common

package
v0.0.0-...-9e90a31 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 16, 2024 License: GPL-3.0 Imports: 49 Imported by: 0

Documentation

Index

Constants

View Source
const IsRaceDetectorEnabled = false
View Source
const RFC3339Milli = "2006-01-02T15:04:05.000Z07:00"
View Source
const UDP_PACKET_WRITE_TIMEOUT = 1 * time.Second

Variables

This section is empty.

Functions

func Compress

func Compress(data []byte) []byte

Compress returns zlib compressed data

func Contains

func Contains(list []string, target string) bool

Contains is a helper function that returns true if the target string is in the list.

func ContainsAny

func ContainsAny(list, targets []string) bool

ContainsAny returns true if any string in targets is present in the list.

func ContainsInt

func ContainsInt(list []int, target int) bool

ContainsInt returns true if the target int is in the list.

func ContainsWildcard

func ContainsWildcard(patterns []string, target string) bool

ContainsWildcard returns true if target matches any of the patterns. Patterns may contain the '*' wildcard.

func CopyBuffer

func CopyBuffer(dst io.Writer, src io.Reader, buf []byte) (written int64, err error)

CopyBuffer calls io.CopyBuffer, masking out any src.WriteTo or dst.ReadFrom to force use of the specified buf.

func CopyNBuffer

func CopyNBuffer(dst io.Writer, src io.Reader, n int64, buf []byte) (written int64, err error)

func Decompress

func Decompress(data []byte) ([]byte, error)

Decompress returns zlib decompressed data

func EscapeRedactIPAddressString

func EscapeRedactIPAddressString(address string) string

EscapeRedactIPAddressString escapes the IP or IP:port addresses in the input in such a way that they won't be redacted when part of the input to RedactIPAddresses.

The escape encoding is not guaranteed to be reversable or suitable for machine processing; the goal is to simply ensure the original value is human readable.

func FileExists

func FileExists(filePath string) bool

FileExists returns true if a file, or directory, exists at the given path.

func FormatByteCount

func FormatByteCount(bytes uint64) string

FormatByteCount returns a string representation of the specified byte count in conventional, human-readable format.

func GenerateAuthenticatedDataPackageKeys

func GenerateAuthenticatedDataPackageKeys() (string, string, error)

GenerateAuthenticatedDataPackageKeys generates a key pair be used to sign and verify AuthenticatedDataPackages.

func GenerateWebServerCertificate

func GenerateWebServerCertificate(hostname string) (string, string, string, error)

GenerateWebServerCertificate creates a self-signed web server certificate, using the specified host name. The host name is used as the subject common name and a SAN DNS name.

This is primarily intended for use by MeekServer to generate on-the-fly, self-signed TLS certificates for fronted HTTPS mode. In this case, the nature of the certificate is non-circumvention; it only has to be acceptable to the front CDN making connections to meek. The same certificates are used for unfronted HTTPS meek. In this case, the certificates may be a fingerprint used to detect Psiphon servers or traffic. TODO: more effort to mitigate fingerprinting these certificates.

In addition, GenerateWebServerCertificate is used by GenerateConfig to create Psiphon web server certificates for test/example configurations. If these Psiphon web server certificates are used in production, the same caveats about fingerprints apply.

The verification pin return value is a hash of the certificate public key which is compatible with FrontingSpec.VerifyPins, and is intended for use in testing.

func GetCurrentTimestamp

func GetCurrentTimestamp() string

GetCurrentTimestamp returns the current time in UTC as an RFC 3339 formatted string.

func GetInterfaceIPAddresses

func GetInterfaceIPAddresses(interfaceName string) (net.IP, net.IP, error)

GetInterfaceIPAddresses takes an interface name, such as "eth0", and returns the first non-link local IPv4 and IPv6 addresses associated with it. Either of the IPv4 or IPv6 address may be nil. If neither type of address is found, an error is returned.

func GetRoutableInterfaceIPAddresses

func GetRoutableInterfaceIPAddresses() (net.IP, net.IP, error)

GetRoutableInterfaceIPAddresses returns GetInterfaceIPAddresses values for the first non-loopback, non-point-to-point network interface on the host that has an IP address.

func GetStringSlice

func GetStringSlice(value interface{}) ([]string, bool)

GetStringSlice converts an interface{} which is of type []interace{}, and with the type of each element a string, to []string.

func IPAddressFromAddr

func IPAddressFromAddr(addr net.Addr) string

IPAddressFromAddr is a helper which extracts an IP address from a net.Addr or returns "" if there is no IP address.

func IsBogon

func IsBogon(IP net.IP) bool

IsBogon checks if the specified IP is a bogon (loopback, private addresses, link-local addresses, etc.)

func MakeSecureRandomBytes

func MakeSecureRandomBytes(length int) ([]byte, error)

MakeSecureRandomBytes is a helper function that wraps crypto/rand.Read.

func MergeContextCancel

func MergeContextCancel(ctx, cancelCtx context.Context) (context.Context, context.CancelFunc)

MergeContextCancel returns a context which has the properties of the 1st input content and merges in the cancellation signal of the 2nd context, so the returned context is cancelled when either input context is cancelled.

