protocol

Constants

const (
	// Tunnel protocol identifiers. These strings are persisted in server
	// entries, tactics and API parameters, so they are stable wire values.
	// "OSSH" is obfuscated SSH; the other "-OSSH" protocols carry the
	// obfuscated SSH layer inside a further transport (TLS, meek HTTP/HTTPS,
	// QUIC, TapDance, Conjure). See the note on TunnelProtocolUsesTLSOSSH
	// about the naming convention used by the TunnelProtocolUses* helpers.
	TUNNEL_PROTOCOL_SSH                              = "SSH"
	TUNNEL_PROTOCOL_OBFUSCATED_SSH                   = "OSSH"
	TUNNEL_PROTOCOL_TLS_OBFUSCATED_SSH               = "TLS-OSSH"
	TUNNEL_PROTOCOL_UNFRONTED_MEEK                   = "UNFRONTED-MEEK-OSSH"
	TUNNEL_PROTOCOL_UNFRONTED_MEEK_HTTPS             = "UNFRONTED-MEEK-HTTPS-OSSH"
	TUNNEL_PROTOCOL_UNFRONTED_MEEK_SESSION_TICKET    = "UNFRONTED-MEEK-SESSION-TICKET-OSSH"
	TUNNEL_PROTOCOL_FRONTED_MEEK                     = "FRONTED-MEEK-OSSH"
	TUNNEL_PROTOCOL_FRONTED_MEEK_HTTP                = "FRONTED-MEEK-HTTP-OSSH"
	TUNNEL_PROTOCOL_QUIC_OBFUSCATED_SSH              = "QUIC-OSSH"
	TUNNEL_PROTOCOL_FRONTED_MEEK_QUIC_OBFUSCATED_SSH = "FRONTED-MEEK-QUIC-OSSH"
	TUNNEL_PROTOCOL_TAPDANCE_OBFUSCATED_SSH          = "TAPDANCE-OSSH"
	TUNNEL_PROTOCOL_CONJURE_OBFUSCATED_SSH           = "CONJURE-OSSH"

	// Fronting transports are used for non-tunnel fronted connections such
	// as in-proxy broker requests (see FrontingTransports).
	// EquivilentTunnelProtocol maps each one to the tunnel protocol whose
	// tactics apply to it.
	FRONTING_TRANSPORT_HTTPS = "FRONTED-HTTPS"
	FRONTING_TRANSPORT_HTTP  = "FRONTED-HTTP"
	FRONTING_TRANSPORT_QUIC  = "FRONTED-QUIC"

	// TUNNEL_PROTOCOLS_ALL is a wildcard standing in for every tunnel
	// protocol; presumably accepted wherever a TunnelProtocols list is
	// configured — confirm against the consumers of such lists.
	TUNNEL_PROTOCOLS_ALL = "All"

	// INPROXY_PROTOCOL_WEBRTC names the in-proxy (WebRTC) first hop.
	// TunnelProtocolPlusInproxyWebRTC and TunnelProtocolMinusInproxy
	// presumably add and remove this component of a combined protocol
	// name — confirm.
	INPROXY_PROTOCOL_WEBRTC = "INPROXY-WEBRTC"

	// Server entry sources. DecodeServerEntry records the source in
	// ServerEntry.LocalSource, and it is reported to the server as stats.
	// SERVER_ENTRY_SOURCE_EXCHANGED is defined here but is not listed in
	// the DecodeServerEntry documentation — confirm it is accepted there.
	SERVER_ENTRY_SOURCE_EMBEDDED   = "EMBEDDED"
	SERVER_ENTRY_SOURCE_REMOTE     = "REMOTE"
	SERVER_ENTRY_SOURCE_DISCOVERY  = "DISCOVERY"
	SERVER_ENTRY_SOURCE_TARGET     = "TARGET"
	SERVER_ENTRY_SOURCE_OBFUSCATED = "OBFUSCATED"
	SERVER_ENTRY_SOURCE_EXCHANGED  = "EXCHANGED"

	// Server capabilities, as carried in ServerEntry.Capabilities and
	// consulted by SupportsProtocol and SupportsSSHAPIRequests. Note that
	// the untunneled web API capability string is "handshake", not a
	// literal rendering of the constant name.
	CAPABILITY_SSH_API_REQUESTS            = "ssh-api-requests"
	CAPABILITY_UNTUNNELED_WEB_API_REQUESTS = "handshake"

	// Client capability, presumably advertised via
	// SSHPasswordPayload.ClientCapabilities — confirm.
	CLIENT_CAPABILITY_SERVER_REQUESTS = "server-requests"

	// Psiphon API request names.
	PSIPHON_API_HANDSHAKE_REQUEST_NAME     = "psiphon-handshake"
	PSIPHON_API_CONNECTED_REQUEST_NAME     = "psiphon-connected"
	PSIPHON_API_STATUS_REQUEST_NAME        = "psiphon-status"
	PSIPHON_API_OSL_REQUEST_NAME           = "psiphon-osl"
	PSIPHON_API_ALERT_REQUEST_NAME         = "psiphon-alert"
	PSIPHON_API_INPROXY_RELAY_REQUEST_NAME = "psiphon-inproxy-relay"

	// Alert reason values, presumably carried in AlertRequest.Reason.
	PSIPHON_API_ALERT_DISALLOWED_TRAFFIC = "disallowed-traffic"
	PSIPHON_API_ALERT_UNSAFE_TRAFFIC     = "unsafe-traffic"

	// PSIPHON_API_CLIENT_VERIFICATION_REQUEST_NAME may still be used by older Android clients
	PSIPHON_API_CLIENT_VERIFICATION_REQUEST_NAME = "psiphon-client-verification"

	// PSIPHON_API_CLIENT_SESSION_ID_LENGTH is the required session ID
	// length. Whether it counts raw bytes or encoded (hex) characters is
	// not visible here — check the validator before relying on it.
	PSIPHON_API_CLIENT_SESSION_ID_LENGTH = 16

	// API transport and payload encoding selectors, validated by
	// PsiphonAPIProtocolIsValid and PsiphonAPIEncodingIsValid. See
	// CBOREncoding for the CBOR mode in use.
	PSIPHON_API_PROTOCOL_SSH  = "ssh"
	PSIPHON_API_PROTOCOL_WEB  = "web"
	PSIPHON_API_ENCODING_CBOR = "cbor"
	PSIPHON_API_ENCODING_JSON = "json"

	// SSH channel types. The "@psiphon.ca" suffix follows the SSH
	// convention for vendor-specific names.
	// TCP_PORT_FORWARD_NO_SPLIT_TUNNEL_TYPE is presumably a direct-tcpip
	// variant that opts a forward out of split tunnelling (see
	// CHANNEL_REJECT_REASON_SPLIT_TUNNEL) — confirm.
	PACKET_TUNNEL_CHANNEL_TYPE            = "tun@psiphon.ca"
	RANDOM_STREAM_CHANNEL_TYPE            = "random@psiphon.ca"
	TCP_PORT_FORWARD_NO_SPLIT_TUNNEL_TYPE = "direct-tcpip-no-split-tunnel@psiphon.ca"

	// Reject reason codes are returned in SSH open channel responses.
	//
	// Values 0xFE000000 to 0xFFFFFFFF are reserved for "PRIVATE USE" (see
	// https://tools.ietf.org/rfc/rfc4254.html#section-5.1).
	CHANNEL_REJECT_REASON_SPLIT_TUNNEL = 0xFE000000

