README.RU | 19 ++++++++++--------- VERSION | 2 +- common.mk | 4 ++-- doc/about.ru.texi | 26 ++++++++++++++++++++++++++ doc/about.texi | 25 +++++++++++++++++++++++++ doc/client.texi | 10 ++++++++-- doc/contacts.texi | 5 +++++ doc/cpr.texi | 2 ++ doc/developer.texi | 3 +++ doc/download.texi | 7 +++++++ doc/egd.texi | 3 +++ doc/encless.texi | 7 +++++++ doc/example.texi | 17 ++++++----------- doc/faq.ru.texi | 19 +++++++++++++++++++ doc/faq.texi | 32 ++++++++++++++++++++++++++++++++ doc/govpn.texi | 7 +++++++ doc/handshake.texi | 15 +++++++++++++++ doc/identity.texi | 2 ++ doc/installation.texi | 9 +++++++++ doc/integrity.texi | 4 ++++ doc/media.texi | 2 ++ doc/mtu.texi | 2 ++ doc/netproto.texi | 4 ++++ doc/news.texi | 30 ++++++++++++++++++++++++++++++ doc/noise.texi | 2 ++ doc/pake.texi | 38 ++++++++++++++++---------------------- doc/precautions.texi | 10 ++++++---- doc/proxy.texi | 5 +++++ doc/server.texi | 10 ++++++++++ doc/sources.texi | 6 ++++++ doc/stats.texi | 2 ++ doc/thanks.texi | 1 + doc/timeout.texi | 1 + doc/todo.texi | 1 + doc/transport.texi | 8 ++++++++ doc/user.texi | 6 +++++- doc/verifier.texi | 21 ++++++++++----------- doc/verifierstruct.texi | 4 ++++ src/govpn/cmd/govpn-client/main.go | 6 +++++- src/govpn/cmd/govpn-verifier/main.go | 12 ++++++++---- src/govpn/verifier.go | 26 +++++++++++++++++++++----- utils/makedist.sh | 9 +++++---- utils/newclient.sh | 11 +---------- utils/storekey.sh | 19 ------------------- diff --git a/README.RU b/README.RU index d6f5bfac819edddbb0769c19d0076e79ae553e58..a14edb0c9dc28d080159e540d396199039718b1c 100644 --- a/README.RU +++ b/README.RU @@ -6,23 +6,24 @@ Он использует быстрый сильный аутентифицируемый по парольной фразе несбалансированный протокол согласования ключей с двусторонней аутентификацией сторон (PAKE DH A-EKE). Зашифрованный, аутентифицируемый транспортный протокол передачи данных, скрывающий длины сообщений и их -временные характеристики. Свойство совершенной прямой секретности. -Устойчивость к: внесетевым (offline) атакам по словарю, атакам -повторного воспроизведения (replay), компрометации клиентских парольных -фраз на стороне сервера. Встроенные функции сердцебиения (heartbeat), -пересогласования ключей, статистика реального времени. Возможность -работы поверх UDP, TCP и HTTP прокси. Совместимость с IPv4 и IPv6. -Поддержка GNU/Linux и FreeBSD. +временные характеристики. Опциональный нешифрованный режим, который +всё-равно обеспечивает конфиденциальность и аутентичность данных. +Свойство совершенной прямой секретности. Устойчивость к: внесетевым +(offline) атакам по словарю, атакам повторного воспроизведения (replay), +компрометации клиентских парольных фраз на стороне сервера. Встроенные +функции сердцебиения (heartbeat), пересогласования ключей, статистика +реального времени. Возможность работы поверх UDP, TCP и HTTP прокси. +Совместимость с IPv4 и IPv6. Поддержка GNU/Linux и FreeBSD. GoVPN это свободное программное обеспечением: условия распространения находятся в файле COPYING. -Домашняя страница: http://govpn.info/ -> http://www.cypherpunks.ru/govpn/ +Домашняя страница: http://www.cypherpunks.ru/govpn/ (http://govpn.info/) также доступна как скрытый сервис Tor: http://vabu56j2ep2rwv3b.onion/govpn/ Пожалуйста все вопросы касающиеся использования GoVPN, отчёты об ошибках и патчи отправляйте в govpn-devel почтовую рассылку: -https://lists.cypherpunks.ru/mailman/listinfo/govpn-devel/ +https://lists.cypherpunks.ru/pipermail/govpn-devel/ Исходный код для разработчика находится в Git репозитории: http://git.cypherpunks.ru/cgit.cgi/govpn.git/ diff --git a/VERSION b/VERSION index a75b92f1ed766132f8e6b71376143c6a7111021a..ef425ca98208c00037caa6df391724cc8762d239 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -5.1 +5.2 diff --git a/common.mk b/common.mk index 30ac491b052e0d23d9ca91f384575b8da0e45c27..95349c4699392e8227b3f2be75dd2b2cfe697651 100644 --- a/common.mk +++ b/common.mk @@ -35,8 +35,8 @@ mkdir -p $(INFODIR) cp -f doc/govpn.info $(INFODIR) chmod 644 $(INFODIR)/govpn.info mkdir -p $(SHAREDIR) - cp -f utils/newclient.sh utils/storekey.sh $(SHAREDIR) - chmod 755 $(SHAREDIR)/newclient.sh $(SHAREDIR)/storekey.sh + cp -f utils/newclient.sh $(SHAREDIR) + chmod 755 $(SHAREDIR)/newclient.sh mkdir -p $(DOCDIR) cp -f -L AUTHORS INSTALL NEWS README README.RU THANKS $(DOCDIR) chmod 644 $(DOCDIR)/* diff --git a/doc/about.ru.texi b/doc/about.ru.texi index 12910b5f36ef6ed3483f6ae08eff2febba9c95f5..e301259441fe5e8aab9de1f31f6423ecbe1285f9 100644 --- a/doc/about.ru.texi +++ b/doc/about.ru.texi @@ -1,76 +1,102 @@ @node О демоне +@cindex About (russian) +@cindex Description (russian) +@cindex О демоне +@cindex Описание +@cindex Вступление @unnumbered Подробнее о демоне GoVPN GoVPN это простой демон виртуальных частных сетей, код которого нацелен на лёгкость чтения и анализа, безопасность, устойчивость к DPI/цензуре. @itemize + @item Свободное программное обеспечение, копилефт: лицензировано под условиями @url{https://www.gnu.org/licenses/gpl-3.0.ru.html, GPLv3+}. + @item Быстрый сильный @ref{PAKE, аутентифицируемый по парольной фразе} несбалансированный протокол @ref{Handshake, согласования ключей} с двусторонней аутентификацией сторон и нулевым неразглашением (PAKE DH A-EKE (Diffie-Hellman Augmented Encrypted Key Exchange)). + @item @ref{Verifier structure, Несбалансированные аутентификационные токены} устойчивые к внесетевым (offline) атакам по словарю. Используют усиленный по CPU и памяти алгоритм хэширования. Злоумышленник не может замаскироваться под клиента даже скомпрометировав базу данных токенов сервера. + @item Зашифрованный и аутентифицируемый @ref{Transport, транспортный протокол} передачи данных с 128-бит @ref{Developer, порогом безопасности} и современной криптографией. + @item Опциональный @ref{Encless, нешифрованный режим}: функции шифрования не применяются для исходящего