2 govpn -- high-performance secure virtual private network daemon
3 Copyright (C) 2014 Sergey Matveev <stargrave@stargrave.org>
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
31 "code.google.com/p/go.crypto/poly1305"
32 "code.google.com/p/go.crypto/salsa20"
36 remoteAddr = flag.String("remote", "", "Remote server address")
37 bindAddr = flag.String("bind", "", "Bind to address")
38 ifaceName = flag.String("iface", "tap0", "TAP network interface")
39 keyPath = flag.String("key", "", "Path to authentication key file")
40 mtu = flag.Int("mtu", 1500, "MTU")
41 timeoutP = flag.Int("timeout", 60, "Timeout seconds")
42 verboseP = flag.Bool("v", false, "Increase verbosity")
48 // S20BS is Salsa20's internal blocksize in bytes
51 HeartBeatMark = "\x00\x00\x00HEARTBEAT"
61 key *[KeySize]byte // encryption key
62 nonceOur uint64 // nonce for our messages
63 nonceRecv uint64 // latest received nonce from remote peer
75 log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile)
78 keyData, err := ioutil.ReadFile(*keyPath)
80 panic("Unable to read keyfile: " + err.Error())
82 if len(keyData) < 64 {
83 panic("Key must be 64 hex characters long")
85 keyDecoded, err := hex.DecodeString(string(keyData[0:64]))
87 panic("Unable to decode the key: " + err.Error())
89 key := new([KeySize]byte)
90 copy(key[:], keyDecoded)
94 // Interface listening
95 maxIfacePktSize := *mtu - poly1305.TagSize - NonceSize
96 log.Println("Max MTU", maxIfacePktSize, "on interface", *ifaceName)
97 iface := NewTAP(*ifaceName)
98 ethBuf := make([]byte, maxIfacePktSize)
99 ethSink := make(chan int)
100 ethSinkReady := make(chan bool)
104 n, err := iface.Read(ethBuf)
113 // Network address parsing
114 if (len(*bindAddr) > 1 && len(*remoteAddr) > 1) ||
115 (len(*bindAddr) == 0 && len(*remoteAddr) == 0) {
116 panic("Either -bind or -remote must be specified only")
118 var conn *net.UDPConn
119 var remote *net.UDPAddr
121 bindTo := "0.0.0.0:0"
123 if len(*bindAddr) > 1 {
128 bind, err := net.ResolveUDPAddr("udp", bindTo)
132 conn, err = net.ListenUDP("udp", bind)
137 if len(*remoteAddr) > 1 {
138 remote, err = net.ResolveUDPAddr("udp", *remoteAddr)
144 udpBuf := make([]byte, *mtu)
145 udpSink := make(chan *UDPPkt)
146 udpSinkReady := make(chan bool)
147 go func(conn *net.UDPConn) {
150 conn.SetReadDeadline(time.Now().Add(time.Second))
151 n, addr, err := conn.ReadFromUDP(udpBuf)
158 udpSink <- &UDPPkt{addr, n}
166 var udpPktData []byte
174 states := make(map[string]*Handshake)
175 nonce := make([]byte, NonceSize)
176 keyAuth := new([KeySize]byte)
177 tag := new([poly1305.TagSize]byte)
178 buf := make([]byte, *mtu+S20BS)
179 emptyKey := make([]byte, KeySize)
180 ethPkt := make([]byte, maxIfacePktSize)
181 udpPktDataBuf := make([]byte, *mtu)
184 states[remote.String()] = HandshakeStart(conn, remote, key)
187 heartbeat := time.Tick(time.Second * time.Duration(timeout/3))
188 heartbeatMark := []byte(HeartBeatMark)
197 go func() { ethSink <- -1 }()
198 case udpPkt = <-udpSink:
200 if !serverMode && timeouts >= timeout {
207 copy(udpPktDataBuf, udpBuf[:udpPkt.size])
209 udpPktData = udpPktDataBuf[:udpPkt.size]
210 if isValidHandshakePkt(udpPktData) {
211 addr = udpPkt.addr.String()
212 state, exists := states[addr]
215 state = &Handshake{addr: udpPkt.addr}
218 p = state.Server(conn, key, udpPktData)
224 p = state.Client(conn, key, udpPktData)
236 nonceRecv, _ := binary.Uvarint(udpPktData[:8])
237 if peer.nonceRecv >= nonceRecv {
241 copy(buf[:KeySize], emptyKey)
242 copy(tag[:], udpPktData[udpPkt.size-poly1305.TagSize:])
243 copy(buf[S20BS:], udpPktData[NonceSize:udpPkt.size-poly1305.TagSize])
244 salsa20.XORKeyStream(
245 buf[:S20BS+udpPkt.size-poly1305.TagSize],
246 buf[:S20BS+udpPkt.size-poly1305.TagSize],
247 udpPktData[:NonceSize],
250 copy(keyAuth[:], buf[:KeySize])
251 if !poly1305.Verify(tag, udpPktData[:udpPkt.size-poly1305.TagSize], keyAuth) {
255 peer.nonceRecv = nonceRecv
257 frame = buf[S20BS : S20BS+udpPkt.size-NonceSize-poly1305.TagSize]
258 if string(frame[0:HeartBeatSize]) == HeartBeatMark {
261 if _, err := iface.Write(frame); err != nil {
262 log.Println("Error writing to iface: ", err)
267 case ethPktSize = <-ethSink:
268 if ethPktSize > maxIfacePktSize {
269 panic("Too large packet on interface")
276 copy(ethPkt, ethBuf[:ethPktSize])
279 copy(ethPkt, heartbeatMark)
280 ethPktSize = HeartBeatSize
282 peer.nonceOur = peer.nonceOur + 2
283 binary.PutUvarint(nonce, peer.nonceOur)
284 copy(buf[:KeySize], emptyKey)
285 copy(buf[S20BS:], ethPkt[:ethPktSize])
286 salsa20.XORKeyStream(buf, buf, nonce, peer.key)
287 copy(buf[S20BS-NonceSize:S20BS], nonce)
288 copy(keyAuth[:], buf[:KeySize])
289 dataToSend := buf[S20BS-NonceSize : S20BS+ethPktSize]
290 poly1305.Sum(tag, dataToSend, keyAuth)
291 if _, err := conn.WriteTo(append(dataToSend, tag[:]...), peer.addr); err != nil {
292 log.Println("Error sending UDP", err)