See (and adapted from): https://pkg.go.dev/context#example-AfterFunc-Merge

func NewAuthenticatedDataPackageReader

func NewAuthenticatedDataPackageReader(
	dataPackage io.ReadSeeker, signingPublicKey string) (io.Reader, error)

NewAuthenticatedDataPackageReader extracts and verifies authenticated data from an AuthenticatedDataPackage stored in the specified file. The package must have been signed with the given key. NewAuthenticatedDataPackageReader does not load the entire package nor the entire data into memory. It streams the package while verifying, and returns an io.Reader that the caller may use to stream the authenticated data payload.

func ParseDNSQuestion

func ParseDNSQuestion(request []byte) (string, error)

ParseDNSQuestion parses a DNS message. When the message is a query, the first question, a fully-qualified domain name, is returned.

For other valid DNS messages, "" is returned. An error is returned only for invalid DNS messages.

Limitations:

  • Only the first Question field is extracted.
  • ParseDNSQuestion only functions for plaintext DNS and cannot extract domains from DNS-over-TLS/HTTPS, etc.

func PortFromAddr

func PortFromAddr(addr net.Addr) int

PortFromAddr is a helper which extracts a port number from a net.Addr or returns 0 if there is no port number.

func ReadAuthenticatedDataPackage

func ReadAuthenticatedDataPackage(
	dataPackage []byte, isCompressed bool, signingPublicKey string) (string, error)

ReadAuthenticatedDataPackage extracts and verifies authenticated data from an AuthenticatedDataPackage. The package must have been signed with the given key.

Set isCompressed to false to read packages that are not compressed.

func RedactFilePaths

func RedactFilePaths(s string, filePaths ...string) string

RedactFilePaths returns a copy of the input with all file paths replaced by "[redacted]". First any occurrences of the provided file paths are replaced and then an attempt is made to replace any other file paths by searching with a heuristic. The latter is a best effort attempt it is not guaranteed that it will catch every file path.

func RedactFilePathsError

func RedactFilePathsError(err error, filePaths ...string) error

RedactFilePathsError is RedactFilePaths for errors.

func RedactIPAddresses

func RedactIPAddresses(b []byte) []byte

RedactIPAddresses returns a copy of the input with all IP addresses (and optional ports) replaced by "[redacted]". This is intended to be used to redact addresses from "net" package I/O error messages and otherwise avoid inadvertently recording direct server IPs via error message logs; and, in metrics, to reduce the error space due to superfluous source port data.

RedactIPAddresses uses a simple regex match which liberally matches IP address-like patterns and will match invalid addresses; for example, it will match port numbers greater than 65535. We err on the side of redaction and are not as concerned, in this context, with false positive matches. If a user configures an upstream proxy address with an invalid IP or port value, we prefer to redact it.

See the redactIPAddressAndPortRegex comment for some uncommon IP address representations that are not matched.

func RedactIPAddressesString

func RedactIPAddressesString(s string) string

RedactIPAddressesString is RedactIPAddresses for strings.

func RedactNetError

func RedactNetError(err error) error

RedactNetError removes network address information from a "net" package error message. Addresses may be domains or IP addresses.

Limitations: some non-address error context can be lost; this function makes assumptions about how the Go "net" package error messages are formatted and will fail to redact network addresses if this assumptions become untrue.

func RedactURLError

func RedactURLError(err error) error

RedactURLError transforms an error, when it is a url.Error, removing the URL value. This is to avoid logging private user data in cases where the URL may be a user input value. This function is used with errors returned by net/http and net/url, which are (currently) of type url.Error. In particular, the round trip function used by our HttpProxy, http.Client.Do, returns errors of type url.Error, with the URL being the url sent from the user's tunneled applications: https://github.com/golang/go/blob/release-branch.go1.4/src/net/http/client.go#L394

func RunNetworkConfigCommand

func RunNetworkConfigCommand(
	logger Logger,
	useSudo bool,
	commandName string, commandArgs ...string) error

RunNetworkConfigCommand execs a network config command, such as "ifconfig" or "iptables". On platforms that support capabilities, the network config capabilities of the current process is made available to the command subprocess. Alternatively, "sudo" will be used when useSudo is true.

func SafeParseRequestURI

func SafeParseRequestURI(rawurl string) (*url.URL, error)

SafeParseRequestURI wraps url.ParseRequestURI, stripping the input URL from any error message. This allows logging url.ParseRequestURI errors without unintentially logging PII that may appear in the input URL.

func SafeParseURL

func SafeParseURL(rawurl string) (*url.URL, error)

SafeParseURL wraps url.Parse, stripping the input URL from any error message. This allows logging url.Parse errors without unintentially logging PII that may appear in the input URL.

func SleepWithContext

func SleepWithContext(ctx context.Context, duration time.Duration)

SleepWithContext returns after the specified duration or once the input ctx is done, whichever is first.

func SleepWithJitter

func SleepWithJitter(ctx context.Context, duration time.Duration, jitter float64)

SleepWithJitter returns after the specified duration, with random jitter applied, or once the input ctx is done, whichever is first.

func TerminateHTTPConnection

func TerminateHTTPConnection(
	responseWriter http.ResponseWriter, request *http.Request)

TerminateHTTPConnection sends a 404 response to a client and also closes the persistent connection.