	// PSIPHON_API_HANDSHAKE_AUTHORIZATIONS is presumably the handshake
	// parameter name under which the client submits authorizations;
	// HandshakeResponse.ActiveAuthorizationIDs is the server's answer —
	// confirm.
	PSIPHON_API_HANDSHAKE_AUTHORIZATIONS = "authorizations"
)
const (
	// TLS protocol versions selectable for a profile.
	TLS_VERSION_12             = "TLSv1.2"
	TLS_VERSION_13             = "TLSv1.3"
	// TLS ClientHello fingerprint profiles, named after the client whose
	// ClientHello they imitate (presumably utls parrots; the exact mapping
	// is not visible here). TLS_PROFILE_RANDOMIZED is presumably the one
	// profile without a fixed fingerprint — see TLSProfileIsRandomized.
	// TLS12ProfileOmitsSessionTickets reports the TLS 1.2 profiles that
	// omit session tickets, which matters where
	// TunnelProtocolRequiresTLS12SessionTickets is true; likewise TLS 1.3
	// support matters where TunnelProtocolRequiresTLS13Support is true.
	// Additional profiles can be deployed as tactics via CustomTLSProfile.
	TLS_PROFILE_IOS_111        = "iOS-11.1"
	TLS_PROFILE_IOS_121        = "iOS-12.1"
	TLS_PROFILE_IOS_13         = "iOS-13"
	TLS_PROFILE_IOS_14         = "iOS-14"
	TLS_PROFILE_SAFARI_16      = "Safari-16"
	TLS_PROFILE_CHROME_58      = "Chrome-58"
	TLS_PROFILE_CHROME_62      = "Chrome-62"
	TLS_PROFILE_CHROME_70      = "Chrome-70"
	TLS_PROFILE_CHROME_72      = "Chrome-72"
	TLS_PROFILE_CHROME_83      = "Chrome-83"
	TLS_PROFILE_CHROME_96      = "Chrome-96"
	TLS_PROFILE_CHROME_102     = "Chrome-102"
	TLS_PROFILE_CHROME_106     = "Chrome-106"
	TLS_PROFILE_CHROME_112_PSK = "Chrome-112_PSK"
	TLS_PROFILE_FIREFOX_55     = "Firefox-55"
	TLS_PROFILE_FIREFOX_56     = "Firefox-56"
	TLS_PROFILE_FIREFOX_65     = "Firefox-65"
	TLS_PROFILE_FIREFOX_99     = "Firefox-99"
	TLS_PROFILE_FIREFOX_105    = "Firefox-105"
	TLS_PROFILE_RANDOMIZED     = "Randomized-v2"
)
const (
	// QUIC versions for QUIC-OSSH. The gQUIC entries are legacy Google
	// QUIC; the *_V1 entries are QUIC v1 and variants of it. The helpers
	// QUICVersionIsObfuscated, QUICVersionHasRandomizedClientHello and
	// QUICVersionUsesPathMTUDiscovery classify them. Per SupportsOnlyQUICv1,
	// gQUIC versions must not be selected for a server that supports only
	// QUICv1: they fail to connect and send atypical traffic to the server.
	QUIC_VERSION_GQUIC39       = "gQUICv39"
	QUIC_VERSION_GQUIC43       = "gQUICv43"
	QUIC_VERSION_GQUIC44       = "gQUICv44"
	QUIC_VERSION_OBFUSCATED    = "OBFUSCATED"
	QUIC_VERSION_V1            = "QUICv1"
	QUIC_VERSION_RANDOMIZED_V1 = "RANDOMIZED-QUICv1"
	QUIC_VERSION_OBFUSCATED_V1 = "OBFUSCATED-QUICv1"
	QUIC_VERSION_DECOY_V1      = "DECOY-QUICv1"
)
const (
	// Conjure transport names for CONJURE-OSSH (see ConjureTransports).
	// ConjureTransportUsesDTLS and ConjureTransportUsesSTUN classify them;
	// presumably the DTLS transport is the one that needs STUN — confirm.
	CONJURE_TRANSPORT_MIN_OSSH    = "Min-OSSH"
	CONJURE_TRANSPORT_PREFIX_OSSH = "Prefix-OSSH"
	CONJURE_TRANSPORT_DTLS_OSSH   = "DTLS-OSSH"
)

Variables

// CBOREncoding is the cbor.EncMode used for all Psiphon CBOR encoding. It is
// initialized (elsewhere, not visible here) to FIDO2 CTAP2 Canonical CBOR,
// a deterministic encoding, so a given value always serializes to the same
// bytes — this matters wherever encoded bytes feed a signature or
// comparison; confirm which call sites rely on it.
var CBOREncoding cbor.EncMode

CBOREncoding defines the specific CBOR encoding mode used for all Psiphon CBOR message encoding. It is initialized to FIDO2 CTAP2 Canonical CBOR, a deterministic encoding in which a given value always serializes to the same bytes.

DisabledTunnelProtocols are protocols which are still integrated, but which cannot be enabled in tactics and cannot be selected by clients.

// InproxyTunnelProtocols is presumably the list of tunnel protocols that run
// over an in-proxy hop (see TunnelProtocolUsesInproxy and
// TunnelProtocolIsCompatibleWithInproxy). The initializer shown here is
// empty; the documentation renderer may have elided a composite literal —
// confirm against source before assuming the list is really empty.
var InproxyTunnelProtocols = TunnelProtocols{}

Functions

func AllowServerEntrySourceWithUpstreamProxy

func AllowServerEntrySourceWithUpstreamProxy(source string) bool

func ConjureTransportUsesDTLS

func ConjureTransportUsesDTLS(transport string) bool

func ConjureTransportUsesSTUN

func ConjureTransportUsesSTUN(transport string) bool

func DecodePackedAPIParameters

func DecodePackedAPIParameters(packedParams PackedAPIParameters) (common.APIParameters, error)

DecodePackedAPIParameters converts PackedAPIParameters to common.APIParameters

func DeriveBPFServerProgramPRNGSeed

func DeriveBPFServerProgramPRNGSeed(obfuscatedKey string) (*prng.Seed, error)

func DeriveSSHServerKEXPRNGSeed

func DeriveSSHServerKEXPRNGSeed(obfuscatedKey string) (*prng.Seed, error)

func DeriveSSHServerVersionPRNGSeed

func DeriveSSHServerVersionPRNGSeed(obfuscatedKey string) (*prng.Seed, error)

func EncodeServerEntry

func EncodeServerEntry(serverEntry *ServerEntry) (string, error)

EncodeServerEntry returns a string containing the encoding of a ServerEntry following Psiphon conventions.

func EncodeServerEntryFields

func EncodeServerEntryFields(serverEntryFields ServerEntryFields) (string, error)

EncodeServerEntryFields returns a string containing the encoding of ServerEntryFields following Psiphon conventions.

func EquivilentTunnelProtocol

func EquivilentTunnelProtocol(t string) (string, error)

EquivilentTunnelProtocol returns the tunnel protocol equivalent of a fronting transport. This value may be used to select tactics, defined for the tunnel protocol, for the fronting transport.

func GenerateServerEntryTag

func GenerateServerEntryTag(ipAddress, webServerSecret string) string

GenerateServerEntryTag creates a server entry tag that is cryptographically derived from the IP address and the web server secret, such that it is difficult both to recover the IP address from the tag and to compute the tag without the web server secret — a 256-bit random value, unique per server — in addition to the IP address. A database consisting only of server entry tags should therefore be resistant to an attack that attempts to recover all the server IPs by enumeration, even given the small IPv4 address space or knowledge of some subset of the web server secrets.

func GetCapability

func GetCapability(protocol string) string

GetCapability returns the server capability corresponding to the tunnel protocol.

func GetPackedAPIParametersRequestPayload

func GetPackedAPIParametersRequestPayload(
	payload []byte) (common.APIParameters, bool, error)

GetPackedAPIParametersRequestPayload decodes the CBOR payload and converts the PackedAPIParameters to common.APIParameters.

