From 9a5ef6e33490971fc5af5538cdf98e800b692ea7 Mon Sep 17 00:00:00 2001 From: Sergey Matveev Date: Sun, 10 Jan 2016 21:12:12 +0300 Subject: [PATCH] [DOC] Add various concept indexes Signed-off-by: Sergey Matveev --- doc/about.ru.texi | 5 +++++ doc/about.texi | 4 ++++ doc/client.texi | 6 ++++++ doc/contacts.texi | 5 +++++ doc/cpr.texi | 2 ++ doc/developer.texi | 3 +++ doc/download.texi | 3 +++ doc/egd.texi | 3 +++ doc/encless.texi | 7 +++++++ doc/example.texi | 5 +++++ doc/faq.ru.texi | 7 +++++++ doc/faq.texi | 21 +++++++++++++++++++++ doc/govpn.texi | 7 +++++++ doc/handshake.texi | 15 +++++++++++++++ doc/identity.texi | 2 ++ doc/installation.texi | 9 +++++++++ doc/integrity.texi | 4 ++++ doc/media.texi | 2 ++ doc/mtu.texi | 2 ++ doc/netproto.texi | 4 ++++ doc/news.texi | 23 +++++++++++++++++++++++ doc/noise.texi | 2 ++ doc/pake.texi | 2 ++ doc/precautions.texi | 10 ++++++---- doc/proxy.texi | 5 +++++ doc/server.texi | 10 ++++++++++ doc/sources.texi | 6 ++++++ doc/stats.texi | 2 ++ doc/thanks.texi | 1 + doc/timeout.texi | 1 + doc/todo.texi | 1 + doc/transport.texi | 8 ++++++++ doc/user.texi | 6 +++++- doc/verifier.texi | 3 +++ doc/verifierstruct.texi | 4 ++++ 35 files changed, 195 insertions(+), 5 deletions(-) diff --git a/doc/about.ru.texi b/doc/about.ru.texi index a5bdb3e..e301259 100644 --- a/doc/about.ru.texi +++ b/doc/about.ru.texi @@ -1,4 +1,9 @@ @node О демоне +@cindex About (russian) +@cindex Description (russian) +@cindex О демоне +@cindex Описание +@cindex Вступление @unnumbered Подробнее о демоне GoVPN GoVPN это простой демон виртуальных частных сетей, код которого нацелен diff --git a/doc/about.texi b/doc/about.texi index e04faa1..de1abe9 100644 --- a/doc/about.texi +++ b/doc/about.texi @@ -1,3 +1,7 @@ +@cindex About +@cindex Description +@cindex Introduction + GoVPN is simple free software virtual private network daemon, aimed to be reviewable, secure and @url{https://en.wikipedia.org/wiki/Deep_packet_inspection, DPI}/censorship-resistant. 
diff --git a/doc/client.texi b/doc/client.texi index 88e338e..f184577 100644 --- a/doc/client.texi +++ b/doc/client.texi @@ -1,4 +1,10 @@ @node Client +@cindex Client +@cindex Client part +@cindex Client configuration +@cindex Client side +@cindex Configuring client +@cindex govpn-client @section Client part Except for common @code{-stats}, @code{-egd} options client has the diff --git a/doc/contacts.texi b/doc/contacts.texi index 3f96135..c6915ef 100644 --- a/doc/contacts.texi +++ b/doc/contacts.texi @@ -1,4 +1,9 @@ @node Contacts +@cindex Contacts +@cindex Feedback +@cindex Support +@cindex Help +@cindex Maillist @unnumbered Contacts Please send questions regarding the use of GoVPN, bug reports and patches to diff --git a/doc/cpr.texi b/doc/cpr.texi index 5ea5717..f4259f8 100644 --- a/doc/cpr.texi +++ b/doc/cpr.texi @@ -1,4 +1,6 @@ @node CPR +@cindex CPR +@cindex Constant Packet Rate @subsection Constant Packet Rate Constant Packet Rate is used to hide fact of underlying payload packets diff --git a/doc/developer.texi b/doc/developer.texi index 4293f80..30dd12f 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -1,4 +1,7 @@ @node Developer +@cindex Developer manual +@cindex Developer +@cindex Cryptography @unnumbered Developer manual Pay attention how to get @ref{Sources, development source code}. diff --git a/doc/download.texi b/doc/download.texi index 3df97fd..c67efed 100644 --- a/doc/download.texi +++ b/doc/download.texi @@ -1,4 +1,7 @@ @node Tarballs +@cindex Download +@cindex Tarball +@cindex Prepared tarballs @section Prepared tarballs You can obtain releases source code prepared tarballs from the links below: diff --git a/doc/egd.texi b/doc/egd.texi index c0006db..9984a20 100644 --- a/doc/egd.texi +++ b/doc/egd.texi @@ -1,4 +1,7 @@ @node EGD +@cindex EGD +@cindex Entropy Gathering Daemon +@cindex Entropy @subsection Entropy Gathering Daemon Overall security mainly depends on client side: 
diff --git a/doc/encless.texi b/doc/encless.texi index 6d44191..fd267c7 100644 --- a/doc/encless.texi +++ b/doc/encless.texi @@ -1,4 +1,11 @@ @node Encless +@cindex Encryptionless +@cindex Encryptionless mode +@cindex Chaffing-and-Winnowing +@cindex AONT +@cindex All-Or-Nothing-Transformation +@cindex OAEP +@cindex SAEP+ @subsection Encryptionless mode Some jurisdictions can force user to reveal his encryption keys. However diff --git a/doc/example.texi b/doc/example.texi index f4f80f4..8a52ef7 100644 --- a/doc/example.texi +++ b/doc/example.texi @@ -1,4 +1,7 @@ @node Example +@cindex Example +@cindex Example usage +@cindex Tutorial @section Example usage Let's assume that there is some insecure link between your computer and @@ -19,6 +22,8 @@ software: download, @ref{Integrity, check the signature}, compile. @strong{Prepare the client}. Generate client's verifier for Alice as an example: +@cindex newclient.sh + @verbatim client% ./utils/newclient.sh Alice Enter passphrase: diff --git a/doc/faq.ru.texi b/doc/faq.ru.texi index 10f7fda..22ac58e 100644 --- a/doc/faq.ru.texi +++ b/doc/faq.ru.texi @@ -1,4 +1,7 @@ @node ЧАВО +@cindex FAQ (russian) +@cindex ЧАВО +@cindex Часто задаваемые вопросы @unnumbered Часто задаваемые вопросы @table @asis @@ -39,6 +42,7 @@ Go очень легко читается, поддаётся ревью и по высокоэнтропийный ключ. Вам нужно доверять только себе, не аппаратному токену или другому устройству хранения. Это удобно. +@cindex Настройка сети @item Почему вся настройка сети делается вручную? Потому-что существует так много вариантов использования, конфигураций и установок, что или я поддерживаю их всех, или использую громоздкие 
@@ -57,10 +61,13 @@ Go очень легко читается, поддаётся ревью и по уровне сессии: оно не спасёт если сессионный ключ скомпрометирован из памяти. +@cindex Анонимность +@cindex Анонимные клиенты @item Что вы подразумеваете когда говорите что клиенты анонимны? Что третьей лицо не может отличить одного клиента от другого, смотря на трафик (транспортный или рукопожатия). +@cindex Цензуроустойчивость @item Что вы подразумеваете под цензуроустойчивостью? Невозможность определить GoVPN ли это трафик или просто @code{cat /dev/urandom | nc somehost}. Если вы не можете отличить один diff --git a/doc/faq.texi b/doc/faq.texi index 0ac8de8..e6986cd 100644 --- a/doc/faq.texi +++ b/doc/faq.texi @@ -1,19 +1,24 @@ @node FAQ +@cindex FAQ +@cindex Frequently Asked Questions @unnumbered Frequently Asked Questions @table @asis +@cindex TLS @item Why do not you use TLS? It is complicated protocol. It uses Authenticate-then-Encrypt ordering of algorithms -- it is not secure. Moreover its libraries are huge and hard to read, review and analyze. +@cindex SSH @item Why do not you use SSH? Its first protocol versions used A-a-E ordering, however later ones supports even ChaCha20-Poly1305 algorithms. But its source code is not so trivial and rather big to read and review. OpenSSH does not support strong zero-knowledge password authentication. +@cindex IPsec @item Why do not you use IPsec? It is rather good protocol, supported by all modern OSes. But it lacks strong zero-knowledge password authentication and, again, its code is @@ -24,6 +29,8 @@ For the same reasons: most of software do not provide strong password authentication, high cryptographic protocol security, and most of this software is written in C -- it is hard to write right on it. +@cindex Why Go +@cindex Go @item Why GoVPN is written on Go? Go is very easy to read, review and support. It makes complex code writing a harder task. It provides everything needed to the C language: 
@@ -38,12 +45,17 @@ Human is capable of memorizing rather long passphrases (not passwords): You need to trust only yourself, not hardware token or some other storage device. It is convenient. +@cindex Network configuration @item Why all network configuration must be done manually? Because there are so many use-cases and setups, so many various protocols, that either I support all of them, or use complicated protocol setups like PPP, or just give right of the choice to the administrator. VPN is only just a layer. +@cindex Windows +@cindex Microsoft Windows +@cindex Apple OS X +@cindex OS X @item Why there is no either OS X or Windows support? Any closed source proprietary systems do not give ability to control the computer. You can not securely use cryptography-related stuff without @@ -55,10 +67,18 @@ You can not decrypt previously saved traffic by compromising long-lived keys. PFS property is per-session level: it won't protect from leaking the session key from the memory. +@cindex Anonymity +@cindex Anonymous clients @item What do you mean by saying that clients are anonymous? That third-party can not differentiate one client from another looking at the traffic (transport and handshake). +@cindex Censorship +@cindex Censorship resistance +@cindex Censorship resistant +@cindex DPI resistant +@cindex DPI resistance +@cindex DPI @item What do you mean by censorship resistance? Unability to distinguish either is it GoVPN-traffic is passing by, or just @code{cat /dev/urandom | nc somehost}. If you can not differentiate @@ -83,6 +103,7 @@ timestamps and sizes. You can run traffic analysis and predict what is going on in the network. With CPR option enabled you can tell either somebody is online, or not -- nothing less, nothing more. +@cindex DoS @item Can I DoS (denial of service) the daemon? Each transport packet is authenticated first with the very fast UMAC algorithm -- in most cases resource consumption of TCP/UDP layers will 
diff --git a/doc/govpn.texi b/doc/govpn.texi index 7fab9f3..73e6908 100644 --- a/doc/govpn.texi +++ b/doc/govpn.texi @@ -40,6 +40,7 @@ A copy of the license is included in the section entitled "Copying conditions". * In the media: Media. * TODO:: * Copying conditions:: +* Concept index:: @end menu @include about.ru.texi @@ -60,4 +61,10 @@ A copy of the license is included in the section entitled "Copying conditions". @insertcopying @verbatiminclude fdl.txt + +@node Concept index +@unnumbered Concept index + +@printindex cp + @bye diff --git a/doc/handshake.texi b/doc/handshake.texi index f19fde0..3efe97d 100644 --- a/doc/handshake.texi +++ b/doc/handshake.texi @@ -1,4 +1,19 @@ @node Handshake +@cindex Handshake +@cindex Handshake protocol +@cindex Diffie-Hellman +@cindex ed25519 +@cindex curve25519 +@cindex Elligator +@cindex Perfect Forward Secrecy +@cindex PFS +@cindex IDtag +@cindex Shared key +@cindex DH-EKE +@cindex DH +@cindex EKE +@cindex A-EKE +@cindex DH-A-EKE @section Handshake protocol @verbatiminclude handshake.utxt diff --git a/doc/identity.texi b/doc/identity.texi index 3a37790..d74e6cf 100644 --- a/doc/identity.texi +++ b/doc/identity.texi @@ -1,4 +1,6 @@ @node Identity +@cindex Client identity +@cindex Identity @subsection Identity Client's identity is 128-bit string. It is not secret, so can be diff --git a/doc/installation.texi b/doc/installation.texi index c6ac214..ca95bb1 100644 --- a/doc/installation.texi +++ b/doc/installation.texi @@ -1,4 +1,13 @@ @node Installation +@cindex Installation +@cindex Getting GoVPN +@cindex Requirements +@cindex Dependencies +@cindex Ports +@cindex Packages +@cindex FreeBSD +@cindex AUR +@cindex Texinfo @unnumbered Installation Possibly GoVPN already exists in your distribution: diff --git a/doc/integrity.texi b/doc/integrity.texi index ccbb5c8..b9c6ff5 100644 --- a/doc/integrity.texi +++ b/doc/integrity.texi 
@@ -1,4 +1,8 @@ @node Integrity +@cindex Integrity +@cindex Tarball integrity +@cindex PGP +@cindex Public key @section Tarballs integrity check You @strong{have to} verify downloaded archives integrity and check diff --git a/doc/media.texi b/doc/media.texi index b129c0d..332ed63 100644 --- a/doc/media.texi +++ b/doc/media.texi @@ -1,4 +1,6 @@ @node Media +@cindex In the media +@cindex Articles @unnumbered In the media @itemize diff --git a/doc/mtu.texi b/doc/mtu.texi index 29930b6..2206c55 100644 --- a/doc/mtu.texi +++ b/doc/mtu.texi @@ -1,4 +1,6 @@ @node MTU +@cindex MTU +@cindex Maximum Transmission Unit @subsection Maximum Transmission Unit MTU option tells what maximum transmission unit is expected to get from diff --git a/doc/netproto.texi b/doc/netproto.texi index d57edb3..f5b26f4 100644 --- a/doc/netproto.texi +++ b/doc/netproto.texi @@ -1,4 +1,8 @@ @node Network +@cindex Transport +@cindex Network transport +@cindex TCP +@cindex UDP @subsection Network transport You can use either UDP or TCP underlying network transport protocols. diff --git a/doc/news.texi b/doc/news.texi index d704715..da5e9b2 100644 --- a/doc/news.texi +++ b/doc/news.texi @@ -1,9 +1,12 @@ @node News +@cindex Releases +@cindex News @unnumbered News @table @strong @item Release 5.1 +@cindex Release 5.1 @itemize @item Server is configured using @url{http://yaml.org/, YAML} file. It is very convenient to have comments and templates, comparing to JSON. @@ -12,6 +15,7 @@ with @emph{BLAKE2b} in handshake code. @end itemize @item Release 5.0 +@cindex Release 5.0 @itemize @item New optional @ref{Encless, encryptionless mode} of operation. Technically no encryption functions are applied for outgoing packets, so 
@@ -25,12 +29,14 @@ up-scripts for convenience. @end itemize @item Release 4.2 +@cindex Release 4.2 @itemize @item Fixed non-critical bug when server may fail if up-script is not executed successfully. @end itemize @item Release 4.1 +@cindex Release 4.1 @itemize @item @url{https://password-hashing.net/#argon2, Argon2d} is used instead of PBKDF2 for password verifier hashing. @@ -39,6 +45,7 @@ server-side configuration and the code. @end itemize @item Release 4.0 +@cindex Release 4.0 @itemize @item Handshake messages can be noised: their messages lengths are hidden. Now they are indistinguishable from transport messages. @@ -48,6 +55,7 @@ hidden. Now they are indistinguishable from transport messages. @end itemize @item Release 3.5 +@cindex Release 3.5 @itemize @item Ability to use @ref{Network, TCP} network transport. Server can listen on both UDP and TCP sockets. @@ -59,6 +67,7 @@ reasons. @end itemize @item Release 3.4 +@cindex Release 3.4 @itemize @item Ability to use external @ref{EGD}-compatible PRNGs. Now you are able to use GoVPN even on systems with the bad @code{/dev/random}, @@ -69,6 +78,7 @@ without performance degradation related to inbound packets reordering. @end itemize @item Release 3.3 +@cindex Release 3.3 @itemize @item Compatibility with an old GNU Make 3.x. Previously only BSD Make and GNU Make 4.x were supported. @@ -79,6 +89,7 @@ GNU/Linux systems. Previously /dev/random can produce less than required @end itemize @item Release 3.2 +@cindex Release 3.2 @itemize @item Deterministic building: dependent libraries source code commits are @@ -91,6 +102,7 @@ FreeBSD Make compatibility. GNU Make is not necessary anymore. @end itemize @item Release 3.1 +@cindex Release 3.1 @itemize @item Diffie-Hellman public keys are encoded with Elligator algorithm when 
@@ -101,6 +113,7 @@ consume twice entropy for DH key generation in average. @end itemize @item Release 3.0 +@cindex Release 3.0 @itemize @item EKE protocol is replaced by Augmented-EKE and static symmetric (both @@ -133,6 +146,7 @@ Per-peer @code{-timeout}, @code{-noncediff}, @code{-noise} and @end itemize @item Release 2.4 +@cindex Release 2.4 @itemize @item Added ability to optionally run built-in HTTP-server responding with @@ -144,6 +158,7 @@ Documentation is explicitly licenced under GNU FDL 1.3+. @end itemize @item Release 2.3 +@cindex Release 2.3 @itemize @item Handshake packets became indistinguishable from the random. @@ -159,16 +174,19 @@ consuming and resource heavy computations. @end itemize @item Release 2.2 +@cindex Release 2.2 @itemize @item Fixed several possible channel deadlocks. @end itemize @item Release 2.1 +@cindex Release 2.1 @itemize @item Fixed Linux-related building. @end itemize @item Release 2.0 +@cindex Release 2.0 @itemize @item Added clients identification. @item Simultaneous several clients support by server. @@ -176,16 +194,19 @@ consuming and resource heavy computations. @end itemize @item Release 1.5 +@cindex Release 1.5 @itemize @item Nonce obfuscation/encryption. @end itemize @item Release 1.4 +@cindex Release 1.4 @itemize @item Performance optimizations. @end itemize @item Release 1.3 +@cindex Release 1.3 @itemize @item Heartbeat feature. @item Rehandshake feature. @@ -193,11 +214,13 @@ consuming and resource heavy computations. @end itemize @item Release 1.1 +@cindex Release 1.1 @itemize @item FreeBSD support. @end itemize @item Release 1.0 +@cindex Release 1.0 @itemize @item Initial stable release. @end itemize diff --git a/doc/noise.texi b/doc/noise.texi index 5df68a9..9e171d1 100644 --- a/doc/noise.texi +++ b/doc/noise.texi @@ -1,4 +1,6 @@ @node Noise +@cindex Noise +@cindex Timestamps @subsection Noise So-called noise is used to hide underlying payload packets length. 
diff --git a/doc/pake.texi b/doc/pake.texi index cdae552..d343a49 100644 --- a/doc/pake.texi +++ b/doc/pake.texi @@ -1,4 +1,6 @@ @node PAKE +@cindex Password Authenticated Key Agreement +@cindex PAKE @subsection Password Authenticated Key Agreement GoVPN uses strong password authentication. That means that it uses human diff --git a/doc/precautions.texi b/doc/precautions.texi index fbf45d1..0401778 100644 --- a/doc/precautions.texi +++ b/doc/precautions.texi @@ -1,12 +1,14 @@ @node Precautions +@cindex Dangers +@cindex Precautions @unnumbered Precautions @enumerate @item -We use password (passphrase) authentication, so overall security fully -depends on its strength. You @strong{should} use long, high-entropy -passphrases. Also remember to keep passphrase in temporary file and read -it securely as described in @ref{Verifier, verifier}. +We use passphrase authentication, so overall security fully depends on +its strength. You @strong{should} use long, high-entropy passphrases. +Also remember to keep passphrase in temporary file and read it securely +as described in @ref{Verifier, verifier}. @item You must @strong{never} use the same key for multiple clients. diff --git a/doc/proxy.texi b/doc/proxy.texi index b0f08fc..a314b79 100644 --- a/doc/proxy.texi +++ b/doc/proxy.texi @@ -1,4 +1,9 @@ @node Proxy +@cindex Proxy +@cindex HTTP proxy +@cindex HTTP authentication +@cindex CONNECT +@cindex HTTP @subsection Proxy You can proxy your requests through HTTP using CONNECT method. This can diff --git a/doc/server.texi b/doc/server.texi index 0882ff2..ee132bd 100644 --- a/doc/server.texi +++ b/doc/server.texi @@ -1,4 +1,9 @@ @node Server +@cindex Server +@cindex Server part +@cindex Server configuration +@cindex Server side +@cindex govpn-server @section Server part Except for common @code{-stats}, @code{-egd} options server has the 
@@ -21,6 +26,9 @@ Start trivial HTTP @ref{Proxy} server on specified @emph{host:port}. @end table +@cindex YAML +@cindex YAML configuration +@cindex Configuration file Configuration file is YAML file with following example structure: @verbatim @@ -45,6 +53,8 @@ must output interface's name to stdout (first output line). For example up-script can be just @code{echo tap10}, or more advanced like the following one: +@cindex up-script + @example #!/bin/sh $tap=$(ifconfig tap create) diff --git a/doc/sources.texi b/doc/sources.texi index 862fa86..f1eb3eb 100644 --- a/doc/sources.texi +++ b/doc/sources.texi @@ -1,4 +1,10 @@ @node Sources +@cindex Sources +@cindex Source code +@cindex Development source code +@cindex Git +@cindex Repository +@cindex Mirrors @section Development source code Development source code contains the latest version of the code. It may diff --git a/doc/stats.texi b/doc/stats.texi index c543137..0c14700 100644 --- a/doc/stats.texi +++ b/doc/stats.texi @@ -1,4 +1,6 @@ @node Stats +@cindex Stats +@cindex Statistics @subsection Statistics Both client and server has ability to show statistics about known diff --git a/doc/thanks.texi b/doc/thanks.texi index d551819..aed296a 100644 --- a/doc/thanks.texi +++ b/doc/thanks.texi @@ -1,4 +1,5 @@ @node Thanks +@cindex Thanks @unnumbered Thanks Thanks for contributions and suggestions to: diff --git a/doc/timeout.texi b/doc/timeout.texi index 89dd5b0..89dcf1e 100644 --- a/doc/timeout.texi +++ b/doc/timeout.texi @@ -1,4 +1,5 @@ @node Timeout +@cindex Timeout @subsection Timeout Because of stateless UDP nature there is no way to reliably know if diff --git a/doc/todo.texi b/doc/todo.texi index 520192c..f77ab2f 100644 --- a/doc/todo.texi +++ b/doc/todo.texi @@ -1,4 +1,5 @@ @node TODO +@cindex TODO @unnumbered TODO @itemize diff --git a/doc/transport.texi b/doc/transport.texi index 4b8413b..3b894ec 100644 --- a/doc/transport.texi +++ b/doc/transport.texi 
@@ -1,4 +1,12 @@ @node Transport +@cindex Transport +@cindex Transport protocol +@cindex Salsa20 +@cindex PRP +@cindex Nonce +@cindex Poly1305 +@cindex XTEA +@cindex Serial @section Transport protocol @verbatim diff --git a/doc/user.texi b/doc/user.texi index d2118b3..ca2e81c 100644 --- a/doc/user.texi +++ b/doc/user.texi @@ -1,7 +1,10 @@ @node User +@cindex User +@cindex User manual @unnumbered User manual -Announcements about updates and new releases can be found in @ref{Contacts}. +Announcements about updates and new releases can be found in +@ref{Contacts, contacts}. GoVPN is split into two pieces: @ref{Client} and @ref{Server}. Each of them work on top of @ref{Network, UDP/TCP} and TAP virtual network @@ -9,6 +12,7 @@ interfaces. GoVPN is just a tunnelling of Ethernet frames, nothing less, nothing more. All you IP-related network management is not touched by VPN at all. You can automate it using up and down shell scripts. +@cindex Performance What network performance can user expect? For example single @emph{Intel i5-2450M 2.5 GHz} core on @emph{FreeBSD 10.2 amd64} with @emph{Go 1.5.1} gives 786 Mbps (UDP transport) throughput. diff --git a/doc/verifier.texi b/doc/verifier.texi index bb364d7..779f247 100644 --- a/doc/verifier.texi +++ b/doc/verifier.texi @@ -1,4 +1,7 @@ @node Verifier +@cindex Verifier +@cindex storekey.sh +@cindex govpn-verifier @subsection Verifier Verifier is created using @code{govpn-verifier} utility. But currently diff --git a/doc/verifierstruct.texi b/doc/verifierstruct.texi index 792506d..51cf289 100644 --- a/doc/verifierstruct.texi +++ b/doc/verifierstruct.texi @@ -1,4 +1,8 @@ @node Verifier structure +@cindex Verifier structure +@cindex Argon2 +@cindex Argon2d +@cindex Salt @section Verifier structure Verifier is a derivative of the password. It is resistant to -- 2.44.0
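Review bot: the bare `@cindex Transport` added in the doc/netproto.texi hunk collides with the `@cindex Transport` added in the doc/transport.texi hunk, so the concept index will list "Transport" twice, pointing at two different sections (Network transport and Transport protocol). Consider keeping only the qualified forms (`@cindex Network transport` in netproto.texi, `@cindex Transport protocol` in transport.texi) or adding a disambiguating suffix to each bare entry, so a reader looking up "Transport" lands on the intended section.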
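Review bot: in the doc/handshake.texi hunk the section body is pulled in via `@verbatiminclude handshake.utxt`, which the diff does not show, so please confirm that every term indexed there (in particular `@cindex ed25519` alongside `@cindex curve25519`, and `@cindex DH-EKE` alongside `@cindex DH-A-EKE` when the Release 3.0 news entry in this same patch says EKE was replaced by Augmented-EKE) actually appears in that included text. An index entry that leads to a section which never mentions the term is worse than no entry.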
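Review bot: the doc/precautions.texi hunk rewords the first item ("password (passphrase) authentication" becomes "passphrase authentication") and reflows the paragraph, which is unrelated to the "Add various concept indexes" subject of this commit; either split it out or mention it in the commit message so the wording change is reviewable on its own. Since this item is the one that tells users how to choose and store the passphrase, it would also benefit from `@cindex Passphrase` (and `@cindex Password`, the term the hunk removes from the text) next to the `@cindex Dangers` and `@cindex Precautions` entries, which index the chapter only by its title.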
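Review bot: the doc/user.texi hunk changes `@ref{Contacts}` to `@ref{Contacts, contacts}` and rewraps the line, another edit outside the scope stated in the commit message; harmless, but worth a mention in the message or a separate commit. The `@cindex Performance` entry placed directly before the throughput paragraph is fine.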
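Review bot: in the doc/client.texi hunk `@cindex govpn-client` indexes a program name as plain concept text, and the same pattern recurs in later hunks (`@cindex govpn-server` in server.texi, `@cindex storekey.sh` and `@cindex govpn-verifier` in verifier.texi, `@cindex newclient.sh` in example.texi, `@cindex up-script` in server.texi). Texinfo has a dedicated program index for this (`@pindex govpn-client`, printed with `@printindex pg`), or the entries can be written as `@cindex @code{govpn-client}` so they render in the same monospace the body text uses for these names; either keeps binaries and scripts visually distinct from concepts in the index.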
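Review bot: in the doc/about.ru.texi hunk the entries `@cindex About (russian)` and `@cindex Description (russian)` (and `@cindex FAQ (russian)` in the doc/faq.ru.texi hunk) should spell the language name "Russian", since they are English index terms. The same hunks also add Cyrillic entries (`@cindex О демоне`, `@cindex Описание`, `@cindex Вступление`, `@cindex ЧАВО`) into the single `cp` index that govpn.texi prints; please check the generated index with the texindex/makeinfo versions you target, because mixed-script entries may sort into an odd position, and consider a short note in the commit message on how the Russian entries are meant to be found.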
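Review bot: the `@@ -55,10 +67,18 @@` hunk in doc/faq.texi adds noun/adjective pairs for the same concept (`@cindex Censorship resistance` and `@cindex Censorship resistant`, `@cindex DPI resistance` and `@cindex DPI resistant`) that will appear as adjacent near-duplicate lines pointing at the same FAQ item. One form per concept (the noun, matching `@cindex Anonymity` and `@cindex Censorship` in the same hunk) keeps the index readable.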
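Review bot: in the doc/encless.texi hunk the entries `@cindex Chaffing-and-Winnowing` and `@cindex All-Or-Nothing-Transformation` hyphenate and capitalize multi-word terms that are normally written "chaffing and winnowing" and "all-or-nothing transform" (the AONT expansion); using the conventional spelling makes them sort with the other multi-word concept entries in this patch (for example `@cindex Constant Packet Rate`, `@cindex Perfect Forward Secrecy`) and match what readers will search for.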