func pavePsinetDatabaseFile(t *testing.T, psinetFilename string) (string, string) {
sponsorID, _ := common.MakeRandomStringHex(8)
fakeDomain, _ := common.MakeRandomStringHex(4)
fakePath, _ := common.MakeRandomStringHex(4)
expectedHomepageURL := fmt.Sprintf("https://%s.com/%s", fakeDomain, fakePath)
psinetJSONFormat := `
{
"sponsors": {
"%s": {
"home_pages": {
"None": [
{
"region": null,
"url": "%s"
}
]
}
}
}
}
`
psinetJSON := fmt.Sprintf(psinetJSONFormat, sponsorID, expectedHomepageURL)
err := ioutil.WriteFile(psinetFilename, []byte(psinetJSON), 0600)
if err != nil {
t.Fatalf("error paving psinet database file: %s", err)
}
return sponsorID, expectedHomepageURL
}
// GenerateConfig creates a new Psiphon server config. It returns JSON
// encoded configs and a client-compatible "server entry" for the server. It
// generates all necessary secrets and key material, which are emitted in
// the config file and server entry as necessary.
// GenerateConfig uses sample values for many fields. The intention is for
// generated configs to be used for testing or as a template for production
// setup, not to generate production-ready configurations.
func GenerateConfig(params *GenerateConfigParams) ([]byte, []byte, []byte, error) {
// Input validation
if net.ParseIP(params.ServerIPAddress) == nil {
return nil, nil, nil, common.ContextError(errors.New("invalid IP address"))
}
if len(params.TunnelProtocolPorts) == 0 {
return nil, nil, nil, common.ContextError(errors.New("no tunnel protocols"))
}
usedPort := make(map[int]bool)
if params.WebServerPort != 0 {
usedPort[params.WebServerPort] = true
}
usingMeek := false
for protocol, port := range params.TunnelProtocolPorts {
if !common.Contains(common.SupportedTunnelProtocols, protocol) {
return nil, nil, nil, common.ContextError(errors.New("invalid tunnel protocol"))
}
if usedPort[port] {
return nil, nil, nil, common.ContextError(errors.New("duplicate listening port"))
}
usedPort[port] = true
if common.TunnelProtocolUsesMeekHTTP(protocol) ||
common.TunnelProtocolUsesMeekHTTPS(protocol) {
usingMeek = true
}
}
// Web server config
var webServerSecret, webServerCertificate,
webServerPrivateKey, webServerPortForwardAddress string
if params.WebServerPort != 0 {
var err error
webServerSecret, err = common.MakeRandomStringHex(WEB_SERVER_SECRET_BYTE_LENGTH)
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
webServerCertificate, webServerPrivateKey, err = GenerateWebServerCertificate("")
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
webServerPortForwardAddress = net.JoinHostPort(
params.ServerIPAddress, strconv.Itoa(params.WebServerPort))
}
// SSH config
// TODO: use other key types: anti-fingerprint by varying params
rsaKey, err := rsa.GenerateKey(rand.Reader, SSH_RSA_HOST_KEY_BITS)
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
sshPrivateKey := pem.EncodeToMemory(
&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(rsaKey),
},
)
signer, err := ssh.NewSignerFromKey(rsaKey)
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
sshPublicKey := signer.PublicKey()
sshUserNameSuffix, err := common.MakeRandomStringHex(SSH_USERNAME_SUFFIX_BYTE_LENGTH)
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
sshUserName := "******" + sshUserNameSuffix
sshPassword, err := common.MakeRandomStringHex(SSH_PASSWORD_BYTE_LENGTH)
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
// TODO: vary version string for anti-fingerprint
sshServerVersion := "SSH-2.0-Psiphon"
// Obfuscated SSH config
obfuscatedSSHKey, err := common.MakeRandomStringHex(SSH_OBFUSCATED_KEY_BYTE_LENGTH)
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
// Meek config
var meekCookieEncryptionPublicKey, meekCookieEncryptionPrivateKey, meekObfuscatedKey string
if usingMeek {
rawMeekCookieEncryptionPublicKey, rawMeekCookieEncryptionPrivateKey, err :=
box.GenerateKey(rand.Reader)
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
meekCookieEncryptionPublicKey = base64.StdEncoding.EncodeToString(rawMeekCookieEncryptionPublicKey[:])
meekCookieEncryptionPrivateKey = base64.StdEncoding.EncodeToString(rawMeekCookieEncryptionPrivateKey[:])
meekObfuscatedKey, err = common.MakeRandomStringHex(SSH_OBFUSCATED_KEY_BYTE_LENGTH)
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
}
// Other config
discoveryValueHMACKey, err := common.MakeRandomStringBase64(DISCOVERY_VALUE_KEY_BYTE_LENGTH)
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
// Assemble configs and server entry
// Note: this config is intended for either testing or as an illustrative
// example or template and is not intended for production deployment.
