mirror of https://github.com/cbeuw/Cloak
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
207 lines
6.0 KiB
Go
207 lines
6.0 KiB
Go
6 years ago
|
package client
|
||
|
|
||
|
import (
|
||
5 years ago
|
"crypto"
|
||
6 years ago
|
"encoding/json"
|
||
5 years ago
|
"fmt"
|
||
2 years ago
|
"github.com/cbeuw/Cloak/internal/common"
|
||
|
"github.com/cbeuw/Cloak/libcloak/client/browsers"
|
||
|
"github.com/cbeuw/Cloak/libcloak/client/transports"
|
||
6 years ago
|
"io/ioutil"
|
||
5 years ago
|
"net"
|
||
6 years ago
|
"strings"
|
||
|
"time"
|
||
6 years ago
|
|
||
2 years ago
|
"github.com/cbeuw/Cloak/internal/common"
|
||
|
log "github.com/sirupsen/logrus"
|
||
|
|
||
6 years ago
|
"github.com/cbeuw/Cloak/internal/ecdh"
|
||
5 years ago
|
mux "github.com/cbeuw/Cloak/internal/multiplex"
|
||
6 years ago
|
)
|
||
|
|
||
5 years ago
|
// RawConfig represents the fields in the config json file
|
||
5 years ago
|
// jsonOptional means if the json's empty, its value will be set from environment variables or commandline args
|
||
4 years ago
|
// but it mustn't be empty when ProcessRawConfig is called
|
||
5 years ago
|
type RawConfig struct {
|
||
2 years ago
|
// Required fields
|
||
|
// ServerName is the domain you appear to be visiting
|
||
|
// to your Firewall or ISP
|
||
|
ServerName string
|
||
|
// ProxyMethod is the name of the underlying proxy you wish
|
||
|
// to connect to, as determined by your server. The value can
|
||
|
// be any string whose UTF-8 ENCODED byte length is no greater than
|
||
|
// 12 bytes
|
||
|
ProxyMethod string
|
||
|
// UID is a 16-byte secret string unique to an authorised user
|
||
|
// The same UID can be used by the same user for multiple Cloak connections
|
||
|
UID []byte
|
||
|
// PublicKey is the 32-byte public Curve25519 ECDH key of your server
|
||
|
PublicKey []byte
|
||
|
// RemoteHost is the Cloak server's hostname or IP address
|
||
|
RemoteHost string // jsonOptional
|
||
|
|
||
|
// Optional Fields
|
||
|
// EncryptionMethod is the cryptographic algorithm used to
|
||
|
// encrypt data on the wire.
|
||
|
// Valid values are `aes-128-gcm`, `aes-256-gcm`, `chacha20-poly1305`, and `plain`
|
||
|
// Defaults to `aes-256-gcm`
|
||
5 years ago
|
EncryptionMethod string
|
||
2 years ago
|
// NumConn is the amount of underlying TLS connections to establish with Cloak server.
|
||
|
// Cloak multiplexes any number of incoming connections to a fixed number of underlying TLS connections.
|
||
|
// If set to 0, a special singleplex mode is enabled: each incoming connection will correspond to exactly one
|
||
|
// TLS connection
|
||
|
// Defaults to 4
|
||
|
NumConn *int
|
||
|
// UDP enables UDP semantics, where packets must fit into one unit of message (below 16000 bytes by default),
|
||
|
// and packets can be received out of order. Though reliable delivery is still guaranteed.
|
||
|
UDP bool
|
||
|
// BrowserSig is the browser signature to be used. Options are `chrome` and `firefox`
|
||
|
// Defaults to `chrome`
|
||
|
BrowserSig string
|
||
|
// Transport is either `direct` or `cdn`. Under `direct`, the client connects to a Cloak server directly.
|
||
|
// Under `cdn`, the client connects to a CDN provider such as Amazon Cloudfront, which in turn connects
|
||
|
// to a Cloak server.
|
||
|
// Defaults to `direct`
|
||
|
Transport string
|
||
|
// CDNOriginHost is the CDN Origin's (i.e. Cloak server) real hostname or IP address, which is encrypted between
|
||
|
// the client and the CDN server, and therefore hidden to ISP or firewalls. This only has effect when Transport
|
||
|
// is set to `cdn`
|
||
|
// Defaults to RemoteHost
|
||
|
CDNOriginHost string
|
||
|
// KeepAlive is the interval between TCP KeepAlive packets to be sent over the underlying TLS connections
|
||
|
// Defaults to -1, which means no TCP KeepAlive is ever sent
|
||
|
KeepAlive int
|
||
|
// RemotePort is the port Cloak server is listening to
|
||
|
// Defaults to 443
|
||
|
RemotePort string
|
||
6 years ago
|
}
|
||
|
|
||
5 years ago
|
type RemoteConnConfig struct {
|
||
4 years ago
|
Singleplex bool
|
||
5 years ago
|
NumConn int
|
||
|
KeepAlive time.Duration
|
||
|
RemoteAddr string
|
||
2 years ago
|
TransportMaker func() transports.Transport