GetPackedAPIParametersRequestPayload returns false and a nil error if the input payload is not CBOR data, which is the case for legacy JSON payloads.

func GetTacticsCapability

func GetTacticsCapability(protocol string) string

GetTacticsCapability returns the server tactics capability corresponding to the tunnel protocol.

func IsValidClientTunnelProtocol

func IsValidClientTunnelProtocol(
	clientProtocol string,
	listenerProtocol string,
	serverProtocols TunnelProtocols) bool

func MakePackedAPIParametersRequestPayload

func MakePackedAPIParametersRequestPayload(
	params common.APIParameters) ([]byte, error)

MakePackedAPIParametersRequestPayload converts common.APIParameters to PackedAPIParameters and encodes the packed parameters as CBOR data.

func NewServerEntrySignatureKeyPair

func NewServerEntrySignatureKeyPair() (string, string, error)

NewServerEntrySignatureKeyPair creates an ed25519 key pair for use in server entry signing and verification.

func PsiphonAPIEncodingIsValid

func PsiphonAPIEncodingIsValid(protocol string) bool

func PsiphonAPIProtocolIsValid

func PsiphonAPIProtocolIsValid(protocol string) bool

func QUICVersionHasRandomizedClientHello

func QUICVersionHasRandomizedClientHello(version string) bool

func QUICVersionIsObfuscated

func QUICVersionIsObfuscated(version string) bool

func QUICVersionUsesPathMTUDiscovery

func QUICVersionUsesPathMTUDiscovery(version string) bool

func SetFrontedMeekHTTPDialPortNumber

func SetFrontedMeekHTTPDialPortNumber(port int)

SetFrontedMeekHTTPDialPortNumber sets the FRONTED-MEEK-OSSH dial port number, which defaults to 443. Overriding the port number enables running test servers where binding to port 443 is not possible.

func TLS12ProfileOmitsSessionTickets

func TLS12ProfileOmitsSessionTickets(tlsProfile string) bool

func TLSProfileIsRandomized

func TLSProfileIsRandomized(tlsProfile string) bool

func TagToDiagnosticID

func TagToDiagnosticID(tag string) string

TagToDiagnosticID returns a prefix of the server entry tag that should be sufficient to uniquely identify servers in diagnostics, while also being more human readable than emitting the full tag. The tag is used as the base of the diagnostic ID as it doesn't leak the server IP address in diagnostic output.

func TunnelProtocolIsCompatibleWithFragmentor

func TunnelProtocolIsCompatibleWithFragmentor(protocol string) bool

func TunnelProtocolIsCompatibleWithInproxy

func TunnelProtocolIsCompatibleWithInproxy(protocol string) bool

func TunnelProtocolIsDirect

func TunnelProtocolIsDirect(protocol string) bool

func TunnelProtocolIsObfuscatedSSH

func TunnelProtocolIsObfuscatedSSH(protocol string) bool

func TunnelProtocolIsResourceIntensive

func TunnelProtocolIsResourceIntensive(protocol string) bool

func TunnelProtocolMayUseClientBPF

func TunnelProtocolMayUseClientBPF(protocol string) bool

func TunnelProtocolMayUseServerPacketManipulation

func TunnelProtocolMayUseServerPacketManipulation(protocol string) bool

func TunnelProtocolMinusInproxy

func TunnelProtocolMinusInproxy(protocol string) string

func TunnelProtocolPlusInproxyWebRTC

func TunnelProtocolPlusInproxyWebRTC(protocol string) string

func TunnelProtocolRequiresTLS12SessionTickets

func TunnelProtocolRequiresTLS12SessionTickets(protocol string) bool

func TunnelProtocolRequiresTLS13Support

func TunnelProtocolRequiresTLS13Support(protocol string) bool

func TunnelProtocolSupportsPassthrough

func TunnelProtocolSupportsPassthrough(protocol string) bool

func TunnelProtocolSupportsTactics

func TunnelProtocolSupportsTactics(protocol string) bool

func TunnelProtocolSupportsUpstreamProxy

func TunnelProtocolSupportsUpstreamProxy(protocol string) bool

func TunnelProtocolUsesConjure

func TunnelProtocolUsesConjure(protocol string) bool

func TunnelProtocolUsesFrontedMeek

func TunnelProtocolUsesFrontedMeek(protocol string) bool

func TunnelProtocolUsesFrontedMeekQUIC

func TunnelProtocolUsesFrontedMeekQUIC(protocol string) bool

func TunnelProtocolUsesInproxy

func TunnelProtocolUsesInproxy(protocol string) bool

func TunnelProtocolUsesMeek

func TunnelProtocolUsesMeek(protocol string) bool

func TunnelProtocolUsesMeekHTTP

func TunnelProtocolUsesMeekHTTP(protocol string) bool

func TunnelProtocolUsesMeekHTTPNormalizer

func TunnelProtocolUsesMeekHTTPNormalizer(protocol string) bool

func TunnelProtocolUsesMeekHTTPS

func TunnelProtocolUsesMeekHTTPS(protocol string) bool

func TunnelProtocolUsesObfuscatedSSH

func TunnelProtocolUsesObfuscatedSSH(protocol string) bool

func TunnelProtocolUsesObfuscatedSessionTickets

func TunnelProtocolUsesObfuscatedSessionTickets(protocol string) bool

func TunnelProtocolUsesQUIC

func TunnelProtocolUsesQUIC(protocol string) bool

func TunnelProtocolUsesRefractionNetworking

func TunnelProtocolUsesRefractionNetworking(protocol string) bool

func TunnelProtocolUsesSSH

func TunnelProtocolUsesSSH(protocol string) bool

func TunnelProtocolUsesTCP

func TunnelProtocolUsesTCP(protocol string) bool

func TunnelProtocolUsesTLSOSSH

func TunnelProtocolUsesTLSOSSH(protocol string) bool

NOTE: breaks the naming convention of dropping the OSSH suffix because UsesTLS is ambiguous by itself as there are other protocols which use a TLS layer, e.g. UNFRONTED-MEEK-HTTPS-OSSH.

func TunnelProtocolUsesTapDance

func TunnelProtocolUsesTapDance(protocol string) bool

func ValidateServerEntryFields

func ValidateServerEntryFields(serverEntryFields ServerEntryFields) error

ValidateServerEntryFields checks for malformed server entries.

Types

type ALPNExtensionCompat

// ALPNExtensionCompat redefines utls.ALPNExtension so that already deployed
// tactics keep decoding; see the note on NPNExtensionCompat.
type ALPNExtensionCompat utls.ALPNExtension

type AlertRequest

// AlertRequest is the payload of the psiphon-alert request
// (PSIPHON_API_ALERT_REQUEST_NAME). Reason is presumably one of the
// PSIPHON_API_ALERT_* values — confirm against the sender.
// NOTE(review): ActionURLs are received over the API; validate scheme and
// host before opening them in a UI.
type AlertRequest struct {
	Reason     string   `json:"reason"`
	Subject    string   `json:"subject"`
	ActionURLs []string `json:"action"` // JSON key is "action", not "action_urls"
}

type ApplicationSettingsExtensionCompat

// ApplicationSettingsExtensionCompat redefines
// utls.ApplicationSettingsExtension for tactics compatibility; see the note
// on NPNExtensionCompat.
type ApplicationSettingsExtensionCompat utls.ApplicationSettingsExtension

type ConditionallyEnabledComponents

// ConditionallyEnabledComponents reports which conditionally compiled
// protocol components are present in this build. GetSupportedProtocols
// consults it so that protocols whose component is absent are not offered.
type ConditionallyEnabledComponents interface {
	// QUICEnabled reports whether the QUIC component is compiled in.
	QUICEnabled() bool
	// RefractionNetworkingEnabled reports whether the refraction networking
	// (TapDance/Conjure) component is compiled in.
	RefractionNetworkingEnabled() bool
	// InproxyEnabled reports whether the in-proxy component is compiled in.
	InproxyEnabled() bool
}

ConditionallyEnabledComponents defines an interface which can be queried to determine which conditionally compiled protocol components are present.

type ConjureTransports

// ConjureTransports is a list of Conjure transport names (see the
// CONJURE_TRANSPORT_* constants). Validate presumably rejects unknown names
// and PruneInvalid drops them — confirm.
type ConjureTransports []string

func (ConjureTransports) PruneInvalid

func (transports ConjureTransports) PruneInvalid() ConjureTransports

func (ConjureTransports) Validate

func (transports ConjureTransports) Validate() error

type ConnectedResponse

// ConnectedResponse is the reply to the psiphon-connected request
// (PSIPHON_API_CONNECTED_REQUEST_NAME).
type ConnectedResponse struct {
	ConnectedTimestamp string `json:"connected_timestamp"`
	// Padding is presumably random filler used to vary the response size —
	// confirm.
	Padding            string `json:"padding"`
}

type CustomTLSProfile

// CustomTLSProfile specifies a custom TLS profile, used to deploy custom
// ClientHellos as tactics data.
type CustomTLSProfile struct {
	// Name must be unique across a CustomTLSProfiles list; Validate reports
	// conflicts.
	Name     string
	// UTLSSpec is the ClientHello definition consumed by GetClientHelloSpec.
	UTLSSpec *UTLSSpec
}

CustomTLSProfile specifies custom TLS profile. This is used to deploy custom ClientHellos as tactics data.

func (*CustomTLSProfile) GetClientHelloSpec

func (profile *CustomTLSProfile) GetClientHelloSpec() (*utls.ClientHelloSpec, error)

GetClientHelloSpec creates a new utls.ClientHelloSpec from the ClientHello definition in UTLSSpec.

