// Server -> Client // - B: server public key // - signature: from server session public key, server name, client session public key func (verify *VerifyServerController) handlePairVerifyStart(in util.Container) (util.Container, error) { verify.step = VerifyStepStartResponse clientPublicKey := in.GetBytes(TagPublicKey) log.Debug.Println("-> A:", hex.EncodeToString(clientPublicKey)) if len(clientPublicKey) != 32 { return nil, errInvalidClientKeyLength } var otherPublicKey [32]byte copy(otherPublicKey[:], clientPublicKey) verify.session.GenerateSharedKeyWithOtherPublicKey(otherPublicKey) verify.session.SetupEncryptionKey([]byte("Pair-Verify-Encrypt-Salt"), []byte("Pair-Verify-Encrypt-Info")) device := verify.context.GetSecuredDevice() var material []byte material = append(material, verify.session.PublicKey[:]...) material = append(material, device.Name()...) material = append(material, clientPublicKey...) signature, err := crypto.ED25519Signature(device.PrivateKey(), material) if err != nil { log.Info.Println(err) return nil, err } // Encrypt encryptedOut := util.NewTLV8Container() encryptedOut.SetString(TagUsername, device.Name()) encryptedOut.SetBytes(TagSignature, signature) encryptedBytes, mac, _ := chacha20poly1305.EncryptAndSeal(verify.session.EncryptionKey[:], []byte("PV-Msg02"), encryptedOut.BytesBuffer().Bytes(), nil) out := util.NewTLV8Container() out.SetByte(TagSequence, verify.step.Byte()) out.SetBytes(TagPublicKey, verify.session.PublicKey[:]) out.SetBytes(TagEncryptedData, append(encryptedBytes, mac[:]...)) log.Debug.Println(" K:", hex.EncodeToString(verify.session.EncryptionKey[:])) log.Debug.Println(" B:", hex.EncodeToString(verify.session.PublicKey[:])) log.Debug.Println(" S:", hex.EncodeToString(verify.session.PrivateKey[:])) log.Debug.Println(" Shared:", hex.EncodeToString(verify.session.SharedKey[:])) log.Debug.Println("<- B:", hex.EncodeToString(out.GetBytes(TagPublicKey))) return out, nil }
// Client -> Server // - A: client public key // - M1: proof // // Server -> client // - M2: proof // or // - auth error func (setup *SetupClientController) handlePairStepVerifyResponse(in util.Container) (util.Container, error) { serverProof := in.GetBytes(TagProof) fmt.Println("-> M2:", hex.EncodeToString(serverProof)) if setup.session.IsServerProofValid(serverProof) == false { return nil, fmt.Errorf("M2 %s is invalid", hex.EncodeToString(serverProof)) } err := setup.session.SetupEncryptionKey([]byte("Pair-Setup-Encrypt-Salt"), []byte("Pair-Setup-Encrypt-Info")) if err != nil { return nil, err } fmt.Println(" K:", hex.EncodeToString(setup.session.EncryptionKey[:])) // 2) Send username, LTPK, signature as encrypted message hash, err := hkdf.Sha512(setup.session.PrivateKey, []byte("Pair-Setup-Controller-Sign-Salt"), []byte("Pair-Setup-Controller-Sign-Info")) var material []byte material = append(material, hash[:]...) material = append(material, setup.client.Name()...) material = append(material, setup.client.PublicKey()...) signature, err := crypto.ED25519Signature(setup.client.PrivateKey(), material) if err != nil { return nil, err } encryptedOut := util.NewTLV8Container() encryptedOut.SetString(TagUsername, setup.client.Name()) encryptedOut.SetBytes(TagPublicKey, []byte(setup.client.PublicKey())) encryptedOut.SetBytes(TagSignature, []byte(signature)) encryptedBytes, tag, err := chacha20poly1305.EncryptAndSeal(setup.session.EncryptionKey[:], []byte("PS-Msg05"), encryptedOut.BytesBuffer().Bytes(), nil) if err != nil { return nil, err } out := util.NewTLV8Container() out.SetByte(TagPairingMethod, 0) out.SetByte(TagSequence, PairStepKeyExchangeRequest.Byte()) out.SetBytes(TagEncryptedData, append(encryptedBytes, tag[:]...)) fmt.Println("<- Encrypted:", hex.EncodeToString(out.GetBytes(TagEncryptedData))) return out, nil }