func TruncateTimestampToHour

func TruncateTimestampToHour(timestamp string) string

TruncateTimestampToHour truncates an RFC 3339 formatted string to hour granularity. If the input is not a valid format, the result is "".

func ValueOrDefault

func ValueOrDefault[T comparable](value, defaultValue T) T

ValueOrDefault returns the input value, or, when value is the zero value of its type, defaultValue.

func WriteAuthenticatedDataPackage

func WriteAuthenticatedDataPackage(
	data string, signingPublicKey, signingPrivateKey string) ([]byte, error)

WriteAuthenticatedDataPackage creates an AuthenticatedDataPackage containing the specified data and signed by the given key. The output conforms with the legacy format here: https://bitbucket.org/psiphon/psiphon-circumvention-system/src/c25d080f6827b141fe637050ce0d5bd0ae2e9db5/Automation/psi_ops_crypto_tools.py

func WriteRuntimeProfiles

func WriteRuntimeProfiles(
	logger Logger,
	outputDirectory string,
	filenameSuffix string,
	blockSampleDurationSeconds int,
	cpuSampleDurationSeconds int)

WriteRuntimeProfiles writes Go runtime profile information to a set of files in the specified output directory. The profiles include "heap", "goroutine", and other selected profiles from: https://golang.org/pkg/runtime/pprof/#Profile.

The SampleDurationSeconds inputs determine how long to wait and sample profiles that require active sampling. When set to 0, these profiles are skipped.

Types

type APIParameterLogFieldFormatter

type APIParameterLogFieldFormatter func(GeoIPData, APIParameters) LogFields

APIParameterLogFieldFormatter is a function that returns formatted LogFields containing the given GeoIPData and APIParameters.

type APIParameterValidator

type APIParameterValidator func(APIParameters) error

APIParameterValidator is a function that validates API parameters for a particular request or context.

type APIParameters

type APIParameters map[string]interface{}

APIParameters is a set of API parameter values, typically received from a Psiphon client and used/logged by the Psiphon server. The values are of varying types: strings, ints, arrays, structs, etc.

func (APIParameters) Add

func (a APIParameters) Add(b APIParameters)

Add copies API parameters from b to a, skipping parameters which already exist, regardless of value, in a.

type ActivityMonitoredConn

type ActivityMonitoredConn struct {
	net.Conn
	// contains filtered or unexported fields
}

ActivityMonitoredConn wraps a net.Conn, adding logic to deal with events triggered by I/O activity.

ActivityMonitoredConn uses lock-free concurrency synronization, avoiding an additional mutex resource, making it suitable for wrapping many net.Conns (e.g, each Psiphon port forward).

When an inactivity timeout is specified, the network I/O will timeout after the specified period of read inactivity. Optionally, for the purpose of inactivity only, ActivityMonitoredConn will also consider the connection active when data is written to it.

When a LRUConnsEntry is specified, then the LRU entry is promoted on either a successful read or write.

When an ActivityUpdater is set, then its UpdateActivity method is called on each read and write with the number of bytes transferred. The durationNanoseconds, which is the time since the last read, is reported only on reads.

func NewActivityMonitoredConn

func NewActivityMonitoredConn(
	conn net.Conn,
	inactivityTimeout time.Duration,
	activeOnWrite bool,
	lruEntry *LRUConnsEntry,
	activityUpdaters ...ActivityUpdater) (*ActivityMonitoredConn, error)

NewActivityMonitoredConn creates a new ActivityMonitoredConn.

func (*ActivityMonitoredConn) GetActiveDuration

func (conn *ActivityMonitoredConn) GetActiveDuration() time.Duration

GetActiveDuration returns the time elapsed between the initialization of the ActivityMonitoredConn and the last Read. Only reads are used for this calculation since writes may succeed locally due to buffering.

func (*ActivityMonitoredConn) GetStartTime

func (conn *ActivityMonitoredConn) GetStartTime() time.Time

GetStartTime gets the time when the ActivityMonitoredConn was initialized. Reported time is UTC.

func (*ActivityMonitoredConn) IsClosed

func (conn *ActivityMonitoredConn) IsClosed() bool

IsClosed implements the Closer iterface. The return value indicates whether the underlying conn has been closed.

func (*ActivityMonitoredConn) Read

func (conn *ActivityMonitoredConn) Read(buffer []byte) (int, error)

func (*ActivityMonitoredConn) Write

func (conn *ActivityMonitoredConn) Write(buffer []byte) (int, error)

type ActivityUpdater

type ActivityUpdater interface {
	UpdateProgress(bytesRead, bytesWritten, durationNanoseconds int64)
}

ActivityUpdater defines an interface for receiving updates for ActivityMonitoredConn activity. Values passed to UpdateProgress are bytes transferred and conn duration since the previous UpdateProgress.

type AuthenticatedDataPackage

type AuthenticatedDataPackage struct {
	Data                   string `json:"data"`
	SigningPublicKeyDigest []byte `json:"signingPublicKeyDigest"`
	Signature              []byte `json:"signature"`
}

AuthenticatedDataPackage is a JSON record containing some Psiphon data payload, such as list of Psiphon server entries. As it may be downloaded from various sources, it is digitally signed so that the data may be authenticated.

type BurstMonitoredConn

type BurstMonitoredConn struct {
	net.Conn
	// contains filtered or unexported fields
}

BurstMonitoredConn wraps a net.Conn and monitors for data transfer bursts. Upstream (read) and downstream (write) bursts are tracked independently.

