func pavePsinetDatabaseFile(t *testing.T, psinetFilename string) (string, string) { sponsorID, _ := common.MakeRandomStringHex(8) fakeDomain, _ := common.MakeRandomStringHex(4) fakePath, _ := common.MakeRandomStringHex(4) expectedHomepageURL := fmt.Sprintf("https://%s.com/%s", fakeDomain, fakePath) psinetJSONFormat := ` { "sponsors": { "%s": { "home_pages": { "None": [ { "region": null, "url": "%s" } ] } } } } ` psinetJSON := fmt.Sprintf(psinetJSONFormat, sponsorID, expectedHomepageURL) err := ioutil.WriteFile(psinetFilename, []byte(psinetJSON), 0600) if err != nil { t.Fatalf("error paving psinet database file: %s", err) } return sponsorID, expectedHomepageURL }
// GenerateConfig creates a new Psiphon server config. It returns JSON // encoded configs and a client-compatible "server entry" for the server. It // generates all necessary secrets and key material, which are emitted in // the config file and server entry as necessary. // GenerateConfig uses sample values for many fields. The intention is for // generated configs to be used for testing or as a template for production // setup, not to generate production-ready configurations. func GenerateConfig(params *GenerateConfigParams) ([]byte, []byte, []byte, error) { // Input validation if net.ParseIP(params.ServerIPAddress) == nil { return nil, nil, nil, common.ContextError(errors.New("invalid IP address")) } if len(params.TunnelProtocolPorts) == 0 { return nil, nil, nil, common.ContextError(errors.New("no tunnel protocols")) } usedPort := make(map[int]bool) if params.WebServerPort != 0 { usedPort[params.WebServerPort] = true } usingMeek := false for protocol, port := range params.TunnelProtocolPorts { if !common.Contains(common.SupportedTunnelProtocols, protocol) { return nil, nil, nil, common.ContextError(errors.New("invalid tunnel protocol")) } if usedPort[port] { return nil, nil, nil, common.ContextError(errors.New("duplicate listening port")) } usedPort[port] = true if common.TunnelProtocolUsesMeekHTTP(protocol) || common.TunnelProtocolUsesMeekHTTPS(protocol) { usingMeek = true } } // Web server config var webServerSecret, webServerCertificate, webServerPrivateKey, webServerPortForwardAddress string if params.WebServerPort != 0 { var err error webServerSecret, err = common.MakeRandomStringHex(WEB_SERVER_SECRET_BYTE_LENGTH) if err != nil { return nil, nil, nil, common.ContextError(err) } webServerCertificate, webServerPrivateKey, err = GenerateWebServerCertificate("") if err != nil { return nil, nil, nil, common.ContextError(err) } webServerPortForwardAddress = net.JoinHostPort( params.ServerIPAddress, strconv.Itoa(params.WebServerPort)) } // SSH config // TODO: use other key types: anti-fingerprint by varying params rsaKey, err := rsa.GenerateKey(rand.Reader, SSH_RSA_HOST_KEY_BITS) if err != nil { return nil, nil, nil, common.ContextError(err) } sshPrivateKey := pem.EncodeToMemory( &pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rsaKey), }, ) signer, err := ssh.NewSignerFromKey(rsaKey) if err != nil { return nil, nil, nil, common.ContextError(err) } sshPublicKey := signer.PublicKey() sshUserNameSuffix, err := common.MakeRandomStringHex(SSH_USERNAME_SUFFIX_BYTE_LENGTH) if err != nil { return nil, nil, nil, common.ContextError(err) } sshUserName := "******" + sshUserNameSuffix sshPassword, err := common.MakeRandomStringHex(SSH_PASSWORD_BYTE_LENGTH) if err != nil { return nil, nil, nil, common.ContextError(err) } // TODO: vary version string for anti-fingerprint sshServerVersion := "SSH-2.0-Psiphon" // Obfuscated SSH config obfuscatedSSHKey, err := common.MakeRandomStringHex(SSH_OBFUSCATED_KEY_BYTE_LENGTH) if err != nil { return nil, nil, nil, common.ContextError(err) } // Meek config var meekCookieEncryptionPublicKey, meekCookieEncryptionPrivateKey, meekObfuscatedKey string if usingMeek { rawMeekCookieEncryptionPublicKey, rawMeekCookieEncryptionPrivateKey, err := box.GenerateKey(rand.Reader) if err != nil { return nil, nil, nil, common.ContextError(err) } meekCookieEncryptionPublicKey = base64.StdEncoding.EncodeToString(rawMeekCookieEncryptionPublicKey[:]) meekCookieEncryptionPrivateKey = base64.StdEncoding.EncodeToString(rawMeekCookieEncryptionPrivateKey[:]) meekObfuscatedKey, err = common.MakeRandomStringHex(SSH_OBFUSCATED_KEY_BYTE_LENGTH) if err != nil { return nil, nil, nil, common.ContextError(err) } } // Other config discoveryValueHMACKey, err := common.MakeRandomStringBase64(DISCOVERY_VALUE_KEY_BYTE_LENGTH) if err != nil { return nil, nil, nil, common.ContextError(err) } // Assemble configs and server entry // Note: this config is intended for either testing or as an illustrative // example or template and is not intended for production deployment. config := &Config{ LogLevel: "info", LogFilename: params.LogFilename, GeoIPDatabaseFilenames: nil, HostID: "example-host-id", ServerIPAddress: params.ServerIPAddress, DiscoveryValueHMACKey: discoveryValueHMACKey, WebServerPort: params.WebServerPort, WebServerSecret: webServerSecret, WebServerCertificate: webServerCertificate, WebServerPrivateKey: webServerPrivateKey, WebServerPortForwardAddress: webServerPortForwardAddress, SSHPrivateKey: string(sshPrivateKey), SSHServerVersion: sshServerVersion, SSHUserName: sshUserName, SSHPassword: sshPassword, ObfuscatedSSHKey: obfuscatedSSHKey, TunnelProtocolPorts: params.TunnelProtocolPorts, DNSResolverIPAddress: "8.8.8.8", UDPInterceptUdpgwServerAddress: "127.0.0.1:7300", MeekCookieEncryptionPrivateKey: meekCookieEncryptionPrivateKey, MeekObfuscatedKey: meekObfuscatedKey, MeekCertificateCommonName: "www.example.org", MeekProhibitedHeaders: nil, MeekProxyForwardedForHeaders: []string{"X-Forwarded-For"}, LoadMonitorPeriodSeconds: 300, TrafficRulesFilename: params.TrafficRulesFilename, } encodedConfig, err := json.MarshalIndent(config, "\n", " ") if err != nil { return nil, nil, nil, common.ContextError(err) } intPtr := func(i int) *int { return &i } trafficRulesSet := &TrafficRulesSet{ DefaultRules: TrafficRules{ RateLimits: RateLimits{ ReadUnthrottledBytes: new(int64), ReadBytesPerSecond: new(int64), WriteUnthrottledBytes: new(int64), WriteBytesPerSecond: new(int64), }, IdleTCPPortForwardTimeoutMilliseconds: intPtr(DEFAULT_IDLE_TCP_PORT_FORWARD_TIMEOUT_MILLISECONDS), IdleUDPPortForwardTimeoutMilliseconds: intPtr(DEFAULT_IDLE_UDP_PORT_FORWARD_TIMEOUT_MILLISECONDS), MaxTCPPortForwardCount: intPtr(DEFAULT_MAX_TCP_PORT_FORWARD_COUNT), MaxUDPPortForwardCount: intPtr(DEFAULT_MAX_UDP_PORT_FORWARD_COUNT), AllowTCPPorts: nil, AllowUDPPorts: nil, }, } encodedTrafficRulesSet, err := json.MarshalIndent(trafficRulesSet, "\n", " ") if err != nil { return nil, nil, nil, common.ContextError(err) } capabilities := []string{} if params.EnableSSHAPIRequests { capabilities = append(capabilities, common.CAPABILITY_SSH_API_REQUESTS) } if params.WebServerPort != 0 { capabilities = append(capabilities, common.CAPABILITY_UNTUNNELED_WEB_API_REQUESTS) } for protocol, _ := range params.TunnelProtocolPorts { capabilities = append(capabilities, psiphon.GetCapability(protocol)) } sshPort := params.TunnelProtocolPorts["SSH"] obfuscatedSSHPort := params.TunnelProtocolPorts["OSSH"] // Meek port limitations // - fronted meek protocols are hard-wired in the client to be port 443 or 80. // - only one other meek port may be specified. meekPort := params.TunnelProtocolPorts["UNFRONTED-MEEK-OSSH"] if meekPort == 0 { meekPort = params.TunnelProtocolPorts["UNFRONTED-MEEK-HTTPS-OSSH"] } // Note: fronting params are a stub; this server entry will exercise // client and server fronting code paths, but not actually traverse // a fronting hop. serverEntryWebServerPort := "" strippedWebServerCertificate := "" if params.WebServerPort != 0 { serverEntryWebServerPort = fmt.Sprintf("%d", params.WebServerPort) // Server entry format omits the BEGIN/END lines and newlines lines := strings.Split(webServerCertificate, "\n") strippedWebServerCertificate = strings.Join(lines[1:len(lines)-2], "") } serverEntry := &psiphon.ServerEntry{ IpAddress: params.ServerIPAddress, WebServerPort: serverEntryWebServerPort, WebServerSecret: webServerSecret, WebServerCertificate: strippedWebServerCertificate, SshPort: sshPort, SshUsername: sshUserName, SshPassword: sshPassword, SshHostKey: base64.RawStdEncoding.EncodeToString(sshPublicKey.Marshal()), SshObfuscatedPort: obfuscatedSSHPort, SshObfuscatedKey: obfuscatedSSHKey, Capabilities: capabilities, Region: "US", MeekServerPort: meekPort, MeekCookieEncryptionPublicKey: meekCookieEncryptionPublicKey, MeekObfuscatedKey: meekObfuscatedKey, MeekFrontingHosts: []string{params.ServerIPAddress}, MeekFrontingAddresses: []string{params.ServerIPAddress}, MeekFrontingDisableSNI: false, } encodedServerEntry, err := psiphon.EncodeServerEntry(serverEntry) if err != nil { return nil, nil, nil, common.ContextError(err) } return encodedConfig, encodedTrafficRulesSet, []byte(encodedServerEntry), nil }
func paveOSLConfigFile(t *testing.T, oslConfigFilename string) string { oslConfigJSONFormat := ` { "Schemes" : [ { "Epoch" : "%s", "Regions" : [], "PropagationChannelIDs" : ["%s"], "MasterKey" : "wFuSbqU/pJ/35vRmoM8T9ys1PgDa8uzJps1Y+FNKa5U=", "SeedSpecs" : [ { "ID" : "IXHWfVgWFkEKvgqsjmnJuN3FpaGuCzQMETya+DSQvsk=", "UpstreamSubnets" : ["0.0.0.0/0"], "Targets" : { "BytesRead" : 1, "BytesWritten" : 1, "PortForwardDurationNanoseconds" : 1 } }, { "ID" : "qvpIcORLE2Pi5TZmqRtVkEp+OKov0MhfsYPLNV7FYtI=", "UpstreamSubnets" : ["0.0.0.0/0"], "Targets" : { "BytesRead" : 1, "BytesWritten" : 1, "PortForwardDurationNanoseconds" : 1 } } ], "SeedSpecThreshold" : 2, "SeedPeriodNanoseconds" : 10000000000, "SeedPeriodKeySplits": [ { "Total": 2, "Threshold": 2 } ] } ] } ` propagationChannelID, _ := common.MakeRandomStringHex(8) now := time.Now().UTC() epoch := now.Truncate(10 * time.Second) epochStr := epoch.Format(time.RFC3339Nano) oslConfigJSON := fmt.Sprintf( oslConfigJSONFormat, epochStr, propagationChannelID) err := ioutil.WriteFile(oslConfigFilename, []byte(oslConfigJSON), 0600) if err != nil { t.Fatalf("error paving osl config file: %s", err) } return propagationChannelID }
