Overview ¶
* @Author: FunctionSir * @License: AGPLv3 * @Date: 2025-11-25 23:19:07 * @LastEditTime: 2025-11-27 19:56:18 * @LastEditors: FunctionSir * @Description: - * @FilePath: /roxytunnel/core/shared/memokeys.go
* @Author: FunctionSir * @License: AGPLv3 * @Date: 2025-09-23 18:18:02 * @LastEditTime: 2025-09-27 23:40:00 * @LastEditors: FunctionSir * @Description: - * @FilePath: /roxytunnel/core/shared/tls.go
Index ¶
- Constants
- Variables
- func CertOCSPVerifier(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
- func Check(ctx context.Context, db *sql.DB, err error, where string)
- func Ensure(ctx context.Context, db *sql.DB, condition bool, msg string)
- func GetConfVal[T any](ctx context.Context, conn *sql.DB, key string, to *T) error
- func GetConfValTx[T any](ctx context.Context, tx *sql.Tx, key string, to *T) error
- func GetMemoVal[T any](ctx context.Context, conn *sql.DB, key string, to *T) error
- func GetMemoValTx[T any](ctx context.Context, tx *sql.Tx, key string, to *T) error
- func LogToAll(ctx context.Context, db *sql.DB, level LogLevel, msg string)
- func LogToDatabase(ctx context.Context, db *sql.DB, level LogLevel, msg string)
- func LogToScreen(level LogLevel, msg string)
- func SetMemoValTx[T any](ctx context.Context, tx *sql.Tx, key string, val T) error
- type AntiReplayChecker
- type AntiReplayGenerator
- type AntiReplayHeader
- type HTTPSDialTLSCtxFunc
- type LogLevel
- type TLSCertVerificationFunc
Constants ¶
const (
	// HTTPHeaderXPadding carries random-length padding on requests; see the
	// client.header_length_random_padding.* config keys for its size bounds.
	HTTPHeaderXPadding string = "X-Padding"
	// HTTPHeaderXNoiseInit carries the Noise handshake initiator message.
	HTTPHeaderXNoiseInit string = "X-Noise-Init"
	// HTTPHeaderXNoiseResp carries the Noise handshake responder message.
	HTTPHeaderXNoiseResp string = "X-Noise-Resp"
)
Related HTTP headers
const (
	ConfKeyClientServer                        string = "client.server"                          // Example: "wss://example.org:8443"
	ConfKeyClientHeadersLengthRandomPaddingMin string = "client.header_length_random_padding.min" // Example: "32"
	ConfKeyClientHeadersLengthRandomPaddingMax string = "client.header_length_random_padding.max" // Example: "128"
	ConfKeyClientAuthMethod                    string = "client.auth.method"                     // Example: "bearer"
	ConfKeyClientAuthPayload                   string = "client.auth.payload"                    // Value is auth payload (a credential; treat the CONFIG table as secret material)
	ConfKeyClientTLSVerifyMode                 string = "client.tls.verify.mode"                 // Example: "strict"; see the TLSVerifyMode* constants
	ConfKeyClientTLSServerName                 string = "client.tls.server_name"                 // Example: "example.org"
	ConfKeyClientTLSMeek                       string = "client.tls.meek"                        // Example: "chrome"; see the TLSClientMeek* constants
	ConfKeyClientTLSCertPinning                string = "client.tls.cert_pinning"                // Example: "pubkey"; see the TLSCertPinningMode* constants
	ConfKeyClientTLSCertPinned                 string = "client.tls.cert_pinned"                 // Value is the hash of whole cert or public key
	ConfKeyClientNoiseServerPublicKey          string = "client.noise.server.public_key"         // Value is Base64 encoded Noise public key of server
	ConfKeyClientNoiseClientPublicKey          string = "client.noise.client.public_key"         // Value is Base64 encoded Noise public key of client
	ConfKeyClientNoiseClientPrivateKey         string = "client.noise.client.private_key"        // Value is Base64 encoded Noise private key of client (secret)
	ConfKeyClientNoisePSK                      string = "client.noise.psk"                       // Value is Base64 encoded Noise PSK for post-quantum security (secret)
	ConfKeyClientInboundProcessorPath          string = "client.processor.inbound.path"          // Example: "/opt/demoprocessor"
	ConfKeyClientInboundProcessorArgs          string = "client.processor.inbound.args"          // Example: "-in"
	ConfKeyClientOutboundProcessorPath         string = "client.processor.outbound.path"         // Example: "/opt/demoprocessor"
	ConfKeyClientOutboundProcessorArgs         string = "client.processor.outbound.args"         // Example: "-out"
)
Client side config keys