config := &Config{
LogLevel: "info",
LogFilename: params.LogFilename,
GeoIPDatabaseFilenames: nil,
HostID: "example-host-id",
ServerIPAddress: params.ServerIPAddress,
DiscoveryValueHMACKey: discoveryValueHMACKey,
WebServerPort: params.WebServerPort,
WebServerSecret: webServerSecret,
WebServerCertificate: webServerCertificate,
WebServerPrivateKey: webServerPrivateKey,
WebServerPortForwardAddress: webServerPortForwardAddress,
SSHPrivateKey: string(sshPrivateKey),
SSHServerVersion: sshServerVersion,
SSHUserName: sshUserName,
SSHPassword: sshPassword,
ObfuscatedSSHKey: obfuscatedSSHKey,
TunnelProtocolPorts: params.TunnelProtocolPorts,
DNSResolverIPAddress: "8.8.8.8",
UDPInterceptUdpgwServerAddress: "127.0.0.1:7300",
MeekCookieEncryptionPrivateKey: meekCookieEncryptionPrivateKey,
MeekObfuscatedKey: meekObfuscatedKey,
MeekCertificateCommonName: "www.example.org",
MeekProhibitedHeaders: nil,
MeekProxyForwardedForHeaders: []string{"X-Forwarded-For"},
LoadMonitorPeriodSeconds: 300,
TrafficRulesFilename: params.TrafficRulesFilename,
}
encodedConfig, err := json.MarshalIndent(config, "\n", " ")
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
intPtr := func(i int) *int {
return &i
}
trafficRulesSet := &TrafficRulesSet{
DefaultRules: TrafficRules{
RateLimits: RateLimits{
ReadUnthrottledBytes: new(int64),
ReadBytesPerSecond: new(int64),
WriteUnthrottledBytes: new(int64),
WriteBytesPerSecond: new(int64),
},
IdleTCPPortForwardTimeoutMilliseconds: intPtr(DEFAULT_IDLE_TCP_PORT_FORWARD_TIMEOUT_MILLISECONDS),
IdleUDPPortForwardTimeoutMilliseconds: intPtr(DEFAULT_IDLE_UDP_PORT_FORWARD_TIMEOUT_MILLISECONDS),
MaxTCPPortForwardCount: intPtr(DEFAULT_MAX_TCP_PORT_FORWARD_COUNT),
MaxUDPPortForwardCount: intPtr(DEFAULT_MAX_UDP_PORT_FORWARD_COUNT),
AllowTCPPorts: nil,
AllowUDPPorts: nil,
},
}
encodedTrafficRulesSet, err := json.MarshalIndent(trafficRulesSet, "\n", " ")
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
capabilities := []string{}
if params.EnableSSHAPIRequests {
capabilities = append(capabilities, common.CAPABILITY_SSH_API_REQUESTS)
}
if params.WebServerPort != 0 {
capabilities = append(capabilities, common.CAPABILITY_UNTUNNELED_WEB_API_REQUESTS)
}
for protocol, _ := range params.TunnelProtocolPorts {
capabilities = append(capabilities, psiphon.GetCapability(protocol))
}
sshPort := params.TunnelProtocolPorts["SSH"]
obfuscatedSSHPort := params.TunnelProtocolPorts["OSSH"]
// Meek port limitations
// - fronted meek protocols are hard-wired in the client to be port 443 or 80.
