enc = make([]byte, 32)
}
copy(enc, dhPubRepr[:])
- salsa20.XORKeyStream(enc, enc, state.rNonce[:], state.dsaPubH)
+ if conf.EncLess {
+ var err error
+ enc, err = EncLessEncode(state.dsaPubH, state.rNonce[:], enc)
+ if err != err {
+ panic(err)
+ }
+ } else {
+ salsa20.XORKeyStream(enc, enc, state.rNonce[:], state.dsaPubH)
+ }
data := append(state.rNonce[:], enc...)
data = append(data, idTag(state.Conf.Id, state.rNonce[:])...)
state.conn.Write(data)
// authenticated Peer is ready, then return nil.
func (h *Handshake) Server(data []byte) *Peer {
// R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag
- if h.rNonce == nil && len(data) >= 48 {
- // Generate DH keypair
- var dhPubRepr *[32]byte
- h.dhPriv, dhPubRepr = dhKeypairGen()
-
+ if h.rNonce == nil && ((!h.Conf.EncLess && len(data) >= 48) ||
+ (h.Conf.EncLess && len(data) == EncLessEnlargeSize+MTU)) {
h.rNonce = new([RSize]byte)
copy(h.rNonce[:], data[:RSize])
- // Decrypt remote public key and compute shared key
+ // Decrypt remote public key
cDHRepr := new([32]byte)
- salsa20.XORKeyStream(
- cDHRepr[:],
- data[RSize:RSize+32],
- h.rNonce[:],
- h.dsaPubH,
- )
+ if h.Conf.EncLess {
+ out, err := EncLessDecode(
+ h.dsaPubH,
+ h.rNonce[:],
+ data[RSize:len(data)-xtea.BlockSize],
+ )
+ if err != nil {
+ log.Println("Unable to decode packet from", h.addr, err)
+ return nil
+ }
+ copy(cDHRepr[:], out)
+ } else {
+ salsa20.XORKeyStream(
+ cDHRepr[:],
+ data[RSize:RSize+32],
+ h.rNonce[:],
+ h.dsaPubH,
+ )
+ }
+
+ // Generate DH keypair
+ var dhPubRepr *[32]byte
+ h.dhPriv, dhPubRepr = dhKeypairGen()
+
+ // Compute shared key
cDH := new([32]byte)
extra25519.RepresentativeToPublicKey(cDH, cDHRepr)
h.key = dhKeyGen(h.dhPriv, cDH)
- encPub := make([]byte, 32)
- salsa20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH)
+ var encPub []byte
+ var err error
+ if h.Conf.EncLess {
+ encPub = make([]byte, MTU)
+ copy(encPub, dhPubRepr[:])
+ encPub, err = EncLessEncode(h.dsaPubH, h.rNonceNext(1), encPub)
+ if err != nil {
+ panic(err)
+ }
+ } else {
+ encPub = make([]byte, 32)
+ salsa20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH)
+ }
// Generate R* and encrypt them
h.rServer = new([RSize]byte)
- var err error
if _, err = Rand.Read(h.rServer[:]); err != nil {
log.Fatalln("Error reading random for R:", err)
}
log.Fatalln("Error reading random for S:", err)
}
var encRs []byte
- if h.Conf.Noise {
+ if h.Conf.Noise && !h.Conf.EncLess {
encRs = make([]byte, MTU-len(encPub)-xtea.BlockSize)
+ } else if h.Conf.EncLess {
+ encRs = make([]byte, MTU-xtea.BlockSize)
} else {
encRs = make([]byte, RSize+SSize)
}
copy(encRs, append(h.rServer[:], h.sServer[:]...))
- salsa20.XORKeyStream(encRs, encRs, h.rNonce[:], h.key)
+ if h.Conf.EncLess {
+ encRs, err = EncLessEncode(h.key, h.rNonce[:], encRs)
+ if err != nil {
+ panic(err)
+ }
+ } else {
+ salsa20.XORKeyStream(encRs, encRs, h.rNonce[:], h.key)
+ }
// Send that to client
h.conn.Write(append(encPub, append(encRs, idTag(h.Conf.Id, encPub)...)...))
