INSTALL | 6 +-----
NEWS | 52 +---------------------------------------------------
README | 17 +++++++++--------
THANKS | 6 +-----
TODO | 4 ----
VERSION | 2 +-
cmd/govpn-client/main.go | 42 +++++++++++++++++++++++++++++-------------
cmd/govpn-server/main.go | 26 +++++++++++++++-----------
cmd/govpn-verifier/main.go | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
common.go | 31 ++++++-------------------------
doc/bugs.texi => doc/contacts.texi | 6 +++---
doc/client.texi | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++
doc/cpr.texi | 10 ++++++++++
doc/developer.texi | 14 ++++++++++----
doc/download.texi | 10 ++++++++--
doc/example.texi | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++
doc/govpn.texi | 29 +++++++++++++++--------------
doc/handshake.texi | 100 ++++++++++++++++++++++++++++++++++++++---------------
doc/handshake.txt | 17 +++++++++--------
doc/identity.texi | 6 ++++++
doc/installation.texi | 20 ++++++++++++++++----
doc/keywords.texi | 12 ++++++++++++
doc/mtu.texi | 12 ++++++++++++
doc/news.texi | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++++
doc/noise.texi | 13 +++++++++++++
doc/noncediff.texi | 17 +++++++++++++++++
doc/overview.texi | 91 ++++++++++++++++++++++++++++++-----------------------
doc/pake.texi | 30 ++++++++++++++++++++++++++++++
doc/precautions.texi | 5 +++++
doc/server.texi | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++
doc/stats.texi | 36 ++++++++++++++++++++++++++++++++++++
doc/thanks.texi | 19 +++++++++++++++++++
doc/timeout.texi | 14 ++++++++++++++
doc/transport.texi | 8 ++++++--
doc/user.texi | 164 +++++++++--------------------------------------------
doc/verifier.texi | 29 +++++++++++++++++++++++++++++
doc/verifierstruct.texi | 16 ++++++++++++++++
handshake.go | 176 +++++++++++++++++++++++++++++++----------------------
identify.go | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++---
makefile | 12 ++++++++++--
tap.go | 19 +++++++++++++------
transport.go | 197 ++++++++++++++++++++++++++++++++++-------------------
transport_test.go | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++
utils/newclient.sh | 8 ++++----
utils/storekey.sh | 19 +++++++++++++++++++
verifier.go | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/INSTALL b/INSTALL
old mode 100644
new mode 120000
index 0f2864b4104f041410be1f90e3c52231848bcbd1..09eda899cc0e1df858c1185a925f9d800aadc642
--- a/INSTALL
+++ b/INSTALL
@@ -1,5 +1 @@
-GoVPN is a program written on Go programming language. If you have set
-up $GOPATH environment properly, then simple "make all" should build
-govpn-client and govpn-server executable binaries.
-
-For details see either doc/govpn.info or doc/installation.texi.
+doc/installation.texi
\ No newline at end of file
diff --git a/NEWS b/NEWS
old mode 100644
new mode 120000
index 4bf946c8d21151a65b851251f90a25cf776fe1b0..8be52e420232a063e15ad94bdb5c9e3575056fe7
--- a/NEWS
+++ b/NEWS
@@ -1,51 +1 @@
-Release 2.4
------------
-* Added ability to optionally run built-in HTTP-server responding with
- JSON of all known connected peers information. Real-time client's
- statistics
-* Documentation is explicitly licensed under GNU FDL 1.3+
-
-Release 2.3
------------
-* Handshake packets became indistinguishable from the random.
- Now all GoVPN's traffic is the noise for men in the middle.
-* Handshake messages are smaller (16% traffic reduce).
-* Adversary now can not create malicious fake handshake packets that
- will force server to generate private DH key, preventing entropy
- consuming and resource heavy computations.
-
-Release 2.2
------------
-* Fixed several possible channel deadlocks.
-
-Release 2.1
------------
-* Fixed Linux-related building.
-
-Release 2.0
------------
-* Added clients identification.
-* Simultaneous several clients support by server.
-* Per-client up/down scripts.
-
-Release 1.5
------------
-* Nonce obfuscation/encryption.
-
-Release 1.4
------------
-* Performance optimizations.
-
-Release 1.3
------------
-* Heartbeat feature.
-* Rehandshake feature.
-* up- and down- optinal scripts.
-
-Release 1.1
------------
-* FreeBSD support.
-
-Release 1.0
------------
-* Initial stable release.
+doc/news.texi
\ No newline at end of file
diff --git a/README b/README
index a47dd94a7222f6b938ea7593a3cb5e73cb3f26d1..7fdd2e87e8c1d227e5a84bad6476aac5cabed460 100644
--- a/README
+++ b/README
@@ -1,10 +1,13 @@
GoVPN is simple secure free software virtual private network daemon,
-written on Go programming language. It uses Diffie-Hellman Encrypted Key
-Exchange (DH-EKE) for mutual zero-knowledge peers authentication and
-authenticated encrypted data transport. Other features include:
-IPv4/IPv6, rehandshake, heartbeat, pre-shared authentication keys (PSK),
-perfect forward secrecy (PFS), replay attack protection, JSON real-time
-statistics. GNU/Linux and FreeBSD support.
+aimed to be reviewable, secure, DPI-resistant, written on Go.
+
+It uses fast PAKE DH A-EKE for mutual strong zero-knowledge peers
+authentication. Data transport is encrypted, authenticated, hides
+message's length and timestamp. PFS property, resistance to dictionary
+attacks, replay attacks. Built-in heartbeating, rehandshaking, real-time
+statistics, IPv4/IPv6-compatibility. GNU/Linux and FreeBSD support.
+
+GoVPN is free software: see the file COPYING for copying conditions.
Home page: http://www.cypherpunks.ru/govpn/
also available as Tor hidden service: http://vabu56j2ep2rwv3b.onion/govpn/
@@ -18,7 +21,5 @@ subject "subscribe" to govpn-devel-request@lists.cypherpunks.ru.
Development Git source code repository currently is located here:
https://github.com/stargrave/govpn.git
-
-GoVPN is free software: see the file COPYING for copying conditions.
For futher information please read either doc/govpn.info or doc/govpn.texi.
diff --git a/THANKS b/THANKS
old mode 100644
new mode 120000
index c3172540fc02720b546f74b709d9bf650c4bccf0..7862103b6ce3dcb94d50a3a99cf56a073679a89e
--- a/THANKS
+++ b/THANKS
@@ -1,5 +1 @@
-* Applied Cryptography (C) 1996 Bruce Schneier
-* http://grouper.ieee.org/groups/1363/passwdPK/contributions/jablon.pdf
-* http://cr.yp.to/ecdh.html
-* http://cr.yp.to/snuffle.html
-* http://cr.yp.to/mac.html
+doc/thanks.texi
\ No newline at end of file
diff --git a/TODO b/TODO
index 63d6ef3c18755c3023c77845ad5ec731d2e0afbf..a2043caacde4e0a934049ddc1a15beca7921bbca 100644
--- a/TODO
+++ b/TODO
@@ -1,6 +1,2 @@
* Increase performance
-* Implement rate-control
-* Probably implement alternative Secure Remote Password protocol to allow
- human memorized passphrases to be used
* Randomize ports usage
-* Fragmentize packets, noise the traffic
diff --git a/VERSION b/VERSION
index 6b4950e3de2f6c99801a4f5e2ffa01669f358572..9f55b2ccb5f234fc6b87ada62389a3d73815d0d1 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4
+3.0
diff --git a/cmd/govpn-client/main.go b/cmd/govpn-client/main.go
index b5f86f9657a0fae84ff5b7336d2f5a8f630cf00a..f49edf8de8c05be0a87c7633e18aaace92e5eeea 100644
--- a/cmd/govpn-client/main.go
+++ b/cmd/govpn-client/main.go
@@ -16,7 +16,7 @@ You should have received a copy of the GNU General Public License
along with this program. If not, see .
*/
-// Simple secure free software virtual private network daemon.
