2 GoVPN -- simple secure free software virtual private network daemon
3 Copyright (C) 2014-2015 Sergey Matveev <stargrave@stargrave.org>
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
29 "github.com/agl/ed25519"
30 "github.com/agl/ed25519/extra25519"
31 "golang.org/x/crypto/curve25519"
32 "golang.org/x/crypto/salsa20"
33 "golang.org/x/crypto/salsa20/salsa"
34 "golang.org/x/crypto/xtea"
42 type Handshake struct {
46 dsaPubH *[ed25519.PublicKeySize]byte
49 dhPriv *[32]byte // own private DH key
50 rServer *[RSize]byte // random string for authentication
52 sServer *[SSize]byte // secret string for main key calculation
56 func keyFromSecrets(server, client []byte) *[SSize]byte {
58 for i := 0; i < SSize; i++ {
59 k[i] = server[i] ^ client[i]
64 // Apply HSalsa20 function for data. Used to hash public keys.
65 func HApply(data *[32]byte) {
66 salsa.HSalsa20(data, new([16]byte), data, &salsa.Sigma)
69 // Zero handshake's memory state
70 func (h *Handshake) Zero() {
72 sliceZero(h.rNonce[:])
75 sliceZero(h.dhPriv[:])
81 sliceZero(h.dsaPubH[:])
84 sliceZero(h.rServer[:])
87 sliceZero(h.rClient[:])
90 sliceZero(h.sServer[:])
93 sliceZero(h.sClient[:])
97 func (h *Handshake) rNonceNext(count uint64) []byte {
98 nonce := make([]byte, RSize)
99 nonceCurrent, _ := binary.Uvarint(h.rNonce[:])
100 binary.PutUvarint(nonce, nonceCurrent+count)
104 func randRead(b []byte) error {
107 _, err = rand.Read(b)
114 func dhKeypairGen() (*[32]byte, *[32]byte) {
115 priv := new([32]byte)
117 repr := new([32]byte)
120 if err := randRead(priv[:]); err != nil {
121 log.Fatalln("Error reading random for DH private key:", err)
123 reprFound = extra25519.ScalarBaseMult(pub, repr, priv)
128 func dhKeyGen(priv, pub *[32]byte) *[32]byte {
130 curve25519.ScalarMult(key, priv, pub)
135 // Create new handshake state.
136 func HandshakeNew(addr *net.UDPAddr, conf *PeerConf) *Handshake {
139 LastPing: time.Now(),
142 state.dsaPubH = new([ed25519.PublicKeySize]byte)
143 copy(state.dsaPubH[:], state.Conf.DSAPub[:])
144 HApply(state.dsaPubH)
148 // Generate ID tag from client identification and data.
149 func idTag(id *PeerId, data []byte) []byte {
150 ciph, err := xtea.NewCipher(id[:])
154 enc := make([]byte, xtea.BlockSize)
155 ciph.Encrypt(enc, data[:xtea.BlockSize])
159 // Start handshake's procedure from the client. It is the entry point
160 // for starting the handshake procedure. You have to specify outgoing
161 // conn address, remote's addr address, our own peer configuration.
162 // First handshake packet will be sent immediately.
163 func HandshakeStart(conf *PeerConf, conn *net.UDPConn, addr *net.UDPAddr) *Handshake {
164 state := HandshakeNew(addr, conf)
166 var dhPubRepr *[32]byte
167 state.dhPriv, dhPubRepr = dhKeypairGen()
169 state.rNonce = new([RSize]byte)
170 if err := randRead(state.rNonce[:]); err != nil {
171 log.Fatalln("Error reading random for nonce:", err)
173 enc := make([]byte, 32)
174 salsa20.XORKeyStream(enc, dhPubRepr[:], state.rNonce[:], state.dsaPubH)
175 data := append(state.rNonce[:], enc...)
176 data = append(data, idTag(state.Conf.Id, state.rNonce[:])...)
177 conn.WriteToUDP(data, addr)
181 // Process handshake message on the server side.
182 // This function is intended to be called on server's side.
183 // Our outgoing conn connection and received data are required.
184 // If this is the final handshake message, then new Peer object
185 // will be created and used as a transport. If no mutually
186 // authenticated Peer is ready, then return nil.