трафика, вместо них кодирование всё-равно обеспечивающее конфиденциальность. Юрисдикции и суды не могут вас вынудить выдать ключи шифрования или привлечь за использование шифрования. + @item Цензуроустойчивые сообщения транспорта и рукопожатия: неотличимые от шума с опциональным скрытием размеров сообщений. + @item Свойство @url{https://ru.wikipedia.org/wiki/Perfect_forward_secrecy, совершенной прямой секретности} (perfect forward secrecy). + @item Защита от атак повторного воспроизведения (replay) (используя одноразовые MAC). + @item Встроенные функции пересогласования ключей (ротация сессионных ключей) и сердцебиения (heartbeat). + @item Возможность скрывать размеры пакетов путём @ref{Noise, зашумления} данных. + @item Возможность скрывать временные характеристики полезной нагрузки путём @ref{CPR, постоянного по скорости} трафика. + @item Совместимость с @url{http://egd.sourceforge.net/, EGD} (демон сборки энтропии) генераторами псевдослучайных чисел. + @item Поддержка нескольких клиентов одновременно с специфичной для каждого конфигурацией. Клиенты имеют заранее установленный @ref{Identity, идентификатор}, невидимый третьим лицам (они анонимны для них). + @item Использует @url{https://ru.wikipedia.org/wiki/TUN/TAP, TAP} низлежащие сетевые интерфейсы. + @item Может работать поверх @ref{Network, UDP и TCP} или HTTP @ref{Proxy, прокси} для доступа к серверу. + @item Полностью IPv4 и IPv6 совместимый. + @item Опциональный встроенный HTTP-сервер для получения @ref{Stats, статистики} о подключённых клиентах в режиме реального времени в @url{http://json.org/, JSON} формате. + @item Сервер конфигурируется используя @url{http://yaml.org/, YAML} файл. + @item Написан на языке @url{https://golang.org/, Go} с простым кодом, ориентированным на лёгкость чтения и анализа. + @item Поддержка @url{https://www.gnu.org/, GNU}/Linux и @url{https://www.freebsd.org/, FreeBSD}. + @end itemize diff --git a/doc/about.texi b/doc/about.texi index ded06b642e2267f876cc66bcb4209c04ed176701..de1abe907534bee6e6aff56dfbe9dd4d1f2dad06 100644 --- a/doc/about.texi +++ b/doc/about.texi @@ -1,70 +1,95 @@ +@cindex About +@cindex Description +@cindex Introduction + GoVPN is simple free software virtual private network daemon, aimed to be reviewable, secure and @url{https://en.wikipedia.org/wiki/Deep_packet_inspection, DPI}/censorship-resistant. @itemize + @item Copylefted free software: licenced under @url{https://www.gnu.org/licenses/gpl-3.0.html, GPLv3+}. + @item Fast strong @ref{PAKE, passphrase authenticated} augmented @ref{Handshake, key agreement protocol} with zero-knowledge mutual peers authentication (PAKE DH A-EKE (Diffie-Hellman Augmented Encrypted Key Exchange)). + @item @ref{Verifier structure, Augmented authentication tokens} resistant to offline dictionary attacks. They use CPU and memory hardened hashing algorithm. An attacker can not masquerade a client even with server passphrase verifiers compromising. + @item Encrypted and authenticated @ref{Transport, payload transport} with 128-bit @ref{Developer, security margin} state-of-the-art cryptography. + @item Optional @ref{Encless, encryptionless mode} of operation: no encryption functions are applied for outgoing traffic, but still confidentiality preserving encoding. Jurisdictions and courts can not either force you to reveal encryption keys or sue for encryption usage. + @item Censorship resistant handshake and transport messages: fully indistinguishable from the noise with optionally hidden packets length. + @item @url{https://en.wikipedia.org/wiki/Forward_secrecy, Perfect forward secrecy} property. + @item Replay attack protection (using one-time MACs). + @item Built-in rehandshake (session key rotation) and heartbeat features. + @item Ability to hide packets length with the @ref{Noise, noise} data. + @item Ability to hide payload timestamps with @ref{CPR, constant packet rate} traffic. + @item Compatible with @url{http://egd.sourceforge.net/, EGD} (entropy gathering daemon) PRNGs. + @item Several simultaneous clients support with per-client configuration options. Clients have pre-established @ref{Identity, identity} invisible for third-parties (they are anonymous). + @item Uses @url{https://en.wikipedia.org/wiki/TAP_(network_driver), TAP} underlying network interfaces. + @item Can use @ref{Network, UDP and TCP} or HTTP @ref{Proxy, proxies} for accessing the server. + @item Fully IPv4 and IPv6 compatible. + @item Optional built-in HTTP-server for retrieving real-time @ref{Stats, statistics} information about known connected peers in @url{http://json.org/, JSON} format. + @item Server is configured through the @url{http://yaml.org/, YAML} file. + @item Written on @url{https://golang.org/, Go} programming language with simple code that can be read and reviewed. + @item @url{https://www.gnu.org/, GNU}/Linux and @url{https://www.freebsd.org/, FreeBSD} support. + @end itemize diff --git a/doc/client.texi b/doc/client.texi index 88e338e3090de2c05cf0c89241e4294712101e21..ba7503874b41e9e02e3b1334929ddbc4486fc3eb 100644 --- a/doc/client.texi +++ b/doc/client.texi @@ -1,4 +1,10 @@ @node Client +@cindex Client +@cindex Client part +@cindex Client configuration +@cindex Client side +@cindex Configuring client +@cindex govpn-client @section Client part Except for common @code{-stats}, @code{-egd} options client has the @@ -31,8 +37,8 @@ @item -verifier Our client's @ref{Verifier}. @item -key -Path to the file with the passphrase. See @ref{Verifier} for -how to enter passphrase from stdin silently and store it in the file. +Path to the file with the passphrase. If omitted, then you will be asked +to enter it in the terminal. @item -timeout @ref{Timeout} setting in seconds. diff --git a/doc/contacts.texi b/doc/contacts.texi index 3f96135deda517e4fc4fd734226e15b455504a1b..c6915ef350944909647745d6c69d37e541ff78fe 