+/*
+GoVPN -- simple secure free software virtual private network daemon
+Copyright (C) 2014-2016 Sergey Matveev <stargrave@stargrave.org>
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
package govpn
import (
PktSizeSize = 2
// Heartbeat rate, relative to Timeout
TimeoutHeartbeat = 4
+ // Minimal valid packet length
+ MinPktLength = 2 + 16 + 8
)
func newNonceCipher(key *[32]byte) *xtea.Cipher {
NoiseEnable bool
CPR int
CPRCycle time.Duration `json:"-"`
+ EncLess bool
// Cryptography related
Key *[SSize]byte `json:"-"`
HeartbeatSent int
// Receiver
- BusyR sync.Mutex
+ BusyR sync.Mutex `json:"-"`
bufR []byte
tagR *[TagSize]byte
keyAuthR *[SSize]byte
pktSizeR uint16
// Transmitter
- BusyT sync.Mutex
+ BusyT sync.Mutex `json:"-"`
bufT []byte
tagT *[TagSize]byte
keyAuthT *[SSize]byte
func (p *Peer) Zero() {
p.BusyT.Lock()
p.BusyR.Lock()
- sliceZero(p.Key[:])
- sliceZero(p.bufR)
- sliceZero(p.bufT)
- sliceZero(p.keyAuthR[:])
- sliceZero(p.keyAuthT[:])
+ SliceZero(p.Key[:])
+ SliceZero(p.bufR)
+ SliceZero(p.bufT)
+ SliceZero(p.keyAuthR[:])
+ SliceZero(p.keyAuthT[:])
p.BusyT.Unlock()
p.BusyR.Unlock()
}
+func (p *Peer) NonceExpectation(buf []byte) {
+ binary.BigEndian.PutUint64(buf, p.NonceExpect)
+ p.NonceCipher.Encrypt(buf, buf)
+}
+
func newPeer(isClient bool, addr string, conn io.Writer, conf *PeerConf, key *[SSize]byte) *Peer {
now := time.Now()
timeout := conf.Timeout
cprCycle := cprCycleCalculate(conf.CPR)
- noiseEnable := conf.NoiseEnable
+ noiseEnable := conf.Noise
if conf.CPR > 0 {
noiseEnable = true
timeout = cprCycle
timeout = timeout / TimeoutHeartbeat
}
+ bufSize := S20BS + MTU + NonceSize
+ if conf.EncLess {
+ bufSize += EncLessEnlargeSize
+ noiseEnable = true
+ }
peer := Peer{
Addr: addr,
Id: conf.Id,
NoiseEnable: noiseEnable,
CPR: conf.CPR,
CPRCycle: cprCycle,
+ EncLess: conf.EncLess,
Key: key,
NonceCipher: newNonceCipher(key),
Established: now,
LastPing: now,
- bufR: make([]byte, S20BS+MTU+NonceSize),
- bufT: make([]byte, S20BS+MTU+NonceSize),
+ bufR: make([]byte, bufSize),
+ bufT: make([]byte, bufSize),
tagR: new([TagSize]byte),
tagT: new([TagSize]byte),
keyAuthR: new([SSize]byte),
p.BusyT.Unlock()
return
}
- p.bufT[S20BS+0] = byte(0)
- p.bufT[S20BS+1] = byte(0)
+ p.bufT[S20BS+0] = 0
+ p.bufT[S20BS+1] = 0
p.HeartbeatSent++
} else {
// Copy payload to our internal buffer and we are ready to
p.BytesPayloadOut += int64(len(data))
}
- if p.NoiseEnable {
+ if p.NoiseEnable && !p.EncLess {
p.frameT = p.bufT[S20BS : S20BS+MTU-TagSize]
+ } else if p.EncLess {
+ p.frameT = p.bufT[S20BS : S20BS+MTU]
} else {
p.frameT = p.bufT[S20BS : S20BS+PktSizeSize+len(data)+NonceSize]
}
p.frameT[len(p.frameT)-NonceSize:],
p.frameT[len(p.frameT)-NonceSize:],
)
- for i := 0; i < SSize; i++ {
- p.bufT[i] = byte(0)
+ var out []byte
+ if p.EncLess {
+ var err error
+ out, err = EncLessEncode(
+ p.Key,
+ p.frameT[len(p.frameT)-NonceSize:],
+ p.frameT[:len(p.frameT)-NonceSize],
+ )
+ if err != nil {
+ panic(err)
+ }
+ out = append(out, p.frameT[len(p.frameT)-NonceSize:]...)