A burst is defined as a transfer of "target" bytes, possibly across multiple I/O operations, where the total time elapsed does not exceed "deadline". Both a non-zero deadline and theshold must be set to enable monitoring. Four bursts are reported: the first, the last, the min (by rate) and max.

The burst monitoring is heuristical in nature and may not capture all bursts. The reported rates will be more accurate for larger target values and shorter deadlines, but these settings may fail to register bursts on slower connections. Tune the deadline/target as required. The threshold should be set to account for buffering (e.g, the local host socket send/receive buffer) but this is not enforced by BurstMonitoredConn.

Overhead: BurstMonitoredConn adds mutexes but does not use timers.

func NewBurstMonitoredConn

func NewBurstMonitoredConn(
	conn net.Conn,
	isServer bool,
	upstreamTargetBytes int64,
	upstreamDeadline time.Duration,
	downstreamTargetBytes int64,
	downstreamDeadline time.Duration) *BurstMonitoredConn

NewBurstMonitoredConn creates a new BurstMonitoredConn.

func (*BurstMonitoredConn) GetMetrics

func (conn *BurstMonitoredConn) GetMetrics(baseTime time.Time) LogFields

GetMetrics returns log fields with burst metrics for the first, last, min (by rate), and max bursts for this conn. Time/duration values are reported in milliseconds. Rate is reported in bytes per second.

func (*BurstMonitoredConn) IsClosed

func (conn *BurstMonitoredConn) IsClosed() bool

IsClosed implements the Closer iterface. The return value indicates whether the underlying conn has been closed.

func (*BurstMonitoredConn) Read

func (conn *BurstMonitoredConn) Read(buffer []byte) (int, error)

func (*BurstMonitoredConn) Write

func (conn *BurstMonitoredConn) Write(buffer []byte) (int, error)

type CloseWriter

type CloseWriter interface {
	CloseWrite() error
}

CloseWriter defines the interface to a type, typically a net.TCPConn, that implements CloseWrite.

type Closer

type Closer interface {
	IsClosed() bool
}

Closer defines the interface to a type, typically a net.Conn, that can be closed.

type Conns

type Conns[T interface {
	comparable
	io.Closer
}] struct {
	// contains filtered or unexported fields
}

Conns is a synchronized list of Conns that is used to coordinate interrupting a set of goroutines establishing connections, or close a set of open connections, etc. Once the list is closed, no more items may be added to the list (unless it is reset).

func NewConns

func NewConns[T interface {
	comparable
	io.Closer
}]() *Conns[T]

NewConns initializes a new Conns.

func (*Conns[T]) Add

func (conns *Conns[T]) Add(conn T) bool

func (*Conns[T]) CloseAll

func (conns *Conns[T]) CloseAll()

func (*Conns[T]) IsClosed

func (conns *Conns[T]) IsClosed() bool

func (*Conns[T]) Remove

func (conns *Conns[T]) Remove(conn T)

func (*Conns[T]) Reset

func (conns *Conns[T]) Reset()

type Dialer

type Dialer func(context.Context, string, string) (net.Conn, error)

Dialer is a custom network dialer.

type FragmentorAccessor

type FragmentorAccessor interface {
	SetReplay(*prng.PRNG)
	GetReplay() (*prng.Seed, bool)
	StopFragmenting()
}

FragmentorAccessor defines the interface for accessing properties of a fragmentor Conn.

type GeoIPData

type GeoIPData struct {
	Country string
	City    string
	ISP     string
	ASN     string
	ASO     string
}

GeoIPData is type-compatible with psiphon/server.GeoIPData.

type HTTPRoundTripper

type HTTPRoundTripper struct {
	// contains filtered or unexported fields
}

HTTPRoundTripper is an adapter that allows using a function as a http.RoundTripper.

func NewHTTPRoundTripper

func NewHTTPRoundTripper(
	roundTrip func(*http.Request) (*http.Response, error)) *HTTPRoundTripper

NewHTTPRoundTripper creates a new HTTPRoundTripper, using the specified roundTrip function for HTTP round trips.

func (HTTPRoundTripper) RoundTrip

func (h HTTPRoundTripper) RoundTrip(request *http.Request) (*http.Response, error)

RoundTrip implements http.RoundTripper RoundTrip.

type IrregularIndicator

type IrregularIndicator interface {
	IrregularTunnelError() error
}

IrregularIndicator defines the interface for a type, typically a net.Conn, that detects and reports irregular conditions during initial network connection establishment.

type LRUConns

type LRUConns struct {
	// contains filtered or unexported fields
}

LRUConns is a concurrency-safe list of net.Conns ordered by recent activity. Its purpose is to facilitate closing the oldest connection in a set of connections.

New connections added are referenced by a LRUConnsEntry, which is used to Touch() active connections, which promotes them to the front of the order and to Remove() connections that are no longer LRU candidates.