const (
	ConfKeyServerListen                 string = "server.listen"                   // Example: "127.0.0.1:8443"
	ConfKeyServerTransport              string = "server.transport"                // Currently, value should be "wss" only
	ConfKeyServerTLSCert                string = "server.tls.cert"                 // Value is Base64 encoded cert data (PEM format)
	ConfKeyServerTLSKey                 string = "server.tls.key"                  // Value is Base64 encoded cert key data (PEM format); this is the server's private key
	ConfKeyServerAuthType               string = "server.auth.type"                // Example: "bearer"
	ConfKeyServerEntryPath              string = "server.entry_path"               // Example: "/a702a023-d435-481f-83ab-7563c978e5ac"
	ConfKeyServerAuthOnFailAction       string = "server.auth.on_fail.action"      // Example: "meek"
	ConfKeyServerAuthOnFailArgs         string = "server.auth.on_fail.args"        // Example: "nginx.403"
	ConfKeyServerNoisePSK               string = "server.noise.psk"                // Value is Base64 encoded Noise PSK for post-quantum security (secret)
	ConfKeyServerNoiseServerPublicKey   string = "server.noise.server.public_key"  // Value is Base64 encoded Noise public key of server
	ConfKeyServerNoiseServerPrivateKey  string = "server.noise.server.private_key" // Value is Base64 encoded Noise private key of server (secret)
	ConfKeyServerInboundProcessorPath   string = "server.processor.inbound.path"   // Example: "/opt/demoprocessor"
	ConfKeyServerInboundProcessorArgs   string = "server.processor.inbound.args"   // Example: "-in"
	ConfKeyServerOutboundProcessorPath  string = "server.processor.outbound.path"  // Example: "/opt/demoprocessor"
	ConfKeyServerOutboundProcessorArgs  string = "server.processor.outbound.args"  // Example: "-out"
)
Server side config keys
const (
	ConfKeyNukeOverwritePasses  string = "nuke.overwrite.passes"  // Example: "3"
	ConfKeyNukeOverwritePattern string = "nuke.overwrite.pattern" // Example: "01R"
	ConfKeyNukePostNuke         string = "nuke.post_nuke"         // Example: "reboot_to_memtest86+.sh"
)
Nuke related config keys
const (
	// Both queries bind the key through a `?` placeholder, so the key must be
	// passed as a query argument rather than interpolated into the string.
	QueryGetConf string = "SELECT VALUE FROM `CONFIG` WHERE `KEY` = ? LIMIT 1;"
	QueryGetMemo string = "SELECT VALUE FROM `MEMO` WHERE `KEY` = ? LIMIT 1;"
)
Pre-defined SQL queries
const (
	// String forms of the LogLevel values, in the same order as the enum.
	LogLevelDebugStr string = "DEBUG"
	LogLevelInfoStr  string = "INFO"
	LogLevelWarnStr  string = "WARN"
	LogLevelErrorStr string = "ERROR"
	LogLevelFatalStr string = "FATAL" // Fatal will ALWAYS trigger a panic! Be careful!
	// LogLevelUnknownStr is not part of the LogLevelStr table.
	LogLevelUnknownStr string = "UNKNOWN"
)
const (
	// Persisted anti-replay counters; presumably used to seed
	// NewAntiReplayGeneratorWithStart after a restart — confirm against the caller.
	MemoKeyClientSessionNextEpoch string = "client.session.next_epoch"
	MemoKeyClientSessionNextSeq   string = "client.session.next_seq"
)
Memo keys for client.
const (
	TLSVerifyModeStrict   string = "strict"   // Full + OCSP
	TLSVerifyModeFull     string = "full"     // Pinned + regular verification
	TLSVerifyModePinned   string = "pinned"   // Only match cert pinning, can NOT be used with TLSCertPinningModeOff; the pin is then the sole trust anchor, so rotating the server cert/key without updating the pin breaks connectivity
	TLSVerifyModeDisabled string = "disabled" // Disable all TLS cert verification (INSECURE! FOR TESTING ONLY!)
)
TLS verify modes
const (
	TLSCertPinningModePubKey string = "pubkey" // Pinning the cert by the SHA-512 of public key, more convenient (the pin survives cert renewal as long as the key pair is kept)
	TLSCertPinningModeCert   string = "cert"   // Pinning the cert by the SHA-512 of the whole cert, more secure (the pin must be updated on every cert renewal)
	TLSCertPinningModeOff    string = "off"    // Do not use cert pinning, vulnerable if any trust CA is compromised, and can NOT be used with TLSVerifyModePinned
)
TLS cert pinning modes
const (
	// Meek modes only shape the TLS client hello fingerprint; certificate
	// verification is governed separately by the TLSVerifyMode* and
	// TLSCertPinningMode* settings.