+ } else {
+ for i := 0; i < SSize; i++ {
+ p.bufT[i] = 0
+ }
+ salsa20.XORKeyStream(
+ p.bufT[:S20BS+len(p.frameT)-NonceSize],
+ p.bufT[:S20BS+len(p.frameT)-NonceSize],
+ p.frameT[len(p.frameT)-NonceSize:],
+ p.Key,
+ )
+ copy(p.keyAuthT[:], p.bufT[:SSize])
+ poly1305.Sum(p.tagT, p.frameT, p.keyAuthT)
+ atomic.AddInt64(&p.BytesOut, int64(len(p.frameT)+TagSize))
+ out = append(p.tagT[:], p.frameT...)
}
- salsa20.XORKeyStream(
- p.bufT[:S20BS+len(p.frameT)-NonceSize],
- p.bufT[:S20BS+len(p.frameT)-NonceSize],
- p.frameT[len(p.frameT)-NonceSize:],
- p.Key,
- )
-
- copy(p.keyAuthT[:], p.bufT[:SSize])
- poly1305.Sum(p.tagT, p.frameT, p.keyAuthT)
-
- atomic.AddInt64(&p.BytesOut, int64(len(p.frameT)+TagSize))
p.FramesOut++
if p.CPRCycle != time.Duration(0) {
}
p.LastSent = p.now
- p.Conn.Write(append(p.tagT[:], p.frameT...))
+ p.Conn.Write(out)
p.BusyT.Unlock()
}
func (p *Peer) PktProcess(data []byte, tap io.Writer, reorderable bool) bool {
- p.BusyR.Lock()
- for i := 0; i < SSize; i++ {
- p.bufR[i] = byte(0)
- }
- copy(p.bufR[S20BS:], data[TagSize:])
- salsa20.XORKeyStream(
- p.bufR[:S20BS+len(data)-TagSize-NonceSize],
- p.bufR[:S20BS+len(data)-TagSize-NonceSize],
- data[len(data)-NonceSize:],
- p.Key,
- )
-
- copy(p.keyAuthR[:], p.bufR[:SSize])
- copy(p.tagR[:], data[:TagSize])
- if !poly1305.Verify(p.tagR, data[TagSize:], p.keyAuthR) {
- p.FramesUnauth++
- p.BusyR.Unlock()
+ if len(data) < MinPktLength {
return false
}
+ var out []byte
+ p.BusyR.Lock()
+ if p.EncLess {
+ var err error
+ out, err = EncLessDecode(
+ p.Key,
+ data[len(data)-NonceSize:],
+ data[:len(data)-NonceSize],
+ )
+ if err != nil {
+ p.FramesUnauth++
+ p.BusyR.Unlock()
+ return false
+ }
+ } else {
+ for i := 0; i < SSize; i++ {
+ p.bufR[i] = 0
+ }
+ copy(p.bufR[S20BS:], data[TagSize:])
+ salsa20.XORKeyStream(
+ p.bufR[:S20BS+len(data)-TagSize-NonceSize],
+ p.bufR[:S20BS+len(data)-TagSize-NonceSize],
+ data[len(data)-NonceSize:],
+ p.Key,
+ )
+ copy(p.keyAuthR[:], p.bufR[:SSize])
+ copy(p.tagR[:], data[:TagSize])
+ if !poly1305.Verify(p.tagR, data[TagSize:], p.keyAuthR) {
+ p.FramesUnauth++
+ p.BusyR.Unlock()
+ return false
+ }
+ out = p.bufR[S20BS:]
+ }
// Check if received nonce is known to us in either of two buckets.
// If yes, then this is ignored duplicate.
p.FramesIn++
atomic.AddInt64(&p.BytesIn, int64(len(data)))
p.LastPing = time.Now()
- p.pktSizeR = binary.BigEndian.Uint16(p.bufR[S20BS : S20BS+PktSizeSize])
+ p.pktSizeR = binary.BigEndian.Uint16(out[:PktSizeSize])
if p.pktSizeR == 0 {
p.HeartbeatRecv++
p.BusyR.Unlock()
return true
}
+ if int(p.pktSizeR) > len(data)-MinPktLength {
+ return false
+ }
p.BytesPayloadIn += int64(p.pktSizeR)
- tap.Write(p.bufR[S20BS+PktSizeSize : S20BS+PktSizeSize+p.pktSizeR])
+ tap.Write(out[PktSizeSize : PktSizeSize+p.pktSizeR])
p.BusyR.Unlock()
return true
}