// Encrypt return the encrypted data by splitting it into packets // [ length (2 bytes)] [ data ] [ auth (16 bytes)] func (s *secureSession) Encrypt(r io.Reader) (io.Reader, error) { packets := packetsFromBytes(r) var buf bytes.Buffer for _, p := range packets { var nonce [8]byte binary.LittleEndian.PutUint64(nonce[:], s.encryptCount) s.encryptCount++ bLength := make([]byte, 2) binary.LittleEndian.PutUint16(bLength, uint16(p.length)) encrypted, mac, err := chacha20poly1305.EncryptAndSeal(s.encryptKey[:], nonce[:], p.value, bLength[:]) if err != nil { return nil, err } buf.Write(bLength[:]) buf.Write(encrypted) buf.Write(mac[:]) } return &buf, nil }
// Server -> Client // - B: server public key // - encrypted message // - username // - signature: from server session public key, server name, client session public key // // Client -> Server // - encrypted message // - username // - signature: from client session public key, server name, server session public key, func (verify *VerifyClientController) handlePairStepVerifyResponse(in util.Container) (util.Container, error) { serverPublicKey := in.GetBytes(TagPublicKey) if len(serverPublicKey) != 32 { return nil, fmt.Errorf("Invalid server public key size %d", len(serverPublicKey)) } var otherPublicKey [32]byte copy(otherPublicKey[:], serverPublicKey) verify.session.GenerateSharedKeyWithOtherPublicKey(otherPublicKey) verify.session.SetupEncryptionKey([]byte("Pair-Verify-Encrypt-Salt"), []byte("Pair-Verify-Encrypt-Info")) fmt.Println("Client") fmt.Println("-> B:", hex.EncodeToString(serverPublicKey)) fmt.Println(" S:", hex.EncodeToString(verify.session.PrivateKey[:])) fmt.Println("Shared:", hex.EncodeToString(verify.session.SharedKey[:])) fmt.Println(" K:", hex.EncodeToString(verify.session.EncryptionKey[:])) // Decrypt data := in.GetBytes(TagEncryptedData) message := data[:(len(data) - 16)] var mac [16]byte copy(mac[:], data[len(message):]) // 16 byte (MAC) decryptedBytes, err := chacha20poly1305.DecryptAndVerify(verify.session.EncryptionKey[:], []byte("PV-Msg02"), message, mac, nil) if err != nil { return nil, err } decryptedIn, err := util.NewTLV8ContainerFromReader(bytes.NewBuffer(decryptedBytes)) if err != nil { return nil, err } username := decryptedIn.GetString(TagUsername) signature := decryptedIn.GetBytes(TagSignature) fmt.Println(" Username:"******" Signature:", hex.EncodeToString(signature)) // Validate signature var material []byte material = append(material, verify.session.OtherPublicKey[:]...) material = append(material, username...) material = append(material, verify.session.PublicKey[:]...) entity := verify.database.EntityWithName(username) if entity == nil { return nil, fmt.Errorf("Server %s is unknown", username) } if len(entity.PublicKey()) == 0 { return nil, fmt.Errorf("No LTPK available for client %s", username) } if crypto.ValidateED25519Signature(entity.PublicKey(), material, signature) == false { return nil, fmt.Errorf("Could not validate signature") } out := util.NewTLV8Container() out.SetByte(TagSequence, VerifyStepFinishRequest.Byte()) encryptedOut := util.NewTLV8Container() encryptedOut.SetString(TagUsername, verify.client.Name()) material = make([]byte, 0) material = append(material, verify.session.PublicKey[:]...) material = append(material, verify.client.Name()...) material = append(material, verify.session.OtherPublicKey[:]...) signature, err = crypto.ED25519Signature(verify.client.PrivateKey(), material) if err != nil { return nil, err } encryptedOut.SetBytes(TagSignature, signature) encryptedBytes, mac, _ := chacha20poly1305.EncryptAndSeal(verify.session.EncryptionKey[:], []byte("PV-Msg03"), encryptedOut.BytesBuffer().Bytes(), nil) out.SetBytes(TagEncryptedData, append(encryptedBytes, mac[:]...)) return out, nil }
