Cloak/cmd/ck-server/ck-server.go

package main

import (
	"bytes"
	"encoding/base64"
	"flag"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	_ "net/http/pprof"
	"os"
	"runtime"
	"strings"
	"time"

	mux "github.com/cbeuw/Cloak/internal/multiplex"
	"github.com/cbeuw/Cloak/internal/server"
	"github.com/cbeuw/Cloak/internal/server/usermanager"
	"github.com/cbeuw/Cloak/internal/util"
)

var version string

func pipe(dst io.ReadWriteCloser, src io.ReadWriteCloser) {
	// The maximum size of TLS message will be 16396+16. 16 because of the stream header
	// 16408 is the max TLS message size on Firefox
	buf := make([]byte, 16396)
	for {
		i, err := io.ReadAtLeast(src, buf, 1)
		if err != nil || i == 0 {
			go dst.Close()
			go src.Close()
			return
		}
		i, err = dst.Write(buf[:i])
		if err != nil || i == 0 {
			go dst.Close()
			go src.Close()
			return
		}
	}
}

func dispatchConnection(conn net.Conn, sta *server.State) {
	goWeb := func(data []byte) {
		webConn, err := net.Dial("tcp", sta.WebServerAddr)
		if err != nil {
			log.Printf("Making connection to redirection server: %v\n", err)
			go webConn.Close()
			return
		}
		webConn.Write(data)
		go pipe(webConn, conn)
		go pipe(conn, webConn)
	}

	buf := make([]byte, 1500)

	conn.SetReadDeadline(time.Now().Add(3 * time.Second))
	i, err := io.ReadAtLeast(conn, buf, 1)
	if err != nil {
		go conn.Close()
		return
	}
	conn.SetReadDeadline(time.Time{})
	data := buf[:i]
	ch, err := server.ParseClientHello(data)
	if err != nil {
		log.Printf("+1 non SS non (or malformed) TLS traffic from %v\n", conn.RemoteAddr())
		goWeb(data)
		return
	}

	isSS, UID, sessionID := server.TouchStone(ch, sta)
	if !isSS {
		log.Printf("+1 non SS TLS traffic from %v\n", conn.RemoteAddr())
		goWeb(data)
		return
	}

	finishHandshake := func() error {
		reply := server.ComposeReply(ch)
		_, err = conn.Write(reply)
		if err != nil {
			go conn.Close()
			return err
		}

		// Two discarded messages: ChangeCipherSpec and Finished
		discardBuf := make([]byte, 1024)
		for c := 0; c < 2; c++ {
			_, err = util.ReadTLS(conn, discardBuf)
			if err != nil {
				go conn.Close()
				return err
			}
		}
		return nil
	}

	// adminUID can use the server as normal with unlimited QoS credits. The adminUID is not
	// added to the userinfo database. The distinction between going into the admin mode
	// and normal proxy mode is that sessionID needs == 0 for admin mode
	if bytes.Equal(UID, sta.AdminUID) && sessionID == 0 {
		err = finishHandshake()
		if err != nil {
			log.Println(err)
			return
		}
		c := sta.Userpanel.MakeController(sta.AdminUID)
		for {
			n, err := conn.Read(data)
			if err != nil {
				log.Println(err)
				return
			}
			resp, err := c.HandleRequest(data[:n])
			if err != nil {
				log.Println(err)
				return
			}
			_, err = conn.Write(resp)
			if err != nil {
				log.Println(err)
				return
			}
		}