+// Simple secure free software virtual private network daemon client.
package main
import (
@@ -25,6 +25,7 @@ "log"
"net"
"os"
"os/signal"
+ "time"
"govpn"
)
@@ -33,13 +34,15 @@ var (
remoteAddr = flag.String("remote", "", "Remote server address")
ifaceName = flag.String("iface", "tap0", "TAP network interface")
IDRaw = flag.String("id", "", "Client identification")
- keyPath = flag.String("key", "", "Path to authentication key file")
+ keyPath = flag.String("key", "", "Path to passphrase file")
upPath = flag.String("up", "", "Path to up-script")
downPath = flag.String("down", "", "Path to down-script")
stats = flag.String("stats", "", "Enable stats retrieving on host:port")
- mtu = flag.Int("mtu", 1500, "MTU")
+ mtu = flag.Int("mtu", 1452, "MTU for outgoing packets")
nonceDiff = flag.Int("noncediff", 1, "Allow nonce difference")
timeoutP = flag.Int("timeout", 60, "Timeout seconds")
+ noisy = flag.Bool("noise", false, "Enable noise appending")
+ cpr = flag.Int("cpr", 0, "Enable constant KiB/sec out traffic rate")
)
func main() {
@@ -49,16 +52,24 @@ var err error
log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile)
govpn.MTU = *mtu
- govpn.Timeout = timeout
- govpn.Noncediff = *nonceDiff
id := govpn.IDDecode(*IDRaw)
- govpn.PeersInitDummy(id)
- key := govpn.KeyRead(*keyPath)
if id == nil {
panic("ID is not specified")
}
+ pub, priv := govpn.NewVerifier(id, govpn.StringFromFile(*keyPath))
+ conf := &govpn.PeerConf{
+ Id: id,
+ Timeout: time.Second * time.Duration(timeout),
+ Noncediff: *nonceDiff,
+ NoiseEnable: *noisy,
+ CPR: *cpr,
+ DSAPub: pub,
+ DSAPriv: priv,
+ }
+ govpn.PeersInitDummy(id, conf)
+
bind, err := net.ResolveUDPAddr("udp", "0.0.0.0:0")
if err != nil {
panic(err)
@@ -72,7 +83,11 @@ if err != nil {
panic(err)
}
- tap, ethSink, ethReady, _, err := govpn.TAPListen(*ifaceName)
+ tap, ethSink, ethReady, _, err := govpn.TAPListen(
+ *ifaceName,
+ time.Second*time.Duration(timeout),
+ *cpr,
+ )
if err != nil {
panic(err)
}
@@ -82,11 +97,12 @@ timeouts := 0
firstUpCall := true
var peer *govpn.Peer
var ethPkt []byte
- var udpPkt *govpn.UDPPkt
+ var udpPkt govpn.UDPPkt
var udpPktData []byte
knownPeers := govpn.KnownPeers(map[string]**govpn.Peer{remote.String(): &peer})
log.Println(govpn.VersionGet())
+ log.Println("Max MTU on TAP interface:", govpn.TAPMaxMTU())
if *stats != "" {
log.Println("Stats are going to listen on", *stats)
statsPort, err := net.Listen("tcp", *stats)
@@ -100,14 +116,14 @@ termSignal := make(chan os.Signal, 1)
signal.Notify(termSignal, os.Interrupt, os.Kill)
log.Println("Starting handshake")
- handshake := govpn.HandshakeStart(conn, remote, id, key)
+ handshake := govpn.HandshakeStart(conf, conn, remote)
MainCycle:
for {
if peer != nil && (peer.BytesIn+peer.BytesOut) > govpn.MaxBytesPerKey {
peer.Zero()
peer = nil
- handshake = govpn.HandshakeStart(conn, remote, id, key)
+ handshake = govpn.HandshakeStart(conf, conn, remote)
log.Println("Rehandshaking")
}
select {
@@ -126,7 +142,7 @@ timeouts++
if timeouts >= timeout {
break MainCycle
}
- if udpPkt == nil {
+ if udpPkt.Addr == nil {
udpReady <- struct{}{}
continue
}
@@ -143,7 +159,7 @@ log.Println("Invalid identity in handshake packet")
udpReady <- struct{}{}
continue
}
- if p := handshake.Client(id, conn, key, udpPktData); p != nil {
+ if p := handshake.Client(conn, udpPktData); p != nil {
log.Println("Handshake completed")
if firstUpCall {
go govpn.ScriptCall(*upPath, *ifaceName)
diff --git a/cmd/govpn-server/main.go b/cmd/govpn-server/main.go
index 2761d340a1b85b032731c31f9982675d225771a8..8aa26ec83bdb8878766fd28efd96c06f6a6e9d98 100644
--- a/cmd/govpn-server/main.go
+++ b/cmd/govpn-server/main.go
@@ -36,9 +36,7 @@ var (
bindAddr = flag.String("bind", "[::]:1194", "Bind to address")
peersPath = flag.String("peers", "peers", "Path to peers keys directory")
stats = flag.String("stats", "", "Enable stats retrieving on host:port")
- mtu = flag.Int("mtu", 1500, "MTU")
- nonceDiff = flag.Int("noncediff", 1, "Allow nonce difference")
- timeoutP = flag.Int("timeout", 60, "Timeout seconds")
+ mtu = flag.Int("mtu", 1452, "MTU for outgoing packets")
)
type PeerReadyEvent struct {
@@ -55,7 +53,7 @@ terminate chan struct{}
}
func NewPeerState(peer *govpn.Peer, iface string) *PeerState {
- tap, sink, ready, terminate, err := govpn.TAPListen(iface)
+ tap, sink, ready, terminate, err := govpn.TAPListen(iface, peer.Timeout, peer.CPR)
if err != nil {
log.Println("Unable to create Eth", err)
return nil
@@ -78,13 +76,11 @@ }
func main() {
flag.Parse()
- timeout := time.Second * time.Duration(*timeoutP)
+ timeout := time.Second * time.Duration(govpn.TimeoutDefault)
var err error
log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile)
govpn.MTU = *mtu
- govpn.Timeout = *timeoutP
- govpn.Noncediff = *nonceDiff
govpn.PeersInit(*peersPath)
bind, err := net.ResolveUDPAddr("udp", *bindAddr)
@@ -113,14 +109,16 @@ peers := make(map[string]*PeerState)
peerReadySink := make(chan PeerReadyEvent)
knownPeers := govpn.KnownPeers(make(map[string]**govpn.Peer))
var peerReady PeerReadyEvent
- var udpPkt *govpn.UDPPkt
+ var udpPkt govpn.UDPPkt
var udpPktData []byte
var ethEvent EthEvent
var peerId *govpn.PeerId
+ var peerConf *govpn.PeerConf
var handshakeProcessForce bool
ethSink := make(chan EthEvent)
log.Println(govpn.VersionGet())
+ log.Println("Max MTU on TAP interface:", govpn.TAPMaxMTU())
if *stats != "" {
log.Println("Stats are going to listen on", *stats)
statsPort, err := net.Listen("tcp", *stats)
@@ -196,7 +194,7 @@ continue
}
ethEvent.peer.EthProcess(ethEvent.data, conn, ethEvent.ready)
case udpPkt = <-udpSink:
- if udpPkt == nil {
+ if udpPkt.Addr == nil {
udpReady <- struct{}{}
continue
}
@@ -211,12 +209,18 @@ log.Println("Unknown identity from", addr)
udpReady <- struct{}{}
continue
}
+ peerConf = peerId.Conf()
+ if peerConf == nil {
+ log.Println("Can not get peer configuration", peerId.String())
+ udpReady <- struct{}{}
+ continue
+ }
state, exists = states[addr]
if !exists {
- state = govpn.HandshakeNew(udpPkt.Addr)
+ state = govpn.HandshakeNew(udpPkt.Addr, peerConf)
states[addr] = state
}
- peer = state.Server(peerId, conn, udpPktData)
+ peer = state.Server(conn, udpPktData)
if peer != nil {
log.Println("Peer handshake finished", peer)
if _, exists = peers[addr]; exists {
diff --git a/cmd/govpn-verifier/main.go b/cmd/govpn-verifier/main.go
new file mode 100644
index 0000000000000000000000000000000000000000..e7cc0e9ec4a3ecf1c211298480523ca523a314e5
--- /dev/null
+++ b/cmd/govpn-verifier/main.go
@@ -0,0 +1,53 @@
+/*
+GoVPN -- simple secure free software virtual private network daemon
+Copyright (C) 2014-2015 Sergey Matveev
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
+*/
+
+// Verifier generator and validator for GoVPN VPN daemon.
+package main
+
+import (
+ "crypto/subtle"
+ "encoding/hex"
+ "flag"
+ "fmt"
+
+ "govpn"
+)
+
+var (
+ IDRaw = flag.String("id", "", "Client identification")
+ keyPath = flag.String("key", "", "Path to passphrase file")
+ verifierPath = flag.String("verifier", "", "Optional path to verifier")
+)
+
+func main() {
+ flag.Parse()
+ id := govpn.IDDecode(*IDRaw)
+ if id == nil {
+ panic("ID is not specified")
+ }
+ pub, _ := govpn.NewVerifier(id, govpn.StringFromFile(*keyPath))
+ if *verifierPath == "" {
+ fmt.Println(hex.EncodeToString(pub[:]))
+ } else {
+ verifier, err := hex.DecodeString(govpn.StringFromFile(*verifierPath))
+ if err != nil {
+ panic("Can not decode verifier")
+ }
+ fmt.Println(subtle.ConstantTimeCompare(verifier[:], pub[:]) == 1)
+ }
+}
diff --git a/common.go b/common.go
index 7eb40600c9fc0a868af4de56b26727a83b228736..fbafd56ab680de6afc61eb50f41890e1ed1babfc 100644
--- a/common.go
+++ b/common.go
@@ -19,19 +19,19 @@
package govpn
import (
- "encoding/hex"
- "io/ioutil"
"log"
"os"
"os/exec"
"runtime"
+)
+
+const (
+ TimeoutDefault = 60
)
var (
- MTU int
- Timeout int
- Noncediff int
- Version string
+ MTU int
+ Version string
)
// Call external program/script.
@@ -50,25 +50,6 @@ if err != nil {
log.Println("Script error", path, err, string(out))
}
return out, err
-}
-
-// Read authentication key from the file.
-// Key is 64 hexadecimal chars long.