CloseOldest() will remove the oldest connection from the list and call net.Conn.Close() on the connection.

After an entry has been removed, LRUConnsEntry Touch() and Remove() will have no effect.

func NewLRUConns

func NewLRUConns() *LRUConns

NewLRUConns initializes a new LRUConns.

func (*LRUConns) Add

func (conns *LRUConns) Add(conn net.Conn) *LRUConnsEntry

Add inserts a net.Conn as the freshest connection in a LRUConns and returns an LRUConnsEntry to be used to freshen the connection or remove the connection from the LRU list.

func (*LRUConns) CloseOldest

func (conns *LRUConns) CloseOldest()

CloseOldest closes the oldest connection in a LRUConns. It calls net.Conn.Close() on the connection.

type LRUConnsEntry

type LRUConnsEntry struct {
	// contains filtered or unexported fields
}

LRUConnsEntry is an entry in a LRUConns list.

func (*LRUConnsEntry) Remove

func (entry *LRUConnsEntry) Remove()

Remove deletes the connection referenced by the LRUConnsEntry from the associated LRUConns. Has no effect if the entry was not initialized or previously removed.

func (*LRUConnsEntry) Touch

func (entry *LRUConnsEntry) Touch()

Touch promotes the connection referenced by the LRUConnsEntry to the front of the associated LRUConns. Has no effect if the entry was not initialized or previously removed.

type LogFields

type LogFields map[string]interface{}

LogFields is type-compatible with psiphon/server.LogFields and logrus.LogFields.

func (LogFields) Add

func (a LogFields) Add(b LogFields)

Add copies log fields from b to a, skipping fields which already exist, regardless of value, in a.

type LogTrace

type LogTrace interface {
	Debug(args ...interface{})
	Info(args ...interface{})
	Warning(args ...interface{})
	Error(args ...interface{})
}

LogTrace is interface-compatible with the return values from psiphon/server.TraceLogger.WitTrace/WithTraceFields.

type Logger

type Logger interface {
	WithTrace() LogTrace
	WithTraceFields(fields LogFields) LogTrace
	LogMetric(metric string, fields LogFields)

	// IsLogLevelDebug is used to skip formatting debug-level log messages in
	// cases where performance would be impacted.
	IsLogLevelDebug() bool
}

Logger exposes a logging interface that's compatible with psiphon/server.TraceLogger. This interface allows packages to implement logging that will integrate with psiphon/server without importing that package. Other implementations of Logger may also be provided.

type MetricsSource

type MetricsSource interface {

	// GetMetrics returns a LogFields populated with metrics from the
	// MetricsSource.
	GetMetrics() LogFields
}

MetricsSource is an object that provides metrics to be logged.

type NetDialer

type NetDialer interface {
	Dial(network, address string) (net.Conn, error)
	DialContext(ctx context.Context, network, address string) (net.Conn, error)
}

NetDialer mimicks the net.Dialer interface.

type NoticeMetricsSource

type NoticeMetricsSource interface {

	// GetNoticeMetrics returns a LogFields populated with metrics from
	// the NoticeMetricsSource.
	GetNoticeMetrics() LogFields
}

NoticeMetricsSource is an object that provides metrics to be logged only in notices, for inclusion in diagnostics.

type PortList

type PortList struct {
	// contains filtered or unexported fields
}

PortList provides a lookup for a configured list of IP ports and port ranges. PortList is intended for use with JSON config files and is initialized via UnmarshalJSON.

A JSON port list field should look like:

"FieldName": [1, 2, 3, [10, 20], [30, 40]]

where the ports in the list are 1, 2, 3, 10-20, 30-40. UnmarshalJSON validates that each port is in the range 1-65535 and that ranges have two elements in increasing order. PortList is designed to be backwards compatible with existing JSON config files where port list fields were defined as `[]int`.

func (*PortList) IsEmpty

func (p *PortList) IsEmpty() bool

IsEmpty returns true for a nil PortList or a PortList with no entries.

func (*PortList) Lookup

func (p *PortList) Lookup(port int) bool

Lookup returns true if the specified port is in the port list and false otherwise. Lookups on a nil PortList are allowed and return false.

func (*PortList) MarshalJSON

func (p *PortList) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

func (*PortList) OptimizeLookups

func (p *PortList) OptimizeLookups()

OptimizeLookups converts the internal port list representation to use a map, which increases the performance of lookups for longer lists with an increased memory footprint tradeoff. OptimizeLookups is not safe to use concurrently with Lookup and should be called immediately after UnmarshalJSON and before performing lookups.

func (*PortList) UnmarshalJSON

func (p *PortList) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.

type RateLimits

type RateLimits struct {

	// ReadUnthrottledBytes specifies the number of bytes to
	// read, approximately, before starting rate limiting.
	ReadUnthrottledBytes int64

	// ReadBytesPerSecond specifies a rate limit for read
	// data transfer. The default, 0, is no limit.
	ReadBytesPerSecond int64

	// WriteUnthrottledBytes specifies the number of bytes to
	// write, approximately, before starting rate limiting.
	WriteUnthrottledBytes int64

	// WriteBytesPerSecond specifies a rate limit for write
	// data transfer. The default, 0, is no limit.
	WriteBytesPerSecond int64

	// CloseAfterExhausted indicates that the underlying
	// net.Conn should be closed once either the read or
	// write unthrottled bytes have been exhausted. In this
	// case, throttling is never applied.
	CloseAfterExhausted bool
}

RateLimits specify the rate limits for a ThrottledConn.

type ReloadableFile

type ReloadableFile struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

ReloadableFile is a file-backed Reloader. This type is intended to be embedded in other types that add the actual reloadable data structures.