// - only one other meek port may be specified.
meekPort := params.TunnelProtocolPorts["UNFRONTED-MEEK-OSSH"]
if meekPort == 0 {
meekPort = params.TunnelProtocolPorts["UNFRONTED-MEEK-HTTPS-OSSH"]
}
// Note: fronting params are a stub; this server entry will exercise
// client and server fronting code paths, but not actually traverse
// a fronting hop.
serverEntryWebServerPort := ""
strippedWebServerCertificate := ""
if params.WebServerPort != 0 {
serverEntryWebServerPort = fmt.Sprintf("%d", params.WebServerPort)
// Server entry format omits the BEGIN/END lines and newlines
lines := strings.Split(webServerCertificate, "\n")
strippedWebServerCertificate = strings.Join(lines[1:len(lines)-2], "")
}
serverEntry := &psiphon.ServerEntry{
IpAddress: params.ServerIPAddress,
WebServerPort: serverEntryWebServerPort,
WebServerSecret: webServerSecret,
WebServerCertificate: strippedWebServerCertificate,
SshPort: sshPort,
SshUsername: sshUserName,
SshPassword: sshPassword,
SshHostKey: base64.RawStdEncoding.EncodeToString(sshPublicKey.Marshal()),
SshObfuscatedPort: obfuscatedSSHPort,
SshObfuscatedKey: obfuscatedSSHKey,
Capabilities: capabilities,
Region: "US",
MeekServerPort: meekPort,
MeekCookieEncryptionPublicKey: meekCookieEncryptionPublicKey,
MeekObfuscatedKey: meekObfuscatedKey,
MeekFrontingHosts: []string{params.ServerIPAddress},
MeekFrontingAddresses: []string{params.ServerIPAddress},
MeekFrontingDisableSNI: false,
}
encodedServerEntry, err := psiphon.EncodeServerEntry(serverEntry)
if err != nil {
return nil, nil, nil, common.ContextError(err)
}
return encodedConfig, encodedTrafficRulesSet, []byte(encodedServerEntry), nil
}
func paveOSLConfigFile(t *testing.T, oslConfigFilename string) string {
oslConfigJSONFormat := `
{
"Schemes" : [
{
"Epoch" : "%s",
"Regions" : [],
"PropagationChannelIDs" : ["%s"],
"MasterKey" : "wFuSbqU/pJ/35vRmoM8T9ys1PgDa8uzJps1Y+FNKa5U=",
"SeedSpecs" : [
{
"ID" : "IXHWfVgWFkEKvgqsjmnJuN3FpaGuCzQMETya+DSQvsk=",
"UpstreamSubnets" : ["0.0.0.0/0"],
"Targets" :
{
"BytesRead" : 1,
"BytesWritten" : 1,
"PortForwardDurationNanoseconds" : 1
}
},
{
"ID" : "qvpIcORLE2Pi5TZmqRtVkEp+OKov0MhfsYPLNV7FYtI=",
"UpstreamSubnets" : ["0.0.0.0/0"],
"Targets" :
{
"BytesRead" : 1,
"BytesWritten" : 1,
"PortForwardDurationNanoseconds" : 1
}
}
],
"SeedSpecThreshold" : 2,
"SeedPeriodNanoseconds" : 10000000000,
"SeedPeriodKeySplits": [
{
"Total": 2,
"Threshold": 2
}
]
}
]
}
`
propagationChannelID, _ := common.MakeRandomStringHex(8)
now := time.Now().UTC()
epoch := now.Truncate(10 * time.Second)
epochStr := epoch.Format(time.RFC3339Nano)
oslConfigJSON := fmt.Sprintf(
oslConfigJSONFormat, epochStr, propagationChannelID)
err := ioutil.WriteFile(oslConfigFilename, []byte(oslConfigJSON), 0600)
if err != nil {
t.Fatalf("error paving osl config file: %s", err)
}
return propagationChannelID
}
func TestObfuscatedRemoteServerLists(t *testing.T) {
testDataDirName, err := ioutil.TempDir("", "psiphon-remote-server-list-test")
if err != nil {
t.Fatalf("TempDir failed: %s", err)
}
defer os.RemoveAll(testDataDirName)
//
// create a server
//
serverIPaddress := ""
for _, interfaceName := range []string{"eth0", "en0"} {
serverIPaddress, err = common.GetInterfaceIPAddress(interfaceName)
if err == nil {
break
}
}
if err != nil {
t.Fatalf("error getting server IP address: %s", err)
}
serverConfigJSON, _, encodedServerEntry, err := server.GenerateConfig(
&server.GenerateConfigParams{