	TLSClientMeekFirefox          string = "firefox"            // Let TLS handshakes look like Firefox
	TLSClientMeekChrome           string = "chrome"             // Let TLS handshakes look like Chrome
	TLSClientMeekEdge             string = "edge"               // Let TLS handshakes look like Edge
	TLSClientMeekSafari           string = "safari"             // Let TLS handshakes look like Safari on Mac systems
	TLSClientMeekAndroid11OkHttp  string = "android_11_okhttp"  // Let TLS handshakes look like the OkHttp library on Android 11
	TLSClientMeekIOS              string = "ios"                // Let TLS handshakes look like Safari on IOS systems
	TLSClientMeekQQ               string = "qq"                 // Let TLS handshakes look like QQ Browser
	TLSClientMeek360              string = "360"                // Let TLS handshakes look like 360 Browser
	TLSClientMeekRandomized       string = "randomized"         // Let TLS handshakes use a randomized client hello schema, maybe with or with no ALPN
	TLSClientMeekRandomizedALPN   string = "randomized_alpn"    // Let TLS handshakes use a randomized client hello schema with ALPN
	TLSClientMeekRandomizedNoALPN string = "randomized_no_alpn" // Let TLS handshakes use a randomized client hello schema with no ALPN
	TLSClientMeekGolang           string = "golang"             // Let TLS handshakes look like a regular Golang based program using standard library, functionally equals to no meek
)
TLS client meek modes
const (
	// ContentTypeOCSPRequest is the Content-Type used when posting OCSP requests
	// (presumably from CertOCSPVerifier — confirm against the caller).
	ContentTypeOCSPRequest string = "application/ocsp-request"
)
OCSP content-type
const (
	// QuerySetMemo binds both VALUE and KEY via `?` placeholders. Note it only
	// UPDATEs: a key that does not yet exist affects zero rows (see
	// ErrUnexpectedRowsAffected). Unlike QueryGetConf/QueryGetMemo it has no
	// trailing semicolon; harmless for the driver but inconsistent.
	QuerySetMemo string = "UPDATE `MEMO` SET `VALUE` = ? WHERE `KEY` = ?"
)
Variables ¶
var (
	// Sentinel errors for the DB helpers; compare with errors.Is.
	ErrInvalidDBConn          error = errors.New("invalid DB connection")
	ErrInvalidDBTx            error = errors.New("invalid DB transaction")
	ErrUnexpectedRowsAffected error = errors.New("unexpected rows affected")
)
Pre-defined errors
var (
	// Sentinel errors for TLS configuration and verification; compare with errors.Is.
	ErrInvalidTLSVerifyMode                 error = errors.New("invalid TLS verify mode")
	ErrInvalidTLSCertPinningMode            error = errors.New("invalid TLS cert pinning mode")
	ErrVerifyModeSetToPinnedButNoCertPinned error = errors.New("cert verify mode set to pinned but no cert pinned") // enforces the TLSVerifyModePinned / TLSCertPinningModeOff exclusion
	ErrOCSPVerificationFailed               error = errors.New("cert OCSP verification failed")
	ErrCertPinMismatch                      error = errors.New("TLS cert pin mismatch")
	ErrInvalidTLSMeekTarget                 error = errors.New("invalid TLS meek target")
)
Pre-defined errors
// ErrDataTooShort is returned when input is shorter than the 12-byte
// anti-replay header (4-byte epoch + 8-byte seq).
var ErrDataTooShort = errors.New("anti-replay header requires at least 12 bytes")

// ErrEpochIsTooLarge is returned when an epoch value exceeds what the
// 4-byte epoch field can represent.
var ErrEpochIsTooLarge = errors.New("epoch is too large")

// ErrInvalidKeyRotationInterval is returned by the AntiReplay constructors
// for an unusable keyRotationInterval.
var ErrInvalidKeyRotationInterval = errors.New("invalid key rotation interval")
var (
	// LogLevelStr maps a LogLevel (used as the array index) to its string form.
	// LogLevelUnknownStr is deliberately absent; indexing with a value outside
	// the five defined levels panics rather than yielding "UNKNOWN".
	LogLevelStr = [...]string{LogLevelDebugStr, LogLevelInfoStr, LogLevelWarnStr, LogLevelErrorStr, LogLevelFatalStr}
)
var (
	// QueryLogToDB inserts one log row; all three columns are bound via `?`.
	// This TIMESTAMP is a TIMESTAMP as ms! NOT second!