ReloadableFile has a multi-reader mutex for synchronization. Its Reload() function will obtain a write lock before reloading the data structures. The actual reloading action is to be provided via the reloadAction callback, which receives the content of reloaded files, along with file modification time, and must process the new data (for example, unmarshall the contents into data structures). All read access to the data structures should be guarded by RLocks on the ReloadableFile mutex.

reloadAction must ensure that data structures revert to their previous state when a reload fails.

func NewReloadableFile

func NewReloadableFile(
	filename string,
	loadFileContent bool,
	reloadAction func([]byte, time.Time) error) ReloadableFile

NewReloadableFile initializes a new ReloadableFile.

When loadFileContent is true, the file content is loaded and passed to reloadAction; otherwise, reloadAction receives a nil argument and is responsible for loading the file. The latter option allows for cases where the file contents must be streamed, memory mapped, etc.

func (*ReloadableFile) LogDescription

func (reloadable *ReloadableFile) LogDescription() string

func (*ReloadableFile) Reload

func (reloadable *ReloadableFile) Reload() (bool, error)

Reload checks if the underlying file has changed and, when changed, invokes the reloadAction callback which should reload the in-memory data structures.

In some case (e.g., traffic rules and OSL), there are penalties associated with proceeding with reload, so care is taken to not invoke the reload action unless the contents have changed.

The file content is loaded and a checksum is taken to determine whether it has changed. Neither file size (may not change when content changes) nor modified date (may change when identical file is repaved) is a sufficient indicator.

All data structure readers should be blocked by the ReloadableFile mutex.

Reload must not be called from multiple concurrent goroutines.

func (*ReloadableFile) WillReload

func (reloadable *ReloadableFile) WillReload() bool

WillReload indicates whether the ReloadableFile is capable of reloading.

type Reloader

type Reloader interface {

	// Reload reloads the data object. Reload returns a flag indicating if the
	// reloadable target has changed and reloaded or remains unchanged. By
	// convention, when reloading fails the Reloader should revert to its previous
	// in-memory state.
	Reload() (bool, error)

	// WillReload indicates if the data object is capable of reloading.
	WillReload() bool

	// LogDescription returns a description to be used for logging
	// events related to the Reloader.
	LogDescription() string
}

Reloader represents a read-only, in-memory reloadable data object. For example, a JSON data file that is loaded into memory and accessed for read-only lookups; and from time to time may be reloaded from the same file, updating the memory copy.

type SubnetLookup

type SubnetLookup []net.IPNet

SubnetLookup provides an efficient lookup for individual IPv4 addresses within a list of subnets.

func NewSubnetLookup

func NewSubnetLookup(CIDRs []string) (SubnetLookup, error)

NewSubnetLookup creates a SubnetLookup from a list of subnet CIDRs.

func NewSubnetLookupFromRoutes

func NewSubnetLookupFromRoutes(routesData []byte) (SubnetLookup, error)

NewSubnetLookupFromRoutes creates a SubnetLookup from text routes data. The input format is expected to be text lines where each line is, e.g., "1.2.3.0\t255.255.255.0\n"

func (SubnetLookup) ContainsIPAddress

func (lookup SubnetLookup) ContainsIPAddress(addr net.IP) bool

ContainsIPAddress performs a binary search on the sorted subnet list to find a network containing the candidate IP address.

func (SubnetLookup) Len

func (lookup SubnetLookup) Len() int

Len implements Sort.Interface

func (SubnetLookup) Less

func (lookup SubnetLookup) Less(i, j int) bool

Less implements Sort.Interface

func (SubnetLookup) Swap

func (lookup SubnetLookup) Swap(i, j int)

Swap implements Sort.Interface

type TLSClientSessionCacheWrapper

type TLSClientSessionCacheWrapper struct {
	tls.ClientSessionCache
	// contains filtered or unexported fields
}

TLSClientSessionCacheWrapper is a wrapper around tls.ClientSessionCache that provides a hard-coded key for the cache. It implements the TLSClientSessionCacheWrapper interface.

func WrapClientSessionCache

func WrapClientSessionCache(
	cache tls.ClientSessionCache,
	hardCodedSessionKey string,
) *TLSClientSessionCacheWrapper

WrapClientSessionCache wraps a tls.ClientSessionCache with an alternative key, ignoring the SNI-based key that crypto/tls passes to Put/Get, which may be incompatible with SNI obfuscation transforms.

func (*TLSClientSessionCacheWrapper) Get

func (*TLSClientSessionCacheWrapper) Put

func (*TLSClientSessionCacheWrapper) RemoveCacheEntry

func (c *TLSClientSessionCacheWrapper) RemoveCacheEntry()

type ThrottledConn

type ThrottledConn struct {
	net.Conn
	// contains filtered or unexported fields
}

ThrottledConn wraps a net.Conn with read and write rate limiters. Rates are specified as bytes per second. Optional unlimited byte counts allow for a number of bytes to read or write before applying rate limiting. Specify limit values of 0 to set no rate limit (unlimited counts are ignored in this case). The underlying rate limiter uses the token bucket algorithm to calculate delay times for read and write operations.

func NewThrottledConn

func NewThrottledConn(
	conn net.Conn, isStream bool, limits RateLimits) *ThrottledConn

NewThrottledConn initializes a new ThrottledConn.