h.LastPing = time.Now()
} else
// ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag
- if h.rClient == nil && len(data) >= 120 {
- // Decrypted Rs compare rServer
- dec := make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
- salsa20.XORKeyStream(
- dec,
- data[:RSize+RSize+SSize+ed25519.SignatureSize],
- h.rNonceNext(1),
- h.key,
- )
+ if h.rClient == nil && ((!h.Conf.EncLess && len(data) >= 120) ||
+ (h.Conf.EncLess && len(data) == EncLessEnlargeSize+MTU)) {
+ var dec []byte
+ var err error
+ if h.Conf.EncLess {
+ dec, err = EncLessDecode(
+ h.key,
+ h.rNonceNext(1),
+ data[:len(data)-xtea.BlockSize],
+ )
+ if err != nil {
+ log.Println("Unable to decode packet from", h.addr, err)
+ return nil
+ }
+ dec = dec[:RSize+RSize+SSize+ed25519.SignatureSize]
+ } else {
+ dec = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
+ salsa20.XORKeyStream(
+ dec,
+ data[:RSize+RSize+SSize+ed25519.SignatureSize],
+ h.rNonceNext(1),
+ h.key,
+ )
+ }
if subtle.ConstantTimeCompare(dec[:RSize], h.rServer[:]) != 1 {
log.Println("Invalid server's random number with", h.addr)
return nil
enc = make([]byte, RSize)
}
copy(enc, dec[RSize:RSize+RSize])
- salsa20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key)
+ if h.Conf.EncLess {
+ enc, err = EncLessEncode(h.key, h.rNonceNext(2), enc)
+ if err != nil {
+ panic(err)
+ }
+ } else {
+ salsa20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key)
+ }
h.conn.Write(append(enc, idTag(h.Conf.Id, enc)...))
// Switch peer
// authenticated Peer is ready, then return nil.
func (h *Handshake) Client(data []byte) *Peer {
// ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag
- if h.rServer == nil && h.key == nil && len(data) >= 80 {
- // Decrypt remote public key and compute shared key
+ if h.rServer == nil && h.key == nil &&
+ ((!h.Conf.EncLess && len(data) >= 80) ||
+ (h.Conf.EncLess && len(data) == 2*(EncLessEnlargeSize+MTU))) {
+ // Decrypt remote public key
sDHRepr := new([32]byte)
- salsa20.XORKeyStream(sDHRepr[:], data[:32], h.rNonceNext(1), h.dsaPubH)
+ var tmp []byte
+ var err error
+ if h.Conf.EncLess {
+ tmp, err = EncLessDecode(
+ h.dsaPubH,
+ h.rNonceNext(1),
+ data[:len(data)/2],
+ )
+ if err != nil {
+ log.Println("Unable to decode packet from", h.addr, err)
+ return nil
+ }
+ copy(sDHRepr[:], tmp[:32])
+ } else {
+ salsa20.XORKeyStream(
+ sDHRepr[:],
+ data[:32],
+ h.rNonceNext(1),
+ h.dsaPubH,
+ )
+ }
+
+ // Compute shared key
sDH := new([32]byte)
extra25519.RepresentativeToPublicKey(sDH, sDHRepr)
h.key = dhKeyGen(h.dhPriv, sDH)
// Decrypt Rs
- decRs := make([]byte, RSize+SSize)
- salsa20.XORKeyStream(decRs, data[SSize:32+RSize+SSize], h.rNonce[:], h.key)
h.rServer = new([RSize]byte)
- copy(h.rServer[:], decRs[:RSize])
h.sServer = new([SSize]byte)
- copy(h.sServer[:], decRs[RSize:])
+ if h.Conf.EncLess {
+ tmp, err = EncLessDecode(
+ h.key,
+ h.rNonce[:],
+ data[len(data)/2:len(data)-xtea.BlockSize],
+ )
+ if err != nil {
+ log.Println("Unable to decode packet from", h.addr, err)
+ return nil
+ }
+ copy(h.rServer[:], tmp[:RSize])
+ copy(h.sServer[:], tmp[RSize:RSize+SSize])
+ } else {
+ decRs := make([]byte, RSize+SSize)
+ salsa20.XORKeyStream(
+ decRs,
+ data[SSize:SSize+RSize+SSize],
+ h.rNonce[:],
+ h.key,
+ )
+ copy(h.rServer[:], decRs[:RSize])
+ copy(h.sServer[:], decRs[RSize:])
+ }
// Generate R* and signature and encrypt them
h.rClient = new([RSize]byte)
- var err error
if _, err = Rand.Read(h.rClient[:]); err != nil {
log.Fatalln("Error reading random for R:", err)
}
} else {
enc = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
}
- copy(enc,
- append(h.rServer[:],
- append(h.rClient[:],
- append(h.sClient[:], sign[:]...)...)...))
