-
Notifications
You must be signed in to change notification settings - Fork 19
/
main.go
321 lines (278 loc) · 9.19 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
// Copyright (C) 2020, IrineSistiana
//
// This file is part of simple-tls.
//
// simple-tls is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// simple-tls is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package main
import (
"context"
"crypto/tls"
"crypto/x509"
"encoding/base64"
"flag"
"fmt"
"io/ioutil"
"log"
"net"
"os"
"os/signal"
"runtime"
"strconv"
"strings"
"syscall"
"time"
"github.com/IrineSistiana/simple-tls/core"
)
var version = "unknown/dev"
func main() {
go func() {
//wait signals
osSignals := make(chan os.Signal, 1)
signal.Notify(osSignals, os.Interrupt, os.Kill, syscall.SIGTERM)
s := <-osSignals
log.Printf("main: exiting: signal: %v", s)
os.Exit(0)
}()
var bindAddr, dstAddr, serverName, cca, ca, cert, key string
var insecureSkipVerify, isServer, sendPaddingData, tfo, vpn, genCert, showVersion bool
var cpu int
var timeout time.Duration
var timeoutFlag int
commandLine := flag.NewFlagSet(os.Args[0], flag.ContinueOnError)
commandLine.StringVar(&bindAddr, "b", "", "[Host:Port] bind address")
commandLine.StringVar(&dstAddr, "d", "", "[Host:Port] destination address")
commandLine.BoolVar(&sendPaddingData, "pd", false, "send padding data occasionally to against traffic analysis")
// client only
commandLine.StringVar(&serverName, "n", "", "server name")
commandLine.StringVar(&ca, "ca", "", "PEM CA file path")
commandLine.StringVar(&cca, "cca", "", "base64 encoded PEM CA")
commandLine.BoolVar(&insecureSkipVerify, "no-verify", false, "client won't verify the server's certificate chain and host name")
commandLine.BoolVar(&vpn, "V", false, "DO NOT USE, this is for android vpn mode")
// server only
commandLine.BoolVar(&isServer, "s", false, "is server")
commandLine.StringVar(&cert, "cert", "", "[Path] PEM cert file")
commandLine.StringVar(&key, "key", "", "[Path] PEM key file")
// etc
commandLine.IntVar(&timeoutFlag, "t", 300, "timeout after sec")
commandLine.BoolVar(&tfo, "fast-open", false, "enable tfo, only available on linux 4.11+")
commandLine.IntVar(&cpu, "cpu", runtime.NumCPU(), "the maximum number of CPUs that can be executing simultaneously")
// helper commands
commandLine.BoolVar(&genCert, "gen-cert", false, "[This is a helper function]: generate a certificate, store it's key to [-key] and cert to [-cert], print cert in base64 format without padding characters")
commandLine.BoolVar(&showVersion, "v", false, "output version info and exit")
err := commandLine.Parse(os.Args[1:])
if err != nil {
log.Fatalf("main: invalid arg: %v", err)
}
// display version
if showVersion {
println(version)
os.Exit(0)
}
// gen cert
if genCert {
log.Print("main: WARNING: generating PEM encoded key and cert")
dnsName, keyPEM, certPEM, err := core.GenerateCertificate(serverName)
if err != nil {
log.Fatalf("main: generateCertificate: %v", err)
}
// key
if len(key) == 0 {
key = dnsName + ".key"
}
log.Printf("main: generating PEM encoded key to %s", key)
keyFile, err := os.Create(key)
if err != nil {
log.Fatalf("main: creating key file [%s]: %v", key, err)
}
defer keyFile.Close()
_, err = keyFile.Write(keyPEM)
if err != nil {
log.Fatalf("main: writing key file [%s]: %v", key, err)
}
// cert
if len(cert) == 0 {
cert = dnsName + ".cert"
}
log.Printf("main: generating PEM encoded cert to %s", cert)
certFile, err := os.Create(cert)
if err != nil {
log.Fatalf("main: creating cert file [%s]: %v", cert, err)
}
defer certFile.Close()
_, err = certFile.Write(certPEM)
if err != nil {
log.Fatalf("main: writing cert file [%s]: %v", cert, err)
}
certBase64 := base64.RawStdEncoding.EncodeToString(certPEM)
fmt.Printf("Your new cert dns name is: %s\n", dnsName)
fmt.Print("Your new cert base64 string is:\n")
fmt.Printf("%s\n", certBase64)
fmt.Println("Copy this string and import it to client using -cca option")
return
}
// overwrite args from env
sip003Args, err := core.GetSIP003Args()
if err != nil {
log.Fatalf("main: sip003 error: %v", err)
}
if sip003Args != nil {
log.Print("main: simple-tls is running as a sip003 plugin")
var ok bool
var s string
// android only
_, ok = sip003Args.SS_PLUGIN_OPTIONS["V"]
vpn = vpn || ok