100644 --- a/doc/contacts.texi +++ b/doc/contacts.texi @@ -1,4 +1,9 @@ @node Contacts +@cindex Contacts +@cindex Feedback +@cindex Support +@cindex Help +@cindex Maillist @unnumbered Contacts Please send questions regarding the use of GoVPN, bug reports and patches to diff --git a/doc/cpr.texi b/doc/cpr.texi index 5ea57177df8520442865eadd9ce1eab07ac5cc67..f4259f80511e1e4173d1ec00974c7363629f2c76 100644 --- a/doc/cpr.texi +++ b/doc/cpr.texi @@ -1,4 +1,6 @@ @node CPR +@cindex CPR +@cindex Constant Packet Rate @subsection Constant Packet Rate Constant Packet Rate is used to hide fact of underlying payload packets diff --git a/doc/developer.texi b/doc/developer.texi index 4293f800c06d8084790c564e26768c911d4509a4..30dd12f312c9bd5e38ba7dcd6c400b6504a0f533 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -1,4 +1,7 @@ @node Developer +@cindex Developer manual +@cindex Developer +@cindex Cryptography @unnumbered Developer manual Pay attention how to get @ref{Sources, development source code}. diff --git a/doc/download.texi b/doc/download.texi index 2217f3c30d6827f6c79dc56cb4306909a1e76e71..c67efed684884b400544b86f556a70e63634a140 100644 --- a/doc/download.texi +++ b/doc/download.texi @@ -1,10 +1,17 @@ @node Tarballs +@cindex Download +@cindex Tarball +@cindex Prepared tarballs @section Prepared tarballs You can obtain releases source code prepared tarballs from the links below: @multitable {XXXXX} {XXXX KiB} {link sign} {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} @headitem Version @tab Size @tab Tarball @tab SHA256 checksum + +@item 5.1 @tab 287 KiB +@tab @url{download/govpn-5.1.tar.xz, link} @url{download/govpn-5.1.tar.xz.sig, sign} +@tab @code{0d456c5683287dca31f8c3302eb9a9329feab82bc1fbdb0098fca991513536d1} @item 5.0 @tab 237 KiB @tab @url{download/govpn-5.0.tar.xz, link} @url{download/govpn-5.0.tar.xz.sig, sign} diff --git a/doc/egd.texi b/doc/egd.texi index c0006db3ac601ae52bb3595339956d8409d75b20..9984a20c1437f1f8d3b6138a315f3a47405e7076 100644 --- a/doc/egd.texi +++ b/doc/egd.texi @@ -1,4 +1,7 @@ @node EGD +@cindex EGD +@cindex Entropy Gathering Daemon +@cindex Entropy @subsection Entropy Gathering Daemon Overall security mainly depends on client side: diff --git a/doc/encless.texi b/doc/encless.texi index 6d44191ebdc1c5d492ffc321568e146f8d2acada..fd267c73be4a78ee592f426707eb38c43d65c2dd 100644 --- a/doc/encless.texi +++ b/doc/encless.texi @@ -1,4 +1,11 @@ @node Encless +@cindex Encryptionless +@cindex Encryptionless mode +@cindex Chaffing-and-Winnowing +@cindex AONT +@cindex All-Or-Nothing-Transformation +@cindex OAEP +@cindex SAEP+ @subsection Encryptionless mode Some jurisdictions can force user to reveal his encryption keys. However diff --git a/doc/example.texi b/doc/example.texi index f4f80f4bafebaf3bb22ab21a241252f15f4872cc..fe00545854bd630794b5afedcd5920369aa202ae 100644 --- a/doc/example.texi +++ b/doc/example.texi @@ -1,4 +1,7 @@ @node Example +@cindex Example +@cindex Example usage +@cindex Tutorial @section Example usage Let's assume that there is some insecure link between your computer and @@ -19,9 +22,11 @@ @strong{Prepare the client}. Generate client's verifier for Alice as an example: +@cindex newclient.sh + @verbatim client% ./utils/newclient.sh Alice -Enter passphrase: +Passphrase: Your client verifier is: $argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg Place the following YAML configuration entry on the server's side: @@ -30,11 +35,6 @@ Alice: up: /path/to/up.sh iface: or TAP interface name verifier: $argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg$KCNIqfS4DGsBTtVytamAzcISgrlEWvNxan1UfBrFu10 - -Verifier was generated with: - - ./utils/storekey.sh /tmp/passphrase - govpn-verifier -key /tmp/passphrase @end verbatim @strong{Prepare the server}. Add this entry to @code{peers.yaml} @@ -49,7 +49,6 @@ @strong{Prepare network on GNU/Linux IPv4 server}: @example -server% umask 077 server% ip addr add 192.168.0.1/24 dev wlan0 server% tunctl -t tap10 server% ip addr add 172.16.0.1/24 dev tap10 @@ -65,8 +64,6 @@ @strong{Prepare network on GNU/Linux IPv4 client}: @example -client% umask 066 -client% utils/storekey.sh key.txt client% ip addr add 192.168.0.2/24 dev wlan0 client% tunctl -t tap10 client% ip addr add 172.16.0.2/24 dev tap10 @@ -77,7 +74,6 @@ @strong{Run client daemon itself}: @example client% govpn-client \ - -key key.txt \ -verifier '$argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg' \ -iface tap10 \ -remote 192.168.0.1:1194 @@ -96,7 +92,6 @@ client% ifconfig tap10 client% ifconfig tap10 inet6 fc00::2/96 up client% route -6 add default fc00::1 client% govpn-client \ - -key key.txt \ -verifier '$argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg' \ -iface tap10 \ -remote "[fe80::1%me0]":1194 diff --git a/doc/faq.ru.texi b/doc/faq.ru.texi index 10f7fda6672b2dc0ad4683856d80e4abdb8b556d..903513760a44a2ff37e337532574378a0a9b608b 100644 --- a/doc/faq.ru.texi +++ b/doc/faq.ru.texi @@ -1,4 +1,7 @@ @node ЧАВО +@cindex FAQ (russian) +@cindex ЧАВО +@cindex Часто задаваемые вопросы @unnumbered Часто задаваемые вопросы @table @asis @@ -39,6 +42,7 @@ пароли): 100-200 символов, что даёт возможность использовать её как высокоэнтропийный ключ. Вам нужно доверять только себе, не аппаратному токену или другому устройству хранения. Это удобно. +@cindex Настройка сети @item Почему вся настройка сети делается вручную? Потому-что существует так много вариантов использования, конфигураций и установок, что или я поддерживаю их всех, или использую громоздкие @@ -57,10 +61,13 @@ долгоживущие ключи будут скомпрометированы. Это свойство работает на уровне сессии: оно не спасёт если сессионный ключ скомпрометирован из памяти. +@cindex Анонимность +@cindex Анонимные клиенты @item Что вы подразумеваете когда говорите что клиенты анонимны? Что третьей лицо не может отличить одного клиента от