	}

	var user *usermanager.User
	if bytes.Equal(UID, sta.AdminUID) {
		user, err = sta.Userpanel.GetAndActivateAdminUser(UID)
	} else {
		user, err = sta.Userpanel.GetAndActivateUser(UID)
	}
	if err != nil {
		log.Printf("+1 unauthorised user from %v, uid: %x\n", conn.RemoteAddr(), UID)
		goWeb(data)
		return
	}

	err = finishHandshake()
	if err != nil {
		log.Println(err)
		return
	}

	sesh, existing, err := user.GetSession(sessionID, mux.MakeObfs(UID), mux.MakeDeobfs(UID), util.ReadTLS)
	if err != nil {
		user.DelSession(sessionID)
		log.Println(err)
		return
	}

	if existing {
		sesh.AddConnection(conn)
		return
	} else {
		log.Printf("New session from UID:%v, sessionID:%v\n", base64.StdEncoding.EncodeToString(UID), sessionID)
		sesh.AddConnection(conn)
		for {
			newStream, err := sesh.AcceptStream()
			if err != nil {
				if err == mux.ErrBrokenSession {
					log.Printf("Session closed for UID:%v, sessionID:%v\n", base64.StdEncoding.EncodeToString(UID), sessionID)
					user.DelSession(sessionID)
					return
				} else {
					continue
				}
			}
			ssConn, err := net.Dial("tcp", sta.SS_LOCAL_HOST+":"+sta.SS_LOCAL_PORT)
			if err != nil {
				log.Printf("Failed to connect to ssserver: %v\n", err)
				continue
			}
			go pipe(ssConn, newStream)
			go pipe(newStream, ssConn)
		}
	}

}

func main() {
	runtime.SetBlockProfileRate(5)
	go func() {
		log.Println(http.ListenAndServe("0.0.0.0:8001", nil))
	}()
	// Should be 127.0.0.1 to listen to ss-server on this machine
	var localHost string
	// server_port in ss config, same as remotePort in plugin mode
	var localPort string
	// server in ss config, the outbound listening ip
	var remoteHost string
	// Outbound listening ip, should be 443
	var remotePort string
	var pluginOpts string

	log.SetFlags(log.LstdFlags | log.Lshortfile)

	if os.Getenv("SS_LOCAL_HOST") != "" {
		localHost = os.Getenv("SS_LOCAL_HOST")
		localPort = os.Getenv("SS_LOCAL_PORT")
		remoteHost = os.Getenv("SS_REMOTE_HOST")
		remotePort = os.Getenv("SS_REMOTE_PORT")
		pluginOpts = os.Getenv("SS_PLUGIN_OPTIONS")
	} else {
		localAddr := flag.String("r", "", "localAddr: 127.0.0.1:server_port as set in SS config")
		flag.StringVar(&remoteHost, "s", "0.0.0.0", "remoteHost: outbound listing ip, set to 0.0.0.0 to listen to everything")
		flag.StringVar(&remotePort, "p", "443", "remotePort: outbound listing port, should be 443")
		flag.StringVar(&pluginOpts, "c", "server.json", "pluginOpts: path to server.json or options seperated by semicolons")
		askVersion := flag.Bool("v", false, "Print the version number")
		printUsage := flag.Bool("h", false, "Print this message")

		genUID := flag.Bool("u", false, "Generate a UID")
		genKeyPair := flag.Bool("k", false, "Generate a pair of public and private key, output in the format of pubkey,pvkey")

		flag.Parse()

		if *askVersion {
			fmt.Printf("ck-server %s\n", version)
			return
		}
		if *printUsage {
			flag.Usage()
			return
		}
		if *genUID {
			fmt.Println(generateUID())
			return
		}
		if *genKeyPair {
			pub, pv := generateKeyPair()
			fmt.Printf("%v,%v", pub, pv)
			return
		}

		if *localAddr == "" {
			log.Fatal("Must specify localAddr")
		}
		localHost = strings.Split(*localAddr, ":")[0]
		localPort = strings.Split(*localAddr, ":")[1]
		log.Printf("Starting standalone mode, listening on %v:%v to ss at %v:%v\n", remoteHost, remotePort, localHost, localPort)
	}
	sta, _ := server.InitState(localHost, localPort, remoteHost, remotePort, time.Now)

	err := sta.ParseConfig(pluginOpts)
	if err != nil {
		log.Fatalf("Configuration file error: %v", err)
	}

	if sta.AdminUID == nil {
		log.Fatalln("AdminUID cannot be empty!")
	}

	go sta.UsedRandomCleaner()

	listen := func(addr, port string) {
		listener, err := net.Listen("tcp", addr+":"+port)
		log.Println("Listening on " + addr + ":" + port)
		if err != nil {
			log.Fatal(err)
		}
		for {
			conn, err := listener.Accept()
			if err != nil {
				log.Printf("%v", err)
				continue
			}
			go dispatchConnection(conn, sta)
		}
	}