- salsa20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key)
+ copy(enc, h.rServer[:])
+ copy(enc[RSize:], h.rClient[:])
+ copy(enc[RSize+RSize:], h.sClient[:])
+ copy(enc[RSize+RSize+SSize:], sign[:])
+ if h.Conf.EncLess {
+ enc, err = EncLessEncode(h.key, h.rNonceNext(1), enc)
+ if err != nil {
+ panic(err)
+ }
+ } else {
+ salsa20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key)
+ }
// Send that to server
h.conn.Write(append(enc, idTag(h.Conf.Id, enc)...))
h.LastPing = time.Now()
} else
// ENC(K, R+2, RC) + IDtag
- if h.key != nil && len(data) >= 16 {
+ if h.key != nil && ((!h.Conf.EncLess && len(data) >= 16) ||
+ (h.Conf.EncLess && len(data) == EncLessEnlargeSize+MTU)) {
+ var err error
// Decrypt rClient
- dec := make([]byte, RSize)
- salsa20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
+ var dec []byte
+ if h.Conf.EncLess {
+ dec, err = EncLessDecode(
+ h.key,
+ h.rNonceNext(2),
+ data[:len(data)-xtea.BlockSize],
+ )
+ if err != nil {
+ log.Println("Unable to decode packet from", h.addr, err)
+ return nil
+ }
+ dec = dec[:RSize]
+ } else {
+ dec = make([]byte, RSize)
+ salsa20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
+ }
if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
log.Println("Invalid client's random number with", h.addr)
return nil
NoiseEnable bool
CPR int
CPRCycle time.Duration `json:"-"`
+ EncLess bool
// Cryptography related
Key *[SSize]byte `json:"-"`
timeout = timeout / TimeoutHeartbeat
}
+ bufSize := S20BS + MTU + NonceSize
+ if conf.EncLess {
+ bufSize += EncLessEnlargeSize
+ noiseEnable = true
+ }
peer := Peer{
Addr: addr,
Id: conf.Id,
NoiseEnable: noiseEnable,
CPR: conf.CPR,
CPRCycle: cprCycle,
+ EncLess: conf.EncLess,
Key: key,
NonceCipher: newNonceCipher(key),
Established: now,
LastPing: now,
- bufR: make([]byte, S20BS+MTU+NonceSize),
- bufT: make([]byte, S20BS+MTU+NonceSize),
+ bufR: make([]byte, bufSize),
+ bufT: make([]byte, bufSize),
tagR: new([TagSize]byte),
tagT: new([TagSize]byte),
keyAuthR: new([SSize]byte),
p.BusyT.Unlock()
return
}
- p.bufT[S20BS+0] = byte(0)
- p.bufT[S20BS+1] = byte(0)
+ p.bufT[S20BS+0] = 0
+ p.bufT[S20BS+1] = 0
p.HeartbeatSent++
} else {
// Copy payload to our internal buffer and we are ready to
p.BytesPayloadOut += int64(len(data))
}
- if p.NoiseEnable {
+ if p.NoiseEnable && !p.EncLess {
p.frameT = p.bufT[S20BS : S20BS+MTU-TagSize]
+ } else if p.EncLess {
+ p.frameT = p.bufT[S20BS : S20BS+MTU]
} else {
p.frameT = p.bufT[S20BS : S20BS+PktSizeSize+len(data)+NonceSize]
}
p.frameT[len(p.frameT)-NonceSize:],
p.frameT[len(p.frameT)-NonceSize:],
)
- for i := 0; i < SSize; i++ {
- p.bufT[i] = byte(0)
+ var out []byte
+ if p.EncLess {
+ var err error
+ out, err = EncLessEncode(
+ p.Key,
+ p.frameT[len(p.frameT)-NonceSize:],
+ p.frameT[:len(p.frameT)-NonceSize],
+ )
+ if err != nil {
+ panic(err)
+ }
+ out = append(out, p.frameT[len(p.frameT)-NonceSize:]...)