другого, смотря на трафик (транспортный или рукопожатия). +@cindex Цензуроустойчивость @item Что вы подразумеваете под цензуроустойчивостью? Невозможность определить GoVPN ли это трафик или просто @code{cat /dev/urandom | nc somehost}. Если вы не можете отличить один @@ -78,6 +85,11 @@ конфиденциальность и аутентичность передаваемых данных! Но имейте в виду, что этот режим требователен к ресурсам и трафику и пока работает только в TCP режиме. +@item Вы думаете нешифрованный режим с его случайными данными поможет в суде? +Если всё что не может быть прочитано кем-угодно считается шифрованием, +то нет, этот режим вам не поможет. Представьте что вы говорите на другом +иностранном языке или просто используете другую схему кодирования данных. + @item Когда я должен использовать @ref{Noise, noise} опцию? В большинстве случаев она вам не нужна без включённого @ref{CPR, постоянного по скорости трафика} (CPR). Без CPR и шума, в @@ -93,5 +105,12 @@ UMAC алгоритмом -- в большинстве случаев потребление ресурсов TCP/UDP слоёв будет выше чем проверка UMAC. Каждое сообщение рукопожатия обрабатывается только если зашифрованный @ref{Identity, идентификатор} клиента найден: он использует быстрый PRP без потребления энтропии. + +@item Почему YAML для конфигурации? +Есть не так много хорошо известных форматов позволяющих комментировать, +легко редактировать людьми (XML совсем не дружелюбен к человеку, JSON +более менее). Возможно самое важное свойство это шаблоны YAML: очень +удобно сохранить много клиентов, имеющих схожие настройки, в одном +конфигурационном файле. @end table diff --git a/doc/faq.texi b/doc/faq.texi index 0ac8de80d22a9573668da03bed7b689da19b7579..c9da019f1e2000b887469846527041e618d393a0 100644 --- a/doc/faq.texi +++ b/doc/faq.texi @@ -1,19 +1,24 @@ @node FAQ +@cindex FAQ +@cindex Frequently Asked Questions @unnumbered Frequently Asked Questions @table @asis +@cindex TLS @item Why do not you use TLS? It is complicated protocol. It uses Authenticate-then-Encrypt ordering of algorithms -- it is not secure. Moreover its libraries are huge and hard to read, review and analyze. +@cindex SSH @item Why do not you use SSH? Its first protocol versions used A-a-E ordering, however later ones supports even ChaCha20-Poly1305 algorithms. But its source code is not so trivial and rather big to read and review. OpenSSH does not support strong zero-knowledge password authentication. +@cindex IPsec @item Why do not you use IPsec? It is rather good protocol, supported by all modern OSes. But it lacks strong zero-knowledge password authentication and, again, its code is @@ -24,6 +29,8 @@ For the same reasons: most of software do not provide strong password authentication, high cryptographic protocol security, and most of this software is written in C -- it is hard to write right on it. +@cindex Why Go +@cindex Go @item Why GoVPN is written on Go? Go is very easy to read, review and support. It makes complex code writing a harder task. It provides everything needed to the C language: @@ -38,12 +45,17 @@ 100-200 characters, that gives ability to use it as a high-entropy key. You need to trust only yourself, not hardware token or some other storage device. It is convenient. +@cindex Network configuration @item Why all network configuration must be done manually? Because there are so many use-cases and setups, so many various protocols, that either I support all of them, or use complicated protocol setups like PPP, or just give right of the choice to the administrator. VPN is only just a layer. +@cindex Windows +@cindex Microsoft Windows +@cindex Apple OS X +@cindex OS X @item Why there is no either OS X or Windows support? Any closed source proprietary systems do not give ability to control the computer. You can not securely use cryptography-related stuff without @@ -55,10 +67,15 @@ You can not decrypt previously saved traffic by compromising long-lived keys. PFS property is per-session level: it won't protect from leaking the session key from the memory. +@cindex Anonymity +@cindex Anonymous clients @item What do you mean by saying that clients are anonymous? That third-party can not differentiate one client from another looking at the traffic (transport and handshake). +@cindex Censorship +@cindex Censorship resistance +@cindex DPI resistance @item What do you mean by censorship resistance? Unability to distinguish either is it GoVPN-traffic is passing by, or just @code{cat /dev/urandom | nc somehost}. If you can not differentiate @@ -75,6 +92,12 @@ provides confidentiality and authenticity of transmitted data! But pay attention that this mode is traffic and resource hungry and currently operate only in TCP mode. +@item Do you think encryptionless mode with all those random data helps in court? +If anything that can not be read by anyone is considered encryption, +then no, encryptionless mode won't help you. Imagine that either you are +talking on another foreign language, or just use another date encoding +scheme. + @item When should I use @ref{Noise, noise} option? In most cases you won't need it without @ref{CPR, constant packer rate} turned on. Without CPR and noise options GoVPN traffic (like TLS, IPsec, @@ -83,11 +106,20 @@ timestamps and sizes. You can run traffic analysis and predict what is going on in the network. With CPR option enabled you can tell either somebody is online, or not -- nothing less, nothing more. +@cindex DoS @item Can I DoS (denial of service) the daemon? Each transport packet is authenticated first with the very fast UMAC algorithm -- in most cases resource consumption of TCP/UDP layers will be higher then UMAC verifying. Each handshake message is processed only when an encrypted client's @ref{Identity, identity} is found: it uses fast PRP without any entropy usage. + +@cindex Why YAML +@item Why YAML for configuration? +There are