-func KeyRead(path string) *[KeySize]byte {
- keyData, err := ioutil.ReadFile(path)
- if err != nil {
- panic("Unable to read keyfile: " + err.Error())
- }
- if len(keyData) < 64 {
- panic("Key must be 64 hex characters long")
- }
- keyDecoded, err := hex.DecodeString(string(keyData[0:64]))
- if err != nil {
- panic("Unable to decode the key: " + err.Error())
- }
- key := new([KeySize]byte)
- copy(key[:], keyDecoded)
- return key
}
// Zero each byte
diff --git a/doc/bugs.texi b/doc/contacts.texi
rename from doc/bugs.texi
rename to doc/contacts.texi
index b81e6b5022d7afa09dad046bfcc0080f726aace7..9acdbf071f532c4a2938689b974b8e50ce92d0ac 100644
--- a/doc/bugs.texi
+++ b/doc/contacts.texi
@@ -1,9 +1,9 @@
-@node Reporting bugs
-@unnumbered Reporting bugs
+@node Contacts
+@unnumbered Contacts
Please send all questions, bug reports and patches to to
@email{govpn-devel@@lists.cypherpunks.ru} mailing list.
-Also it is used for announcements.
+Announcements go to this mailing list too.
Either visit @url{https://lists.cypherpunks.ru/mailman/listinfo/govpn-devel}
for information about subscription options and archived messages access, or
diff --git a/doc/client.texi b/doc/client.texi
new file mode 100644
index 0000000000000000000000000000000000000000..dfee4f19b68f9dc3c4c8f56490b0e1ca278c17a6
--- /dev/null
+++ b/doc/client.texi
@@ -0,0 +1,54 @@
+@node Client part
+@section Client part
+
+Except for common @code{-mtu}, @code{-stats} options client has the
+following ones:
+
+@table @code
+
+@item -remote
+Address (@code{host:port} format) of remote server we need to connect to.
+
+@item -iface
+TAP interface name.
+
+@item -id
+Our client's @ref{Identity} (hexadecimal string).
+
+@item -key
+Path to the file with the passphrase. See @ref{Verifier} for
+how to enter passphrase from stdin silently and store it in the file.
+
+@item -timeout
+@ref{Timeout} setting in seconds.
+
+@item -noncediff
+Allowable @ref{Nonce difference}.
+
+@item -noise
+Enable @ref{Noise}.
+
+@item -cpr
+Enable @ref{CPR} in KiB/sec.
+
+@item -up
+Optional path to script that will be executed after connection is
+established. Interface name will be given to it as a first argument.
+
+@item -down
+Same as @code{-up} above, but it is executed when connection is lost,
+when we exit.
+
+@end table
+
+Example up-script that calls DHCP client and IPv6 advertisement
+solicitation:
+
+@example
+client% cat > up.sh <> peers/CLIENTID/up.sh
+server% ip addr add 192.168.0.1/24 dev wlan0
+server% tunctl -t tap10
+server% ip link set mtu 1432 dev tap10
+server% ip addr add 172.16.0.1/24 dev tap10
+server% ip link set up dev tap10
+server% GOMAXPROC=4 govpn-server -bind 192.168.0.1:1194 -mtu 1472
+@end example
+
+@example
+client% umask 066
+client% utils/storekey.sh key.txt
+client% ip addr add 192.168.0.2/24 dev wlan0
+client% tunctl -t tap10
+client% ip link set mtu 1432 dev tap10
+client% ip addr add 172.16.0.2/24 dev tap10
+client% ip link set up dev tap10
+client% ip route add default via 172.16.0.1
+client% export GOMAXPROC=4
+client% while :; do
+ govpn-client -key key.txt -id CLIENTID -iface tap10 \
+ -remote 192.168.0.1:1194 -mtu 1472
+done
+@end example
+
+FreeBSD IPv6 client-server example:
+
+@example
+server% ifconfig em0 inet6 fe80::1/64
+server% GOMAXPROC=4 govpn-server -bind "fe80::1%em0"
+@end example
+
+@example
+client% ifconfig me0 inet6 -ifdisabled auto_linklocal
+client% ifconfig tap10
+client% ifconfig tap10 inet6 fc00::2/96 mtu 1412 up
+client% route -6 add default fc00::1
+client% export GOMAXPROC=4
+client% while :; do
+ govpn-client -key key.txt -id CLIENTID -iface tap10 \
+ -remote [fe80::1%me0]:1194
+done
+@end example
diff --git a/doc/govpn.texi b/doc/govpn.texi
index 8d365711980f65168bc3e3c9c642cfa299bcad3f..fe842b3a04d73c9f6944f52d6b60d629836f3d12 100644
--- a/doc/govpn.texi
+++ b/doc/govpn.texi
@@ -21,8 +21,16 @@
@node Top
@top GoVPN
-This manual is for GoVPN -- simple secure free software virtual private
-network (VPN) daemon, written entirely on Go programming language.
+GoVPN is simple secure free software virtual private network daemon,
+aimed to be reviewable, secure, DPI-resistant, written on Go.
+
+It uses fast PAKE DH A-EKE for mutual strong zero-knowledge peers
+authentication. Data transport is encrypted, authenticated, hides
+message's length and timestamp. PFS property, resistance to dictionary
+attacks, replay attacks. Built-in heartbeating, rehandshaking, real-time
+statistics, IPv4/IPv6-compatibility. GNU/Linux and FreeBSD support.
+
+@include keywords.texi
@menu
* Overview::
@@ -31,26 +39,18 @@ * Installation::
* Precautions::
* User manual::
* Developer manual::
-* Reporting bugs::
+* Contacts::
* Copying conditions::
+* Thanks::
@end menu
@include overview.texi
-
-@node News
-@unnumbered News
-
-@verbatiminclude ../NEWS
-
+@include news.texi
@include installation.texi
-
@include precautions.texi
-
@include user.texi
-
@include developer.texi
-
-@include bugs.texi
+@include contacts.texi
@node Copying conditions
@unnumbered Copying conditions
@@ -58,4 +58,5 @@
@insertcopying
@verbatiminclude fdl.txt
+@include thanks.texi
@bye
diff --git a/doc/handshake.texi b/doc/handshake.texi
index 533fef9cc90d16a068b266dd38a2ecaabefdf1c9..6f1e37e32a72098cb00abb3b28238fe8ae1cfcf2 100644
--- a/doc/handshake.texi
+++ b/doc/handshake.texi
@@ -4,45 +4,89 @@
@verbatiminclude handshake.utxt
Each handshake message ends with so called @code{IDtag}: it is an XTEA
-encrypted first 64 bits of each message with client's identity as a key.
-It is used to transmit identity and to mark packet as handshake message.
-Server can determine used identity by trying all possible known to him
-keys. It consumes resources, but XTEA is rather fast algorithm and
-handshake messages checking is seldom enough event.
+encrypted first 64 bits of each message with client's @ref{Identity} as
+a key. It is used to transmit identity and to mark packet as handshake
+message. Server can determine used identity by trying all possible known
+to him keys. It consumes resources, but XTEA is rather fast algorithm
+and handshake messages checking is seldom enough event.
+
+@strong{Preparation stage}:
@enumerate
@item
-client generates @code{CPubKey}, random 64bit @code{R} that is used as a
-nonce for encryption
+Client knows only his identity and passphrase written somewhere in the
+human. Server knows his identity and
+@ref{Verifier structure, verifier}: @code{DSAPub}.
@item
-@verb{|R + enc(PSK, R, CPubKey) + IDtag -> Server|} [48 bytes]
+Client computes verifier which produces @code{DSAPriv} and
+@code{DSAPub}. @code{H()} is @emph{HSalsa20} hash function.
@item
-server remembers clients address, decrypt @code{CPubKey}, generates
-@code{SPrivKey}/@code{SPubKey}, computes common shared key @code{K}
-(based on @code{CPubKey} and @code{SPrivKey}), generates 64bit random
-number @code{RS} and 256bit random @code{SS}. PSK-encryption uses
-incremented @code{R} (from previous message) for nonce
+Client generates DH keypair: @code{CDHPub} and @code{CDHPriv}.
+Also it generates random 64-bit @code{R} that is used as a nonce for
+symmetric encryption.
+@end enumerate
+
+@strong{Interaction stage}:
+
+@enumerate
@item
-@verb{|enc(PSK, R+1, SPubKey) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes]
+@verb{|R + enc(H(DSAPub), R, CDHPub) + IDtag -> Server|} [48 bytes]
+
@item
-client decrypt @code{SPubKey}, computes @code{K}, decrypts @code{RS},
-@code{SS} with key @code{K}, remembers @code{SS}, generates 64bit random
-number @code{RC} and 256bit random @code{SC},
+@itemize @bullet
+@item Server remembers client address.
+@item Decrypts @code{CDHPub}.
+@item Generates DH keypair: @code{SDHPriv}/@code{SDHPub}.
+@item Computes common shared key @code{K = H(DH(SDHPriv, CDHPub))}.
+@item Generates 64-bit random number @code{RS}.
+@item Generates 256-bit pre-master secret @code{SS}.
+@end itemize
+
@item
-@verb{|enc(K, R+1, RS + RC + SC) + IDtag -> Server|} [56 bytes]
+@verb{|enc(H(DSAPub), R+1, SDHPub) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes]
+
@item
-server decrypt @code{RS}, @code{RC}, @code{SC} with key @code{K},
-compares @code{RS} with it's own one send before, computes final main
-encryption key @code{S = SS XOR SC}
+@itemize @bullet
+@item Client decrypts @code{SDHPub}.