	// When listening on an IPv6 and IPv4, SS gives REMOTE_HOST as e.g. ::|0.0.0.0
	listeningIP := strings.Split(sta.SS_REMOTE_HOST, "|")
	for i, ip := range listeningIP {
		if net.ParseIP(ip).To4() == nil {
			// IPv6 needs square brackets
			ip = "[" + ip + "]"
		}

		// The last listener must block main() because the program exits on main return.
		if i == len(listeningIP)-1 {
			listen(ip, sta.SS_REMOTE_PORT)
		} else {
			go listen(ip, sta.SS_REMOTE_PORT)
		}
	}

}
Untested server 2018-10-09 15:07:54 +00:00			`package main`

			`import (`
Basic remote control 2018-11-22 21:55:23 +00:00			`"bytes"`
Cleanup logs 2019-01-12 15:51:20 +00:00			`"encoding/base64"`
Untested server 2018-10-09 15:07:54 +00:00			`"flag"`
			`"fmt"`
			`"io"`
			`"log"`
			`"net"`
QOS and user managing, bug fixes 2018-11-07 21:16:13 +00:00			`"net/http"`
			`_ "net/http/pprof"`
Untested server 2018-10-09 15:07:54 +00:00			`"os"`
QOS and user managing, bug fixes 2018-11-07 21:16:13 +00:00			`"runtime"`
Untested server 2018-10-09 15:07:54 +00:00			`"strings"`
			`"time"`

			`mux "github.com/cbeuw/Cloak/internal/multiplex"`
			`"github.com/cbeuw/Cloak/internal/server"`
Client using AdminUID can now use the proxy without adding themselves to the db 2018-12-11 23:26:05 +00:00			`"github.com/cbeuw/Cloak/internal/server/usermanager"`
Untested server 2018-10-09 15:07:54 +00:00			`"github.com/cbeuw/Cloak/internal/util"`
			`)`

			`var version string`

			`func pipe(dst io.ReadWriteCloser, src io.ReadWriteCloser) {`
Redo the header obfuscation. Fix hiccups caused by short packets 2019-01-06 01:40:27 +00:00			`// The maximum size of TLS message will be 16396+16. 16 because of the stream header`
drop aes encryption of headers 2018-10-20 20:41:01 +00:00			`// 16408 is the max TLS message size on Firefox`
			`buf := make([]byte, 16396)`
Untested server 2018-10-09 15:07:54 +00:00			`for {`
Mostly works 2018-10-20 10:35:50 +00:00			`i, err := io.ReadAtLeast(src, buf, 1)`
Fix infinite loop. Baseline 2018-10-16 20:13:19 +00:00			`if err != nil \|\| i == 0 {`
Mostly works 2018-10-20 10:35:50 +00:00			`go dst.Close()`
			`go src.Close()`
			`return`
			`}`
			`i, err = dst.Write(buf[:i])`
			`if err != nil \|\| i == 0 {`
Untested server 2018-10-09 15:07:54 +00:00			`go dst.Close()`
			`go src.Close()`
			`return`
			`}`
			`}`
			`}`

			`func dispatchConnection(conn net.Conn, sta *server.State) {`
			`goWeb := func(data []byte) {`
			`webConn, err := net.Dial("tcp", sta.WebServerAddr)`
			`if err != nil {`
			`log.Printf("Making connection to redirection server: %v\n", err)`
			`go webConn.Close()`
			`return`
			`}`
			`webConn.Write(data)`
			`go pipe(webConn, conn)`
			`go pipe(conn, webConn)`
			`}`

			`buf := make([]byte, 1500)`

			`conn.SetReadDeadline(time.Now().Add(3 * time.Second))`
			`i, err := io.ReadAtLeast(conn, buf, 1)`
			`if err != nil {`
			`go conn.Close()`
			`return`
			`}`
			`conn.SetReadDeadline(time.Time{})`
			`data := buf[:i]`
			`ch, err := server.ParseClientHello(data)`
			`if err != nil {`
			`log.Printf("+1 non SS non (or malformed) TLS traffic from %v\n", conn.RemoteAddr())`
			`goWeb(data)`
			`return`
			`}`

QOS and user managing, bug fixes 2018-11-07 21:16:13 +00:00			`isSS, UID, sessionID := server.TouchStone(ch, sta)`
Untested server 2018-10-09 15:07:54 +00:00			`if !isSS {`
			`log.Printf("+1 non SS TLS traffic from %v\n", conn.RemoteAddr())`
			`goWeb(data)`
			`return`
			`}`

Client using AdminUID can now use the proxy without adding themselves to the db 2018-12-11 23:26:05 +00:00			`finishHandshake := func() error {`
Basic remote control 2018-11-22 21:55:23 +00:00			`reply := server.ComposeReply(ch)`
			`_, err = conn.Write(reply)`
			`if err != nil {`
			`go conn.Close()`
Client using AdminUID can now use the proxy without adding themselves to the db 2018-12-11 23:26:05 +00:00			`return err`
Basic remote control 2018-11-22 21:55:23 +00:00			`}`

			`// Two discarded messages: ChangeCipherSpec and Finished`
			`discardBuf := make([]byte, 1024)`
			`for c := 0; c < 2; c++ {`
			`_, err = util.ReadTLS(conn, discardBuf)`
			`if err != nil {`
			`go conn.Close()`
Client using AdminUID can now use the proxy without adding themselves to the db 2018-12-11 23:26:05 +00:00			`return err`
Basic remote control 2018-11-22 21:55:23 +00:00			`}`
			`}`
Client using AdminUID can now use the proxy without adding themselves to the db 2018-12-11 23:26:05 +00:00			`return nil`
			`}`
Basic remote control 2018-11-22 21:55:23 +00:00
Cleanup logs 2019-01-12 15:51:20 +00:00			`// adminUID can use the server as normal with unlimited QoS credits. The adminUID is not`
			`// added to the userinfo database. The distinction between going into the admin mode`
			`// and normal proxy mode is that sessionID needs == 0 for admin mode`
Client using AdminUID can now use the proxy without adding themselves to the db 2018-12-11 23:26:05 +00:00			`if bytes.Equal(UID, sta.AdminUID) && sessionID == 0 {`
			`err = finishHandshake()`
			`if err != nil {`
			`log.Println(err)`
			`return`
			`}`
Basic remote control 2018-11-22 21:55:23 +00:00			`c := sta.Userpanel.MakeController(sta.AdminUID)`
			`for {`
			`n, err := conn.Read(data)`
			`if err != nil {`
			`log.Println(err)`
			`return`
			`}`
			`resp, err := c.HandleRequest(data[:n])`
			`if err != nil {`
Client using AdminUID can now use the proxy without adding themselves to the db 2018-12-11 23:26:05 +00:00			`log.Println(err)`
Basic remote control 2018-11-22 21:55:23 +00:00			`return`
			`}`
			`_, err = conn.Write(resp)`
			`if err != nil {`
			`log.Println(err)`
			`return`
			`}`
			`}`

