MainCycle:
for {
if peer != nil && peer.Bytes > govpn.MaxBytesPerKey {
+ peer.Zero()
peer = nil
handshake = govpn.HandshakeStart(conn, remote, id, key)
log.Println("Rehandshaking")
firstUpCall = false
}
peer = p
+ handshake.Zero()
handshake = nil
}
udpReady <- struct{}{}
for addr, hs := range states {
if hs.LastPing.Add(timeout).Before(now) {
log.Println("Deleting handshake state", addr)
+ hs.Zero()
delete(states, addr)
}
}
)
go govpn.ScriptCall(downPath, state.tap.Name)
state.terminate <- struct{}{}
+ state.peer.Zero()
}
}
case peerReady = <-peerReadySink:
}
delete(peers, addr)
state.terminate <- struct{}{}
+ state.peer.Zero()
break
}
addr = peerReady.peer.Addr.String()
continue
}
peers[addr] = state
+ states[addr].Zero()
delete(states, addr)
log.Println("Registered interface", peerReady.iface, "with peer", peer)
go func(state *PeerState) {
copy(key[:], keyDecoded)
return key
}
+
+// Zero each byte
+func sliceZero(data []byte) {
+ for i := 0; i < len(data); i++ {
+ data[i] = '\x00'
+ }
+}
return true
}
+// Zero handshake's memory state
+func (h *Handshake) Zero() {
+ sliceZero(h.rNonce[:])
+ sliceZero(h.dhPriv[:])
+ sliceZero(h.key[:])
+ if h.rServer != nil {
+ sliceZero(h.rServer[:])
+ }
+ if h.rClient != nil {
+ sliceZero(h.rClient[:])
+ }
+ if h.sServer != nil {
+ sliceZero(h.sServer[:])
+ }
+ if h.sClient != nil {
+ sliceZero(h.sClient[:])
+ }
+}
+
func (h *Handshake) rNonceNext() []byte {
nonce := make([]byte, 8)
nonceCurrent, _ := binary.Uvarint(h.rNonce[:])
return p.Id.String() + ":" + p.Addr.String()
}
+// Zero peer's memory state
+func (p *Peer) Zero() {
+ sliceZero(p.Key[:])
+ sliceZero(p.tag[:])
+ sliceZero(p.keyAuth[:])
+ sliceZero(p.buf)
+ sliceZero(p.frame)
+ sliceZero(p.nonce)
+}
+
var (
HeartbeatMark = []byte("\x00\x00\x00HEARTBEAT")
Emptiness = make([]byte, KeySize)