+@item Computes @code{K}.
+@item Decrypts @code{RS} and @code{SS}.
+@item Remembers @code{SS}.
+@item Generates 64-bit random number @code{RC}.
+@item Generates 256-bit pre-master secret @code{SC}.
+@item Signs with @code{DSAPriv} key @code{K}.
+@end itemize
+
@item
-@verb{|ENC(K, 0, RC) + IDtag -> Client|} [16 bytes]
+@verb{|enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server|} [120 bytes]
+
@item
-server switches to the new client
+@itemize @bullet
+ @item Server decrypts @code{RS}, @code{RC}, @code{SC},
+ @code{Sign(DSAPriv, K)}.
+
+ @item Compares @code{RS} with it's own one sent before. Server
+ decrypts @code{RS}, @code{RC}, @code{SC} with key @code{K}, compares
+ @code{RS} with it's own one sent before.
+
+ @item Verifies @code{K} signature with verifier @code{DSAPub}.
+
+ @item Computes final session encryption key:
+ @code{MasterKey=SS XOR SC}.
+@end itemize
+
@item
-client decrypts @code{RC} and compares with it's own generated one,
-computes final main encryption key @code{S}
+@verb{|ENC(K, R+2, RC) + IDtag -> Client|} [16 bytes]
+
+@item
+@itemize @bullet
+@item Client decrypts @code{RC}
+@item Compares with it's own one sent before.
+@item Computes final session encryption key as server did.
+@end itemize
+
@end enumerate
-Where PSK is 256bit pre-shared key. @code{R*} are required for handshake
-randomization and two-way authentication. K key is used only during
-handshake. DH public keys can be trivially derived from private ones.
+@code{MasterKey} is high entropy 256-bit key. @code{K} DH-derived one
+has 128-bit security margin and that is why are not in use except in
+handshake process. @code{R*} are required for handshake randomization
+and two-way authentication.
diff --git a/doc/handshake.txt b/doc/handshake.txt
index b36d9f3e8b5500d2d0a1654d57314ca61f7d6136..8c3eb3898be080c96303456a928645b296292610 100644
--- a/doc/handshake.txt
+++ b/doc/handshake.txt
@@ -3,19 +3,20 @@ participant Client
participant Server
Client -> Client : R=rand(64bit)
-Client -> Client : CPrivKey=rand(256bit)
-Client -> Server : R, enc(PSK, R, CPubKey)
-Server -> Server : SPrivKey=rand(256bit)
-Server -> Server : K=DH(SPrivKey, CPubKey)
+Client -> Client : CDHPriv=rand(256bit)
+Client -> Server : R, enc(H(DSAPub), R, CDHPub)
+Server -> Server : SDHPriv=rand(256bit)
+Server -> Server : K=H(DH(SDHPriv, CDHPub))
Server -> Server : RS=rand(64bit)
Server -> Server : SS=rand(256bit)
-Server -> Client : enc(PSK, R+1, SPubKey); enc(K, R, RS+SS)
-Client -> Client : K=DH(CPrivKey, SPubKey)
+Server -> Client : enc(H(DSAPub), R+1, SDHPub); enc(K, R, RS+SS)
+Client -> Client : K=H(DH(CDHPriv, SDHPub))
Client -> Client : RC=rand(64bit); SC=rand(256bit)
-Client -> Server : enc(K, R+1, RS+RC+SC)
+Client -> Server : enc(K, R+1, RS+RC+SC+Sign(DSAPriv, K))
Server -> Server : compare(RS)
+Server -> Server : Verify(DSAPub, Sign(DSAPriv, K), K)
Server -> Server : MasterKey=SS XOR SC
-Server -> Client : enc(K, 0x00, RC)
+Server -> Client : enc(K, R+2, RC)
Client -> Client : compare(RC)
Client -> Client : MasterKey=SS XOR SC
@enduml
diff --git a/doc/identity.texi b/doc/identity.texi
new file mode 100644
index 0000000000000000000000000000000000000000..3288d2ef55eeae508c4b4bc992bd97b88ac44c84
--- /dev/null
+++ b/doc/identity.texi
@@ -0,0 +1,6 @@
+@node Identity
+@section Identity
+
+Client's identity is 128-bit string. It is not secret, so can be
+transmitted and stored in the clear. However handshake applies PRP on it
+to make DPI and deanonymization much harder to success.
diff --git a/doc/installation.texi b/doc/installation.texi
index 5aa954311a92ab2755fdeb1acbc1752af6b923fd..13d215919fbcbc194eba6f804edc6c1ffcc60fd1 100644
--- a/doc/installation.texi
+++ b/doc/installation.texi
@@ -2,11 +2,23 @@ @node Installation
@unnumbered Installation
GoVPN is written on @url{http://golang.org/, Go programming language},
-with @code{golang.org/x/crypto} libraries dependencies.
@url{https://www.gnu.org/software/make/, GNU Make} is recommended for
convenient building. @url{https://www.gnu.org/software/texinfo/, Texinfo}
is used for building documentation.
+Required libraries, dependencies (they are installed automatically when
+using @emph{Make}):
+
+@multitable @columnfractions .40 .20 .40
+@headitem Library @tab Platform @tab Licence
+@item @code{golang.org/x/crypto/poly1305} @tab All @tab BSD 3-Clause
+@item @code{golang.org/x/crypto/salsa20} @tab All @tab BSD 3-Clause
+@item @code{golang.org/x/crypto/xtea} @tab All @tab BSD 3-Clause
+@item @code{golang.org/x/crypto/pbkdf2} @tab All @tab BSD 3-Clause
+@item @code{github.com/agl/ed25519} @tab All @tab BSD 3-Clause
+@item @code{github.com/bigeagle/water} @tab GNU/Linux @tab BSD 3-Clause
+@end multitable
+
@include download.texi
You @strong{have to} verify downloaded archives integrity and check
@@ -17,12 +29,12 @@ download signature provided with the tarball.
For the very first time you have to import signing public keys. They
are provided below, but be sure that you are reading them from the
-trusted source. Alternatively check this page from other sources (Tor's
-hidden service for example) and look for the mailing list announcements.
+trusted source. Alternatively check this page from
+@ref{Contacts, other sources} and look for the mailing list announcements.
For example you can get tarball, set proper @code{$GOPATH} and run
@code{make} (that will install all necessary libraries and build
-client/server binaries) like this:
+@emph{govpn-client}, @emph{govpn-server}, @emph{govpn-verifier} binaries:
@example
% mkdir -p govpn/src
diff --git a/doc/keywords.texi b/doc/keywords.texi
new file mode 100644
index 0000000000000000000000000000000000000000..39a20e33dc439b44312ebc9a965701d04d04ab9d
--- /dev/null
+++ b/doc/keywords.texi
@@ -0,0 +1,12 @@
+Some keywords describing this project: encryption, authentication, key
+exchange, EKE, Diffie-Hellman, DH, DH-EKE, Augmented EKE, A-EKE,
+security, encrypted key exchange, 128-bit margin, DPI, censorship,
+resistance, free software, GPLv3+, reviewability, easy, simple,
+Curve25519, Ed25519, SHA-512, Salsa20, Poly1305, AEAD, XTEA, PBKDF2,
+PRP, signatures, asymmetric cryptography, zero-knowledge password proof,
+PAKE, password, passphrase, password authenticated key exchange, perfect
+forward secrecy, PFS, MAC, nonce, verifier, rehandshake, heartbeat,
+replay attack, MiTM, length hiding, timestamps hiding, noise, constant
+traffic, constant packet rate, CPR, TAP, TAP, VPN, GNU, Linux, FreeBSD,
+IPv6, dictionary attack, mutual authentication, simultaneous clients,
+JSON, HTTP-server, statistics, PRNG, traffic analysis, Go, golang.
diff --git a/doc/mtu.texi b/doc/mtu.texi
new file mode 100644
index 0000000000000000000000000000000000000000..e8c5c228c670b9e402f9f4b1a9f32d2696711d4a
--- /dev/null
+++ b/doc/mtu.texi
@@ -0,0 +1,12 @@
+@node MTU
+@section MTU
+
+MTU command line argument is maximum allowable size of outgoing GoVPN's
+packets. It varies and depends on your environment, so probably has to
+be tuned. By default MTU equals to 1452 bytes: 40 bytes per IPv6 and 8
+bytes per UDP.
+
+Underlying TAP interface has lower MTU value -- 42 bytes smaller: 26
+bytes overhead on transport message and 14 bytes for Ethernet frame.
+Client and server will print what MTU value should be used on TAP
+interface.
diff --git a/doc/news.texi b/doc/news.texi
new file mode 100644
index 0000000000000000000000000000000000000000..75ec725137b1b9640dd0dc3bb7e0b1505ff05aa8
--- /dev/null
+++ b/doc/news.texi
@@ -0,0 +1,106 @@
+@node News
+@unnumbered News
+
+@table @strong
+@item Release 3.0
+@itemize @bullet
+@item
+EKE protocol is replaced by Augmented-EKE and static symmetric (both
+sides have it) pre-shared key replaced with server-side verifier. This
+requires, 64 more bytes in handshake traffic, Ed25519 dependency with
+corresponding sign/verify computations, PBKDF2 dependency and its
+usage on the client side during handshake.