A new utls.ClientHelloSpec, with no shared data, is created for each call, as per: https://github.com/refraction-networking/utls/blob/4da67951864128358459681399dd208c49d5d001/u_parrots.go#L483

type CustomTLSProfiles

// CustomTLSProfiles is a list of custom TLS profiles; Validate checks that
// each is initialized and that names do not conflict.
type CustomTLSProfiles []*CustomTLSProfile

func (CustomTLSProfiles) Validate

func (profiles CustomTLSProfiles) Validate() error

Validate checks that the profiles in CustomTLSProfiles are initialized and have no name conflicts.

type DelegatedCredentialsExtensionCompat

// DelegatedCredentialsExtensionCompat redefines
// utls.DelegatedCredentialsExtension for tactics compatibility; see the note
// on NPNExtensionCompat.
type DelegatedCredentialsExtensionCompat utls.DelegatedCredentialsExtension

type FakeChannelIDExtensionCompat

// FakeChannelIDExtensionCompat redefines utls.FakeChannelIDExtension for
// tactics compatibility; see the note on NPNExtensionCompat.
type FakeChannelIDExtensionCompat utls.FakeChannelIDExtension

type FakeRecordSizeLimitExtensionCompat

// FakeRecordSizeLimitExtensionCompat redefines
// utls.FakeRecordSizeLimitExtension for tactics compatibility; see the note
// on NPNExtensionCompat.
type FakeRecordSizeLimitExtensionCompat utls.FakeRecordSizeLimitExtension

type FrontingTransports

// FrontingTransports lists transport protocols used for non-tunnel, fronted
// connections such as in-proxy broker requests (see the FRONTING_TRANSPORT_*
// constants and EquivilentTunnelProtocol).
type FrontingTransports []string

FrontingTransports are transport protocols used for non-tunnel, fronted connections such as in-proxy broker requests.

func (FrontingTransports) Validate

func (transports FrontingTransports) Validate() error

type GenericExtensionCompat

// GenericExtensionCompat redefines utls.GenericExtension for tactics
// compatibility; see the note on NPNExtensionCompat.
type GenericExtensionCompat utls.GenericExtension

type HandshakeResponse

// HandshakeResponse is the reply to the psiphon-handshake request
// (PSIPHON_API_HANDSHAKE_REQUEST_NAME). Every field is peer-supplied input
// and should be treated as untrusted by the consumer.
type HandshakeResponse struct {
	SSHSessionID             string              `json:"ssh_session_id"`
	// Homepages are URLs; validate before presenting or opening them.
	Homepages                []string            `json:"homepages"`
	UpgradeClientVersion     string              `json:"upgrade_client_version"`
	// PageViewRegexes and HttpsRequestRegexes are regular expressions
	// supplied over the API; how the consumer bounds their count and size
	// is not visible here — confirm before compiling them.
	PageViewRegexes          []map[string]string `json:"page_view_regexes"`
	HttpsRequestRegexes      []map[string]string `json:"https_request_regexes"`
	// EncodedServerList is presumably in the list encoding accepted by
	// DecodeServerEntryList, which validates each entry and skips invalid
	// ones.
	EncodedServerList        []string            `json:"encoded_server_list"`
	// ClientRegion and ClientAddress are presumably the region and address
	// the server observed for this client — confirm.
	ClientRegion             string              `json:"client_region"`
	ClientAddress            string              `json:"client_address"`
	ServerTimestamp          string              `json:"server_timestamp"`
	// ActiveAuthorizationIDs presumably lists which of the submitted
	// authorizations (PSIPHON_API_HANDSHAKE_AUTHORIZATIONS) are active.
	ActiveAuthorizationIDs   []string            `json:"active_authorization_ids"`
	// TacticsPayload is kept as raw JSON so its decoding is deferred to the
	// tactics consumer.
	TacticsPayload           json.RawMessage     `json:"tactics_payload"`
	UpstreamBytesPerSecond   int64               `json:"upstream_bytes_per_second"`
	DownstreamBytesPerSecond int64               `json:"downstream_bytes_per_second"`
	SteeringIP               string              `json:"steering_ip"`
	// Padding is presumably random filler used to vary the response size —
	// confirm.
	Padding                  string              `json:"padding"`
}

type InproxyRelayRequest

// InproxyRelayRequest is the CBOR payload of the psiphon-inproxy-relay
// request (PSIPHON_API_INPROXY_RELAY_REQUEST_NAME); Packet is an opaque
// relay packet encoded under integer key 1 and omitted when empty.
type InproxyRelayRequest struct {
	Packet []byte `cbor:"1,keyasint,omitempty"`
}

type InproxyRelayResponse

// InproxyRelayResponse is the CBOR reply to InproxyRelayRequest; Packet is
// an opaque relay packet encoded under integer key 1 and omitted when empty.
type InproxyRelayResponse struct {
	Packet []byte `cbor:"1,keyasint,omitempty"`
}

type KeyShareExtensionCompat

// KeyShareExtensionCompat is the tactics-compatible form of the uTLS key
// share extension; see the note on NPNExtensionCompat. Each entry pairs a
// utls.CurveID with what is presumably the raw key share for that group —
// confirm whether Data is populated from tactics or generated at dial time.
type KeyShareExtensionCompat struct {
	KeyShares []struct {
		Group utls.CurveID
		Data  []byte
	}
}

type LabeledQUICVersions

// LabeledQUICVersions maps a label (the key semantics are not visible here)
// to a QUICVersions list; Validate and PruneInvalid apply per list.
type LabeledQUICVersions map[string]QUICVersions

func (LabeledQUICVersions) PruneInvalid

func (labeledVersions LabeledQUICVersions) PruneInvalid() LabeledQUICVersions

func (LabeledQUICVersions) Validate

func (labeledVersions LabeledQUICVersions) Validate() error

type LabeledTLSProfiles

// LabeledTLSProfiles maps a label (the key semantics are not visible here)
// to a TLSProfiles list. Validate and PruneInvalid take the custom profile
// names so that profiles deployed via CustomTLSProfiles are accepted.
type LabeledTLSProfiles map[string]TLSProfiles

func (LabeledTLSProfiles) PruneInvalid

func (labeledProfiles LabeledTLSProfiles) PruneInvalid(customTLSProfiles []string) LabeledTLSProfiles

func (LabeledTLSProfiles) Validate

func (labeledProfiles LabeledTLSProfiles) Validate(customTLSProfiles []string) error

type LabeledTunnelProtocols

// LabeledTunnelProtocols maps a label (the key semantics are not visible
// here) to a TunnelProtocols list; Validate and PruneInvalid apply per list.
type LabeledTunnelProtocols map[string]TunnelProtocols

func (LabeledTunnelProtocols) PruneInvalid

func (labeledProtocols LabeledTunnelProtocols) PruneInvalid() LabeledTunnelProtocols

func (LabeledTunnelProtocols) Validate

func (labeledProtocols LabeledTunnelProtocols) Validate() error

type MeekCookieData

// MeekCookieData is the structured content of a meek cookie. The JSON keys
// are single letters to keep the cookie short. It is presumably encrypted
// for the server under ServerEntry.MeekCookieEncryptionPublicKey — confirm.
type MeekCookieData struct {
	MeekProtocolVersion  int    `json:"v"`
	// ClientTunnelProtocol is the tunnel protocol the client is using;
	// IsValidClientTunnelProtocol presumably checks it against the
	// listener — confirm.
	ClientTunnelProtocol string `json:"t"`
	EndPoint             string `json:"e"`
}

type NPNExtensionCompat

// NPNExtensionCompat redefines utls.NPNExtension. uTLS added an Unmarshaler
// interface to its TLS extensions, which is not compatible with currently
// deployed tactics; the *Compat types in this package redefine the
// extension types to maintain compatibility. This may change in the future.
type NPNExtensionCompat utls.NPNExtension