not so many well-known formats that allow commenting, easy +editing by human (XML is not human friendly at all, JSON is more or +less). Probably the most useful feature is YAML's templates: it is very +convenient for storing many clients sharing the same options in the +configuration file. @end table diff --git a/doc/govpn.texi b/doc/govpn.texi index 7fab9f37734bf745115d85b7c3828e6cd07e10be..73e69084f21512616a984fc582c7b60124bc78ca 100644 --- a/doc/govpn.texi +++ b/doc/govpn.texi @@ -40,6 +40,7 @@ * Thanks:: * In the media: Media. * TODO:: * Copying conditions:: +* Concept index:: @end menu @include about.ru.texi @@ -60,4 +61,10 @@ @unnumbered Copying conditions @insertcopying @verbatiminclude fdl.txt + +@node Concept index +@unnumbered Concept index + +@printindex cp + @bye diff --git a/doc/handshake.texi b/doc/handshake.texi index f19fde0c153d9f0b7afe9bd2411aee9916d233a4..3efe97d636b470fd05632db271fc73164707d588 100644 --- a/doc/handshake.texi +++ b/doc/handshake.texi @@ -1,4 +1,19 @@ @node Handshake +@cindex Handshake +@cindex Handshake protocol +@cindex Diffie-Hellman +@cindex ed25519 +@cindex curve25519 +@cindex Elligator +@cindex Perfect Forward Secrecy +@cindex PFS +@cindex IDtag +@cindex Shared key +@cindex DH-EKE +@cindex DH +@cindex EKE +@cindex A-EKE +@cindex DH-A-EKE @section Handshake protocol @verbatiminclude handshake.utxt diff --git a/doc/identity.texi b/doc/identity.texi index 3a37790cab5f9b132a69ef345058089d60d322f3..d74e6cfd14e8b76540e3419f0edbd2f1cd1df5a8 100644 --- a/doc/identity.texi +++ b/doc/identity.texi @@ -1,4 +1,6 @@ @node Identity +@cindex Client identity +@cindex Identity @subsection Identity Client's identity is 128-bit string. It is not secret, so can be diff --git a/doc/installation.texi b/doc/installation.texi index c6ac214207974fd8693e2df8e406214868b8f1b0..ca95bb1bd216693decec0da5af1550503326bca9 100644 --- a/doc/installation.texi +++ b/doc/installation.texi @@ -1,4 +1,13 @@ @node Installation +@cindex Installation +@cindex Getting GoVPN +@cindex Requirements +@cindex Dependencies +@cindex Ports +@cindex Packages +@cindex FreeBSD +@cindex AUR +@cindex Texinfo @unnumbered Installation Possibly GoVPN already exists in your distribution: diff --git a/doc/integrity.texi b/doc/integrity.texi index ccbb5c875da28c9e666790adfce6e2bead579cca..b9c6ff522b52b4b363a6cf93b201e19d518803fa 100644 --- a/doc/integrity.texi +++ b/doc/integrity.texi @@ -1,4 +1,8 @@ @node Integrity +@cindex Integrity +@cindex Tarball integrity +@cindex PGP +@cindex Public key @section Tarballs integrity check You @strong{have to} verify downloaded archives integrity and check diff --git a/doc/media.texi b/doc/media.texi index b129c0dd1b69c40f679e4e433ba72513bb97cbe4..332ed6388af68af9c1492733475c020cdca957bc 100644 --- a/doc/media.texi +++ b/doc/media.texi @@ -1,4 +1,6 @@ @node Media +@cindex In the media +@cindex Articles @unnumbered In the media @itemize diff --git a/doc/mtu.texi b/doc/mtu.texi index 29930b641063de86616d4589872a73a5240a5528..2206c553c9a4c5b63ea48d4a205bec9b3c33d755 100644 --- a/doc/mtu.texi +++ b/doc/mtu.texi @@ -1,4 +1,6 @@ @node MTU +@cindex MTU +@cindex Maximum Transmission Unit @subsection Maximum Transmission Unit MTU option tells what maximum transmission unit is expected to get from diff --git a/doc/netproto.texi b/doc/netproto.texi index d57edb35ab0dbdf5a95a85dd48ed9b7ce05856bc..f5b26f4072336b988fa4b2bab21e4a7b7973dac8 100644 --- a/doc/netproto.texi +++ b/doc/netproto.texi @@ -1,4 +1,8 @@ @node Network +@cindex Transport +@cindex Network transport +@cindex TCP +@cindex UDP @subsection Network transport You can use either UDP or TCP underlying network transport protocols. diff --git a/doc/news.texi b/doc/news.texi index d70471509ce0a18727ad6a0c8475a2979881bf40..608613a93689fd2ca87430ac8dfe02190c5a8ccc 100644 --- a/doc/news.texi +++ b/doc/news.texi @@ -1,9 +1,19 @@ @node News +@cindex Releases +@cindex News @unnumbered News @table @strong +@item Release 5.2 +@cindex Release 5.2 +@itemize +@item Ability to read passphrases directly from the terminal (user's +input) without using of keyfiles. @code{storekey.sh} utility removed. +@end itemize + @item Release 5.1 +@cindex Release 5.1 @itemize @item Server is configured using @url{http://yaml.org/, YAML} file. It is very convenient to have comments and templates, comparing to JSON. @@ -12,6 +22,7 @@ with @emph{BLAKE2b} in handshake code. @end itemize @item Release 5.0 +@cindex Release 5.0 @itemize @item New optional @ref{Encless, encryptionless mode} of operation. Technically no encryption functions are applied for outgoing packets, so @@ -25,12 +36,14 @@ @item @code{govpn-verifier} utility also can use @ref{EGD}. @end itemize @item Release 4.2 +@cindex Release 4.2 @itemize @item Fixed non-critical bug when server may fail if up-script is not executed successfully. @end itemize @item Release 4.1 +@cindex Release 4.1 @itemize @item @url{https://password-hashing.net/#argon2, Argon2d} is used instead of PBKDF2 for password verifier hashing. @@ -39,6 +52,7 @@ server-side configuration and the code. @end itemize @item Release 4.0 +@cindex Release 4.0 @itemize @item Handshake messages can be noised: their messages lengths are hidden. Now they are indistinguishable from transport messages. @@ -48,6 +62,7 @@ @item Single JSON file server configuration. @end itemize @item Release 3.5 +@cindex Release 3.5 @itemize @item Ability to use @ref{Network, TCP} network transport. Server can listen on both UDP and TCP sockets. @@ -59,6 +74,7 @@ reasons. @end itemize @item Release 3.4 +@cindex Release 3.4 @itemize @item Ability to use external @ref{EGD}-compatible PRNGs. Now you are able to use GoVPN even on systems with the bad @code{/dev/random}, @@ -69,6 +85,7 @@ without performance degradation related to inbound packets reordering. @end itemize @item Release 3.3 +@cindex Release 3.3 @itemize @item Compatibility with an old GNU Make 3.x. Previously only BSD Make and GNU Make 4.x were supported. @@ -79,6 +96,7 @@ @item Updated user manual examples. @end itemize @item Release 3.2 +@cindex Release 3.2 @itemize @item Deterministic building: dependent libraries source code commits are @@ -91,6 +109,7 @@ FreeBSD Make compatibility. GNU Make is not necessary anymore. @end itemize @item Release 3.1 +@cindex Release 3.1 @itemize @item Diffie-Hellman public keys are encoded with Elligator algorithm when @@ -101,6 +120,7 @@ consume twice entropy for DH key generation in average. @end itemize @item Release 3.0 +@cindex Release 3.0 @itemize @item EKE protocol is replaced by Augmented-EKE and static symmetric (both @@ -133,6 +153,7 @@ @code{-cpr} configuration options for server. @end itemize @item Release 2.4 +@cindex Release 2.4 @itemize @item Added ability to optionally run built-in HTTP-server responding with @@ -144,6 +165,7 @@ Documentation is explicitly licenced under GNU FDL 1.3+. @end itemize @item Release 2.3 +@cindex Release 2.3 @itemize @item Handshake packets became indistinguishable from the random. @@ -159,16 +181,19 @@ consuming and resource heavy computations. @end itemize @item Release 2.2 +@cindex Release 2.2 @itemize @item Fixed several possible channel deadlocks. @end itemize @item Release 2.1 +@cindex Release 2.1 @itemize @item Fixed Linux-related building. @end itemize @item Release 2.0 +@cindex Release 2.0 @itemize @item Added clients identification. @item Simultaneous several clients support by server. @@ -176,16 +201,19 @@ @item Per-client up/down scripts. @end itemize @item Release 1.5 +@cindex Release 1.5 @itemize @item Nonce obfuscation/encryption. @end itemize @item Release 1.4 +@cindex Release 1.4 @itemize @item Performance optimizations. @end itemize @item Release 1.3 +@cindex Release 1.3 @itemize @item Heartbeat feature. @item Rehandshake feature. @@ -193,11 +221,13 @@ @item up- and down- optinal scripts. @end itemize @item Release 1.1 +@cindex Release 1.1 @itemize @item FreeBSD support. @end itemize @item Release 1.0 +@cindex Release 1.0 @itemize @item Initial stable release. @end itemize diff --git a/doc/noise.texi b/doc/noise.texi index 5df68a984a27b2e340b32cfe415811186dd13007..9e171d12d4088ac4edc2c69b7236c6430d5c4a75 100644 --- a/doc/noise.texi +++ b/doc/noise.texi @@ -1,4 +1,6 @@ @node Noise +@cindex Noise +@cindex Timestamps @subsection Noise So-called noise is used to hide underlying payload packets length. diff --git a/doc/pake.texi b/doc/pake.texi index b80f5697f51fc964eb0be98a4d6c173b2b0310fb..d343a49d3ff6d49b31d4ab4831cdd7dedf28be37 100644 --- a/doc/pake.texi +++ b/doc/pake.texi @@ -1,30 +1,24 @@ @node PAKE +@cindex Password Authenticated Key Agreement +@cindex PAKE @subsection Password Authenticated Key Agreement -Previously we used pre-shared high-entropy long-term static key for -client-server authentication. Is is secure, but not convenient for some -user use-cases: +GoVPN uses strong password authentication. That means that it uses human +memorable @strong{passphrases}, instead of some small high-entropy keys +that must be carried with himself. Passphrases differ from passwords: +they are long string of low-entropy characters -- they are easy to +remember and can have high overall entropy. + +Strong zero-knowledge authentication means that: @itemize -@item Compromising of passphrase files on either server or client side -allows attacker to masquerade himself a client. -@item To prevent compromising of keys on the client side, one needs some -kind of passphrase protected secure storage (like either PGP with -decryption to the memory, or full-disk encryption). +@item compromising of passphrase files on either server or client sides +won't allow attackers to masquerade himself the client; +@item no need of protected secure storage on the server's side to keep +keys in safety. @end itemize -Overall security on the client side is concentrated in passphrase -(high-entropy password), so it is convenient to use it in GoVPN -directly, without static on-disk keys. That is why we use passphrase -authenticated key agreement. - -We use "passphrase" term instead of "password". Technically there may be -no difference between them. But as a rule passphrases are @strong{long} -strings with low entropy characters. Because of low entropy characters, -they are memorable. Because of their quantity, they acts as a high -entropy source. - Passphrases are entered directly by the human on the client side. Server -side stores previously shared so-called @ref{Verifier, verifier}. Verifier -contains dictionary attack resistant password derivative. Attacker can not -use it to act as a client. +side stores pre-shared @ref{Verifier, verifier}, containing dictionary +attack resistant passphrase derivative. Attacker can not use it to act +as a client. diff --git a/doc/precautions.texi b/doc/precautions.texi index fbf45d13a4636b2315c7ec52f504362b53858e5c..04017782e069b0e0aa3b03b0342ae6f6f0bb66c8 100644 --- a/doc/precautions.texi +++ b/doc/precautions.texi @@ -1,12 +1,14 @@ @node Precautions +@cindex Dangers +@cindex Precautions @unnumbered Precautions @enumerate @item -We use password (passphrase) authentication, so overall security fully -depends on its strength. You @strong{should} use long, high-entropy -passphrases. Also remember to keep passphrase in temporary file and read -it securely as described in @ref{Verifier, verifier}. +We use passphrase authentication, so overall security fully depends on +its strength. You @strong{should} use long, high-entropy passphrases. +Also remember to keep passphrase in temporary file and read it securely +as described in @ref{Verifier, verifier}. @item You must @strong{never} use the same key for multiple clients. diff --git a/doc/proxy.texi b/doc/proxy.texi index