Set isStreamConn to true when conn is stream-oriented, such as TCP, and false when the conn is packet-oriented, such as UDP. When conn is a stream, reads and writes may be split to accomodate rate limits.

func (*ThrottledConn) Close

func (conn *ThrottledConn) Close() error

func (*ThrottledConn) Read

func (conn *ThrottledConn) Read(buffer []byte) (int, error)

func (*ThrottledConn) SetLimits

func (conn *ThrottledConn) SetLimits(limits RateLimits)

SetLimits modifies the rate limits of an existing ThrottledConn. It is safe to call SetLimits while other goroutines are calling Read/Write. This function will not block, and the new rate limits will be applied within Read/Write, but not necessarily until some further I/O at previous rates.

func (*ThrottledConn) Write

func (conn *ThrottledConn) Write(buffer []byte) (int, error)

type UnderlyingTCPAddrSource

type UnderlyingTCPAddrSource interface {

	// GetUnderlyingTCPAddrs returns the LocalAddr and RemoteAddr properties of
	// the underlying TCP conn.
	GetUnderlyingTCPAddrs() (*net.TCPAddr, *net.TCPAddr, bool)
}

UnderlyingTCPAddrSource defines the interface for a type, typically a net.Conn, such as a server meek Conn, which has an underlying TCP conn(s), providing access to the LocalAddr and RemoteAddr properties of the underlying TCP conn.

type UtlsClientSessionCacheWrapper

type UtlsClientSessionCacheWrapper struct {
	utls.ClientSessionCache
	// contains filtered or unexported fields
}

UtlClientSessionCacheWrapper is a wrapper around utls.ClientSessionCache that provides a hard-coded key for the cache. It implements the TLSClientSessionCacheWrapper interface.

func WrapUtlsClientSessionCache

func WrapUtlsClientSessionCache(
	cache utls.ClientSessionCache,
	hardCodedSessionKey string,
) *UtlsClientSessionCacheWrapper

WrapUtlsClientSessionCache wraps a utls.ClientSessionCache with an alternative key, ignoring the SNI-based key that crypto/tls passes to Put/Get, which may be incompatible with SNI obfuscation transforms.

func (*UtlsClientSessionCacheWrapper) Get

func (*UtlsClientSessionCacheWrapper) Put

func (*UtlsClientSessionCacheWrapper) RemoveCacheEntry

func (c *UtlsClientSessionCacheWrapper) RemoveCacheEntry()

type WriteTimeoutPacketConn

type WriteTimeoutPacketConn struct {
	net.PacketConn
}

WriteTimeoutPacketConn is the equivilent of WriteTimeoutUDPConn for non-*net.UDPConns.

func (*WriteTimeoutPacketConn) GetMetrics

func (conn *WriteTimeoutPacketConn) GetMetrics() LogFields

GetMetrics implements the common.MetricsSource interface.

func (*WriteTimeoutPacketConn) WriteTo

func (conn *WriteTimeoutPacketConn) WriteTo(b []byte, addr net.Addr) (int, error)

type WriteTimeoutUDPConn

type WriteTimeoutUDPConn struct {
	*net.UDPConn
}

WriteTimeoutUDPConn sets write deadlines before each UDP packet write.

Generally, a UDP packet write doesn't block. However, Go's internal/poll.FD.WriteMsg continues to loop when syscall.SendmsgN fails with EAGAIN, which indicates that an OS socket buffer is currently full; in certain OS states this may cause WriteMsgUDP/etc. to block indefinitely. In this scenario, we want to instead behave as if the packet were dropped, so we set a write deadline which will eventually interrupt any EAGAIN loop.

func (*WriteTimeoutUDPConn) Write

func (conn *WriteTimeoutUDPConn) Write(b []byte) (int, error)

func (*WriteTimeoutUDPConn) WriteMsgUDP

func (conn *WriteTimeoutUDPConn) WriteMsgUDP(b, oob []byte, addr *net.UDPAddr) (int, int, error)

func (*WriteTimeoutUDPConn) WriteMsgUDPAddrPort

func (conn *WriteTimeoutUDPConn) WriteMsgUDPAddrPort(b, oob []byte, addr netip.AddrPort) (int, int, error)

func (*WriteTimeoutUDPConn) WriteTo

func (conn *WriteTimeoutUDPConn) WriteTo(b []byte, addr net.Addr) (int, error)

func (*WriteTimeoutUDPConn) WriteToUDP

func (conn *WriteTimeoutUDPConn) WriteToUDP(b []byte, addr *net.UDPAddr) (int, error)

func (*WriteTimeoutUDPConn) WriteToUDPAddrPort

func (conn *WriteTimeoutUDPConn) WriteToUDPAddrPort(b []byte, addr netip.AddrPort) (int, error)