+
+A-EKE with PBKDF2-based verifiers is resistant to dictionary attacks,
+can use human memorable passphrases instead of static keys and
+server-side verifiers can not be used for authentication (compromised
+server does not leak client's authentication keys/passphrases).
+
+@item
+Changed transport message structure: added payload packet's length.
+This will increase transport overhead for two bytes, but heartbeat
+packets became smaller
+
+@item
+Ability to hide underlying packets lengths by appending noise, junk
+data during transmission. Each packet can be fill up-ed to it's
+maximal MTU size.
+
+@item
+Ability to hide underlying packets appearance rate, by generating
+Constant Packet Rate traffic. This includes noise generation too.
+@item
+Per-peer @code{-timeout}, @code{-noncediff}, @code{-noise} and
+@code{-cpr} configuration options for server.
+@end itemize
+
+@item Release 2.4
+@itemize @bullet
+@item
+Added ability to optionally run built-in HTTP-server responding with
+JSON of all known connected peers information. Real-time client's
+statistics.
+
+@item
+Documentation is explicitly licensed under GNU FDL 1.3+.
+@end itemize
+
+@item Release 2.3
+@itemize @bullet
+@item
+Handshake packets became indistinguishable from the random.
+Now all GoVPN's traffic is the noise for men in the middle.
+
+@item
+Handshake messages are smaller (16% traffic reduce).
+
+@item
+Adversary now can not create malicious fake handshake packets that
+will force server to generate private DH key, preventing entropy
+consuming and resource heavy computations.
+@end itemize
+
+@item Release 2.2
+@itemize @bullet
+@item Fixed several possible channel deadlocks.
+@end itemize
+
+@item Release 2.1
+@itemize @bullet
+@item Fixed Linux-related building.
+@end itemize
+
+@item Release 2.0
+@itemize @bullet
+@item Added clients identification.
+@item Simultaneous several clients support by server.
+@item Per-client up/down scripts.
+@end itemize
+
+@item Release 1.5
+@itemize @bullet
+@item Nonce obfuscation/encryption.
+@end itemize
+
+@item Release 1.4
+@itemize @bullet
+@item Performance optimizations.
+@end itemize
+
+@item Release 1.3
+@itemize @bullet
+@item Heartbeat feature.
+@item Rehandshake feature.
+@item up- and down- optinal scripts.
+@end itemize
+
+@item Release 1.1
+@itemize @bullet
+@item FreeBSD support.
+@end itemize
+
+@item Release 1.0
+@itemize @bullet
+@item Initial stable release.
+@end itemize
+@end table
diff --git a/doc/noise.texi b/doc/noise.texi
new file mode 100644
index 0000000000000000000000000000000000000000..06ee1de2051a830a542505f4d8a54fb2c0b417eb
--- /dev/null
+++ b/doc/noise.texi
@@ -0,0 +1,13 @@
+@node Noise
+@section Noise
+
+So-called noise is used to hide underlying payload packets lengths.
+Without it GoVPN provides confidentiality and authenticity of messages,
+but not their timestamps of appearance and sizes.
+
+You may turn on @code{-noise} option, that forces to fill up all
+outgoing packets to their maximum (MTU) size. As it can be applied only
+to outgoing traffic, you should enable it on both sides in most cases.
+
+Pay attention that this can dramatically @strong{increase} your traffic!
+It is turned off by default.
diff --git a/doc/noncediff.texi b/doc/noncediff.texi
new file mode 100644
index 0000000000000000000000000000000000000000..7ce3aa25c8b42ae94a3d95702f383b50f6965635
--- /dev/null
+++ b/doc/noncediff.texi
@@ -0,0 +1,17 @@
+@node Nonce difference
+@section Nonce difference
+
+GoVPN prevents replay attacks by remembering the last used nonce in
+messages from the remote peer. All incoming messages must have higher
+nonce number (technically it is counter), otherwise they are dropped.
+
+Because of UDP nature that does not guarantee packet ordering during
+transmission, GoVPN will drop valid non-replayed UDP packets. That leads
+to performance decrease.
+
+In most cases there is no need in so strict nonce boundaries and
+@code{-noncediff} command line option allows to create the window of
+allowable nonce differences. This is trade-off between highest security
+and possible performance degradation. For example @code{-noncediff 128}
+works rather well (no packet drops) with 1 Gbps link with two switches.
+By default no nonce differences are allowed (highest security).
diff --git a/doc/overview.texi b/doc/overview.texi
index 7c5bcc087d53e24f94f5deebf4a9a8d958f81a7e..f6b81ac771075f02233896e49d58619ac6f45b16 100644
--- a/doc/overview.texi
+++ b/doc/overview.texi
@@ -1,35 +1,49 @@
@node Overview
@unnumbered Overview
-GoVPN is simple secure virtual private network daemon. It uses
-@url{https://en.wikipedia.org/wiki/Encrypted_key_exchange, Diffie-Hellman Encrypted Key Exchange}
-(DH-EKE) for mutual zero-knowledge peers authentication and
-authenticated encrypted data transport. It is written entirely on
-@url{http://golang.org/, Go programming language}.
+GoVPN is simple secure virtual private network daemon, written entirely
+on @url{http://golang.org/, Go programming language}.
-All packets captured on network interface are encrypted, authenticated
-and sent to remote server, that writes them to his interface, and vice
-versa. Client and server use pre-shared authentication key (PSK) and
-128-bit identification key. There are heartbeat packets used to prevent
-session termination because of peers inactivity.
+Reviewability, high 128-bit security margin and
+@url{https://en.wikipedia.org/wiki/Deep_packet_inspection, DPI}
+censorship resistance in mind in free software solution are the main
+goals for that daemon. Most modern widespread protocols and their
+implementations in software are too complex to be reviewed, analyzed and
+modified.
-Handshake is used to mutually authenticate peers, exchange common secret
-per-session encryption key and check UDP transport availability.
+State off art cryptography technologies includes:
+@url{http://cr.yp.to/snuffle.html, Salsa20} stream encryption,
+@url{http://143.53.36.235:8080/tea.htm, XTEA} PRP,
+@url{http://cr.yp.to/mac.html, Poly1305} message authentication,
+@url{https://en.wikipedia.org/wiki/PBKDF2} password-based key derivation
+function based on @url{https://en.wikipedia.org/wiki/SHA-2, SHA-512}
+hash function,
+@url{https://en.wikipedia.org/wiki/Encrypted_key_exchange,
+Diffie-Hellman Augmented Encrypted Key Exchange}
+(DH-A-EKE) powered by @url{http://cr.yp.to/ecdh.html, Curve25519} and
+@url{http://ed25519.cr.yp.to/, Ed25519} signatures.
+Strong
+@url{https://en.wikipedia.org/wiki/Zero-knowledge_password_proof, zero-knowledge}
+mutual authentication with key exchange stage is invulnerable
+to man-in-the-middle attacks.
+@url{https://en.wikipedia.org/wiki/Forward_secrecy, Perfect forward secrecy}
+property guarantee that compromising of long-term authentication
+pre-shared key can not lead to previously captured traffic decrypting.
+Compromising of peers password file on server side won't allow attacker
+to masquerade as the client, because of asymmetric @strong{verifiers}
+usage, resistant to dictionary attacks. Rehandshaking ensures session
+keys rotation. MAC authentication with one-time keys protects against
+@url{https://en.wikipedia.org/wiki/Replay_attack, replay attacks}.
-Because of UDP and authentication overhead: each packet grows in size
-during transmission, so you have to lower you maximum transmission unit
-(MTU) on virtual network interface.
+Server can work with several clients simultaneously. Each client is
+@strong{identified} by 128-bit key, that does not leak during handshake
+and each client stays @strong{anonymous} for MiTM and DPI. All settings
+are applied per-peer separately.
-High security is the goal for that daemon. It uses fast cryptography
-algorithms with 128bit security margin, strong mutual zero-knowledge
-authentication and perfect-forward secrecy property. An attacker can not
-know anything about payload (except it's size and time) from captured
-traffic, even if pre-shared key is compromised. Rehandshake is performed
-by client every 4 GiB of transfered data.
-
-Each client also has it's own identification key and server works with
-all of them independently. Identification key is not secret, but it is
-encrypted (obfuscated) during transmission.
+Optional ability to hide payload packets lengths by appending
+@strong{noise} to them during transmission. Ability to generate constant
+packet rate traffic (@strong{CPR}) that will hide even the fact of
+packets appearance, their timestamps.
The only platform specific requirement is TAP network interface support.
API to that kind of device is different, OS dependent and non portable.
@@ -40,7 +54,7 @@
@itemize @bullet
@item
Copylefted free software: licensed under
-@url{http://www.gnu.org/licenses/gpl-3.0.html, GPLv3+}
+@url{https://www.gnu.org/licenses/gpl-3.0.html, GPLv3+}
@item
Works with @url{https://en.wikipedia.org/wiki/TAP_(network_driver), TAP}
network interfaces on top of UDP entirely
@@ -48,23 +62,20 @@ @item
@url{https://www.gnu.org/, GNU}/Linux and
@url{http://www.freebsd.org/, FreeBSD} support
@item IPv6 compatible
-@item Encrypted and authenticated transport
+@item Encrypted and authenticated payload transport
@item Relatively fast handshake
-@item
-@url{https://en.wikipedia.org/wiki/Replay_attack, Replay attack} protection
-@item
-@url{https://en.wikipedia.org/wiki/Forward_secrecy, Perfect forward secrecy}
-(if long-term pre-shared keys are compromised, no captured traffic can
-be decrypted anyway)
-@item
-Mutual two-side authentication (noone will send real network interface
-data unless the other side is authenticated)
-@item
-@url{https://en.wikipedia.org/wiki/Zero-knowledge_password_proof, Zero knowledge}
-authentication (pre-shared key is not transmitted in any form between
-the peers, not even it's hash value)
+@item Password-authenticated key exchange
+@item Server-side password verifiers are secure against dictionary attacks
+@item Attacker can not masquerade a client even with password files compromising
+@item Replay attack protection
+@item Perfect forward secrecy property
+@item Mutual two-side authentication
+@item Zero knowledge authentication
@item Built-in rehandshake and heartbeat features
@item Several simultaneous clients support
+@item Per-client configuration options
+@item Hiding of payload packets length with noise
+@item Hiding of payload packets timestamps with constant packet rate traffic
@item Optional built-in HTTP-server for retrieving information about
known connected peers in @url{http://json.org/, JSON} format
@end itemize
diff --git a/doc/pake.texi b/doc/pake.texi
new file mode 100644
index 0000000000000000000000000000000000000000..535165e463206d8de7eb3b8720164bffcc936b92
--- /dev/null
+++ b/doc/pake.texi
@@ -0,0 +1,30 @@
+@node PAKE
+@section PAKE
+
+Previously we used pre-shared high-entropy long-term static key for
+client-server authentication. Is is secure, but not convenient for some
+user use-cases:
+
+@itemize @bullet
+@item Compromising of password files on either server or client side
+allows attacker to masquerade himself a client.
+@item To prevent compromising of keys on the client side, one needs some
+kind of passphrase protected secure storage (like either PGP with
+decryption to the memory, or full-disk encryption).
+@end itemize
+
+Overall security on the client side is concentrated in passphrase
+(high-entropy password), so it is convenient to use it in GoVPN
+directly, without static on-disk keys. That is why we use password
+authenticated key agreement.
+
+We use "passphrase" term instead of "password". Technically there may be
+no difference between them. But as a rule passphrases are @strong{long}
+strings with low entropy characters. Because of low entropy characters,
+they are memorable. Because of their quantity, they acts as a high
+entropy source.
+
+Passphrases are entered directly by the human on the client side. Server
+side stores previously shared so-called @ref{Verifier}. Verifier contains
+dictionary attack resistant password derivative. Attacker can not use it
+to act as a client.
diff --git a/doc/precautions.texi b/doc/precautions.texi
index bae37b3ec4e5d02e167d8488264aed1f468c6dd6..93b179e427f6829246d6a45e4b70bb0cb0f8068e 100644
--- a/doc/precautions.texi
+++ b/doc/precautions.texi
@@ -17,3 +17,8 @@ Also you should @strong{never} use one key for multiple clients. Salsa20
encryption is randomized in each session, but it depends again on PRNG.
If it fails, produces equal values at least once, then all you traffic
related to that key could be decrypted.
+
+We use password (passphrase) authentication, so overall security fully
+depends on it's strength. So you should use long, high-entropy
+passphrases. Also remember to keep passphrase on temporary file as
+described in @ref{Verifier}.
diff --git a/doc/server.texi b/doc/server.texi
new file mode 100644
index 0000000000000000000000000000000000000000..c5f2eb29e8213190bbae74e3574d53b16e2acc10
--- /dev/null
+++ b/doc/server.texi
@@ -0,0 +1,76 @@
+@node Server part
+@section Server part
+
+Except for common @code{-mtu}, @code{-stats} options server has the
+following ones:
+
+@table @code
+@item -bind
+Address (@code{host:port} format) we must bind to.
+@item -peers
+Path to the directory containing peers information, database.
+@end table
+
+Peers directory must contain subdirectories with the names of client's
+identities in hexadecimal notation. Each subdirectory has the following
+files:
+
+@table @code
+
+@item verifier
+@strong{Required}. Contains corresponding verifier used to authenticate
+the client in hexadecimal notation. See @ref{Verifier} for how
+to create it.
+
+@item up.sh
+@strong{Required}. up-script executes each time connection with the
+client is established. It's @emph{stdout} output must contain TAP
+interface name on the first string. This script can be simple
+@code{echo tap10}, or maybe more advanced like this:
+ @example
+ #!/bin/sh
+ $tap=$(ifconfig tap create)
+ ifconfig $tap inet6 fc00::1/96 mtu 1412 up
+ echo $tap
+ @end example
+
+@item down.sh
+Optional. Same as @code{up.sh} above, but executes when connection is
+lost.
+
+@item name
+Optional. Contains human readable username. Used to beauty output of
+@ref{Stats}.
+
+@item timeout
+Optional. Contains @ref{Timeout} setting (decimal notation) in seconds.
+Otherwise default minute timeout will be used.
+
+@item noncediff
+Optional. Contains allowable @ref{Nonce difference} setting (decimal
+notation).
+
+@item noise
+Optional. Contains either "1" (enable @ref{Noise} adding), or "0".
+
+@item cpr
+Optional. Contains @ref{CPR} setting (decimal notation) in KiB/sec.
+
+@end table
+
+Each minute server refreshes peers directory contents and adds newly
+appeared identities, deletes an obsolete ones.
+
+You can use convenient @code{utils/newclient.sh} script for new client
+creation:
+
+@example
+% ./utils/newclient.sh Alice
+Place verifier to peers/9b40701bdaf522f2b291cb039490312/verifier
+@end example
+
+@code{9b40701bdaf522f2b291cb039490312} is client's identification.
+@code{peers/9b40701bdaf522f2b291cb039490312/name} contains @emph{Alice},
+@code{peers/9b40701bdaf522f2b291cb039490312/verifier} contains dummy
+verifier and @code{peers/9b40701bdaf522f2b291cb039490312/up.sh} contains
+currently dummy empty up-script.
diff --git a/doc/stats.texi b/doc/stats.texi
new file mode 100644
index 0000000000000000000000000000000000000000..f6284e0cad03b52d0ebe1b6eb3ebeedb3a5eff85
--- /dev/null
+++ b/doc/stats.texi
@@ -0,0 +1,36 @@
+@node Stats
+@section Stats
+
+Both client and server has ability to show statistics about known
+connected peers. You retrieve them by downloading JSON from built-in
+background HTTP-server. You can enable it by specifying
+@code{-stats host:port} argument.
+
+Actually it is not full-fledged HTTP-server: it just accepts connection,
+reads from it (does not parse anything) and writes dummy headers with
+JSON document.
+
+@verbatim
+% govpn-server [...] -stats "[::1]:5678"
+% curl http://localhost:5678/ | jq .
+[
+ {
+ "HeartbeatSent": 1,
+ "HeartbeatRecv": 2,
+ "FramesDup": 0,
+ "FramesUnauth": 0,
+ "Addr": {
+ "Zone": "igb1",
+ "Port": 12989,
+ "IP": "fe80::221:ccff:feb9:ba7f"
+ },
+ "Id": "stargrave",
+ "LastPing": "2015-04-30T22:05:49.426616166+03:00",
+ "LastSent": "2015-04-30T22:05:49.426704138+03:00",
+ "BytesIn": 1392774,
+ "BytesOut": 17228877,
+ "FramesIn": 12412,
+ "FramesOut": 16588
+ }
+]
+@end verbatim
diff --git a/doc/thanks.texi b/doc/thanks.texi
new file mode 100644
index 0000000000000000000000000000000000000000..69223702f4e025fee3b04e6f777eefbe98ab78bd
--- /dev/null
+++ b/doc/thanks.texi
@@ -0,0 +1,19 @@
+@node Thanks
+@unnumbered Thanks
+
+@itemize @bullet
+@item
+@url{https://www.schneier.com/books/applied_cryptography/, Applied Cryptography}
+@copyright{} 1996 Bruce Schneier
+@item
+@url{http://tnlandforms.us/cns05/speke.pdf, Strong Password-Only Authenticated Key Exchange}
+@copyright{} 1996 David P. Jablon
+@item
+@url{https://www.cs.columbia.edu/~smb/papers/aeke.pdf, Augmented Encrypted Key Exchange}:
+a Password-Based Protocol Secure Against Dictionary Attacks and Password
+File Compromise @copyright{} Steven M. Belloving, Michael Merrit
+@item @url{http://cr.yp.to/ecdh.html, A state-of-the-art Diffie-Hellman function}
+@item @url{http://cr.yp.to/snuffle.html, Snuffle 2005: the Salsa20 encryption function}
+@item @url{http://cr.yp.to/mac.html, A state-of-the-art message-authentication code}
+@item @url{http://ed25519.cr.yp.to/, Ed25519: high-speed high-security signatures}
+@end itemize
diff --git a/doc/timeout.texi b/doc/timeout.texi
new file mode 100644
index 0000000000000000000000000000000000000000..e750177b3aa4f6c2e61093cffa0f5dffb746891f
--- /dev/null
+++ b/doc/timeout.texi
@@ -0,0 +1,14 @@
+@node Timeout
+@section Timeout
+
+Because of stateless UDP nature there is no way to reliably know if
+remote peer is alive. That is why timeouts are necessary. If no packets
+are sent during timeout period, then remote peer is considered to be
+dead. Timeout option should be synchronized both for server and client.
