8:]); err != nil {
- log.Fatalln("Error reading random for nonce:", err)
+ return nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
}
var enc []byte
if conf.Noise {
}
copy(enc, dhPubRepr[:])
if conf.Encless {
- var err error
enc, err = EnclessEncode(state.dsaPubH, state.rNonce, enc)
if err != err {
- panic(err)
+ return nil, errors.Wrap(err, wrapEnclessDecode)
}
} else {
chacha20.XORKeyStream(enc, enc, state.rNonce, state.dsaPubH)
}
+ tag, err := idTag(state.Conf.ID, state.Conf.TimeSync, state.rNonce[8:])
+ if err != nil {
+ return nil, errors.Wrapf(err, wrapIDTag, state.Conf.ID.String(), state.Conf.TimeSync)
+ }
data := append(state.rNonce[8:], enc...)
- data = append(data, idTag(state.Conf.ID, state.Conf.TimeSync, state.rNonce[8:])...)
- state.conn.Write(data)
- return state
+ data = append(data, tag...)
+ if _, err = state.conn.Write(data); err != nil {
+ return nil, errors.Wrap(err, "state.conn.Write")
+ }
+ return state, nil
}
// Server processes handshake message on the server side.
// This function is intended to be called on server's side.
// If this is the final handshake message, then new Peer object
-// will be created and used as a transport. If no mutually
-// authenticated Peer is ready, then return nil.
-func (h *Handshake) Server(data []byte) *Peer {
+// will be created and used as a transport.
+func (h *Handshake) Server(data []byte) (*Peer, error) {
// R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag
if h.rNonce == nil && ((!h.Conf.Encless && len(data) >= 48) ||
(h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
data[RSize:len(data)-8],
)
if err != nil {
- log.Println("Unable to decode packet from", h.addr, err)
- return nil
+ return nil, errors.Wrap(err, wrapEnclessDecode)
}
copy(cDHRepr[:], out)
} else {
// Generate DH keypair
var dhPubRepr *[32]byte
- h.dhPriv, dhPubRepr = dhKeypairGen()
+ var err error
+ if h.dhPriv, dhPubRepr, err = dhKeypairGen(); err != nil {
+ return nil, errors.Wrap(err, "dhKeypairGen")
+ }
// Compute shared key
cDH := new([32]byte)
h.key = dhKeyGen(h.dhPriv, cDH)
var encPub []byte
- var err error
if h.Conf.Encless {
encPub = make([]byte, h.Conf.MTU)
copy(encPub, dhPubRepr[:])
encPub, err = EnclessEncode(h.dsaPubH, h.rNonceNext(1), encPub)
if err != nil {
- panic(err)
+ return nil, errors.Wrap(err, wrapEnclessEncode)
}
} else {
encPub = make([]byte, 32)
// Generate R* and encrypt them
h.rServer = new([RSize]byte)
if _, err = io.ReadFull(Rand, h.rServer[:]); err != nil {
- log.Fatalln("Error reading random for R:", err)
+ return nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
}
h.sServer = new([SSize]byte)
if _, err = io.ReadFull(Rand, h.sServer[:]); err != nil {
- log.Fatalln("Error reading random for S:", err)
+ return nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
}
var encRs []byte
if h.Conf.Noise && !h.Conf.Encless {
if h.Conf.Encless {
encRs, err = EnclessEncode(h.key, h.rNonce, encRs)
if err != nil {
- panic(err)
+ return nil, errors.Wrap(err, wrapEnclessEncode)
}
} else {
chacha20.XORKeyStream(encRs, encRs, h.rNonce, h.key)
}
+ tag, err := idTag(h.Conf.ID, h.Conf.TimeSync, encPub)
+ if err != nil {
+ return nil, errors.Wrapf(err, wrapIDTag, h.Conf.ID.String(), h.Conf.TimeSync)
+ }
+
// Send that to client
- h.conn.Write(append(encPub, append(
- encRs, idTag(h.Conf.ID, h.Conf.TimeSync, encPub)...,
+ _, err = h.conn.Write(append(encPub, append(
+ encRs, tag...,
)...))
+ if err != nil {
+ return nil, errors.Wrap(err, "conn.Write")
+ }
h.LastPing = time.Now()
} else
// ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag
data[:len(data)-8],
)
if err != nil {
- log.Println("Unable to decode packet from", h.addr, err)
- return nil
+ return nil, errors.Wrap(err, wrapEnclessDecode)
}
dec = dec[:RSize+RSize+SSize+ed25519.SignatureSize]
} else {
)
}
if subtle.ConstantTimeCompare(dec[:RSize], h.rServer[:]) != 1 {
- log.Println("Invalid server's random number with", h.addr)
- return nil
+ return nil, errors.New("Invalid server's random number")
}
sign := new([ed25519.SignatureSize]byte)
copy(sign[:], dec[RSize+RSize+SSize:])
if !ed25519.Verify(h.Conf.Verifier.Pub, h.key[:], sign) {
- log.Println("Invalid signature from", h.addr)
- return nil
+ return nil, errors.New("Invalid signature")
}
// Send final answer to client
if h.Conf.Encless {
enc, err = EnclessEncode(h.key, h.rNonceNext(2), enc)
if err != nil {
- panic(err)
+ return nil, errors.Wrap(err, wrapEnclessEncode)
}
} else {
chacha20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key)
}
- h.conn.Write(append(enc, idTag(h.Conf.ID, h.Conf.TimeSync, enc)...))