Redefined uTLS extensions. uTLS added an Unmarshaler interface to its TLS extensions, which is not compatible with currently deployed tactics. We redefine the types to maintain compatibility. This may change in the future.

type OSLRequest

// OSLRequest is the payload of the psiphon-osl request
// (PSIPHON_API_OSL_REQUEST_NAME). What a SLOK is and how SeedPayload is
// applied belong to the osl package and are not visible here.
type OSLRequest struct {
	ClearLocalSLOKs bool             `json:"clear_local_sloks"`
	SeedPayload     *osl.SeedPayload `json:"seed_payload"`
}

type PSKKeyExchangeModesExtensionCompat

// PSKKeyExchangeModesExtensionCompat redefines
// utls.PSKKeyExchangeModesExtension for tactics compatibility; see the note
// on NPNExtensionCompat.
type PSKKeyExchangeModesExtensionCompat utls.PSKKeyExchangeModesExtension

type PackedAPIParameters

// PackedAPIParameters is the integer-keyed form of common.APIParameters.
// EncodePackedAPIParameters and DecodePackedAPIParameters convert between
// the two; GetNetworkType is a typed accessor for one well-known parameter.
type PackedAPIParameters map[int]interface{}

PackedAPIParameters is a compacted representation of common.APIParameters using integer keys in place of string keys, and with some values represented in compacted form, such as byte slices in place of hex or base64 strings.

The PackedAPIParameters representation is intended to be used to create compacted, CBOR encodings of API parameters.

func EncodePackedAPIParameters

func EncodePackedAPIParameters(params common.APIParameters) (PackedAPIParameters, error)

EncodePackedAPIParameters converts common.APIParameters to PackedAPIParameters.

func (PackedAPIParameters) GetNetworkType

func (p PackedAPIParameters) GetNetworkType() (string, bool)

GetNetworkType returns the "network_type" API parameter value, if present.

type PackedServerEntryFields

// PackedServerEntryFields is the compact, CBOR-oriented form of
// ServerEntryFields (integer keys, byte slices in place of hex/base64).
type PackedServerEntryFields struct {
	// Fields holds the recognized fields under their packed integer keys.
	Fields             map[int]interface{}    `cbor:"1,keyasint,omitempty"`
	// UnrecognizedFields holds raw, unpacked fields under their original
	// string keys, so a signed entry with fields this version does not know
	// can still be carried and re-verified.
	UnrecognizedFields map[string]interface{} `cbor:"2,keyasint,omitempty"`
}

PackedServerEntryFields is a compacted representation of ServerEntryFields using integer keys in place of string keys, and with some values represented in compacted form, such as byte slices in place of hex or base64 strings.

The PackedServerEntryFields representation is intended to be used in CBOR-encoded messages, including in-proxy broker requests.

To support older clients encoding signed server entries with new, unrecognized fields, the encoded structure includes a list of packed fields, Fields, and a list of raw, unpacked fields, UnrecognizedFields.

func EncodePackedServerEntryFields

func EncodePackedServerEntryFields(
	serverEntryFields ServerEntryFields) (PackedServerEntryFields, error)

EncodePackedServerEntryFields converts serverEntryFields to PackedServerEntryFields.

type QUICVersions

// QUICVersions is a list of QUIC version names (see the QUIC_VERSION_*
// constants). Validate presumably rejects unknown names and PruneInvalid
// drops them — confirm.
type QUICVersions []string

func (QUICVersions) PruneInvalid

func (versions QUICVersions) PruneInvalid() QUICVersions

func (QUICVersions) Validate

func (versions QUICVersions) Validate() error

type RandomStreamRequest

// RandomStreamRequest presumably accompanies a RANDOM_STREAM_CHANNEL_TYPE
// channel open and gives the number of bytes to stream in each direction —
// confirm.
type RandomStreamRequest struct {
	UpstreamBytes   int `json:"u"`
	DownstreamBytes int `json:"d"`
}

type RenegotiationInfoExtensionCompat

// RenegotiationInfoExtensionCompat redefines utls.RenegotiationInfoExtension
// for tactics compatibility; see the note on NPNExtensionCompat.
type RenegotiationInfoExtensionCompat utls.RenegotiationInfoExtension

type SCTExtensionCompat

// SCTExtensionCompat redefines utls.SCTExtension for tactics compatibility;
// see the note on NPNExtensionCompat.
type SCTExtensionCompat utls.SCTExtension

type SNIExtensionCompat

// SNIExtensionCompat redefines utls.SNIExtension for tactics compatibility;
// see the note on NPNExtensionCompat.
type SNIExtensionCompat utls.SNIExtension

type SSHPasswordPayload

// SSHPasswordPayload is the structured value sent in the SSH password field.
// Note the PascalCase JSON keys, unlike the snake_case used elsewhere in
// this package; they are wire values and must not be normalized.
// NOTE(review): SshPassword is a credential — keep this payload out of logs.
type SSHPasswordPayload struct {
	// SessionId is presumably subject to PSIPHON_API_CLIENT_SESSION_ID_LENGTH
	// — confirm against the validator.
	SessionId          string   `json:"SessionId"`
	SshPassword        string   `json:"SshPassword"`
	// ClientCapabilities presumably carries CLIENT_CAPABILITY_* values.
	ClientCapabilities []string `json:"ClientCapabilities"`
}