|
||
5 years ago
|
}
|
||
|
|
||
2 years ago
|
type AuthInfo = transports.AuthInfo
|
||
5 years ago
|
|
||
2 years ago
|
func (raw *RawConfig) ProcessRawConfig(worldState common.WorldState) (remote RemoteConnConfig, auth AuthInfo, err error) {
|
||
|
nullErr := func(field string) (remote RemoteConnConfig, auth AuthInfo, err error) {
|
||
5 years ago
|
err = fmt.Errorf("%v cannot be empty", field)
|
||
|
return
|
||
|
}
|
||
|
|
||
5 years ago
|
auth.UID = raw.UID
|
||
|
auth.Unordered = raw.UDP
|
||
5 years ago
|
if raw.ServerName == "" {
|
||
|
return nullErr("ServerName")
|
||
|
}
|
||
|
auth.MockDomain = raw.ServerName
|
||
3 years ago
|
|
||
5 years ago
|
if raw.ProxyMethod == "" {
|
||
2 years ago
|
return nullErr("ProxyMethod")
|
||
5 years ago
|
}
|
||
|
auth.ProxyMethod = raw.ProxyMethod
|
||
|
if len(raw.UID) == 0 {
|
||
|
return nullErr("UID")
|
||
|
}
|
||
|
|
||
|
// static public key
|
||
|
if len(raw.PublicKey) == 0 {
|
||
|
return nullErr("PublicKey")
|
||
|
}
|
||
|
pub, ok := ecdh.Unmarshal(raw.PublicKey)
|
||
|
if !ok {
|
||
|
err = fmt.Errorf("failed to unmarshal Public key")
|
||
|
return
|
||
|
}
|
||
|
auth.ServerPubKey = pub
|
||
5 years ago
|
auth.WorldState = worldState
|
||
5 years ago
|
|
||
|
// Encryption method
|
||
|
switch strings.ToLower(raw.EncryptionMethod) {
|
||
5 years ago
|
case "plain":
|
||
4 years ago
|
auth.EncryptionMethod = mux.EncryptionMethodPlain
|
||
4 years ago
|
case "aes-gcm", "aes-256-gcm":
|
||
4 years ago
|
auth.EncryptionMethod = mux.EncryptionMethodAES256GCM
|
||
|
case "aes-128-gcm":
|
||
|
auth.EncryptionMethod = mux.EncryptionMethodAES128GCM
|
||
5 years ago
|
case "chacha20-poly1305":
|
||
4 years ago
|
auth.EncryptionMethod = mux.EncryptionMethodChaha20Poly1305
|
||
2 years ago
|
case "":
|
||
|
auth.EncryptionMethod = mux.EncryptionMethodAES256GCM
|
||
5 years ago
|
default:
|
||
5 years ago
|
err = fmt.Errorf("unknown encryption method %v", raw.EncryptionMethod)
|
||
|
return
|
||
5 years ago
|
}
|
||
|
|
||
5 years ago
|
if raw.RemoteHost == "" {
|
||
|
return nullErr("RemoteHost")
|
||
|
}
|
||
2 years ago
|
var remotePort string
|
||
5 years ago
|
if raw.RemotePort == "" {
|
||
2 years ago
|
remotePort = "443"
|
||
|
} else {
|
||
|
remotePort = raw.RemotePort
|
||
5 years ago
|
}
|
||
2 years ago
|
remote.RemoteAddr = net.JoinHostPort(raw.RemoteHost, remotePort)
|
||
|
if raw.NumConn == nil {
|
||
|
remote.NumConn = 4
|
||
|
remote.Singleplex = false
|
||
|
} else if *raw.NumConn <= 0 {
|
||
4 years ago
|
remote.NumConn = 1
|
||
|
remote.Singleplex = true
|
||
|
} else {
|
||
2 years ago
|
remote.NumConn = *raw.NumConn
|
||
4 years ago
|
remote.Singleplex = false
|
||
5 years ago
|
}
|
||
5 years ago
|
|
||
5 years ago
|
// Transport and (if TLS mode), browser
|
||
|
switch strings.ToLower(raw.Transport) {
|
||
5 years ago
|
case "cdn":
|
||
2 years ago
|
cdnPort := raw.RemotePort
|
||
|
var cdnHost string
|
||
4 years ago
|
if raw.CDNOriginHost == "" {
|
||
2 years ago
|
cdnHost = raw.RemoteHost
|
||
4 years ago
|
} else {
|
||
2 years ago
|
cdnHost = raw.CDNOriginHost
|
||
2 years ago
|
}
|
||
4 years ago
|
|
||
2 years ago
|
remote.TransportMaker = func() transports.Transport {
|
||
|
return &transports.WSOverTLS{
|
||
|
CDNHost: cdnHost,
|
||
|
CDNPort: cdnPort,
|
||
5 years ago
|
}
|
||
|
}
|
||
5 years ago
|
case "direct":
|
||
|
fallthrough
|
||
5 years ago
|
default:
|
||
5 years ago
|
var browser browser
|
||
|
switch strings.ToLower(raw.BrowserSig) {
|
||
|
case "firefox":
|
||
8 months ago
|
browser = firefox
|
||
1 year ago
|
case "safari":
|
||
8 months ago
|
browser = safari
|
||
5 years ago
|
case "chrome":
|
||
|
fallthrough
|
||
|
default:
|
||
8 months ago
|
browser = chrome
|
||
5 years ago
|
}
|
||
2 years ago
|
remote.TransportMaker = func() transports.Transport {
|
||
|
return &transports.DirectTLS{
|
||
|
Browser: browser,
|
||
5 years ago
|
}
|
||
|
}
|
||
5 years ago
|
}
|
||
|
|
||
5 years ago
|
// KeepAlive
|
||
|
if raw.KeepAlive <= 0 {
|
||
|
remote.KeepAlive = -1
|
||
5 years ago
|
} else {
|
||
5 years ago
|
remote.KeepAlive = remote.KeepAlive * time.Second
|
||
5 years ago
|
}
|
||
5 years ago
|
|
||
5 years ago
|
return
|
||
6 years ago
|
}
|