func TestObfuscatedRemoteServerLists(t *testing.T) { testDataDirName, err := ioutil.TempDir("", "psiphon-remote-server-list-test") if err != nil { t.Fatalf("TempDir failed: %s", err) } defer os.RemoveAll(testDataDirName) // // create a server // serverIPaddress := "" for _, interfaceName := range []string{"eth0", "en0"} { serverIPaddress, err = common.GetInterfaceIPAddress(interfaceName) if err == nil { break } } if err != nil { t.Fatalf("error getting server IP address: %s", err) } serverConfigJSON, _, encodedServerEntry, err := server.GenerateConfig( &server.GenerateConfigParams{ ServerIPAddress: serverIPaddress, EnableSSHAPIRequests: true, WebServerPort: 8001, TunnelProtocolPorts: map[string]int{"OSSH": 4001}, }) if err != nil { t.Fatalf("error generating server config: %s", err) } // // pave OSLs // oslConfigJSONTemplate := ` { "Schemes" : [ { "Epoch" : "%s", "Regions" : [], "PropagationChannelIDs" : ["%s"], "MasterKey" : "vwab2WY3eNyMBpyFVPtsivMxF4MOpNHM/T7rHJIXctg=", "SeedSpecs" : [ { "ID" : "KuP2V6gLcROIFzb/27fUVu4SxtEfm2omUoISlrWv1mA=", "UpstreamSubnets" : ["0.0.0.0/0"], "Targets" : { "BytesRead" : 1, "BytesWritten" : 1, "PortForwardDurationNanoseconds" : 1 } } ], "SeedSpecThreshold" : 1, "SeedPeriodNanoseconds" : %d, "SeedPeriodKeySplits": [ { "Total": 1, "Threshold": 1 } ] } ] }` now := time.Now().UTC() seedPeriod := 24 * time.Hour epoch := now.Truncate(seedPeriod) epochStr := epoch.Format(time.RFC3339Nano) propagationChannelID, _ := common.MakeRandomStringHex(8) oslConfigJSON := fmt.Sprintf( oslConfigJSONTemplate, epochStr, propagationChannelID, seedPeriod) oslConfig, err := osl.LoadConfig([]byte(oslConfigJSON)) if err != nil { t.Fatalf("error loading OSL config: %s", err) } signingPublicKey, signingPrivateKey, err := common.GenerateAuthenticatedDataPackageKeys() if err != nil { t.Fatalf("error generating package keys: %s", err) } paveFiles, err := oslConfig.Pave( epoch, propagationChannelID, signingPublicKey, signingPrivateKey, []map[time.Time]string{ map[time.Time]string{ epoch: string(encodedServerEntry), }, }) if err != nil { t.Fatalf("error paving OSL files: %s", err) } // // mock seeding SLOKs // singleton = dataStore{} os.Remove(filepath.Join(testDataDirName, DATA_STORE_FILENAME)) err = InitDataStore(&Config{DataStoreDirectory: testDataDirName}) if err != nil { t.Fatalf("error initializing client datastore: %s", err) } if CountServerEntries("", "") > 0 { t.Fatalf("unexpected server entries") } seedState := oslConfig.NewClientSeedState("", propagationChannelID, nil) seedPortForward := seedState.NewClientSeedPortForward(net.ParseIP("0.0.0.0")) seedPortForward.UpdateProgress(1, 1, 1) payload := seedState.GetSeedPayload() if len(payload.SLOKs) != 1 { t.Fatalf("expected 1 SLOKs, got %d", len(payload.SLOKs)) } SetSLOK(payload.SLOKs[0].ID, payload.SLOKs[0].Key) // // run mock remote server list host // remoteServerListHostAddress := net.JoinHostPort(serverIPaddress, "8081") // The common remote server list fetches will 404 remoteServerListURL := fmt.Sprintf("http://%s/server_list_compressed", remoteServerListHostAddress) remoteServerListDownloadFilename := filepath.Join(testDataDirName, "server_list_compressed") obfuscatedServerListRootURL := fmt.Sprintf("http://%s/", remoteServerListHostAddress) obfuscatedServerListDownloadDirectory := testDataDirName go func() { startTime := time.Now() serveMux := http.NewServeMux() for _, paveFile := range paveFiles { file := paveFile serveMux.HandleFunc("/"+file.Name, func(w http.ResponseWriter, req *http.Request) { md5sum := md5.Sum(file.Contents) w.Header().Add("Content-Type", "application/octet-stream") w.Header().Add("ETag", hex.EncodeToString(md5sum[:])) http.ServeContent(w, req, file.Name, startTime, bytes.NewReader(file.Contents)) }) } httpServer := &http.Server{ Addr: remoteServerListHostAddress, Handler: serveMux, } err := httpServer.ListenAndServe() if