+
+If there were no packets at all during fourth part of timeout, then
+special heartbeat packet is sent. So VPN connection should be alive all
+the time, even if there is no traffic in corresponding TAP interfaces.
+@strong{Beware}: this consumes traffic.
+
+Stale peers and handshake states are cleaned up every timeout period.
diff --git a/doc/transport.texi b/doc/transport.texi
index d0cb75642564dbee51a693c1943fd9bbe9657840..b76286138f63af78bb9f43bc02ec5d774d1e5716 100644
--- a/doc/transport.texi
+++ b/doc/transport.texi
@@ -2,8 +2,8 @@ @node Transport protocol
@section Transport protocol
@verbatim
-ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA) +
- AUTH(ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA))
+ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA+NOISE) +
+ AUTH(ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA+NOISE))
@end verbatim
All transport and handshake messages are indistinguishable from
@@ -24,6 +24,10 @@ Encrypted @code{SERIAL} is used as a nonce for @code{DATA} encryption:
encryption key is different during each handshake, so (key, nonce) pair
is always used only once. @code{ENC} is Salsa20 cipher, with established
session @code{KEY} and encrypted @code{SERIAL} used as a nonce.
+@code{DATA_SIZE} is @emph{uint16} storing length of the @code{DATA}.
+
+@code{NOISE} is optional. It is just some junk data, intended to fill up
+packet to MTU size. This is useful for concealing payload packets length.
@code{AUTH} is Poly1305 authentication function. First 256 bits of
Salsa20 output are used as a one-time key for @code{AUTH}. Next 256 bits
diff --git a/doc/user.texi b/doc/user.texi
index 193e9456979fb238b2f584598fa21e0ec4827101..3080ce1f1ff3974939c64a568b061802936337cc 100644
--- a/doc/user.texi
+++ b/doc/user.texi
@@ -1,146 +1,38 @@
@node User manual
@unnumbered User manual
-Announcements about updates and new releases can be found in
-@ref{Reporting bugs}.
+Announcements about updates and new releases can be found in @ref{Contacts}.
GoVPN is split into two pieces: client and server. Each of them work on
-top of UDP and TAP virtual network interfaces. Client and server have
-several common configuration command line options:
-
-@table @asis
-@item Timeout
-Because of stateless UDP nature there is no way to know if
-remote peer is dead, but after some timeout. Client and server
-heartbeats each other every third part of heartbeat. Also this timeout
-is the time when server purge his obsolete handshake and peers states.
-@item Allowable nonce difference
-To prevent replay attacks we just remember latest received nonce number
-from the remote peer and drop those who has lower ones. Because UDP
-packets can be reordered: that behaviour can lead to dropping of not
-replayed ones. This option gives ability to create some window of
-allowable difference. That opens the door for replay attacks for narrow
-time interval.
-@item MTU
-Maximum transmission unit, maximum frame size that is acceptable on TAP
-interface.
-@end table
-
-Client needs to know his identification, path to the authentication key,
-remote server's address, TAP interface name, and optional path to up and
-down scripts, that will be executed after connection is either initiated
-or terminated.
-
-Server needs to know only the address to listen on and path to directory
-containing peers information. This directory must contain subdirectories
-with the names equal to client's identifications. Each of them must have
-@strong{key} file with corresponding authentication key, @strong{up.sh}
-script that has to print interface's name on the first output line.
-Optionally there can be @code{down.sh} that will be executed when client
-disconnects, and @code{name} file containing human readable client's name.
-
-Each of them have ability to show statistics about known connected
-peers. If you specify @emph{host:port} in @code{-stats} argument, then
-it will run HTTP server on it, responding with JSON documents.
+top of UDP and TAP virtual network interfaces. GoVPN is just a
+tunnelling of Ethernet frames, nothing less, nothing more. All you
+IP-related network management is not touched by VPN at all. You can
+automate it using up and down shell scripts.
@menu
+* Identity::
+* PAKE:: Password Authenticated Key Agreement
+* Timeout::
+* Nonce difference::
+* MTU:: Maximum Transmission Unit
+* Stats::
+* Noise::
+* CPR:: Constant Packet Rate
+* Verifier::
+* Client part::
+* Server part::
* Example usage::
@end menu
-@node Example usage
-@section Example usage
-
-Let's assume that there is some insecure link between your computer and
-WiFi-reachable gateway. You have got preconfigured @code{wlan0} network
-interface with 192.168.0/24 network. You want to create virtual
-encrypted and authenticated 172.16.0/24 network and use it as a default
-transport. MTU for that wlan0 is 1500 bytes. GoVPN will say that maximum
-MTU for the link is 1476, however it does not take in account TAP's
-Ethernet frame header length, that in my case is 14 bytes long (1476 - 14).
-
-Do not forget about setting @code{GOMAXPROC} environment variable for
-using more than one CPU.
-
-At first you have to generate client's authentication key and client's
-unique identification. There is @code{utils/newclient.sh} script for
-convenience.
-
-@example
-% ./utils/newclient.sh Alice
-9b40701bdaf522f2b291cb039490312
-@end example
-
-@code{9b40701bdaf522f2b291cb039490312} is client's identification.
-@code{peers/9b40701bdaf522f2b291cb039490312/name} contains @emph{Alice},
-@code{peers/9b40701bdaf522f2b291cb039490312/key} contains authentication key and
-@code{peers/9b40701bdaf522f2b291cb039490312/up.sh} contains currently
-dummy empty up-script.
-
-GNU/Linux IPv4 client-server example:
-
-@example
-server% echo "echo tap10" >> peers/CLIENTID/up.sh
-server% ip addr add 192.168.0.1/24 dev wlan0
-server% tunctl -t tap10
-server% ip link set mtu 1462 dev tap10
-server% ip addr add 172.16.0.1/24 dev tap10
-server% ip link set up dev tap10
-server% GOMAXPROC=4 govpn-server -bind 192.168.0.1:1194
-@end example
-
-@example
-client% umask 066
-client% echo MYLONG64HEXKEY > key.txt
-client% ip addr add 192.168.0.2/24 dev wlan0
-client% tunctl -t tap10
-client% ip link set mtu 1462 dev tap10
-client% ip addr add 172.16.0.2/24 dev tap10
-client% ip link set up dev tap10
-client% ip route add default via 172.16.0.1
-client% export GOMAXPROC=4
-client% while :; do
- govpn-client -key key.txt -id CLIENTID -iface tap10 -remote 192.168.0.1:1194
-done
-@end example
-
-FreeBSD IPv6 client-server example, with stats enabled on the server
-(localhost's 5678 port):
-
-@example
-server% cat > peers/CLIENTID/up.sh < up.sh < 0 {
+ noiseEnable = true
+ timeout = cprCycle
+ } else {
+ timeout = timeout / TimeoutHeartbeat
+ }
peer := Peer{
Addr: addr,
- LastPing: time.Now(),
- Id: id,
- NonceOur: uint64(Noncediff + nonce),
- NonceRecv: uint64(Noncediff + 0),
+ Timeout: timeout,
+ Established: now,
+ LastPing: now,
+ Id: conf.Id,
+ NoiseEnable: noiseEnable,
+ CPR: conf.CPR,
+ CPRCycle: cprCycle,
+ Noncediff: conf.Noncediff,
+ NonceOur: uint64(conf.Noncediff + nonce),
+ NonceRecv: uint64(conf.Noncediff + 0),
Key: key,
NonceCipher: newNonceCipher(key),
buf: make([]byte, MTU+S20BS),
tag: new([poly1305.TagSize]byte),
- keyAuth: new([KeySize]byte),
+ keyAuth: new([SSize]byte),
nonce: make([]byte, NonceSize),
}
return &peer
@@ -227,9 +268,9 @@ // udpPkt is received data, related to the peer tap interface and
// ConnListen'es synchronization channel used to tell him that he is
// free to receive new packets. Authenticated and decrypted packets
// will be written to the interface immediately (except heartbeat ones).
