/*
GoVPN -- simple secure free software virtual private network daemon
-Copyright (C) 2014-2016 Sergey Matveev <stargrave@stargrave.org>
+Copyright (C) 2014-2018 Sergey Matveev <stargrave@stargrave.org>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
"log"
"time"
+ "chacha20"
"github.com/agl/ed25519"
"github.com/agl/ed25519/extra25519"
- "github.com/dchest/blake2b"
+ "golang.org/x/crypto/blake2b"
"golang.org/x/crypto/curve25519"
- "golang.org/x/crypto/salsa20"
- "golang.org/x/crypto/xtea"
)
const (
Conf *PeerConf
dsaPubH *[ed25519.PublicKeySize]byte
key *[32]byte
- rNonce *[RSize]byte
+ rNonce *[16]byte
dhPriv *[32]byte // own private DH key
rServer *[RSize]byte // random string for authentication
rClient *[RSize]byte
}
}
-func (h *Handshake) rNonceNext(count uint64) []byte {
- nonce := make([]byte, RSize)
- nonceCurrent, _ := binary.Uvarint(h.rNonce[:])
- binary.PutUvarint(nonce, nonceCurrent+count)
+func (h *Handshake) rNonceNext(count uint64) *[16]byte {
+ nonce := new([16]byte)
+ nonceCurrent, _ := binary.Uvarint(h.rNonce[8:])
+ binary.PutUvarint(nonce[8:], nonceCurrent+count)
return nonce
}
}
// Generate ID tag from client identification and data.
-func idTag(id *PeerId, timeSync int, data []byte) []byte {
- ciph, err := xtea.NewCipher(id[:])
+func idTag(id *PeerID, timeSync int, data []byte) []byte {
+ enc := make([]byte, 8)
+ copy(enc, data)
+ AddTimeSync(timeSync, enc)
+ mac, err := blake2b.New256(id[:])
if err != nil {
panic(err)
}
- enc := make([]byte, xtea.BlockSize)
- copy(enc, data)
- AddTimeSync(timeSync, enc)
- ciph.Encrypt(enc, enc)
- return enc
+ mac.Write(enc)
+ sum := mac.Sum(nil)
+ return sum[len(sum)-8:]
}
// Start handshake's procedure from the client. It is the entry point
-// for starting the handshake procedure. // First handshake packet
-// will be sent immediately.
+// for starting the handshake procedure.
+// First handshake packet will be sent immediately.
func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake {
state := NewHandshake(addr, conn, conf)
var dhPubRepr *[32]byte
state.dhPriv, dhPubRepr = dhKeypairGen()
- state.rNonce = new([RSize]byte)
- if _, err := io.ReadFull(Rand, state.rNonce[:]); err != nil {
+ state.rNonce = new([16]byte)
+ if _, err := io.ReadFull(Rand, state.rNonce[8:]); err != nil {
log.Fatalln("Error reading random for nonce:", err)
}
var enc []byte
if conf.Noise {
- enc = make([]byte, conf.MTU-xtea.BlockSize-RSize)
+ enc = make([]byte, conf.MTU-8-RSize)
} else {
enc = make([]byte, 32)
}
copy(enc, dhPubRepr[:])
if conf.Encless {
var err error
- enc, err = EnclessEncode(state.dsaPubH, state.rNonce[:], enc)
+ enc, err = EnclessEncode(state.dsaPubH, state.rNonce, enc)
if err != err {
panic(err)
}
} else {
- salsa20.XORKeyStream(enc, enc, state.rNonce[:], state.dsaPubH)
+ chacha20.XORKeyStream(enc, enc, state.rNonce, state.dsaPubH)
}
- data := append(state.rNonce[:], enc...)
- data = append(data, idTag(state.Conf.Id, state.Conf.TimeSync, state.rNonce[:])...)
+ data := append(state.rNonce[8:], enc...)
+ data = append(data, idTag(state.Conf.ID, state.Conf.TimeSync, state.rNonce[8:])...)
state.conn.Write(data)
return state
}
// R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag
if h.rNonce == nil && ((!h.Conf.Encless && len(data) >= 48) ||
(h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) {
- h.rNonce = new([RSize]byte)
- copy(h.rNonce[:], data[:RSize])
+ h.rNonce = new([16]byte)
+ copy(h.rNonce[8:], data[:RSize])
// Decrypt remote public key
cDHRepr := new([32]byte)
if h.Conf.Encless {
out, err := EnclessDecode(
h.dsaPubH,
- h.rNonce[:],
- data[RSize:len(data)-xtea.BlockSize],
+ h.rNonce,
+ data[RSize:len(data)-8],
)
if err != nil {
log.Println("Unable to decode packet from", h.addr, err)
}
copy(cDHRepr[:], out)
} else {
- salsa20.XORKeyStream(
- cDHRepr[:],
- data[RSize:RSize+32],
- h.rNonce[:],
- h.dsaPubH,
- )
+ chacha20.XORKeyStream(cDHRepr[:], data[RSize:RSize+32], h.rNonce, h.dsaPubH)
}
// Generate DH keypair
}
} else {
encPub = make([]byte, 32)
- salsa20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH)
+ chacha20.XORKeyStream(encPub, dhPubRepr[:], h.rNonceNext(1), h.dsaPubH)
}
// Generate R* and encrypt them
}
var encRs []byte
if h.Conf.Noise && !h.Conf.Encless {
- encRs = make([]byte, h.Conf.MTU-len(encPub)-xtea.BlockSize)
+ encRs = make([]byte, h.Conf.MTU-len(encPub)-8)
} else if h.Conf.Encless {
- encRs = make([]byte, h.Conf.MTU-xtea.BlockSize)
+ encRs = make([]byte, h.Conf.MTU-8)
} else {
encRs = make([]byte, RSize+SSize)
}
copy(encRs, append(h.rServer[:], h.sServer[:]...))