err != nil { // TODO: wrong goroutine for t.FatalNow() t.Fatalf("error running remote server list host: %s", err) } }() // // run Psiphon server // go func() { err := server.RunServices(serverConfigJSON) if err != nil { // TODO: wrong goroutine for t.FatalNow() t.Fatalf("error running server: %s", err) } }() // // disrupt remote server list downloads // disruptorProxyAddress := "127.0.0.1:2162" disruptorProxyURL := "socks4a://" + disruptorProxyAddress go func() { listener, err := socks.ListenSocks("tcp", disruptorProxyAddress) if err != nil { fmt.Errorf("disruptor proxy listen error: %s", err) return } for { localConn, err := listener.AcceptSocks() if err != nil { fmt.Errorf("disruptor proxy accept error: %s", err) return } go func() { remoteConn, err := net.Dial("tcp", localConn.Req.Target) if err != nil { fmt.Errorf("disruptor proxy dial error: %s", err) return } err = localConn.Grant(&net.TCPAddr{IP: net.ParseIP("0.0.0.0"), Port: 0}) if err != nil { fmt.Errorf("disruptor proxy grant error: %s", err) return } waitGroup := new(sync.WaitGroup) waitGroup.Add(1) go func() { defer waitGroup.Done() io.Copy(remoteConn, localConn) }() if localConn.Req.Target == remoteServerListHostAddress { io.CopyN(localConn, remoteConn, 500) } else { io.Copy(localConn, remoteConn) } localConn.Close() remoteConn.Close() waitGroup.Wait() }() } }() // // connect to Psiphon server with Psiphon client // SetEmitDiagnosticNotices(true) // Note: calling LoadConfig ensures all *int config fields are initialized clientConfigJSONTemplate := ` { "ClientPlatform" : "", "ClientVersion" : "0", "SponsorId" : "0", "PropagationChannelId" : "0", "ConnectionPoolSize" : 1, "EstablishTunnelPausePeriodSeconds" : 1, "FetchRemoteServerListRetryPeriodSeconds" : 1, "RemoteServerListSignaturePublicKey" : "%s", "RemoteServerListUrl" : "%s", "RemoteServerListDownloadFilename" : "%s", "ObfuscatedServerListRootURL" : "%s", "ObfuscatedServerListDownloadDirectory" : "%s", "UpstreamProxyUrl" : "%s" }` clientConfigJSON := fmt.Sprintf( clientConfigJSONTemplate, signingPublicKey, remoteServerListURL, remoteServerListDownloadFilename, obfuscatedServerListRootURL, obfuscatedServerListDownloadDirectory, disruptorProxyURL) clientConfig, _ := LoadConfig([]byte(clientConfigJSON)) controller, err := NewController(clientConfig) if err != nil { t.Fatalf("error creating client controller: %s", err) } tunnelEstablished := make(chan struct{}, 1) SetNoticeOutput(NewNoticeReceiver( func(notice []byte) { noticeType, payload, err := GetNotice(notice) if err != nil { return } printNotice := false switch noticeType { case "Tunnels": printNotice = true count := int(payload["count"].(float64)) if count == 1 { tunnelEstablished <- *new(struct{}) } case "RemoteServerListResourceDownloadedBytes": // TODO: check for resumed download for each URL //url := payload["url"].(string) printNotice = true case "RemoteServerListResourceDownloaded": printNotice = true } if printNotice { fmt.Printf("%s\n", string(notice)) } })) go func() { controller.Run(make(chan struct{})) }() establishTimeout := time.NewTimer(30 * time.Second) select { case <-tunnelEstablished: case <-establishTimeout.C: t.Fatalf("tunnel establish timeout exceeded") } for _, paveFile := range paveFiles { u, _ := url.Parse(obfuscatedServerListRootURL) u.Path = path.Join(u.Path, paveFile.Name) etag, _ := GetUrlETag(u.String()) md5sum := md5.Sum(paveFile.Contents) if etag != hex.EncodeToString(md5sum[:]) { t.Fatalf("unexpected ETag for %s", u) } } }