// Client -> Server // - encrypted tlv8: entity ltpk, entity name and signature (of H, entity name, ltpk) // - auth tag (mac) // // Server // - Validate signature of encrpyted tlv8 // - Read and store entity ltpk and name // // Server -> Client // - encrpyted tlv8: bridge ltpk, bridge name, signature (of hash, bridge name, ltpk) func (setup *SetupServerController) handleKeyExchange(in util.Container) (util.Container, error) { out := util.NewTLV8Container() setup.step = PairStepKeyExchangeResponse out.SetByte(TagSequence, setup.step.Byte()) data := in.GetBytes(TagEncryptedData) message := data[:(len(data) - 16)] var mac [16]byte copy(mac[:], data[len(message):]) // 16 byte (MAC) log.Debug.Println("-> Message:", hex.EncodeToString(message)) log.Debug.Println("-> MAC:", hex.EncodeToString(mac[:])) decrypted, err := chacha20poly1305.DecryptAndVerify(setup.session.EncryptionKey[:], []byte("PS-Msg05"), message, mac, nil) if err != nil { setup.reset() log.Info.Panic(err) out.SetByte(TagErrCode, ErrCodeUnknown.Byte()) // return error 1 } else { decryptedBuf := bytes.NewBuffer(decrypted) in, err := util.NewTLV8ContainerFromReader(decryptedBuf) if err != nil { return nil, err } username := in.GetString(TagUsername) clientltpk := in.GetBytes(TagPublicKey) signature := in.GetBytes(TagSignature) log.Debug.Println("-> Username:"******"-> ltpk:", hex.EncodeToString(clientltpk)) log.Debug.Println("-> Signature:", hex.EncodeToString(signature)) // Calculate hash `H` hash, _ := hkdf.Sha512(setup.session.PrivateKey, []byte("Pair-Setup-Controller-Sign-Salt"), []byte("Pair-Setup-Controller-Sign-Info")) var material []byte material = append(material, hash[:]...) material = append(material, []byte(username)...) material = append(material, clientltpk...) if crypto.ValidateED25519Signature(clientltpk, material, signature) == false { log.Debug.Println("ed25519 signature is invalid") setup.reset() out.SetByte(TagErrCode, ErrCodeAuthenticationFailed.Byte()) // return error 2 } else { log.Debug.Println("ed25519 signature is valid") // Store entity ltpk and name entity := db.NewEntity(username, clientltpk, nil) setup.database.SaveEntity(entity) log.Debug.Printf("Stored ltpk '%s' for entity '%s'\n", hex.EncodeToString(clientltpk), username) ltpk := setup.device.PublicKey() ltsk := setup.device.PrivateKey() // Send username, ltpk, signature as encrypted message hash, err := hkdf.Sha512(setup.session.PrivateKey, []byte("Pair-Setup-Accessory-Sign-Salt"), []byte("Pair-Setup-Accessory-Sign-Info")) material = make([]byte, 0) material = append(material, hash[:]...) material = append(material, []byte(setup.session.Username)...) material = append(material, ltpk...) signature, err := crypto.ED25519Signature(ltsk, material) if err != nil { log.Info.Panic(err) return nil, err } tlvPairKeyExchange := util.NewTLV8Container() tlvPairKeyExchange.SetBytes(TagUsername, setup.session.Username) tlvPairKeyExchange.SetBytes(TagPublicKey, ltpk) tlvPairKeyExchange.SetBytes(TagSignature, []byte(signature)) log.Debug.Println("<- Username:"******"<- ltpk:", hex.EncodeToString(tlvPairKeyExchange.GetBytes(TagPublicKey))) log.Debug.Println("<- Signature:", hex.EncodeToString(tlvPairKeyExchange.GetBytes(TagSignature))) encrypted, mac, _ := chacha20poly1305.EncryptAndSeal(setup.session.EncryptionKey[:], []byte("PS-Msg06"), tlvPairKeyExchange.BytesBuffer().Bytes(), nil) out.SetByte(TagSequence, PairStepKeyExchangeRequest.Byte()) out.SetBytes(TagEncryptedData, append(encrypted, mac[:]...)) } } return out, nil }