+ tag, err := idTag(h.Conf.ID, h.Conf.TimeSync, enc)
+ if err != nil {
+ return nil, errors.Wrapf(err, wrapIDTag, h.Conf.ID.String(), h.Conf.TimeSync)
+ }
+ if _, err = h.conn.Write(append(enc, tag...)); err != nil {
+ return nil, errors.Wrap(err, "conn.Write")
+ }
// Switch peer
- peer := newPeer(
+ peer, err := newPeer(
false,
h.addr,
h.conn,
h.Conf,
keyFromSecrets(h.sServer[:], dec[RSize+RSize:RSize+RSize+SSize]))
+ if err != nil {
+ return nil, errors.Wrap(err, "newPeer")
+ }
h.LastPing = time.Now()
- return peer
- } else {
- log.Println("Invalid handshake message from", h.addr)
+ return peer, nil
}
- return nil
+ return nil, nil
}
// Client processes handshake message on the client side.
// If this is the final handshake message, then new Peer object
// will be created and used as a transport. If no mutually
// authenticated Peer is ready, then return nil.
-func (h *Handshake) Client(data []byte) *Peer {
+func (h *Handshake) Client(data []byte) (*Peer, error) {
// ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag
if h.rServer == nil && h.key == nil &&
((!h.Conf.Encless && len(data) >= 80) ||
data[:len(data)/2],
)
if err != nil {
- log.Println("Unable to decode packet from", h.addr, err)
- return nil
+ return nil, errors.Wrap(err, wrapEnclessDecode)
}
copy(sDHRepr[:], tmp[:32])
} else {
if h.Conf.Encless {
tmp, err = EnclessDecode(h.key, h.rNonce, data[len(data)/2:len(data)-8])
if err != nil {
- log.Println("Unable to decode packet from", h.addr, err)
- return nil
+ return nil, errors.Wrap(err, wrapEnclessDecode)
}
copy(h.rServer[:], tmp[:RSize])
copy(h.sServer[:], tmp[RSize:RSize+SSize])
// Generate R* and signature and encrypt them
h.rClient = new([RSize]byte)
if _, err = io.ReadFull(Rand, h.rClient[:]); err != nil {
- log.Fatalln("Error reading random for R:", err)
+ return nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
}
h.sClient = new([SSize]byte)
if _, err = io.ReadFull(Rand, h.sClient[:]); err != nil {
- log.Fatalln("Error reading random for S:", err)
+ return nil, errors.Wrapf(err, wrapIoReadFull, "Rand")
}
sign := ed25519.Sign(h.Conf.DSAPriv, h.key[:])
if h.Conf.Encless {
enc, err = EnclessEncode(h.key, h.rNonceNext(1), enc)
if err != nil {
- panic(err)
+ return nil, errors.Wrap(err, wrapEnclessEncode)
}
} else {
chacha20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key)
}
+ tag, err := idTag(h.Conf.ID, h.Conf.TimeSync, enc)
+ if err != nil {
+ return nil, errors.Wrapf(err, wrapIDTag, h.Conf.ID.String(), h.Conf.TimeSync)
+ }
+
// Send that to server
- h.conn.Write(append(enc, idTag(h.Conf.ID, h.Conf.TimeSync, enc)...))
+ if _, err = h.conn.Write(append(enc, tag...)); err != nil {
+ return nil, errors.Wrap(err, "conn.Write")
+ }
h.LastPing = time.Now()
} else
// ENC(K, R+2, RC) + IDtag
if h.Conf.Encless {
dec, err = EnclessDecode(h.key, h.rNonceNext(2), data[:len(data)-8])
if err != nil {
- log.Println("Unable to decode packet from", h.addr, err)
- return nil
+ return nil, errors.Wrap(err, wrapEnclessDecode)
}
dec = dec[:RSize]
} else {
chacha20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
}
if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
- log.Println("Invalid client's random number with", h.addr)
- return nil
+ return nil, errors.New("Invalid client's random number")
}
// Switch peer
- peer := newPeer(
+ peer, err := newPeer(
true,
h.addr,
h.conn,
h.Conf,
keyFromSecrets(h.sServer[:], h.sClient[:]),
)
+ if err != nil {
+ return nil, errors.Wrap(err, "newPeer")
+ }
h.LastPing = time.Now()
- return peer
- } else {
- log.Println("Invalid handshake stage from", h.addr)
+ return peer, nil
}
- return nil
+
+ // no peer yet, no error
+ return nil, nil
}