187 func (h *Handshake) Server(conn *net.UDPConn, data []byte) *Peer {
188 // R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag
189 if len(data) == 48 && h.rNonce == nil {
190 // Generate DH keypair
191 var dhPubRepr *[32]byte
192 h.dhPriv, dhPubRepr = dhKeypairGen()
194 h.rNonce = new([RSize]byte)
195 copy(h.rNonce[:], data[:RSize])
197 // Decrypt remote public key and compute shared key
198 cDHRepr := new([32]byte)
199 salsa20.XORKeyStream(
201 data[RSize:RSize+32],
206 extra25519.RepresentativeToPublicKey(cDH, cDHRepr)
207 h.key = dhKeyGen(h.dhPriv, cDH)
209 encPub := make([]byte, 32)
210 salsa20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH)
212 // Generate R* and encrypt them
213 h.rServer = new([RSize]byte)
214 if err := randRead(h.rServer[:]); err != nil {
215 log.Fatalln("Error reading random for R:", err)
217 h.sServer = new([SSize]byte)
218 if err := randRead(h.sServer[:]); err != nil {
219 log.Fatalln("Error reading random for S:", err)
221 encRs := make([]byte, RSize+SSize)
222 salsa20.XORKeyStream(encRs, append(h.rServer[:], h.sServer[:]...), h.rNonce[:], h.key)
224 // Send that to client
225 conn.WriteToUDP(append(encPub, append(encRs, idTag(h.Conf.Id, encPub)...)...), h.addr)
226 h.LastPing = time.Now()
228 // ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag
229 if len(data) == 120 && h.rClient == nil {
230 // Decrypted Rs compare rServer
231 dec := make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
232 salsa20.XORKeyStream(
234 data[:RSize+RSize+SSize+ed25519.SignatureSize],
238 if subtle.ConstantTimeCompare(dec[:RSize], h.rServer[:]) != 1 {
239 log.Println("Invalid server's random number with", h.addr)
242 sign := new([ed25519.SignatureSize]byte)
243 copy(sign[:], dec[RSize+RSize+SSize:])
244 if !ed25519.Verify(h.Conf.DSAPub, h.key[:], sign) {
245 log.Println("Invalid signature from", h.addr)
249 // Send final answer to client
250 enc := make([]byte, RSize)
251 salsa20.XORKeyStream(enc, dec[RSize:RSize+RSize], h.rNonceNext(2), h.key)
252 conn.WriteToUDP(append(enc, idTag(h.Conf.Id, enc)...), h.addr)
259 keyFromSecrets(h.sServer[:], dec[RSize+RSize:RSize+RSize+SSize]))
260 h.LastPing = time.Now()
263 log.Println("Invalid handshake message from", h.addr)
268 // Process handshake message on the client side.
269 // This function is intended to be called on client's side.
270 // Our outgoing conn connection, authentication
271 // key and received data are required.
272 // If this is the final handshake message, then new Peer object
273 // will be created and used as a transport. If no mutually
274 // authenticated Peer is ready, then return nil.
275 func (h *Handshake) Client(conn *net.UDPConn, data []byte) *Peer {
277 case 80: // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag
279 log.Println("Invalid handshake stage from", h.addr)
283 // Decrypt remote public key and compute shared key
284 sDHRepr := new([32]byte)
285 salsa20.XORKeyStream(sDHRepr[:], data[:32], h.rNonceNext(1), h.dsaPubH)
287 extra25519.RepresentativeToPublicKey(sDH, sDHRepr)
288 h.key = dhKeyGen(h.dhPriv, sDH)
291 decRs := make([]byte, RSize+SSize)
292 salsa20.XORKeyStream(decRs, data[SSize:32+RSize+SSize], h.rNonce[:], h.key)
293 h.rServer = new([RSize]byte)
294 copy(h.rServer[:], decRs[:RSize])
295 h.sServer = new([SSize]byte)
296 copy(h.sServer[:], decRs[RSize:])
298 // Generate R* and signature and encrypt them
299 h.rClient = new([RSize]byte)
300 if err := randRead(h.rClient[:]); err != nil {
301 log.Fatalln("Error reading random for R:", err)
303 h.sClient = new([SSize]byte)
304 if err := randRead(h.sClient[:]); err != nil {
305 log.Fatalln("Error reading random for S:", err)
307 sign := ed25519.Sign(h.Conf.DSAPriv, h.key[:])
309 enc := make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
310 salsa20.XORKeyStream(enc,
313 append(h.sClient[:], sign[:]...)...)...), h.rNonceNext(1), h.key)
315 // Send that to server
316 conn.WriteToUDP(append(enc, idTag(h.Conf.Id, enc)...), h.addr)
317 h.LastPing = time.Now()
318 case 16: // ENC(K, R+2, RC) + IDtag
320 log.Println("Invalid handshake stage from", h.addr)
325 dec := make([]byte, RSize)
326 salsa20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
327 if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
328 log.Println("Invalid client's random number with", h.addr)
333 peer := newPeer(h.addr, h.Conf, 1, keyFromSecrets(h.sServer[:], h.sClient[:]))
334 h.LastPing = time.Now()
337 log.Println("Invalid handshake message from", h.addr)