	QueryLogToDB string = "INSERT INTO `LOG` (`TIMESTAMP`, `LEVEL`, `MESSAGE`) VALUES (?,?,?);"
)
Functions ¶
func CertOCSPVerifier ¶
func CertOCSPVerifier(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
Verify the TLS cert chain using an OCSP check.
func GetConfVal ¶
Get a config value from the specified DB connection.
func GetConfValTx ¶
Get a config value from the DB within a transaction.
func GetMemoVal ¶
Get a memo value from the specified DB connection.
func GetMemoValTx ¶
Get a memo value from the DB within a transaction.
func LogToDatabase ¶
func LogToScreen ¶
Types ¶
type AntiReplayChecker ¶
// AntiReplayChecker validates incoming AntiReplayHeader values on the
// receiving side. Its state (minimum valid epoch/seq and the key rotation
// interval, per the constructor signatures) is unexported.
type AntiReplayChecker struct {
	// contains filtered or unexported fields
}
func NewAntiReplayChecker ¶
func NewAntiReplayChecker(keyRotationInterval uint64) (*AntiReplayChecker, error)
func NewAntiReplayCheckerWithStart ¶
func NewAntiReplayCheckerWithStart(minValidEpoch uint32, minValidSeq uint64, keyRotationInterval uint64) (*AntiReplayChecker, error)
func (*AntiReplayChecker) Check ¶
func (checker *AntiReplayChecker) Check(header AntiReplayHeader) (bool, bool, error)
Returns: whether the header passes, whether a key rotation is needed, and an error.
type AntiReplayGenerator ¶
// AntiReplayGenerator produces monotonically advancing AntiReplayHeader
// values on the sending side. Its state (next epoch/seq and the key rotation
// interval, per the constructor signatures) is unexported.
type AntiReplayGenerator struct {
	// contains filtered or unexported fields
}
func NewAntiReplayGenerator ¶
func NewAntiReplayGenerator(keyRotationInterval uint64) (*AntiReplayGenerator, error)
func NewAntiReplayGeneratorWithStart ¶
func NewAntiReplayGeneratorWithStart(nextEpoch uint32, nextSeq uint64, keyRotationInterval uint64) (*AntiReplayGenerator, error)
func (*AntiReplayGenerator) NextAttachToData ¶
func (generator *AntiReplayGenerator) NextAttachToData(data []byte) ([]byte, bool, error)
func (*AntiReplayGenerator) NextHeader ¶
func (generator *AntiReplayGenerator) NextHeader() (AntiReplayHeader, bool, error)
type AntiReplayHeader ¶
AntiReplayHeader should be transported in big-endian (a.k.a. network byte order).
Format of data using this:
[Epoch (4B Big-Endian Uint)][Seq (8B Big-Endian Uint)][Protected Data]
Using it together with an AEAD is STRONGLY RECOMMENDED.
func SplitAntiReplayHeader ¶
func SplitAntiReplayHeader(data []byte) (AntiReplayHeader, []byte, error)
func (*AntiReplayHeader) Marshal ¶
func (header *AntiReplayHeader) Marshal() []byte
type HTTPSDialTLSCtxFunc ¶
func NewMeekedHTTPSDialTLSCtxFunc ¶
func NewMeekedHTTPSDialTLSCtxFunc(meekMode string, utlsConf *utls.Config) (HTTPSDialTLSCtxFunc, error)
type LogLevel ¶
// LogLevel is the severity of a log message; it doubles as the index into LogLevelStr.
type LogLevel uint8
We use iota to make it act like an enum in C/C++.
That means LogLevelDebug = 0, LogLevelInfo = 1, LogLevelWarn = 2 ...
About Fatal:
Fatal will ALWAYS trigger a panic! Be careful!
Do NOT use it unless TERMINATE is intended!
var (
	// MinimumLogLevel is the lowest level that is emitted; defaults to Warn.
	MinimumLogLevel LogLevel = LogLevelWarn
)
type TLSCertVerificationFunc ¶
// TLSCertVerificationFunc has the same signature as crypto/tls
// Config.VerifyPeerCertificate, so a value can be installed there directly.
// Note that verifiedChains is empty when the standard chain verification is
// skipped (InsecureSkipVerify), so implementations must not rely on it alone.
type TLSCertVerificationFunc func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
func CertPinningVerifier ¶
func CertPinningVerifier(pinningMode string, pinned string) (TLSCertVerificationFunc, error)
func ListOfCertVerifiers ¶
func ListOfCertVerifiers(verifiers []TLSCertVerificationFunc) TLSCertVerificationFunc
func NewRoxyCertVerificationFunc ¶
func NewRoxyCertVerificationFunc(mode string, pinningMode string, pinned string) (TLSCertVerificationFunc, error)