type ServerEntry

// ServerEntry represents a Psiphon server. It contains information about how
// to establish a tunnel connection to the server through several protocols.
// Server entries are JSON records downloaded from various sources.
//
// NOTE(review): several fields are shared secrets (WebServerSecret,
// SshPassword, SshObfuscatedKey, MeekObfuscatedKey,
// TacticsRequestObfuscatedKey, InproxySessionRootObfuscationSecret). Keep
// whole entries out of logs; use GetDiagnosticID/TagToDiagnosticID in
// diagnostics, which are based on the tag precisely because it does not
// leak the server IP address.
type ServerEntry struct {
	// Tag is cryptographically derived from IpAddress and WebServerSecret by
	// GenerateServerEntryTag and is the basis of the diagnostic ID.
	Tag                                 string   `json:"tag,omitempty"`
	IpAddress                           string   `json:"ipAddress,omitempty"`
	WebServerPort                       string   `json:"webServerPort,omitempty"` // not an int
	// WebServerSecret is a 256-bit random value unique per server (see
	// GenerateServerEntryTag). Secret material.
	WebServerSecret                     string   `json:"webServerSecret,omitempty"`
	WebServerCertificate                string   `json:"webServerCertificate,omitempty"`
	SshPort                             int      `json:"sshPort,omitempty"`
	SshUsername                         string   `json:"sshUsername,omitempty"`
	// SshPassword is a credential; see also SSHPasswordPayload.
	SshPassword                         string   `json:"sshPassword,omitempty"`
	// SshHostKey is presumably the pinned host key used to authenticate the
	// server's SSH layer — confirm in the dialer.
	SshHostKey                          string   `json:"sshHostKey,omitempty"`
	SshObfuscatedPort                   int      `json:"sshObfuscatedPort,omitempty"`
	SshObfuscatedQUICPort               int      `json:"sshObfuscatedQUICPort,omitempty"`
	// LimitQUICVersions presumably restricts the QUIC versions used with
	// this server; see SupportsOnlyQUICv1 and GetSupportedProtocols.
	LimitQUICVersions                   []string `json:"limitQUICVersions,omitempty"`
	SshObfuscatedTapDancePort           int      `json:"sshObfuscatedTapdancePort,omitempty"`
	SshObfuscatedConjurePort            int      `json:"sshObfuscatedConjurePort,omitempty"`
	// SshObfuscatedKey is a shared obfuscation secret; presumably the
	// obfuscatedKey argument to DeriveSSHServerKEXPRNGSeed,
	// DeriveSSHServerVersionPRNGSeed and DeriveBPFServerProgramPRNGSeed.
	SshObfuscatedKey                    string   `json:"sshObfuscatedKey,omitempty"`
	// Capabilities lists the server's capabilities (CAPABILITY_* values and
	// per-protocol capabilities; see GetCapability, SupportsProtocol and
	// SupportsSSHAPIRequests).
	Capabilities                        []string `json:"capabilities,omitempty"`
	Region                              string   `json:"region,omitempty"`
	ProviderID                          string   `json:"providerID,omitempty"`
	FrontingProviderID                  string   `json:"frontingProviderID,omitempty"`
	TlsOSSHPort                         int      `json:"tlsOSSHPort,omitempty"`
	MeekServerPort                      int      `json:"meekServerPort,omitempty"`
	// MeekCookieEncryptionPublicKey is presumably the key under which
	// MeekCookieData is encrypted for the server — confirm.
	MeekCookieEncryptionPublicKey       string   `json:"meekCookieEncryptionPublicKey,omitempty"`
	// MeekObfuscatedKey is a shared obfuscation secret.
	MeekObfuscatedKey                   string   `json:"meekObfuscatedKey,omitempty"`
	// Fronting parameters for the FRONTED-MEEK-* protocols. Whether the
	// front's TLS certificate is verified is not visible here.
	MeekFrontingHost                    string   `json:"meekFrontingHost,omitempty"`
	MeekFrontingHosts                   []string `json:"meekFrontingHosts,omitempty"`
	MeekFrontingDomain                  string   `json:"meekFrontingDomain,omitempty"`
	MeekFrontingAddresses               []string `json:"meekFrontingAddresses,omitempty"`
	MeekFrontingAddressesRegex          string   `json:"meekFrontingAddressesRegex,omitempty"`
	MeekFrontingDisableSNI              bool     `json:"meekFrontingDisableSNI,omitempty"`
	// Tactics request keys; the obfuscated key is secret material.
	TacticsRequestPublicKey             string   `json:"tacticsRequestPublicKey,omitempty"`
	TacticsRequestObfuscatedKey         string   `json:"tacticsRequestObfuscatedKey,omitempty"`
	ConfigurationVersion                int      `json:"configurationVersion,omitempty"`
	// Signature is the ed25519 signature attached by
	// ServerEntryFields.AddSignature (see HasSignature). The local fields
	// at the end of this struct are not covered by it; RemoveUnsignedFields
	// strips them.
	Signature                           string   `json:"signature,omitempty"`
	// Per-server opt-outs for obfuscation transforms; presumably consulted
	// by the dialer — confirm.
	DisableHTTPTransforms               bool     `json:"disableHTTPTransforms,omitempty"`
	DisableObfuscatedQUICTransforms     bool     `json:"disableObfuscatedQUICTransforms,omitempty"`
	DisableOSSHTransforms               bool     `json:"disableOSSHTransforms,omitempty"`
	DisableOSSHPrefix                   bool     `json:"disableOSSHPrefix,omitempty"`
	// In-proxy parameters. InproxySessionRootObfuscationSecret is secret
	// material; the Inproxy*Port fields are presumably the ports dialed via
	// the in-proxy hop (see IsValidInproxyDialAddress) — confirm.
	InproxySessionPublicKey             string   `json:"inproxySessionPublicKey,omitempty"`
	InproxySessionRootObfuscationSecret string   `json:"inproxySessionRootObfuscationSecret,omitempty"`
	InproxySSHPort                      int      `json:"inproxySSHPort,omitempty"`
	InproxyOSSHPort                     int      `json:"inproxyOSSHPort,omitempty"`
	InproxyQUICPort                     int      `json:"inproxyQUICPort,omitempty"`
	InproxyMeekPort                     int      `json:"inproxyMeekPort,omitempty"`
	InproxyTlsOSSHPort                  int      `json:"inproxyTlsOSSHPort,omitempty"`

	// These local fields are not expected to be present in downloaded server
	// entries. They are added by the client to record and report stats about
	// how and when server entries are obtained (see DecodeServerEntry).
	// All local fields must be included in the list of fields in
	// RemoveUnsignedFields, since they are not covered by Signature.
	LocalSource       string `json:"localSource,omitempty"`
	LocalTimestamp    string `json:"localTimestamp,omitempty"`
	// IsLocalDerivedTag presumably records that Tag was computed locally by
	// the client rather than received in the entry — confirm.
	IsLocalDerivedTag bool   `json:"isLocalDerivedTag,omitempty"`
}

ServerEntry represents a Psiphon server. It contains information about how to establish a tunnel connection to the server through several protocols. Server entries are JSON records downloaded from various sources.

func DecodeServerEntry

func DecodeServerEntry(
	encodedServerEntry, timestamp, serverEntrySource string) (*ServerEntry, error)

DecodeServerEntry extracts a server entry from the encoding used by remote server lists and Psiphon server handshake requests.

The resulting ServerEntry.LocalSource is populated with serverEntrySource, which should be one of SERVER_ENTRY_SOURCE_EMBEDDED, SERVER_ENTRY_SOURCE_REMOTE, SERVER_ENTRY_SOURCE_DISCOVERY, SERVER_ENTRY_SOURCE_TARGET, SERVER_ENTRY_SOURCE_OBFUSCATED. ServerEntry.LocalTimestamp is populated with the provided timestamp, which should be an RFC 3339-formatted string. These local fields are stored with the server entry and reported to the server as stats (a coarse-granularity timestamp is reported).

func (*ServerEntry) GetDiagnosticID

func (serverEntry *ServerEntry) GetDiagnosticID() string

func (*ServerEntry) GetDialPortNumber

func (serverEntry *ServerEntry) GetDialPortNumber(tunnelProtocol string) (int, error)

func (*ServerEntry) GetSupportedProtocols

func (serverEntry *ServerEntry) GetSupportedProtocols(
	conditionallyEnabled ConditionallyEnabledComponents,
	useUpstreamProxy bool,
	limitTunnelProtocols TunnelProtocols,
	limitTunnelDialPortNumbers TunnelProtocolPortLists,
	limitQUICVersions QUICVersions,
	excludeIntensive bool,
	excludeInproxy bool) TunnelProtocols

GetSupportedProtocols returns a list of tunnel protocols supported by the ServerEntry's capabilities and allowed by various constraints.

func (*ServerEntry) GetSupportedTacticsProtocols

func (serverEntry *ServerEntry) GetSupportedTacticsProtocols() []string

GetSupportedTacticsProtocols returns a list of tunnel protocols, supported by the ServerEntry's capabilities, that may be used for tactics requests.

func (*ServerEntry) GetTLSSessionCacheKeyAddress

func (serverEntry *ServerEntry) GetTLSSessionCacheKeyAddress(tunnelProtocol string) (string, error)

GetTLSSessionCacheKeyAddress returns a network address (IP:port) that is suitable to use as a TLS session cache key.

By default, TLS implementations, including crypto/tls and utls use SNI as a session cache key, but this is not a suitable key when SNI is manipulated. When SNI is not present, these implementations fall back to using the peer remote address, which is also not a suitable key in cases where there is a non-TLS-terminating temporary intermediary, such as an in-proxy proxy.

The key is unique to the Psiphon server and tunnel protocol listener. For direct tunnel protocols, the key precisely maps TLS sessions to the corresponding TLS server. For indirect tunnel protocols, with an intermediate TLS server, the key is an approximate map which assumes the redials will mostly use the same intermediate TLS server.