_, ok = sip003Args.SS_PLUGIN_OPTIONS["__android_vpn"]
vpn = vpn || ok
// common
s, _ = sip003Args.SS_PLUGIN_OPTIONS["b"]
setStrIfNotEmpty(&bindAddr, s)
s, _ = sip003Args.SS_PLUGIN_OPTIONS["d"]
setStrIfNotEmpty(&dstAddr, s)
_, ok = sip003Args.SS_PLUGIN_OPTIONS["pd"]
sendPaddingData = sendPaddingData || ok
// client
s, _ = sip003Args.SS_PLUGIN_OPTIONS["n"]
setStrIfNotEmpty(&serverName, s)
s, _ = sip003Args.SS_PLUGIN_OPTIONS["ca"]
setStrIfNotEmpty(&ca, s)
s, _ = sip003Args.SS_PLUGIN_OPTIONS["cca"]
setStrIfNotEmpty(&cca, s)
_, ok = sip003Args.SS_PLUGIN_OPTIONS["no-verify"]
insecureSkipVerify = insecureSkipVerify || ok
// server
_, ok = sip003Args.SS_PLUGIN_OPTIONS["s"]
isServer = isServer || ok
s, _ = sip003Args.SS_PLUGIN_OPTIONS["cert"]
setStrIfNotEmpty(&cert, s)
s, _ = sip003Args.SS_PLUGIN_OPTIONS["key"]
setStrIfNotEmpty(&key, s)
// etc
s, _ = sip003Args.SS_PLUGIN_OPTIONS["t"]
if err := setIntIfNotZero(&timeoutFlag, s); err != nil {
log.Fatalf("main: invalid timeout value, %v", err)
}
s, _ = sip003Args.SS_PLUGIN_OPTIONS["cpu"]
if err := setIntIfNotZero(&cpu, s); err != nil {
log.Fatalf("main: invalid cpu number, %v", err)
}
_, ok = sip003Args.SS_PLUGIN_OPTIONS["fast-open"]
tfo = tfo || ok
if isServer {
dstAddr = sip003Args.GetLocalAddr()
bindAddr = sip003Args.GetRemoteAddr()
} else {
bindAddr = sip003Args.GetLocalAddr()
dstAddr = sip003Args.GetRemoteAddr()
}
}
timeout = time.Duration(timeoutFlag) * time.Second
runtime.GOMAXPROCS(cpu)
if len(bindAddr) == 0 {
log.Fatal("main: bind addr is required")
}
if len(dstAddr) == 0 {
log.Fatal("main: destination addr is required")
}
log.Printf("main: simple-tls %s (go version: %s, os: %s, arch: %s)", version, runtime.Version(), runtime.GOOS, runtime.GOARCH)
if isServer {
var certificates []tls.Certificate
switch {
case len(cert) == 0 && len(key) == 0: // no cert and key
log.Printf("main: warnning: neither -key nor -cert is specified")
dnsName, keyPEM, certPEM, err := core.GenerateCertificate(serverName)
if err != nil {
log.Fatalf("main: generateCertificate: %v", err)
}
log.Printf("main: warnning: using tmp certificate %s", dnsName)
cer, err := tls.X509KeyPair(certPEM, keyPEM)
if err != nil {
log.Fatalf("main: X509KeyPair: %v", err)
}
certificates = []tls.Certificate{cer}
case len(cert) != 0 && len(key) != 0: // has cert and key
cer, err := tls.LoadX509KeyPair(cert, key) //load cert
if err != nil {
log.Fatalf("main: LoadX509KeyPair: %v", err)
}
certificates = []tls.Certificate{cer}
default:
log.Fatal("main: server must have a X509 key pair, aka. -cert and -key")
}
lc := net.ListenConfig{Control: core.GetControlFunc(&core.TcpConfig{EnableTFO: tfo})}
l, err := lc.Listen(context.Background(), "tcp", bindAddr)
if err != nil {
log.Fatalf("main: net.Listen: %v", err)
}
err = core.DoServer(l, certificates, dstAddr, sendPaddingData, timeout)
if err != nil {
log.Fatalf("main: doServer: %v", err)
}
} else { // do client
var host string
if len(serverName) != 0 {
host = serverName
} else {
host = strings.SplitN(bindAddr, ":", 2)[0]
}
var rootCAs *x509.CertPool
switch {
case len(cca) != 0:
cca = strings.TrimRight(cca, "=")
pem, err := base64.RawStdEncoding.DecodeString(cca)
if err != nil {
log.Fatalf("main: base64.RawStdEncoding.DecodeString: %v", err)
}
rootCAs = x509.NewCertPool()
if ok := rootCAs.AppendCertsFromPEM(pem); !ok {
log.Fatal("main: AppendCertsFromPEM failed, cca is invaild")
}
case len(ca) != 0:
rootCAs = x509.NewCertPool()
certPEMBlock, err := ioutil.ReadFile(ca)
if err != nil {
log.Fatalf("main: ReadFile ca [%s], %v", ca, err)
}
if ok := rootCAs.AppendCertsFromPEM(certPEMBlock); !ok {
log.Fatal("main: AppendCertsFromPEM failed, ca is invaild")
}
}
lc := net.ListenConfig{}
l, err := lc.Listen(context.Background(), "tcp", bindAddr)
if err != nil {
log.Fatalf("main: net.Listen: %v", err)
}
err = core.DoClient(l, dstAddr, host, rootCAs, insecureSkipVerify, sendPaddingData, timeout, vpn, tfo)
if err != nil {
log.Fatalf("main: doServer: %v", err)
}
}
}
func setStrIfNotEmpty(dst *string, src string) {
if len(src) != 0 {
*dst = src
}
}
func setIntIfNotZero(dst *int, src string) error {
if len(src) != 0 {
i, err := strconv.Atoi(src)
if err != nil {
return fmt.Errorf("string %s is not an int", src)
}
if i > 0 {
*dst = i
}
}
return nil
}