Directories

Path Synopsis
Package accesscontrol implements an access control authorization scheme based on digital signatures.
Package accesscontrol implements an access control authorization scheme based on digital signatures.
crypto
internal/poly1305
Package poly1305 implements Poly1305 one-time message authentication code as specified in https://cr.yp.to/mac/poly1305-20050329.pdf.
Package poly1305 implements Poly1305 one-time message authentication code as specified in https://cr.yp.to/mac/poly1305-20050329.pdf.
internal/subtle
Package subtle implements functions that are often useful in cryptographic code but require careful thought to use correctly.
Package subtle implements functions that are often useful in cryptographic code but require careful thought to use correctly.
nacl/secretbox
Package secretbox encrypts and authenticates small messages.
Package secretbox encrypts and authenticates small messages.
ssh
Package ssh implements an SSH client and server.
Package ssh implements an SSH client and server.
ssh/agent
Package agent implements the ssh-agent protocol, and provides both a client and a server.
Package agent implements the ssh-agent protocol, and provides both a client and a server.
ssh/internal/bcrypt_pbkdf
Package bcrypt_pbkdf implements bcrypt_pbkdf(3) from OpenBSD.
Package bcrypt_pbkdf implements bcrypt_pbkdf(3) from OpenBSD.
ssh/knownhosts
Package knownhosts implements a parser for the OpenSSH known_hosts host key database, and provides utility functions for writing OpenSSH compliant known_hosts files.
Package knownhosts implements a parser for the OpenSSH known_hosts host key database, and provides utility functions for writing OpenSSH compliant known_hosts files.
ssh/terminal
Package terminal provides support functions for dealing with terminals, as commonly found on UNIX systems.
Package terminal provides support functions for dealing with terminals, as commonly found on UNIX systems.
ssh/test
Package test contains integration tests for the github.com/toidicakhia/psiphon-tunnel/psiphon/common/crypto/ssh package.
Package test contains integration tests for the github.com/toidicakhia/psiphon-tunnel/psiphon/common/crypto/ssh package.
Package errors provides error wrapping helpers that add inline, single frame stack trace information to error messages.
Package errors provides error wrapping helpers that add inline, single frame stack trace information to error messages.
Package inproxy enables 3rd party, ephemeral proxies to help Psiphon clients connect to the Psiphon network.
Package inproxy enables 3rd party, ephemeral proxies to help Psiphon clients connect to the Psiphon network.
Package monotime provides a fast monotonic clock source.
Package monotime provides a fast monotonic clock source.
osl
Package osl implements the Obfuscated Server List (OSL) mechanism.
Package osl implements the Obfuscated Server List (OSL) mechanism.
Package packetman implements low-level manipulation of TCP packets, enabling a variety of strategies to evade network censorship.
Package packetman implements low-level manipulation of TCP packets, enabling a variety of strategies to evade network censorship.
Package parameters implements dynamic, concurrency-safe parameters that determine Psiphon client and server behaviors.
Package parameters implements dynamic, concurrency-safe parameters that determine Psiphon client and server behaviors.
Package prng implements a seeded, unbiased PRNG that is suitable for use cases including obfuscation, network jitter, load balancing.
Package prng implements a seeded, unbiased PRNG that is suitable for use cases including obfuscation, network jitter, load balancing.
Package quic wraps github.com/lucas-clemente/quic-go with net.Listener and net.Conn types that provide a drop-in replacement for net.TCPConn.
Package quic wraps github.com/lucas-clemente/quic-go with net.Listener and net.Conn types that provide a drop-in replacement for net.TCPConn.
Package regen is a library for generating random strings from regular expressions.
Package regen is a library for generating random strings from regular expressions.
Package resolver implements a DNS stub resolver, or DNS client, which resolves domain names.
Package resolver implements a DNS stub resolver, or DNS client, which resolves domain names.
Package sss implements Shamir's Secret Sharing algorithm over GF(2^8).
Package sss implements Shamir's Secret Sharing algorithm over GF(2^8).
Package stacktrace provides helpers for handling stack trace information.
Package stacktrace provides helpers for handling stack trace information.
Package tactics provides dynamic Psiphon client configuration based on GeoIP attributes, API parameters, and speed test data.
Package tactics provides dynamic Psiphon client configuration based on GeoIP attributes, API parameters, and speed test data.
Package transforms provides a mechanism to define and apply string data transformations, with the transformations defined by regular expressions to match data to be transformed, and regular expression generators to specify additional or replacement data.
Package transforms provides a mechanism to define and apply string data transformations, with the transformations defined by regular expressions to match data to be transformed, and regular expression generators to specify additional or replacement data.
Package tun is an IP packet tunnel server and client.
Package tun is an IP packet tunnel server and client.
Package values provides a mechanism for specifying and selecting dynamic values employed by the Psiphon client and server.
Package values provides a mechanism for specifying and selecting dynamic values employed by the Psiphon client and server.
Package wildcard implements a very simple wildcard matcher which supports only the term '*', which matches any sequence of characters.
Package wildcard implements a very simple wildcard matcher which supports only the term '*', which matches any sequence of characters.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL