obfs4proxy.go

/*
 * Copyright (c) 2014, Yawning Angel <yawning at torproject dot org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 *  * Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *
 *  * Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * This file is based off goptlib's dummy-[client,server].go files.
 */

// obfs4 pluggable transport.  Works only as a managed proxy.
//
// Client usage (in torrc):
//   UseBridges 1
//   Bridge obfs4 X.X.X.X:YYYY <Fingerprint> public-key=<Base64 Bridge Public Key> node-id=<Base64 Bridge Node ID>
//   ClientTransportPlugin obfs4 exec obfs4proxy
//
// Server usage (in torrc):
//   BridgeRelay 1
//   ORPort 9001
//   ExtORPort 6669
//   ServerTransportPlugin obfs4 exec obfs4proxy
//   ServerTransportOptions obfs4 private-key=<Base64 Bridge Private Key> node-id=<Base64 Node ID> drbg-seed=<Base64 DRBG Seed>
//
// Because the pluggable transport requires arguments, obfs4proxy requires
// tor-0.2.5.x to be useful.
package main

import (
	"encoding/base64"
	"encoding/hex"
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"log"
	"net"
	"net/url"
	"os"
	"os/signal"
	"path"
	"sync"
	"syscall"

	"git.torproject.org/pluggable-transports/goptlib.git"
	"github.com/yawning/obfs4"
	"github.com/yawning/obfs4/csrand"
	"github.com/yawning/obfs4/ntor"
)

const (
	obfs4Method  = "obfs4"
	obfs4LogFile = "obfs4proxy.log"
)

var enableLogging bool
var unsafeLogging bool
var iatObfuscation bool
var ptListeners []net.Listener

// When a connection handler starts, +1 is written to this channel; when it
// ends, -1 is written.
var handlerChan = make(chan int)

func logAndRecover(conn *obfs4.Obfs4Conn) {
	if err := recover(); err != nil {
		log.Printf("[ERROR] %p: Panic: %s", conn, err)
	}
}

func copyLoop(a net.Conn, b *obfs4.Obfs4Conn) {
	var wg sync.WaitGroup
	wg.Add(2)

	go func() {
		defer logAndRecover(b)
		defer wg.Done()
		defer b.Close()
		defer a.Close()

		_, err := io.Copy(b, a)
		if err != nil {
			log.Printf("[WARN] copyLoop: %p: Connection closed: %s", b, err)
		}
	}()
	go func() {
		defer logAndRecover(b)
		defer wg.Done()
		defer a.Close()
		defer b.Close()

		_, err := io.Copy(a, b)
		if err != nil {
			log.Printf("[WARN] copyLoop: %p: Connection closed: %s", b, err)
		}
	}()

	wg.Wait()
}

func serverHandler(conn *obfs4.Obfs4Conn, info *pt.ServerInfo) error {
	defer conn.Close()
	defer logAndRecover(conn)

	handlerChan <- 1
	defer func() {
		handlerChan <- -1
	}()

	var addr string
	if unsafeLogging {
		addr = conn.RemoteAddr().String()
	} else {
		addr = "[scrubbed]"
	}

	log.Printf("[INFO] server: %p: New connection from %s", conn, addr)

	// Handshake with the client.
	err := conn.ServerHandshake()
	if err != nil {
		log.Printf("[WARN] server: %p: Handshake failed: %s", conn, err)
		return err
	}

	or, err := pt.DialOr(info, conn.RemoteAddr().String(), obfs4Method)
	if err != nil {
		log.Printf("[ERROR] server: %p: DialOr failed: %s", conn, err)
		return err
	}
	defer or.Close()

	copyLoop(or, conn)

	return nil
}

func serverAcceptLoop(ln *obfs4.Obfs4Listener, info *pt.ServerInfo) error {
	defer ln.Close()
	for {
		conn, err := ln.AcceptObfs4()
		if err != nil {
			if e, ok := err.(net.Error); ok && !e.Temporary() {
				return err
			}
			continue
		}
		go serverHandler(conn, info)
	}
}

func serverSetup() (launched bool) {
	// Initialize pt logging.
	err := ptInitializeLogging(enableLogging)
	if err != nil {
		return
	}

	ptServerInfo, err := pt.ServerSetup([]string{obfs4Method})
	if err != nil {
		return
	}

	for _, bindaddr := range ptServerInfo.Bindaddrs {
		switch bindaddr.MethodName {
		case obfs4Method:
			// Handle the mandetory arguments.
			privateKey, ok := bindaddr.Options.Get("private-key")
			if !ok {
				pt.SmethodError(bindaddr.MethodName, "needs a private-key option")
				break
			}
			nodeID, ok := bindaddr.Options.Get("node-id")
			if !ok {
				pt.SmethodError(bindaddr.MethodName, "needs a node-id option")
				break
			}
			seed, ok := bindaddr.Options.Get("drbg-seed")
			if !ok {
				pt.SmethodError(bindaddr.MethodName, "needs a drbg-seed option")
				break
			}

