X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=src%2Fgovpn%2Fhandshake.go;h=d9e86352dbde5e26b6a22d40e66859b8908d7e6d;hb=cb53249d78d1a4c175312fbe83bd3127e0067e4c;hp=6c5633c1a59db437bc943ee0ca00afece779b3cb;hpb=933703051138e099c2fde03861278477058c3517;p=govpn.git diff --git a/src/govpn/handshake.go b/src/govpn/handshake.go index 6c5633c..d9e8635 100644 --- a/src/govpn/handshake.go +++ b/src/govpn/handshake.go @@ -27,9 +27,9 @@ import ( "github.com/agl/ed25519" "github.com/agl/ed25519/extra25519" + "github.com/dchest/blake2b" "golang.org/x/crypto/curve25519" "golang.org/x/crypto/salsa20" - "golang.org/x/crypto/salsa20/salsa" "golang.org/x/crypto/xtea" ) @@ -61,11 +61,6 @@ func keyFromSecrets(server, client []byte) *[SSize]byte { return k } -// Apply HSalsa20 function for data. Used to hash public keys. -func HApply(data *[32]byte) { - salsa.HSalsa20(data, new([16]byte), data, &salsa.Sigma) -} - // Zero handshake's memory state func (h *Handshake) Zero() { if h.rNonce != nil { @@ -118,8 +113,8 @@ func dhKeypairGen() (*[32]byte, *[32]byte) { func dhKeyGen(priv, pub *[32]byte) *[32]byte { key := new([32]byte) curve25519.ScalarMult(key, priv, pub) - HApply(key) - return key + hashed := blake2b.Sum256(key[:]) + return &hashed } // Create new handshake state. @@ -132,7 +127,8 @@ func NewHandshake(addr string, conn io.Writer, conf *PeerConf) *Handshake { } state.dsaPubH = new([ed25519.PublicKeySize]byte) copy(state.dsaPubH[:], state.Conf.Verifier.Pub[:]) - HApply(state.dsaPubH) + hashed := blake2b.Sum256(state.dsaPubH[:]) + state.dsaPubH = &hashed return &state } @@ -161,14 +157,14 @@ func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake { } var enc []byte if conf.Noise { - enc = make([]byte, MTU-xtea.BlockSize-RSize) + enc = make([]byte, conf.MTU-xtea.BlockSize-RSize) } else { enc = make([]byte, 32) } copy(enc, dhPubRepr[:]) - if conf.EncLess { + if conf.Encless { var err error - enc, err = EncLessEncode(state.dsaPubH, state.rNonce[:], enc) + enc, err = EnclessEncode(state.dsaPubH, state.rNonce[:], enc) if err != err { panic(err) } @@ -188,15 +184,15 @@ func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake { // authenticated Peer is ready, then return nil. func (h *Handshake) Server(data []byte) *Peer { // R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag - if h.rNonce == nil && ((!h.Conf.EncLess && len(data) >= 48) || - (h.Conf.EncLess && len(data) == EncLessEnlargeSize+MTU)) { + if h.rNonce == nil && ((!h.Conf.Encless && len(data) >= 48) || + (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) { h.rNonce = new([RSize]byte) copy(h.rNonce[:], data[:RSize]) // Decrypt remote public key cDHRepr := new([32]byte) - if h.Conf.EncLess { - out, err := EncLessDecode( + if h.Conf.Encless { + out, err := EnclessDecode( h.dsaPubH, h.rNonce[:], data[RSize:len(data)-xtea.BlockSize], @@ -226,10 +222,10 @@ func (h *Handshake) Server(data []byte) *Peer { var encPub []byte var err error - if h.Conf.EncLess { - encPub = make([]byte, MTU) + if h.Conf.Encless { + encPub = make([]byte, h.Conf.MTU) copy(encPub, dhPubRepr[:]) - encPub, err = EncLessEncode(h.dsaPubH, h.rNonceNext(1), encPub) + encPub, err = EnclessEncode(h.dsaPubH, h.rNonceNext(1), encPub) if err != nil { panic(err) } @@ -248,16 +244,16 @@ func (h *Handshake) Server(data []byte) *Peer { log.Fatalln("Error reading random for S:", err) } var encRs []byte - if h.Conf.Noise && !h.Conf.EncLess { - encRs = make([]byte, MTU-len(encPub)-xtea.BlockSize) - } else if h.Conf.EncLess { - encRs = make([]byte, MTU-xtea.BlockSize) + if h.Conf.Noise && !h.Conf.Encless { + encRs = make([]byte, h.Conf.MTU-len(encPub)-xtea.BlockSize) + } else