+ } else {
+ for i := 0; i < SSize; i++ {
+ p.bufT[i] = 0
+ }
+ salsa20.XORKeyStream(
+ p.bufT[:S20BS+len(p.frameT)-NonceSize],
+ p.bufT[:S20BS+len(p.frameT)-NonceSize],
+ p.frameT[len(p.frameT)-NonceSize:],
+ p.Key,
+ )
+ copy(p.keyAuthT[:], p.bufT[:SSize])
+ poly1305.Sum(p.tagT, p.frameT, p.keyAuthT)
+ atomic.AddInt64(&p.BytesOut, int64(len(p.frameT)+TagSize))
+ out = append(p.tagT[:], p.frameT...)
}
- salsa20.XORKeyStream(
- p.bufT[:S20BS+len(p.frameT)-NonceSize],
- p.bufT[:S20BS+len(p.frameT)-NonceSize],
- p.frameT[len(p.frameT)-NonceSize:],
- p.Key,
- )
-
- copy(p.keyAuthT[:], p.bufT[:SSize])
- poly1305.Sum(p.tagT, p.frameT, p.keyAuthT)
-
- atomic.AddInt64(&p.BytesOut, int64(len(p.frameT)+TagSize))
p.FramesOut++
if p.CPRCycle != time.Duration(0) {
}
p.LastSent = p.now
- p.Conn.Write(append(p.tagT[:], p.frameT...))
+ p.Conn.Write(out)
p.BusyT.Unlock()
}
if len(data) < MinPktLength {
return false
}
+ var out []byte
p.BusyR.Lock()
- for i := 0; i < SSize; i++ {
- p.bufR[i] = byte(0)
- }
- copy(p.bufR[S20BS:], data[TagSize:])
- salsa20.XORKeyStream(
- p.bufR[:S20BS+len(data)-TagSize-NonceSize],
- p.bufR[:S20BS+len(data)-TagSize-NonceSize],
- data[len(data)-NonceSize:],
- p.Key,
- )
-
- copy(p.keyAuthR[:], p.bufR[:SSize])
- copy(p.tagR[:], data[:TagSize])
- if !poly1305.Verify(p.tagR, data[TagSize:], p.keyAuthR) {
- p.FramesUnauth++
- p.BusyR.Unlock()
- return false
+ if p.EncLess {
+ var err error
+ out, err = EncLessDecode(
+ p.Key,
+ data[len(data)-NonceSize:],
+ data[:len(data)-NonceSize],
+ )
+ if err != nil {
+ p.FramesUnauth++
+ p.BusyR.Unlock()
+ return false
+ }
+ } else {
+ for i := 0; i < SSize; i++ {
+ p.bufR[i] = 0
+ }
+ copy(p.bufR[S20BS:], data[TagSize:])
+ salsa20.XORKeyStream(
+ p.bufR[:S20BS+len(data)-TagSize-NonceSize],
+ p.bufR[:S20BS+len(data)-TagSize-NonceSize],
+ data[len(data)-NonceSize:],
+ p.Key,
+ )
+ copy(p.keyAuthR[:], p.bufR[:SSize])
+ copy(p.tagR[:], data[:TagSize])
+ if !poly1305.Verify(p.tagR, data[TagSize:], p.keyAuthR) {
+ p.FramesUnauth++
+ p.BusyR.Unlock()
+ return false
+ }
+ out = p.bufR[S20BS:]
}
// Check if received nonce is known to us in either of two buckets.
p.FramesIn++
atomic.AddInt64(&p.BytesIn, int64(len(data)))
p.LastPing = time.Now()
- p.pktSizeR = binary.BigEndian.Uint16(p.bufR[S20BS : S20BS+PktSizeSize])
+ p.pktSizeR = binary.BigEndian.Uint16(out[:PktSizeSize])
if p.pktSizeR == 0 {
p.HeartbeatRecv++
return false
}
p.BytesPayloadIn += int64(p.pktSizeR)
- tap.Write(p.bufR[S20BS+PktSizeSize : S20BS+PktSizeSize+p.pktSizeR])
+ tap.Write(out[PktSizeSize : PktSizeSize+p.pktSizeR])
p.BusyR.Unlock()
return true
}