ServerIPAddress: serverIPaddress,
EnableSSHAPIRequests: true,
WebServerPort: 8001,
TunnelProtocolPorts: map[string]int{"OSSH": 4001},
})
if err != nil {
t.Fatalf("error generating server config: %s", err)
}
//
// pave OSLs
//
oslConfigJSONTemplate := `
{
"Schemes" : [
{
"Epoch" : "%s",
"Regions" : [],
"PropagationChannelIDs" : ["%s"],
"MasterKey" : "vwab2WY3eNyMBpyFVPtsivMxF4MOpNHM/T7rHJIXctg=",
"SeedSpecs" : [
{
"ID" : "KuP2V6gLcROIFzb/27fUVu4SxtEfm2omUoISlrWv1mA=",
"UpstreamSubnets" : ["0.0.0.0/0"],
"Targets" :
{
"BytesRead" : 1,
"BytesWritten" : 1,
"PortForwardDurationNanoseconds" : 1
}
}
],
"SeedSpecThreshold" : 1,
"SeedPeriodNanoseconds" : %d,
"SeedPeriodKeySplits": [
{
"Total": 1,
"Threshold": 1
}
]
}
]
}`
now := time.Now().UTC()
seedPeriod := 24 * time.Hour
epoch := now.Truncate(seedPeriod)
epochStr := epoch.Format(time.RFC3339Nano)
propagationChannelID, _ := common.MakeRandomStringHex(8)
oslConfigJSON := fmt.Sprintf(
oslConfigJSONTemplate,
epochStr,
propagationChannelID,
seedPeriod)
oslConfig, err := osl.LoadConfig([]byte(oslConfigJSON))
if err != nil {
t.Fatalf("error loading OSL config: %s", err)
}
signingPublicKey, signingPrivateKey, err := common.GenerateAuthenticatedDataPackageKeys()
if err != nil {
t.Fatalf("error generating package keys: %s", err)
}
paveFiles, err := oslConfig.Pave(
epoch,
propagationChannelID,
signingPublicKey,
signingPrivateKey,
[]map[time.Time]string{
map[time.Time]string{
epoch: string(encodedServerEntry),
},
})
if err != nil {
t.Fatalf("error paving OSL files: %s", err)
}
//
// mock seeding SLOKs
//
singleton = dataStore{}
os.Remove(filepath.Join(testDataDirName, DATA_STORE_FILENAME))
err = InitDataStore(&Config{DataStoreDirectory: testDataDirName})
if err != nil {
t.Fatalf("error initializing client datastore: %s", err)
}
if CountServerEntries("", "") > 0 {
t.Fatalf("unexpected server entries")
}
seedState := oslConfig.NewClientSeedState("", propagationChannelID, nil)
seedPortForward := seedState.NewClientSeedPortForward(net.ParseIP("0.0.0.0"))
seedPortForward.UpdateProgress(1, 1, 1)
payload := seedState.GetSeedPayload()
if len(payload.SLOKs) != 1 {
t.Fatalf("expected 1 SLOKs, got %d", len(payload.SLOKs))
}
SetSLOK(payload.SLOKs[0].ID, payload.SLOKs[0].Key)
//
// run mock remote server list host
//
remoteServerListHostAddress := net.JoinHostPort(serverIPaddress, "8081")
// The common remote server list fetches will 404
remoteServerListURL := fmt.Sprintf("http://%s/server_list_compressed", remoteServerListHostAddress)
remoteServerListDownloadFilename := filepath.Join(testDataDirName, "server_list_compressed")
obfuscatedServerListRootURL := fmt.Sprintf("http://%s/", remoteServerListHostAddress)
obfuscatedServerListDownloadDirectory := testDataDirName
go func() {
startTime := time.Now()
serveMux := http.NewServeMux()
for _, paveFile := range paveFiles {
file := paveFile
serveMux.HandleFunc("/"+file.Name, func(w http.ResponseWriter, req *http.Request) {
md5sum := md5.Sum(file.Contents)
w.Header().Add("Content-Type", "application/octet-stream")
w.Header().Add("ETag", hex.EncodeToString(md5sum[:]))
http.ServeContent(w, req, file.Name, startTime, bytes.NewReader(file.Contents))
})
}
httpServer := &http.Server{
Addr: remoteServerListHostAddress,
Handler: serveMux,
}
err := httpServer.ListenAndServe()
if err != nil {
// TODO: wrong goroutine for t.FatalNow()
t.Fatalf("error running remote server list host: %s", err)