b0f08fc97644a51300683ec5641fc02e632350ad..a314b798efb3c7a4ed31b260b6270335d4c78d9d 100644 --- a/doc/proxy.texi +++ b/doc/proxy.texi @@ -1,4 +1,9 @@ @node Proxy +@cindex Proxy +@cindex HTTP proxy +@cindex HTTP authentication +@cindex CONNECT +@cindex HTTP @subsection Proxy You can proxy your requests through HTTP using CONNECT method. This can diff --git a/doc/server.texi b/doc/server.texi index 0882ff2d3ea62315c7dc1a6475f3237ab38a872c..ee132bdac8ae003c1ec18f70d0491665a43af41e 100644 --- a/doc/server.texi +++ b/doc/server.texi @@ -1,4 +1,9 @@ @node Server +@cindex Server +@cindex Server part +@cindex Server configuration +@cindex Server side +@cindex govpn-server @section Server part Except for common @code{-stats}, @code{-egd} options server has the @@ -21,6 +26,9 @@ Start trivial HTTP @ref{Proxy} server on specified @emph{host:port}. @end table +@cindex YAML +@cindex YAML configuration +@cindex Configuration file Configuration file is YAML file with following example structure: @verbatim @@ -44,6 +52,8 @@ must output interface's name to stdout (first output line). For example up-script can be just @code{echo tap10}, or more advanced like the following one: + +@cindex up-script @example #!/bin/sh diff --git a/doc/sources.texi b/doc/sources.texi index 862fa86dfeb057c8ea4ae58f97a91736bafe2ffd..f1eb3eb90f31f20a3e2699e9238309f8099875d1 100644 --- a/doc/sources.texi +++ b/doc/sources.texi @@ -1,4 +1,10 @@ @node Sources +@cindex Sources +@cindex Source code +@cindex Development source code +@cindex Git +@cindex Repository +@cindex Mirrors @section Development source code Development source code contains the latest version of the code. It may diff --git a/doc/stats.texi b/doc/stats.texi index c543137a808a08dfe755e3083d755805aab50d23..0c147005d802ebb5593e70c84f06ae71fedcabd8 100644 --- a/doc/stats.texi +++ b/doc/stats.texi @@ -1,4 +1,6 @@ @node Stats +@cindex Stats +@cindex Statistics @subsection Statistics Both client and server has ability to show statistics about known diff --git a/doc/thanks.texi b/doc/thanks.texi index d551819bcc3734ff66e4c294145cf27a69d858dc..aed296addb680dcee2740ee482b5c7f0797ce666 100644 --- a/doc/thanks.texi +++ b/doc/thanks.texi @@ -1,4 +1,5 @@ @node Thanks +@cindex Thanks @unnumbered Thanks Thanks for contributions and suggestions to: diff --git a/doc/timeout.texi b/doc/timeout.texi index 89dd5b011579ae16c80dc05bf8d1f28eea33bcab..89dcf1e500c8c76e4714c967e75455edc02b2e99 100644 --- a/doc/timeout.texi +++ b/doc/timeout.texi @@ -1,4 +1,5 @@ @node Timeout +@cindex Timeout @subsection Timeout Because of stateless UDP nature there is no way to reliably know if diff --git a/doc/todo.texi b/doc/todo.texi index 520192c6ac01901d009024313d60f99ff7df4330..f77ab2f0009238a492e6663700c354e2ea4d9fa6 100644 --- a/doc/todo.texi +++ b/doc/todo.texi @@ -1,4 +1,5 @@ @node TODO +@cindex TODO @unnumbered TODO @itemize diff --git a/doc/transport.texi b/doc/transport.texi index 4b8413b23e470b0cb58543ecaa4c92c89d572731..3b894ec99a146b61e797950f9c867adf1bf30f35 100644 --- a/doc/transport.texi +++ b/doc/transport.texi @@ -1,4 +1,12 @@ @node Transport +@cindex Transport +@cindex Transport protocol +@cindex Salsa20 +@cindex PRP +@cindex Nonce +@cindex Poly1305 +@cindex XTEA +@cindex Serial @section Transport protocol @verbatim diff --git a/doc/user.texi b/doc/user.texi index d2118b30be55b78f09fb8ce38a3a4fe01723dcdb..ca2e81c4c371d638c86f7d183171682393d7a67b 100644 --- a/doc/user.texi +++ b/doc/user.texi @@ -1,7 +1,10 @@ @node User +@cindex User +@cindex User manual @unnumbered User manual -Announcements about updates and new releases can be found in @ref{Contacts}. +Announcements about updates and new releases can be found in +@ref{Contacts, contacts}. GoVPN is split into two pieces: @ref{Client} and @ref{Server}. Each of them work on top of @ref{Network, UDP/TCP} and TAP virtual network @@ -9,6 +12,7 @@ interfaces. GoVPN is just a tunnelling of Ethernet frames, nothing less, nothing more. All you IP-related network management is not touched by VPN at all. You can automate it using up and down shell scripts. +@cindex Performance What network performance can user expect? For example single @emph{Intel i5-2450M 2.5 GHz} core on @emph{FreeBSD 10.2 amd64} with @emph{Go 1.5.1} gives 786 Mbps (UDP transport) throughput. diff --git a/doc/verifier.texi b/doc/verifier.texi index bb364d747f6568f5b52e24fe3321571e82c08043..861bef0a25ee6cbd76146b8e0211571f908f3f5d 100644 --- a/doc/verifier.texi +++ b/doc/verifier.texi @@ -1,15 +1,13 @@ @node Verifier +@cindex Verifier +@cindex govpn-verifier @subsection Verifier -Verifier is created using @code{govpn-verifier} utility. But currently -Go does not provide native instruments to read passwords without echoing -them to stdout. You can use @code{utils/storekey.sh} script to read them -silently. +Verifier is created using @code{govpn-verifier} utility. @example -% utils/storekey.sh mypass.txt -Enter passphrase:[hello world] -% govpn-verifier -key mypass.txt +% govpn-verifier +Passphrase:[hello world] $argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg$KCNIqfS4DGsBTtVytamAzcISgrlEWvNxan1UfBrFu10 $argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg @end example @@ -22,10 +20,11 @@ You can check passphrase against verifier by specifying @code{-verifier} option with the path to verifier file: @example -% govpn-verifier -key mypass.txt -verifier '$argon2d...' +% govpn-verifier -verifier '$argon2d...' +Passphrase:[hello world] true @end example -Plaintext passphrases @strong{must} be stored on volatile memory, for -example either in memory disk, or on encrypted filesystem with -restrictive permissions to the file. +Optionally you can store plaintext passphrases on volatile memory +(memory disk, encrypted filesystem with restrictive permissions to the +file) and provide @code{-key} option. diff --git a/doc/verifierstruct.texi