X-Git-Url: http://www.git.cypherpunks.ru/?p=govpn.git;a=blobdiff_plain;f=src%2Fcypherpunks.ru%2Fgovpn%2Fhandshake.go;h=054c73e32f3718c7293fb575d91e6ea175a1f09b;hp=4f080eb34647c1494c3b78f6b2e9bdabf082177f;hb=8deaf99f98548064f51a3fe5a163456257c089bb;hpb=96b730405d6c9468e156a5386ca6b25a3bcdd3ec diff --git a/src/cypherpunks.ru/govpn/handshake.go b/src/cypherpunks.ru/govpn/handshake.go index 4f080eb..054c73e 100644 --- a/src/cypherpunks.ru/govpn/handshake.go +++ b/src/cypherpunks.ru/govpn/handshake.go @@ -1,6 +1,6 @@ /* GoVPN -- simple secure free software virtual private network daemon -Copyright (C) 2014-2016 Sergey Matveev +Copyright (C) 2014-2017 Sergey Matveev This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -25,12 +25,11 @@ import ( "log" "time" + "chacha20" "github.com/agl/ed25519" "github.com/agl/ed25519/extra25519" - "github.com/dchest/blake2b" + "golang.org/x/crypto/blake2b" "golang.org/x/crypto/curve25519" - "golang.org/x/crypto/salsa20" - "golang.org/x/crypto/xtea" ) const ( @@ -45,7 +44,7 @@ type Handshake struct { Conf *PeerConf dsaPubH *[ed25519.PublicKeySize]byte key *[32]byte - rNonce *[RSize]byte + rNonce *[16]byte dhPriv *[32]byte // own private DH key rServer *[RSize]byte // random string for authentication rClient *[RSize]byte @@ -89,10 +88,10 @@ func (h *Handshake) Zero() { } } -func (h *Handshake) rNonceNext(count uint64) []byte { - nonce := make([]byte, RSize) - nonceCurrent, _ := binary.Uvarint(h.rNonce[:]) - binary.PutUvarint(nonce, nonceCurrent+count) +func (h *Handshake) rNonceNext(count uint64) *[16]byte { + nonce := new([16]byte) + nonceCurrent, _ := binary.Uvarint(h.rNonce[8:]) + binary.PutUvarint(nonce[8:], nonceCurrent+count) return nonce } @@ -102,7 +101,7 @@ func dhKeypairGen() (*[32]byte, *[32]byte) { repr := new([32]byte) reprFound := false for !reprFound { - if _, err := Rand.Read(priv[:]); err != nil { + if _, err := io.ReadFull(Rand, priv[:]); err != nil { log.Fatalln("Error reading random for DH private key:", err) } reprFound = extra25519.ScalarBaseMult(pub, repr, priv) @@ -134,47 +133,48 @@ func NewHandshake(addr string, conn io.Writer, conf *PeerConf) *Handshake { // Generate ID tag from client identification and data. func idTag(id *PeerId, timeSync int, data []byte) []byte { - ciph, err := xtea.NewCipher(id[:]) + enc := make([]byte, 8) + copy(enc, data) + AddTimeSync(timeSync, enc) + mac, err := blake2b.New256(id[:]) if err != nil { panic(err) } - enc := make([]byte, xtea.BlockSize) - copy(enc, data) - AddTimeSync(timeSync, enc) - ciph.Encrypt(enc, enc) - return enc + mac.Write(enc) + sum := mac.Sum(nil) + return sum[len(sum)-8:] } // Start handshake's procedure from the client. It is the entry point -// for starting the handshake procedure. // First handshake packet -// will be sent immediately. +// for starting the handshake procedure. +// First handshake packet will be sent immediately. func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake { state := NewHandshake(addr, conn, conf) var dhPubRepr *[32]byte state.dhPriv, dhPubRepr = dhKeypairGen() - state.rNonce = new([RSize]byte) - if _, err := Rand.Read(state.rNonce[:]); err != nil { + state.rNonce = new([16]byte) + if _, err := io.ReadFull(Rand, state.rNonce[8:]); err != nil { log.Fatalln("Error reading random for nonce:", err) } var enc []byte if conf.Noise { - enc = make([]byte, conf.MTU-xtea.BlockSize-RSize) + enc = make([]byte, conf.MTU-8-RSize) } else { enc = make([]byte, 32) } copy(enc, dhPubRepr[:]) if conf.Encless { var err error - enc, err = EnclessEncode(state.dsaPubH, state.rNonce[:], enc) + enc, err = EnclessEncode(state.dsaPubH, state.rNonce, enc) if err != err { panic(err) } } else { - salsa20.XORKeyStream(enc, enc, state.rNonce[:], state.dsaPubH) + chacha20.XORKeyStream(enc, enc, state.rNonce, state.dsaPubH) } - data := append(state.rNonce[:], enc...) - data = append(data, idTag(state.Conf.Id, state.Conf.TimeSync, state.rNonce[:])...) + data := append(state.rNonce[8:], enc...) + data = append(data, idTag(state.Conf.Id, state.Conf.TimeSync, state.rNonce[8:])...) state.conn.Write(data) return state } @@ -188,16 +188,16 @@ func (h *Handshake) Server(data []byte) *Peer { // R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag if h.rNonce == nil && ((!h.Conf.Encless && len(data) >= 48) || (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) { - h.rNonce = new([RSize]byte) - copy(h.rNonce[:], data[:RSize]) + h.rNonce = new([16]byte) + copy(h.rNonce[8:], data[:RSize]) // Decrypt remote public key cDHRepr := new([32]byte) if h.Conf.Encless { out, err := EnclessDecode( h.dsaPubH, - h.rNonce[:], - data[RSize:len(data)-xtea.BlockSize], + h.rNonce, + data[RSize:len(data)-8], ) if err != nil { log.Println("Unable to decode packet from", h.addr, err) @@ -205,12 +205,7 @@ func (h *Handshake) Server(data []byte) *Peer { } copy(cDHRepr[:], out) } else { - salsa20.XORKeyStream( - cDHRepr[:], - data[RSize:RSize+32], - h.rNonce[:], - h.dsaPubH, - ) + chacha20.XORKeyStream(cDHRepr[:], data[RSize:RSize+32], h.rNonce, h.dsaPubH) } // Generate DH keypair @@ -233,34 +228,34 @@ func (h *Handshake) Server(data []byte) *Peer { } } else { encPub = make([]byte, 32) - salsa20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH) + chacha20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH) } // Generate R* and encrypt them h.rServer = new([RSize]byte) - if _, err = Rand.Read(h.rServer[:]); err != nil { + if _, err = io.ReadFull(Rand, h.rServer[:]); err != nil { log.Fatalln("Error reading random for R:", err) } h.sServer = new([SSize]byte) - if _, err = Rand.Read(h.sServer[:]); err != nil { + if _, err = io.ReadFull(Rand, h.sServer[:]); err != nil { log.Fatalln("Error reading random for S:", err) } var encRs []byte if h.Conf.Noise && !h.Conf.Encless { - encRs = make([]byte, h.Conf.MTU-len(encPub)-xtea.BlockSize) + encRs = make([]byte, h.Conf.MTU-len(encPub)-8) } else if h.Conf.Encless { - encRs = make([]byte, h.Conf.MTU-xtea.BlockSize) + encRs = make([]byte, h.Conf.MTU-8) } else { encRs = make([]byte, RSize+SSize) } copy(encRs, append(h.rServer[:], h.sServer[:]...)) if h.Conf.Encless { - encRs, err = EnclessEncode(h.key, h.rNonce[:], encRs) + encRs, err = EnclessEncode(h.key, h.rNonce, encRs) if err != nil { panic(err) } } else { - salsa20.XORKeyStream(encRs, encRs, h.rNonce[:], h.key) + chacha20.XORKeyStream(encRs, encRs, h.rNonce, h.key) } // Send that to client @@ -278,7 +273,7 @@ func (h *Handshake) Server(data []byte) *Peer { dec, err = EnclessDecode( h.key, h.rNonceNext(1), - data[:len(data)-xtea.BlockSize], + data[:len(data)-8], ) if err != nil { log.Println("Unable to decode packet from", h.addr, err) @@ -287,7 +282,7 @@ func (h *Handshake) Server(data []byte) *Peer { dec = dec[:RSize+RSize+SSize+ed25519.SignatureSize] } else { dec = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize) - salsa20.XORKeyStream( + chacha20.XORKeyStream( dec, data[:RSize+RSize+SSize+ed25519.SignatureSize], h.rNonceNext(1), @@ -308,7 +303,7 @@ func (h *Handshake) Server(data []byte) *Peer { // Send final answer to client var enc []byte if h.Conf.Noise { - enc = make([]byte, h.Conf.MTU-xtea.BlockSize) + enc = make([]byte, h.Conf.MTU-8) } else { enc = make([]byte, RSize) } @@ -319,7 +314,7 @@ func (h *Handshake) Server(data []byte) *Peer { panic(err) } } else { - salsa20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key) + chacha20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key) } h.conn.Write(append(enc, idTag(h.Conf.Id, h.Conf.TimeSync, enc)...)) @@ -364,12 +359,7 @@ func (h *Handshake) Client(data []byte) *Peer { } copy(sDHRepr[:], tmp[:32]) } else { - salsa20.XORKeyStream( - sDHRepr[:], - data[:32], - h.rNonceNext(1), - h.dsaPubH, - ) + chacha20.XORKeyStream(sDHRepr[:], data[:32], h.rNonceNext(1), h.dsaPubH) } // Compute shared key @@ -381,11 +371,7 @@ func (h *Handshake) Client(data []byte) *Peer { h.rServer = new([RSize]byte) h.sServer = new([SSize]byte) if h.Conf.Encless { - tmp, err = EnclessDecode( - h.key, - h.rNonce[:], - data[len(data)/2:len(data)-xtea.BlockSize], - ) + tmp, err = EnclessDecode(h.key, h.rNonce, data[len(data)/2:len(data)-8]) if err != nil { log.Println("Unable to decode packet from", h.addr, err) return nil @@ -394,30 +380,25 @@ func (h *Handshake) Client(data []byte) *Peer { copy(h.sServer[:], tmp[RSize:RSize+SSize]) } else { decRs := make([]byte, RSize+SSize) - salsa20.XORKeyStream( - decRs, - data[SSize:SSize+RSize+SSize], - h.rNonce[:], - h.key, - ) + chacha20.XORKeyStream(decRs, data[SSize:SSize+RSize+SSize], h.rNonce, h.key) copy(h.rServer[:], decRs[:RSize]) copy(h.sServer[:], decRs[RSize:]) } // Generate R* and signature and encrypt them h.rClient = new([RSize]byte) - if _, err = Rand.Read(h.rClient[:]); err != nil { + if _, err = io.ReadFull(Rand, h.rClient[:]); err != nil { log.Fatalln("Error reading random for R:", err) } h.sClient = new([SSize]byte) - if _, err = Rand.Read(h.sClient[:]); err != nil { + if _, err = io.ReadFull(Rand, h.sClient[:]); err != nil { log.Fatalln("Error reading random for S:", err) } sign := ed25519.Sign(h.Conf.DSAPriv, h.key[:]) var enc []byte if h.Conf.Noise { - enc = make([]byte, h.Conf.MTU-xtea.BlockSize) + enc = make([]byte, h.Conf.MTU-8) } else { enc = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize) } @@ -431,7 +412,7 @@ func (h *Handshake) Client(data []byte) *Peer { panic(err) } } else { - salsa20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key) + chacha20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key) } // Send that to server @@ -445,11 +426,7 @@ func (h *Handshake) Client(data []byte) *Peer { // Decrypt rClient var dec []byte if h.Conf.Encless { - dec, err = EnclessDecode( - h.key, - h.rNonceNext(2), - data[:len(data)-xtea.BlockSize], - ) + dec, err = EnclessDecode(h.key, h.rNonceNext(2), data[:len(data)-8]) if err != nil { log.Println("Unable to decode packet from", h.addr, err) return nil @@ -457,7 +434,7 @@ func (h *Handshake) Client(data []byte) *Peer { dec = dec[:RSize] } else { dec = make([]byte, RSize) - salsa20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key) + chacha20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key) } if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 { log.Println("Invalid client's random number with", h.addr)