-func (p *Peer) UDPProcess(udpPkt []byte, tap *TAP, ready chan struct{}) bool {
+func (p *Peer) UDPProcess(udpPkt []byte, tap io.Writer, ready chan struct{}) bool {
size := len(udpPkt)
- copy(p.buf[:KeySize], Emptiness)
+ copy(p.buf, Emptiness)
copy(p.tag[:], udpPkt[size-poly1305.TagSize:])
copy(p.buf[S20BS:], udpPkt[NonceSize:size-poly1305.TagSize])
salsa20.XORKeyStream(
@@ -238,7 +279,7 @@ p.buf[:S20BS+size-poly1305.TagSize],
udpPkt[:NonceSize],
p.Key,
)
- copy(p.keyAuth[:], p.buf[:KeySize])
+ copy(p.keyAuth[:], p.buf[:SSize])
if !poly1305.Verify(p.tag, udpPkt[:size-poly1305.TagSize], p.keyAuth) {
ready <- struct{}{}
p.FramesUnauth++
@@ -246,60 +287,78 @@ return false
}
p.NonceCipher.Decrypt(p.buf, udpPkt[:NonceSize])
p.nonceRecv, _ = binary.Uvarint(p.buf[:NonceSize])
- if int(p.NonceRecv)-Noncediff >= 0 && int(p.nonceRecv) < int(p.NonceRecv)-Noncediff {
+ if int(p.NonceRecv)-p.Noncediff >= 0 && int(p.nonceRecv) < int(p.NonceRecv)-p.Noncediff {
ready <- struct{}{}
p.FramesDup++
return false
}
ready <- struct{}{}
+ p.FramesIn++
+ p.BytesIn += int64(size)
p.LastPing = time.Now()
p.NonceRecv = p.nonceRecv
- p.frame = p.buf[S20BS : S20BS+size-NonceSize-poly1305.TagSize]
- p.BytesIn += int64(len(p.frame))
- p.FramesIn++
- if subtle.ConstantTimeCompare(p.frame[:HeartbeatSize], HeartbeatMark) == 1 {
+ p.pktSize, _ = binary.Uvarint(p.buf[S20BS : S20BS+PktSizeSize])
+ if p.pktSize == 0 {
p.HeartbeatRecv++
return true
}
+ p.frame = p.buf[S20BS+PktSizeSize : S20BS+PktSizeSize+p.pktSize]
+ p.BytesPayloadIn += int64(p.pktSize)
tap.Write(p.frame)
return true
}
+type WriteToer interface {
+ WriteTo([]byte, net.Addr) (int, error)
+}
+
// Process incoming Ethernet packet.
// ethPkt is received data, conn is our outgoing connection.
// ready channel is TAPListen's synchronization channel used to tell him
// that he is free to receive new packets. Encrypted and authenticated
// packets will be sent to remote Peer side immediately.
-func (p *Peer) EthProcess(ethPkt []byte, conn *net.UDPConn, ready chan struct{}) {
+func (p *Peer) EthProcess(ethPkt []byte, conn WriteToer, ready chan struct{}) {
now := time.Now()
size := len(ethPkt)
// If this heartbeat is necessary
- if size == 0 && !p.LastSent.Add(heartbeatPeriodGet()).Before(now) {
+ if size == 0 && !p.LastSent.Add(p.Timeout).Before(now) {
return
}
- copy(p.buf[:KeySize], Emptiness)
+ copy(p.buf, Emptiness)
if size > 0 {
- copy(p.buf[S20BS:], ethPkt)
+ copy(p.buf[S20BS+PktSizeSize:], ethPkt)
ready <- struct{}{}
+ binary.PutUvarint(p.buf[S20BS:S20BS+PktSizeSize], uint64(size))
+ p.BytesPayloadOut += int64(size)
} else {
p.HeartbeatSent++
- copy(p.buf[S20BS:], HeartbeatMark)
- size = HeartbeatSize
}
- p.NonceOur = p.NonceOur + 2
+ p.NonceOur += 2
copy(p.nonce, Emptiness)
binary.PutUvarint(p.nonce, p.NonceOur)
p.NonceCipher.Encrypt(p.nonce, p.nonce)
salsa20.XORKeyStream(p.buf, p.buf, p.nonce, p.Key)
copy(p.buf[S20BS-NonceSize:S20BS], p.nonce)
- copy(p.keyAuth[:], p.buf[:KeySize])
- p.frame = p.buf[S20BS-NonceSize : S20BS+size]
+ copy(p.keyAuth[:], p.buf[:SSize])
+ if p.NoiseEnable {
+ p.frame = p.buf[S20BS-NonceSize : S20BS+MTU-NonceSize-poly1305.TagSize]
+ } else {
+ p.frame = p.buf[S20BS-NonceSize : S20BS+PktSizeSize+size]
+ }
poly1305.Sum(p.tag, p.frame, p.keyAuth)
- p.BytesOut += int64(len(p.frame))
+ p.BytesOut += int64(len(p.frame) + poly1305.TagSize)
p.FramesOut++
+
+ if p.CPRCycle != time.Duration(0) {
+ p.willSentCycle = p.LastSent.Add(p.CPRCycle)
+ if p.willSentCycle.After(now) {
+ time.Sleep(p.willSentCycle.Sub(now))
+ now = p.willSentCycle
+ }
+ }
p.LastSent = now
if _, err := conn.WriteTo(append(p.frame, p.tag[:]...), p.Addr); err != nil {
log.Println("Error sending UDP", err)
diff --git a/transport_test.go b/transport_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..0dc54f992b24210a9623c8a60683651a5d6656c1
--- /dev/null
+++ b/transport_test.go
@@ -0,0 +1,69 @@
+package govpn
+
+import (
+ "net"
+ "testing"
+ "time"
+)
+
+var (
+ peer *Peer
+ plaintext []byte
+ ready chan struct{}
+ dummy = &Dummy{}
+ ciphertext []byte
+ addr *net.UDPAddr
+ peerId *PeerId
+ conf *PeerConf
+)
+
+func init() {
+ MTU = 1500
+ addr, _ = net.ResolveUDPAddr("udp", "[::1]:1")
+ peerId = IDDecode("ffffffffffffffffffffffffffffffff")
+ conf = &PeerConf{
+ Id: peerId,
+ Timeout: time.Second * time.Duration(TimeoutDefault),
+ Noncediff: 1,
+ NoiseEnable: false,
+ CPR: 0,
+ }
+ peer = newPeer(addr, conf, 128, new([SSize]byte))
+ plaintext = make([]byte, 789)
+ ready = make(chan struct{})
+ go func() {
+ for {
+ <-ready
+ }
+ }()
+}
+
+type Dummy struct{}
+
+func (d *Dummy) WriteTo(b []byte, addr net.Addr) (int, error) {
+ ciphertext = b
+ return len(b), nil
+}
+
+func (d *Dummy) Write(p []byte) (n int, err error) {
+ return len(p), nil
+}
+
+func BenchmarkEnc(b *testing.B) {
+ b.ResetTimer()
+ for i := 0; i < b.N; i++ {
+ peer.NonceOur = 128
+ peer.EthProcess(plaintext, dummy, ready)
+ }
+}
+
+func BenchmarkDec(b *testing.B) {
+ peer.EthProcess(plaintext, dummy, ready)
+ peer = newPeer(addr, conf, 128, new([SSize]byte))
+ b.ResetTimer()
+ for i := 0; i < b.N; i++ {
+ if !peer.UDPProcess(ciphertext, dummy, ready) {
+ b.Fail()
+ }
+ }
+}
diff --git a/utils/newclient.sh b/utils/newclient.sh
index 68469b66aa63047f9019937506dc9d2087ba3c7a..ab86a7fdb23dde0009948ccba3190ad063387927 100755
--- a/utils/newclient.sh
+++ b/utils/newclient.sh
@@ -9,8 +9,8 @@
[ -n "$1" ] || {
cat <
EOF
@@ -21,8 +21,8 @@ username=$1
peerid=$(getrand 16)
umask 077
mkdir -p peers/$peerid
-getrand 32 > peers/$peerid/key
+echo '0000000000000000000000000000000000000000000000000000000000000000' > peers/$peerid/verifier
echo $username > peers/$peerid/name
echo '#!/bin/sh' > peers/$peerid/up.sh
chmod 700 peers/$peerid/up.sh
-echo $peerid
+echo Place verifier to peers/$peerid/verifier
diff --git a/utils/storekey.sh b/utils/storekey.sh
new file mode 100755
index 0000000000000000000000000000000000000000..299883d67a37033a6d9813a08d54a9b8824d8e27
--- /dev/null
+++ b/utils/storekey.sh
@@ -0,0 +1,19 @@
+#!/bin/sh -e
+
+[ -n "$1" ] || {
+ cat <
+EOF
+ exit 1
+}
+
+echo -n Enter passphrase:
+stty -echo
+read passphrase
+stty echo
+umask 077
+cat > $1 <
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
+*/
+
+package govpn
+
+import (
+ "bytes"
+ "crypto/sha512"
+ "io/ioutil"
+ "strings"
+
+ "github.com/agl/ed25519"
+ "golang.org/x/crypto/pbkdf2"
+)
+
+const (
+ PBKDF2Iters = 1 << 16
+)
+
+// Create verifier from supplied password for given PeerId.
+func NewVerifier(id *PeerId, password string) (*[ed25519.PublicKeySize]byte, *[ed25519.PrivateKeySize]byte) {
+ r := pbkdf2.Key(
+ []byte(password),
+ id[:],
+ PBKDF2Iters,
+ ed25519.PrivateKeySize,
+ sha512.New,
+ )
+ defer sliceZero(r)
+ src := bytes.NewBuffer(r)
+ pub, priv, err := ed25519.GenerateKey(src)
+ if err != nil {
+ panic("Unable to generate Ed25519 keypair" + err.Error())
+ }
+ return pub, priv
+}
+
+// Read string from the file, trimming newline. Panics if error occured.
+func StringFromFile(path string) string {
+ s, err := ioutil.ReadFile(path)
+ if err != nil {
+ panic("Can not read string from" + path)
+ }
+ return strings.TrimRight(string(s), "\n")
+}