Do not use the GetTLSSessionCacheKeyAddress value for dialing.

func (*ServerEntry) HasProviderID

func (serverEntry *ServerEntry) HasProviderID() bool

func (*ServerEntry) HasSignature

func (serverEntry *ServerEntry) HasSignature() bool

func (*ServerEntry) IsValidInproxyDialAddress

func (serverEntry *ServerEntry) IsValidInproxyDialAddress(
	networkProtocol string, dialHost string, dialPortNumber int) bool

IsValidInproxyDialAddress indicates whether the dial destination network/host/port matches the dial parameters for any of the tunnel protocols supported by the server entry.

Limitations:
- TAPDANCE-OSSH and CONJURE-OSSH are not supported.
- The HTTP Host header is not considered in the case of fronted protocols; only the network, host and port of the dial are checked.

func (*ServerEntry) ProtocolUsesLegacyPassthrough

func (serverEntry *ServerEntry) ProtocolUsesLegacyPassthrough(protocol string) bool

ProtocolUsesLegacyPassthrough indicates whether the ServerEntry supports the specified protocol using legacy passthrough messages.

There is no corresponding check for v2 passthrough, as clients send v2 passthrough messages unconditionally, by default, for passthrough protocols.

func (*ServerEntry) SupportsOnlyQUICv1

func (serverEntry *ServerEntry) SupportsOnlyQUICv1() bool

SupportsOnlyQUICv1 indicates that the QUIC-OSSH server supports only QUICv1 and gQUIC versions should not be selected, as they will fail to connect while sending atypical traffic to the server.

SupportsOnlyQUICv1 strictly applies to QUIC-OSSH and not the in-proxy variant.

func (*ServerEntry) SupportsProtocol

func (serverEntry *ServerEntry) SupportsProtocol(protocol string) bool

SupportsProtocol returns true if and only if the ServerEntry has the necessary capability to support the specified tunnel protocol.

func (*ServerEntry) SupportsSSHAPIRequests

func (serverEntry *ServerEntry) SupportsSSHAPIRequests() bool

SupportsSSHAPIRequests returns true when the server supports SSH API requests.

type ServerEntryFields

// ServerEntryFields is the string-keyed map form of ServerEntry that also
// retains unrecognized fields. The secret-bearing fields of ServerEntry are
// present here under their JSON keys as well (GetWebServerSecret exposes
// one); do not dump the map in diagnostics — use GetDiagnosticID.
type ServerEntryFields map[string]interface{}

ServerEntryFields is an alternate representation of ServerEntry which enables future compatibility when unmarshaling and persisting new server entries which may contain new, unrecognized fields not in the ServerEntry type for a particular client version.

When new JSON server entries with new fields are unmarshaled to ServerEntry types, unrecognized fields are discarded. When unmarshaled to ServerEntryFields, unrecognized fields are retained and may be persisted and available when the client is upgraded and unmarshals to an updated ServerEntry type.

func DecodePackedServerEntryFields

func DecodePackedServerEntryFields(
	packedServerEntryFields PackedServerEntryFields) (ServerEntryFields, error)

DecodePackedServerEntryFields converts PackedServerEntryFields to ServerEntryFields.

func DecodeServerEntryFields

func DecodeServerEntryFields(
	encodedServerEntry, timestamp, serverEntrySource string) (ServerEntryFields, error)

DecodeServerEntryFields extracts an encoded server entry into a ServerEntryFields type, much like DecodeServerEntry. Unrecognized fields not in ServerEntry are retained in the ServerEntryFields.

LocalSource/LocalTimestamp map entries are set only when the corresponding inputs are non-blank.

func DecodeServerEntryList

func DecodeServerEntryList(
	encodedServerEntryList, timestamp,
	serverEntrySource string) ([]ServerEntryFields, error)

DecodeServerEntryList extracts server entries from the list encoding used by remote server lists and Psiphon server handshake requests. Each server entry is validated; invalid entries are skipped rather than surfaced as an error, so a caller receives no indication that a malformed entry was present in an otherwise well-formed list. See DecodeServerEntry for the note on serverEntrySource/timestamp.

func (ServerEntryFields) AddSignature

func (fields ServerEntryFields) AddSignature(publicKey, privateKey string) error

AddSignature signs a server entry and attaches a new field containing the signature. Any existing "signature" field is replaced. The data that is signed is the JSON marshalling of the fields that remain after RemoveUnsignedFields (see that method).

The signature includes a public key ID that is derived from a digest of the public key value. This ID is intended for future use when multiple signing keys may be deployed. It is an identifier only and carries no trust by itself: the verifier must still be supplied with the trusted public key (see VerifySignature).

func (ServerEntryFields) GetConfigurationVersion

func (fields ServerEntryFields) GetConfigurationVersion() int

func (ServerEntryFields) GetDiagnosticID

func (fields ServerEntryFields) GetDiagnosticID() string

func (ServerEntryFields) GetIPAddress

func (fields ServerEntryFields) GetIPAddress() string

func (ServerEntryFields) GetLocalSource

func (fields ServerEntryFields) GetLocalSource() string

func (ServerEntryFields) GetLocalTimestamp

func (fields ServerEntryFields) GetLocalTimestamp() string

func (ServerEntryFields) GetServerEntry

func (fields ServerEntryFields) GetServerEntry() (*ServerEntry, error)

GetServerEntry converts a ServerEntryFields into a ServerEntry.

func (ServerEntryFields) GetTag

func (fields ServerEntryFields) GetTag() string

func (ServerEntryFields) GetWebServerCertificate

func (fields ServerEntryFields) GetWebServerCertificate() string

func (ServerEntryFields) GetWebServerPort

func (fields ServerEntryFields) GetWebServerPort() string

func (ServerEntryFields) GetWebServerSecret

func (fields ServerEntryFields) GetWebServerSecret() string

func (ServerEntryFields) HasSignature

func (fields ServerEntryFields) HasSignature() bool

func (ServerEntryFields) RemoveUnsignedFields

func (fields ServerEntryFields) RemoveUnsignedFields()

RemoveUnsignedFields prepares a server entry for signing or signature verification by removing the fields that are not covered by the signature. The JSON marshalling of the remaining fields is the data that is signed, so signer and verifier must produce byte-identical JSON for the same fields; because ServerEntryFields is a map, that determinism presumably rests on encoding/json's sorted map-key ordering.

func (ServerEntryFields) SetLocalSource

func (fields ServerEntryFields) SetLocalSource(source string)

func (ServerEntryFields) SetLocalTimestamp

func (fields ServerEntryFields) SetLocalTimestamp(timestamp string)

func (ServerEntryFields) SetTag

func (fields ServerEntryFields) SetTag(tag string)

SetTag sets a local, derived server entry tag. A tag is an identifier used in server entry pruning and potentially other use cases. An explicit tag, set by the Psiphon Network, may be present in an imported server entry; otherwise, the client sets a derived tag. The tag should be generated using GenerateServerEntryTag. When SetTag finds an explicit tag, the new, derived tag is ignored. The isLocalTag local field is set to distinguish explicit and derived tags and is used in signature verification to determine whether the tag field is part of the signed data: an explicit tag set by the network is covered by the signature, whereas a locally derived tag cannot have been signed and is excluded.

func (ServerEntryFields) ToSignedFields

func (fields ServerEntryFields) ToSignedFields() error

ToSignedFields checks that the entry carries a signature and then calls RemoveUnsignedFields; the result is the set of fields whose JSON marshalling the signature covers.

func (ServerEntryFields) VerifySignature

func (fields ServerEntryFields) VerifySignature(publicKey string) error

VerifySignature verifies, against the given public key, the signature attached by AddSignature.