if h.Conf.Encless {
- encRs, err = EnclessEncode(h.key, h.rNonce[:], encRs)
+ encRs, err = EnclessEncode(h.key, h.rNonce, encRs)
if err != nil {
panic(err)
}
} else {
- salsa20.XORKeyStream(encRs, encRs, h.rNonce[:], h.key)
+ chacha20.XORKeyStream(encRs, encRs, h.rNonce, h.key)
}
// Send that to client
h.conn.Write(append(encPub, append(
- encRs, idTag(h.Conf.Id, h.Conf.TimeSync, encPub)...,
+ encRs, idTag(h.Conf.ID, h.Conf.TimeSync, encPub)...,
)...))
h.LastPing = time.Now()
} else
dec, err = EnclessDecode(
h.key,
h.rNonceNext(1),
- data[:len(data)-xtea.BlockSize],
+ data[:len(data)-8],
)
if err != nil {
log.Println("Unable to decode packet from", h.addr, err)
dec = dec[:RSize+RSize+SSize+ed25519.SignatureSize]
} else {
dec = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
- salsa20.XORKeyStream(
+ chacha20.XORKeyStream(
dec,
data[:RSize+RSize+SSize+ed25519.SignatureSize],
h.rNonceNext(1),
// Send final answer to client
var enc []byte
if h.Conf.Noise {
- enc = make([]byte, h.Conf.MTU-xtea.BlockSize)
+ enc = make([]byte, h.Conf.MTU-8)
} else {
enc = make([]byte, RSize)
}
panic(err)
}
} else {
- salsa20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key)
+ chacha20.XORKeyStream(enc, enc, h.rNonceNext(2), h.key)
}
- h.conn.Write(append(enc, idTag(h.Conf.Id, h.Conf.TimeSync, enc)...))
+ h.conn.Write(append(enc, idTag(h.Conf.ID, h.Conf.TimeSync, enc)...))
// Switch peer
peer := newPeer(
}
copy(sDHRepr[:], tmp[:32])
} else {
- salsa20.XORKeyStream(
- sDHRepr[:],
- data[:32],
- h.rNonceNext(1),
- h.dsaPubH,
- )
+ chacha20.XORKeyStream(sDHRepr[:], data[:32], h.rNonceNext(1), h.dsaPubH)
}
// Compute shared key
h.rServer = new([RSize]byte)
h.sServer = new([SSize]byte)
if h.Conf.Encless {
- tmp, err = EnclessDecode(
- h.key,
- h.rNonce[:],
- data[len(data)/2:len(data)-xtea.BlockSize],
- )
+ tmp, err = EnclessDecode(h.key, h.rNonce, data[len(data)/2:len(data)-8])
if err != nil {
log.Println("Unable to decode packet from", h.addr, err)
return nil
copy(h.sServer[:], tmp[RSize:RSize+SSize])
} else {
decRs := make([]byte, RSize+SSize)
- salsa20.XORKeyStream(
- decRs,
- data[SSize:SSize+RSize+SSize],
- h.rNonce[:],
- h.key,
- )
+ chacha20.XORKeyStream(decRs, data[SSize:SSize+RSize+SSize], h.rNonce, h.key)
copy(h.rServer[:], decRs[:RSize])
copy(h.sServer[:], decRs[RSize:])
}
var enc []byte
if h.Conf.Noise {
- enc = make([]byte, h.Conf.MTU-xtea.BlockSize)
+ enc = make([]byte, h.Conf.MTU-8)
} else {
enc = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
}
panic(err)
}
} else {
- salsa20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key)
+ chacha20.XORKeyStream(enc, enc, h.rNonceNext(1), h.key)
}
// Send that to server
- h.conn.Write(append(enc, idTag(h.Conf.Id, h.Conf.TimeSync, enc)...))
+ h.conn.Write(append(enc, idTag(h.Conf.ID, h.Conf.TimeSync, enc)...))
h.LastPing = time.Now()
} else
// ENC(K, R+2, RC) + IDtag
// Decrypt rClient
var dec []byte
if h.Conf.Encless {
- dec, err = EnclessDecode(
- h.key,
- h.rNonceNext(2),
- data[:len(data)-xtea.BlockSize],
- )
+ dec, err = EnclessDecode(h.key, h.rNonceNext(2), data[:len(data)-8])
if err != nil {
log.Println("Unable to decode packet from", h.addr, err)
return nil
dec = dec[:RSize]
} else {
dec = make([]byte, RSize)
- salsa20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
+ chacha20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
}
if subtle.ConstantTimeCompare(dec, h.rClient[:]) != 1 {
log.Println("Invalid client's random number with", h.addr)