Commit 169616fb authored by David Fifield's avatar David Fifield

Merge remote-tracking branch 'bamsoftware/main'

parents e195aff8 3be00b7b
......@@ -2,12 +2,12 @@
.\" Title: meek-client
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 09/03/2021
.\" Date: 10/20/2022
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
.TH "MEEK\-CLIENT" "1" "09/03/2021" "\ \&" "\ \&"
.TH "MEEK\-CLIENT" "1" "10/20/2022" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......@@ -139,7 +139,40 @@ HelloFirefox_65
.sp -1
.IP \(bu 2.3
.\}
HelloFirefox_Auto = HelloFirefox_65
HelloFirefox_99
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloFirefox_102
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloFirefox_105
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloFirefox_Auto = HelloFirefox_105
.RE
.sp
.RS 4
......@@ -205,7 +238,51 @@ HelloChrome_83
.sp -1
.IP \(bu 2.3
.\}
HelloChrome_Auto = HelloChrome_83
HelloChrome_87
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloChrome_96
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloChrome_100
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloChrome_102
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloChrome_Auto = HelloChrome_102
.RE
.sp
.RS 4
......@@ -238,7 +315,117 @@ HelloIOS_12_1
.sp -1
.IP \(bu 2.3
.\}
HelloIOS_Auto = HelloIOS_12_1
HelloIOS_13
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloIOS_14
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloIOS_Auto = HelloIOS_14
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloEdge_85
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloEdge_Auto = HelloEdge_85
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloSafari_16_0
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloSafari_Auto = HelloSafari_16_0
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Hello360_7_5
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Hello360_Auto = Hello360_7_5
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloQQ_11_1
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
HelloQQ_Auto = HelloQQ_11_1
.RE
.sp
As a special case, the values "none" and "HelloGolang" are recognized as aliases for omitting the
......
......@@ -57,16 +57,33 @@ The possible values of __CLIENTHELLOID__ are:
- HelloFirefox_56
- HelloFirefox_63
- HelloFirefox_65
- HelloFirefox_Auto = HelloFirefox_65
- HelloFirefox_99
- HelloFirefox_102
- HelloFirefox_105
- HelloFirefox_Auto = HelloFirefox_105
- HelloChrome_58
- HelloChrome_62
- HelloChrome_70
- HelloChrome_72
- HelloChrome_83
- HelloChrome_Auto = HelloChrome_83
- HelloChrome_87
- HelloChrome_96
- HelloChrome_100
- HelloChrome_102
- HelloChrome_Auto = HelloChrome_102
- HelloIOS_11_1
- HelloIOS_12_1
- HelloIOS_Auto = HelloIOS_12_1
- HelloIOS_13
- HelloIOS_14
- HelloIOS_Auto = HelloIOS_14
- HelloEdge_85
- HelloEdge_Auto = HelloEdge_85
- HelloSafari_16_0
- HelloSafari_Auto = HelloSafari_16_0
- Hello360_7_5
- Hello360_Auto = Hello360_7_5
- HelloQQ_11_1
- HelloQQ_Auto = HelloQQ_11_1
As a special case, the values "none" and "HelloGolang"
are recognized as aliases for
......
......@@ -3,9 +3,9 @@ module gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek.git
go 1.13
require (
github.com/refraction-networking/utls v0.0.0-20210713165636-0b2885c8c0d4
github.com/refraction-networking/utls v1.1.5
gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/goptlib v1.4.0
golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
golang.org/x/net v0.0.0-20200425230154-ff2c4b7c35a0
golang.org/x/sys v0.0.0-20200428200454-593003d681fa
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90
golang.org/x/net v0.0.0-20220909164309-bea034e7d591
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10
)
github.com/refraction-networking/utls v0.0.0-20210713165636-0b2885c8c0d4 h1:n9NMHJusHylTmtaJ0Qe0VV9dkTZLiwAxHmrI/l98GeE=
github.com/refraction-networking/utls v0.0.0-20210713165636-0b2885c8c0d4/go.mod h1:tz9gX959MEFfFN5whTIocCLUG57WiILqtdVxI8c6Wj0=
github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
github.com/klauspost/compress v1.15.9 h1:wKRjX6JRtDdrE9qwa4b/Cip7ACOshUI4smpCQanqjSY=
github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
github.com/refraction-networking/utls v1.1.5 h1:JtrojoNhbUQkBqEg05sP3gDgDj6hIEAAVKbI9lx4n6w=
github.com/refraction-networking/utls v1.1.5/go.mod h1:jRQxtYi7nkq1p28HF2lwOH5zQm9aC8rpK0O9lIIzGh8=
gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/goptlib v1.4.0 h1:Y7fHDMy11yyjM+YlHfcM3svaujdL+m5DqS444wbj8o4=
gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/goptlib v1.4.0/go.mod h1:70bhd4JKW/+1HLfm+TMrgHJsUHG4coelMWwiVEJ2gAg=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79 h1:IaQbIIB2X/Mp/DKctl6ROxz1KyMlKp4uyvL6+kQ7C88=
golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20200425230154-ff2c4b7c35a0 h1:Jcxah/M+oLZ/R4/z5RzfPzGbPXnVDPkEDtf2JnuxN+U=
golang.org/x/net v0.0.0-20200425230154-ff2c4b7c35a0/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200428200454-593003d681fa h1:yMbJOvnfYkO1dSAviTu/ZguZWLBTXx4xE3LYrxUCCiA=
golang.org/x/sys v0.0.0-20200428200454-593003d681fa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 h1:Y/gsMcFOcR+6S6f3YeMKl5g+dZMEWqcz5Czj/GWYbkM=
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI=
golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg=
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
//go:build linux
// +build linux
// This file is compiled only on linux. It contains paths used by the linux
// browser bundle.
// http://golang.org/pkg/go/build/#hdr-Build_Constraints
......
//go:build darwin
// +build darwin
// This file is compiled only on mac. It contains paths used by the mac
// browser bundle.
// http://golang.org/pkg/go/build/#hdr-Build_Constraints
......
......@@ -2,7 +2,9 @@
// meek-client to meek-http-helper running in Tor Browser.
//
// Sample usage in torrc (exact paths depend on platform):
// ClientTransportPlugin meek exec ./meek-client-torbrowser --log meek-client-torbrowser.log -- ./meek-client --url=https://forbidden.example/ --front=allowed.example --log meek-client.log
//
// ClientTransportPlugin meek exec ./meek-client-torbrowser --log meek-client-torbrowser.log -- ./meek-client --url=https://forbidden.example/ --front=allowed.example --log meek-client.log
//
// Everything up to "--" is options for this program. Everything following it is
// a meek-client command line. The command line for running firefox is implicit
// and hardcoded in this program.
......
//go:build !windows
// +build !windows
// Process termination code for platforms that have SIGTERM (i.e., not Windows).
......
//go:build windows
// +build windows
// Process termination code for platforms that don't have SIGTERM (i.e.,
......
//go:build windows
// +build windows
// This file is compiled only on windows. It contains paths used by the windows
// browser bundle.
// http://golang.org/pkg/go/build/#hdr-Build_Constraints
......
// meek-client is the client transport plugin for the meek pluggable transport.
//
// Sample usage in torrc:
// Bridge meek 0.0.2.0:1 url=https://forbidden.example/ front=allowed.example
// ClientTransportPlugin meek exec ./meek-client
//
// Bridge meek 0.0.2.0:1 url=https://forbidden.example/ front=allowed.example
// ClientTransportPlugin meek exec ./meek-client
//
// The transport ignores the bridge address 0.0.2.0:1 and instead connects to
// the URL given by url=. When front= is given, the domain in the URL is
// replaced by the front domain for the purpose of the DNS lookup, TCP
......@@ -13,11 +15,15 @@
// Bridge line) or through command line options. SOCKS args take precedence
// per-connection over command line options. For example, this configuration
// using SOCKS args:
// Bridge meek 0.0.2.0:1 url=https://forbidden.example/ front=allowed.example
// ClientTransportPlugin meek exec ./meek-client
//
// Bridge meek 0.0.2.0:1 url=https://forbidden.example/ front=allowed.example
// ClientTransportPlugin meek exec ./meek-client
//
// is the same as this one using command line options:
// Bridge meek 0.0.2.0:1
// ClientTransportPlugin meek exec ./meek-client --url=https://forbidden.example/ --front=allowed.example
//
// Bridge meek 0.0.2.0:1
// ClientTransportPlugin meek exec ./meek-client --url=https://forbidden.example/ --front=allowed.example
//
// The command-line configuration interface is for compatibility with tor 0.2.4
// and older, which doesn't support parameters on Bridge lines.
//
......@@ -132,11 +138,11 @@ func makeRequest(buf []byte, info *RequestInfo) (*http.Request, error) {
body = bytes.NewReader(buf)
}
req, err := http.NewRequest("POST", info.URL.String(), body)
// Prevent Content-Type sniffing by net/http and middleboxes.
req.Header.Set("Content-Type", "application/octet-stream")
if err != nil {
return nil, err
}
// Prevent Content-Type sniffing by net/http and middleboxes.
req.Header.Set("Content-Type", "application/octet-stream")
if info.Host != "" {
req.Host = info.Host
}
......
......@@ -94,11 +94,10 @@ func dialUTLS(network, addr string, cfg *utls.Config, clientHelloID *utls.Client
//
// Can only be reused among servers which negotiate the same ALPN.
type UTLSRoundTripper struct {
sync.Mutex
clientHelloID *utls.ClientHelloID
config *utls.Config
proxyDialer proxy.Dialer
rtLock sync.Mutex
rt http.RoundTripper
// Transport for HTTP requests, which don't use uTLS.
......@@ -115,18 +114,18 @@ func (rt *UTLSRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)
return nil, fmt.Errorf("unsupported URL scheme %q", req.URL.Scheme)
}
rt.Lock()
defer rt.Unlock()
var err error
rt.rtLock.Lock()
if rt.rt == nil {
// On the first call, make an http.Transport or http2.Transport
// as appropriate.
var err error
rt.rt, err = makeRoundTripper(req.URL, rt.clientHelloID, rt.config, rt.proxyDialer)
if err != nil {
return nil, err
}
}
rt.rtLock.Unlock()
if err != nil {
return nil, err
}
// Forward the request to the internal http.Transport or http2.Transport.
return rt.rt.RoundTrip(req)
}
......@@ -265,15 +264,33 @@ var clientHelloIDMap = map[string]*utls.ClientHelloID{
"hellofirefox_56": &utls.HelloFirefox_56,
"hellofirefox_63": &utls.HelloFirefox_63,
"hellofirefox_65": &utls.HelloFirefox_65,
"hellofirefox_99": &utls.HelloFirefox_99,
"hellofirefox_102": &utls.HelloFirefox_102,
"hellofirefox_105": &utls.HelloFirefox_105,
"hellochrome_auto": &utls.HelloChrome_Auto,
"hellochrome_58": &utls.HelloChrome_58,
"hellochrome_62": &utls.HelloChrome_62,
"hellochrome_70": &utls.HelloChrome_70,
"hellochrome_72": &utls.HelloChrome_72,
"hellochrome_83": &utls.HelloChrome_83,
"hellochrome_87": &utls.HelloChrome_87,
"hellochrome_96": &utls.HelloChrome_96,
"hellochrome_100": &utls.HelloChrome_100,
"hellochrome_102": &utls.HelloChrome_102,
"helloios_auto": &utls.HelloIOS_Auto,
"helloios_11_1": &utls.HelloIOS_11_1,
"helloios_12_1": &utls.HelloIOS_12_1,
"helloios_13": &utls.HelloIOS_13,
"helloios_14": &utls.HelloIOS_14,
"helloedge_85": &utls.HelloEdge_85,
"hellosafari_16_0": &utls.HelloSafari_16_0,
"hello360_7_5": &utls.Hello360_7_5,
"helloqq_11_1": &utls.HelloQQ_11_1,
// omitting utls.HelloEdge_106
// omitting utls.Hello360_11_0
// https://github.com/refraction-networking/utls/pull/122#issue-1401840671
// "the specs based on Edge 106 and 360 11.0 seem to be incompatible with this library"
// omitting utls.HelloAndroid_11_OkHttp
}
func NewUTLSRoundTripper(name string, cfg *utls.Config, proxyURL *url.URL) (http.RoundTripper, error) {
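Review bot: The documentation updated in this same commit (the man page and the README list) advertises `HelloEdge_Auto`, `HelloSafari_Auto`, `Hello360_Auto` and `HelloQQ_Auto`, but none of those aliases appears among the clientHelloIDMap entries added here, even though `hellochrome_auto` and `helloios_auto` are present as explicit keys. Unless the missing aliases are defined in the part of the map outside this hunk, a user who passes one of the documented `_Auto` names for Edge, Safari, 360 or QQ will presumably be rejected by the lookup rather than getting the documented fingerprint. Adding entries of the form `"helloedge_auto": &utls.HelloEdge_Auto,` (and the analogous Safari, 360 and QQ lines) next to their versioned siblings would keep the map consistent with the man page. The map's opening line and the earlier Firefox entries are outside this hunk.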
......
......@@ -138,9 +138,6 @@ func TestUTLSClientHello(t *testing.T) {
func TestUTLSServerName(t *testing.T) {
const clientHelloIDName = "HelloFirefox_63"
// No ServerName, dial IP address. Results in an invalid server_name
// extension with a 0-length host_name. Not sure if that's what it
// should do, but check if the behavior ever changes.
rt, err := NewUTLSRoundTripper(clientHelloIDName, &utls.Config{InsecureSkipVerify: true}, nil)
if err != nil {
panic(err)
......@@ -149,8 +146,11 @@ func TestUTLSServerName(t *testing.T) {
if err != nil {
panic(err)
}
if !bytes.Contains(buf, []byte("\x00\x00\x00\x05\x00\x03\x00\x00\x00")) {
t.Errorf("expected 0-length server_name extension with no ServerName and IP address dial")
// Check that Compression Methods (length 0x01, contents 0x00) and the
// length field (0x18f) go right into the extended_master_secret
// extension (0x0017) without a server_name extension.
if !bytes.Contains(buf, []byte("\x01\x00\x01\x8f\x00\x17\x00\x00")) {
t.Errorf("expected no server_name extension with no ServerName and IP address dial")
}
// No ServerName, dial hostname. server_name extension should come from
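Review bot: The new assertion at the `bytes.Contains` line pins the ClientHello length field (`\x01\x8f`) together with the compression-methods and extended_master_secret bytes, so any future change to the HelloFirefox_63 fingerprint in utls fails this test even when the server_name behavior it is meant to check is unchanged. Consider either walking the extensions block and asserting that extension type 0x0000 is absent, or extending the comment to say that the 0x18f constant is tied to the HelloFirefox_63 spec shipped in utls v1.1.5, so the next person knows why it broke. TestUTLSServerName starts and ends outside this hunk.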
......
// certificate.go - Certificate management for meek-server.
//go:build go1.6
// +build go1.6
package main
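Review bot: The `//go:build go1.6` constraint added above `package main` is redundant: go.mod in this same commit declares `go 1.13`, so the file is compiled on every supported toolchain regardless of the tag. Dropping both the `//go:build go1.6` and `// +build go1.6` lines would be simpler than keeping the two forms in sync; if the tag is kept for historical reasons, a one-line comment such as `// Kept for compatibility with pre-1.13 build setups.` would explain it. This rendering does not show whether a blank line separates the constraint from `package main`; gofmt requires one for the constraint to take effect.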
......
......@@ -3,14 +3,19 @@
// data to a local OR port.
//
// Sample usage in torrc:
// ServerTransportListenAddr meek 0.0.0.0:443
// ServerTransportPlugin meek exec ./meek-server --acme-hostnames meek-server.example --acme-email admin@meek-server.example --log meek-server.log
//
// ServerTransportListenAddr meek 0.0.0.0:443
// ServerTransportPlugin meek exec ./meek-server --acme-hostnames meek-server.example --acme-email admin@meek-server.example --log meek-server.log
//
// Using your own TLS certificate:
// ServerTransportListenAddr meek 0.0.0.0:8443
// ServerTransportPlugin meek exec ./meek-server --cert cert.pem --key key.pem --log meek-server.log
//
// ServerTransportListenAddr meek 0.0.0.0:8443
// ServerTransportPlugin meek exec ./meek-server --cert cert.pem --key key.pem --log meek-server.log
//
// Plain HTTP usage:
// ServerTransportListenAddr meek 0.0.0.0:8080
// ServerTransportPlugin meek exec ./meek-server --disable-tls --log meek-server.log
//
// ServerTransportListenAddr meek 0.0.0.0:8080
// ServerTransportPlugin meek exec ./meek-server --disable-tls --log meek-server.log
//
// The server runs in HTTPS mode by default, getting certificates from Let's
// Encrypt automatically. The server opens an auxiliary ACME listener on port 80
......@@ -44,7 +49,7 @@ import (
)
const (
programVersion = "0.37.0"
programVersion = "0.38.0"
ptMethodName = "meek"
// Reject session ids shorter than this, as a weak defense against
......