if h.Conf.Encless { + encRs = make([]byte, h.Conf.MTU-xtea.BlockSize) } else { encRs = make([]byte, RSize+SSize) } copy(encRs, append(h.rServer[:], h.sServer[:]...)) - if h.Conf.EncLess { - encRs, err = EncLessEncode(h.key, h.rNonce[:], encRs) + if h.Conf.Encless { + encRs, err = EnclessEncode(h.key, h.rNonce[:], encRs) if err != nil { panic(err) } @@ -270,12 +266,12 @@ func (h *Handshake) Server(data []byte) *Peer { h.LastPing = time.Now() } else // ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag - if h.rClient == nil && ((!h.Conf.EncLess && len(data) >= 120) || - (h.Conf.EncLess && len(data) == EncLessEnlargeSize+MTU)) { + if h.rClient == nil && ((!h.Conf.Encless && len(data) >= 120) || + (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) { var dec []byte var err error - if h.Conf.EncLess { - dec, err = EncLessDecode( + if h.Conf.Encless { + dec, err = EnclessDecode( h.key, h.rNonceNext(1), data[:len(data)-xtea.BlockSize], @@ -308,13 +304,13 @@ func (h *Handshake) Server(data []byte) *Peer { // Send final answer to client var enc []byte if h.Conf.Noise { - enc = make([]byte, MTU-xtea.BlockSize) + enc = make([]byte, h.Conf.MTU-xtea.BlockSize) } else { enc = make([]byte, RSize) } copy(enc, dec[RSize:RSize+RSize]) - if h.Conf.EncLess { - enc, err = EncLessEncode(h.key, h.rNonceNext(2), enc) + if h.Conf.Encless { + enc, err = EnclessEncode(h.key, h.rNonceNext(2), enc) if err != nil { panic(err) } @@ -346,14 +342,14 @@ func (h *Handshake) Server(data []byte) *Peer { func (h *Handshake) Client(data []byte) *Peer { // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag if h.rServer == nil && h.key == nil && - ((!h.Conf.EncLess && len(data) >= 80) || - (h.Conf.EncLess && len(data) == 2*(EncLessEnlargeSize+MTU))) { + ((!h.Conf.Encless && len(data) >= 80) || + (h.Conf.Encless && len(data) == 2*(EnclessEnlargeSize+h.Conf.MTU))) { // Decrypt remote public key sDHRepr := new([32]byte) var tmp []byte var err error - if h.Conf.EncLess { - tmp, err = EncLessDecode( + if h.Conf.Encless { + tmp, err = EnclessDecode( h.dsaPubH, h.rNonceNext(1), data[:len(data)/2], @@ -380,8 +376,8 @@ func (h *Handshake) Client(data []byte) *Peer { // Decrypt Rs h.rServer = new([RSize]byte) h.sServer = new([SSize]byte) - if h.Conf.EncLess { - tmp, err = EncLessDecode( + if h.Conf.Encless { + tmp, err = EnclessDecode( h.key, h.rNonce[:], data[len(data)/2:len(data)-xtea.BlockSize], @@ -417,7 +413,7 @@ func (h *Handshake) Client(data []byte) *Peer { var enc []byte if h.Conf.Noise { - enc = make([]byte, MTU-xtea.BlockSize) + enc = make([]byte, h.Conf.MTU-xtea.BlockSize) } else { enc = make([]byte, RSize+RSize+SSize+ed25519.SignatureSize) } @@ -425,8 +421,8 @@ func (h *Handshake) Client(data []byte) *Peer { copy(enc[RSize:], h.rClient[:]) copy(enc[RSize+RSize:], h.sClient[:]) copy(enc[RSize+RSize+SSize:], sign[:]) - if h.Conf.EncLess { - enc, err = EncLessEncode(h.key, h.rNonceNext(1), enc) + if h.Conf.Encless { + enc, err = EnclessEncode(h.key, h.rNonceNext(1), enc) if err != nil { panic(err) } @@ -439,13 +435,13 @@ func (h *Handshake) Client(data []byte) *Peer { h.LastPing = time.Now() } else // ENC(K, R+2, RC) + IDtag - if h.key != nil && ((!h.Conf.EncLess && len(data) >= 16) || - (h.Conf.EncLess && len(data) == EncLessEnlargeSize+MTU)) { + if h.key != nil && ((!h.Conf.Encless && len(data) >= 16) || + (h.Conf.Encless && len(data) == EnclessEnlargeSize+h.Conf.MTU)) { var err error // Decrypt rClient var dec []byte - if h.Conf.EncLess { - dec, err = EncLessDecode( + if h.Conf.Encless { + dec, err = EnclessDecode( h.key, h.rNonceNext(2), data[:len(data)-xtea.BlockSize],