			// Initialize the listener.
			ln, err := obfs4.ListenObfs4("tcp", bindaddr.Addr.String(), nodeID,
				privateKey, seed, iatObfuscation)
			if err != nil {
				pt.SmethodError(bindaddr.MethodName, err.Error())
				break
			}

			// Report the SMETHOD including the parameters.
			args := pt.Args{}
			args.Add("node-id", nodeID)
			args.Add("public-key", ln.PublicKey())
			go serverAcceptLoop(ln, &ptServerInfo)
			pt.SmethodArgs(bindaddr.MethodName, ln.Addr(), args)
			ptListeners = append(ptListeners, ln)
			launched = true
		default:
			pt.SmethodError(bindaddr.MethodName, "no such method")
		}
	}
	pt.SmethodsDone()

	return
}

func clientHandler(conn *pt.SocksConn, proxyURI *url.URL) error {
	defer conn.Close()

	var addr string
	if unsafeLogging {
		addr = conn.Req.Target
	} else {
		addr = "[scrubbed]"
	}

	log.Printf("[INFO] client: New connection to %s", addr)

	// Extract the peer's node ID and public key.
	nodeID, ok := conn.Req.Args.Get("node-id")
	if !ok {
		log.Printf("[ERROR] client: missing node-id argument")
		conn.Reject()
		return nil
	}
	publicKey, ok := conn.Req.Args.Get("public-key")
	if !ok {
		log.Printf("[ERROR] client: missing public-key argument")
		conn.Reject()
		return nil
	}

	handlerChan <- 1
	defer func() {
		handlerChan <- -1
	}()

	defer logAndRecover(nil)
	dialFn, err := getProxyDialer(proxyURI)
	if err != nil {
		log.Printf("[ERROR] client: failed to get proxy dialer: %s", err)
		conn.Reject()
		return err
	}
	remote, err := obfs4.DialObfs4DialFn(dialFn, "tcp", conn.Req.Target, nodeID, publicKey, iatObfuscation)
	if err != nil {
		log.Printf("[ERROR] client: %p: Handshake failed: %s", remote, err)
		conn.Reject()
		return err
	}
	defer remote.Close()
	err = conn.Grant(remote.RemoteAddr().(*net.TCPAddr))
	if err != nil {
		return err
	}

	copyLoop(conn, remote)

	return nil
}

func clientAcceptLoop(ln *pt.SocksListener, proxyURI *url.URL) error {
	defer ln.Close()
	for {
		conn, err := ln.AcceptSocks()
		if err != nil {
			if e, ok := err.(net.Error); ok && !e.Temporary() {
				return err
			}
			continue
		}
		go clientHandler(conn, proxyURI)
	}
}

func clientSetup() (launched bool) {
	// Initialize pt logging.
	err := ptInitializeLogging(enableLogging)
	if err != nil {
		return
	}

	ptClientInfo, err := pt.ClientSetup([]string{obfs4Method})
	if err != nil {
		log.Fatal(err)
	}

	ptClientProxy, err := ptGetProxy()
	if err != nil {
		log.Fatal(err)
	} else if ptClientProxy != nil {
		ptProxyDone()
	}

	for _, methodName := range ptClientInfo.MethodNames {
		switch methodName {
		case obfs4Method:
			ln, err := pt.ListenSocks("tcp", "127.0.0.1:0")
			if err != nil {
				pt.CmethodError(methodName, err.Error())
				break
			}
			go clientAcceptLoop(ln, ptClientProxy)
			pt.Cmethod(methodName, ln.Version(), ln.Addr())
			ptListeners = append(ptListeners, ln)
			launched = true
		default:
			pt.CmethodError(methodName, "no such method")
		}
	}
	pt.CmethodsDone()

	return
}

func ptInitializeLogging(enable bool) error {
	if enable {
		// pt.MakeStateDir will ENV-ERROR for us.
		dir, err := pt.MakeStateDir()
		if err != nil {
			return err
		}