			`}`
Client using AdminUID can now use the proxy without adding themselves to the db 2018-12-11 23:26:05 +00:00
			`var user *usermanager.User`
			`if bytes.Equal(UID, sta.AdminUID) {`
			`user, err = sta.Userpanel.GetAndActivateAdminUser(UID)`
			`} else {`
			`user, err = sta.Userpanel.GetAndActivateUser(UID)`
			`}`
QOS and user managing, bug fixes 2018-11-07 21:16:13 +00:00			`if err != nil {`
			`log.Printf("+1 unauthorised user from %v, uid: %x\n", conn.RemoteAddr(), UID)`
			`goWeb(data)`
Basic remote control 2018-11-22 21:55:23 +00:00			`return`
QOS and user managing, bug fixes 2018-11-07 21:16:13 +00:00			`}`
Untested server 2018-10-09 15:07:54 +00:00
Client using AdminUID can now use the proxy without adding themselves to the db 2018-12-11 23:26:05 +00:00			`err = finishHandshake()`
Untested server 2018-10-09 15:07:54 +00:00			`if err != nil {`
Client using AdminUID can now use the proxy without adding themselves to the db 2018-12-11 23:26:05 +00:00			`log.Println(err)`
Untested server 2018-10-09 15:07:54 +00:00			`return`
			`}`

Implement SessionsCap and ExpiryTime limitations 2018-12-29 00:54:10 +00:00			`sesh, existing, err := user.GetSession(sessionID, mux.MakeObfs(UID), mux.MakeDeobfs(UID), util.ReadTLS)`
			`if err != nil {`
			`user.DelSession(sessionID)`
			`log.Println(err)`
			`return`
			`}`

			`if existing {`
Stop duplicate goroutines accepting streams 2018-11-08 19:47:53 +00:00			`sesh.AddConnection(conn)`
			`return`
			`} else {`
Cleanup logs 2019-01-12 15:51:20 +00:00			`log.Printf("New session from UID:%v, sessionID:%v\n", base64.StdEncoding.EncodeToString(UID), sessionID)`
Stop duplicate goroutines accepting streams 2018-11-08 19:47:53 +00:00			`sesh.AddConnection(conn)`
			`for {`
			`newStream, err := sesh.AcceptStream()`
			`if err != nil {`
			`if err == mux.ErrBrokenSession {`
Cleanup logs 2019-01-12 15:51:20 +00:00			`log.Printf("Session closed for UID:%v, sessionID:%v\n", base64.StdEncoding.EncodeToString(UID), sessionID)`
Stop duplicate goroutines accepting streams 2018-11-08 19:47:53 +00:00			`user.DelSession(sessionID)`
			`return`
			`} else {`
			`continue`
			`}`
			`}`
			`ssConn, err := net.Dial("tcp", sta.SS_LOCAL_HOST+":"+sta.SS_LOCAL_PORT)`
			`if err != nil {`
Use sync.Once to close die ch 2018-11-23 23:57:35 +00:00			`log.Printf("Failed to connect to ssserver: %v\n", err)`
QOS and user managing, bug fixes 2018-11-07 21:16:13 +00:00			`continue`
Untested server 2018-10-09 15:07:54 +00:00			`}`
Stop duplicate goroutines accepting streams 2018-11-08 19:47:53 +00:00			`go pipe(ssConn, newStream)`
			`go pipe(newStream, ssConn)`
QOS and user managing, bug fixes 2018-11-07 21:16:13 +00:00			`}`
			`}`
Untested server 2018-10-09 15:07:54 +00:00
			`}`

			`func main() {`
QOS and user managing, bug fixes 2018-11-07 21:16:13 +00:00			`runtime.SetBlockProfileRate(5)`
			`go func() {`
			`log.Println(http.ListenAndServe("0.0.0.0:8001", nil))`
			`}()`
Untested server 2018-10-09 15:07:54 +00:00			`// Should be 127.0.0.1 to listen to ss-server on this machine`
			`var localHost string`
			`// server_port in ss config, same as remotePort in plugin mode`
			`var localPort string`
			`// server in ss config, the outbound listening ip`
			`var remoteHost string`
			`// Outbound listening ip, should be 443`
			`var remotePort string`
			`var pluginOpts string`

			`log.SetFlags(log.LstdFlags \| log.Lshortfile)`

			`if os.Getenv("SS_LOCAL_HOST") != "" {`
			`localHost = os.Getenv("SS_LOCAL_HOST")`
			`localPort = os.Getenv("SS_LOCAL_PORT")`
			`remoteHost = os.Getenv("SS_REMOTE_HOST")`
			`remotePort = os.Getenv("SS_REMOTE_PORT")`
			`pluginOpts = os.Getenv("SS_PLUGIN_OPTIONS")`
			`} else {`
			`localAddr := flag.String("r", "", "localAddr: 127.0.0.1:server_port as set in SS config")`
			`flag.StringVar(&remoteHost, "s", "0.0.0.0", "remoteHost: outbound listing ip, set to 0.0.0.0 to listen to everything")`
			`flag.StringVar(&remotePort, "p", "443", "remotePort: outbound listing port, should be 443")`
			`flag.StringVar(&pluginOpts, "c", "server.json", "pluginOpts: path to server.json or options seperated by semicolons")`
			`askVersion := flag.Bool("v", false, "Print the version number")`
			`printUsage := flag.Bool("h", false, "Print this message")`
Integrate keygen util into ck-server 2018-12-17 22:12:38 +00:00
			`genUID := flag.Bool("u", false, "Generate a UID")`
			`genKeyPair := flag.Bool("k", false, "Generate a pair of public and private key, output in the format of pubkey,pvkey")`

Untested server 2018-10-09 15:07:54 +00:00			`flag.Parse()`

			`if *askVersion {`
			`fmt.Printf("ck-server %s\n", version)`
			`return`
			`}`
			`if *printUsage {`
			`flag.Usage()`
			`return`
			`}`
Integrate keygen util into ck-server 2018-12-17 22:12:38 +00:00			`if *genUID {`
			`fmt.Println(generateUID())`
			`return`
			`}`
			`if *genKeyPair {`
			`pub, pv := generateKeyPair()`
			`fmt.Printf("%v,%v", pub, pv)`
			`return`
			`}`
Untested server 2018-10-09 15:07:54 +00:00
			`if *localAddr == "" {`
			`log.Fatal("Must specify localAddr")`
			`}`
			`localHost = strings.Split(*localAddr, ":")[0]`
			`localPort = strings.Split(*localAddr, ":")[1]`
			`log.Printf("Starting standalone mode, listening on %v:%v to ss at %v:%v\n", remoteHost, remotePort, localHost, localPort)`
			`}`
User can now specify the path of db file and backups 2018-12-30 00:18:50 +00:00			`sta, _ := server.InitState(localHost, localPort, remoteHost, remotePort, time.Now)`
QOS and user managing, bug fixes 2018-11-07 21:16:13 +00:00
Untested server 2018-10-09 15:07:54 +00:00			`err := sta.ParseConfig(pluginOpts)`
			`if err != nil {`
			`log.Fatalf("Configuration file error: %v", err)`
			`}`

Disallow empty AdminUID 2018-12-03 20:44:08 +00:00			`if sta.AdminUID == nil {`
			`log.Fatalln("AdminUID cannot be empty!")`
			`}`

Untested server 2018-10-09 15:07:54 +00:00			`go sta.UsedRandomCleaner()`

			`listen := func(addr, port string) {`
			`listener, err := net.Listen("tcp", addr+":"+port)`
			`log.Println("Listening on " + addr + ":" + port)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
			`for {`
			`conn, err := listener.Accept()`
			`if err != nil {`
			`log.Printf("%v", err)`
			`continue`
			`}`
			`go dispatchConnection(conn, sta)`
			`}`
			`}`

			`// When listening on an IPv6 and IPv4, SS gives REMOTE_HOST as e.g. ::\|0.0.0.0`
			`listeningIP := strings.Split(sta.SS_REMOTE_HOST, "\|")`
			`for i, ip := range listeningIP {`
			`if net.ParseIP(ip).To4() == nil {`
			`// IPv6 needs square brackets`
			`ip = "[" + ip + "]"`
			`}`

			`// The last listener must block main() because the program exits on main return.`
			`if i == len(listeningIP)-1 {`
			`listen(ip, sta.SS_REMOTE_PORT)`
			`} else {`
			`go listen(ip, sta.SS_REMOTE_PORT)`
			`}`
			`}`

			`}`