b/doc/verifierstruct.texi index 792506dd9f93ac95f4509998c07b8ce2db8cbf14..51cf2893e3b2bf564485df76ee36bed9f4d6686b 100644 --- a/doc/verifierstruct.texi +++ b/doc/verifierstruct.texi @@ -1,4 +1,8 @@ @node Verifier structure +@cindex Verifier structure +@cindex Argon2 +@cindex Argon2d +@cindex Salt @section Verifier structure Verifier is a derivative of the password. It is resistant to diff --git a/src/govpn/cmd/govpn-client/main.go b/src/govpn/cmd/govpn-client/main.go index c4414050937f20e9740a3233d6e2d0c1fcac193e..e73854cb482e1246fdfa96fdb1188de17e69ecf1 100644 --- a/src/govpn/cmd/govpn-client/main.go +++ b/src/govpn/cmd/govpn-client/main.go @@ -74,7 +74,11 @@ verifier, err := govpn.VerifierFromString(*verifierRaw) if err != nil { log.Fatalln(err) } - priv := verifier.PasswordApply(govpn.StringFromFile(*keyPath)) + key, err := govpn.KeyRead(*keyPath) + if err != nil { + log.Fatalln("Unable to read the key", err) + } + priv := verifier.PasswordApply(key) if *encless { if *proto != "tcp" { log.Fatalln("Currently encryptionless mode works only with TCP") diff --git a/src/govpn/cmd/govpn-verifier/main.go b/src/govpn/cmd/govpn-verifier/main.go index a7c16f0bbe37971cb1f0e47da8c25ff92a192bc8..10bd90b0902e2c934c8c435cc3b5e5e9dbce1a48 100644 --- a/src/govpn/cmd/govpn-verifier/main.go +++ b/src/govpn/cmd/govpn-verifier/main.go @@ -20,7 +20,7 @@ // Verifier generator and validator for GoVPN VPN daemon. package main import ( - "crypto/subtle" + "bytes" "flag" "fmt" "log" @@ -41,6 +41,10 @@ func main() { flag.Parse() if *egdPath != "" { govpn.EGDInit(*egdPath) + } + key, err := govpn.KeyRead(*keyPath) + if err != nil { + log.Fatalln("Unable to read the key", err) } if *verifier == "" { id := new([govpn.IDSize]byte) @@ -49,7 +53,7 @@ log.Fatalln(err) } pid := govpn.PeerId(*id) v := govpn.VerifierNew(*mOpt, *tOpt, *pOpt, &pid) - v.PasswordApply(govpn.StringFromFile(*keyPath)) + v.PasswordApply(key) fmt.Println(v.LongForm()) fmt.Println(v.ShortForm()) return @@ -62,6 +66,6 @@ if v.Pub == nil { log.Fatalln("Verifier does not contain public key") } pub := *v.Pub - v.PasswordApply(govpn.StringFromFile(*keyPath)) - fmt.Println(subtle.ConstantTimeCompare(v.Pub[:], pub[:]) == 1) + v.PasswordApply(key) + fmt.Println(bytes.Equal(v.Pub[:], pub[:])) } diff --git a/src/govpn/verifier.go b/src/govpn/verifier.go index ba51846ce23eb17c42b4a9b9fcc5d0333f848bbc..0dc9388188ad0e1f0c29eec611e7218cae32b687 100644 --- a/src/govpn/verifier.go +++ b/src/govpn/verifier.go @@ -29,6 +29,7 @@ "strings" "github.com/agl/ed25519" "github.com/magical/argon2" + "golang.org/x/crypto/ssh/terminal" ) const ( @@ -117,11 +118,26 @@ base64.RawStdEncoding.EncodeToString(v.Pub[:]), ) } -// Read string from the file, trimming newline. -func StringFromFile(path string) string { - s, err := ioutil.ReadFile(path) +// Read the key either from text file (if path is specified), or +// from the terminal. +func KeyRead(path string) (string, error) { + var p []byte + var err error + var pass string + if path == "" { + fmt.Print("Passphrase:") + p, err = terminal.ReadPassword(0) + fmt.Print("\n") + pass = string(p) + } else { + p, err = ioutil.ReadFile(path) + pass = strings.TrimRight(string(p), "\n") + } if err != nil { - log.Fatalln("Can not read string from", path, err) + return "", err } - return strings.TrimRight(string(s), "\n") + if len(pass) == 0 { + return "", errors.New("Empty passphrase submitted") + } + return pass, err } diff --git a/utils/makedist.sh b/utils/makedist.sh index 3c5ce99b78416e1b2d3764212c229a56dd024a7f..2a6ee311f36610e0de9c7080fe83defb77b79d0b 100755 --- a/utils/makedist.sh +++ b/utils/makedist.sh @@ -9,12 +9,12 @@ [ -n "$release" ] git clone . $tmp/govpn-$release repos=" - src/github.com/bigeagle/water src/github.com/agl/ed25519 - src/github.com/magical/argon2 + src/github.com/bigeagle/water src/github.com/dchest/blake2b + src/github.com/go-yaml/yaml + src/github.com/magical/argon2 src/golang.org/x/crypto - src/github.com/go-yaml/yaml " for repo in $repos; do git clone $repo $tmp/govpn-$release/$repo @@ -32,6 +32,7 @@ golang.org/x/crypto/README golang.org/x/crypto/curve25519 golang.org/x/crypto/poly1305 golang.org/x/crypto/salsa20 +golang.org/x/crypto/ssh/terminal golang.org/x/crypto/xtea EOF tar cfCI - src $tmp/includes | tar xfC - $tmp @@ -143,8 +144,8 @@ ----------------8<-----------------8<-----------------8<---------------- Домашняя страница GoVPN: http://www.cypherpunks.ru/govpn/ (http://govpn.info/) -Коротко о демоне: http://www.cypherpunks.ru/govpn/O-demone.html также доступна как скрытый сервис Tor: http://vabu56j2ep2rwv3b.onion/govpn/ +Коротко о демоне: http://www.cypherpunks.ru/govpn/O-demone.html Исходный код и его подпись для этой версии находится здесь: diff --git a/utils/newclient.sh b/utils/newclient.sh index 44c7ef5e977c044a369a26ad1c1ce185dcaad996..aebc975b52e2f0f37c9810e925963733094e6781 100755 --- a/utils/newclient.sh +++ b/utils/newclient.sh @@ -14,11 +14,7 @@ exit 1 } username=$1 -umask 077 -passphrase=$(mktemp) -$(dirname $0)/storekey.sh $passphrase -verifier=$(govpn-verifier -key $passphrase) -rm -f $passphrase +verifier=$(govpn-verifier) verifierS=$(echo $verifier | sed 's/^\(.*\) .*$/\1/') verifierC=$(echo $verifier | sed 's/^.* \(.*\)$/\1/') echo @@ -32,9 +28,4 @@ $username: up: /path/to/up.sh iface: or TAP interface name verifier: $verifierS - -Verifier was generated with: - - $(dirname $0)/storekey.sh /tmp/passphrase - govpn-verifier -key /tmp/passphrase EOF diff --git a/utils/storekey.sh b/utils/storekey.sh deleted file mode 100755 index 299883d67a37033a6d9813a08d54a9b8824d8e27..0000000000000000000000000000000000000000 --- a/utils/storekey.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh -e - -[ -n "$1" ] || { - cat < -EOF - exit 1 -} - -echo -n Enter passphrase: -stty -echo -read passphrase -stty echo -umask 077 -cat > $1 <