}
}()
//
// run Psiphon server
//
go func() {
err := server.RunServices(serverConfigJSON)
if err != nil {
// TODO: wrong goroutine for t.FatalNow()
t.Fatalf("error running server: %s", err)
}
}()
//
// disrupt remote server list downloads
//
disruptorProxyAddress := "127.0.0.1:2162"
disruptorProxyURL := "socks4a://" + disruptorProxyAddress
go func() {
listener, err := socks.ListenSocks("tcp", disruptorProxyAddress)
if err != nil {
fmt.Errorf("disruptor proxy listen error: %s", err)
return
}
for {
localConn, err := listener.AcceptSocks()
if err != nil {
fmt.Errorf("disruptor proxy accept error: %s", err)
return
}
go func() {
remoteConn, err := net.Dial("tcp", localConn.Req.Target)
if err != nil {
fmt.Errorf("disruptor proxy dial error: %s", err)
return
}
err = localConn.Grant(&net.TCPAddr{IP: net.ParseIP("0.0.0.0"), Port: 0})
if err != nil {
fmt.Errorf("disruptor proxy grant error: %s", err)
return
}
waitGroup := new(sync.WaitGroup)
waitGroup.Add(1)
go func() {
defer waitGroup.Done()
io.Copy(remoteConn, localConn)
}()
if localConn.Req.Target == remoteServerListHostAddress {
io.CopyN(localConn, remoteConn, 500)
} else {
io.Copy(localConn, remoteConn)
}
localConn.Close()
remoteConn.Close()
waitGroup.Wait()
}()
}
}()
//
// connect to Psiphon server with Psiphon client
//
SetEmitDiagnosticNotices(true)
// Note: calling LoadConfig ensures all *int config fields are initialized
clientConfigJSONTemplate := `
{
"ClientPlatform" : "",
"ClientVersion" : "0",
"SponsorId" : "0",
"PropagationChannelId" : "0",
"ConnectionPoolSize" : 1,
"EstablishTunnelPausePeriodSeconds" : 1,
"FetchRemoteServerListRetryPeriodSeconds" : 1,
"RemoteServerListSignaturePublicKey" : "%s",
"RemoteServerListUrl" : "%s",
"RemoteServerListDownloadFilename" : "%s",
"ObfuscatedServerListRootURL" : "%s",
"ObfuscatedServerListDownloadDirectory" : "%s",
"UpstreamProxyUrl" : "%s"
}`
clientConfigJSON := fmt.Sprintf(
clientConfigJSONTemplate,
signingPublicKey,
remoteServerListURL,
remoteServerListDownloadFilename,
obfuscatedServerListRootURL,
obfuscatedServerListDownloadDirectory,
disruptorProxyURL)
clientConfig, _ := LoadConfig([]byte(clientConfigJSON))
controller, err := NewController(clientConfig)
if err != nil {
t.Fatalf("error creating client controller: %s", err)
}
tunnelEstablished := make(chan struct{}, 1)
SetNoticeOutput(NewNoticeReceiver(
func(notice []byte) {
noticeType, payload, err := GetNotice(notice)
if err != nil {
return
}
printNotice := false
switch noticeType {
case "Tunnels":
printNotice = true
count := int(payload["count"].(float64))
if count == 1 {
tunnelEstablished <- *new(struct{})
}
case "RemoteServerListResourceDownloadedBytes":
// TODO: check for resumed download for each URL
//url := payload["url"].(string)
printNotice = true
case "RemoteServerListResourceDownloaded":
printNotice = true
}
if printNotice {
fmt.Printf("%s\n", string(notice))
}
}))
go func() {
controller.Run(make(chan struct{}))
}()
establishTimeout := time.NewTimer(30 * time.Second)
select {
case <-tunnelEstablished:
case <-establishTimeout.C:
t.Fatalf("tunnel establish timeout exceeded")
}
for _, paveFile := range paveFiles {
u, _ := url.Parse(obfuscatedServerListRootURL)
u.Path = path.Join(u.Path, paveFile.Name)
etag, _ := GetUrlETag(u.String())
md5sum := md5.Sum(paveFile.Contents)
if etag != hex.EncodeToString(md5sum[:]) {
t.Fatalf("unexpected ETag for %s", u)
}
}
}