		// While we could just exit, log an ENV-ERROR so it will propagate to
		// the tor log.
		f, err := os.OpenFile(path.Join(dir, obfs4LogFile), os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
		if err != nil {
			return ptEnvError(fmt.Sprintf("Failed to open log file: %s\n", err))
		}
		log.SetOutput(f)
	} else {
		log.SetOutput(ioutil.Discard)
	}

	return nil
}

func generateServerParams(id string) {
	idIsFP := id != ""
	var rawID []byte

	if idIsFP {
		var err error
		rawID, err = hex.DecodeString(id)
		if err != nil {
			fmt.Println("Failed to hex decode id:", err)
			return
		}
	} else {
		rawID = make([]byte, ntor.NodeIDLength)
		err := csrand.Bytes(rawID)
		if err != nil {
			fmt.Println("Failed to generate random node-id:", err)
			return
		}
	}
	parsedID, err := ntor.NewNodeID(rawID)
	if err != nil {
		fmt.Println("Failed to parse id:", err)
		return
	}

	fmt.Println("Generated node-id:", parsedID.Base64())

	keypair, err := ntor.NewKeypair(false)
	if err != nil {
		fmt.Println("Failed to generate keypair:", err)
		return
	}

	seed := make([]byte, obfs4.SeedLength)
	err = csrand.Bytes(seed)
	if err != nil {
		fmt.Println("Failed to generate DRBG seed:", err)
		return
	}
	seedBase64 := base64.StdEncoding.EncodeToString(seed)

	fmt.Println("Generated private-key:", keypair.Private().Base64())
	fmt.Println("Generated public-key:", keypair.Public().Base64())
	fmt.Println("Generated drbg-seed:", seedBase64)
	fmt.Println()
	fmt.Println("Client config: ")
	if idIsFP {
		fmt.Printf("  Bridge obfs4 <IP Address:Port> %s node-id=%s public-key=%s\n",
			id, parsedID.Base64(), keypair.Public().Base64())
	} else {
		fmt.Printf("  Bridge obfs4 <IP Address:Port> <Fingerprint> node-id=%s public-key=%s\n",
			parsedID.Base64(), keypair.Public().Base64())
	}
	fmt.Println()
	fmt.Println("Server config:")
	fmt.Printf("  ServerTransportOptions obfs4 node-id=%s private-key=%s drbg-seed=%s\n",
		parsedID.Base64(), keypair.Private().Base64(), seedBase64)
}

func main() {
	// Some command line args.
	genParams := flag.Bool("genServerParams", false, "Generate Bridge operator torrc parameters")
	genParamsFP := flag.String("genServerParamsFP", "", "Optional bridge fingerprint for genServerParams")
	flag.BoolVar(&enableLogging, "enableLogging", false, "Log to TOR_PT_STATE_LOCATION/obfs4proxy.log")
	flag.BoolVar(&iatObfuscation, "iatObfuscation", false, "Enable IAT obufscation (EXPENSIVE)")
	flag.BoolVar(&unsafeLogging, "unsafeLogging", false, "Disable the address scrubber")
	flag.Parse()
	if *genParams {
		generateServerParams(*genParamsFP)
		return
	}

	// Go through the pt protocol and initialize client or server mode.
	launched := false
	isClient, err := ptIsClient()
	if err != nil {
		log.Fatal("[ERROR] obfs4proxy must be run as a managed transport or server")
	} else if isClient {
		launched = clientSetup()
	} else {
		launched = serverSetup()
	}
	if !launched {
		// Something must have failed in client/server setup, just bail.
		os.Exit(-1)
	}

	log.Println("[INFO] obfs4proxy - Launched and listening")
	defer func() {
		log.Println("[INFO] obfs4proxy - Terminated")
	}()

	// Handle termination notification.
	numHandlers := 0
	var sig os.Signal
	sigChan := make(chan os.Signal, 1)
	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)

	// wait for first signal
	sig = nil
	for sig == nil {
		select {
		case n := <-handlerChan:
			numHandlers += n
		case sig = <-sigChan:
		}
	}
	for _, ln := range ptListeners {
		ln.Close()
	}

	if sig == syscall.SIGTERM {
		return
	}

	// wait for second signal or no more handlers
	sig = nil
	for sig == nil && numHandlers != 0 {
		select {
		case n := <-handlerChan:
			numHandlers += n
		case sig = <-sigChan:
		}
	}
}

/* vim :set ts=4 sw=4 sts=4 noet : */