VerifySignature must be called before using any server entry that is imported from an untrusted source, such as client-to-client exchange, and an entry whose signature fails to verify must be discarded. Note that only the signed fields are authenticated: fields removed by RemoveUnsignedFields, such as a locally derived tag, are not covered by the check.

type SessionTicketExtensionCompat

// SessionTicketExtensionCompat is a defined type over utls.SessionTicketExtension;
// presumably the JSON-decodable form selected by UTLSExtension.Name — confirm
// against GetUTLSExtension.
type SessionTicketExtensionCompat utls.SessionTicketExtension

type SignatureAlgorithmsExtensionCompat

// SignatureAlgorithmsExtensionCompat is a defined type over
// utls.SignatureAlgorithmsExtension; presumably the JSON-decodable form
// selected by UTLSExtension.Name — confirm against GetUTLSExtension.
type SignatureAlgorithmsExtensionCompat utls.SignatureAlgorithmsExtension

type StatusRequestExtensionCompat

// StatusRequestExtensionCompat is a defined type over utls.StatusRequestExtension;
// presumably the JSON-decodable form selected by UTLSExtension.Name — confirm
// against GetUTLSExtension.
type StatusRequestExtensionCompat utls.StatusRequestExtension

type StatusResponse

// StatusResponse is a server response type. The field meanings below are
// inferred from the JSON names only; nothing on this page shows how the
// receiver acts on them — confirm against the caller.
type StatusResponse struct {
	// InvalidServerEntryTags lists server entry tags the server reports as
	// invalid; presumably an input to server entry pruning (see SetTag) — confirm.
	InvalidServerEntryTags []string `json:"invalid_server_entry_tags"`
	// Padding is opaque padding; assumed to be ignored by the receiver — confirm.
	Padding                string   `json:"padding"`
}

type StreamingServerEntryDecoder

type StreamingServerEntryDecoder struct {
	// contains filtered or unexported fields
}

StreamingServerEntryDecoder performs the DecodeServerEntryList operation, loading only one server entry into memory at a time.

func NewStreamingServerEntryDecoder

func NewStreamingServerEntryDecoder(
	encodedServerEntryListReader io.Reader,
	timestamp, serverEntrySource string) *StreamingServerEntryDecoder

NewStreamingServerEntryDecoder creates a new StreamingServerEntryDecoder.

func (*StreamingServerEntryDecoder) Next

Next reads, decodes, and validates the next server entry from the input stream, returning a nil server entry when the stream is complete.

Limitations:

  • Each encoded server entry line cannot exceed bufio.MaxScanTokenSize, the default buffer size this decoder uses (64 KiB). A longer line is not skipped the way an invalid entry is: bufio.Scanner stops with bufio.ErrTooLong, which presumably surfaces as an error from Next and ends decoding of the remainder of the stream.
  • DecodeServerEntry is called on each encoded server entry line, which allocates memory to hex decode and JSON deserialize the server entry. As the decoder does not presently reuse a fixed buffer, each call allocates afresh, and garbage collection is needed to reclaim that memory before it can serve the next server entry.

type SupportedCurvesExtensionCompat

// SupportedCurvesExtensionCompat is a defined type over utls.SupportedCurvesExtension;
// presumably the JSON-decodable form selected by UTLSExtension.Name — confirm
// against GetUTLSExtension.
type SupportedCurvesExtensionCompat utls.SupportedCurvesExtension

type SupportedPointsExtensionCompat

// SupportedPointsExtensionCompat is a defined type over utls.SupportedPointsExtension;
// presumably the JSON-decodable form selected by UTLSExtension.Name — confirm
// against GetUTLSExtension.
type SupportedPointsExtensionCompat utls.SupportedPointsExtension

type SupportedVersionsExtensionCompat

// SupportedVersionsExtensionCompat is a defined type over utls.SupportedVersionsExtension;
// presumably the JSON-decodable form selected by UTLSExtension.Name — confirm
// against GetUTLSExtension.
type SupportedVersionsExtensionCompat utls.SupportedVersionsExtension

type TLSProfiles

// TLSProfiles is a list of TLS profile names. Validate reports, and PruneInvalid
// drops, names that are not recognized; both take caller-supplied custom
// profile names into account (presumably as additional accepted names — confirm).
type TLSProfiles []string

func (TLSProfiles) PruneInvalid

func (profiles TLSProfiles) PruneInvalid(customTLSProfiles []string) TLSProfiles

func (TLSProfiles) Validate

func (profiles TLSProfiles) Validate(customTLSProfiles []string) error

type TunnelProtocolPortLists

// TunnelProtocolPortLists maps a tunnel protocol name (or "All") to a list of
// port number ranges.
type TunnelProtocolPortLists map[string]*common.PortList

TunnelProtocolPortLists is a map from tunnel protocol names (or "All") to a list of port number ranges.

type TunnelProtocols

// TunnelProtocols is a list of tunnel protocol names. Validate reports, and
// PruneInvalid drops, names that are not recognized; OnlyInproxyTunnelProtocols
// presumably filters the list down to the in-proxy variants — confirm.
type TunnelProtocols []string

func (TunnelProtocols) OnlyInproxyTunnelProtocols

func (t TunnelProtocols) OnlyInproxyTunnelProtocols() TunnelProtocols

func (TunnelProtocols) PruneInvalid

func (t TunnelProtocols) PruneInvalid() TunnelProtocols

func (TunnelProtocols) Validate

func (t TunnelProtocols) Validate() error

type UTLSExtension

// UTLSExtension names one utls.TLSExtension implementation and carries its
// raw JSON configuration; GetUTLSExtension produces the concrete value.
type UTLSExtension struct {
	// Name selects which utls.TLSExtension concrete implementation to instantiate.
	Name string
	// Data is the extension's JSON-encoded configuration, left undecoded until
	// GetUTLSExtension runs (presumably decoded into the matching *Compat type — confirm).
	Data json.RawMessage
}

UTLSExtension specifies, by Name, one of the several utls.TLSExtension concrete implementations, with Data holding that extension's JSON-encoded configuration.

func (*UTLSExtension) GetUTLSExtension

func (e *UTLSExtension) GetUTLSExtension() (utls.TLSExtension, error)

GetUTLSExtension instantiates the specified utls.TLSExtension concrete implementation.

type UTLSSpec

// UTLSSpec is the serializable description of a utls.ClientHelloSpec: TLS
// version bounds, offered cipher suites and compression methods, the extension
// list, and a session ID setting.
type UTLSSpec struct {
	// TLSVersMin and TLSVersMax bound the TLS versions offered, as uint16
	// protocol version codes (the utls representation).
	TLSVersMin         uint16
	TLSVersMax         uint16
	// CipherSuites are the cipher suite codes offered; presumably in the order
	// written, as the ClientHello order is observable on the wire — confirm.
	CipherSuites       []uint16
	// CompressionMethods are the compression method codes offered.
	CompressionMethods []uint8
	// Extensions are the ClientHello extensions; each is resolved to a concrete
	// utls.TLSExtension via UTLSExtension.GetUTLSExtension.
	Extensions         []*UTLSExtension
	// GetSessionID selects how the session ID is produced; the accepted values
	// are not shown here — TODO confirm against utls.ClientHelloSpec.GetSessionID.
	GetSessionID       string
}

UTLSSpec specifies a utls.ClientHelloSpec.

type UtlsCompressCertExtensionCompat

// UtlsCompressCertExtensionCompat is a defined type over utls.UtlsCompressCertExtension;
// presumably the JSON-decodable form selected by UTLSExtension.Name — confirm
// against GetUTLSExtension.
type UtlsCompressCertExtensionCompat utls.UtlsCompressCertExtension

type UtlsGREASEExtensionCompat

// UtlsGREASEExtensionCompat is a defined type over utls.UtlsGREASEExtension;
// presumably the JSON-decodable form selected by UTLSExtension.Name — confirm
// against GetUTLSExtension.
type UtlsGREASEExtensionCompat utls.UtlsGREASEExtension

type UtlsPaddingExtensionCompat

// UtlsPaddingExtensionCompat is a defined type over utls.UtlsPaddingExtension;
// presumably the JSON-decodable form selected by UTLSExtension.Name — confirm
// against GetUTLSExtension.
type UtlsPaddingExtensionCompat utls.UtlsPaddingExtension
