2 govpn -- high-performance secure virtual private network daemon
3 Copyright (C) 2014 Sergey Matveev <stargrave@stargrave.org>
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
29 "code.google.com/p/go.crypto/poly1305"
30 "code.google.com/p/go.crypto/salsa20"
31 "github.com/chon219/water"
36 AliveTimeout = time.Second * 90
38 // S20BS is Salsa20's internal blocksize in bytes
45 key *[KeySize]byte // encryption key
46 nonceOur uint64 // nonce for our messages
47 nonceRecv uint64 // latest received nonce from remote peer
50 func (p *Peer) IsAlive() bool {
51 if (p == nil) || (p.lastPing.Add(AliveTimeout).Before(time.Now())) {
57 func (p *Peer) SetAlive() {
58 p.lastPing = time.Now()
67 remoteAddr = flag.String("remote", "", "Remote server address")
68 bindAddr = flag.String("bind", "", "Bind to address")
69 ifaceName = flag.String("iface", "tap0", "TAP network interface")
70 keyHex = flag.String("key", "", "Authentication key")
71 mtu = flag.Int("mtu", 1500, "MTU")
72 verbose = flag.Bool("v", false, "Increase verbosity")
77 log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile)
80 if len(*keyHex) != 64 {
81 panic("Key is required argument (64 hex characters)")
83 keyDecoded, err := hex.DecodeString(*keyHex)
87 key := new([KeySize]byte)
88 copy(key[:], keyDecoded)
90 // Interface listening
91 maxIfacePktSize := *mtu - poly1305.TagSize - NonceSize
92 log.Println("Max MTU", maxIfacePktSize, "on interface", *ifaceName)
93 iface, err := water.NewTAP(*ifaceName)
97 ethBuf := make([]byte, maxIfacePktSize)
98 ethSink := make(chan int)
99 ethSinkReady := make(chan bool)
103 n, err := iface.Read(ethBuf)
112 // Network address parsing
113 if (len(*bindAddr) > 1 && len(*remoteAddr) > 1) ||
114 (len(*bindAddr) == 0 && len(*remoteAddr) == 0) {
115 panic("Either -bind or -remote must be specified only")
117 var conn *net.UDPConn
118 var remote *net.UDPAddr
120 bindTo := "0.0.0.0:0"
122 if len(*bindAddr) > 1 {
127 bind, err := net.ResolveUDPAddr("udp", bindTo)
131 conn, err = net.ListenUDP("udp", bind)
136 if len(*remoteAddr) > 1 {
137 remote, err = net.ResolveUDPAddr("udp", *remoteAddr)
143 udpBuf := make([]byte, *mtu)
144 udpSink := make(chan UDPPkt)
145 udpSinkReady := make(chan bool)
146 go func(conn *net.UDPConn) {
149 n, addr, err := conn.ReadFromUDP(udpBuf)
153 udpSink <- UDPPkt{addr, n}
160 var udpPktData []byte
166 states := make(map[string]*Handshake)
167 nonce := make([]byte, NonceSize)
168 keyAuth := new([KeySize]byte)
169 tag := new([poly1305.TagSize]byte)
170 buf := make([]byte, *mtu+S20BS)
171 emptyKey := make([]byte, KeySize)
172 ethPkt := make([]byte, maxIfacePktSize)
173 udpPktDataBuf := make([]byte, *mtu)
176 log.Println("starting handshake with", *remoteAddr)
177 states[remote.String()] = HandshakeStart(conn, remote, key)
182 case udpPkt = <-udpSink:
183 copy(udpPktDataBuf, udpBuf[:udpPkt.size])
185 udpPktData = udpPktDataBuf[:udpPkt.size]
186 if isValidHandshakePkt(udpPktData) {
187 addr = udpPkt.addr.String()
188 state, exists := states[addr]
191 state = &Handshake{addr: udpPkt.addr}
194 p = state.Server(conn, key, udpPktData)
200 p = state.Client(conn, key, udpPktData)
212 nonceRecv, _ := binary.Uvarint(udpPktData[:8])
213 if peer.nonceRecv >= nonceRecv {
217 copy(buf[:KeySize], emptyKey)
218 copy(tag[:], udpPktData[udpPkt.size-poly1305.TagSize:])
219 copy(buf[S20BS:], udpPktData[NonceSize:udpPkt.size-poly1305.TagSize])
220 salsa20.XORKeyStream(
221 buf[:S20BS+udpPkt.size-poly1305.TagSize],
222 buf[:S20BS+udpPkt.size-poly1305.TagSize],
223 udpPktData[:NonceSize],
226 copy(keyAuth[:], buf[:KeySize])
227 if !poly1305.Verify(tag, udpPktData[:udpPkt.size-poly1305.TagSize], keyAuth) {
231 peer.nonceRecv = nonceRecv
233 if _, err := iface.Write(buf[S20BS : S20BS+udpPkt.size-NonceSize-poly1305.TagSize]); err != nil {
234 log.Println("Error writing to iface")
239 case ethPktSize = <-ethSink:
240 if ethPktSize > maxIfacePktSize {
241 panic("Too large packet on interface")
247 copy(ethPkt, ethBuf[:ethPktSize])
249 peer.nonceOur = peer.nonceOur + 2
250 binary.PutUvarint(nonce, peer.nonceOur)
251 copy(buf[:KeySize], emptyKey)
252 copy(buf[S20BS:], ethPkt[:ethPktSize])
253 salsa20.XORKeyStream(buf, buf, nonce, peer.key)
254 copy(buf[S20BS-NonceSize:S20BS], nonce)
255 copy(keyAuth[:], buf[:KeySize])
256 dataToSend := buf[S20BS-NonceSize : S20BS+ethPktSize]
257 poly1305.Sum(tag, dataToSend, keyAuth)
258 if _, err := conn.WriteTo(append(dataToSend, tag[:]...), peer.addr); err != nil {
259 log.Println("Error sending UDP", err)